Operational Risk Management - Understanding Your Risk Landscape

OPERATIONAL RISK MANAGEMENT
UNDERSTANDING AND MAPPING YOUR RISK LANDSCAPE
Presentation by: Eneni Oduwole
1

OUTLINE
1. Introduction
2. What is OpRisk Mgt
3. Classification of OpRisk
4. Components of OpRisk
5. OpRisk Identification
6. Methods of OpRisk Identification
FBN CCPD, 2014 (ORGANIZED BY CIBN)
7. OpRisk Tools
8. Understanding & Mapping OpRisks
9. Challenges of OpRisk
10. Prioritizing Risks
11. Risk Treatments
2

INTRODUCTION
 Operational risk, broadly speaking, is the risk of loss resulting from any operational failure in a
organization
 Such events include direct and indirect actions that may lead to increased errors, system failures, acts
of nature, non-adherence with internal policies land regulatory stipulations
 Operational Risk is the responsibility of all staff in an organization – junior, middle and senior staff
 Involves interfacing with all business units with all business areas in the organization
3

WHAT IS OPERATIONAL RISK
 ‘the risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events’…Basel Definition
 ‘the risk of loss resulting from inadequate or failed internal processes, systems or
human factors, or from external events. It includes the reputation and franchise risk
associated with business practices or market conduct in which the Company is
involved’…Citigroup Definition
4

CLASSIFICATION OF OPRISK
 Operational risk can be classified according to the following:
─ The nature of the loss: internally inflicted or externally inflicted
─ The impact of the loss: direct losses or indirect losses
─ The degree of expectancy: expected or unexpected
─ Risk type, event type, and loss type
─ The magnitude (or severity) of loss and frequency of loss
5

OPRISK COMPONENTS IN OTHER KEY RISKS
 Credit Risk
─ Documentation issues, rate change issues, appropriate portfolio classification, error rates, manual
processes, non-adherence with approved contract terms and risk rating…
 Market Risk
─ Instituting and adhering to limits, manual processes, non-adherence with policy guidelines, manual
processes, key man risks…
 Strategic Risk
─ Non-monitoring of milestone achievements or failures, non-adherence with agreed strategic plan,
failure to review plans for consistency with business environment
 Reputational Risk
─ Non-monitoring of internal and external factors that could have adverse impact on brand equity /
public perception
6

OPRISK IDENTIFICATION
 This process entails the recognition, categorization, prioritization and enlisting of prevalent risks in the
organization
 It usually starts with the review of issues / concerns affecting a business process, product or service;
thereafter close monitoring and tracking of key issues that might affect set goals and objectives is
embarked upon
 The identification of risks also allows for conduct of causal analysis which enables better
understanding and categorization of risk drivers
 Classification of risk drivers reduces redundancy and ensures easier management of risk factors in
later phases of the risk management process; classifying risks also provides for the creation of risk
checklists, risk registers, and databases for future projects
7

METHODS FOR OPRISK IDENTIFICATION
 Documentation Review
 Other Information Gathering Techniques such as Interviews with Process Owners
 Conduct of Surveys
 Checklist Analysis
 Root Cause Analysis
 Assumption Analysis
All of these tools can be used in developing a database
of key risk factors to be monitored by the
organization…
“KKeeyy Key RRiisskk Risk IInnddiiccaattoorr DDaasshhbbooaarrdd”
8

OpRisk Tool: RISK CONTROL SELF ASSESSMENTS (RCSA)
 RCSA is a simple process by which the risk profile of an organization can be ascertained and prevalent
risks and controls evaluated
 It is a participative process that relies on inputs from everyone involved in running the business or
managing relevant processes
 It is qualitative and therefore cannot be analyzed for corrective actions
 Frequency of exercise should be derived by a risk-based approach
9

OpRisk Tool: LOSS DATA COLLATION
 Process of collating data resulting from operational risk events relating to people, process, system and
external events risks
 Assists with identifying trends
 Ensures cost-effective controls are deployed to mitigate likely risks
 Enables determination of risk concentration and adequate capital charge estimation
 Loss data includes:
─ Actual losses
─ Near misses (potential and prevented losses)
10

OpRisk Tool: BUSINESS CONTINUITY MANAGEMENT
 Management of an end-to-end process from incident management to full restoration of all services and
business processes
 It involves putting in place strategies for all operational risk elements (people, process, systems and
external events) to enable an organisation respond appropriately when a disaster occurs:
─ Response
─ Resumption
─ Recovery
─ Restoration
 It requires that recovery plans are put in place for all departments and business activities of the Bank
 It also requires that business functions are ranked in order of priority to the organization in terms of
financial or reputational relevance
11

OpRisk Tool: KEY RISK INDICATORS (KRIS)
 Quantitative parameters used to identify changes in the risk profile of business activities and
processes
 Examples include:
─ Number of training interventions per staff per year; Exit rate
─ Number of fire / robbery incidents recorded; Link availability per month
 Enables the following:
─ Clear understanding of how risk profiles change
─ Determination of volatility of risks across the business environment
─ Providing a forward looking perspective on current risk profile
─ Understanding of early warning signals for emerging risks
12

OpRisk Tool: KRIS (cont’d)
 Are measurable metrics that identify trends and track possible exposures; they are quantitative
parameters used to identify changes in the risk profile of business activities and processes
 KRIs enable the following:
‒ Determination of volatility of risks across the business environment
‒ Determination of risk concentrations
‒ Determination of risk patterns
 Objectives for having defined KRIs should include:
‒ Ensuring that a process for predicting the pattern / behaviour of current risk profile is in place
‒ Enabling early warning signs for emerging risks to be picked up as they crystallize
13

OpRisk Tool: OPRISK REPORTING
 Periodic detailing of OpRisk trends identified from Key Risk Indicator trending, Loss Data Collation
trends and key risks identified from RCSA reviews
 Should be circulated to key decision-makers within the organization
 Should highlight key risks identified with recommended mitigants for controlling respective risks
 Should serve as a decision-making tool for budgeting and resource allocation
14

UNDERSTANDING & MAPPING THE RISK LANDSCAPE
 Understand the strategic intent of the organization in the short, medium or long term
 Drill this into expected deliverables within the respective timeframes
 Determine core business activities that would be focused on to achieve these expected deliverables
 Isolate the core drivers of these core business activities
 Develop quantitative parameters for tracking these core drivers
 Agree on trigger limits with business process owner
15

UNDERSTANDING & MAPPING THE RISK LANDSCAPE (CONT’D)
 Monitor the trends of these parameters, where adverse trends are observed:
‒ Conduct a Causal Analysis to determine prevalent risk factors
‒ Determine areas of the business affected by this adverse trend
‒ Identify likely constraint to the organization resulting from this adverse trend
‒ Estimate impact and severity to the organization should the risk crystallize
‒ Report on risk trend identified
16

KEY OPRISK PROBLEMS
 Determine the risk tolerance levels or thresholds for each major operational risk
 Determine optimal risk treatments in terms of risk-control and risk-transfer relationships in the
context of cost-benefit analysis
 Determine the impact that decisions taken by Management would have on the organization’s
exposure to operational risk
17

PRIORITIZING RISKS
 Requires the estimation of risk factors into defined categories for risk treatment
 These categories are:
 High – Medium – Low Risks (for 3-tiered Risk Bands)
 High – Medium/High – Medium – Medium/Low and Low Risks (for 5-tiered Risk Bands)
 These bands are defined to direct the organization on appropriate risk treatments required for
identified risk factors; defined risk categories are also indicative of likely risk exposure (impact x
probability)
High Probability
Medium Probability
Low Probability
Low Impact Medium Impact High Impact
18

PRIORITIZING RISKS IN YOUR ORGANIZATION
 Risk prioritization must be based on the following:
‒ The Risk Appetite of the organization
‒ The Business Model of the organization
‒ Regulatory Requirements
‒ Business objectives in the short, medium and long terms
‒ Risk – Reward Analysis
‒ Response style of the organization
‒ Maturity of the Risk-Aware Culture
19

DEALING WITH THE RISK EXPOSURES
 Terminate: when cost is higher than benefit; no competencies for managing risk
 Tolerate: when cost is within risk appetite levels or insignificant to benefit; no brainer
 Treat: when benefit from business venture is seriously threatened; staff and business model /
structure can implement and support control
 Transfer: when benefit is threatened but staff / business model may not support required control
(risk may be shared or transferred completely)
20

CONSIDERATIONS FOR SELECTING APPROPRIATE ACTION PLANS
 Policy Changes: Consider regulatory / legal / ethical issues such as modifications of banking & related
policies
 In-House Actions: Consider appropriate plans that would fit into the organization’s business strategy /
model / structure, and culture
 Simplicity: Action plans should be rid of complexities / complex methodologies which might sabotage the
correction process; new process / control should be easy for auditors to review
 Implementation: Incorporation of related activities into routine business processes should be seamless;
relevant parties should be carried along; cost effectiveness considered
 Review: Tracking of implementation should be easy; effectiveness of control should be tested periodically
21

TRACKING RESULTS OF ACTION PLANS
22

CONCLUSION
 A qualitative Risk Assessment is usually the first step required for identifying prevalent risk drivers and
attributes
 It is important that the Risk Assessment approach adopted is based on the organization’s culture, behaviour
and attitude in managing issues
 The Risk Maturity of the Organization should also be considered
 For very structured organizations, brainstorming approaches would yield better results whilst for less
structured organizations the conduct of interviews would be more worthwhile
 For optimal results, a hybrid approach with all levels of staff involved is highly recommended; this way both
strategic and operational risk exposures organization-wide are unearthed
23

FOOD FOR THOUGHT
 “The key to successful ERM practices depends on the behavioural attributes of the
organization at all levels.” – RIMS
 “One of the greatest contributions of a risk manager – arguably the single greatest –
is just carrying a torch around and providing transparency.” Enterprise Risk
Management, (Chapter 5 “Becoming the Lamp Bearer” by Anette Mikes)
24

THANK YOU Thank you
25
Eneni Oduwole
eneni.oduwole@dangote.com;
234-8033045896

Operational Risk Management - Understanding Your Risk Landscape

More Related Content

What's hot

Viewers also liked

Similar to Operational Risk Management - Understanding Your Risk Landscape

More from Eneni Oduwole

Recently uploaded

Operational Risk Management - Understanding Your Risk Landscape