Operational Risk Managment, ORM refined,approved.pptx

6/13/2024 COOPERATIVE BANK OF OROMIA | https://coopbankoromia.com.et/ 1

Operational Risk
Assessment Training
03
01
02
Risk Identification
Risk Analysis
Risk Matrix
2
May 2024
04 Risk Treatment
05 Risk Monitoring

Overview
What is Risk?
Major Risks in Banking Industry?
What is Operational Risk?
Three Lines of defense Model
Risk and Control

6/13/2024 COOPERATIVE BNAK OF OROMIA | https://coopbankoromia.com.et/ 4
The Institute of Risk
Management (IRM)
Institute of Internal Auditors
The ISO 31000: 2009 Risk
Management – Principles and
Guidelines standard
HM Government: The Orange
Book. Management of Risk –
Principles and Concepts 20201
defines risk as the combination of the probability of an event and its
consequence. Consequences range from positive to negative.
The uncertainty of an event occurring that could have an impact on the
achievement of the objectives. Risk is measured in terms of consequences and
likelihood.
defines risk quite simply as: The effect of uncertainty on objectives events, and
their consequences.
The effect of uncertainty on objectives. Risk is usually expressed in terms of
causes, potential
Overview Cont.…

Overview Cont.…
Risk management is the is a process of proactively identifying, measuring,
controlling/mitigating, monitoring and reporting of risks using various
techniques.
Financial risk is a risk which directly affects the financial performance of the
Bank. E.g. Credit risk, Market risk, & Liquidity risk
Non-financial risk is a risk which indirectly affects the financial performance
of the Bank. E.g. Operational risk, Cyber risk, strategic risk, Regulatory risk,
Reputational risk.

According to Basel
Committee Jan
2001, “Operational
risk is the risk of
loss resulting from
inadequate or failed
internal processes,
people, and
systems, or from
external events’’
Overview Cont.…

Operational Risk Factors
Process Risk People Risk
The risk of loss is caused by
piracy, theft, failure, breakdown,
or other technology disruption.
IT problems, i.e.
hardware or software failures &
computer hacking or viruses;
Unreliable information & security
system;
Network failures;
Utility outages.
System Risk
The risk of loss arises due to
damage of physical
property/asset from natural or
non-natural causes.
Criminal activities (theft, terrorism,
vandalism);
Political and military events (wars,
sanctions);
Changes in political, legal, regulatory, tax
environment;
Natural events such as fire, earthquake &
floods;
External Risk
Introduction cont.…
Risk related to the execution and
maintenance of transaction and
the various aspects of running a
business.
Transaction errors, i.e.
Execution, registration settlement
and documentation errors;
Errors in models & methods;
Accounting and taxation errors;
Inadequate internal procedures;
Inadequate definition and attribution
of responsibilities.
Risk related to the execution and
maintenance of transaction and
the various aspects of running a
business.
Fraud, Criminal activities;
Violation of internal & external
rules;
Errors related to competence or
negligence;
Illness, injury and problems in
retaining employees;

Detective
 Authorization of transactions
 Retention of records (source
documents)
 Supervision or monitoring of
operations
 Physical safeguards
 IT Security
 Limit setting.
Directive
 Directive: Accessible,
detailed, written,
systems and procedures,
 Training to ensure
understanding of
procedures
Detective
 Account reconciliations
 Timely preparation of financial
statements
 Review of performance reports
 Inventories
 Cash count
Preventive
Operational Risk & Internal Control
Overview Cont.…
 Submit corrective journal
entries after discovering an
error.
 Implement a full
restoration of a system
from backup tapes after
evidence is found that
someone has improperly
altered the payment data.
Corrective

Overview Cont.…

Objectives, Risk and Internal Control Relationship
Overview Cont.…

Operational Risk & Internal Control
Overview Cont.…

.
Board of Directors
(Oversight)
Business line management
(Owner)
(First Line of Defence)
An independent corporate
operational risk management
function
(Second Line of Defence)
An independent
review.
(Third Line of Defence)
Sets the ‘tone’
Establishes risk
appetite & strategy
Approves the ORM
framework,
methodologies,
overall policies,
and roles and
responsibilities.
RAUs and Risk owners (Ownership)
“Owner” of the risk management
process;
Identifies, assess, mitigates and
reports on different risks.
Designs and deploys the overall ORM
framework;
Monitors adherence to framework
and strategy;
Develops risk Mgt methodologies
Develops risk policies and procedures
and monitors compliance
Performs aggregated risk reporting;
Independent testing & verification
of effectiveness;
Validates the overall risk
framework;
Provides assurance that the risk
management process is
functioning as designed.
Introduction cont…
Three Lines of Defence

Operational Risk Management Process

01 Risk Identification
Risk identification is the process by
which banks find out potential threats
to the achievement of their objectives
by determining:
Encompasses:
Events which have occurrence history
Events do not have occurrence history

Data/Information Required for Risk Identification
Loss event
data,
Policies,
procedures ,
guidelines …
Audit reports, prior
risk assessment
reports,
Strategic
document
loss experience
of the industry,
competitors,
NBE reports
other external
environmenta
l factors.
01 Risk Identification cont…

Major Risk
Identification
techniques
Self-Assessment
Questionnaire
01
Process and Risk
Mapping
02
Brainstorming
03
Scenario Analysis
04

Level 1 Risks Level 2 Risks Level 3 Risks Level 4(Risk Events)
Operational Risk
Internal fraud
Fraud and Theft Inactive account fraud
Unauthorized activity Misuse of authorities and access rights
External fraud
First party fraud Misrepresenting identity
Second party fraud Money mulling
Third party fraud Robbery
Agent/broker/intermediary fraud Unauthorized fee by agents
Employment Practices and Workplace Safety Risk
Ineffective Employment and Employee relation Insufficient number of employees
Health and safety failure Pandemic
Client and business process risk
Client/account mismanagement failure to fulfil duties to customers
Product/service quality risk Delay in product launch
Business process mismanagement Deficient/Ineffective risk culture
Damage to physical assets Natural disaster Earthquake, flood,
Non-natural disaster Terrorist attack, civil riot
Execution, delivery, & process management Risk
Process design or execution failure Unclear roles and responsibilities
Transaction and business process error Failure to execute transaction
Monitoring and reporting failure Failed mandatory reporting obligation
Process control failure Poor performance management system
Process support failure Ineffective and inefficient use of staff
Third party Risk (Vendor and outsourcing)
Concentration Risk in outsourcing/third party Service provider concentration
Country/offshore risk Communication and cultural barriers
Engagement & delivery risk Low vendor reputation
Vendor/supplier failure Vendor/service provider constant delay
Management control failure Poor governance system
Change and project management risk
Change execution risk High level of resistance
Project management failure Poor project/program management
Legal risk
Contractual risk Breach of existing contract
Non-contractual obligation risk Failure to register property right
Litigation risk Missing legal documentation
Interpretation risk Defective application on ambiguous or untested part of
the law/regulation

one or more factors that
leads to risk event
Cause
is the anticipated direct
outcome if a given risk
event is materialized.
Effect
is a single incident that leads
directly to one or more
effects/consequences;
Event
Cause-event-effect relationship

a. Inadequate employee Mgt.
b. Obsolete computer system
c. Large transaction volumes
d. Inadequate due diligence
Cause
a. High employee turnover
b. System failure
c. Failed/inaccurate reporting
d. Financing illegible customers
Event
a. Loss of skilled manpower
b. Loss of revenue/customer
c. Fines (regulatory action)
d. Legal costs (Legal Liability)
Impact
Examples

Source : Protecht ERM System

A
Analysis of how control effectiveness is perceived.
Control Analysis
B
C Impact is the damage or loss (net of recoverable
amount +opportunity cost) of a given risk event
Impact Analysis
Estimation of the probability of occurrence;
Likelihood Analysis
02 Risk Analysis

Control Analysis
Control
Status
Score
Excessive 100%
Effective 80%
Adequate 60%
Deficient 30%
Ineffective 10%
Description
A preventive control, which is automated and has proved
accurate and reliable. The existing controlling mechanism
is too firm that require update.
A preventive control, which is performed manually.
A detective control, which is automated, or manual.
Control identifies errors most of the time but exceptions
are common. The control may be unstructured, not
understood or poorly supervised.
A missing or weak control or performed rarely. Unlikely to
prevent or detect errors. Untrained or inappropriate person
performing the control or insufficient information available
to perform properly.
02 Risk Analysis cont.…

Likelihood Analysis
Descriptor Likelihood
Almost certain above 60%
Likely 40 to 60%
Possible 20 to 40%
Unlikely 10 to 20%
Rare 0 to 10%
Explanation of Historical Basis of Likelihood
May occur at least once a month
May occur at least once a quarter
May occur at least once semi‐annually
May occur at least once a year
May occur once every 5 years
02 Risk Analysis Cont.….
22
COOPERATIVE BNAK OF OROMIA | https://coopbankoromia.com.et/
6/13/2024

Impact Analysis
Sco
re
Rating Financial loss Health and safety Reputation and Image Performance Regulatory
1.
Insignific
ant
Less than 0.005% of the
Bank’s capital.
No or only minor personal injury or
health impact; First aid needed but
no days lost.
No local media attention or coverage Up to 5% variation
on objectives
accomplishment.
No noticeable regulatory impacts;
2.
Minor
[0.005% to 0.01%] of
the Bank’s capital.
Minor injury; Medical treatment and
up to 1 week incapacity to resume
work.
Low local news coverage but not appearing on
news headlines or not shared by social media; but
quickly remedied.
(5% - 10%]
variation on
objectives
accomplishment.
 Temporary non-compliance with
regulatory requirements;
 verbal corrective advice or
warning from regulatory organ.
3.
Moderate
(0.01% to 1%] of the
Bank’s capital.
 Noticeable or significant
injuries or health impacts;
 Possible hospitalization and
up to 1 month incapacity to
resume work.
 Moderate local news coverage, (national
short period of time negative media
coverage).
 Appearing on news headlines of less than
three mass media or shared by one social
media.
(10%-25%]
variation on
objectives
accomplishment
 Short period of time non-
compliance with significant
regulatory requirements.
 Written warnings from regulatory
organ.
4.
Major
(1% to 5%] of the
Bank’s capital.
Single death and/or long-term
illness or multiple serious injuries or
health impacts.
 High local news profile, (National long
period of time negative media coverage);
 Appearing on news headlines of more than
three mass media and shared by more than
one social media.
 Significant loss of market share.
(25%-50%]
variation on
objectives
accomplishment
 Significant non-compliance with
essential regulatory
requirements.
 Financial loss and imprisonment
of staff.
5.
Extreme
Greater than 5% of the
Bank’s capital.
Multiple deaths or very sever health
crises/injuries/ disabilities
 Widespread local and international news
coverage, and almost all social medias;
 international long period of time negative
media coverage; game-changing loss of
market share
More than 50%
variation on
objectives
accomplishment
 Long period of time or indefinite
non-compliance with essential
regulatory requirements;
 Partial or full business
closure/business discontinuation
02 Risk Analysis Cont.….

03 Risk Matrix
1-3
4-6
8-12
15-25
Low Risk
Moderate Risk
High Risk
Very High Risk

04 Risk Treatment

04 Risk Treatment Cont….
Action Plans
If the selected risk
response option is
‘Reduce’ the actions
to be performed
should be relevant
to reduce the risk
event
Relevant and
actionable activities to
be performed to
achieve the selected
appropriate risk
response option.

2002
is tracking how well
the overall ORM is
doing in line with the
predefined framework.
helps banks to identify
operational gaps and
control weaknesses so that
appropriate adjustments
could be carried out.
Action plan
implementation
and ORA status
(Progress) Follow-
up
05 Risk Monitoring

05 Risk Monitoring Cont.…

Thank you

Operational Risk Managment, ORM refined,approved.pptx

More Related Content

Similar to Operational Risk Managment, ORM refined,approved.pptx

More from Shiferaw Biru

Recently uploaded

Operational Risk Managment, ORM refined,approved.pptx