P. 1
Operational Risk Management

Operational Risk Management

|Views: 31|Likes:
Published by Uzair Shakeel
Article on Operational Risk
Article on Operational Risk

More info:

Published by: Uzair Shakeel on Feb 28, 2013
Copyright:Attribution Non-commercial


Read on Scribd mobile: iPhone, iPad and Android.
download as DOCX, PDF, TXT or read online from Scribd
See more
See less





Operational Risk Management (ORM) Framework in Banks and Financial Institutions

Roadmap to Advanced Measurement Approach (AMA) and better business performance Alan Greenspan, Chairman of the Federal Reserve American Bankers Association, during Annual Convention on October 5, 2004 held, “It would be a mistake to conclude that the only way to succeed in banking is through ever-greater size and diversity. Indeed, better risk management may be the only truly necessary element of success in banking.” Banks and financial institutions are undergoing a sea change and today face an environment marked by growing consolidation, rising customer expectations, increasing regulatory quirements, proliferating financial engineering, uprising technological innovation and mounting competition. This has increased the probability of failure or mistakes from the operations point of view – resulting in increased focus on managing operational risks. Operational risk losses have often led to the downfall of financial institutions, with more than 100 reported losses exceeding US$100 million in the recent years. The regulators of financial companies and banks are demanding a far greater level of insight and awareness by directors about the risks they manage, and the effectiveness of the controls they have in place to reduce or mitigate these risks. Further, compliance regulations, like Basel II and SOX, mandate a focus on operational risks, forcing financial organizations to identify, measure, evaluate, control and manage this ubiquitous risk. This has led to an increased emphasis on the importance of having a sound operational risk management (ORM) practice in place, especially when dealing with internal capital assessment and allocation process. This makes ORM one of the most complex and fastest growing risk disciplines in financial institutions.

Operational Risk: Changing Face of Compliance
Old perceptions and behaviors towards risk are changing. ORM is acquiring new credibility as a roadmap to add value to the business; and is garnering new attention from regulators and key stakeholders. A recent Chartis Research's1 report on ORM systems, suggests that the worldwide financial services ORM market will continue to grow, reaching a total value of $1.55 billion by 2011. This indicates a growing concern among banks and financial institutions for managing their operational risk. The report has three main findings:

 

Many US and European financial institutions continue to replace their first generation ORM systems largely due to inflexible and rigid product design and the ongoing evolvement of ORM methodologies. Some market segments, such as emerging regions (e.g. Middle-East, Asia-Pacific, South America), and vertical sectors (e.g. insurance, asset management) have begun investing in formal and sophicticated ORM systems.

Average investment in ORM projects is increasing, as more and more financial institutions are focusing on ORM's strategic business benefits

The second key development is the launch of the Basel II Capital Accord (the New Accord) by the Basel Committee for Banking Supervision.S. It is imperative to strengthen the soundness and stability of operational risk management practice by employing Advanced Measurement Approach (AMA). The road ahead should lead to “Advanced Measurement Approach” (AMA) as described under Basel II accord. the report claims financial institutions working on the demand side of the market are reexamining their approach. As summed up by a U. Further. Additionally. For example. One of the major improvements in Basel II is that it ensures closer linkages between capital requirements and the ways banks mange their actual risk. there is a growing acknowledgement from banks that a consistent and effective operational risk management framework can help them achieve organizational objectives and superior performance. data infrastructure and analytical capabilities. culture and systems for managing operational risk. in order to ensure that it does not become a significant source of competitive inequity over rival banks & financial institutes. Firms focused on competing effectively are already incorporating . banks are making significant investments to improve their internal risk processes. by including a well-constructed operational risk process in the entire value chain. To comply with the accord. In many instances an early involvement of operational risk management can increase the development speed of new initiatives. There are two main drivers for this development. AMA fosters risk sensitive environment and promotes efficiency in managing risk. a bank can help ensure that the risks inherent in those activities are understood and addressed. regulator. “The advanced approaches of Basel II represent a sea change in how banks determine their minimum level of required capital for regulatory purposes. It intends to better align regulatory capital with inherent risks and banks' internal economic capital” The advanced approach for measurement of operational risk requires economic capital to be calculated on the basis of bank‟s own operational risk management & measurement technique. Firstly. which requires banks to set aside regulatory capital for operational riskan important development that has affected most financial services institutions worldwide.

operational risk incidents. it also offers many implementation challenges. Despite the industry's efforts to control operational risk.many elements of the Basel II requirements into their risk and capital management practices. The need for historical data (including external data) has been a cause for concern for many enterprises. risk and control profiles. one of the U. As a result.” Although Basel II compliance opens up many strategic opportunities to leverage improved data standards and risk management practices.  Lack of Systematic Measurement of Operational Risk: Many enterprises hold that their institutions are measuring operational risk. Challenges of Managing Operational Risk The discipline of operational risk is at a crossroads. The next section highlights the major challenges in successfully implementing ORM. stressed. many organizations are looking to go beyond traditional siloed approaches and implement a consolidated ORM framework across entire value chain. for example. Susan Schmidt Bies2. Development of an ORM model as part of a regulatory and economic capital . and its implications on efficient financial intermediation.S. risk reports.  Implementing ORM Systems: Amid regulatory efforts to re-vamp the industry‟s immunity to operational risk. very few of them have been able to complete the Basel II quantification requirements. institutions still have much work to do. and rules and definitions for regulatory capital and economic capital reporting.  Development of Loss Databases: A well-structured operational risk framework requires development of business-line databases to capture loss events attributable to various categories of operational risk. However. „What does the advanced measurement approach‟s (AMA) modeling techniques say about the operational risks my firm is facing?‟.  Access to Appropriate Information and Reporting: Effective management of operational risk requires diverse information from a variety of sources-including. Let‟s take a look at some of the unique challenges that ORM brings:  Rising Costs of Compliance: Development of an ORM model as part of a regulatory and economic capital framework is complex and takes time. regulators. „What is the strategic role of operational risk my firm should adopt?‟. as a blueprint fo improved growth and profitability. Basel II compliance programs offer a rare opportunity to rethink the way banks approach risk measurement and managementz and to look again at how risk measures can be integrated with each other and with management‟s approach to running the business. risk heat maps. but rather as a foundation for risk management practices that will strengthen the value of the banking franchise. „How does the discipline add value to my organization?‟. or yet to formalize the measurement process around the Basel II framework. Basel II specifically requires a minimum of three years of data for initial implementation and ultimately five years for the Advanced Measurement Approaches (AMA). There is a general agreement that the major ORM challenge is escalating cost of compliance. key risk indicators. Risk Managers are grappling with questions like. “The emphasis in the new Accord on improved data standards should not be interpreted solely as a requirement to determine regulatory capital standards.

which spells out how to introduce ORM principles. HSBC3 has invested heavily in understanding customer behavior through new systems initially designed for fraud detection. demonstrate their support for its management.integrating risk management practices into processes. allowing it to take a more proactive approach. or may not yet have in place the required governance or framework. and designate an appropriate managing entity and framework . if bank‟s top leaders perceive operational risk management solely as a regulatory mandate. they may tend to be less supportive of such efforts. contributing to optimal return for stakeholders. Next section throws light on essentials of an ideal operational risk framework. as well as on loss reduction. Building an Operational Risk Framework Operational risk management is at the core of a bank's operations . The ORM group of an organization keeps its people up-to-date on problems that have happened to other financial institutions. improved productivity and quality. and lack of meaningful and timely data across business unit and product lines make the implementation of an ORM system all the more formidable. rather than as an important means of enhancing competitiveness and performance.one that is part of the bank‟s overall corporate governance framework.driven by the top management and adhered by the bottom line. As a pro-active partner to senior management. For instance. companies can ensure that all operational risks management initiatives are sustained and are aligned with the corporate strategy. Some banks may either still be struggling with the requirements of the "Sound Practices for ORM" BIS paper. ORM's value lies in supporting and challenging them to align the business control environment with the bank's strategy by measuring and mitigating risk exposure. By adopting an integrated operational risk framework. "Our goal is for employees to look at ORM . however. Management and the board must understand the importance of operational risk. Factors like lack of understanding of upcoming technology regarding operational risk management.framework. failure to get the top management to focus on the benefits of the program.  Tone at the Top: Effective risk management program starts with “The Tone at the Top”. which is now being leveraged beyond compliance to address more effective customer service. However. is complex and takes time. systems and culture.

" What elements should a financial institution consider when developing an analytical framework for operational risk? There is no „one-size-fits-all‟ approach to ORM – as every enterprise follows a framework that is specific to its own internal operating environment. decide. and processes for daytoday risk management. Ultimately." said senior vice president of Operational and Compliance Risk Management Group. A noted financial services company. It defines overall operational risk culture in organization. A successfully executed risk strategy often results in risk being firmly embedded in the vision. Governance sets the precedence for Strategy. tools.bank protection. There should be a strategic policy at the board level to focus on managing risk all levels and conscious efforts should be made to ensure that these policies are communicated at all levels and across entire value chain. The company has implemented an operational risk umbrella that encompasses all aspects of potential risks .as a business stakeholder and a shareholder. Structure and Execution. strategies. Understanding our risks should lead to better decision making and refelect in our performance”. fraud prevention. Adopting an operational risk strategy aligned to risk appetite. a risk expert notes. involving them on all levels and bring stability into their jobs. and sets the tone as to how a bank implements and executes its operational risk management strategy. the Operational risk framework should not merely be Baselcompliant. policies. Depending upon the criticality of internal operating environment and key external factors.  Appetite and Policy: An ideal risk management process ensures that organizational behavior is driven by its risk appetite. audit and supervise their strategic risks. “There is no "standard" standard. When inquired about the standard ORM framework. "We utilize our ORM practices to gain respect and appreciation of all our business lines by really understanding their issues.  Strategy: A bank‟s strategy for operational risk drives the other components within the management framework and provides clear guidance on risk appetite or tolerance. capture of operational loss data.  Periodic Evaluations Based on Internal & External Changes: An ideal risk management process puts improvement of risk performance on a competitive level with other important mission concerns – periodically evaluating the ORM performance goals in the light of internal and external factors. assess. A robust operational risk management framework is made up of the following core components:  Governance: It is the process by which the Board of Directors defines key objectives for the bank and oversees progress towards achieving those objectives.  Clear Definition & Communication of Policy: An organization‟s top management must identify. key risk indicators. it should also provide the bank with mechanisms for improving overall risk culture and behavior towards operational risk management. organization must review the strategic policies inside out. leads to informed business and investment decisions. and tactics of the organization. Its Chief Risk officer quotes. . incorporates its ORM approach as an extension of its business line and not a separate entity. business line risk oversight and new products and initiatives for data security. implement. on the other hand. and being part of the overall solution.

and select and prioritise appropriate mechanisms for mitigation. . developing risk measurement models to assess regulatory and economic capital. Centralized aggregation of operational risk information collected via various self assessments across the organization. The results of the risk assessment and quantification process enables management to compare the risks with its operational risk strategy and policies. The first step includes identification and assessment of operational risk inherent in day-to-day processes of the bank.  Execution: Once operational risk management structure have been established by an organization adequate procedures should be designed and implemented to ensure execution of and compliance with these policies at business line level. by considering the drivers or causes of the risk together with the assessment of its impact. This includes initiatives like laying down a hierarchical structure that leverages current risk processes. identify those risk exposures that are unacceptable to the institution or are outside the institution's risk appetite. further. After assessment of inherent risk.and allocating economic capital vis-à-vis the actual risk confronted. Structure: When designing the operational risk management structure. This is commonly accomplished by calculating the probability/ likelihood of materialization of risk. provides useful insight for the desired hierarchial structure. The implementation of these concepts allows risk to be handled consistently throughout the organization. target tolerance limit of risk should be established. the bank's overall risk scenario should serve as a guideline.

Consistent and timely operational risk management information and reporting capabilities: Through the development of a well-tailored risk management strategy. enabling the organization to evaluate the risk controls. a robust ORM system supports features like role-based dashboards. efficient allocation and utilization of operational risk capital can be ensured. Regular reviews must be carried out. based on the identified inherent risk. it is essential that the top management ensures consistent monitoring and controlling of operational risk. control diagrams and scorecards that provide visibility into the ongoing risk management efforts and bring high-risk areas into focus. Further. such alignment must be based on a clear vision of the potential benefits. they are becoming increasingly valuable to the business. To be successful. An essential element of a risk-smart environment is that it ensures that the organization has the capacity and tools to be innovative while recognizing and respecting the need to be prudent in protecting its interest. It not only streamlines the risk management process.Finally appropriate risk mitigation and internal controls procedures are established by the business units such that residual risk is mitigated to the acceptable level. and to measure the residual risk which remains after the implementation of controls. roles and responsibilities for managing operational risks: Clear cut specification of roles and responsibilities of personnel regarding risk profile is an imperative part of implementing an integrated ORM framework. but also allows risk managers to better incorporate accountability into the work culture of the organization. Operational risk metrics or “Key Risk Indicators” (KRIs) are established to ensure timely warning is received prior to the occurance of an event. these efforts can be leveraged and aligned with business performance management. and that risk information is received by the appropriate people. on a timely basis. however. in conjunction with related risk management activities. Few of the benefits are discussed below:  Identified and assessed key operational risk exposures: ORM enables an organization to identify measure. Elements like Risk Assessment. Perceived initially to support regulatory requirements. thereby ensuring business operations are conducted within acceptable risk limits. To ensure continuous risk . monitor and control its inherent risk exposures of the business at all levels. and gain both the support and the confidence of management.  Ensured continuous risk management learning: Most business units today acknowledge that continuous learning is fundamental to more informed and proactive decision-making. Business Benefits: Moving Beyond Compliance As ORM efforts mature. in a form and format that will aid in the monitoring and control. to analyse the control environment and test the effectiveness of implemented controls. Key to effective KRIs lies in setting threshold at the acceptable level of risk. Event Management. and Key Risk Indicator play an important role. and a successful learning organization must align itself to the businesses it supports.   Evolved and enabled efficient allocation of operational risk capital: With streamlined risk management process.  Sustained risk-smart workforce and environment: Application of an ORM framework.  Clarified personal accountabilities. Execution and implementation of Operational Risk framework is key to setting up effective Operational Risk environment ensuring that business is conducted within appropriate risk tolerance limit. will support a cultural shift to a risk-smart workforce and environment in the organization.

these business units are sharing their experience and best risk management practices . MetricStream Solution for ORM MetricStream offers industry‟s most advanced and comprehensive solution designed to meet Operational Risk needs of banks & financial services.in a single solution.a reusable library of risks and their corresponding controls and assessments. capacity building and continuous improvement. MetricStream uniquely combines software and content to deliver ORM solutions content helps define the scope of processes and sub-processes for which risk management needs to be performed and guides development of control and test libraries.management learning. results from individual assessments. and fosters an environment that motivates people to learn. key risk indicators. It supports risk assessment and computations based on configurable methodologies and algorithms giving an insight into organizations risk profile enabling . Its embedded best practices Expected loss is the amount a business should budget to cover its annual cost of operational failure while unexpected loss is the amount the business ought to reserve as capital.internally and across organizations. It brings together all risk management related data . events such as losses and near-misses. It also provides other intelligent and content driven features such access to training content from an expert community from within the solutions and integration of business processes with regulatory notifications and industry alerts. issues and remediation plans . By taking a holistic approach to ORM an organization can significantly lower its risk profile and improve responsiveness to risk scenarios leading to strategic and operational benefits. However. successfully navigating the road from compliance to value creation can be daunting without a roadmap and a clear vision. The solution is based on an integrated Enterprise Compliance Platform (ECP) for successfully managing risk and meeting regulatory requirments while lowering the associated costs that can otherwise be substantial. a proven infrastructure for building risk and compliance application. Key components of MetricStream solution for ORM would include:  Risk Analysis and Risk Self Assessment: The MetricStream solution for ORM provides a centralized risk framework to document all risks faced by an organization. ECP. This supports innovation. provides core modules and services to automate and streamline Opertaional Risk processes.

The repository of all assessments with an easy search capability ensures that the users can check to see if a specific control was tested. The solution supports triggering automatic alerts and notifications to appropriate personnel for task assignments for investigation and remedial action. the system provides flexibility by enabling stakeholders to configure ad-hoc or scheduled reports to view metrics on a variety of parameters such as by process. etc. and determine root causes and ownership. operational audit. risk managers can track loss incidents and near misses. by business units. etc. a systematic mechanism of investigation and remediation is set off by the underlying workflow and collaboration engine. email-based notifications and alerts and offline functionality for conducting at remote field sites allow organizations to implement the industry best practices for efficient audit execution and ensure integration of the audit process with the risk and compliance management system. including internal audit. on graphical charts that can be accessed globally and display real-time information. Advanced capabilities like built-in remediation workflows. In addition to pre-configured standard risk reports. Key risk indicators (KRIs) 11 provide capabilities for tracking risk metrics and thresholds. time tracking. Quarterly and monthly trending analysis along with the ability to drill-down into each report and dashboard to see the underlying details enables risk managers and process owners to stay in constant touch with the ground reality and progress on risk management programs. IT audits and quality audits. risks. finanacial statement audit. MetricStream's risk selfassessment capabilities enable organizations to document and evaluate their risk frameworks.  Loss Tracking and Key Risk Indicators (KRIs): With loss event tracking. assessment plans. MetricStream leverages the operational risk framework to enable companies to define a set of controls that mitigate those risks. Business process automation capabilities provide for real-time event escalation. access the assessment results and confirm whether it requires a remedial action plan. The system supports assessments based on predefined criteria and checklists and has a mechanism for scoring. data and processes to support risk management. Risk Control Self Assessment (RCSA) forms a core part of the MetricStream solution. automated risk processes and streamlined remediation of issues and action items. The solution also allows associated policy and procedure documents to be attached for reference.the risk managers to prioritize their response strategies for optimal risk/reward outcomes. remediation status.  Issue Management and Remediation: For issues arising from the assessment and auditing processes or from any other external events such as loss-events. with automated notification when thresholds are breached. Ability to drill-down provides an easy way to access the data at finer levels of detail.  Reports and Dashboards: The solution has the ability to track risk profiles. . including processes.  Internal Audit: MetricStream solution provides seamless integration with internal audit management for streamlining the auditing process in the organization. MetricStream provides facilities for both manual and automatic data inputs from internal and external data sources. tabulating and reporting results. the MetricStream solution provides seamless issue management and remediation management capabilities. highlighting key risk metrics and policy compliance. control ownership.  Control Design and Assessments: Once the key risks are identified and prioritized. It supports all types of audits. by status. events. Once issues are identified. MetricStream provides statistical and trend analysis capabilities and enables end-users to track remedies and action plans. record amounts. documented and prioritized. It provides the flexibility to manage a wide range of audit-related activities. Executive-level dashboard and reports provide visibility into the risk analysis. Automated alerts for events such as exceptions and failures eliminate any surprises and make the process predictable. key risk indicators (KRI) and controls. scenario analysis or „near-misses'.

Roadmap to Advanced Measurement Approaches (AMA) MetricStream ORM solution provides a platform for organizations to develop an integrated ORM approach which can help them qualify for Basel II AMA approach. control and mitigate operational risk. Meeting AMA qualifying criteria through MetricStream ORM solution Qualifying Criteria MetricStream solution capability Sound Operational Risk Management System   Risk & Control Self Assessment (RCSA) Key Risk Indicators (KRI) Systematic tracking of 3-5 years of historic loss data   Loss Event Database External Loss Data interface Measurement integrated in daytoday risk management Review of management and measurement processes by internal/external audit  Integrated RCSA & Loss Event Data   Internal Audit Dashboards & Reports References Operational Risk Management Systems 2008 . “well reasoned and well documented”. Switzerland OpRisk & Compliance . Solution implements strategies. measure. It ensures that the organization‟s internal systems and controls are “credible and appropriate”. Geneva. Moreover. and are capable of being “validated” by internal and external auditors.Navigating through a fragmented market Remarks by Governor Susan Schmidt Bies: At the International Center for Business Information's Risk Management Conference: Basel Summit. monitor. methodologies and risk reporting functionality to identify. it provides capability to ensure that the risk management practices are embedded across the entire value chain. “transparent and accessible”.

You're Reading a Free Preview

/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->