
Operational Risk Management

A GATEWAY TO MANAGING THE RISK PROFILE OF YOUR ORGANIZATION

Eneni Oduwole, July 2015
Content
1. Definitions of Operational Risk & Operational Risk Management
2. Elements of ORM
3. ORM Procedures
4. ORM Tools
5. Benefits of ORM

DEFINITIONS
BRIEF INTRODUCTION TO THE SUBJECT, ITS CORE
PRINCIPLES AND FRAMEWORK

What is Operational Risk?
Commonly defined as the ‘risk of loss resulting from failed or inadequate processes, people,
systems or from external events’.

It is not a control function

It involves interfacing with all departments and business units within an organization to ensure
that primary risks regarding people, process, systems and external issues

What is Operational Risk Management (ORM)?
Commonly defined as the ‘continual cyclic process which includes risk assessment, risk decision
making, and implementation of risk controls, which results in acceptance, mitigation, or
avoidance of risk’ (see Wikipedia)

Operational risk management had been defined in the past as all risk that is not captured in
market and credit risk management programs. Early operational risk programs, therefore, took
the view that if it was not market risk, and it was not credit risk, then it was operational risk
(GARP)

ORM is the discipline in an organization that manages the loss or risk of loss resulting from
improper or non-management of people, process, system and externally triggered issues

Core Principles of ORM
Accept risk only when benefits are greater than risk of loss or cost of control

Do not accept unnecessary risk; transfer or share where necessary

Anticipate and manage risk by effectively planning and monitoring

Ensure that risk decisions are made at the right level and executed organization-wide

Transparency of Risk is critical

The ORM Framework
i. Management driven
ii. Provides consistent policies and procedures to be applied firm-wide
iii. Must have a consistent and comprehensive capture of data elements
iv. Must reflect the scope and complexity of all business activities
v. Be ‘fit-for-purpose’, unique and require a tailored approach that is appropriate for the scale and materiality of the size and risks prevalent in the institution

As depicted by The Risk Mgt Association (RMA)

Governance Structure
Board • Risk appetite and tolerance

Process Owners (All Staff) • Ownership and accountability

Mgt Staff / Dept Heads / Line Managers • Business requirement

ERM / ORM • OR Risk standards and benchmarks

Internal Audit • Independent review

ELEMENTS OF ORM
HIGHLIGHTS ON THE COMPONENTS OF ORM WITH
RELEVANT EXAMPLES

Components of ORM
People Risks
• Loss of Key Staff
• Employment Laws
• Occupational Health & Safety
• Adequate Training and Skills Nurturing
• Employee collusion/fraud

Process Risks
• Input Errors
• Non-adherence to policies & procedures
• Reporting errors
• Product/Process complexity
• Project Risk

System Risks
• IT Security breaches
• System Capacity
• Data Availability
• System Suitability
• IT General Controls
• Programming errors
• Data Integrity

External Risks
• Business Continuity Mgt
• Regulatory Compliance
• Supplier Risk Mgt
• Security Risk
• Impact of macro-economic trends
• Vendor Relationship Mgt

People Risk Issues
Quality of Recruits

Sourcing and Selection strategy

Retention strategy for top-talents

Strategy for training; Acculturation of staff

Monitoring Attrition Rate and Concentrations

Managing Staff Motivation

Process Issues
Effectiveness of process designs – simple or complex; flexible or rigid

Manual vs. Automated processes; Cost effectiveness of process controls

Performance gradient monitoring

Adequacy of embedded controls; Execution of controls

Vendor Management

System Issues
Availability of core applications or systems

Network intrusion; Virus Attack

Denial of service

Data corruption or Sabotage

Unauthorised Access to Information

System Penetration Issues

www.computerweekly.com

External Events
Adherence to Regulatory Stipulations

Compliance & Legal Risk Management

Business Continuity Management

Shift in Industry trends; Global trends

Macro-economic conditions

Available Infrastructure

ORM PROCEDURES
PROCESSES, PROCESS FLOW, MEASUREMENT PARAMETERS

Processes of ORM

OPERATIONAL RISK GOVERNANCE & MANAGEMENT

1. Fraud Risk Mgt
2. Information Risk Mgt
3. Business Continuity Mgt
4. Occupational Health & Safety Mgt
5. IT Risk Assurance

1. OR Policies & Procedures
2. Risk Assessments
3. Loss Incident Reporting
4. Key Risk Indicator Monitoring

1. Compliance & Legal Risk Mgt
2. Audit Non-conformance Monitoring
3. Third Party Relationship Mgt

OpRisk Process Flow
Risk Identification: RCSA Events; KRI Trends; Loss Data; Risk Concentrations

Risk Assessment: Conduct RCSAs; Compile KRIs and Loss Incident reports

Risk Measurement: Probability & Severity Assessments; Overall Risk Ratings, Risk Concentration and Prioritization

Risk Control: Suggest required controls; Ensure cost effectiveness and appropriateness

Risk Monitoring: Report identified risks to key stakeholders; Ensure suggested mitigants are fully implemented

Measurement Parameters
Impact:
Also known as Severity
Refers to actual or estimated loss to the organization in terms of financial losses or
reputational damage

Probability:
Also referred to as Likelihood of occurrence
Used to measure the estimated frequency of an event

Both types can be measured in either Qualitative or Quantitative terms

Probability or Likelihood
Likelihood (Rating): Criteria

Almost certain (5): It is expected to happen; will certainly happen this fiscal year or during the three year period of the Service Plan

Likely (4): We expect it to happen; it would be surprising if this did not happen.

Possible (3): Just as likely to happen as not; we don't expect it to happen, but there is a chance

Unlikely (2): Not anticipated; we won't worry about it happening

Rare (1): It would be surprising if this happened; there would have to be a combination of unlikely events for it to happen

Impact
Impact (Rating): Criteria / Examples

Catastrophic (5): No recovery of outstanding debt in full; Irreparable damage to DIL's credibility or integrity

Major (4): Event that requires a major realignment of how service is delivered; Significant event that has a long recovery period; Failure to deliver major stakeholder or investors commitment

Moderate (3): Less vulnerable in the near term but faces major ongoing uncertainties to adverse business, financial and economic conditions

Minor (2): Strong capacity to meet financial commitments but more subject to adverse economic conditions; Can be dealt with at a department level but requires Executive notification

Insignificant (1): Minimal financial losses; Can be dealt with internally; No escalation of the issue required; No media attention; No or manageable stakeholder or client interest

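The Risk Measurement step above combines the two rating scales into an overall rating, then uses those ratings for prioritization and for spotting risk concentration. The following is an added example, not code from the presentation: it encodes the deck's five-point likelihood and impact scales as given, and assumes a likelihood × impact combination rule, three rating bands and a constructed sample register (the deck names the inputs but does not state the formula or the band thresholds).

```python
"""Risk rating from the deck's likelihood and impact scales.

Added example, not from the original presentation. The five-point scales
come from the two rating tables; the combination rule (likelihood x impact),
the rating bands and the sample register are assumptions made here.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Scales exactly as given in the Probability and Impact rating tables.
LIKELIHOOD = {"Rare": 1, "Unlikely": 2, "Possible": 3, "Likely": 4, "Almost certain": 5}
IMPACT = {"Insignificant": 1, "Minor": 2, "Moderate": 3, "Major": 4, "Catastrophic": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str       # People / Process / System / External (components slide)
    likelihood: str     # a key of LIKELIHOOD
    impact: str         # a key of IMPACT

    def __post_init__(self):
        # Reject ratings that are not on the deck's scales instead of failing later.
        if self.likelihood not in LIKELIHOOD:
            raise ValueError(f"unknown likelihood rating: {self.likelihood!r}")
        if self.impact not in IMPACT:
            raise ValueError(f"unknown impact rating: {self.impact!r}")

    def score(self) -> int:
        # Overall rating = likelihood x impact, range 1..25.
        # Assumed combination rule: the deck names the two inputs, not the formula.
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]


def rating_band(score: int) -> str:
    """Map a 1..25 score to a band. Thresholds are assumed for this example."""
    if score >= 15:
        return "High"
    if score >= 8:
        return "Medium"
    return "Low"


def prioritize(risks):
    """Highest score first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def concentration(risks):
    """Share of total rated exposure per category (the deck's 'risk concentration')."""
    totals = Counter()
    for r in risks:
        totals[r.category] += r.score()
    grand = sum(totals.values())
    if not grand:
        return {}
    return {c: round(v / grand, 2) for c, v in sorted(totals.items())}


def heat_map(risks):
    """Group risk names by (likelihood, impact) cell, as a 5x5 heat map would."""
    cells = defaultdict(list)
    for r in risks:
        cells[(r.likelihood, r.impact)].append(r.name)
    return dict(cells)


# Constructed sample register; the names are drawn from the components slide.
SAMPLE_REGISTER = [
    Risk("Loss of key staff", "People", "Possible", "Major"),
    Risk("Input errors", "Process", "Likely", "Minor"),
    Risk("IT security breach", "System", "Possible", "Catastrophic"),
    Risk("Denial of service", "System", "Unlikely", "Major"),
    Risk("Regulatory non-compliance", "External", "Unlikely", "Catastrophic"),
    Risk("Supplier failure", "External", "Rare", "Moderate"),
]

if __name__ == "__main__":
    for r in prioritize(SAMPLE_REGISTER):
        print(f"{r.score():>2} {rating_band(r.score()):<6} {r.category:<8} {r.name}")
    print("concentration:", concentration(SAMPLE_REGISTER))
```

With the sample register, "IT security breach" (Possible × Catastrophic = 15) sits alone in the High band, and the System category carries about 41% of the rated exposure, which is the kind of concentration the Risk Identification step feeds back into the next cycle.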
OpRisk Loss Types
Actual losses: Values related to losses already expensed by the organisation

Potential losses: Values related to incidents that are yet to be determined, usually as it relates to incidents under investigation or for which the customer is liable

Prevented losses: Values related to incidents that were frustrated because of the effectiveness of the organisation’s control mechanism

ORM TOOLS
BRIEF INTRODUCTION ON RCSA, KRI AND LOSS
INCIDENT REPORTING

Tools of ORM

Risk & Control Self Assessment (RCSA):
A simple process that captures prevalent and likely risks in a business function and suggests
required controls

It is a participative process that relies on inputs from everyone involved in running the business
or managing relevant processes

It is a qualitative exercise that should be carried out at least on a quarterly basis

Risk & Control Self Assessment (RCSA):
It should provide answers to the following questions:

What can go wrong? How can it go wrong? – Risk Factors

What is the likelihood of it going wrong? – Likelihood

What is the potential damage? – Impact

What can be done about it? – Controls

Who will do it? – Responsibility

RCSA Sample Template

Loss Incident Reporting
• Involves the Process of collating data resulting from operational risk events relating to
people, process, system and external events risks

• Assists with identifying trends

• Ensures cost-effective controls are deployed to mitigate likely risks

• Enables determination of risk concentration

Loss data includes:
– Actual losses
– Near misses (potential and prevented losses)

Sample of Loss Incident Form

Key Risk Indicator (KRI) Monitoring
• KRIs are quantitative parameters used to identify changes in the risk profile of business
activities and processes

• Close monitoring enables the following:
– Clear understanding of how risk profiles change
– Determination of volatility of risks across the business environment
– A forward looking perspective on current risk profile
– Understanding of early warning signals for emerging risks

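The four outcomes listed for KRI monitoring map onto a small amount of arithmetic over each indicator's history: direction of change, volatility, a projection and an early-warning flag. The following is an added example, not code from the presentation; the indicators, their amber/red thresholds and the monthly readings are constructed for illustration, and the linear projection is an assumed technique, not one the deck prescribes.

```python
"""KRI monitoring over a short history of readings.

Added example, not from the original presentation. It implements the four
outcomes the KRI slide lists (how the profile changes, volatility, a
forward-looking view, early warning). Indicators, thresholds and readings
below are constructed for illustration.
"""
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class KRI:
    name: str
    amber: float             # warning threshold (assumed value)
    red: float               # breach threshold (assumed value)
    higher_is_worse: bool = True


def status(kri: KRI, value: float) -> str:
    """Traffic-light status of one reading against the KRI's thresholds."""
    if kri.higher_is_worse:
        if value >= kri.red:
            return "Red"
        return "Amber" if value >= kri.amber else "Green"
    if value <= kri.red:
        return "Red"
    return "Amber" if value <= kri.amber else "Green"


def slope(values):
    """Least-squares slope per period: how fast the indicator is moving."""
    n = len(values)
    if n < 2:
        return 0.0
    xbar = (n - 1) / 2
    ybar = mean(values)
    num = sum((x - xbar) * (y - ybar) for x, y in enumerate(values))
    den = sum((x - xbar) ** 2 for x in range(n))
    return num / den


def volatility(values):
    """Population std dev of period-over-period changes (0.0 if too few points)."""
    changes = [b - a for a, b in zip(values, values[1:])]
    return pstdev(changes) if len(changes) > 1 else 0.0


def assess(kri: KRI, history, horizon: int = 1) -> dict:
    """Summarise one KRI: current status, direction, volatility and a projection."""
    current = history[-1]
    s = slope(history)
    if abs(s) < 1e-9:
        trend = "flat"
    else:
        # Rising is bad for a "higher is worse" KRI, falling is bad otherwise.
        trend = "worsening" if (s > 0) == kri.higher_is_worse else "improving"
    projected = current + s * horizon   # linear projection `horizon` periods ahead
    now, later = status(kri, current), status(kri, projected)
    return {
        "kri": kri.name,
        "current": current,
        "status": now,
        "trend": trend,
        "volatility": round(volatility(history), 4),
        "projected": round(projected, 4),
        # Early warning: still Green today, but the trend crosses a threshold.
        "early_warning": now == "Green" and later != "Green",
    }


# Constructed sample indicators with five monthly readings each.
SAMPLE_KRIS = [
    (KRI("Failed payment transactions (%)", amber=2.0, red=3.0), [0.8, 1.0, 1.3, 1.5, 1.8]),
    (KRI("Staff attrition (%)", amber=8.0, red=12.0), [7.0, 7.6, 8.1, 8.4, 9.0]),
    (KRI("System availability (%)", amber=99.5, red=99.0, higher_is_worse=False),
     [99.9, 99.8, 99.7, 99.6, 99.6]),
]


def monitor(samples=SAMPLE_KRIS):
    """Assess every (KRI, history) pair; returns one report per indicator."""
    return [assess(kri, history) for kri, history in samples]


if __name__ == "__main__":
    for report in monitor():
        print(report)
```

In the sample data the failed-payments KRI is still Green but its trend projects past the amber threshold next period, which is exactly the early warning the slide describes; attrition is already Amber and worsening; availability is Green yet drifting downwards, so it is flagged as worsening without an alert.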
Sample of KRI Dashboard

BENEFITS OF ORM
REASONS FOR INVESTING IN ORM

Values of ORM
Improved quality
Cost savings
Stability of earnings; Reduced Volatility
Enhanced competitive position of the organization
Operational efficiency
Assured long-term survival
Compliance with best global practices
Enhanced Shareholder Value

Risk Reward

ORM is Simply Good Business

Good Operational Risk Management → Fewer Surprises → Increased Shareholder Value

Thank you…
