TABLE OF CONTENTS
Acronyms ..... 2
INTRODUCTION ..... 3
I: OVERVIEW OF OPERATIONAL RISK MANAGEMENT ..... 5
1.1 What is Risk? ..... 5
1.2 Banks Exposure to Risk ..... 5
1.3 The Increasing Importance of Operational Risk Management ..... 9
1.4 Benefits and Opportunities of ORM ..... 10
1.5 Defining Features of Operational Risk ..... 10
1.6 Operational Risk Perspectives ..... 12
1.7 Operational Key Risk Indicators ..... 14
1.8 Operational Risks and Internal Control ..... 18
1.9 Operational Risk Treatment/Mitigation Options ..... 21
1.10 Examples of High Magnitude Operational Losses ..... 27
II. OPERATIONAL RISK GOVERNANCE AND FRAMEWORK ..... 33
2.1 The Operational Risk Management Framework ..... 33
2.2 Basel Principles on Operational Risk Management ..... 35
2.3 CBE’s Operational Risk Management Framework ..... 38
2.4 Risk Appetite ..... 42
III. THE OPERATIONAL RISK MANAGEMENT ..... 44
3.1 Planning and Scope of the ORM ..... 44
3.2 Operational Risk Identification ..... 45
3.2.1 How to Perform Risk Identification ..... 46
3.2.2 Describing the Identified OR Event ..... 62
3.2.3 OR Categorization ..... 65
3.3 Operational Risk Assessment ..... 69
3.4 Operational Risk Treatment/Mitigation ..... 73
3.4.1 Developing a Risk Response Plan/Strategy ..... 74
3.4.2 How to Respond to Risks? ..... 74
3.5 Operational Risk Monitoring ..... 77
3.5.1 Developing Key Risk Indicators (KRIs) ..... 80
Fig. 4.5 Development Process of KRI ..... 81
3.5.2 Capturing Loss Data Base ..... 85
PART IV: BUSINESS CONTINUITY MANAGEMENT ..... 92
4.1 Concepts and Perspectives of BCM ..... 92
4.2 Objectives of BCM ..... 94
4.3 Importance of Business Continuity Management ..... 95
4.4 Link with Risk Management ..... 96
4.5 Basic Requirements of BCM ..... 97
Annex 1: ORA Reporting Template ..... 105
Annex 2: Checklist of Important Steps of the ORA Process ..... 113
Annex 3: Glossary ..... 115
References ..... 120
Acronyms
AMA – Advanced Measurement Approach
IS – Information System
IT – Information Technology
OR – Operational Risk
PC – Process Council
RM – Relationship Manager
INTRODUCTION
The Strategy of the CBE has brought many changes. For instance, the Bank has
expanded its branches, made greater use of automated technology, increased its
service outlets, introduced new products and services, engaged in outsourcing
arrangements and maintained a large number of staff to sustain its growth. These
and other changes are expected to raise the operational risk profile of the Bank
to a much higher level than before.
Proper management of operational risk needs a well defined framework. Hence the
CBE has developed this Operational Risk Management Guideline (ORMG), which
addresses the basic definition of OR, the roles and responsibilities of Bank
personnel with respect to the operational risk management exercise, the ORA
process and the monitoring mechanisms for operational risk events.
1.1 What is Risk?
In finance, risk is the fundamental element that affects financial behaviour. There
is no unique or uniform definition of risk, but this is not surprising: the definition
depends on the context and the purpose for which one wishes to formulate the
concept of risk.
From CBE’s perspective, risk is defined as “the possibility that an event will occur
and adversely affect the achievement of the objectives”. An event, according to
COSO ERM, is “an accident or occurrence, from sources internal or external to an
entity, that affects achievement of objectives”.
Banks are subjected to a wide array of risks. These risks can be classified in
various ways and from various perspectives. For the purpose of this training
manual the most widely used classification is employed. According to this
classification, banking risks fall under two categories: financial and non-financial
risks.
Financial risk is an umbrella term for multiple types of risk associated with
financing that directly affect the financial performance of the bank. Credit,
liquidity and market risk are the three types of financial risk in the banking
industry. Financial risks are subject to complex interdependencies that may
significantly increase a bank’s overall risk profile. For example, a bank
engaged in the foreign currency business is normally exposed to currency risk,
but it will also be exposed to additional liquidity and interest rate risk if the
bank carries open positions or mismatches in its books.
1. Credit risk is the potential loss a bank would suffer if a bank borrower, also
known as the counterparty, fails to meet its obligations to pay interest on the loan
and repay the amount borrowed in accordance with the agreed terms.
2. Market risk is the risk of losses to the bank arising from movements in
market prices as a result of changes in interest rates, foreign exchange rates, and
equity and commodity prices. The components of market risk are as follows:
• Interest rate risk is the potential loss due to movements in interest rates. This
risk arises because bank assets (loans and bonds) usually have a significantly
longer maturity than bank liabilities (deposits). This risk can be conceptualized in
two ways. First, if interest rates rise, the value of the longer-term assets will tend
to fall more than the value of the shorter-term liabilities, reducing the bank’s
equity. Second, if interest rates rise, the bank will be forced to pay higher interest
rates on its deposits well before its longer-term loans mature and it is able to
replace those loans with loans that earn higher interest rates.
Foreign exchange risk is the risk that the value of the bank’s assets or
liabilities changes due to currency exchange rate fluctuations. Banks buy and
sell foreign exchange on behalf of their customers (who need foreign
currency to pay for their international transactions or receive foreign
Equity risk is the potential loss due to an adverse change in the price of
stock. Stock, also referred to as shares or equity, represent an ownership
interest in a company. Banks can purchase ownership stakes in other
companies, exposing them to the risk of the changing value of these shares.
Market risk tends to focus on a bank’s trading book. The trading book is the
portfolio of financial assets such as bonds, equity, foreign exchange, and
derivatives held by a bank either to facilitate trading for its customers or for its
own account, or to hedge against various types of risk. Assets in the trading book
are generally made available for sale, as the bank does not intend to keep those
assets until they mature. Assets in the bank’s banking book (held until maturity)
and trading book (not held until maturity) collectively contain all the various
investments in loans, securities, and other financial assets the bank has made
using its deposits, loans, and shareholder equity. Distinguishing between the
trading and banking books is essential to how banks operate and how they
manage their risks.
3. Liquidity risk: The risk of inability to fund increases in assets and meet
obligations as they come due, such as inability to raise money in the long-term or
short-term debt capital markets, or an inability to access the repurchase and
securities lending markets. Generally, liquidity risk is classified as funding and
trading liquidity risks.
■ Business and Strategic Risk: The risk that a bank would have to modify its
line of behaviour and activity in order to cope with changes in the economic and
financial environment in which it operates. [For example, a new competitor can
change the business paradigm, or new strategic initiatives (such as development
of a new business line or reengineering an existing business line, for example, e-
banking) can expose the bank to strategic risk. Many strategic risks involve timing
issues, such as the inability to keep up with rapid technological changes and the
increasing use of the Internet.]
■ Reputational risk: The potential that negative publicity regarding the bank’s
business practices, whether true or not, will cause a decline in the customer base,
costly litigation, or revenue reductions. This definition suggests that reputational
risk takes the form of an indirect, rather than direct, loss resulting from a bank’s
past business practices.
It can also be defined as the risk of loss of image through questionable business
practices, lack of customer centred approach, low standards of professionalism
and public disclosure of bank’s financial problems.
2. Operational risk: The BCBS (2004a) defines operational risk as “the risk of
loss arising from inadequate or failed internal processes, people and systems or
from external events”. This definition, which is based on the underlying causes of
operational risk, includes legal risk but excludes business and reputational risk.
The CBE has adopted the above definition, and the following table shows the
breakdown based on these underlying causes or risk factors:
Operational Risk Management (ORM) is a value adding function in the sense that
it contributes to the smooth functioning of the business by proactively managing
potential risks and minimizing the loss that would otherwise result. The following
are some of the benefits of operational risk management:
• Enhances a bank’s early-warning system and strategy development;
• Helps to identify the important and relevant risks amongst all that can go
wrong with the business objective;
• Ensures that the process of risk management is developed and risks are
managed throughout the Bank in a consistent manner;
• Promotes a culture of “risk awareness”;
• Combats a “risk averse” mentality;
• Guides performers involved in the risk management process;
• Assists performers in prioritizing risks for further action; and
• Reports the risk profile of the bank to the BoDs and the Process Council for
informed decision making.
Operational losses can be internally inflicted or can result from external sources.
Internally inflicted sources include most of the losses caused by human, process,
and technology failures, such as those due to human errors, internal fraud,
unauthorized trading, injuries, and business delays due to computer failures or
telecommunication problems. External sources include man-made incidents such
as external fraud, theft, computer hacking, terrorist activities, and natural
disasters such as damage to physical assets due to floods, and fires.
Direct losses are the losses that directly arise from the associated events. For
example, an incompetency can result in a loss for a bank. Indirect losses are
Some operational losses are expected; some are not. The expected losses are
generally those that occur on a regular (for example, daily) basis, such as minor
employee errors. Unexpected losses are those losses that generally cannot be
easily foreseen, such as natural disasters and large-scale internal fraud.
d) Operational Loss Severity and Frequency
We have already stated that expected losses generally refer to the losses of low
severity (or magnitude) and high frequency. Generalizing this idea, operational
losses can be broadly classified into four main groups:
1. Low frequency/low severity
2. High frequency/low severity
3. High frequency/high severity
The distinction between the three is comparable to cause and the effect:
Thus, hazard potentially leads to events, and events are the cause of loss.
Therefore, an event is the effect of a hazard while loss is the effect of an event.
KRIs are metrics capable of showing that a bank is subject to, or has a high
probability of being subject to, a risk that exceeds the defined risk appetite. They
are parameters which can act as indicators and which can be seen to be
predictive regarding changes in the risk profile of a bank’s business. An indicator
becomes key when it tracks an especially important exposure or indicates a
significant risk of the bank.
KRIs then are measures which indicate the level of, and changes in, the
bank’s risk profile. This is achieved by focusing KRIs on the root causes of
potentially significant risk events and exposures, as illustrated below.
[Figure: Cause 1, Cause 2 and Cause 3 lead to a Risk event, which in turn
produces Effect 1, Effect 2 and Effect 3.]
The following list provides generic examples of key risk indicators related to the
basic risk categories of operational risk sources—people, processes, system and
Control activities are policies and procedures that ensure management directives
are executed; they ensure necessary actions are taken to address risks to the
achievement of corporate objectives. They may include:
The control activities shall involve all staff and management of the bank and
enable quick responses to changing conditions while avoiding unnecessary costs.
When designing and implementing control activities, process owners shall consider
the following:
The cost of establishing the control activities shall not exceed the
benefits that would be realized by the bank if the undesirable event is
avoided.
The identified risk shall be prioritized and considered against the existing controls
so that the residual risk shall be identified after the existing controls have been
applied to the inherent risks.
Inherent Risk: the risk in a business or process before the effect of any
risk mitigation, control or transfer activities.
Current risk: is the actual risk today, i.e., inherent risk with current risk
responses applied.
[Figure: Inherent Risk, Current Risk and Residual Risk]
Inherent Risk: risk without taking into account any risk responses applied.
Current Risk: actual risk today, i.e. inherent risk with current risk responses
applied.
Residual Risk: risk with additional risk responses applied; additional risk
responses are identified based on analysis of the current risk. Equal to current
risk where no additional risk responses are applied.
one or more risks. As discussed in part two of this training manual,
there are four internationally accepted risk treatment/response options.
The risk mitigation strategies for operational risks fall into the same four general
categories of risk mitigation used for managing risks of all types. These are:
i. Risk Avoidance
In a cost-benefit analysis, a bank should opt for risk avoidance if the expected
margin of activities is lower than the expected risk cost taking account of all the
risks. Such activities should be abandoned or not be launched in the first place.
Such a decision has to consider several aspects, such as time horizon, available
specialized expertise, strategic objectives and reputational risks.
(a) Insurance
There should be close cooperation between the risk controlling units responsible
for operational risks and the unit in charge of taking out insurances in the
company. In some banks, the operational risk unit is put in charge of insurances
against operational risks. At any rate, it makes sense to develop an insurance
concept as a basis for taking out insurances. Moreover, there should be regular
coordination with risk policy and risk strategy.
Examples of typical insurance products offered for operational risks in banking
are:
• property insurance,
• business interruption,
• computer crime,
• bankers professional indemnity – mistakes made by employees,
• directors and officers liability – breach of a duty of diligence by directors
and officers,
• employment practices liability,
• economic crime,
• unauthorized trading, and
• vault and transport of cash.
(b) Outsourcing
At first glance, outsourcing solutions apparently result in “shuffling off ” the risk
related to the relevant activities. In fact, however, the way in which the risk
situation of a credit institution is changed by outsourcing has to be carefully
studied on a case-by-case basis:
At any rate, outsourcing always gives rise to a business partner risk, i.e.
the risk that the business partner does not fulfil the obligations under the
outsourcing agreement. The causes may range from quality problems
(process or system failures or mistakes made by employees of the
outsource provider) and contractual disputes to the partner’s bankruptcy.
As a consequence of such problems, the services outsourced may not be
rendered in the quality required, only to a limited extent or, in extreme
cases, not at all.
In addition, account has to be taken of legal risk which may arise from
usually complex contractual relations between a credit institution and its
outsource provider. Fuzzy provisions governing the duties of the outsource
provider or liability issues may lead to protracted legal proceedings to
clarify who is responsible for a loss event. Ultimately, the credit institution
itself may even have to bear the loss in full or in part so that, in fact,
conventional system or process risk was only replaced by a special legal
risk without improving the risk situation of the institution.
The risk of losing control of core processes finally results from inadequate
secondary obligations of the outsource provider. If the outsourcing credit
institution is not given adequate control, information and auditing rights
beforehand, a kind of “black box” or “blind spot” emerges for risk
management in the field outsourced. Thus, the quality of the processes
outsourced cannot be appropriately assured nor verified. This highly
Has the outsourcing company adequate control rights for assessing the
situation in the fields outsourced? Possible options range from appropriate
reporting lines to information, inspection and access rights and regular
external audits. Moreover, measures have to be taken to ensure that the
outsourcing of company parts or functions does not hamper or restrict the
supervisor’s activities.
v. Exploiting risk
Exploiting risks that represent a missed opportunity (i.e. exploiting the risk
factors by implementing strategies to take advantage of the opportunities
presented by such risk factors).
The world financial system has been shaken by a number of banking failures over
the last 20 years. More than 100 operational losses exceeding $100 million in
Citron either did not understand the interest rate exposure of his portfolio
because he was unacquainted with the risk/return of the securities in the portfolio,
or he ignored the magnitude of the risk exposure, believing he could correctly
forecast the direction of interest rates. In any case, there were no systems in
place to monitor the portfolio’s exposure to changes in interest rates. Orange
County illustrates a combination of lack of expert risk oversight and incompetence.
In February 1995, Barings Bank declared bankruptcy. Barings Bank was the
United Kingdom’s oldest merchant bank, founded in 1762. Nick Leeson, who was
appointed the general manager of the Barings Futures subsidiary in Singapore in
1993, was assigned to exploit low-risk arbitrage opportunities that would leverage
price differences in similar equity derivatives on the Singapore Money Exchange
(SIMEX) and the Osaka exchange markets. However, due to a lack of higher
supervision, he was given control over both the trading and back-office functions.
He began taking much riskier positions by trading different amounts on contracts
of different types on the two exchanges. The derivatives contracts on the
When the market became volatile, losses in Leeson’s trading account began to
accumulate, forcing him to increase his bets in an attempt to recover losses. He
created a special secret account to keep track of his losses, account 88888. This
account had originally been set up to cover up a mistake made by an
inexperienced member of the trading team, which led to a loss of £20,000.
Leeson then used this account to cover his mounting trading losses.
Finally, the Nikkei index dropped sharply after the January 17, 1995, Kobe
earthquake in Japan, and the losses exceeded $1 billion. The fraud was only
exposed when Nick Leeson failed to show up at work at his Singapore office in
February 1995; he was attempting to flee from Kuala Lumpur to England in order
to escape the tough Far Eastern justice system. The bank was unable to sustain
the loss and announced bankruptcy. Here is an extract from Leeson’s book Rogue
Trader (1997, pp. 2–3), about his last trading day:
I knew I’d still lost millions of pounds, but I didn’t know how many. I was
too frightened to find out—the numbers scared me to death....I’d gone in
trying to reduce the position and ended up buying another 4,000
contracts....Traders looked at me and knew I’d done an amazing volume of
trade; they marvelled at the sheer amount of business I’d got through.
They wondered whether I was dealing for myself or for clients, and
whether I’d hedged, protected my position. But they knew—as the whole of
Asia did—that I’d built up an exposure to over £11 billion worth of Japanese
shares. They were doing their sums and they reckoned I was well long: it
was hard to conceal it when you stand for over 40 percent of the Singapore
market. The rest of the market had smelled what Barings back in London
were completely ignoring: that I was in so deep there was no way out.
A month later, in March 1995, the bank was purchased by the Dutch bank ING for
£1 sterling! In November 1995 Nick Leeson was sentenced to 6.5 years in a
Singaporean jail. This is another example of the dramatic consequences of internal
fraud, unauthorized trading, and poor internal surveillance and control.
On July 13, 1995, the executive vice president of Japan’s Daiwa Bank’s New York
branch, Toshihide Iguchi, confessed (in a 30-page letter to the president of Daiwa
Bank in Japan) that he had lost around $1.1 billion trading U.S. Treasury bonds.
At the time of the incident, Daiwa was one of Japan’s top 10 banks and one of the
world’s top 20 banks in terms of asset size. An astonishing part of the incident is
that Iguchi’s illegal trading had been taking place over an 11-year period. Daiwa’s
New York branch managed the custody of the U.S. Treasury bonds that it bought,
as well as those that it bought on behalf of its customers, via a sub-custody
account held at Bankers Trust. Through this account, interest on the bonds was
collected and dispersed, and bonds were transferred or sold according to the
wishes of either customers or the bank’s own managers. When Iguchi lost a few
hundred thousand dollars in his trading activities, he began selling off bonds in
the Bankers Trust sub custody account to pay off his losses, falsifying Bankers
Trust account statements so that they would not indicate that the securities had
been sold. Throughout the 11 years he forged about 30,000 trading slips and
other documents.
When customers needed to be paid interest on bonds that had been sold without
their knowledge, Iguchi would settle their accounts by selling off more securities
and further altering more records. In total, Iguchi sold off roughly $377 million of
Daiwa’s customers’ securities and $733 million of Daiwa’s own investment
securities to cover his trading losses. Shortly after the incident came to the surface
in November 1995, the Federal Reserve ordered Daiwa Bank to end all of its U.S.
operations within 90 days; by January 1996 Daiwa agreed to sell most of its U.S.
assets of $3.3 billion to Sumitomo Bank and to sell off its 15 U.S. offices.
In December 1996, Iguchi was sentenced to four years in prison and fined $2.6
million. The scandal led to Standard & Poor’s downgrading Daiwa from A to BBB
and to Japan’s Ministry of Finance imposing restrictions on the bank’s activities for
a year. In September 2000, a Japanese court in Osaka ordered 11 current and
former Daiwa board members and top executives to pay the bank $775 million as
compensation for shareholders’ damages. This is yet another example of internal
fraud and illegal trading.
Rusnak, a U.S. citizen, was nicknamed a second Nick Leeson, and entered the
league of the infamous rogue traders, together with Toshihide Iguchi. He was
sentenced to 7.5 years in federal prison, and was barred for life from working in
any financial services company. Amazingly, this case demonstrates how the
lessons from Barings Bank’s collapse of almost a decade earlier had not been
properly learned.
The collapse of Enron Corporation has been the largest bankruptcy in U.S.
history. The Enron Corporation was one of the world’s largest energy commodities
and services companies. Enron was formed in July 1985 in Houston, Texas, by a
merger of Houston Natural Gas and Inter North of Omaha, Nebraska. Initially a
natural gas pipeline company, Enron quickly entered the energy futures as energy
markets were deregulated. It entered the European energy market in 1995.
On January 25, 2001, the stock price of Enron had reached its peak at $81.39 per
share, and began to drop. Just two days earlier, on January 23, Enron’s CEO since
1985, Kenneth Lay, resigned. By the middle of August 2001, it fell to $43. At the
same time, the new CEO, Jeffrey Skilling, quit his new job after six months, for
‘‘purely personal’’ reasons. In November the price per share fell below $10, and
Enron announced $600 million in losses from 1997 to 2000. On December 2,
when the share price finally hit zero, Enron filed for bankruptcy protection,
The board of directors of Enron blamed the failure on poor information from the
accountants and the management. An investigation into the case conducted by
the Securities and Exchange Commission in 2002 suggested that Enron may have
overstated its assets by up to $24 billion due to poor accounting practices.
Their losses due to the case were estimated at over $750 million. Merrill Lynch has
been accused of a conspiracy to help Enron hide its true state of financial affairs,
and estimated its losses due to the involvement at over $80 million. Other banks
involved in the scandal, including NatWest (losses over $20 million), Citibank,
JPMorgan Chase & Co., and Salomon Smith Barney, among others, were accused
of lending Enron billions of dollars with the full knowledge that Enron was not
reporting these loans as debt on its balance sheet. This is an example of losses
due to legal liability in combination with fraudulent activities.
In June 2005, MasterCard International Inc. in the United States announced that
the names, banks, and account numbers of up to 40 million credit card holders
were feared to have been accessed by an unauthorized user. It was revealed that
a computer virus captured customer data for the purpose of fraud and may have
affected holders of all brands of credit cards. This was one in a series of recent
incidents involving security failures and external fraud. In the same month,
Citigroup said United Parcel Service lost computer tapes with sensitive
information from 3.9 million customers of CitiFinancial, a unit that provides
personal and home loans. As of 2006, the final impact (and possible losses) has
not been estimated yet.
A) Environment
It refers to the surroundings that set the tone and behaviour of the bank,
including culture and external factors. Culture, which refers to the involvement
and support of senior management and the related values and communication
that set the tone for decision making, is a component of the process because it
supports the risk management objectives. It is the set of shared attitudes, values,
goals, and practices that characterize how the bank considers risk in its daily
activities. Operational risk management becomes embodied in the culture of the
bank, in the sense that every decision must involve an explicit review of the
underlying operational risk.
B) Strategy
The strategy involves determination of business objectives, the risk appetite, the
organizational approach to risk management, and the approach to operational risk
management. Naturally, the involvement of senior management in the
formulation of the strategy is essential. The objective is to align the bank’s risk
profile (the risk that the bank wants to assume) with the selected risk appetite.
The business objectives include targets like a market share or the introduction of
new products and technology. Objectives are also stated for individual business
units. The risk appetite does not only refer to the level of acceptable risk but also
to the types of unacceptable risks. A risk map may be used as a quantifiable
measure of the risk appetite that can be used to identify unacceptable risks.
Also important are some general statements of risk management principles and a
description of the expectations for the use of tools and reporting. For example, if
there is a common self-assessment or database, the policy might state that every
business area should implement it and maintain the information in an up-to-date
manner. In short, therefore, the strategy involves:
(i) Setting effective operational risk policies and clear directions to
follow,
(ii) Establishing an effective management structure and arrangement
to deliver the policy, and
(iii) Implementing the policy through an effective operational risk
management system.
C) Process
D) Infrastructure
Infrastructure refers to the tools used to facilitate the entire risk management
process, including systems, data, methodologies as well as policies and
procedures. Data in this sense include self-assessment data, internal event/loss
data, operational data, and external loss data.
The BCBS has underscored the following guiding principles as to the management
of operational risk in banks.
A - Governance
The Board of Directors
Principle 1: The board of directors should take the lead in establishing a strong
risk management culture. The board of directors and senior management should
Principle 3: The board of directors should approve and review a risk appetite
and tolerance statement for operational risk that articulates the nature, types,
and levels of operational risk that the bank is willing to assume.
Senior Management
C - Role of Disclosure
Principle 11: A bank’s public disclosures should allow stakeholders to assess its
approach to operational risk management.
In line with the three lines of defence model, the CBE has identified the following general roles:
Likewise, the specific roles of the various organs of the CBE are shown below:
The PC shall:
- Oversee the proper implementation of this ORMG, ORM strategic actions and the appetite/limit of the Bank, as approved by LRRC;
- Provide sufficient human and technical resources to support effective management of operational risk;
- Maintain an appropriate culture and set a tone conducive to effective and transparent ORM;
- Define Processes’ responsibilities in ORM, and eliminate gaps and overlaps in the ORM responsibilities and authorities; and
- Ensure that appropriate remedial actions are taken whenever ORM gaps are identified.
It is a function of the bank’s capacity to bear risk and of its attitude towards
managed risk taking. Risk appetite can also be viewed as assigned or allocated
risk capacity.
Loan/Deposits Ratio: to be within the limits agreed with the board
Growth rate for each key portfolio: target growth rate of xx% for corporate, yy% for retail, zz% for Business etc.
Preference for qualification: CBE wants to recruit at least First degree holders
Target impairment levels: Max. of XX% NPLs (as percentage of total loans)
Banks that effectively articulate their risk appetite and adequately fund their
managed risk taking are better insulated against shocks to future earnings, and better
placed to allocate scarce resources when and where needed.
To effectively realize the intended results, the ORA process shall begin with the
establishment of a scope and plan. These include selecting objectives, assigning
specific responsibilities, scheduling the process, defining the input and output
requirements etc. Responsibilities in the risk management process are assigned to
those parties that can provide meaningful perspective on relevant risks. In this
respect, the ORMG of the CBE stipulates that ORA process is expected to be done
with full engagement of all managers and resourceful individuals of the respective
process/RAU. Lastly, identifying the data and information source shall be taken
into account while planning the ORA.
When identifying risks, it is also important to bear in mind that "risk" also has an
opportunity component. This means that there should also be a deliberate
attention to identifying potential opportunities that could be exploited to improve
the Bank’s performance. In identifying risks, consideration should be given to
risks associated with not pursuing an opportunity, e.g. failure to implement an IT
system to transfer money.
The following are key steps necessary to effectively identify risks from across the
Bank in connection with the respective processes:
The following data/information are among the most common inputs for the
ORA. As appropriate, each Process/RAU shall look at these factors exhaustively while
conducting its ORA.
These are, to a large extent, outside the control of a bank; and include:
Internal environmental factors are, to a large extent, under the control of a bank,
although they may not always be easy to change. Internal risk factors include:
This factor is correlated with the capability of a bank to recognize and detect risks
and adverse events; hence, it should not be neglected. Risk management
capability is a very significant element in the frequency and impact of risk events
in a bank because it is responsible for management’s risk decisions (or lack
thereof), as well as for the presence, absence and/or effectiveness of the controls that
exist within a bank. Hence risk management capability is an important component
of the overall risk profile of the bank.
Specific process capabilities refer to how good the processes are, as defined in
their internal policies and procedures.
In the context of risk management and the operational risk framework, specific
process capabilities are associated with the maturity level of each process and its
internal control system. Mature and well-controlled processes are equivalent to
high capabilities, which reduce the frequency of events and reduce the business
impact when events happen, e.g., having a good BCP/DRP in place when disaster strikes.
A review of international practices reveals that there are many types of risk
identification techniques. However, a process should apply a set of risk
identification techniques, chosen from those described below, that are suited to its
objectives and capabilities and to the risks the process faces. Scenario is
More specifically, these experiences show that the results of the self-assessment
questionnaire are used to:
- evaluate the effectiveness of internal controls;
- assess the risk profile against risk appetite;
- provide internal audit with prioritized areas of work; and
- agree on action plans to address the risk in excess of the agreed risk appetite (for example, to address identified weaknesses in internal control or risk management).
Experience of foreign banks shows that under this method the various risks can
be ranked to arrive at a consensus on the top 5 to 10 or 15 prioritized risks (depending
on the situation), for example. Thus, using an interactive voting system (with
individual input entered secretly) allows the individuals to identify and rank the
risks anonymously without fear of reprisal should their superior be a member of
the group. The purpose of the workshop is mainly to identify the root causes of
the risks, prioritize them based on their significance and take the required action to
mitigate these risks.
KRIs are metrics capable of showing that a bank is subject to, or has a high
probability of being subject to, a risk that exceeds the defined risk appetite.
From them one can identify potential operational risk events. (The detail is
discussed in part two and part four of this training manual.)
KRIs are widely viewed as having the potential to make operational risk
management a more effective discipline. Financial regulators in particular have
expressed interest in KRIs as a potentially important tool to manage operational
risk. However, this has not been realized for a number of reasons:
(a) A top-down approach: where one starts from the overall business
objectives and performs an analysis of the most relevant and probable
operational risk scenarios impacting the business objectives. If the impact
criteria are well aligned with the real value drivers of the enterprise,
relevant risk scenarios will be developed. Here managers and other
experts identify possible operational loss events that range from losses
occurring every day to stress events.
(b) Bottom-up approach: where a list of generic scenarios is used to define
a set of more concrete and customised scenarios, applied to the individual
enterprise situation. It may start with a detailed process analysis or risk
assessment and assign probabilities and loss severity to possible individual
events.
International best practice states that developing a manageable and relevant set
of risk scenarios requires:
- Expertise and experience, so as not to overlook relevant scenarios and not be drawn into highly unrealistic or irrelevant scenarios. While the avoidance of scenarios that are unrealistic or irrelevant is important in properly utilizing limited resources, some attention should be paid to situations that are highly infrequent and unpredictable, but which could have a disastrous impact on the enterprise.
- A thorough understanding of the environment. This includes the operating environment (e.g., infrastructure, applications, dependencies between applications and infrastructure components, service outlets, the degree of dependency on service outlets), the overall business environment, and
[Figure: Bottom-up scenario identification. Risk factors: external environmental factors; internal environmental factors; internal risk management capability; specific process capability.]
Not every type of threat requires an actor, e.g., failures or natural causes.
2. Threat type (the nature of the event): threat types are either man-made (e.g. failure, malicious and accidental) or natural (e.g. flood, earthquake).
Asset/resources include:
Assets can be critical or not, e.g., the client-facing web site of a major bank
compared to the web site of the local garage or the intranet of the software
development group. Critical resources will probably attract a greater
number of attacks or greater attention on failure; hence, the frequency of
related scenarios will probably be higher. It takes skill, experience and a
thorough understanding of dependencies to tell a critical asset from a
non-critical asset.
[Figure: components of a risk scenario. Threat agent/actor (internal: staff, contractor; external: competitor, outsider, business partner, regulator, market) + threat type (malicious; accidental/error; failure; natural; external requirement) + event (misuse of client’s information; misuse of assets; interruption; modification; theft; destruction; ineffective design; ineffective execution; breaches of rules and regulations; inappropriate use) + asset/resource (people and organization; process; infrastructure (facilities); IT infrastructure; information; application) + time (duration; timing of occurrence; potential (critical, non-critical); timing to detect) + vulnerability (the weakness of the internal control which let the threat happen) = risk event, leading to risk consequences.]
[Table template: Event ID | Name of the Risk Event | Threat Agent | Threat type | Asset/resource affected | Timing]
62 CBE—Risk and Compliance Management Process (RCMP)
OPERATIONAL RISK MANAGEMENT TRAINING MANUAL 2013
3.2.3 OR Categorization
CBE has introduced nine operational risk categories which are described as
follows:
2. External fraud refers to theft or fraud carried out by a third party outside the
organization. It includes, for example:
- theft/robbery
- forgery
- computer hacking damage
- theft of information
- check kiting, i.e. making use of non-existent funds in a checking or other bank account.
4. Clients, Products & Business Practices: losses in this category arise from a
failure to meet an obligation to a client, or from the nature or design of a product.
Examples of events in this category include:
- breaches of fiduciary duties
- suitability/disclosure issues (KYC, and so on)
- account churning (in connection with NSF checks, issuing CPOs by NSFs)
- misuse of confidential client information
- antitrust
- money laundering
- product defects
- exceeding client exposure limits
- High turnover
- Grievances
- Inadequate number of staff
- Disputes among staff
- Incapable employees
It uses expert opinions to estimate the frequency and business impact of adverse
events. The frequency and the magnitude of impact are estimated using
qualitative labels. These labels can vary depending on the circumstances and
different environments.
However, using the qualitative risk analysis method has the following
disadvantages:
- It is highly subjective,
- There will be great variance in human judgements, and
- There is a lack of a standardised approach during the assessment.
Despite the above limitations, qualitative risk analysis is usually less
complex and less expensive than quantitative analysis.
In this method either quantitative values such as ranges are used to define qualitative
values, or only quantitative values are used.
However, some things are very hard or impossible to quantify. For example:
the value of human life, the cost of terrorist attacks or similar events, and loss of
reputation.
Many suggest that neither of the two risk analysis methods is complete in all
aspects. Hence it is better to use a combination of both.
In analyzing controls, all relevant controls that can reduce the impact and
likelihood of the risks shall be listed. Non-control mitigation such as
insurance also has to be identified. The effectiveness of the existing controls shall then
be measured using the following assessment parameters.
The identified risk shall be prioritized and considered against existing controls so
that the residual risk is identified after the existing controls have been
applied to the inherent risks.
It is the estimation of the effect that the risk would have on the organization’s
ability to successfully achieve its objectives if the risk occurred.
Red level / Extreme risk: represents risks with a score from 12 up to 25
Yellow level / High risk: represents risks with a score from 6 up to 10
Green level / Moderate risk: represents risks with a score from 4 up to 5
Blue level / Low risk: represents risks with a score from 1 up to 3
[Risk matrix: IMPACT (INSIGNIFICANT (1), MINOR (2), MODERATE (3), MAJOR (4), DISASTROUS) against LIKELIHOOD]
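The scoring behind the matrix above, as an added example (not the bank's own tool): it computes the inherent risk score as likelihood x impact on the 5x5 matrix, maps the score to the colour bands stated above, and ranks a constructed risk register so the risks needing treatment come first. It assumes DISASTROUS = 5, a 1..5 likelihood scale with constructed labels, and that the score is the plain product, none of which the page states explicitly.

```python
"""Inherent-risk scoring on the 5x5 impact x likelihood matrix (constructed
example, not the bank's own tool).

Assumptions not stated on the page: DISASTROUS scores 5, likelihood uses the
same 1..5 ordinal scale as impact, and the score is the plain product.
"""
from dataclasses import dataclass

# Impact labels from the manual; DISASTROUS = 5 is an assumption.
IMPACT = {"INSIGNIFICANT": 1, "MINOR": 2, "MODERATE": 3, "MAJOR": 4, "DISASTROUS": 5}

# Likelihood labels are not given on the page; these names are constructed,
# only the 1..5 values matter for the score.
LIKELIHOOD = {"RARE": 1, "UNLIKELY": 2, "POSSIBLE": 3, "LIKELY": 4, "ALMOST CERTAIN": 5}

# Score bands exactly as the manual states them: (lower, upper, colour, label).
BANDS = [
    (12, 25, "Red", "Extreme risk"),
    (6, 10, "Yellow", "High risk"),
    (4, 5, "Green", "Moderate risk"),
    (1, 3, "Blue", "Low risk"),
]


def risk_score(likelihood: int, impact: int) -> int:
    """Inherent risk score = likelihood x impact, both on a 1..5 scale."""
    for name, value in (("likelihood", likelihood), ("impact", impact)):
        if not 1 <= value <= 5:
            raise ValueError(f"{name} must be 1..5, got {value}")
    return likelihood * impact


def risk_level(score: int) -> tuple[str, str]:
    """Map a score to (colour, label) using the manual's bands.

    Products of two 1..5 integers can never be 7 or 11, so the gap between the
    Yellow (6-10) and Red (12-25) bands is harmless; anything else is an error.
    """
    for lower, upper, colour, label in BANDS:
        if lower <= score <= upper:
            return colour, label
    raise ValueError(f"score {score} is not on the 5x5 matrix")


@dataclass
class RiskEntry:
    event_id: str
    name: str
    likelihood: str  # key of LIKELIHOOD
    impact: str      # key of IMPACT

    def score(self) -> int:
        return risk_score(LIKELIHOOD[self.likelihood], IMPACT[self.impact])

    def level(self) -> tuple[str, str]:
        return risk_level(self.score())


def prioritise(register: list[RiskEntry]) -> list[tuple[str, int, str]]:
    """Return (event_id, score, colour) sorted highest score first, so the
    risks most likely to exceed tolerance and need treatment appear on top."""
    return sorted(
        ((r.event_id, r.score(), r.level()[0]) for r in register),
        key=lambda row: row[1],
        reverse=True,
    )


# Constructed sample register (not real CBE data).
SAMPLE_REGISTER = [
    RiskEntry("E-01", "Misuse of client information by staff", "POSSIBLE", "MAJOR"),
    RiskEntry("E-02", "Core banking application failure", "UNLIKELY", "DISASTROUS"),
    RiskEntry("E-03", "Minor data-entry error in a loan file", "LIKELY", "INSIGNIFICANT"),
    RiskEntry("E-04", "Branch flooding", "RARE", "MODERATE"),
]

if __name__ == "__main__":
    for event_id, score, colour in prioritise(SAMPLE_REGISTER):
        print(f"{event_id}: score={score:>2} -> {colour}")
```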
A key outcome of the risk identification and assessment process is a detailed list
of all key risks including those that require treatment as determined by the
overall level of the risk against the Bank's risk tolerance levels. However, not all
risks will require treatment as some may be accepted by the Bank and only
require occasional monitoring throughout the period.
In instances where the management of a risk is not within the control of the Bank,
the response strategies should consider measures such as forward planning and
lobbying. Response strategies should be documented, and the responsibilities and
timelines attached thereto should be communicated to the relevant persons.
Responding to risks involves the following key steps, each of which is covered in
detail in this section:
- Avoiding risk – not engaging in the activity that creates risk exposure;
- Mitigating risk – applying procedures that reduce the risk;
Once risks have been assessed and a level of risk rating has been assigned, an
option for response is selected. Consideration should be given to the following
parameters:
Comparing the sum of the costs with the sum of the benefits
The risk owner (the person accountable for managing a particular risk) should be
a senior staff member or Manager with sufficient technical knowledge about the
risk and/or risk area for which a response is required.
The risk owner will often delegate responsibility (but not accountability) to his /
her direct reports or consultants for detailed plan development and
implementation.
Once response options for individual risks have been selected, they should be
consolidated into risk action plans and/or strategies.
As one risk response may impact multiple risks, response actions for different
risks need to be combined and compared so as to identify and resolve conflicts
between plans and to reduce duplication of effort. Finally, the response plan
should be documented and the practicability of the chosen options needs to be
monitored.
Once the proper risk mitigation is identified, each Process/RAU shall report its
Mitigation Plan as per the following format.
To ease subsequent actions (i.e. risk response and monitoring), the identified and
analyzed risk shall be summarized in a standard format presented below. The OR
database of every process shall consider, at minimum, the particulars noted in
this table.
[Table template (columns recovered): Event ID | Event Category | Duration | Response]
The monitoring activity enables banks to track how well their overall operational
risk management is doing in line with the predefined framework. Along the way,
monitoring helps banks to identify operational gaps and control weaknesses so
that appropriate adjustments can be carried out for the upcoming business
seasons. Among other tools, monitoring of operational risk relies on the
development and implementation of key risk indicators (KRIs) and the
maintenance of internal and external loss data. Therefore, the following part is
devoted to explaining the significance of monitoring operational risk and the
use of KRIs and loss data.
The frequency of monitoring should reflect the risks involved and the frequency
and nature of changes in the operating environment. Monitoring should be an
integrated part of the bank's operational risk activities. According to best
practices, the results of these monitoring activities are usually included in regular
management and Board reports.
In view of this, the bank can implement a process to regularly monitor and review
operational risk profiles and material exposures to losses. There should be regular
reporting of pertinent information to Senior Management and the Board of
Directors that supports the proactive management of operational risk. In general,
the Board of Directors should receive sufficient higher-level information to enable
them to understand the bank's overall operational risk profile and focus on the
material and strategic implications for the business.
The operational risk reports should contain internal information about events and
conditions that are relevant to decision making and should be distributed to
International experience suggests that the monitoring and review process for
operational risk management has to take place on three levels:
First, the adequacy and effectiveness of the internal control system has to
be monitored, evaluated and reported for every single internal control
action. It is important for the evolution of risk management
within a bank to communicate and share lessons learned at this level.
Second, the general risk profile of a bank and eventual changes in
uncertainties have to be monitored to identify upcoming risks
early enough and to stop internal controls on outdated
risks. The monitoring process can, if need be, entail the redistribution of
resources.
The progress of the mitigation plan drawn up for each identified
risk event shall be reported as per the following format:
a) Attributes of KRI
The following diagram illustrates how key risk indicators may be identified. The
diagram uses people risk as an illustration.
[Diagram: Define risk category → Develop causal map → Establish KRIs]
The following (non-exhaustive) list provides some sources of information that
can help to identify significant risks and aid in KRI identification:
The following table describes some of the main properties of a good KRI in terms of
effectiveness, comparability and ease of use.
Effectiveness. A good KRI should:
- apply to at least one specific risk and one business function or activity;
- be measurable at specific points in time;
- reflect objective measurement rather than subjective judgment;
- track at least one aspect of the loss profile or event history, such as frequency, average severity, cumulative loss or near-miss rates; and
- provide useful management information.
Comparability. A good KRI should:
- be quantified as an amount, a percentage, or a ratio;
- be a reasonably precise and definite quantity;
- have values that are comparable over time;
- be comparable internally across businesses;
- be reported with primary values and be meaningful without interpretation to some more subjective measure;
- be auditable; and
- be identified as comparable across the industry.
Ease of use. A good KRI should:
- be available reliably on a timely basis;
- be cost-effective to collect; and
- be readily understood and communicated.
f) Illustration of a KRI
A key risk indicator for monitoring and responding to risk around the
effectiveness and continuity of a bank’s business relates to staff turnover levels.
Key risk indicators of this type require tolerance thresholds in order to give a
meaningful representation of the risk; and the resultant ratings which could be
used to create “heat map” reporting on indicators.
For example, when given thresholds are breached there will be a requirement to
escalate to an appropriate level of management. Following is a hypothetical
illustration for an organization in using a specified threshold.
KRI—Staff turnover
No. | Risk level | Risk status | Action required
1. | Below 24% | No risk (green) | The organization is comfortable with the level of staff turnover. No escalation or treatment required.
2. | Above 24% (25-28%) | Potential risk (yellow) | The risk is a concern and HR would be expected to monitor actively and establish causes and actions. Escalation required to raise awareness, but an explanatory report is not required.
3. | Above 28% | Significant risk (red) | Action and escalation with explanatory report required.
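An added example (not the page's or the CBE's own code) that applies the staff-turnover thresholds above to a rolling 12-month series and flags the month-ends where the heat-map colour changes, i.e. where escalation is triggered. It assumes turnover is annualised leavers over average headcount, that exactly 24% still falls in the green band (the table's boundary is ambiguous), and uses constructed HR figures.

```python
"""Staff-turnover KRI monitoring against the manual's thresholds (constructed
example, not the bank's own reporting tool).

Assumptions: turnover is annualised as leavers over average headcount for a
rolling 12-month window (the page does not define the formula), and a rate of
exactly 24% is treated as "Below 24%" (the page's boundary is ambiguous).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class KriStatus:
    level: str        # "No risk" / "Potential risk" / "Significant risk"
    colour: str       # heat-map colour from the table
    escalate: bool    # escalation to management required?
    report_required: bool  # explanatory report required?


def staff_turnover_status(rate_pct: float) -> KriStatus:
    """Apply the three-tier threshold table for the staff-turnover KRI."""
    if rate_pct < 0:
        raise ValueError("turnover rate cannot be negative")
    if rate_pct <= 24.0:  # "Below 24%"; 24% itself treated as green (assumption)
        return KriStatus("No risk", "green", escalate=False, report_required=False)
    if rate_pct <= 28.0:  # "Above 24% (25-28%)": escalate, no report
        return KriStatus("Potential risk", "yellow", escalate=True, report_required=False)
    return KriStatus("Significant risk", "red", escalate=True, report_required=True)


def annualised_turnover_pct(headcount: list[int], leavers: list[int]) -> float:
    """Leavers over the window divided by average headcount, as a percentage.
    Assumed formula; a bank's HR policy may define turnover differently."""
    if not headcount or len(headcount) != len(leavers):
        raise ValueError("need equal, non-empty monthly series")
    avg_headcount = sum(headcount) / len(headcount)
    return 100.0 * sum(leavers) / avg_headcount


def monitor(headcount: list[int], leavers: list[int], window: int = 12):
    """Evaluate the KRI at every month-end over a rolling window.

    Returns (month_index, rate_pct, colour, colour_changed) per month-end; a
    colour change is the breach that the table says must be escalated.
    """
    results = []
    prev_colour = None
    for end in range(window, len(headcount) + 1):
        rate = annualised_turnover_pct(headcount[end - window:end],
                                       leavers[end - window:end])
        status = staff_turnover_status(rate)
        results.append((end, round(rate, 1), status.colour, status.colour != prev_colour))
        prev_colour = status.colour
    return results


# Constructed HR series (not real figures): 16 months, stable headcount of
# 1,000, with leavers rising sharply in the last four months.
SAMPLE_HEADCOUNT = [1000] * 16
SAMPLE_LEAVERS = [15] * 12 + [40, 45, 50, 60]

if __name__ == "__main__":
    for month, rate, colour, changed in monitor(SAMPLE_HEADCOUNT, SAMPLE_LEAVERS):
        flag = "  <- escalate" if changed and colour != "green" else ""
        print(f"month {month:>2}: {rate:5.1f}% {colour}{flag}")
```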
The number of customer complaints could be another example of a key risk
indicator. As customer complaints increase, the probability that some
underlying and potentially systemic mistakes and errors of judgment are being made
is likely to rise. In other words, there is a rationale for thinking that, at least in
some ranges, changes in the value of this indicator are likely to be associated
with changes in operational risk exposure or operational loss experience.
The systematic capture of clean and comprehensive data on losses is one of the
most important aims of operational risk management, since the variety of
management information that can subsequently be produced is very significant.
Capturing losses is a prerequisite to measuring them, and thus to answering
management questions such as ‘Which products produce the highest number of
losses?’, ‘Which processes are most error-prone?’, ‘Where do the losses fail to
match the expected risk profile?’, etc.
Internal loss events may be viewed as actual loss, potential loss and “near
miss” events experienced by the bank. They could happen as a result of new
risks to the bank or due to lack of control or control failures surrounding an
already identified risk.
The tracking of internal loss event data is a key component of robust operational
risk management and contributes to the assessment and monitoring of
operational risk. Internal loss data is most relevant when it is clearly linked to a
bank's current business activities, technological process and risk management
procedures.
To bring effective use of loss data, a bank's internal loss data should be
comprehensive in that it captures all material activities and exposures from the
different business units and support functions.
According to the literature on the subject, internal loss data are gathered and
analyzed primarily for the following main reasons:
Customer service: supports customer-focused service; supports first contact resolution.
Financial benefits: cost identification and reduction; reduction of regulatory capital requirements for risk; supports cost/benefit analysis of improvement/control.
Internal stakeholders: improves knowledge and understanding of risk losses; enables oversight and resolution of losses; validates control effectiveness and enables corrective action; mitigates future incidents and avoids repeat incidents.
Regulatory compliance: complies with regulatory requirements; enables future progression to more advanced approaches to calculation of regulatory capital requirements.
The following figure illustrates the process of determining the loss type of a
new event.
[Flowchart: Incident detected → Is financial impact zero or positive? (Yes / No) → Is financial impact to date zero or positive? (Yes / No)]
The external loss data mainly consist of large volumes of actual loss data
specifying amount, frequency and classification of loss events and/or specifics of
particular large loss events collected from publicly available information.
External loss data, i.e. data on operational losses experienced by other banks in
Ethiopia, could be obtained from the Bankers Association, the central bank and
others, if any. International external loss data, however, are collected by several data
consortia and, additionally, there are a few commercial providers. Consortia allow
their members to exchange loss data in a standardized, anonymous and quality-
assured form.
Presently, the best known data consortia are GOLD (Global Operational Loss
Database) in Great Britain and ORX (Operational Risk data exchange Association)
in Switzerland. GOLD was established on the initiative of the British Bankers'
Association in the year 2000. ORX was set up in 2001 and currently has 22
members. An example of a national initiative is DIPO (Database Italiano delle
Perdite Operative) in Italy, a consortium founded by the Italian bank association
ABI (Associazione Bancaria Italiana) in the year 2000. At the end of 2003, the
membership of that consortium included 32 banks and bank groups.
The reporting threshold is EUR 20,000 for ORX, USD 50,000 for GOLD and EUR
5,000 for DIPO.
The following box further elaborates the two data consortia; namely ORX
(Operational Risk data eXchange association) and DIPO (Database Italiano delle
Perdite Operative), a consortium founded by the Italian bank association ABI
(Associazione Bancaria Italiana).
Box—1
Operational Risk data exchange association (ORX)
This database uses the Basel loss event categories to collect, cleanse,
process and report operational risk loss data for members.
Founding members are from the banking sector and the database is
expected to meet FSA regulatory requirements for external data.
Data held in the database is anonymous, and records loss events
with a threshold set at €25,000.
A problem related to the use of external data is their methodical classification and
scaling. A loss that can be easily borne by one bank may threaten the life of
another bank. Different factors may be used for scaling, e.g. balance sheet total,
expenditure or income, with different factors being relevant for different business
lines. However, since suitable data are only available to a certain extent, pragmatic
solutions are needed in this context.
Taking into account the benefits of using external loss database, processes/RAU
shall perform the following.
Processes/RAUs can use external loss data for the following purposes:
What is their level of severity? Some of the disruptive events may be severe and
result in an inability to fulfil some or all of the bank’s business obligations. Incidents that
damage or render inaccessible the bank’s facilities, telecommunication or
information technology infrastructures, or a pandemic event that affects human
resources, can result in significant financial losses to the bank, as well as broader
disruptions to the financial system (Basel Committee on Banking Supervision,
2011).
outage and the steps necessary to contain or minimise the negative consequences
when an outage actually occurs. It is not concerned with the likelihood of
occurrence, as matters of likelihood should already have been addressed as part of
the risk management process. Preventative controls should already have been
established to reduce the likelihood and consequences of the risk event to levels
that are acceptable to management. Thus, to ensure resiliency, timely responses
and management actions are required. Management may have different
approaches to responding to and managing crises. Regardless of the approach, the
key elements that can usually be distinguished and that collectively make up BCM
response plans are:
Provide a consistent framework for the functions and to assist the bank in
benchmarking its program against accepted and proven practices.
[Figure: Steps of BCM. Step 1: Program Management → Step 2: Risk and Business Impact Analysis → Step 3: Identify Response Options → Step 4: Develop Response Plans → Step 5: Awareness and Training Programs → Step 6: Exercise, Audit and Maintenance]
and responsibilities and the development of a programme schedule of how the BCM
is to be implemented.
At the end of Step 2 you will have identified (a) the list of critical business
activities, (b) the timeframe within which each of these critical business activities
must be resumed following a disaster (i.e. the maximum acceptable outage (MAO)),
and (c) the resources that must be made available to support the resumption of
these critical activities. This output is now used in Step 3 to formulate a set of
response options that will meet the requirements for business continuity (William,
2009).
The key resources required to support business recovery encompass people,
equipment, data, premises, services and supplies. In identifying response options,
it is important to consider the quantity and timeframes within which these
resources must be made available before, during and after an incident. There are
four broad categories of response options (William, 2009):
Temporarily suspending the activity: activities that are non-essential or are not
required to be performed immediately following an incident may be suspended
temporarily. At some point, these activities will nonetheless need to be resumed,
but suspending them in the short term will allow you to free up resources for more
critical tasks.
Transferring the activity: where the same activities are performed in different
locations (such as regional offices), the work at an affected location may be passed
over to the other non-affected locations.
Working from home: this response option would be viable for activities that have
little or no dependency on the infrastructure of a normal office environment, and
where face-to-face interactions with others are not essential.
Relocating to an alternate (backup) site: an alternate or backup site is a
facility that is appropriately equipped with the resources needed to support the
resumption of critical services in the event the primary location is impacted by a
disaster. According to William (2009), the following need to be taken into account
when considering response options:
People- How does the bank minimize the risk of loss of key personnel?
IT systems and networks- What is the Bank’s current IT disaster recovery
capability? Does the Bank have an up-to date and workable IT disaster recovery
plan?
Premises and facilities- What are the most practical and cost effective ways to
provide for premises and facilities?
Data backup and off-site storage- What data is required for business continuity
and how quickly does it have to be made available?
Evaluate Response options
When evaluating each of the response options, it is necessary to consider the
technical, operational and financial viability of each. Technical viability refers to
whether the option is able to fulfill the business continuity specifications and
requirements of the critical activities – i.e. can the option meet the timeframe
within which the activity must be resumed? Operational viability refers to
whether the option can realistically be implemented. For example, working from
home may be technically feasible for someone performing an accounting activity
but operationally may be prevented from doing so due to compliance requirements.
Financial viability refers to the cost to implement the option. Based on the
evaluation, a recommendation should be presented to the Executive for approval
(William, 2009).
Step 4: Develop Response Plans
Having identified and selected the response options in Step 3, this step involves
putting together the action-level processes and procedures necessary for the
execution of these response options when an incident occurs. These include the
[Name of the Process/RAU] [Date on which this Report is Produced] Page 99
[Here state the title of the Report (i.e. Operational Risk Assessment of X (the Name of the Process) Process/RAU]
Recovery procedures are directed towards restoring full operational capability and
returning to business-as-usual after the crisis is over. The principal purpose of
recovery response is the staged return to a level of normal (pre-disruption)
capability and performance. Depending on the nature of the incident, recovery
response may be completed quickly if there has not been any damage to physical
infrastructure (for example, staff may return to the office to resume normal
operations immediately after the “all clear” has been given following a bomb threat)
or may run into weeks or even months after a major catastrophe (as experienced
by some firms after 9/11, which took 6 to 9 months to fully recover).
Steps 5 and 6 bring the planning process to a logical conclusion and also set up a
process to ensure that the plan continues to be relevant to the bank on an on-going
basis. This involves: (a) training the staff on how and when the plan is to be used,
(b) exercising or rehearsing the plan to ensure that staff are indeed able to execute
the plan, and (c) putting in place a maintenance process to keep the plan current
and relevant.
Raising Awareness and Training Program
To ensure that BCM capability continues to reflect the nature, scale and complexity
of the bank it supports, it must be understood by all staff and stakeholders. The
primary objective of training is to ensure that the importance of BCM is understood
by all staff in the bank and they are aware of their roles and responsibilities during
an emergency or crisis situation. Training may be pitched at different levels of the
organization, depending on what the needs and objectives are (William, 2009).
According to Ian McPhee (2009), an ongoing education and information program
for staff can raise and maintain awareness of business
The goal of this practice is to establish an exercise, testing, maintenance and audit
program. To continue to be effective, a BCM Program must implement a regular
exercise schedule to establish confidence in a predictable and repeatable
performance of recovery activities throughout the organization. As part of the
change management program, the tracking and documentation of these activities
provides an evaluation of the on-going state of readiness and allows for continuous
improvement of recovery capabilities and ensures that plans remain current and
relevant. Establishing an audit process will validate that the plans are complete,
accurate and in compliance with organizational goals and industry standards as
appropriate (DRII, 2012). The list of activities includes (DRII, 2012):
1. INTRODUCTION
1.1. Background
[Here, Processes/RAUs are required to provide information on issues that are considered
essential to understand the very purpose of the Report. Among others, such information
shall include process-level objectives and related operational risks, lessons drawn from
the previous ORA and how they are incorporated in the current assessment, the level of
attention given in terms of resources and time allocated for this assessment, a brief
overview of the assessment process, etc.]
[Information on the total number of staff (both managerial and non-managerial), the
nature (and size) of customers (internal and external) and/or stakeholders that the
Process deals with, and the nature (and size) of the available infrastructure (technology and
systems) under direct use of the Process/RAU, etc., are valuable points to note.]
[Major resources (including data and information) which are directly owned and managed
by the Process/RAU shall also be discussed here.]
[The Process/RAU shall include the specific objectives of the assessment. The objectives
shall be in conformity with factors such as the scope and limitations of the ORA process.]
[The limitations of the assessment, as related to issues such as scope, data source and
type, assessment techniques, skill and knowledge of the ORA process, engagement level
of all relevant staff, resources and time allocated to the process, attention and emphasis
given to the process, etc., shall be described without any reservations.]
[Here, the data/information employed for this assessment shall be described in
detail along with their respective sources, which can be internal as well as external.]
[The description shall be detailed enough to show the nature, source and timing of the risk
events. While describing risk events, the Process/RAU shall assign a unique ID to each
identified risk event. The ID shall include the name of the process, the event number and
the year of its identification. Definitions of the remaining particulars of the table are found in
the ORMG. If a particular (column) for describing a given event is found to be
inapplicable, the column shall be marked as N.A.] Description of an event is illustrated in
the following table.
Columns: Risk Event ID | Risk Event | Threat Agent | Threat Type | Vulnerability |
Asset/resource affected | Timing | Consequences
[The ORA shall start with analysis of the internal control system on the identified risk event.
In particular, the evaluation of the effectiveness of the internal control activities with
respect to the identified risk event shall be rated against the rating scale provided in the
ORMG. The result of the control analysis shall be summarized using the following table.]
5. Risk Response
[Risk response shall be selected in line with the direction given in the ORMG. A risk
response plan shall be drawn up for all identified risk events, including the blue ones.
For those risk events which demand the attention of multiple processes, risk
owners shall be assigned in consultation with the RCMP. The duration of the
selected response action shall be reasonably set in consultation with the respective
(properly assigned) owner of the risk event. The risk response action plan shall be
presented using the following format.]
[The summary describes the whole process in one sheet. The following table shall be used for this purpose]
Direct losses: are the losses that directly arise from the associated
events
Emergency Response (ER): the protection of people, assets and/or the
environment following a disaster or emergency (for example a fire or bomb
threat).
Environment: refers to the surroundings that set the tone and behavior
of the bank, including culture and external factors.
Environmental risks: Risks that include all types of exogenous risks that,
if they were to materialize, could jeopardize the bank’s operations or
undermine its ability to continue in business.
Event: an occurrence or change of a particular set of circumstances, or “an
accident or occurrence, from sources internal or external to an entity, that
affects achievement of objectives”. An event can:
be one or more occurrences and can have several causes;
consist of something not happening;
sometimes be referred to as an “incident” or “accident”;
when without consequences, also be referred to as a “near miss”,
“incident”, “near hit” or “close call”.
External sources of risk: include man-made incidents such as external
fraud, theft, computer hacking and terrorist activities, and natural disasters
such as damage to physical assets due to floods and fires.
Frequency: the number of times in a given period, usually a year, that
an event is likely to occur.
Foreign exchange risk: the risk which emanates from changes in
exchange rates between a bank’s domestic currency and other currencies.
General legal risk: The risk that a bank would have to modify its
activities due to changes in the country’s legal system or law
enforcement.
Impact: the effect that the risk would have on the organization’s ability
to successfully achieve its objectives if the risk occurred.
Indirect losses: are generally opportunity costs and the losses
associated with the cost of fixing an operational risk problem, such as
near-miss losses.
Infrastructure: refers to the tools used to facilitate the entire risk
management process, including systems, data, methodologies as well as
policies and procedures
Inherent Risk: is the risk in a business or process before the effect of any
risk mitigation, control or transfer activities.
Internal sources of risk: account for most of the losses caused by human,
process and technology failures, such as those due to human errors, internal fraud,
unauthorized trading, injuries, and business delays due to computer
failures or telecommunication problems.
IT Disaster Recovery (Disaster Recovery or DR): the recovery
arrangements for IT, data availability and protection.
KRIs: are metrics capable of showing that a bank is subject to, or has a
high probability of being subject to, a risk that exceeds the defined risk
appetite.
Limit: reflects the absolute maximum level of exposure that is acceptable
for a particular risk.
Liquidity risk: is the risk that a bank will not be able to meet its current
and future cash flow and collateral needs, both expected and unexpected,
without materially affecting its daily operations or overall financial
condition.
Loss Data: Describes actual loss events that have occurred either
internally or externally to the bank.
Market Risk: the risk that the value of on- and off-balance-sheet positions
of a bank will be adversely affected by movements in market rates or prices,
such as interest rates, foreign exchange rates, equities and commodities,
resulting in a loss to earnings and capital.
Operational risk: The risk of loss resulting from inadequate or failed
internal processes, people or systems or from external events.
Political risk: The risk of an adverse impact on the bank’s activities due to
changes in country and/or regional political or economic pressures, such as
monetary controls.
Process map: The major steps in any process, usually portrayed as a
flow chart, and depicting the inputs and outputs for each step in the
process. Key controls may be depicted as process steps.
Recovery: the rebuilding of specific business operations following a
disruption to a level sufficient to meet outstanding business obligations.
Recovery level: the target level of service that will be provided in respect
of a specific business operation after a disruption.
Recovery time: the target duration of time to recover a specific business
operation.
Reputational risk: The potential that negative publicity regarding the
bank’s business practices, whether true or not, will cause a decline in the
customer base, costly litigation, or revenue reductions.
Residual Risk: is the potential impact and likelihood of an identified risk
exposure, considering the effect of the existing (but excluding planned)
controls.
Resilience: the ability of a financial industry participant, financial
authority or financial system to absorb the impact of a major operational
disruption and continue to maintain critical operations or services.
Risk: means exposure to adversity
Risk analysis: is the actual estimation of frequency and
magnitude/impact of a risk scenario.
Risk appetite: refers to the bank’s attitude towards risk taking and whether it is
willing and able to tolerate either a high or a low level of exposure to
specific risks or risk groups.
Risk assessment: the overall process of risk identification, risk analysis and
risk evaluation.
Risk category (or risk group / risk sub-group): Risks identified can be
grouped in order to facilitate monitoring and reporting.
Risk description (or definition): A detailed articulation of a risk,
designed to give a clearer understanding of the risk.
Risk factors: are those factors that influence the frequency and/or
business impact of risk scenarios.
Risk identification: the process of finding, recognizing and describing risks.
Risk management capability
Traditional banking risks: balance sheet and income statement structure,
credit, and solvency risks that can result in loss for a bank if they are not
properly managed.
Risk management process: the systematic application of management
policies, procedures and practices to the activities of communicating,
consulting, establishing the context, and identifying, analyzing, evaluating,
treating, monitoring and reviewing risk.
Risk Matrix/risk map: the visual representation of risk (which has
been identified through a risk assessment exercise) in a way that allows
priority ranking. This representation often takes the form of a two-
dimensional grid with frequency (or likelihood of occurrence) on one axis
and severity (or degree of impact) on the other axis; the risks that fall in
the high-frequency/high-severity quadrant are given priority risk
management attention.
Risk profile: the description of any set of risks.
Risk Response: an action, consciously taken by management, to
counteract, in advance, the effects on the business of risk events
materializing.
Scenario: A scenario may be defined as a sequence of possible events
and the description of possible developments leading up to these events.
Expected losses: are generally those that occur on a regular (such
as every day) basis, such as minor employee errors and minor credit card
fraud.
Threshold: represents a level of exposure which, with appropriate
approvals, can be exceeded, but which, when exceeded, will trigger some
form of response.
Unexpected losses: are those losses that generally cannot be easily
foreseen, such as terrorist attacks, natural disasters, and large-scale
internal fraud.
References
1. Bank risk management training document prepared by NBE.
2. Basel Committee on Banking Supervision, 2011, Principles for the Sound
Management of Operational Risk, Bank for International Settlements.
3. Basel Committee on Banking Supervision, 2010, Operational Risk:
Supervisory Guidelines for the Advanced Measurement Approach.
4. Basel Committee on Banking Supervision, February 2003, Sound Practices
for the Management and Supervision of Operational Risk.
5. Basel Committee on Banking Supervision, 2003, Sound Practices for the
Management and Supervision of Operational Risk, Bank for International
Settlements.
6. Basel Committee on Banking Supervision, 2005, High-Level Principles for
Business Continuity.
7. Basel Committee on Banking Supervision, 2009, Results from the 2008
Loss Data Collection Exercise for Operational Risk, Bank for International
Settlements.
8. Basel Committee on Banking Supervision, 2011, Principles for the Sound
Management of Operational Risk, Bank for International Settlements.
9. Basel Committee on Banking Supervision, 2003b, The 2002 Loss Data
Collection Exercise for Operational Risk: Summary of the Data Collected,
Switzerland: Bank for International Settlements.
10. BCBS, 2004, Basel II: International Convergence of Capital
Measurement and Capital Standards: A Revised Framework, Basel:
Bank for International Settlements, June.
11. BCBS, 2001a, Operational Risk: Supporting Documents for the New
Capital Accord, Basel: Bank for International Settlements, January.
12. BNP Paribas Fortis, Peter Hoflijk, ORM.
13. Conventional Banking Handbook, 2010, Financial Sector Talent
Enrichment Program.
14. D. E. Bostander, 30 November 2007, Operational Risk Events in
Banks and Practices for Collecting Internal Loss Data, research report
presented to the Graduate School of Business Leadership, University of
South Africa.
15. Don Williams, 2009, Business Continuity Management Guidelines,
RiskCover, 2nd edition.
16. DRI International, 2012, Professional Practices for Business Continuity
Practitioners, Disaster Recovery Institute.
17. Everest, David (Key Bank); Garber, Roy E.; Keating, Michael;
Peterson, Brian, 2008, Business Continuity Management: Global Audit
Guide, Institute of Internal Auditors.
18. Foot, M., 2002, ‘Operational risk management for financial
institutions’, Journal of Financial Regulation and Compliance, London,
Volume 10, Issue 4, 4 pp. (ProQuest).
19. Reserve Bank of India, Department of Banking Operations and
Development, Central Office, Mumbai, Guidance Note on Management of
Operational Risk.
20. Hennie van Greuning and Sonja Brajovic Bratanovic, 2009,
Analyzing Banking Risk: A Framework for Assessing Corporate
Governance and Risk Management, 3rd edition, World Bank, Washington
D.C.
21. Hiles, Andrew, 2010, The Definitive Handbook of Business Continuity
Management, 3rd edition, John Wiley & Sons, Inc.
22. Imad A. Moosa, 2007, Operational Risk Management, Palgrave
Macmillan.
23. Ian McPhee, 2009, Business Continuity Management: Building
Resilience in Public Sector Entities.
24. Ian Storkey, 2011, Operational Risk Management and Business
Continuity Planning for Modern State Treasuries, Fiscal Affairs Department,
International Monetary Fund.
25. Jonathan Davies, Mike Finlay, Tara McLenaghen and Duncan Wilson,
13 February 2006, Key Risk Indicators: Their Role in Operational Risk
Management and Measurement, RiskBusiness International Limited.
26. Operational risk screen tcm16-49652.pdf/ORM/, Guidelines for
Operational Risk Management.
27. Peter Hoflijk, Operational Risk Management Guideline, Operational
Risk Management.
28. Paul M. Collier, 2009, Fundamentals of Risk Management for
Accountants and Managers, Great Britain: Elsevier Ltd.
29. Risk Management materials for London Training.
30. Risk Management Toolkit, Lloyd's Risk Management, UK.
31. Risk Management Training Handbook, 2010, Bureau of Strategic
Planning, United Nations Educational, Scientific and Cultural Organization
(UNESCO), Paris.
32. Risk Management Services, 2009, Business Continuity Management
Guidelines, Western Australian State Government Agencies.
33. Swiss Bankers Association, 2007, Recommendations for BCM.
34. The Risk IT Framework, 2009, ISACA, USA.
35. Vima, 2012, Understanding Business Continuity Management.
36. Wing Lam, 2002, Ensuring Business Continuity.
37. www.hdfcbank.com