
OPERATIONAL RISK MANAGEMENT TRAINING MANUAL 2013

TABLE OF CONTENTS
Acronyms.............................................................................................................................................2
INTRODUCTION........................................................................................................................................3
I: OVERVIEW OF OPERATIONAL RISK MANAGEMENT.............................................................................5
1.1 What is Risk?...............................................................................................................................5
1.2 Banks Exposure to Risk..........................................................................................................5
1.3 The Increasing Importance of Operational Risk Management..................................9
1.4. Benefits and Opportunities of ORM.................................................................................10
1.5. Defining Features of Operational Risk............................................................................10
1.6. Operational Risk Perspectives...........................................................................................12
1.7 Operational Key Risk Indicators.........................................................................................14
1.8. Operational Risks and Internal Control..........................................................................18
1.9 Operational Risk Treatment/mitigation Options..........................................................21
1.10 Examples of High Magnitude Operational Losses.....................................................27
II. OPERATIONAL RISK GOVERNANCE AND FRAMEWORK......................................................................33
2.1 The Operational Risk Management Framework............................................................33
2.2 Basel Principles on Operational Risk Management.....................................................35
2.3. CBE’s Operational Risk Management Framework......................................................38
2.4 Risk Appetite.............................................................................................................................42
III. THE OPERATION RISK MANAGEMENT...............................................................................................44
3.1 Planning and scope of the ORM.........................................................................................44
3.2. Operational Risk Identification..........................................................................................45
3.2.1 How to perform risk identification.........................................................................46
3.2.2. Describing the Identified OR event......................................................................62
3.2.3 OR Categorization........................................................................................................65
3.3. Operational Risk Assessment............................................................................................69
3.4. Operational Risk Treatment/Mitigation..........................................................................73
3.4.1 Developing a risk response Plan/Strategy.................................................................74
3.4.2 How to respond to risks?..................................................................................................74
3.5 Operational Risk Monitoring................................................................................................77
3.5.1 Developing Key Risk Indicators (KRIs).......................................................................80
Fig. 4.5. Development Process of KRI....................................................................................81
3.5.2 Capturing Loss Data Base................................................................................................85
PART IV: BUSINESS CONTINUITY MANAGEMENT...............................................................92
4.1 Concepts and Perspectives of BCM...................................................................................92
4.2 Objectives of BCM...................................................................................................................94
4.3 Importance of Business Continuity Management........................................................95
4.4. Link with Risk Management...............................................................................................96
4.5. Basic Requirements of BCM...............................................................................................97
Annex 1: ORA Reporting Template.........................................................................................105
Annex 2: Checklist of Important step of the ORA Process.....................................113
Annex 3: Glossary.................................................................................................................115
References...............................................................................................................................120

1 CBE—Risk and Compliance Management Process (RCMP)


Acronyms
AMA Advanced Measurement Approach

BCBS Basel Committee on Banking Supervision

BCP Business continuity planning

BCM Business Continuity Management

DRP Disaster recovery planning

IS Information System

ICF Internal Control Framework

IT Information Technology

KRI Key Risk Indicators

LRRC Loan and Risk Review Committee

OR Operational Risk

ORA Operational Risk Assessment

ORM Operational Risk Management

ORMG Operational Risk Management Guideline

PC Process Council

NBE National Bank of Ethiopia

RAU Risk Assessment Units

RCMP Risk and Compliance Management Process

RCSA Risk and Control Self Assessment

RM Relationship Manager


INTRODUCTION

The CBE's strategy has brought many changes: branch expansion, greater use of
automated technology, more service outlets, new products and services,
outsourcing arrangements and a large workforce maintained to sustain its growth.
These and other changes are expected to raise the operational risk profile of the
Bank to a much higher level than before.

On the other hand, the Bank faces an environment marked by mounting
competition and rising expectations from government and customers. With respect
to government expectations, the five-year Growth and Transformation Plan has
placed enormous responsibility on the Bank; more specifically, the Bank is
entrusted with mobilizing the financial resources that finance projects of huge
significance for attaining the plan. This increased role of the Bank in the overall
development endeavour can only be delivered sustainably if the Bank properly
manages its increased operational risk exposure.

Proper management of operational risk needs a well-defined framework. Hence the
CBE has developed an Operational Risk Management Guideline (ORMG), which
addresses the basic OR definition, the roles and responsibilities of Bank personnel
in operational risk management, the ORA process and the monitoring mechanisms
for operational risk events.

In general, appropriate risk mitigation and/or internal control procedures need to
be established by all processes of the Bank so that risk is maintained within an
acceptable level. To this end, each process shall conduct a regular Operational
Risk Assessment (ORA) to analyze operational risks and test the effectiveness of
implemented controls, thereby ensuring business operations are conducted within
acceptable risk limits.

To clarify the issues discussed in the ORMG, the preparation of a training manual
was found to be important. Hence the issues addressed by the ORMG will be
discussed in detail through the four major parts of the training manual. These are:

 Overview of Operational Risk Management
 Operational Risk Management Framework and Governance
 The Operational Risk Management Process
 Business Continuity Management

The overall objective of providing operational risk management training is to
create risk-enabled bankers across the Bank.


I: OVERVIEW OF OPERATIONAL RISK MANAGEMENT

1.1 What is Risk?

In finance, risk is the fundamental element that affects financial behaviour. There
is no unique or uniform definition of risk, but this is not surprising: the definition
depends on the context and the purpose for which one wishes to formulate the
concept of risk.

From the CBE’s perspective, risk is defined as “the possibility that an event will
occur and adversely affect the achievement of the objectives”. An event, according
to COSO ERM, is “an accident or occurrence, from sources internal or external to
an entity, that affects achievement of objectives”.

Generally, risk can be defined as a function of three variables:

(i) The probability that there is a threat,
(ii) The probability that there are vulnerabilities, and
(iii) The potential impact.

1.2 Banks’ Exposure to Risk

Banks are subject to a wide array of risks. These risks can be classified in various
ways and from various perspectives. For the purposes of this training manual, the
most widely used classification is employed. According to this classification,
banking risks fall under two categories: financial and non-financial risks.

 Financial risk is an umbrella term for multiple types of risk associated with
financing that directly affect the financial performance of the bank. Credit,
liquidity and market risks are the three types of financial risk in the banking
industry. Financial risks are subject to complex interdependencies that may
significantly increase a bank’s overall risk profile. For example, a bank
engaged in the foreign currency business is normally exposed to currency risk,
but it will also be exposed to additional liquidity and interest rate risk if the
bank carries open positions or mismatches in its books.

 Non-financial risk is risk which indirectly affects the financial performance
of the bank. It is associated with internal and external environmental factors,
macroeconomic and policy concerns, regulatory factors, the overall financial
sector infrastructure and the payment systems of the jurisdictions in which a
bank operates. It incorporates operational and environmental risks.

Table 2.1. Banking Risks (based on the two major classifications)

Financial Risks:
 Credit risk
 Liquidity risk
 Market risk

Non-Financial Risks:
 Operational risk
 Environmental risk
 Business and strategic risks
 Legal risk
 Reputational risk
 Country and political risks

Types of Financial Risks

1. Credit risk is the potential loss a bank would suffer if a bank borrower, also
known as the counterparty, fails to meet its obligations to pay interest on the loan
and repay the amount borrowed in accordance with the agreed terms.

2. Market risk is the risk of losses to the bank arising from movements in
market prices as a result of changes in interest rates, foreign exchange rates, and
equity and commodity prices. The components of market risk are as follows:

 Interest rate risk is the potential loss due to movements in interest rates. This
risk arises because bank assets (loans and bonds) usually have a significantly
longer maturity than bank liabilities (deposits). This risk can be conceptualized in
two ways. First, if interest rates rise, the value of the longer-term assets will tend
to fall more than the value of the shorter-term liabilities, reducing the bank’s
equity. Second, if interest rates rise, the bank will be forced to pay higher interest
rates on its deposits well before its longer-term loans mature and it is able to
replace those loans with loans that earn higher interest rates.

 Foreign exchange risk is the risk that the value of the bank’s assets or
liabilities changes due to currency exchange rate fluctuations. Banks buy and
sell foreign exchange on behalf of their customers (who need foreign
currency to pay for their international transactions or receive foreign
currency and want to exchange it to their own currency) or for the banks’
own accounts.

 Equity risk is the potential loss due to an adverse change in the price of
stock. Stock, also referred to as shares or equity, represent an ownership
interest in a company. Banks can purchase ownership stakes in other
companies, exposing them to the risk of the changing value of these shares.

 Commodity risk is the potential loss due to an adverse change in commodity
prices. There are different types of commodities, including agricultural
commodities (e.g., coffee, sesame, niger seeds, etc.), industrial commodities
(e.g., metals), and energy commodities (e.g., natural gas, crude oil). The
value of commodities fluctuates a great deal due to changes in demand and
supply.

Market risk tends to focus on a bank’s trading book. The trading book is the
portfolio of financial assets such as bonds, equity, foreign exchange, and
derivatives held by a bank to either facilitate trading for its customers or for its
own account or to hedge against various types of risk. Assets in the trading book
are generally made available for sale, as the bank does not intend to keep those
assets until they mature. Assets in the bank’s banking book (held until maturity)
and trading book (not held until maturity) collectively contain all the various
investments in loans, securities, and other financial assets the bank has made
using its deposits, loans, and shareholder equity. Distinguishing between the
trading and banking books is essential for how the banks operate and how they
manage their risks.

3. Liquidity risk: The risk of being unable to fund increases in assets and meet
obligations as they come due, such as an inability to raise money in the long-term
or short-term debt capital markets, or an inability to access the repurchase and
securities lending markets. Generally, liquidity risk is classified into funding and
trading liquidity risk.

Types of Non-Financial Risks

1. Environmental risks are risks associated with a bank’s business environment,
including macroeconomic and policy concerns, legal and regulatory factors, and
the overall financial sector infrastructure and payment systems of the jurisdictions
in which it operates. They include business and strategic risk, reputational risk
and political risk.

■ Business and Strategic Risk: The risk that a bank would have to modify its
line of behaviour and activity in order to cope with changes in the economic and
financial environment in which it operates. [For example, a new competitor can
change the business paradigm, or new strategic initiatives (such as the
development of a new business line or the reengineering of an existing business
line, for example e-banking) can expose the bank to strategic risk. Many strategic
risks involve timing issues, such as the inability to keep up with rapid
technological change and the increasing use of the Internet.]

■ Reputational risk: The potential that negative publicity regarding the bank’s
business practices, whether true or not, will cause a decline in the customer base,
costly litigation, or revenue reductions. This definition suggests that reputational
risk takes the form of an indirect, rather than direct, loss resulting from a bank’s
past business practices.

It can also be defined as the risk of loss of image through questionable business
practices, lack of customer centred approach, low standards of professionalism
and public disclosure of bank’s financial problems.

■ Political risk: The risk of an adverse impact on the bank’s activities due to
changes in country and/or regional political or economic pressures, such as
monetary controls.

2. Operational risk: The BCBS (2004a) defines operational risk as “the risk of
loss arising from inadequate or failed internal processes, people and systems or
from external events”. This definition, which is based on the underlying causes of
operational risk, includes legal risk but excludes business and reputational risk.

The CBE has adopted the above definition, and the following table shows the
breakdown based on these underlying causes or risk factors:


Table 1.2. Operational Risk and its Main Factors

PEOPLE
 Fraud, collusion and other criminal activities
 Violation of internal or external rules (unauthorized trading, insider dealing, etc.)
 Errors related to management incompetence or negligence
 Errors related to the quality and skills of internal professionals and employees
 Loss of important employees (illness, injury, problems in retaining staff, etc.)
 Violation of system security

SYSTEM
 IT problems (hardware or software failures, computer hacking or viruses, etc.)
 Unauthorized access to information and system security
 Unavailability and questionable integrity of data
 Telecommunications failures
 Utility outages

PROCESSES
 Execution, registration, settlement and documentation errors (transition risk)
 Errors in models, methodologies and mark to market (model risk)
 Accounting and taxation errors
 Inadequate formalization of internal procedures
 Compliance issues
 Breach of mandate
 Inadequate definition and attribution of responsibilities

EXTERNAL EVENTS
 Criminal activities (theft, terrorism or vandalism)
 Political and military events (wars or international sanctions)
 Changes in the political, legal, regulatory and tax environment (strategic risk)
 Natural events (fire, earthquake, flood, etc.)
 Operational failure at suppliers or outsourced operations

1.3 The Increasing Importance of Operational Risk Management

The trend toward greater dependence on technology, greater competition among
banks and globalization has left the banking industry more exposed to
operational risk than ever before. The risk of fraud and external events (such as
natural disasters) has been around since the beginning of banking, but it is
technological progress that has boosted the potential of operational risk. The
following comments summarize the situation:

“Operational risk has traditionally occupied a netherworld below
market and credit risk” but “headline-grabbing financial failures,
decentralized control, the surge in e-commerce and the
emergence of new products and business lines have raised its
profile”.

Likewise, the CBE has witnessed great development and growth, manifested in the
aggressive expansion of branches and service outlets, greater use of automated
technology, the introduction of e-banking, large-scale engagement in international
banking activities, increased transaction volumes and the growing use of
outsourcing arrangements. These and other changes are expected to raise the
operational risk profile of the bank to a much higher level than before, demanding
operational risk management.

1.4. Benefits and Opportunities of ORM

Operational Risk Management (ORM) is a value-adding function in the sense that
it contributes to the smooth functioning of the business by proactively managing
potential risks and minimizing the losses that would otherwise result. The
following are some of the benefits of operational risk management:
 Enhances a bank’s early-warning system and strategy development;
 Helps to identify the important and relevant risks amongst all that can go
wrong with the business objective;
 Ensures that the process of risk management is developed and risks are
managed throughout the Bank in a consistent manner;
 Promotes a culture of “risk awareness”;
 Combats a “risk averse” mentality;
 Guides performers involved in the risk management process;
 Assists performers in prioritizing risks for further action; and
 Reports the risk profile of the bank to the BoDs and the Process Council for
informed decision making.

1.5. Defining Features of Operational Risk

Operational risk has some peculiar features. Some of these peculiarities, as
commonly noted in the literature on the subject, are listed below:
 Inherent to business: the risk is inseparably linked with almost all
business activities.
 Specific: all measures to control and mitigate it strongly depend on the
specific profile of a bank. That is, there is no “one size fits all” formula for
managing operational risks.
 A cultural risk: a bank’s business practices and its approaches to managing
risks determine the nature and level of its operational risk.
 Diversity: as its definition clearly suggests, the scope of operational risk is
one feature that distinguishes it from the relatively narrowly defined
market risk and credit risk, which are more widely understood and
appreciated (by banks and regulators) as risk types. The diversity of
operational risk (ranging from legal concerns to technological issues to
behavioural matters) makes it difficult to limit the number of dimensions
required to describe it. Operational risk encompasses the types of risk
emanating from all areas of the bank: front office, back office and support
areas. Hence, identifying operational risk is more difficult than identifying
market risk and credit risk; operational risk is complex in its causes,
sources and manifestations.
 Higher OR does not necessarily mean higher income: operational risk
does not involve a clear relation between risk and income, i.e. higher
operational risks, as a rule, do not lead to better income prospects.
 Located inside, to a great extent: in contrast to other banking risks, a
major part of operational risk is located fully inside financial institutions,
which is understandable for reasons of competition.
 Difficulty of establishing a reliable database: more often than not,
banks take care not to draw attention to their own weaknesses. This results
in a lack of event data for building an appropriately broad statistical
database, which may be further aggravated by a generally poor database
for certain loss event types in specific business lines. On the other hand,
loss events of one bank are not necessarily transferable to other banks, due
to differences in business activities, practices or internal control.
 Difficult to predict: it is relatively easy to measure and, thus, control the
financial risks, while it is much more difficult to establish a link between
risk factors and the probability/severity of losses for operational risk. For
example, in the case of credit and market risks, risk factors, i.e.
determining circumstances, and risk potentials, i.e. existing exposures, can
be better differentiated due to the generally deliberate acceptance of risks.
 Infrequent: very high operational losses that potentially threaten the
stability of a bank are relatively infrequent, but this is changing in recent
times.
 Difficult to measure: in principle, the loss potential is determined by the
combination of the magnitude and likelihood of loss, also in the case of
operational risk; none of these “risk dimensions” alone is suitable as an
objective measure of exposure.

1.6. Operational Risk Perspectives

Operational risk events can be classified using five perspectives:

a) Internal versus External Operational Losses

Operational losses can be internally inflicted or can result from external sources.
Internally inflicted sources include most of the losses caused by human, process,
and technology failures, such as those due to human errors, internal fraud,
unauthorized trading, injuries, and business delays due to computer failures or
telecommunication problems. External sources include man-made incidents such
as external fraud, theft, computer hacking, terrorist activities, and natural
disasters such as damage to physical assets due to floods, and fires.

Many of the internal operational failures can be prevented with appropriate
internal management practices; for example, tightened controls and management
of the personnel can help prevent some employee errors and internal fraud, and
improved telecommunication networks can help prevent some technological
failures.

External losses are very difficult to prevent. However, it is possible to design
insurance or other hedging strategies to reduce or possibly eliminate externally
inflicted losses.

b) Direct versus Indirect Operational Losses

Direct losses are the losses that arise directly from the associated events. For
example, an incompetency can result in a loss for a bank. Indirect losses are
generally opportunity costs and the losses associated with the costs of fixing an
operational risk problem, such as near-miss losses. The following table lists the
direct loss types, as per the Basel II definition.

Table 1.3. Direct Loss Types and their definition according to Basel II

Write-downs: Direct reduction in value of assets due to theft, fraud, unauthorized
activity, or market and credit losses arising as a result of operational events.

Legal liability: Judgements, settlements, and other legal costs.

Regulatory and compliance: Taxation penalties, fines, or the direct cost of any
other penalties, such as license revocations.

Loss of or damage to assets: Direct reduction in value of physical assets,
including certificates, due to an accident, such as neglect, accident, fire, and
earthquake.

c) Expected versus Unexpected Operational Losses

Some operational losses are expected; some are not. Expected losses are
generally those that occur on a regular (e.g. daily) basis, such as minor
employee errors. Unexpected losses are those that generally cannot be easily
foreseen, such as natural disasters and large-scale internal fraud.

d) Operational Loss Severity and Frequency

We have already stated that expected losses generally refer to losses of low
severity (or magnitude) and high frequency. Generalizing this idea, operational
losses can be broadly classified into four main groups:
1. Low frequency/low severity
2. High frequency/low severity
3. High frequency/high severity
4. Low frequency/high severity
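As an added worked example (not part of the original manual), the following Python script places constructed loss records into these four groups. It aggregates a loss log by event type, counts events to obtain the frequency, takes the average amount per event as the severity, and applies two assumed thresholds (FREQUENCY_THRESHOLD and SEVERITY_THRESHOLD, chosen for the illustration rather than taken from the manual). Event types that land in the high frequency/low severity group are marked as expected losses in the sense of section c) above. The event types and amounts are constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample loss log for one reporting period (not real CBE data):
# (event type, loss amount in ETB)
SAMPLE_LOSSES: List[Tuple[str, float]] = [
    ("teller cash shortage", 300), ("teller cash shortage", 450),
    ("teller cash shortage", 200), ("teller cash shortage", 150),
    ("teller cash shortage", 500), ("teller cash shortage", 250),
    ("transaction posting error", 1200), ("transaction posting error", 800),
    ("transaction posting error", 950), ("transaction posting error", 700),
    ("card fraud", 60_000), ("card fraud", 85_000), ("card fraud", 70_000),
    ("card fraud", 90_000), ("card fraud", 75_000),
    ("internal fraud", 2_500_000),
    ("flood damage to branch", 4_000_000),
]

# Assumed thresholds, one per "risk dimension" (chosen for the illustration).
FREQUENCY_THRESHOLD = 5       # events per period; at or above counts as high frequency
SEVERITY_THRESHOLD = 50_000   # average loss per event; at or above counts as high severity


@dataclass
class LossProfile:
    event_type: str
    count: int          # frequency in the period
    total: float        # total loss from this event type
    average: float      # severity, taken here as the average loss per event
    group: str          # one of the four frequency/severity groups
    expected: bool      # high frequency/low severity: regular losses that can be budgeted for


def classify_losses(records, freq_threshold=FREQUENCY_THRESHOLD,
                    sev_threshold=SEVERITY_THRESHOLD) -> Dict[str, LossProfile]:
    """Aggregate a loss log by event type and place each type in one of the four groups."""
    counts: Dict[str, int] = defaultdict(int)
    totals: Dict[str, float] = defaultdict(float)
    for event_type, amount in records:
        counts[event_type] += 1
        totals[event_type] += amount
    profiles: Dict[str, LossProfile] = {}
    for event_type, count in counts.items():
        average = totals[event_type] / count
        freq = "high frequency" if count >= freq_threshold else "low frequency"
        sev = "high severity" if average >= sev_threshold else "low severity"
        group = f"{freq}/{sev}"
        profiles[event_type] = LossProfile(event_type, count, totals[event_type], average,
                                           group, group == "high frequency/low severity")
    return profiles


def group_totals(profiles: Dict[str, LossProfile]) -> Dict[str, float]:
    """Total loss per group: where the money goes versus where the threat to stability sits."""
    totals: Dict[str, float] = defaultdict(float)
    for p in profiles.values():
        totals[p.group] += p.total
    return dict(totals)


def sample_classification() -> Dict[str, LossProfile]:
    return classify_losses(SAMPLE_LOSSES)


if __name__ == "__main__":
    profiles = sample_classification()
    for p in sorted(profiles.values(), key=lambda p: p.total, reverse=True):
        tag = "expected" if p.expected else "unexpected"
        print(f"{p.event_type:28} n={p.count:2} avg={p.average:12,.0f}  {p.group:30} {tag}")
    print(group_totals(profiles))
```

In practice the two thresholds would be derived from the bank's own loss database and risk appetite; the point the script makes is that neither the count nor the amount alone sorts an event type, so the two small teller shortages groups and the single flood loss end up in different quadrants even though the flood is the larger number in every column.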

e) Cause type, event type, and loss type

There is a distinction between cause (hazard type), event type, and loss type.
When banks record their operational loss data, it is crucial to correctly identify the
risk event.

The distinction between the three is comparable to cause and effect:

 Hazard (cause) constitutes one or more factors that increase the
probability of occurrence of an event.
 Event is a single incident that leads directly to one or more effects
(e.g., losses).
 Loss (consequence) constitutes the amount of financial damage
resulting from an event.

Thus, a hazard potentially leads to events, and events are the cause of loss.
Therefore, an event is the effect of a hazard while loss is the effect of an event.

Hazards (causes):
 Inadequate employee management
 Obsolete computer system
 Inexperienced personnel
 Large transaction volumes
 Diversity and cultural difference
 Unfavorable climate conditions and geographical location
 Other

Events:
 High employee turnover/theft
 Business disruption
 System failure
 Customer dissatisfaction
 Improper reporting
 Failed/inaccurate reporting
 Diversity/discrimination events
 Improper business and market practices
 Terrorism

Losses (consequences):
 Human loss/financial loss
 Reputational damage
 Regulatory and compliance (e.g. fines and taxation penalties)
 Legal liability
 Loss of or damage to physical assets

1.7 Operational Key Risk Indicators

KRIs are metrics capable of showing that a bank is subject to, or has a high
probability of being subject to, a risk that exceeds the defined risk appetite. They
are parameters which can act as indicators and which can be seen to be
predictive regarding changes in the risk profile of a bank’s business. The indicator
becomes key when it tracks an especially important exposure or indicates
significance risk of a bank.

KRIs can include:

 Something observed or calculated – used to identify a condition or trend;
 An instrument or gauge – measures something and registers the
measurement; and
 Something such as a “light, sign, or pointer” – provides information, for
example, about which direction to follow, and which serves as a “signal”.

KRIs then are measures which indicate the level of and changes in the
bank’s risk profile. This is achieved by focusing KRIs on the root causes of
potentially significant risk events and exposures, as illustrated below.

[Figure: causes (Cause-1, Cause-2, Cause-3) lead to a risk event, which leads to
effects (Effect-1, Effect-2, Effect-3). Key risk indicators sit on the cause side of
the risk event; detective controls sit on the effect side, over the expected loss
events.]

The following list provides generic examples of key risk indicators related to the
basic risk categories of operational risk sources: people, processes, systems and
external events. In general, KRIs are specific to an organization and their
selection depends on a number of parameters in the internal and external
environment, including the size and complexity of the business and its strategic
focus.
Risk factor: examples of key risk indicators

People
  • Number of staff disciplinary actions / dismissals
  • Percentage of staff appraisals below “satisfactory”
  • Number of staff grievances
  • Results of staff surveys
  • Staff turnover rates
  • Percentage of joiners leaving within the first 6 months
  • Proportion of permanent versus temporary staff
  • Average length of service per member of staff
  • Average time to fill vacant positions
  • Staff absenteeism / sickness rates
  • Overtime
  • Actual versus budgeted training costs
  • Percentage of staff who have not had two weeks’ consecutive leave

Processes
  • Number / percentage of accounts with outstanding / incomplete customer documentation
  • Number / percentage of unauthorized customer accounts opened
  • Number / percentage of customer accounts with a significant change in volume / value of transactions
  • Number of incidents reported to the Money Laundering Reporting Officer
  • Number / percentage of customer accounts with unusual transactions
  • Number and nature of limit breaches
  • Market share by product
  • Customer intake / retention / churn by product versus budget
  • Significant revenue variance by product
  • Number of new products / new products awaiting approval / unapproved products
  • Projected transaction processing volumes versus capacity
  • Percentage change in transaction volumes
  • Percentage of total transactions handled
  • Number / value / age of processing exceptions
  • Processing exceptions as a percentage of transaction volumes
  • Number of customer complaints
  • Number of compliance / regulatory breaches
  • Number of un-reconciled accounts
  • Number / value / age of un-reconciled items

Systems
  • Number and type of security violations
  • Number of virus incidents
  • Systems usage versus capacity
  • Systems downtime
  • Number, type and severity of system incidents / breaches
  • Number of system upgrades / version releases
  • Number of open system change requests
  • Number of help desk calls
  • Number of outstanding business continuity plans
  • Utility performance statistics

External events
  • Number of outstanding disaster recovery plans
  • Number of overdue disaster recovery plan tests
  • Number and nature of physical security incidents
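The Systems indicators in the table are only useful once raw incident records are aggregated into numbers and compared against thresholds, with the trend against the previous period deciding whether an amber indicator needs escalating. The following is an added example, not code from the manual or the bank's own tooling: the incident record fields, the four KRI definitions, the amber/red thresholds and the prior-month values are constructed assumptions chosen for illustration.

```python
"""Key risk indicators (KRIs) computed from raw system incident records and rated
against thresholds. Added example, not from the manual: the record fields, the KRI
definitions, the amber/red thresholds and the prior-month values are all assumed."""
from collections import Counter

# Constructed incident records for one reporting month (assumed fields).
INCIDENTS = [
    {"date": "2013-03-02", "type": "security_violation", "severity": "high",   "minutes_down": 0},
    {"date": "2013-03-05", "type": "virus",              "severity": "medium", "minutes_down": 0},
    {"date": "2013-03-09", "type": "outage",             "severity": "high",   "minutes_down": 95},
    {"date": "2013-03-14", "type": "security_violation", "severity": "low",    "minutes_down": 0},
    {"date": "2013-03-21", "type": "outage",             "severity": "medium", "minutes_down": 20},
    {"date": "2013-03-27", "type": "security_violation", "severity": "high",   "minutes_down": 0},
]

# Assumed KRI thresholds as (amber, red); a value at or above a threshold triggers it.
THRESHOLDS = {
    "security_violations":     (2, 4),
    "virus_incidents":         (2, 3),
    "downtime_minutes":        (60, 120),
    "high_severity_incidents": (2, 4),
}

# Assumed values reported for the previous month, used for the trend.
PRIOR_MONTH = {
    "security_violations": 1,
    "virus_incidents": 0,
    "downtime_minutes": 150,
    "high_severity_incidents": 3,
}

def compute_kris(incidents):
    """Aggregate raw records into the indicators the Systems row of the table lists."""
    by_type = Counter(rec["type"] for rec in incidents)
    return {
        "security_violations": by_type["security_violation"],
        "virus_incidents": by_type["virus"],
        "downtime_minutes": sum(rec["minutes_down"] for rec in incidents),
        "high_severity_incidents": sum(1 for rec in incidents if rec["severity"] == "high"),
    }

def rate(value, amber, red):
    """Red / amber / green rating of one indicator against its thresholds."""
    if value >= red:
        return "red"
    if value >= amber:
        return "amber"
    return "green"

def evaluate_kris(incidents, previous=None, thresholds=THRESHOLDS):
    """Return {kri: (value, rating, trend)}; trend compares with the previous period."""
    current = compute_kris(incidents)
    previous = previous or {}
    report = {}
    for name, value in current.items():
        amber, red = thresholds[name]
        prior = previous.get(name)
        if prior is None:
            trend = "n/a"
        elif value > prior:
            trend = "worsening"
        elif value < prior:
            trend = "improving"
        else:
            trend = "stable"
        report[name] = (value, rate(value, amber, red), trend)
    return report

def escalations(report):
    """Indicators that are red, or amber and worsening, go to the risk committee."""
    return sorted(name for name, (_, rating, trend) in report.items()
                  if rating == "red" or (rating == "amber" and trend == "worsening"))

if __name__ == "__main__":
    report = evaluate_kris(INCIDENTS, PRIOR_MONTH)
    for name, (value, rating, trend) in report.items():
        print(f"{name:25} {value:5} {rating:6} {trend}")
    print("escalate:", escalations(report))
```

With the constructed month, three indicators sit in amber but only security violations is also worsening, so it is the one escalated; downtime is amber but improving against the prior month, and the single virus incident stays green. The thresholds and the escalation rule are the parts a bank would set from its own risk appetite, not values the manual prescribes.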


1.8. Operational Risks and Internal Control

Internal control is defined as:

“... the process designed, implemented and maintained by those charged with
governance, management and other personnel to provide reasonable assurance
about the achievement of the entity’s objectives with regard to reliability of
financial reporting, effectiveness and efficiency of operations, safeguarding of
assets, and compliance with applicable laws and regulations.” It is a coordinated
set of policies and procedures that help to ensure that management’s objectives
are achieved.

Internal control is a preventive, detective and/or corrective activity intended to
manage the inherent risks identified within the business. This will normally relate
to managing the potential impact and/or likelihood of a risk exposure, but may
also involve risk transfer, mitigation or elimination.

Internal controls can be preventive, detective or corrective by nature.

1. Preventive controls are designed to keep errors or irregularities from
   occurring in the first place, e.g. prior authorization, approval and verification of
   transactions, segregation of duties, limits and committees.

2. Detective controls are designed to detect errors or irregularities that may
   have occurred, e.g. account reconciliations, timely preparation of financial
   statements and review of performance reports.

3. Corrective controls are designed to correct errors or irregularities that have
   been detected, e.g. reversing an erroneous entry or restoring data from a backup.

Formal vs. Informal Internal Control

Formal internal control includes explicit rules, procedures, performance
measures and incentive plans that guide the behaviour of managers and other
employees. Informal internal control, by contrast, includes shared values, loyalties
and mutual commitments among members of the company, corporate culture,
and unwritten norms about acceptable behaviour.

Control activities:

Control activities are the policies and procedures that ensure management directives
are executed; they ensure that the necessary actions are taken to address risks to the
achievement of corporate objectives. They may include:

• Segregation of duties: no one person initiates, approves and records
  transactions, reconciles, balances, handles assets and reviews reports. At least
  two sets of eyes are involved: maker and checker, RM and analyst,
  purchaser and stock controller, etc.

• Authorization of transactions: review of particular transactions by an
  appropriate person, separating the authorization, custody and record-keeping
  roles.

• Retention of records: maintaining documentation to substantiate
  transactions.

• Supervision or monitoring of operations: observation or review of
  ongoing operational activity.

• Physical safeguards: use of cameras, locks, physical barriers, etc. to
  protect property such as servers or merchandise inventory.

• Top-level reviews: analysis of actual results versus organizational goals or
  plans, periodic and regular operational reviews, etc.

• IT security: use of passwords, access logs, etc. to ensure that access is
  restricted to authorized personnel.

Control activities shall involve all staff and management of the bank, enable
quick responses to changing conditions and avoid unnecessary costs.

When designing and implementing control activities, process owners shall consider
the following:

• The cost of establishing a control activity shall not exceed the benefit
  the bank would receive if the undesirable event were avoided.
• Control activities shall be built in as processes and systems are
  being designed. Adding control activities after the development of a
  process or system is generally more costly.
• The allocation of resources among control activities should be based on
  the impact and likelihood of the risk.
• Controls shall not be excessive, since excessive control impedes productivity.

Identified risks shall be prioritized and considered against the existing controls,
so that the residual risk is identified after the existing controls have been
applied to the inherent risk.

Inherent risk: the risk in a business or process before the effect of any
risk mitigation, control or transfer activities.

Current risk: the actual risk today, i.e. inherent risk with current risk
responses applied.

Residual risk: the potential impact and likelihood of an identified risk
exposure, considering the effect of the existing (but excluding planned)
controls.

Figure 2.4 Inherent Risk, Current Risk and Residual Risk

[Figure: three boxes in sequence, Inherent Risk, Current Risk, Residual Risk, with these captions]
Inherent Risk: risk without taking into account any risk response.
Current Risk: the actual risk today, i.e. inherent risk with current risk responses applied.
Residual Risk: equal to current risk with additional risk responses applied; the additional risk responses are identified based on analysis of the current risk.


1.9 Operational Risk Treatment/mitigation Options

Risk treatment (mitigation) comprises the steps taken or procedures implemented
upon discovery of an unacceptably high degree of exposure to one or more risks.
As discussed in Part II of this training manual, there are four internationally
accepted risk treatment/response options, to which a fifth, exploiting risk, is
added for risks that represent opportunities:

i. Risk avoidance (strategy: “to avoid the risk by deciding to stop,
   postpone, cancel, divert or continue with an activity that may be the cause
   of that risk”);
ii. Risk reduction (strategy: “to modify the likelihood of the risk, trying to
   reduce or eliminate the likelihood of the negative outcomes, and/or to
   modify the consequences in a way that will reduce losses”);
iii. Risk sharing and transfer (strategy: “to share the risk with other
   parties facing the same risk”; insurance arrangements and outsourcing
   arrangements can be used to spread responsibility and liability). Of course,
   one should always keep in mind that if a risk is shared in whole or in part,
   the organization is acquiring a new risk, i.e. the risk that the organization
   to which the initial risk has been transferred may not manage it
   effectively.
iv. Risk acceptance (strategy: “deliberately taking certain risks in a targeted
   way / to retain the risk or its residual risks”).
v. Exploiting risk: exploiting risks that represent a missed opportunity, i.e.
   implementing strategies to take advantage of the opportunities presented
   by such risk factors.

The risk mitigation strategies for operational risks fall into the same four general
categories of risk mitigation used for managing risks of all types. These are:

i. Risk Avoidance
In a cost-benefit analysis, a bank should opt for risk avoidance if the expected
margin of an activity is lower than its expected risk cost, taking account of all the
risks. Such activities should be abandoned or not launched in the first place.
Such a decision has to consider several aspects, such as time horizon, available
specialized expertise, strategic objectives and reputational risk.


ii. Risk Reduction

The objective may be a cause-oriented reduction of loss frequency or an effect-
oriented reduction of loss severity. Both objectives can be supported by internal
control activities. Additionally, risk sharing or complete risk transfer are suitable
options for reducing loss severity.

The tools of risk mitigation mainly consist of a multitude of organizational
safeguards and control measures within the framework of an internal control
system:
• guidelines and procedures,
• separation of functions and the “four-eyes principle”,
• the need-to-know principle (access control),
• physical access control,
• coordination and plausibility checks,
• limit management,
• inventories, and
• disaster recovery and business continuity planning.

The establishment of such controls should be evidenced in system and
procedural documentation, for example in the form of frameworks, guidelines or
instructions, and their implementation should also be appropriately documented.
The key principles of separation of functions and the “four-eyes principle” are
supported, for example, by job descriptions and by the allocation of
responsibilities and powers. Preventive controls embedded in business processes
are particularly efficient. Informal controls play an important role in all
organizations; the decision to rely on them should be made deliberately, and its
justification should be traceable.
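The segregation of duties, authorization, limit and IT security items listed under "Control activities" in 1.8, and the four-eyes, need-to-know and limit-management tools listed here, are easiest to pin down as the checks a transaction system actually enforces before anything is posted. The following is an added example, not code from the manual or from the bank: the roles, limit amounts, users, branches and transactions are constructed assumptions. Each denied action raises an exception so that nothing is posted, and every attempt, allowed or denied, is written to an access log that a later detective review can inspect.

```python
"""Preventive controls as code: segregation of duties (maker-checker / four-eyes),
need-to-know access, authorization limits, and an access log kept for later review.
Added example, not from the manual: roles, limits, users and transactions are assumed."""
from dataclasses import dataclass, field
from typing import Optional

# Assumed role model: who may initiate, who may approve, and up to what amount.
ROLES = {
    "teller":     {"initiate": True, "approve": False, "limit": 0},
    "supervisor": {"initiate": True, "approve": True,  "limit": 50_000},
    "manager":    {"initiate": True, "approve": True,  "limit": 500_000},
}
# Assumed need-to-know mapping: a user may only touch their own branch.
USERS = {
    "alice": {"role": "teller",     "branch": "B01"},
    "bob":   {"role": "supervisor", "branch": "B01"},
    "carol": {"role": "manager",    "branch": "B01"},
    "dave":  {"role": "supervisor", "branch": "B02"},
}

class ControlViolation(Exception):
    """Raised when a preventive control blocks an action; nothing is posted."""

@dataclass
class Transaction:
    tx_id: str
    branch: str
    amount: int
    maker: Optional[str] = None
    checker: Optional[str] = None
    posted: bool = False

@dataclass
class Ledger:
    posted: list = field(default_factory=list)
    access_log: list = field(default_factory=list)  # retained for detective review

    def _log(self, user, action, tx, outcome):
        self.access_log.append((user, action, tx.tx_id, outcome))

    def _check_access(self, user, action, tx):
        """Checks shared by every action: known user, and need-to-know (same branch)."""
        info = USERS.get(user)
        if info is None:
            self._log(user, action, tx, "denied: unknown user")
            raise ControlViolation(f"unknown user {user}")
        if info["branch"] != tx.branch:
            self._log(user, action, tx, "denied: need-to-know")
            raise ControlViolation(f"{user} has no access to branch {tx.branch}")
        return ROLES[info["role"]]

    def initiate(self, user, tx):
        role = self._check_access(user, "initiate", tx)
        if not role["initiate"]:
            self._log(user, "initiate", tx, "denied: not an initiator")
            raise ControlViolation(f"{user} may not initiate transactions")
        tx.maker = user
        self._log(user, "initiate", tx, "ok")
        return tx

    def approve(self, user, tx):
        role = self._check_access(user, "approve", tx)
        if not role["approve"]:
            self._log(user, "approve", tx, "denied: not an approver")
            raise ControlViolation(f"{user} may not approve transactions")
        if tx.maker is None or user == tx.maker:  # four-eyes: checker != maker
            self._log(user, "approve", tx, "denied: self-approval")
            raise ControlViolation("maker and checker must be different people")
        if tx.amount > role["limit"]:             # limit management
            self._log(user, "approve", tx, "denied: over limit")
            raise ControlViolation(f"{user}'s limit {role['limit']} is below {tx.amount}")
        tx.checker, tx.posted = user, True
        self.posted.append(tx)
        self._log(user, "approve", tx, "ok")
        return tx

def attempt(action, *args):
    """Run a control-checked action; return None on success or the violation text."""
    try:
        action(*args)
        return None
    except ControlViolation as exc:
        return str(exc)

if __name__ == "__main__":
    ledger = Ledger()
    t1 = ledger.initiate("alice", Transaction("T1", "B01", 20_000))
    print(attempt(ledger.approve, "alice", t1))  # teller cannot approve
    print(attempt(ledger.approve, "bob", t1))    # None: posted by a second pair of eyes
    t2 = ledger.initiate("bob", Transaction("T2", "B01", 30_000))
    print(attempt(ledger.approve, "bob", t2))    # self-approval blocked
    print(attempt(ledger.approve, "dave", t2))   # other branch: need-to-know
    t3 = ledger.initiate("alice", Transaction("T3", "B01", 100_000))
    print(attempt(ledger.approve, "bob", t3))    # over the supervisor limit
    print(attempt(ledger.approve, "carol", t3))  # None: within the manager limit
    print(*ledger.access_log, sep="\n")
```

The point of the design is that the four-eyes check is a property of the transaction (maker recorded at initiation, checker compared against it at approval), not of the user interface, so a supervisor who can both initiate and approve still cannot do both for the same item. The Barings and Daiwa cases in 1.10 are what happens when that check, and the branch-level need-to-know check, are missing.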
iii. Risk Sharing and Transfer

Risk sharing or transfer is mainly of interest if a risk cannot be reduced, or can
only be inadequately reduced, by internal controls, or if the cost of controls is
higher than the expected loss. Another condition is that, in comparison with the
company’s risk appetite, the risk is so high that it cannot simply be accepted.
Important instruments of risk sharing and/or risk transfer are insurance and the
outsourcing of activities and functions. Very careful examination is needed to see
whether the desired effect can be fully or only partly achieved and whether
undesirable side effects are possible. Thus, there are cases where only risk sharing
is possible instead of a full risk transfer, or where circumstances change over time
and shift the split between the risk borne by the company itself and by a third
party. Through different deductibles, insurance policies allow the cover to be
matched to the risk appetite and risk profile of a company and its individual
activities. In the case of outsourcing solutions, undesirable effects on the risk
profile are frequently overlooked because these risk effects are often only
indirectly related to the purpose of the outsourcing.

(a) Insurance

There should be close cooperation between the risk controlling units responsible
for operational risks and the unit in charge of taking out insurance in the
company. In some banks, the operational risk unit is put in charge of insurance
against operational risks. In any case, it makes sense to develop an insurance
concept as the basis for taking out insurance, and there should be regular
coordination with risk policy and risk strategy.

Examples of typical insurance products offered for operational risks in banking
are:
• property insurance,
• business interruption,
• computer crime,
• bankers’ professional indemnity (mistakes made by employees),
• directors’ and officers’ liability (breach of a duty of diligence by directors
  and officers),
• employment practices liability,
• economic crime,
• unauthorized trading, and
• vault and cash-in-transit cover.

(b) Outsourcing

In recent years, the permanent outsourcing of key activities or functions to
other companies has considerably increased in importance in the banking sector.
Outsourcing, however, involves several specific risks, so banking supervisors
give appropriate attention to this issue.

The most important aim of outsourcing is cost reduction. Another advantage may
be higher process quality and lower operational risk as compared with
performing the related activities internally. In addition to cost and efficiency
aspects, risk mitigation through risk sharing or transfer may be a goal, in
particular, of long-term strategic partnerships.

At first glance, outsourcing solutions apparently result in “shuffling off” the risk
related to the relevant activities. In fact, however, the way in which the risk
situation of a credit institution is changed by outsourcing has to be carefully
studied on a case-by-case basis:

• In any case, outsourcing always gives rise to a business partner risk, i.e.
  the risk that the business partner does not fulfil its obligations under the
  outsourcing agreement. The causes may range from quality problems
  (process or system failures, or mistakes made by employees of the
  outsource provider) and contractual disputes to the partner’s bankruptcy.
  As a consequence of such problems, the outsourced services may not be
  rendered in the quality required, only to a limited extent or, in extreme
  cases, not at all.

• In addition, account has to be taken of the legal risk which may arise from the
  usually complex contractual relations between a credit institution and its
  outsource provider. Fuzzy provisions governing the duties of the outsource
  provider, or liability issues, may lead to protracted legal proceedings to
  clarify who is responsible for a loss event. Ultimately, the credit institution
  itself may even have to bear the loss in full or in part, so that, in fact, a
  conventional system or process risk was only replaced by a special legal
  risk without improving the risk situation of the institution.

• Finally, the risk of losing control of core processes results from inadequate
  ancillary obligations on the outsource provider. If the outsourcing credit
  institution is not given adequate control, information and auditing rights
  beforehand, a kind of “black box” or “blind spot” emerges for risk
  management in the outsourced field. Thus, the quality of the outsourced
  processes can be neither appropriately assured nor verified. This highly
  unsatisfactory situation could ultimately even mean that the overall level of
  operational risk rises without the credit institution being aware of it.
These problems need to be borne in mind when outsourcing activities, so that the
credit institution remains in a position to assess its risk situation and take
appropriate measures to limit risks. This includes consideration of the
following aspects:

• How high is the dependence on outsource partners, and which options exist for
  responding to a failure of the business partner (e.g. outsourcing to a
  second partner, rapid reintegration of the activities concerned)? In this
  context, exposure to concentration risk (an increasingly dominant position of
  individual outsource providers) should be considered. In particularly critical
  areas (activities or functions of special importance for maintaining business
  operations), business contingency plans and fallback solutions may need to
  be provided; it is also advisable to plan exit scenarios in advance. A
  specific question to be answered in this context is whether the know-how
  and skills required will still be available within the credit institution after
  outsourcing.

• Are the contractual relations between outsource provider and credit
  institution regulated in a sufficiently clear and comprehensive manner, so
  that issues related to the scope of services, availability, confidentiality,
  etc. need not be clarified later on, when problems have already cropped
  up? Further aspects to be considered when drafting contracts are the
  modalities of contract termination by either party, as well as issues of data
  protection and data security.

• Does the outsourcing company have adequate control rights for assessing the
  situation in the outsourced fields? Possible options range from appropriate
  reporting lines to information, inspection and access rights and regular
  external audits. Moreover, measures have to be taken to ensure that the
  outsourcing of company parts or functions does not hamper or restrict the
  supervisor’s activities.

iv. Risk Acceptance

As a rule, risk acceptance depends on a cost-benefit analysis or a weighing of
expected income against risk. A rational reason for accepting a risk would be that
the expected loss is lower than the cost of the management activities needed to
mitigate it.

It is advisable that such decisions are systematically prepared and
documented in a suitable form, especially when the amounts involved are rather
high. Systematization can be achieved by using a risk matrix. Criteria, such as
thresholds, and decision-making processes, including escalation procedures,
should exist for accepting risks.

v. Exploiting Risk

Exploiting risks that represent a missed opportunity, i.e. exploiting the risk
factors by implementing strategies to take advantage of the opportunities
presented by such risk factors.
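Figure 2.4's inherent, current and residual risk, the rule in 1.8 that the cost of a control must not exceed its benefit, and the avoidance, acceptance, reduction and transfer rules stated in prose in this section can be combined into one risk matrix. The following is an added example, not from the manual: the 5x5 likelihood and impact scale, the modelling of each control's effectiveness as a fractional cut to likelihood (cause-oriented) or impact (effect-oriented), the appetite threshold of 8 and the sample risk register are constructed assumptions. Residual risk here follows Figure 2.4's convention (current risk with the planned additional responses applied), and a risk above appetite that is neither economically reducible nor insurable is returned as needing escalated acceptance, per the escalation procedures mentioned under risk acceptance.

```python
"""Risk matrix with inherent, current and residual risk, and the treatment rules the
manual states in prose (avoid, accept, reduce, transfer, escalate acceptance).
Added example, not from the manual: the 5x5 scale, the control-effectiveness model,
the appetite threshold and the sample risks are constructed assumptions. Residual
risk follows Figure 2.4: current risk with the additional planned responses applied."""
import math
from dataclasses import dataclass, field

APPETITE = 8  # assumed: a likelihood x impact score at or above this cannot simply be accepted
EPS = 1e-9    # guards ceil() against floating-point noise such as 2.0000000000000004

@dataclass
class Control:
    name: str
    likelihood_cut: float   # share of likelihood removed (cause-oriented), 0..1
    impact_cut: float       # share of impact removed (effect-oriented), 0..1
    annual_cost: int
    planned: bool = False   # identified from current-risk analysis, not yet in place

@dataclass
class Risk:
    name: str
    likelihood: int         # 1 (rare) .. 5 (almost certain)
    impact: int             # 1 (negligible) .. 5 (severe)
    expected_loss: int      # assumed annual expected loss with no controls at all
    expected_margin: int    # assumed annual margin of the activity carrying the risk
    insurable: bool
    controls: list = field(default_factory=list)

def _after(risk, include_planned):
    """Likelihood, impact and expected loss once the selected controls are applied."""
    l_factor = i_factor = 1.0
    for c in risk.controls:
        if c.planned and not include_planned:
            continue
        l_factor *= 1 - c.likelihood_cut
        i_factor *= 1 - c.impact_cut
    likelihood = max(1, math.ceil(risk.likelihood * l_factor - EPS))
    impact = max(1, math.ceil(risk.impact * i_factor - EPS))
    return likelihood, impact, risk.expected_loss * l_factor * i_factor

def inherent_score(risk):
    return risk.likelihood * risk.impact

def current_score(risk):
    likelihood, impact, _ = _after(risk, include_planned=False)
    return likelihood * impact

def residual_score(risk):
    likelihood, impact, _ = _after(risk, include_planned=True)
    return likelihood * impact

def treatment(risk, appetite=APPETITE):
    """Select a treatment option using the manual's decision rules."""
    # Avoidance: the activity's expected margin is below its expected risk cost.
    if risk.expected_margin < risk.expected_loss:
        return "avoid"
    # Acceptance: current risk is already within appetite.
    if current_score(risk) < appetite:
        return "accept"
    # Reduction: planned controls bring the risk within appetite and cost no more
    # than the expected loss they remove (cost of control must not exceed benefit).
    planned_cost = sum(c.annual_cost for c in risk.controls if c.planned)
    saving = _after(risk, False)[2] - _after(risk, True)[2]
    if residual_score(risk) < appetite and planned_cost <= saving:
        return "reduce"
    # Sharing / transfer: not economically reducible, too high to simply accept.
    if risk.insurable:
        return "transfer"
    # Nothing else works: acceptance only through the formal escalation procedure.
    return "accept-escalated"

def plan(risks):
    """Map each risk to (inherent, current, residual, treatment) for the risk register."""
    return {r.name: (inherent_score(r), current_score(r), residual_score(r), treatment(r))
            for r in risks}

# Constructed sample register.
SAMPLE_RISKS = [
    Risk("unauthorized trading", 4, 5, 2_000_000, 3_000_000, True, [
        Control("independent back office (segregation of duties)", 0.5, 0.0, 300_000),
        Control("daily independent position reconciliation", 0.0, 0.6, 100_000, planned=True),
    ]),
    Risk("cash-in-transit robbery", 2, 4, 150_000, 900_000, True, [
        Control("armoured transport", 0.3, 0.0, 80_000),
    ]),
    Risk("new structured-notes desk", 3, 4, 400_000, 250_000, False),
    Risk("staff absenteeism", 3, 2, 20_000, 500_000, False),
    Risk("legacy core system outage", 3, 3, 100_000, 1_000_000, False, [
        Control("full platform replacement", 0.7, 0.0, 500_000, planned=True),
    ]),
]

if __name__ == "__main__":
    for name, row in plan(SAMPLE_RISKS).items():
        print(f"{name:28} inherent={row[0]:2} current={row[1]:2} residual={row[2]:2} -> {row[3]}")
```

Read against the text: the structured-notes desk is avoided because its margin is below its expected risk cost; absenteeism is accepted because current risk is already within appetite; unauthorized trading is reduced because the planned reconciliation costs far less than the expected loss it removes; the robbery risk cannot be reduced further and is insured; and the platform replacement is uneconomic (500,000 against a 70,000 saving) for an uninsurable risk, so acceptance has to go through escalation rather than being waved through.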

1.10 Examples of High Magnitude Operational Losses

The world financial system has been shaken by a number of banking failures over
the last 20 years. More than 100 operational losses exceeding $100 million in
value each, and a number of losses exceeding $1 billion, have hit financial
firms globally since the end of the 1980s. Such large-scale losses have resulted in
bankruptcies, mergers or substantial equity price declines at a large number of
highly recognized financial institutions. Here are a few examples of such losses
from the 1990s onwards.

Orange County, 1994, United States

On December 6, 1994, Orange County, a prosperous district in California,
surprised the markets by declaring bankruptcy. The treasurer, Robert Citron, was
entrusted with a $7.5 billion commingled portfolio managed on behalf of the
county schools, cities, districts and the county itself. Investors perceived Citron
as a financial wizard who could deliver high returns on their funds during a period
of low short-term interest rates by investing in mortgage derivative products that
had a substantial exposure to interest rate changes (i.e., securities with a high
effective duration). The portfolio performed well while interest rates were
declining; however, when rates increased in early 1994, the portfolio blew up.
Losses reached $1.7 billion, forcing Orange County into bankruptcy.

Citron either did not understand the interest rate exposure of his portfolio,
because he was unacquainted with the risk/return profile of the securities in it,
or he ignored the magnitude of the risk exposure, believing he could correctly
forecast the direction of interest rates. In any case, there were no systems in
place to monitor the portfolio’s exposure to changes in interest rates. Orange
County illustrates a combination of a lack of expert risk oversight and incompetence.

Barings Bank, 1995, United Kingdom

In February 1995, Barings Bank declared bankruptcy. Barings Bank was the
United Kingdom’s oldest merchant bank, founded in 1762. Nick Leeson, who was
appointed general manager of the Barings Futures subsidiary in Singapore in
1993, was assigned to exploit low-risk arbitrage opportunities that would leverage
price differences in similar equity derivatives on the Singapore International
Monetary Exchange (SIMEX) and the Osaka exchange. However, due to a lack of higher
supervision, he was given control over both the trading and the back-office functions.
He began taking much riskier positions by trading different amounts on contracts
of different types on the two exchanges. The derivatives contracts on the
Singapore and Japanese markets were highly dependent on the market conditions
in 1993 to 1994.

When the market became volatile, losses in Leeson’s trading account began to
accumulate, forcing him to increase his bets in an attempt to recover the losses. He
tracked his losses in a secret account, account 88888. This
account had originally been set up to cover up a mistake made by an
inexperienced member of the trading team, which led to a loss of £20,000.
Leeson then used this account to hide his mounting trading losses.

Finally, the Nikkei index dropped sharply after the January 17, 1995 Kobe
earthquake in Japan, and the losses exceeded $1 billion. The fraud was only
exposed when Nick Leeson failed to show up for work at his Singapore office in
February 1995; he was attempting to flee from Kuala Lumpur to England in order
to escape the tough Far Eastern justice system. The bank was unable to sustain
the loss and announced bankruptcy. Here is an extract from Leeson’s book Rogue
Trader (1997, pp. 2–3) about his last trading day:

I knew I’d still lost millions of pounds, but I didn’t know how many. I was
too frightened to find out— the numbers scared me to death....I’d gone in
trying to reduce the position and ended up buying another 4,000
contracts....Traders looked at me and knew I’d done an amazing volume of
trade; they marvelled at the sheer amount of business I’d got through.
They wondered whether I was dealing for myself or for clients, and
whether I’d hedged, protected my position. But they knew—as the whole of
Asia did—that I’d built up an exposure to over £11 billion worth of Japanese
shares. They were doing their sums and they reckoned I was well long: it
was hard to conceal it when you stand for over 40 percent of the Singapore
market. The rest of the market had smelled what Barings back in London
were completely ignoring: that I was in so deep there was no way out.

A month later, in March 1995, the bank was purchased by the Dutch bank ING for
£1 sterling! In November 1995 Nick Leeson was sentenced to 6.5 years in a
Singaporean jail. This is another example of the dramatic consequences of
internal fraud, unauthorized trading, and poor internal surveillance and control.

Daiwa Bank, 1995, New York

On July 13, 1995, the executive vice president of Japan’s Daiwa Bank’s New York
branch, Toshihide Iguchi, confessed (in a 30-page letter to the president of Daiwa
Bank in Japan) that he had lost around $1.1 billion trading U.S. Treasury bonds.
At the time of the incident, Daiwa was one of Japan’s top 10 banks and one of the
world’s top 20 banks in terms of asset size. An astonishing part of the incident is
that Iguchi’s illegal trading had been taking place over an 11-year period. Daiwa’s
New York branch managed the custody of the U.S. Treasury bonds that it bought,
as well as those that it bought on behalf of its customers, via a sub-custody
account held at Bankers Trust. Through this account, interest on the bonds was
collected and disbursed, and bonds were transferred or sold according to the
wishes of either customers or the bank’s own managers. When Iguchi lost a few
hundred thousand dollars in his trading activities, he began selling off bonds in
the Bankers Trust sub-custody account to pay off his losses, falsifying Bankers
Trust account statements so that they would not indicate that the securities had
been sold. Over the 11 years he forged about 30,000 trading slips and
other documents.

When customers needed to be paid interest on bonds that had been sold without
their knowledge, Iguchi would settle their accounts by selling off more securities
and further altering more records. In total, Iguchi sold off roughly $377 million of
Daiwa’s customers’ securities and $733 million of Daiwa’s own investment
securities to cover his trading losses. Shortly after the incident came to the surface in
November 1995, the Federal Reserve ordered Daiwa Bank to end all of its U.S.
operations within 90 days; by January 1996 Daiwa had agreed to sell most of its U.S.
assets of $3.3 billion to Sumitomo Bank and to sell off its 15 U.S. offices.

In December 1996, Iguchi was sentenced to four years in prison and fined $2.6
million. The scandal led to Standard & Poor’s downgrading Daiwa from A to BBB
and to Japan’s Ministry of Finance imposing restrictions on the bank’s activities for
a year. In September 2000, a Japanese court in Osaka ordered 11 current and
former Daiwa board members and top executives to pay the bank $775 million as
compensation for damages to shareholders. This is yet another example of internal
fraud and illegal trading, made possible, as at Barings, by one person controlling
both the trading and the back-office record keeping that should have checked it.

Allied Irish Banks, 2002, Ireland

On February 6, 2002, Allied Irish Banks (AIB), Ireland’s second-biggest bank,
discovered a large-scale and, as the bank described it, “complex and very
determined fraud” in its Baltimore-based subsidiary Allfirst. Total losses to
AIB/Allfirst are estimated to have exceeded $700 million. A report stated that
around 1997, John Rusnak, a trader, had lost a large amount of money on a
misplaced proprietary trading strategy and then repeatedly falsified bank records in
an attempt to recoup the losses. Rusnak did this by writing non-existent options and
booking the fictitious premium income as revenue, thereby getting himself into a
loop of accruing ever bigger losses. One Monday morning he failed to show up at work,
and as a result of his disappearance the details of his fraudulent
activities came to light.

Rusnak, a U.S. citizen, was nicknamed a second Nick Leeson and entered the
league of infamous rogue traders, together with Toshihide Iguchi. He was
sentenced to 7.5 years in federal prison and was barred for life from working in
any financial services company. Remarkably, this case demonstrates how the
lessons from the Barings Bank collapse of almost a decade earlier had not been
properly learned.

The Enron Scandal, 2001, United States

The collapse of Enron Corporation was, at the time, the largest bankruptcy in U.S.
history. The Enron Corporation was one of the world’s largest energy commodities
and services companies. Enron was formed in July 1985 in Houston, Texas, by a
merger of Houston Natural Gas and InterNorth of Omaha, Nebraska. Initially a
natural gas pipeline company, Enron quickly entered energy futures as energy
markets were deregulated. It entered the European energy market in 1995.

On January 25, 2001, the stock price of Enron reached its peak at $81.39 per
share and began to drop. Just two days earlier, on January 23, Enron’s CEO since
1985, Kenneth Lay, had resigned. By the middle of August 2001 the price had fallen
to $43. At the same time, the new CEO, Jeffrey Skilling, quit after six months in the
job, for “purely personal” reasons. In November the price per share fell below $10, and
Enron announced $600 million in losses from 1997 to 2000. On December 2,
when the share price finally hit zero, Enron filed for bankruptcy protection,
making it the largest bankruptcy case in U.S. history at that time. In the middle of
January, Enron’s stock was formally delisted from the New York Stock Exchange.

The board of directors of Enron blamed the failure on poor information from the
accountants and management. An investigation into the case conducted by
the Securities and Exchange Commission in 2002 suggested that Enron may have
overstated its assets by up to $24 billion due to poor accounting practices.

A number of financial institutions were involved in the Enron case. Arthur
Andersen, which had been Enron’s auditing firm for 16 years, was charged with
obstruction of justice for destroying some of Enron’s documents in order to
protect the firm while on notice of a federal investigation, and was ordered to
cease auditing publicly traded companies on August 31, 2002. Its losses due to
the case were estimated at over $750 million. Merrill Lynch was accused of a
conspiracy to help Enron hide its true state of financial affairs, and estimated its
losses due to the involvement at over $80 million. Other banks involved in the
scandal include NatWest (losses over $20 million), Citibank, JPMorgan Chase & Co.
and Salomon Smith Barney, among others, which were accused of lending Enron
billions of dollars with full knowledge that Enron was not reporting these loans as
debt on its balance sheet. This is an example of losses due to legal liability in
combination with fraudulent activities.

MasterCard International, 2005, United States

In June 2005, MasterCard International Inc. in the United States announced that
the names, banks and account numbers of up to 40 million credit card holders
were feared to have been accessed by an unauthorized user. It was revealed that
malicious code planted on the systems of a third-party payment processor had
captured customer data for the purpose of fraud, and that holders of all brands of
credit cards may have been affected. This was one in a series of recent
incidents involving security failures and external fraud. In the same month,
Citigroup said United Parcel Service had lost computer tapes with sensitive
information on 3.9 million customers of CitiFinancial, a unit that provides
personal and home loans. As of 2006, the final impact (and possible losses) had
not yet been estimated.


II. OPERATIONAL RISK GOVERNANCE AND FRAMEWORK

2.1 The Operational Risk Management Framework

Scholars and practitioners engaged in the study of operational risk management
in financial institutions state that an operational risk framework has four
components, namely environment, strategy, process and infrastructure.

A) Environment

The environment refers to the surroundings that set the tone and behaviour of the
bank, including culture and external factors. Culture, which refers to the involvement
and support of senior management and the related values and communication
that set the tone for decision making, is a component of the process because it
supports the risk management objectives. It is the set of shared attitudes, values,
goals and practices that characterize how the bank considers risk in its daily
activities. Operational risk management becomes embodied in the culture of the
bank in the sense that every decision must involve an explicit review of the
underlying operational risk.

The environment is also about communications, accountability and
reinforcement. People are another component, as there should be adequate and
trained people to do the job. The external component of the environment includes
competitors, customers, regulators, the economy and the law.

Cultural drivers: the experience of implementing credit and market risk management
frameworks suggests that operational risk management will in time become an
intrinsic part of corporate culture. Incorporating awareness of operational risk into
a bank’s culture is an important part of prevention, so the question is how to
promote this culture. This is why education and training are important. Because
operational risk is present across the entire bank, every employee should be made
aware of the issue and the related management processes. One thing that can be
done is to include operational risk in performance measurement.

People risk management: three sets of human factors affect operational risk
management:

 Organizational factors: The bank needs to establish a risk management
culture that promotes employee involvement and commitment at all levels. The
culture should emphasize that deviation from established risk management
standards is unacceptable.
 Job factors: A mismatch between job requirements and an individual's
capabilities increases the potential for human error.
 Personal factors: People need to be matched to their jobs through
appropriate selection techniques, taking into account such attributes as
habits, attitudes, skills and personality. While skills and attitude can be
modified by training and experience, others (such as personality) are
difficult to modify.

B) Strategy

The strategy involves determination of business objectives, the risk appetite,
the organizational approach to risk management and the approach to operational
risk management. Naturally, the involvement of senior management in the
formulation of the strategy is essential. The objective is to align the bank's
risk profile (the risk the bank actually carries) with the selected risk
appetite (the risk it is willing to assume). The business objectives include
targets such as market share or the introduction of new products and
technology. Objectives are also stated for individual business units. The risk
appetite refers not only to the level of acceptable risk but also to the types
of risk that are unacceptable. A risk map may be used as a quantifiable
expression of the risk appetite from which unacceptable risks can be identified.

The strategy also involves setting up an operational risk policy statement
describing the overall approach, which can be made specific to each business
line as applicable. Policies often start with the objectives of operational risk
management, which include increasing awareness and reducing operational losses.
The statement of objectives can be complemented by a description of how the bank
goes about the process and the agreed-upon definition of operational risk. The
policy statement also discusses the governance model and the related roles and
responsibilities.


Also important are some general statements of risk management principles and a
description of the expectations for the use of tools and reporting. For example,
if there is a common self-assessment or database, the policy might state that
every business area should implement it and keep the information up to date. In
short, therefore, the strategy involves:
(i) Setting effective operational risk policies and clear directions to
follow,
(ii) Establishing an effective management structure and arrangement
to deliver the policy, and
(iii) Implementing the policy through an effective operational risk
management system.

C) Process

The process involves the day-to-day activities required to understand and
manage operational risk, given the chosen strategy. The process consists of:

(i) Risk and control identification,
(ii) Risk measurement and monitoring,
(iii) Risk control/mitigation, and
(iv) Process assessment and evaluation.

D) Infrastructure

Infrastructure refers to the tools used to facilitate the entire risk management
process, including systems, data, methodologies as well as policies and
procedures. Data in this sense include self-assessment data, internal event/loss
data, operational data, and external loss data.

2.2 Basel Principles on Operational Risk Management

The BCBS, in its Principles for the Sound Management of Operational Risk
(2011), sets out the following guiding principles for the management of
operational risk in banks.

A - Governance
The Board of Directors
Principle 1: The board of directors should take the lead in establishing a strong
risk management culture. The board of directors and senior management should
establish a corporate culture that is guided by strong risk management and that
supports and provides appropriate standards and incentives for professional and
responsible behavior. In this regard, it is the responsibility of the board of
directors to ensure that a strong operational risk management culture exists
throughout the whole organization.

Principle 2: The board of directors should establish, approve, and periodically
review the Framework. The board of directors should oversee senior management
to ensure that the policies, processes and systems are implemented effectively at
all decision levels.

Principle 3: The board of directors should approve and review a risk appetite
and tolerance statement for operational risk that articulates the nature, types,
and levels of operational risk that the bank is willing to assume.

Senior Management

Principle 4: Banks should develop, implement, and maintain a Framework that is
fully integrated into the bank's overall risk management processes. The
Framework for operational risk management chosen by an individual bank will
depend on a range of factors, including its nature, size, complexity, and risk
profile.

Principle 5: Senior management should develop for approval by the board of
directors a clear, effective and robust governance structure with well defined,
transparent and consistent lines of responsibility. Senior management is
responsible for consistently implementing and maintaining throughout the
organization policies, processes and systems for managing operational risk in all
of the bank's material products, activities, processes and systems consistent with
the risk appetite and tolerance.

B - Risk Management Environment

Identification and Assessment

Principle 6: Senior management should ensure the identification and assessment
of the operational risk inherent in all material products, activities, processes and
systems to make sure the inherent risks and incentives are well understood.

Principle 7: Senior management should ensure that there is an approval process
for all new products, activities, processes and systems that fully assesses
operational risk.

Monitoring and Reporting


Principle 8: Senior management should implement a process to regularly
monitor operational risk profiles and material exposures to losses. Appropriate
reporting mechanisms should be in place at the board, senior management, and
business line levels that support proactive management of operational risk.

Control and Mitigation


Principle 9: Banks should have a strong control environment that utilizes
policies, processes and systems; appropriate internal controls; and appropriate
risk mitigation and/or transfer strategies.

Business Resiliency and Continuity


Principle 10: Banks should have business resiliency and continuity plans in place
to ensure an ability to operate on an ongoing basis and limit losses in the event of
severe business disruption.

C - Role of Disclosure
Principle 11: A bank’s public disclosures should allow stakeholders to assess its
approach to operational risk management.


2.3. CBE’s Operational Risk Management Framework


The ORMG states that CBE has adopted the three lines of defence model as its
approach to risk governance. The model, and the role of each line, is summarised
below; the governing body sits above the three lines and provides oversight.

3 LINES OF DEFENSE FRAMEWORK: AN APPROACH FOR RISK GOVERNANCE

Governing Body/Boards (Oversight)
 Sets the 'tone from the top'
 Establishes risk appetite & strategy
 Approves the RM framework, methodologies, overall policies, and roles &
responsibilities
 Leverages risk information into the decision making process

1st line of defense: BU process and risk owners (Ownership)
 "Owner" of the risk management process
 Identifies, measures, manages, mitigates & reports on different risks
 Accepts, transfers or mitigates identified risks

2nd line of defense: Risk Management (Spearhead and Coordination)
 Provides interpretation of regulation/leading practices and disseminates
to BUs
 Designs and deploys the overall RM framework
 Monitors adherence to framework and strategy
 Develops risk management methodologies
 Develops risk policies and procedures and monitors compliance
 Performs aggregated risk reporting
 Evaluates BU activities on a risk adjusted basis

3rd line of defense: Internal Audit (Test & verify/Assurance)
 Provides independent testing & verification of the efficacy of corporate
standards and business line compliance
 Validates the overall risk framework
 Provides assurance that the risk management process is functioning as
designed and identifies improvement opportunities

Notes: the 1st and 2nd lines need robust risk profiles; reporting can only be
as good as the underlying analysis.

In line with the three lines of defence model, the following general roles were
identified by the CBE:

 First Line of Defence – All processes of the bank are responsible for
managing operational risks within their respective domain.
 Second Line of Defence – The RCMP is responsible for overseeing and
ensuring that operational risks are managed in line with the requirement
set in this framework.
 Third Line of Defence – The Internal Audit shall be responsible for
providing independent assurance to the Board of Directors (LRRC) as to
the proper management of operational risk.

The specific roles of the various organs of the CBE are as follows:

(i) Role and Responsibility of the LRRC

The LRRC shall:

 Approve the ORMG, ORM strategic actions and the risk appetite/limits of the
bank;
 Ensure that the PC takes the necessary measures to effectively identify,
assess, analyze, control and monitor operational risk;
 Ensure the availability of a robust governance structure and process and
the implementation of sound ORM principles; and
 Review significant operational risk exposures of the Bank.

(ii) Role and Responsibility of the PC

The PC shall:
 Oversee the proper implementation of this ORMG, ORM strategic actions
and the appetite/limit of the Bank, as approved by LRRC;
 Provide sufficient human and technical resources to support effective
management of operational risk;
 Maintain an appropriate culture and set a tone conducive to effective and
transparent ORM;
 Define Processes’ responsibilities in ORM; and eliminate gaps and overlaps
in the ORM responsibilities and authorities; and
 Ensure that appropriate remedial actions are taken whenever ORM gaps
are identified.

(iii) Role and Responsibility of the RCMP

38 CBE—Risk and Compliance Management Process (RCMP)


OPERATIONAL RISK MANAGEMENT TRAINING MANUAL 2013

The RCMP shall:

 Develop/review the ORM guidelines, principles, process and methodologies
and monitor their proper application;
 Spearhead the proper implementation of the ORMG and ensure that the
ORM system and measures are observed by assisting and coordinating
Processes to identify, assess, control/mitigate and monitor operational
risks;
 Identify the appropriate list of operational risk appetite or limit types,
and develop the operational risk limits and thresholds in consultation with
the respective process;
 Identify stakeholders and assign risk owners to risk events of a cross-
process nature;
 Collect and maintain an external loss database and forward it to the
appropriate process/RAU for subsequent analysis;
 Review the ORA results of all processes/RAUs of the Bank and provide
guidance in the process;
 Consolidate ORA results/reports, maintain the portfolio of risk response
activities, and aggregate the operational risk databases of all Processes of
the Bank;
 Establish criteria for setting the risk analysis scope, establish each
Process's/RAU's risk level, and determine the ORA level and frequency of
the appropriate process/RAU;
 Coordinate appropriate and timely delivery of ORM information to all the
appropriate processes/RAUs of the Bank, and oversee the effectiveness of
operational risk communications;
 Escalate appropriate reports/findings to the PC and Board (in line with
thresholds), ensure the appropriate reporting of deviations and breaches of
thresholds to the PC/LRRC, and ensure the PC/LRRC are made aware of
material changes to the Bank's operational risk profile;
 Organize and conduct operational risk awareness and training programs;
and
 Propose capital for operational risk exposure.

(iv) Role and Responsibility of the Internal Audit Process

The Internal Audit Process shall:

 Monitor the implementation of this ORMG & assess its effectiveness; and
 Provide validation/independent assurance on the risk management process
to the PC and BoD.

(v) All Processes/RAUs of the Bank

All Processes/RAUs of the Bank shall:

 Consider the requirements of this ORMG and the Internal Control Framework
(ICF) when designing their respective policies, processes and procedures;
 Identify operational risk events (actual loss, potential loss and near miss)
inherent in all material products, activities, processes and systems;
 Conduct ORA of their respective process (i.e. assess the operational risks
and the effectiveness of the controls associated with their respective
domain);
 Draw up action plans (response options) for the findings of the ORA,
identify stakeholders, assign risk owners to risk events and monitor
implementation;
 Design, operate and monitor controls;
 Verify that appropriate internal controls and practices are in place,
operating effectively, and consistent with Bank policies, legal and
contractual obligations, and regulatory requirements;
 Maintain the operational risk database (including the external loss
database) of their respective process;
 Ensure strict adherence to the Bank's policies, procedures and standards,
and monitor operational alignment with applicable limits and tolerances;
 Identify, capture and communicate pertinent information in a form and
timeframe that enables staff to carry out their responsibilities;
 Conduct the required level of operational risk awareness creation; and
 Report on their respective operational risk profile to the RCMP.


2.4 Risk Appetite


Risk appetite reflects the amount of risk taking that is acceptable to the bank.
In other words, risk appetite describes the bank's attitude towards risk taking
and whether it is willing and able to tolerate a high or a low level of exposure
to specific risks or risk groups. Risk appetite has been defined in different
ways. Some of them are noted here:
 "....the amount of risk, on a broad level, an entity is willing to accept in
pursuit of value (and its mission)" [COSO]
 ".....make clear its tolerance levels and be capable of being used as a
trigger for escalation.... in terms of monetary aggregate or in non-
monetary terms" [FSA requirement on risk appetite]
 "....reflects the amount of risk taking that is acceptable to an organization"
[Lloyd's risk management]

It is a function of the bank’s capacity to bear risk and of its attitude towards
managed risk taking. Risk appetite can also be viewed as assigned or allocated
risk capacity.

Table 2.1. Articulation of Risk Appetite (illustration)

Metric                          Quantitative indicator
Loan/deposits ratio             To be within the limits agreed with the board
Growth rate for each key        Target growth rate of xx% for corporate, yy% for
portfolio                       retail, zz% for business, etc.
Preference for qualification    CBE wants to recruit at least first degree holders
Target concentration level      Name concentration and sector concentration limits
Target impairment levels        Max. of XX% NPLs (as a percentage of total loans)

The Benefits of Articulating Risk Appetite

Banks that effectively articulate their risk appetite and adequately fund their
managed risk taking are better insulated against shock to future earnings, better
placed to allocate scarce resources when and where needed.

Specifically, risk appetite plays two roles in supporting the business objectives
and risk management activities of any bank:

Firstly, it establishes a benchmark from which transaction-specific limits or
thresholds can be set and monitored for a bank's exposure to particular risks:
 A limit reflects the absolute maximum level of exposure that is
acceptable for a particular risk (i.e. it represents a level of exposure
that should not normally be exceeded);
 In contrast, a threshold represents a level of exposure which, with
appropriate approvals, can be exceeded, but which, when exceeded,
will trigger some form of response (e.g. additional capital or
expenditure on risk control, reporting the situation to senior
management, etc.).
Secondly, as a resource allocation tool, risk appetite helps determine the degree
of control that needs to be applied to a particular risk. For example:
 If current exposure to a particular risk is considered to be acceptable
there is usually little value, other than for efficiency reasons, in
changing the extent of control (either in terms of using tighter controls
or by increasing capital or the amount invested in risk control);
 In contrast, where current exposure to a particular risk is considered
unacceptable, the bank may decide that it needs to invest more capital
and introduce more rigorous controls.
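As an added illustration of the limit/threshold distinction above (example code
written for the reader of this manual, not part of the CBE ORMG or of any CBE
system), the following Python checks a series of exposure readings against an
articulated appetite band and derives the response each one triggers: within
appetite, threshold exceeded with or without a recorded approval, or limit
breached. The metric names, band values, periods and approval references are
constructed for the example, the escalation wording follows the PC/LRRC roles of
section 2.3 only loosely, and the handling of a metric where falling below the
band is the breach (a minimum ratio) is an assumption that goes beyond the text.

```python
"""Added example, not part of the CBE manual: checking exposure readings
against a risk-appetite threshold and limit as section 2.4 distinguishes
them. Metric names, band values, periods and approval references are
constructed for illustration and are not CBE figures."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class AppetiteBand:
    """Threshold and limit for one metric.

    threshold: may be exceeded with appropriate approval, but exceeding it
               always triggers a response (reporting, extra controls).
    limit:     absolute maximum exposure; must not normally be exceeded.
    higher_is_worse: False for metrics where falling below the band is the
               breach (e.g. a minimum ratio). This two-directional handling
               is an assumption that goes beyond the manual's wording.
    """
    metric: str
    threshold: float
    limit: float
    higher_is_worse: bool = True

    def __post_init__(self):
        # the limit must lie beyond the threshold in the adverse direction
        ok = (self.limit >= self.threshold if self.higher_is_worse
              else self.limit <= self.threshold)
        if not ok:
            raise ValueError(f"{self.metric}: limit must lie beyond threshold")


@dataclass(frozen=True)
class Reading:
    metric: str
    period: str
    value: float
    approval_ref: Optional[str] = None  # approval allowing a threshold exceedance


# Status -> response it triggers. Escalation routes follow the PC/LRRC roles
# of section 2.3; the wording is illustrative.
RESPONSES = {
    "within_appetite": "no action; continue monitoring",
    "threshold_exceeded_approved": "report to PC; review controls on the exposure",
    "threshold_exceeded_unapproved": "obtain and record approval; report to PC; review controls",
    "limit_breached": "escalate to PC and LRRC; bring exposure back within limit",
    "no_appetite_defined": "agree a threshold and limit with the process owner",
}


def classify(band: AppetiteBand, reading: Reading) -> str:
    """Status of one reading against its band."""
    if reading.metric != band.metric:
        raise ValueError("reading and band refer to different metrics")
    if band.higher_is_worse:
        past_limit = reading.value > band.limit
        past_threshold = reading.value > band.threshold
    else:
        past_limit = reading.value < band.limit
        past_threshold = reading.value < band.threshold
    if past_limit:
        return "limit_breached"
    if past_threshold:
        return ("threshold_exceeded_approved" if reading.approval_ref
                else "threshold_exceeded_unapproved")
    return "within_appetite"


def evaluate(bands, readings):
    """Return (period, metric, status, response) for every reading."""
    by_metric = {b.metric: b for b in bands}
    findings = []
    for r in readings:
        band = by_metric.get(r.metric)
        # a monitored metric with no articulated appetite is itself a finding
        status = classify(band, r) if band is not None else "no_appetite_defined"
        findings.append((r.period, r.metric, status, RESPONSES[status]))
    return findings


def escalations(findings):
    """Findings that must reach PC/LRRC: limit breaches and unapproved exceedances."""
    return [f for f in findings
            if f[2] in ("limit_breached", "threshold_exceeded_unapproved")]


# Constructed sample data (illustrative values, not CBE figures)
BANDS = [
    AppetiteBand("npl_ratio_pct", threshold=4.0, limit=6.0),
    AppetiteBand("op_loss_monthly_etb", threshold=250_000.0, limit=500_000.0),
    AppetiteBand("liquidity_ratio_pct", threshold=20.0, limit=15.0,
                 higher_is_worse=False),
]
READINGS = [
    Reading("npl_ratio_pct", "2013-03", 3.2),
    Reading("npl_ratio_pct", "2013-04", 4.8, approval_ref="PC-2013-17"),
    Reading("op_loss_monthly_etb", "2013-04", 310_000.0),
    Reading("op_loss_monthly_etb", "2013-05", 520_000.0),
    Reading("liquidity_ratio_pct", "2013-05", 14.0),
    Reading("staff_turnover_pct", "2013-05", 9.0),
]

if __name__ == "__main__":
    for finding in evaluate(BANDS, READINGS):
        print(" | ".join(str(x) for x in finding))
```

Two design points worth noting: a threshold exceedance without an approval
reference is treated as an escalation in its own right, because the text makes
approval the condition under which a threshold may be crossed; and a reading for
a metric with no articulated band is reported rather than silently ignored, since
an unarticulated appetite is exactly the gap section 2.4 warns about.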

There are a number of additional benefits of articulating risk appetite:

 Risk appetite is an essential element of risk governance and provides a
framework for the business to operate within, as it provides clear
boundaries regarding what is and is not acceptable to the organization;
 Articulating risk appetite leaves room for creativity within acceptable limits
and reduces the possibility of exposure to unpleasant incidents due to a
lack of awareness;
 Provides a framework for considering and approving risk taking levels and
activities that are outside the current appetite for risk; and
 Assists in the identification and prioritization of areas where additional
resources or controls may be necessary to bring the risk into line with the
stated risk appetite.


III. THE OPERATIONAL RISK MANAGEMENT PROCESS

Operational risk management is an iterative process of risk identification,
assessment, treatment/mitigation and monitoring.

3.1 Planning and scope of the ORM

To effectively realize the intended results, the ORA process shall begin with the
establishment of a scope and plan. These include selecting objectives, assigning
specific responsibilities, scheduling the process, defining the input and output
requirements, etc. Responsibilities in the risk management process are assigned
to those parties that can provide a meaningful perspective on the relevant risks.
In this respect, the ORMG of the CBE stipulates that the ORA process is expected
to be done with the full engagement of all managers and resourceful individuals
of the respective process/RAU. Lastly, the data and information sources shall be
identified while planning the ORA.

The scope of the ORA is determined by various factors. International experience
shows that these primarily include the following:

 The level of perceived risks;
 Previous ORA results;
 Business criticality of the activities, process or product under consideration;
 The presence of overarching regulatory requirements; and
 Management's need for further examination of ongoing operations (e.g.,
lines of business, products, services and processes individually or in
combination).

The timing of the assessment process is another area where planning is
essential. According to the ORMG of the Bank, every process/RAU shall perform a
risk assessment of its respective process/unit on at least an annual basis. The
RCMP may request a more frequent risk assessment if the need arises, primarily
based on the perceived level of risk of the respective process/RAU.

Fig. 3.1. The Operational risk management as a process

3.2. Operational Risk Identification

Risk identification is the process by which organizations identify potential
threats to the achievement of their objectives by determining what can happen,
why it can happen and how it happens. The risk identification process should
cover all risks, regardless of whether or not such risks are within the direct
control of the Bank.

Operational risk identification should be an embedded, continuous process to
identify new and emerging risks and to consider shifts in known risks, through
mechanisms such as management and committee meetings, environmental
scanning, process reviews and the like. Risk identification should be inclusive:
it should not rely too heavily on the inputs of a few senior officials, and it
should draw as much as possible on unbiased independent sources, including the
perspectives of important stakeholders.

3.2.1 How to perform risk identification

It is crucial to have knowledge of the business before commencing the risk
identification process. It is also important to learn from both past experience
and the experience of others when considering the risks to which the Bank may be
exposed and the best strategy available for responding to those risks.

When identifying risks, it is also important to bear in mind that "risk" also has an
opportunity component. This means that there should also be a deliberate
attention to identifying potential opportunities that could be exploited to improve
the Bank’s performance. In identifying risks, consideration should be given to
risks associated with not pursuing an opportunity, e.g. failure to implement an IT
system to transfer money.

The following are key steps necessary to effectively identify risks from across the
Bank in connection with the respective processes:

1) Understand factors to be considered when identifying risks

In order to develop a comprehensive list of risks, a systematic process should be
used that starts with defining objectives and the key success factors for their
achievement. The types of customers to be served, the activities to be performed
and the nature and type of products needed to achieve those objectives should be
identified first. The design, implementation and effectiveness of processes and
systems; the risk culture and risk tolerance of the bank; human resource policy
and development; and the environment in which the Bank operates are further
factors to be considered before starting the identification process. This helps
provide confidence that the risk identification is complete and that major
issues have not been missed.

2) Gather Data /information from different sources to identify risks

Good quality data/information is important in identifying risks. The operational
risk assessment process aims to determine the bank's risk exposure to
uncertainty. This requires knowledge of the bank's business objectives, its
products/services, policies and procedures, markets, and the legal, political,
economic, social and technological environment in which it operates. For this to
happen, all relevant information has to be gathered and systematically analysed.

The following data/information are among the most common inputs to the ORA. As
appropriate, each Process/RAU shall look exhaustively at these factors while
conducting its ORA.

A. Data/information on the operating environment: This includes:

 The Bank's or process-level strategic goals and objectives: risk
identification starts with understanding the Bank's objectives, both
implicit and explicit.
 Legal environment (e.g. tax law, labour law, investment proclamation,
regional government law and federal law).
 International law (e.g. ICC, AML).
 The regulatory landscape/directives;
 Competition within the industry;
 Loss experience of the industry, if any.

B. Data/information on risk events: The starting point for risk identification
may be historical information about the risk event. This can be captured from
related issues, incidents, problems and investigations. These include:
 Loss event data;
 KRI data;
 Audit reports; and
 Prior risk assessment results.

C. Data/information on risk factors: Operational risk factors are those factors
that influence the frequency and/or business impact of operational risk
scenarios. Information on risk factors includes:

I. External environmental factors

These are, to a large extent, outside the control of a bank, and include:

 Market/economic factors: the industry sector in which a bank
operates. Other economic factors can be included as well, e.g.,
nationalisation, mergers and acquisitions, consolidations.

 Rate of change in the market in which a bank operates: Are
business models changing fundamentally? Is the product or service at
an important point in its life cycle?
 Competitive environment in which the bank operates.
 Geopolitical situation: Is the geographic location subject to frequent
natural disasters? Does the local political and overall economic
context represent an additional risk?
 Regulatory environment: Is the bank subject to new regulations? Are
there any other compliance requirements beyond regulations (e.g.,
industry-specific, contractual)?
 Technology status and evolution: Is the bank using state-of-the-art
technology and, more importantly, how fast are the relevant technologies
evolving?

II. Internal environmental Factors

Internal environmental factors are, to a large extent, under the control of a
bank, although they may not always be easy to change. Internal risk factors
include:

 Strategic importance of the specific process in the bank: This
involves identifying whether the process is a strategic differentiator, a
functional enabler or a supporting function.
 Complexity of the process: Is the process highly complex, or simple,
standardized and streamlined?
 Degree of change the bank is experiencing.
 Change management capability: to what extent is the bank capable
of organizational change?
 The risk management philosophy of the bank (risk averse or risk
taking) and, linked with that, the values of the bank.
 Operating model, i.e. the degree to which the bank operates
independently or is connected to its clients/suppliers, and the degree of
centralisation/decentralisation.
 Strategic priorities of the bank.

III. Capabilities

Capabilities describe how good a bank is at a number of operational activities.

 Risk management capability:

Risk management capability refers to the extent to which a bank is mature in
performing the risk management processes defined in the operational risk
framework. It is an indication of how well the bank is executing the core risk
management processes: the better executed or more mature the processes, the
more capable the risk management programme.

This factor is correlated with the capability of the bank to recognize and
detect risks and adverse events; hence it should not be neglected. Risk
management capability is a very significant element in the frequency and impact
of risk events in a bank because it is responsible for management's risk
decisions (or lack thereof), as well as for the presence, absence and/or
effectiveness of the controls that exist within the bank. Hence risk management
capability is an important component of the overall risk profile of the bank.

 Specific process capabilities:

Specific process capabilities refer to how good the processes are, as defined in
their internal policies and procedures.

In the context of risk management and the operational risk framework, specific
process capabilities are associated with the maturity level of each process and
its internal control system. Mature and well controlled processes are equivalent
to high capabilities, which reduce the frequency of events and reduce the
business impact when events do happen, e.g., having a good BCP/DRP in place when
disaster strikes.

3) Apply risk identification techniques

A review of international practice reveals many types of risk identification
technique. Each process should select, from the techniques described below, a
set that suits its objectives and capabilities and the risks it faces. Scenario
thinking is embedded in all of these techniques, since risk identification is a
proactive activity.

(i) Self-assessment questionnaire

International experience shows that the self-assessment questionnaire is one of
the most widely used tools for identifying and assessing risk within a business
and for evaluating the effectiveness of the controls that are in place to manage
these risks.

In this approach, a bank assesses its operations and activities against a menu
of potential operational risk vulnerabilities. The process is internally driven
and often incorporates checklists and/or questionnaires to identify the
strengths and weaknesses of the operational risk environment.

More specifically, the results of a self-assessment questionnaire are used to:
 evaluate the effectiveness of internal controls;
 assess the risk profile against the risk appetite;
 provide internal audit with prioritized areas of work; and
 agree on action plans to address risks in excess of the agreed risk
appetite (for example, to address identified weaknesses in internal control
or risk management).

Self-assessments aim at raising awareness of operational risks and at creating a
systematic inventory as a starting point for further risk management processes
as well as for process improvements towards better performance.

The following is a sample self-assessment questionnaire that a process may use
to identify potential operational risks.


Table 3.1 Example of self-assessment questionnaire

For each statement (Particulars), the respondent marks Agree or Disagree and
records any Comments.

S.No  Particulars
1.    Confidential information of the process is treated as such by all
      staff.
2.    A framework exists which enables your process to operate in
      accordance with the legal and regulatory requirements.
3.    Customers' information is not disclosed to any third party by
      employees.
4.    Employees, premises, financial assets, computer and ancillary
      equipment and the information contained therein are protected from
      unauthorized access, accidental and deliberate damage or theft.
5.    Access to applications and associated information is restricted to
      authorized individuals and enforced accordingly.
6.    All employees maintain the strictest secrecy in confidential matters
      relating to their duties. Any unauthorized breach of confidentiality
      is treated as a disciplinary offence.
7.    Know-your-customer procedures are in place and operating effectively.
8.    Appropriate systems and procedures are in place to prevent, detect
      and monitor the incidence of money laundering.


(ii) Process and risk mapping

In this process, various business units, organizational functions or process
flows are mapped against risk types. This method uses the major steps in key
business processes as a prompt to identify the major risks. This exercise can
reveal areas of weakness and help to prioritize subsequent management action.


By specifying business lines, each process or sub-process will be able to focus
the assessment process on its underlying operational risks. Thus, by specifying
business lines, line managers become aware of the operational risk in their own
line of business. Further, confusion and territorial overlap between subsets of
the overall risk profile of the bank can be avoided.

According to best practice, the following basic principles have to be followed
during business line mapping:
- All activities must be mapped into business lines in a mutually exclusive and
jointly exhaustive manner.
- Any banking or non-banking activity which cannot be readily mapped into the
business line framework, but which represents an ancillary function to an
activity included in the framework, must be allocated to the business line it
supports.
- The mapping of activities into business lines for operational risk management
must be consistent with the definitions of business lines used for the
management of other risk categories, i.e. credit and market risk. Any
deviations from this principle must be clearly documented.
- The mapping process used must be clearly documented. In particular, written
business line definitions must be clear and detailed enough to allow third
parties to replicate the business line mapping. Documentation must, among other
things, clearly motivate any exceptions or overrides and be kept on record.
- Processes must be in place to define the mapping of any new activities or
products (any new product has to be allocated to a specific process). The
mapping process to business lines must be subject to independent review.

Illustrations:

1. CATS process

Main activity: Opening of CA

Detail activities | Identified potential risks
1.1 Performing due diligence (KYC) related to AML | Accepting of forged ID; accepting illegal customer
1.2 Accepting sample of signatures | Accepting of different signatures
1.3 Collecting cash | Accepting forged notes; cash counting error
1.4 Posting of the transaction | Transaction error

2. Credit Management Process

Main activity: Accepting new credit application

Detail activities | Identified potential risks
1.1 Performing due diligence (KYC) | Accepting forged documents like ID, trade licence, title deed, etc.
1.2 Giving information about the bank's product | Misinforming the customer; accepting loan requests for a product for which the customer is not eligible; mistreating the customer
1.3 Collecting the relevant documents for credit appraisal purposes | Accepting of cooked financial statements; accepting internally produced feasibility studies; accepting bribes

3. Credit Appraisal Process

Main activity: Processing new project requests

Detail activities | Identified potential risks
1.1 Checking the documents received from the RM | Missing vital document by oversight; cheated by the cooked financial statement; cheated by the internally produced feasibility study
1.2 Appraising the case | Modelling error; manipulation of the spreadsheet; wrong judgment as a result of the cooked financial statements, feasibility studies, etc.

4. Trade Service Process

Main activity: Advising export L/C

Detail activities | Identified potential risks
1.1 Checking the integrity/position of the corresponding bank | Transacting with a bank that is not our correspondent bank / AML
1.2 Communicating with the customer on time and giving the required information | Miscommunication; untimely delivery of information
1.3 Accepting the export documents | Accepting of discrepant documents

5. Corporate Human Resource Development Process

Main activity: Selection & recruitment

Detail activities | Identified potential risks
1.1 Advertisement/publication | Selection of inactive media ……
1.2 Accepting candidates and registration process | Accepting forged credentials; unable to get the required personnel …..
1.3 Selecting candidates for interview/exam | Following wrong model ……….
1.4 Screening | Unfair/subjective judgment

6. Facilities Management Process: Procurement sub process

Main activity: A single purchasing activity

Detail activities | Identified potential risks
1.1 Preparing bid document | Typing error; missing important issues/legal concerns; untimely delivery of the document
1.2 Advertising the bid | Selecting inactive media
1.3 Selling bid document | Posting error; duplication
1.4 Collecting bid document | The staff may release information about the amount …; collusion (either internal/external)
1.5 Screening the right supplier | Selection of wrong supplier …..

7. Finance process: Nostro reconciliation team

Main activity: Ensuring accurate and timely preparation of account reconciliation for all Nostro ledger account balances that may be exposed to material misstatements

Detail activities | Identified potential risks
1.1 Ensuring the proper identification of those unmatched and reasonably long outstanding entries | Omission of long outstanding entries (intentional/accidental)
1.2 Timely investigation and elimination through adequate and proper follow-ups | Late investigation; inadequate follow up
1.3 Ensuring maintenance of adequate documentation of reconciling items until the items are reconciled and eliminated | Missing documents of reconciling items; misfiling; intentional voiding of important document

8. Business Development Process: Research and Development sub process

Main activity: Preparing a research document on a new product line

Detail activities | Identified potential risks
1.1 Gathering data on the issue; 1.2 Making market analysis; 1.3 Making technical analysis; 1.4 Making financial analysis | Limited source of data; limited market analysis; limited technical analysis; limited financial analysis

Main activity: Preparing a research document on customer complaints handling

Detail activities | Identified potential risks
2.1 Preparing questionnaire; 2.2 Distributing the questionnaire; 2.3 Summarizing the responses and analyzing the data | Missing important questions; using the wrong target group; using wrong model; typing error; untimely delivery of the reports

(iii) Facilitated workshop

According to best experiences, moderated workshops contribute to raising
awareness and communicating risks across different organizational units. In many
cases, a survey (questionnaires and/or interviews) will be carried out before
such a workshop. Based on the results, the workshop may then concentrate on
significant risks, controls and processes. The active involvement of senior
managers as well as a participatory culture are factors contributing to the
success of a workshop.

Experience of foreign banks shows that under this method the various risks can
be ranked to arrive at a consensus on, for example, the top 5 to 10 or 15
prioritized risks (depending on the situation). Using an interactive voting
system (each individual's input is entered secretly) allows individuals to
identify and rank the risks anonymously, without fear of reprisal should their
superior be a member of the group. The purpose of the workshop is mainly to
identify the root causes of the risks, prioritize them based on their
significance and take the required action to mitigate them.

Before any workshop exercise the objectives of the business need to be made
clear to all parties to allow for discussion around risks that will be relevant.
Typically a workshop session will flow through the following outline:

Up front activity
- Invite business owners, subject matter experts and actual practitioners who
are engaged in the whole business activity.
- Syndicate the business objectives/processes to be reviewed and allow time for
research in both the internal and external environment.

During the meeting
- Full participation is required by all attendees.
- It is recommended that a facilitator is used to run the workshop.
- All risk aspects previously discounted through other techniques can be
reconsidered and aligned to the business objectives, either at the meeting or
afterwards, to ensure they fit.
- "Off the wall" suggestions need to be actively encouraged.
- The meeting should only be closed when no further suggestions are put
forward.

After the meeting
The output of the session will then be taken away and assessed using the risk
assessment methodology discussed in this training manual.
(iv) Brain storming

This process encourages a group of people meeting face to face to put forward all
their thoughts and ideas on a specific topic. During a brainstorming session all
input is encouraged without evaluation. Evaluation of ideas occurs at the
completion of the session when the ideas are analysed. The diversity of
participants will have an impact on the nature of the ideas and perspectives, so
some thought will need to be given to who will participate in the process.

How brainstorming works

A meeting is organized with a multidisciplinary set of experts. Under the
leadership of a facilitator, these people generate ideas about operational risks
within their processes. The brainstorming meeting proceeds without interruption,
without expressing judgment or criticism of others' ideas and without regard to
individuals' status in the organization. Sources of risk are identified in broad
scope and posted for all to examine during the meeting. Risks are then
categorized by type of risk and their definitions are sharpened.

Brainstorming can be more effective if participants prepare in advance, the
facilitator develops some risks in advance, and the meeting is structured by
sub-process level and risk category.

(v) Key Risk Indicators

KRIs are metrics capable of showing that a bank is subject to, or has a high
probability of being subject to, a risk that exceeds the defined risk appetite.
From them one can identify potential operational risk events. (The detail is
discussed in Part Two and Part Four of this training manual.)

Challenges of implementing KRIs

KRIs are widely viewed as having the potential to make operational risk
management a more effective discipline. Financial regulators in particular have
expressed interest in KRIs as a potentially important tool to manage operational
risk. However, this potential has not been realized, for a number of reasons:

- KRIs are not linked to specific risks;
- there are too many KRIs;
- it has been difficult to show that KRIs really track losses well;
- there is no consistency in the way organizations use KRIs: various units
track the same thing but call it something different, and calculate it
differently;
- KRI specifications are often incomplete or inaccurate; and, as a consequence,
it has been difficult to aggregate, compare or interpret KRIs in a systematic
way.

(vi) Scenario Analysis

Literature on the subject states that there is no standard definition of the term
“scenario”. A scenario may be defined as a sequence of possible events and the
description of possible developments leading up to these events. The “what-if”
questions asked in a scenario analysis shift the focus of risk assessment to the
future. Due to this future orientation, scenario analysis is an important
instrument complementing loss databases, which exclusively document past events.
Moreover, it is a technique used to make operational risk more concrete and
tangible and to allow for proper risk analysis and assessment. It is a core
approach to bring realism, insight, organizational engagement, improved analysis
and structure to the complex matter of operational risk.

Basically, there are two approaches to scenario analysis:

(a) A top-down approach, where one starts from the overall business objectives
and performs an analysis of the most relevant and probable operational risk
scenarios impacting the business objectives. If the impact criteria are well
aligned with the real value drivers of the enterprise, relevant risk scenarios
will be developed. Here managers and other experts identify possible operational
loss events that range from losses occurring every day to stress events.
(b) A bottom-up approach, where a list of generic scenarios is used to define a
set of more concrete and customised scenarios, applied to the individual
enterprise situation. It may start with a detailed process analysis or risk
assessment and assign probabilities and loss severity to possible individual
events.

International best practice states that developing a manageable and relevant set
of risk scenarios requires:
- Expertise and experience, so as not to overlook relevant scenarios and not to
be drawn into highly unrealistic or irrelevant scenarios. While the avoidance of
scenarios that are unrealistic or irrelevant is important in properly utilizing
limited resources, some attention should be paid to situations that are highly
infrequent and unpredictable, but which could have a disastrous impact on the
enterprise.
- A thorough understanding of the environment. This includes the operating
environment (e.g., infrastructure, applications, dependencies between
applications and infrastructure components, service outlets, the degree of
dependency on service outlets), the overall business environment, and an
understanding of how and which operating environments support the business
environment, in order to understand the business impact.
- The participation and common views of all parties involved: senior
management, which has the decision power, and performers, who have the best
view of each activity.

Fig 3.2. Scenario Analysis

[Figure: the two routes from scenario identification to a refined estimate of
frequency and impact; only its labels are recoverable here.]
- Top-down scenario identification: identify business objectives; identify the
scenarios with most impact on achievement of the business objectives.
- Bottom-up scenario identification: start from generic risk scenarios;
identify all hypothetical scenarios; reduce through high-level analysis.
- Both routes lead to specific operational risk scenarios, for which a refined
estimate of frequency and impact is made.
- Risk factors feeding the scenarios: external environmental factors, internal
environmental factors, risk management capability and specific process
capability.

3.2.2. Describing the identified OR event

A risk event is described as an event that can lead to a business impact, in
terms of the six components discussed below:

1. Actor (who generates the threat): actors can be internal or external, and
they can be human or non-human.
- Internal actors are within the enterprise, e.g., staff.
- External actors include outsiders, competitors and the market.
Not every type of threat requires an actor, e.g., failures or natural causes.

2. Threat type (the nature of the event): threat types are either man-made
(e.g., failure, malicious and accidental) or natural (e.g., flood, earthquake).

3. An event: is it disclosure (of confidential information), interruption (of a
project), theft or destruction? An event can also include ineffective design (of
systems, processes, etc.) or ineffective execution of processes (e.g., change
management procedures, acquisition procedures, project prioritization
processes).

4. An asset or resource (on which the scenario acts): an asset is any object of
value to the enterprise that can be affected by the event and lead to business
impact. A resource is anything that helps to achieve business goals. Assets and
resources can be identical. E.g., IT hardware is an asset because it has a
certain value to the enterprise; at the same time, it is a resource because all
IT applications use it.

Assets/resources include:
- People and organization
- Business processes
- Physical infrastructure, facilities, equipment, etc.
- IT infrastructure, including computing hardware, network infrastructure and
middleware
- Other enterprise architecture components, including:
  - Information
  - Applications

Assets can be critical or not, e.g., the client-facing web site of a major bank
compared to the web site of the local garage or the intranet of the software
development group. Critical resources will probably attract a greater number of
attacks or greater attention on failure; hence, the frequency of related
scenarios will probably be higher. It takes skill, experience and a thorough
understanding of dependencies to understand the difference between a critical
asset and a non-critical asset.

5. Timing dimension, where the following could be described, if relevant to the
scenario:
- The duration of the event (for how long will the threat occur? from
occurrence to detection)
- The timing of occurrence (does the event occur at a critical moment? working
hours/off working hours)
- Time lag between the event and the consequence (is there an immediate
consequence, e.g., network failure, immediate downtime, or a delayed
consequence, e.g., wrong IT architecture with accumulated high costs over a
time span of several years?)

6. Vulnerability of the identified risk event: the description of significant
flaws or weaknesses in the Bank's business environment (policies, procedures,
systems, organizational structure, people, etc.) that will increase the
likelihood of potential threats materializing.

Figure 3.3. Risk event description

[Figure: the components that combine into a potential risk event and its risk
consequences; only its labels are recoverable here.]
- Threat agent/actor: internal (staff, contractor); external (competitor,
outsider, business partner, regulator, market)
- Threat type: malicious; accidental/error; failure; natural; external
requirement
- Events: misuse of client's information; misuse of assets; interruption;
modification; theft; destruction; ineffective design; ineffective execution;
breaches of rules and regulations; inappropriate use
- Asset/resource: people and organization; process; infrastructure
(facilities); IT infrastructure; information; application
- Time: duration; timing of occurrence (critical, non-critical); timing to
detect
- Vulnerability: the weakness of the internal control which lets the threat
happen
Threat agent + threat type + event + asset/resource + time + vulnerability =
potential risk event, leading to risk consequences.

Table 3.2. Risk event description

Columns: Event ID | Name of the Risk Event | Threat Agent | Threat type |
Asset/resource affected | Timing | Vulnerability (a blank template to be
completed for each identified event)

3.2.3 OR Categorization

Risk categorization provides a way of grouping individual risks into meaningful
groups so that they can be managed as a group. There is no one widely accepted
listing of categories for risk, as they will vary according to the nature of the
business, its size, competitive intensity, etc. What is important is that risks
are classified in some way that is relevant to the needs of the business. In
this regard CBE has adopted the Basel accord categorization, which is the
standard used by most international banks, with minor adjustments.

Advantages of risk categorization are:

- The list of individual risks facing an organization is potentially endless. By
grouping risks into categories, they can be managed in common through the use
of similar controls;
- Categorization forces managers to think holistically as well as at
operational levels. Categories of risks are more easily communicated upwards in
the organization, where senior managers/process owners and Boards of Directors
need to consider ‘big picture’ risks rather than the details of individual
risks;
- Once a risk has been identified, it becomes possible to think of tools that
may be used to measure and control those risks. Categorization helps managers
to identify how they can use their past experience to treat risks as a class,
rather than to identify an appropriate treatment for each individual risk;
- Risk categorization provides a framework that can be used to define who is
responsible, design appropriate internal controls and assist in simplified risk
reporting for management and Board review; and
- The development of a sound risk management system would be difficult without
grouping risks into categories. Such a systematic approach may help
organizations to identify inter-related risks in the same category.

a) Operational risk categories

CBE has introduced nine operational risk categories, which are described as
follows:

1. Internal fraud refers to unauthorized activity, theft or fraud that involves
at least one internal party.

Examples of events that are classified as internal fraud include:
- intentional misreporting of positions
- unauthorized undertaking of transactions
- insider trading (on an employee's own account)
- malicious destruction of assets
- theft/robbery/embezzlement/cheating/misappropriation
- bribes
- forgery
- wilful tax evasion

2. External fraud refers to theft or fraud carried out by a third party outside
the organization. It includes, for example:

- theft/robbery
- forgery
- computer hacking damage
- theft of information
- check kiting (i.e., making use of non-existent funds in a checking or other
bank account)

3. Employment Practices & Workplace Safety refers to events relating to
employee relations, a safe working environment and diversity/discrimination.
Examples of events that could give rise to operational losses include:
- employee compensation claims (for example, diversity/discrimination events)
- wrongful termination
- violation of health and safety rules
- discrimination claims
- harassment (gender related, lack of transparency in connection with career
development)
- general liability (for example, slip and fall events)

4. Clients, Products & Business Practices: losses in this category arise from a
failure to meet an obligation to a client, or from the nature or design of a
product. Examples of events in this category include:
- breaches of fiduciary duties
- suitability/disclosure issues (KYC, and so on)
- account churning (in connection with NSF checks, issuing CPOs by NSFs)
- misuse of confidential client information
- antitrust
- money laundering
- product defects
- exceeding client exposure limits

5. Execution, Delivery & Process Management: this category covers risk events
related to transaction processing or process management, trade counterparties
and vendors. Examples of such events include:
- miscommunication/misunderstanding
- data entry errors (for example, wrong data)
- missed deadline or responsibility
- model/system misoperation
- accounting errors
- mandatory reporting failures
- missing or incomplete legal documentation
- unapproved access given to client accounts
- non-client counterparty disputes
- supplier disputes
- outsourcing issues related to the contractual agreements

6. Damage to Physical Assets: this category accounts for losses as a result of
disasters and other events. It therefore includes:
- natural disasters (earthquakes, fires, floods, and so on)
- terrorism
- vandalism
Apart from physical assets, human losses from external sources are also
included.

7. Business Disruption & System Failures: operational risk events in this
category include:
- hardware and software failures
- telecommunication problems
- utility outages/disruptions
- political instability

8. Human loss refers to failure to recruit, develop, protect or retain employees
or to manage employee relations. Operational risk events in this category
include:
- high turnover
- grievances
- inadequate number of staff
- disputes among staff
- incapable employees


9. Legal refers to the risk of unenforceable contracts (in whole or in part),
lawsuits, adverse judgments, or other legal proceedings disrupting or adversely
affecting the operations or condition of the bank. It includes, for example:
- a missing provision in an otherwise valid agreement.

Table 2.3 Risk Event Categorization

Columns: Risk Event ID | Name of the Risk Event | Risk Category (a blank
template to be completed for each identified event)
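A worked form of the six-component description in 3.2.2 and the categorization in 3.2.3, as an added example that is not code from the manual or from CBE: each event is recorded with its actor, threat type, event, asset, timing and vulnerability, checked for consistency against the component definitions (a malicious threat needs an actor, a natural one has none, detection cannot precede occurrence, the vulnerability must be described), and, where the category definitions settle it, given a suggested category for Table 2.3. The category rule (malicious with an internal actor = internal fraud, malicious with an external actor = external fraud, natural = damage to physical assets, failure = business disruption and system failures) is a heuristic assumed here for illustration; the sample events and their day numbers are constructed.

```python
"""Risk event description (3.2.2) and categorization (3.2.3).

Added example, not code from the CBE manual. The category suggestion is a
heuristic drawn from the category definitions; the sample events are constructed.
"""
from dataclasses import dataclass
from enum import Enum
from typing import List, Optional


class ThreatType(Enum):          # component 2: man-made or natural
    MALICIOUS = "malicious"
    ACCIDENTAL = "accidental/error"
    FAILURE = "failure"
    NATURAL = "natural"


class Actor(Enum):               # component 1: internal or external to the enterprise
    INTERNAL = "internal (staff, contractor)"
    EXTERNAL = "external (competitor, outsider, business partner, regulator, market)"


class RiskCategory(Enum):        # the nine CBE categories of 3.2.3 (a)
    INTERNAL_FRAUD = 1
    EXTERNAL_FRAUD = 2
    EMPLOYMENT_PRACTICES_WORKPLACE_SAFETY = 3
    CLIENTS_PRODUCTS_BUSINESS_PRACTICES = 4
    EXECUTION_DELIVERY_PROCESS_MANAGEMENT = 5
    DAMAGE_TO_PHYSICAL_ASSETS = 6
    BUSINESS_DISRUPTION_SYSTEM_FAILURES = 7
    HUMAN_LOSS = 8
    LEGAL = 9


@dataclass
class Timing:                    # component 5: the timing dimension
    occurred_day: int            # day number in a constructed calendar
    detected_day: int
    at_critical_moment: bool = False
    consequence_lag_days: int = 0   # 0 = immediate consequence (e.g. network failure)

    def days_to_detect(self) -> int:
        """Duration from occurrence to detection."""
        return self.detected_day - self.occurred_day


@dataclass
class RiskEvent:
    event_id: str
    name: str                    # component 3: the event (disclosure, theft, interruption, ...)
    threat_type: ThreatType
    asset: str                   # component 4: the asset/resource the scenario acts on
    timing: Timing
    vulnerability: str           # component 6: the control weakness that lets the threat happen
    actor: Optional[Actor] = None   # not every threat needs an actor (failures, natural causes)

    def problems(self) -> List[str]:
        """Consistency checks taken from the component definitions; empty means usable."""
        found = []
        if self.threat_type is ThreatType.MALICIOUS and self.actor is None:
            found.append("a malicious threat needs an actor (internal or external)")
        if self.threat_type is ThreatType.NATURAL and self.actor is not None:
            found.append("a natural threat has no actor")
        if self.timing.days_to_detect() < 0:
            found.append("detection cannot precede occurrence")
        if not self.vulnerability.strip():
            found.append("the vulnerability that lets the threat materialize is missing")
        return found

    def suggested_category(self) -> Optional[RiskCategory]:
        """Heuristic (assumed here) for the cases the category definitions settle directly;
        None means the analyst must choose among the remaining categories."""
        if self.threat_type is ThreatType.MALICIOUS and self.actor is Actor.INTERNAL:
            return RiskCategory.INTERNAL_FRAUD       # "involves at least one internal party"
        if self.threat_type is ThreatType.MALICIOUS and self.actor is Actor.EXTERNAL:
            return RiskCategory.EXTERNAL_FRAUD       # "carried out by a third party outside"
        if self.threat_type is ThreatType.NATURAL:
            return RiskCategory.DAMAGE_TO_PHYSICAL_ASSETS   # natural disasters
        if self.threat_type is ThreatType.FAILURE:
            return RiskCategory.BUSINESS_DISRUPTION_SYSTEM_FAILURES
        return None   # accidental/error events fall into several categories

    def table_row(self) -> dict:
        """One row of Table 3.2 plus the Risk Category column of Table 2.3."""
        cat = self.suggested_category()
        return {
            "Event ID": self.event_id,
            "Name of the Risk Event": self.name,
            "Threat Agent": self.actor.value if self.actor else "none",
            "Threat type": self.threat_type.value,
            "Asset/resource affected": self.asset,
            "Timing": f"detected after {self.timing.days_to_detect()} day(s)",
            "Vulnerability": self.vulnerability,
            "Risk Category": cat.name if cat else "to be assigned",
        }


# Constructed sample events, not entries from any CBE register.
SAMPLE_EVENTS = [
    RiskEvent("OR-001", "Embezzlement of cash by a teller", ThreatType.MALICIOUS,
              "Physical asset (cash in drawer)", Timing(10, 40),
              "no dual control over cash drawer balancing", Actor.INTERNAL),
    RiskEvent("OR-002", "Flooding of a branch strong room", ThreatType.NATURAL,
              "Infrastructure (facilities)", Timing(100, 100, at_critical_moment=True),
              "strong room sited below the local flood line"),
    RiskEvent("OR-003", "Core banking outage at month end", ThreatType.FAILURE,
              "IT infrastructure", Timing(200, 200, at_critical_moment=True),
              "single database server without failover"),
]


def build_register(events=SAMPLE_EVENTS) -> List[dict]:
    """Rows for the events whose descriptions pass the consistency checks."""
    return [e.table_row() for e in events if not e.problems()]
```

Events that fail `problems()` are kept out of the register on purpose: an event whose actor contradicts its threat type, or whose vulnerability is blank, cannot be scored or treated meaningfully in the later assessment steps, and the check surfaces exactly which component needs to be revisited. The suggested category is only a starting point; accidental/error events in particular are returned unassigned because the manual's categories 3, 4, 5 and 8 all contain such events.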


3.3. Operational Risk Assessment

Operational Risk Assessment (ORA) is a systematic way of evaluating the impact
and likelihood of a given risk event. It refers to the measurement of the
operational risk exposure of a bank. However, it is widely argued that there is
no clearly established approach to measure operational risk at the moment. This
is mainly due to the fact that most operational risk events are difficult to
quantify. Due to this, operational risk is sometimes referred to as every type
of unquantifiable risk faced by banks; and losses from operational risk may
result from a complex combination of events (which do not always fall into
precise categories), which makes it difficult to predict or model the events.

An approach often used in operational risk measurement is the "matrix" approach,
in which losses are categorized according to the type of event and the business
unit/function or activity in which the event occurred.

(a) Methods of Risk Assessment/Analysis

Quantitative vs. Qualitative Methods

According to the literature on the subject, the enterprise's culture, resources,
skills and knowledge of operational risk management, environment, risk appetite,
and its existing approach to ERM will determine which methodology should be
used.

Both methods of risk analysis have the following common limitations:

- No method is fully objective, and the results of risk assessments are always
dependent on the person performing them and his/her skills and views.
- Operational risk related data (such as loss data and operational risk
factors) are often of poor quality or quite subjective (e.g., process maturity,
control weaknesses).
- Qualitative approaches run the risk of creating over-confidence in complex
models based on insufficient data. However, over-simplified qualitative models
can also result in unreliable results.

Qualitative Risk Analysis

It uses expert opinions to estimate the frequency and business impact of adverse
events. The frequency and the magnitude of impact are estimated using
qualitative labels. These labels can vary depending on the circumstances and
different environments.

It can be used in situations where there is only limited or low-quality
information available.

However, using the qualitative risk analysis method has the following
disadvantages:

- it is highly subjective,
- there will be great variance in human judgements, and
- there is a lack of a standardised approach during the assessment.

Despite the above limitations, qualitative risk analysis is usually less complex
and less expensive than quantitative analysis.

Quantitative Risk Analysis

In this method either quantitative values such as ranges are used to define
qualitative values, or only quantitative values are used.

Since it is based on formal empirical data, quantitative risk analysis is more
objective. Using purely quantitative methods requires sufficient, complete and
reliable data on past and comparable events. Obtaining these data is in many
cases very difficult.

However, some things are very hard or impossible to quantify, for example the
value of human life, the cost of terrorist attacks or similar events, and loss
of reputation.

Many suggest that neither of the two risk analysis methods is complete in all
aspects. Hence it is better to use a combination of both.

(b) Control Analysis/Control Rating

In analyzing controls, all relevant controls that can reduce the impact and
likelihood of the risks shall be listed. Non-control related mitigation such as
insurance also has to be identified. The effectiveness of the existing controls
shall then be measured using the following assessment parameters.

The identified risks shall be prioritized and considered against existing
controls so that the residual risk can be identified after the existing controls
have been applied to the inherent risks.

Rating | Definition | Description
1 | Ineffective | Fundamental deficiencies exist in risk mitigation
2 | Deficient | Scarcity exists in risk mitigation/control
3 | Adequate | Minor weaknesses exist in risk mitigation
4 | Effective | Risk mitigation/controls are considered sufficient
5 | Excessive | Opportunities exist to streamline risk mitigation/control
(c) Likelihood Analysis

It is the estimation of the probability that exposure to a risk will occur. As
appropriate, the respective process/RAU may consider either the likelihood
percentage and/or the frequency noted below in assigning a score for the
identified risk events:

Probability | Score | Likelihood | Frequency
Rare | 1 | Low (0-5%]. Materializes only in exceptional circumstances. | Once in every 20+ years
Unlikely | 2 | Low/Medium, but not impossible (5-25%]. Probably will not materialize. | Once in every 5-20 years
Possible | 3 | Medium (25-75%]. Might materialize at some time. | Once in every 1-5 years
Likely | 4 | Medium/High (75-95%]. Probably materializes at least once in a year. | Once a year
Almost certain | 5 | High (>95%). Will materialize in most circumstances. | More than once per year

(d) Impact Analysis

It is the estimation of the effect that the risk would have on the organization's
ability to successfully achieve its objectives if the risk occurred.

Under impact/magnitude analysis, the maximum amount of damage that could be
suffered, such as a worst-case loss when specific risk factors converge, or the
opportunity that could be gained, is estimated and determined.

As appropriate, the respective process/RAU may consider either the consequence
definitions and/or the thresholds noted below in assigning a score for the
identified risk events:

Impact | Score | Consequence | Threshold
Insignificant | 1 | Minimal impact on the Bank's/Process's objective(s). Can be easily and quickly remedied. Generally minimal and negligible. | Less than Birr 5,000
Minor | 2 | Minor impact on the Bank's/Process's objective(s). Generally short to medium term effect. | Birr 5,000 - 100,000
Moderate | 3 | Significant impact on the Bank's/Process's objective(s). Medium term effect which may be expensive to recover. | Birr 100,001 - 500,000
Major | 4 | Major impact on the Bank's/Process's objective(s). Generally medium and long term effect and expensive to recover. | Birr 500,001 - 10,000,000
Disastrous | 5 | Critical impact on the Bank's/Process's objective(s). Generally very difficult and possibly long term to recover. | Above Birr 10,000,000

(e) Risk Level Determination / Risk Matrix

A risk level (score) is determined by multiplying the impact score of a given
risk event by its likelihood score. Four levels of risk are recognized by the
ORMG (a product of two scores from 1 to 5 can never equal 11, so the gap
between the High and Extreme bands is never reached):

 Red level / Extreme risk: risks with a score from 12 up to 25
 Yellow level / High risk: risks with a score from 6 up to 10
 Green level / Moderate risk: risks with a score from 4 up to 5
 Blue level / Low risk: risks with a score from 1 up to 3

The following table represents the risk matrix (each cell is likelihood x impact):

                                             IMPACT
LIKELIHOOD            INSIGNIFICANT (1)  MINOR (2)  MODERATE (3)  MAJOR (4)  DISASTROUS (5)
ALMOST CERTAIN (5)           5              10           15           20            25
LIKELY (4)                   4               8           12           16            20
POSSIBLE (3)                 3               6            9           12            15
UNLIKELY (2)                 2               4            6            8            10
RARE (1)                     1               2            3            4             5
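The scoring rules above can be put into code so that every process/RAU scores events the same way. The following Python is an added example (it is not code from the manual or from CBE); the likelihood, impact and level bands are the manual's, while the event record layout (a dict with an impact in Birr and either a probability or a frequency) and the treatment of a zero frequency as "rare" are assumptions of this example.

```python
"""Risk scoring per the likelihood table, impact table and risk matrix above.

Added example; not code from the CBE manual. The bands are the manual's.
The event record layout (a dict with 'event_id', 'impact_birr' and either
'probability_pct' or 'events_per_year') is an assumption of this example.
"""


def likelihood_from_probability(pct: float) -> int:
    """Likelihood score 1-5 from an annual probability in percent.

    Bands are closed on the upper side, as printed in the manual:
    (0-5] -> 1, (5-25] -> 2, (25-75] -> 3, (75-95] -> 4, >95 -> 5.
    """
    if not 0 <= pct <= 100:
        raise ValueError("probability must be a percentage between 0 and 100")
    for upper, score in ((5, 1), (25, 2), (75, 3), (95, 4)):
        if pct <= upper:
            return score
    return 5


def likelihood_from_frequency(events_per_year: float) -> int:
    """Likelihood score 1-5 from the frequency column of the manual's table.

    More than once a year -> 5, once a year -> 4, once in 1-5 years -> 3,
    once in 5-20 years -> 2, once in 20+ years -> 1.  A frequency of zero
    (never observed) is treated as rare; that choice is this example's.
    """
    if events_per_year < 0:
        raise ValueError("frequency cannot be negative")
    if events_per_year > 1:
        return 5
    if events_per_year == 1:
        return 4
    if events_per_year == 0:
        return 1
    interval_years = 1 / events_per_year
    if interval_years <= 5:
        return 3
    if interval_years <= 20:
        return 2
    return 1


def impact_from_birr(amount: float) -> int:
    """Impact score 1-5 from the worst-case loss in Birr (threshold column)."""
    if amount < 0:
        raise ValueError("loss amount cannot be negative")
    if amount < 5_000:
        return 1
    if amount <= 100_000:
        return 2
    if amount <= 500_000:
        return 3
    if amount <= 10_000_000:
        return 4
    return 5


def risk_level(score: int) -> str:
    """Map a matrix score to the four ORMG levels.

    A product of two 1-5 scores never equals 11, so the gap between the
    Yellow (6-10) and Red (12-25) bands is unreachable; anything else is a bug.
    """
    if 12 <= score <= 25:
        return "Red (Extreme)"
    if 6 <= score <= 10:
        return "Yellow (High)"
    if 4 <= score <= 5:
        return "Green (Moderate)"
    if 1 <= score <= 3:
        return "Blue (Low)"
    raise ValueError(f"score {score} is not a valid likelihood x impact product")


def assess(events: list[dict]) -> list[dict]:
    """Score each event and return the rows ordered by score, highest first.

    This is the content of the Risk Summary Matrix columns Likelihood,
    Impact and Score for each event.
    """
    scored = []
    for ev in events:
        if "probability_pct" in ev:
            likelihood = likelihood_from_probability(ev["probability_pct"])
        else:
            likelihood = likelihood_from_frequency(ev["events_per_year"])
        impact = impact_from_birr(ev["impact_birr"])
        score = likelihood * impact
        scored.append({
            "event_id": ev["event_id"],
            "likelihood": likelihood,
            "impact": impact,
            "score": score,
            "level": risk_level(score),
        })
    return sorted(scored, key=lambda row: row["score"], reverse=True)


if __name__ == "__main__":
    # Constructed sample events, not data from the manual.
    sample = [
        {"event_id": "OR-001", "probability_pct": 30, "impact_birr": 600_000},
        {"event_id": "OR-002", "events_per_year": 0.1, "impact_birr": 3_000},
        {"event_id": "OR-003", "events_per_year": 3, "impact_birr": 50_000},
    ]
    for row in assess(sample):
        print(row)
```

Note that the Birr thresholds are integer bands as printed (100,000 is Minor, 100,001 is Moderate); a fractional amount such as 100,000.50 falls into the Moderate band with the comparisons used here.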

3.4. Operational Risk Treatment/Mitigation

A key outcome of the risk identification and assessment process is a detailed list
of all key risks including those that require treatment as determined by the
overall level of the risk against the Bank's risk tolerance levels. However, not all
risks will require treatment as some may be accepted by the Bank and only
require occasional monitoring throughout the period.

Risk response is concerned with developing strategies to reduce or eliminate the
threats and events that create risks. Risk response should also make provision for
the exploitation of opportunities to improve the performance of the Bank.
Responding to risk involves identifying and evaluating the range of possible
options to mitigate risks and implementing the chosen option. Management
should develop response strategies for all material risks, whether or not the
management thereof is within the direct control of the Bank, prioritizing the risks
exceeding or nearing the risk appetite level.

In instances where the management of a risk is not within the control of the Bank,
the response strategies should consider measures such as forward planning and
lobbying. Response strategies should be documented, and the responsibilities and
timelines attached thereto should be communicated to the relevant persons.

3.4.1 Developing a risk response Plan/Strategy

A risk response plan/strategy identifies responsibilities, schedules, the expected
outcome of responses, budgets, performance measures and the review process to
be set in place. It usually provides detail on:

 actions to be taken and the risks they address;
 who has responsibility for implementing the plan;
 what resources are to be utilized;
 the budget allocation;
 the timetable for implementation; and
 details of the mechanism and frequency of review of the status of the
response plan.

3.4.2 How to respond to risks?

Responding to risks involves the following key steps, each of which is covered in
detail in this section:

a) Identify risk response options

Risk response design should be based on a comprehensive understanding of how
risks arise. This includes understanding not only the immediate causes of an
event but also the underlying factors that influence whether the proposed
response will be effective. Risk response options are not necessarily mutually
exclusive or appropriate in all circumstances. They include the following:

Avoiding risk – not engaging in the activity that creates the risk exposure;
Mitigating risk – applying controls or procedures that reduce the likelihood or impact of the risk;
Transferring risk – transferring the risk exposure to other parties (e.g. through insurance);
Exploiting risk – exploiting risks that represent a missed opportunity;
Accepting risk – accepting a risk with a low level of exposure, subject to monitoring;

b) Select options for response

Once risks have been assessed and a level of risk rating has been assigned, an
option for response is selected. Consideration should be given to the following
parameters:

(i) Cost of the response:

- The cost of the insurance premium should be considered in the case of
risk transfer.
- The cost (capital expense, salaries, consulting) to implement control
measures needs to be considered if risk mitigation is selected as a tool.

A basic cost-benefit analysis includes:

- defining or breaking down the risk into its elements by drawing up a
flowchart or list of inputs, outputs, activities and events;
- calculating, researching or estimating the cost and benefit associated
with each element (including, if possible, direct, indirect, financial and
social costs and benefits); and
- comparing the sum of the costs with the sum of the benefits.

(ii) Importance of the risk addressed by the response: i.e. its position on
the risk map (which reflects the combined frequency and magnitude levels).

(iii) Effectiveness of the response, i.e. the extent to which the response
will reduce the frequency and impact of the risk.

c) Assign risk ownership

The risk owner (the person accountable for managing a particular risk) should be
a senior staff member or Manager with sufficient technical knowledge about the
risk and/or risk area for which a response is required.

The risk owner will often delegate responsibility (but not accountability) to his /
her direct reports or consultants for detailed plan development and
implementation.

d) Prepare response plans

Once response options for individual risks have been selected, they should be
consolidated into risk action plans and/or strategies.

As one risk response may impact multiple risks, response actions for different
risks need to be combined and compared so as to identify and resolve conflicts
between plans and to reduce duplication of effort. Finally, the response plan
should be documented, and the practicability of the chosen options needs to be
monitored.

Once the proper risk mitigation is identified, the Process/RAU shall report its
Mitigation Plan as per the following format.

Table 3.4. Risk Mitigation Plan

Risk Event ID   Event Name   Event Category   Mitigation Plan   Mitigation Date   Risk Owner

To ease subsequent actions (i.e. risk response and monitoring), the identified and
analyzed risk shall be summarized in a standard format presented below. The OR
database of every process shall consider, at minimum, the particulars noted in
this table.

Table 3.5. Risk Summary Matrix

Risk Event ID   Risk Event   Risk Category   Likelihood   Impact   Score   Response   Owner   Duration

3.5 Operational Risk Monitoring

The monitoring activity enables banks to track how well their overall operational
risk management is performing in line with the predefined framework. Along the
way, monitoring helps banks to identify operational gaps and control weaknesses so
that appropriate adjustments can be carried out for the upcoming business
seasons. Among others, the tools employed towards monitoring operational risk
include the development and implementation of key risk indicators (KRIs) and the
maintenance of internal and external loss data. Therefore, the following part is
devoted to explaining the significance of monitoring of operational risk and the
use of KRIs and loss data.

Why Monitoring of Operational Risk?

The monitoring and reviewing activities of operational risk refer to the
mechanisms for tracking whether the operational risks of the bank are being
managed in line with the predefined framework, i.e. the strategy, policies,
procedures, systems, standards, and practices governing the bank. Hence, an
effective monitoring and reviewing process is essential for adequately managing
operational risk. Regular monitoring activities offer the advantage of quickly
detecting and correcting deficiencies in the policies, processes and procedures for
managing operational risk, which can substantially reduce the potential frequency
and/or severity of a loss event.

In addition to monitoring operational loss events, it is necessary to identify
appropriate indicators that provide early warning of an increased risk of future
losses. Such indicators (often referred to as key risk indicators or early warning
indicators) should be forward-looking and could reflect potential sources of
operational risk such as rapid growth, the introduction of new products, employee
turnover, transaction breaks, system downtime, and so on. When thresholds are
directly linked to these indicators, an effective monitoring process can help
identify key material risks in a transparent manner and enable the bank to act
upon these risks appropriately.

The frequency of monitoring should reflect the risks involved and the frequency
and nature of changes in the operating environment. Monitoring should be an
integrated part of the bank's operational risk activities. According to best
practices, the results of these monitoring activities are usually included in regular
management and Board reports.

In view of this, the bank can implement a process to regularly monitor and review
operational risk profiles and material exposures to losses. There should be regular
reporting of pertinent information to Senior Management and the Board of
Directors that supports the proactive management of operational risk. In general,
the Board of Directors should receive sufficient higher-level information to enable
them to understand the bank's overall operational risk profile and focus on the
material and strategic implications for the business.

The operational risk reports should contain internal information about events and
conditions that are relevant to decision making and should be distributed to
appropriate levels of management and others, as appropriate. Reports should
fully reflect any identified problem areas and should motivate timely corrective
action on outstanding issues. To ensure the usefulness and reliability of these risk
reports, management should regularly verify the timeliness, accuracy, and
relevance of reporting systems and internal controls in general. Also, reports
should be analyzed with a view to improving existing risk management
performance as well as developing new risk management policies, procedures and
practices.

International experience suggests that the monitoring and review process for
operational risk management has to take place on three levels:
 First, the adequacy and effectiveness of the internal control system has to
be monitored, evaluated and reported for every single internal control
action. It is important for the evolution of risk management within a bank
to communicate and share the lessons learned at this level.
 Second, the general risk profile of the bank and any changes in its
uncertainties have to be monitored, so that upcoming risks are identified
early enough and internal controls over outdated risks are stopped. The
monitoring process can, if need be, entail the redistribution of resources.
 Third, the progress of the implementation of operational risk management
itself has to be monitored and fostered. The following questions can serve
as a point of orientation:
 Is operational risk management well supported and promoted?
 Are people equipped to do operational risk management?
 Is there a clear operational risk strategy/policy?
 Do the bank's processes incorporate operational risk management?
 Does operational risk management contribute to outcomes/achievement of objectives?
 Are operational risks well handled and managed?

The following monitoring actions shall be carried out within the CBE to
effectively monitor operational risks. Accordingly, all processes/RAUs shall:
 Ensure that their mitigation plan (risk response) addresses the root
cause of the identified risk events;
 Assign management responsibility and conduct ongoing monitoring and
review for risk events at all rating levels, performing monitoring actions
that are commensurate with the level of risk posed by the specific risk
event, as shown below;
 Update the RCMP on the status of the identified risks at least quarterly; and
 Periodically test control design and operating effectiveness.

The progress of the mitigation plan drawn up for each identified risk event shall
be reported as per the following format:

Table 3.6 Risk Progress Reports

Risk ID   Mitigation Plan   Due Date of the Plan   Current Status   Justification

3.5.1 Developing Key Risk Indicators (KRIs)

a) Attributes of KRI

The key attributes of KRIs are that they:

 Highlight current risk levels by providing a measure of the status of an
identified risk and the effectiveness of its control. Risk indicators can
provide information which gives a useful ongoing view of the underlying
behaviour of the risk profile;
 Provide early warning signals through predictive risk indicators which
highlight changes in the risk environment, control effectiveness and
potential risk issues, before they crystallize and result in loss or other
exposure;
 Enable actions that prevent or minimize material loss or incidents by
prompting timely action on early warning signals;
 Express escalation criteria for risk management by using thresholds to
convert raw indicator data into meaningful risk ratings to aid effective
decision making;
 Enable the bank to identify process and/or control weaknesses and thus
enable action to be taken to strengthen controls and resolve issues;
 Drive behaviour and desired outcomes for the bank; and
 Enhance risk appetite setting – one of the methods to articulate risk
appetite, particularly for operational risk, is through the setting of
tolerance and escalation levels for key risk indicators.

b) How KRIs are identified and selected?

The following diagram illustrates how key risk indicators may be identified. The
diagram uses people risk as an illustration.

Fig 3.4. Relationship between Risk and Risk indicators

[Figure: three steps in sequence: Define risk category -> Develop causal map -> Establish KRIs]

Fig. 4.5. Development Process of KRI

Risk: People risk

Risk causes: inability to recruit; competitors; inability to retain; inadequate
skills and education; low job satisfaction; low staff morale; poor performance
of staff.

Risk indicators (examples): staff turnover ratios; average time to fill vacant
posts; number of applications per vacancy; number of staff not completing their
probationary period; exit interview summaries; staff survey summaries; % of job
offers accepted; benchmark salaries.
c) Sources of KRI

The following (non exhaustive list) provides some sources of information that
can help to identify significant risks and aid in KRI identification:

 historical internal loss events;


 risk and control self assessment results;
 internal/external audit findings;
 regulatory inspection findings; and
 Workshops/discussions with business functions e.g. human resources
(including staff turnover statistics).

d) Why are KRIs important?

An important objective of key risk indicators is to provide a measure of risk
causes in addition to the effects of risk, so aiding robust risk management and
enabling timely action. Key risk indicators play an important role in:

 Risk management – namely:
o the ability of KRIs to predict potential "risk events" can help the bank
avoid or minimize losses;
o KRIs help identify process and/or control weaknesses and thus enable
action to be taken to strengthen controls and resolve issues; and
o targets for KRIs can be set to drive behaviour and desired outcomes for
the bank.
 Risk appetite setting – one of the methods to articulate risk appetite,
particularly for operational risk, is through the setting of tolerance and
escalation levels for key risk indicators;
 Regulatory compliance – identification and management of KRIs is an area
of regulatory focus;
 Fulfilment of business goals – improving the likelihood of achieving
primary business goals through more effective operational risk management;
and
 Capital calculation – data from established KRIs can be used as one of the
inputs into operational risk capital calculations.
e) Properties of a good indicator

The following table describes some of the main properties of a good KRI in terms of
effectiveness, comparability and ease of use.

Effectiveness: a good KRI should
 apply to at least one specific risk and one business function or activity;
 be measurable at specific points in time;
 reflect objective measurement rather than subjective judgment;
 track at least one aspect of the loss profile or event history, such as
frequency, average severity, cumulative loss or near-miss rates; and
 provide useful management information.

Comparability: a good KRI should
 be quantified as an amount, a percentage, or a ratio;
 be a reasonably precise and definite quantity;
 have values that are comparable over time;
 be comparable internally across businesses;
 be reported with primary values and be meaningful without interpretation
to some more subjective measure;
 be auditable; and
 be identified as comparable across the industry.

Ease of use: a good KRI should
 be available reliably on a timely basis;
 be cost-effective to collect; and
 be readily understood and communicated.

f) Illustration of a KRI

i. Staff turnover ratio

A key risk indicator for monitoring and responding to risk around the
effectiveness and continuity of a bank’s business relates to staff turnover levels.
Key risk indicators of this type require tolerance thresholds in order to give a
meaningful representation of the risk; and the resultant ratings which could be
used to create “heat map” reporting on indicators.

For example, when given thresholds are breached there will be a requirement to
escalate to an appropriate level of management. Following is a hypothetical
illustration for an organization in using a specified threshold.
KRI: Staff turnover

No.  Risk level            Risk status        Action required
1.   Below 24%             No risk (green)    The organization is comfortable with the level
                                              of staff turnover. No escalation or treatment
                                              required.
2.   Above 24% (25-28%)    Potential risk     The risk is a concern and HR would be expected
                           (yellow)           to monitor actively and establish causes and
                                              actions. Escalation is required to raise
                                              awareness, but an explanatory report is not
                                              required.
3.   Above 28%             Significant risk   Action and escalation with an explanatory
                           (red)              report required.

Thresholds can be used alongside targets set by management. These could be
flexed over time as objectives/strategy and risk appetites develop. These
targets will help drive the desired behaviour and outcomes and improve the
organization's operational risk profile over time.

ii. Number of customer complaints

The number of customer complaints could be another example of a key risk
indicator. As customer complaints increase, the probability that some underlying
and potentially systemic mistakes and errors of judgment are being made is likely
to rise. In other words, there is a rationale for thinking that, at least in some
ranges, changes in the value of this indicator are likely to be associated with
changes in operational risk exposure or operational loss experience.
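Rating an indicator against its bands and deciding what to escalate is a small piece of logic worth making explicit, because it is where a KRI turns from a number into an action. The following Python is an added example, not code from the manual: the bands are those of the staff-turnover illustration above, while the turnover formula (leavers over average headcount, annualised) and the rising-trend check, which flags an indicator that is still green but has climbed for three consecutive periods, are this example's own assumptions. The evaluator is generic, so the same function serves a customer-complaints KRI once bands are defined for it.

```python
"""KRI threshold evaluation with escalation, using the staff-turnover bands
illustrated above.

Added example, not code from the manual. The bands are the manual's; the
turnover formula and the rising-trend early warning are assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Band:
    upper: Optional[float]  # inclusive upper bound in percent; None = open-ended
    rating: str
    action: str


# The manual prints "below 24%" and "above 24% (25-28%)"; this example reads the
# boundaries as: up to 24% green, above 24% up to 28% yellow, above 28% red.
STAFF_TURNOVER_BANDS = (
    Band(24.0, "green", "No escalation or treatment required."),
    Band(28.0, "yellow", "HR to monitor actively and establish causes and actions; "
                         "escalate to raise awareness, explanatory report not required."),
    Band(None, "red", "Action and escalation with explanatory report required."),
)


def annualised_turnover_pct(leavers: int, headcount_start: int,
                            headcount_end: int, months: int) -> float:
    """Leavers in the period over average headcount, scaled to a 12-month rate
    (assumed formula; the manual does not define how the ratio is computed)."""
    if months <= 0 or headcount_start <= 0 or headcount_end <= 0:
        raise ValueError("months and headcounts must be positive")
    average_headcount = (headcount_start + headcount_end) / 2
    return leavers / average_headcount * (12 / months) * 100


def rate(value: float, bands: tuple) -> Band:
    """Return the first band whose upper bound the value does not exceed."""
    for band in bands:
        if band.upper is None or value <= band.upper:
            return band
    raise ValueError("bands must end with an open-ended band")


def evaluate_kri(series: list, bands: tuple, trend_periods: int = 3) -> list:
    """Rate each (period, value) of a KRI series and flag what must be escalated.

    'escalate' is set whenever the rating is not green. 'early_warning' is set
    when the indicator is still green but has risen for trend_periods
    consecutive periods, which is what makes the indicator forward-looking.
    """
    results = []
    for i, (period, value) in enumerate(series):
        band = rate(value, bands)
        rising = i + 1 >= trend_periods and all(
            series[j][1] > series[j - 1][1]
            for j in range(i - trend_periods + 2, i + 1)
        )
        results.append({
            "period": period,
            "value": round(value, 2),
            "rating": band.rating,
            "action": band.action,
            "escalate": band.rating != "green",
            "early_warning": band.rating == "green" and rising,
        })
    return results


if __name__ == "__main__":
    # Constructed quarterly HR figures (leavers, headcount at start and end,
    # months in period), not data from the manual.
    quarters = [("Q1", 9, 200, 198, 3), ("Q2", 10, 198, 196, 3),
                ("Q3", 11, 196, 194, 3), ("Q4", 13, 194, 190, 3)]
    series = [(q, annualised_turnover_pct(l, s, e, m)) for q, l, s, e, m in quarters]
    for row in evaluate_kri(series, STAFF_TURNOVER_BANDS):
        print(row)
```

With the constructed figures, Q1 to Q3 stay green but climb each quarter, so Q3 carries an early warning before Q4 crosses into yellow and must be escalated.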

3.5.2 Capturing a Loss Database

Operational risk loss data consists of internal loss data and data obtained from
external sources (external data). Internal loss data is bank-specific and obtained
from the processes/RAUs of the bank. Capturing internal loss data includes the
ability to record internal loss events as they arise, to attribute them to the
various categories of operational risk, and to track them to closure in line with
the workflow that matches the bank's unique business processes. External data
include data obtained from public sources and other banks in the industry.

The systematic capture of clean and comprehensive data on losses is one of the
most important aims of operational risk management, since the variety of
management information that can subsequently be produced is very significant.
Capturing losses is a prerequisite to measuring them, and thus to answering
management questions such as 'Which products produce the highest number of
losses?', 'Which processes are most error-prone?', 'Where do the losses fail to
match the expected risk profile?', etc.

i. What are Internal Loss Events?

Internal loss events may be viewed as actual loss, potential loss and "near
miss" events experienced by the bank. They could happen as a result of new
risks to the bank or due to lack of control or control failures surrounding an
already identified risk.

 Actual loss – an incident that has resulted in a negative financial impact
for the business;
 Potential loss – an incident that has been discovered, that may or may
not ultimately result in a financial loss; and
 Near miss – an incident discovered through means other than standard
operating practices and which, through good fortune or focused management
action, has resulted in a nil or positive financial impact.

ii. The Need for capturing internal loss events

The tracking of internal loss event data is a key component of robust operational
risk management and contributes to the assessment and monitoring of
operational risk. Internal loss data is most relevant when it is clearly linked to a
bank's current business activities, technological process and risk management
procedures.

To bring effective use of loss data, a bank's internal loss data should be
comprehensive in that it captures all material activities and exposures from the
different business units and support functions.

Internal loss data are gathered and analyzed primarily for the following main
reasons, according to the literature on the subject:

 to measure risk exposure more accurately;
 to justify the cost of new or improved controls and compare the effectiveness
of controls;
 to identify trends and lessons to be learned over time;
 to tie the bank's risk estimates to its actual loss experience; and
 to use loss data as a potential input for capital calculation.
The following chart summarizes the benefits of internal loss event collection;
the figure after it shows how to classify a new loss event.

Internal loss event capture brings the following benefits:

Customer service
- Supports customer focused service
- Supports first contact resolution

External stakeholders
- Identifies key sources and costs of risks
- Facilitates escalation of issues
- Enables prioritization of activities
- Enables reduction/mitigation of key sources of risk
- Facilitates the process of continual improvement

External stakeholders
- Demonstrates that risk losses are being identified and managed appropriately
- Aligns overall risk management practices to peer group comparisons

Regulatory compliance
- Complies with regulatory requirements
- Enables future progression to more advanced approaches to the calculation of
regulatory capital requirements

Financial benefits
- Cost identification and reduction
- Reduction of regulatory capital requirements for risk
- Supports cost/benefit analysis of improvement/control

Internal stakeholders
- Improves knowledge and understanding of risk losses
- Enables oversight and resolution of losses
- Validates control effectiveness and enables corrective action
- Mitigates future incidents and avoids repeat incidents

Figure 3.5. Benefits of internal loss event collection


[Here state the title of the Report (i.e. Operational Risk Assessment of X (the Name of the Process) Process/RAU]

iii. How to classify a new loss event

The following figure illustrates the process of determining the loss type of a
new event.

Incident detected -> internal loss event capture, then:

Closed incidents:
  Is the financial impact zero or positive?
    Yes -> Near miss (status: closed)
    No  -> Actual loss (status: closed)

Open incidents:
  Is the financial impact to date zero or positive?
    Yes -> Potential loss (status: open)
    No  -> Actual loss (status: open)

Figure 3.6. How to classify a new loss event
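The classification rule in the figure, together with the management questions listed at the start of 3.5.2 ('Which processes produce the highest number of losses?') and the requirement to track events to closure, can be implemented as a small loss event register. The following Python is an added example, not code from the manual or from CBE: the record fields, the register's methods, the reporting-threshold query and the sample events are this example's assumptions; the near miss / potential loss / actual loss rule is the figure's, and the category names in the sample are Basel event-type names.

```python
"""Internal loss event register: classify incidents as in Figure 3.6, track
them to closure, and answer the management questions listed in 3.5.2.

Added example, not code from the manual. Record fields, methods and sample
data are assumptions of this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass
class LossEvent:
    event_id: str
    process: str             # owning process/RAU
    category: str            # Basel loss event type
    financial_impact: float  # Birr; negative = money lost, zero/positive = none
    closed: bool = False


def classify(event: LossEvent) -> str:
    """Figure 3.6: a zero or positive impact is a near miss once closed and a
    potential loss while still open; any negative impact is an actual loss."""
    if event.financial_impact >= 0:
        return "near miss" if event.closed else "potential loss"
    return "actual loss"


class LossRegister:
    def __init__(self) -> None:
        self._events: dict = {}

    def capture(self, event: LossEvent) -> str:
        """Record a newly detected incident; returns its current loss type."""
        if event.event_id in self._events:
            raise ValueError(f"duplicate event id {event.event_id}")
        self._events[event.event_id] = event
        return classify(event)

    def update(self, event_id: str, financial_impact: Optional[float] = None,
               closed: Optional[bool] = None) -> str:
        """Track an open event as its impact firms up; returns the new loss type
        (a potential loss becomes an actual loss or a near miss on closure)."""
        event = self._events[event_id]
        if event.closed:
            raise ValueError(f"event {event_id} is already closed")
        if financial_impact is not None:
            event.financial_impact = financial_impact
        if closed is not None:
            event.closed = closed
        return classify(event)

    def open_events(self) -> list:
        return sorted(e.event_id for e in self._events.values() if not e.closed)

    def loss_count_by_process(self) -> dict:
        """'Which processes produce the highest number of losses?'"""
        counts = Counter(e.process for e in self._events.values()
                         if classify(e) == "actual loss")
        return dict(counts.most_common())

    def loss_total_by_category(self) -> dict:
        """Total Birr lost per Basel event type, largest first."""
        totals = defaultdict(float)
        for e in self._events.values():
            if classify(e) == "actual loss":
                totals[e.category] += -e.financial_impact
        return dict(sorted(totals.items(), key=lambda kv: kv[1], reverse=True))

    def reportable(self, threshold: float) -> list:
        """Actual losses at or above a reporting threshold, such as the
        thresholds the external data consortia apply."""
        return sorted(e.event_id for e in self._events.values()
                      if classify(e) == "actual loss"
                      and -e.financial_impact >= threshold)


def build_sample_register() -> LossRegister:
    """Constructed sample events, not data from the manual."""
    reg = LossRegister()
    reg.capture(LossEvent("LE-01", "Branch Operations",
                          "Execution, delivery and process management", -45_000, closed=True))
    reg.capture(LossEvent("LE-02", "Branch Operations", "Internal fraud", -120_000, closed=True))
    reg.capture(LossEvent("LE-03", "IT", "Business disruption and system failures", 0, closed=True))
    reg.capture(LossEvent("LE-04", "Treasury", "Execution, delivery and process management", 0))
    reg.capture(LossEvent("LE-05", "IT", "External fraud", -8_000))
    return reg


if __name__ == "__main__":
    reg = build_sample_register()
    print(reg.update("LE-04", financial_impact=-30_000, closed=True))  # potential -> actual
    print(reg.loss_count_by_process())
    print(reg.loss_total_by_category())
```

Note that `classify` is evaluated from the current record rather than stored, so an event's type follows its impact and status as the workflow moves it to closure, which is the tracking the text asks for.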

iv. External Loss Data

External loss data is information relating to the loss experiences of other
institutions. An external loss database provides an indication of the size,
frequency and sources of losses experienced by other banks in the industry and
thus can provide a wider frame of reference when assessing potential risk
exposures.

External loss data mainly consist of large volumes of actual loss data specifying
the amount, frequency and classification of loss events and/or the specifics of
particular large loss events collected from publicly available information.

[Name of the Process/RAU] [Date on which this Report is Produced] Page 87



a. Sources of External Loss Data (experience of others)

External loss data, i.e. data on operational losses experienced by other banks in
Ethiopia, could be obtained from the Bankers' Association, the central bank and
others, if any. International external loss data are collected by several data
consortia and, additionally, by a few commercial providers. Consortia allow
their members to exchange loss data in a standardized, anonymous and
quality-assured form.

Presently, the best known data consortia are GOLD (Global Operational Loss
Database) in Great Britain and ORX (Operational Risk data eXchange Association)
in Switzerland. GOLD was established on the initiative of the British Bankers'
Association in the year 2000. ORX was set up in 2001 and currently has 22
members. An example of a national initiative is DIPO (Database Italiano delle
Perdite Operative) in Italy, a consortium founded by the Italian bank association
ABI (Associazione Bancaria Italiana) in the year 2000. At the end of 2003, the
membership of that consortium included 32 banks and bank groups.

The reporting threshold is EUR 20,000 for ORX, USD 50,000 for GOLD and EUR
5,000 for DIPO.

The following box further elaborates on ORX (Operational Risk data eXchange
association) and on the ABI Operational Loss Consortium (OLC) described there.

Box 1

 Operational Risk data eXchange association (ORX)
- This database uses the Basel loss event categories to collect, cleanse,
process and report operational risk loss data for members.
- Founding members are from the banking sector and the database is expected
to meet FSA regulatory requirements for external data.
- Data held in the database is anonymous, and records loss events with a
threshold set at €25,000.
- Data is collated, held and distributed by a third party for security purposes.
- Reports on the consortium dataset are made available to all members.
- The current database is banking focused, but ORX is developing an
insurance version.

 ABI Operational Loss Consortium (OLC)
- ABI uses Basel loss event type categorization within its database and
provides a robust/secure data repository for users.
- The database aims "to provide an industry database of quality operational
loss event information to enhance both quantitative and qualitative
understanding of operational risk for insurers".
- ABI objectives include providing a quantifiable input, identification of
risk areas, and provision of benchmarks.
- ABI collates, hosts and distributes reporting. A reporting suite enables
members to access pre-defined reports, create reports in a secure
environment, and benchmark themselves against other consortium members.

b. Some Requirements on Handling External Loss Data

 Confidentiality— Confidentiality among the member banks and strictly
anonymous information are key factors for the development of data consortia.
This may lead to restrictions with regard to information depth, since geographic
information, for example, might reveal the data source, especially if the number
of members is low.
 Consistency— The consistency of data recording has to be ensured. Banks
should input data on comparable loss events in the same way. This should also
be guaranteed within one bank. Hence, data field names should be easily
understood and sufficient information should be recorded to permit data
validation. By consistent data recording, data consortia fulfil an important
function in ensuring comparability.


 Flexibility— Consortia and their systems have to be structured in such a way
that they are flexible with a view to future developments, such as changes in
categories or amendments due to new risks.

A problem related to the use of external data is their methodical classification and
scaling. A loss that can be easily borne by one bank may threaten the life of
another bank. Different factors may be used for scaling, e.g. balance sheet total,
expenditure or income, with different factors being relevant for different business
lines. However, since suitable data are only available to a certain extent, pragmatic
solutions are needed in this context.

Taking into account the benefits of using an external loss database, processes/RAUs
shall perform the following.

 Processes/RAUs can use external loss data for the following purposes:
- to test the responsiveness of the control environment against external
loss events, in order to assess control effectiveness in helping to avoid or
mitigate such events;
- to assess potential exposure during the self-assessment process;
- to perform realistic scenario tests; and
- to provide additional data, which may potentially assist with the modelling
of capital requirements. However, careful judgment is needed on the
relevance of such data, in view of different industry or industrial sector data
sources, differences in operational scale, control systems, cultures and the
likely completeness of the data.
 The RCMP shall collect and maintain an operational-risk-related external loss
database and forward it to the respective processes for subsequent analysis.


PART IV: BUSINESS CONTINUITY MANAGEMENT

4.1 Concepts and Perspectives of BCM

What is Business Continuity Management? Business Continuity Management is a
significant aspect of operational risk management. Ian Storkey (2011) stated
that BCM is the development, implementation and maintenance of policies,
frameworks and programs to assist financial institutions to manage a business
disruption, as well as to build business resilience. The primary output of the BCM
process is a Business Continuity Plan (BCP), which is a plan for mitigating some of
the bank's risks.

Business Continuity Management is in essence a management process focused on
what to do following an unexpected event or incident, and it is best developed
before an incident occurs, in the relative calm of daily management of the bank.
The BCP is invoked when a risk event occurs that has a business interruption
consequence. The business interruptions that are of concern from a continuity
viewpoint are referred to as 'outages'. These events cause a significant
disruption to or loss of key business activities over a prolonged period of time.
It follows that such events will have a high impact on and severe consequences for
the bank (William, 2009).

• What are the causes of Business Disruption?

The disruptions to business organizations may be due to:
- Damage to physical assets, such as losses arising from loss or damage to
physical assets from natural disasters or other events (examples of other events
include human losses from external sources such as terrorism and vandalism); and
- Business disruption and system failures, such as losses arising from disruption
of business or system failures (examples include losses due to hardware, software,
telecommunications or utility outages/disruptions). (Lloyd's Risk Management
Toolkit)




• Examples of Disruptive Events/crisis situations

• Natural disasters such as earthquakes, hurricanes, rain/flooding and lightning.
• Industrial events such as fires, explosions, spills and contamination.
• Supplier failures such as component provider disruptions and electricity utilities.
• Other catastrophes such as airplane crashes.
• Medical events such as epidemics, pandemics or other health risks.
• Labour disruption, including strikes, transportation disruption and civil unrest.
• Economic or political instability, including terrorist bombings and war.
• Human factors such as employee errors, criminal acts and fraud.
• IT risks such as cyber-terrorism, viruses, hacker attacks and denial-of-service
attacks.
• Production and manufacturing risks such as supplier disruptions, including
power, raw materials and critical services.
• Process automation system (IT systems) failures that stop operation.
(Everest, 2008)

How severe are they? Some disruptive events may be severe enough to result in an
inability to fulfil some or all of the bank's business obligations. Incidents that
damage or render inaccessible the bank's facilities, telecommunication or
information technology infrastructure, or a pandemic event that affects human
resources, can result in significant financial losses to the bank, as well as broader
disruptions to the financial system (Basel Committee on Banking Supervision,
2011).

Responses to Business Disruption: By its nature, a business organization operates
in a dynamic environment full of uncertainties, some of which are difficult to
forecast in terms of their likelihood of occurrence; disruptions to business therefore
seem inevitable. Thus, BCM focuses on the consequences of an outage and the
steps necessary to contain or minimise the negative consequences when an outage
actually occurs. It is not concerned with the likelihood of occurrence, as matters of
likelihood should already have been addressed as part of the risk management
process. Preventative controls should already have been established to reduce the
likelihood and consequences of the risk event to levels that are acceptable to
management. Thus, to ensure resiliency, timely responses and management
actions are required. Management may have different approaches to responding to
and managing crises. Regardless of the approach, the key elements that can
usually be distinguished, and that collectively make up a BCM response plan, are:

Emergency Response: The initial response to a disruption, which involves the
protection of people and property from immediate harm. An initial reaction by the
Crisis Management team will form part of the bank's first response.
Continuity Response: Processes, controls and resources are made available
immediately following an interruption to ensure that the bank continues to deliver
its critical business services.
Recovery Response: Processes, resources and capabilities of the bank are
re-established to return the bank to normal operations. This will often include the
introduction of significant organizational improvements, even to the extent of
re-focusing strategic or business objectives.

4.2 Objectives of BCM


According to some of the literature reviewed for this purpose (Don Williams, 2009;
SBA, 2007; Vima, 2012) and other banks' practical experience, Business Continuity
Management is generally aimed at making the bank more resilient to potential
threats and allowing it to resume or continue operations under adverse or
abnormal conditions. The specific objectives are to:

• Assist the Bank in the development and implementation of a BCM program;
• Serve as both a guide for BCM program development, implementation and
maintenance and as a tool for conducting audits of an existing program;
• Audit a program to identify program gaps or deficiencies so they may be
corrected before an event occurs;
• Provide a consistent framework for the functions and assist the bank in
benchmarking its program against accepted and proven practices.

4.3 Importance of Business Continuity Management


Business strategies and decisions are based on the assumption that the business
will continue; resilience comes from tackling the likelihood as well as the
consequences of disruptive events. An event that violates this assumption is a
significant occurrence in the life of any entity, impinging directly on its ability to
fulfil its business objectives and on its reputation. Therefore, it is important to have
both effective ORM and business continuity planning frameworks in place.
According to Ian Storkey (2011), maintaining a sound BCM provides the following
benefits:
• Assists in preventing, preparing for, responding to, managing, and recovering
from the impacts of an incident or disruptive event;
• Performs a business impact analysis and develops mitigation strategies which
will ensure the continuity of the bank's business, operations and technology
components in the event the existing environment is unavailable;
• Develops and maintains a comprehensive business continuity and disaster
recovery plan (BCP/DRP) to ensure that essential/critical activities are
recoverable;
• Deals with actual events, i.e. a risk event which has occurred, and the action
required to respond to the event;
• Complements the overall ORM process, which deals foremost with the possibility
of occurrence of risk events, and the analysis and proactive management of such
events;
• Provides plans for crucial business lines, on the basis of which operations can
be continued despite possible disruptions.




4.4. Link with Risk Management


How do you relate BCM with risk management? Business continuity is an
element within the wider context of Risk Management. Risk Management is the
practice of systematically identifying, understanding and managing the risks
encountered by a bank. Ian McPhee (2009) stated that better-practice entities are
able to demonstrate a direct link between the bank's risk management and
business continuity management processes and activities. One way to do this is to
share (or co-create) entity information that is necessary for both risk management
and business continuity management. For example, a risk assessment for each core
business function and IT service, identifying the assets, threats, vulnerabilities and
controls in place for each activity, would assist in analyzing the entity and its
context from a business continuity perspective. Disruption scenarios to which the
entity may be vulnerable, including the effect of interdependencies with third
parties/suppliers, are another valuable piece of information. Risk Management – the
identification, analysis and evaluation of risks – is the important early step in
understanding the risks and scoping the need for BCPs.
The interface between RM and BCM is illustrated in the following figure (ICWA,
2009).

Figure 4.1: Relationship between RM and BCM




4.5. Basic Requirements of BCM

The Basel Committee on Banking Supervision (2011) stated that to provide
resiliency against business continuity risk, a bank should establish business
continuity plans commensurate with the nature, size and complexity of its
operations. Different authors describe the phases/processes/components of BCM
in different ways. For convenience, this training material draws on the literature
(Williams, 2009; Everest, 2008; DRII, 2012; Ian McPhee, 2009; and SBA, 2007) in
describing the phases of BCM. Accordingly, effective BCM should incorporate
Program Management, Risk and Business Impact Analysis, Identify Response
Options, Develop Response Plans, Awareness and Training Programs, and Exercise,
Audit and Maintenance.

Steps of BCM: Step 1: Program Management; Step 2: Risk and Business Impact
Analysis; Step 3: Identify Response Options; Step 4: Develop Response Plans;
Step 5: Awareness and Training Programs; Step 6: Exercise, Audit and Maintenance.

Figure 4.2: Business Continuity Management Process

Step 1: Program Management

Management support is critical to the success of BC at every organization, and
management must therefore display visible support for BCM and the emergency
management program (Everest, 2008). William (2009) also stated that BCM should
be an integral part of the bank's Risk Management programme. As with Risk
Management, effective implementation is dependent upon leadership commitment
and demonstrated support. This step is concerned with demonstrating executive
leadership through the development and communication of a BCM policy, the
assignment of specific roles and responsibilities, and the development of a
programme schedule for how the BCM is to be implemented.

Step 2: Risk and Business Impact Analysis

When preparing for a Business Impact Analysis, it is important that Management
has a clear understanding of (William, 2009):

• The activities of the bank;
• The Critical Success Factors for each of the business activities;
• An assessment of the risk associated with each of the business activities; and
• The treatments for unacceptable risks.

Risk treatment involves identifying a range of options to reduce the consequences
and/or likelihood of an unacceptable risk. Amongst all the options, BCP is
specifically a treatment for risks that could potentially interrupt business operations
and cause unacceptable consequences to the bank (William, 2009).
Approach to Business Impact Analysis
The BIA is an essential starting point for developing the BCP as it establishes the
business requirements for the plan. The subsequent two steps in the BCM process,
Identify Response Options and Develop Response Plans, are driven by the outcomes
of the BIA. Get the BIA wrong and the chances are that the plan that is eventually
developed will not fully cater to the business continuity requirements of the bank.
The key tasks in carrying out the Business Impact Analysis are (William, 2009):
Preparation and Set-up - The BIA template is used to capture impact information
for each activity assessed along two dimensions: severity (from 1, insignificant
impact, through to 5, catastrophic impact) and duration of outage (1 day, 3 days,
5 days and 10 days).
Identify Business Activities - The functional organizational chart can also be
reviewed to identify general areas of operational responsibility and the activities
that go along with these responsibilities.
Assess Business Impact and Determine Priorities - The aim of the analysis is to
determine the Maximum Acceptable Outage (MAO) of each activity, i.e. how long
an activity can be disrupted before the consequences become unacceptable to the
bank.
Identify Business Continuity Requirements (Resource Requirements) - Once
the business impact profile has been endorsed by the Executive, the next task is to
define the minimum resource requirements for business continuity. This involves
identifying broad strategies, key dependencies and resources (people, IT systems
and networks, premises and facilities, and data backup and offsite storage) needed
to support the resumption of critical business activities within the required MAO
timeframes.
Step 3: Identify Response Options

At the end of Step 2 you will have identified: (a) the list of critical business
activities, (b) the timeframe within which each of these critical business activities
must be resumed following a disaster (i.e. the maximum acceptable outage (MAO)),
and (c) the resources that must be made available to support the resumption of
these critical activities. This output is now used in Step 3 to formulate a set of
response options that will meet the requirements for business continuity (William,
2009).
The key resources required to support business recovery encompass people,
equipment, data, premises, services and supplies. In identifying response options,
it is important to consider the quantity and timeframes within which these
resources must be made available before, during and after an incident. There are
four broad categories of response options (William, 2009):
Temporarily suspending the activity- Activities that are non-essential or are not
required to be performed immediately following an incident may be suspended
temporarily. At some point, these activities will nonetheless need to be resumed,
but suspending them in the short term will allow you to free up resources for more
critical tasks.
Transferring the activity- Where the same activities are performed in different
locations (such as regional offices), the work at an affected location may be passed
over to the other non-affected locations.




Working from home- This response option would be viable for activities that have
little or no dependency on the infrastructure of a normal office environment, and
where face-to-face interactions with others are not essential.
Relocating to an alternate (backup) site- An alternate or backup site is a
facility that is appropriately equipped with the resources needed to support the
resumption of critical services in the event the primary location is impacted by a
disaster. According to William (2009), the following need to be taken into account
when considering response options:
People- How does the bank minimize the risk of loss of key personnel?
IT systems and networks- What is the Bank's current IT disaster recovery
capability? Does the Bank have an up-to-date and workable IT disaster recovery
plan?
Premises and facilities- What are the most practical and cost-effective ways to
provide for premises and facilities?
Data backup and off-site storage- What data is required for business continuity
and how quickly does it have to be made available?
Evaluate Response Options
When evaluating each of the response options, it is necessary to consider the
technical, operational and financial viability of each. Technical viability refers to
whether the option is able to fulfil the business continuity specifications and
requirements of the critical activities, i.e. can the option meet the timeframe
within which the activity must be resumed? Operational viability refers to
whether the option can realistically be implemented. For example, working from
home may be technically feasible for someone performing an accounting activity,
but may be operationally prevented by compliance requirements. Financial
viability refers to the cost to implement the option. Based on the evaluation, a
recommendation should be presented to the Executive for approval (William,
2009).
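The two mechanical parts of Steps 2 and 3, deriving each activity's MAO from the severity-by-duration grid of the BIA template and then screening candidate response options against the technical, operational and financial viability tests, can be scripted so that the same rule is applied to every activity and the result is auditable. The following is an added example written for this edition; it is not code from the manual or from any of the sources it cites. The activity names, severity scores, option recovery times, costs, the budget, and the assumption that a severity score of 4 or above is what management considers unacceptable are all constructed for illustration.

```python
"""Added example (not from the manual): derive the Maximum Acceptable
Outage (MAO) from a BIA severity-by-duration grid, rank activities by
recovery priority, and screen response options for technical,
operational and financial viability. All figures are constructed."""
from dataclasses import dataclass

DURATIONS = (1, 3, 5, 10)        # outage durations (days) in the BIA template
UNACCEPTABLE_SEVERITY = 4        # assumption: severity 4-5 is unacceptable


@dataclass(frozen=True)
class Activity:
    name: str
    severity: tuple              # one score (1-5) per entry in DURATIONS

    def __post_init__(self):
        if len(self.severity) != len(DURATIONS):
            raise ValueError(f"{self.name}: one severity score per duration needed")
        if any(not 1 <= s <= 5 for s in self.severity):
            raise ValueError(f"{self.name}: severity scores must be 1..5")
        # A longer outage cannot hurt less than a shorter one; a falling row
        # almost always means the template was filled in wrongly.
        if list(self.severity) != sorted(self.severity):
            raise ValueError(f"{self.name}: severity must not fall as outage grows")

    def mao_days(self) -> int:
        """Longest surveyed outage whose impact is still acceptable
        (0 if even a one-day outage is unacceptable)."""
        mao = 0
        for days, score in zip(DURATIONS, self.severity):
            if score >= UNACCEPTABLE_SEVERITY:
                break
            mao = days
        return mao

    def is_critical(self) -> bool:
        """Critical: becomes unacceptable somewhere inside the surveyed horizon."""
        return self.mao_days() < DURATIONS[-1]


def prioritise(activities):
    """Recovery order: shortest MAO first, then the most severe overall impact."""
    return sorted(activities, key=lambda a: (a.mao_days(), -sum(a.severity)))


@dataclass(frozen=True)
class ResponseOption:
    name: str
    recovery_days: float         # time to resume the activity with this option
    cost: float                  # one-off cost, in the bank's currency
    operationally_viable: bool   # e.g. not blocked by compliance requirements


def evaluate_options(activity, options, budget):
    """Step 3 tests: technical (meets the MAO), operational, financial
    (within budget). Returns the viable options, cheapest first."""
    mao = activity.mao_days()
    viable = [o for o in options
              if o.recovery_days <= mao       # technical viability
              and o.operationally_viable      # operational viability
              and o.cost <= budget]           # financial viability
    return sorted(viable, key=lambda o: o.cost)


# Constructed sample BIA grid: severity at 1, 3, 5 and 10 days of outage.
SAMPLE_ACTIVITIES = [
    Activity("Internal audit reporting", (1, 1, 2, 3)),
    Activity("Card authorisation switch", (3, 5, 5, 5)),
    Activity("Loan origination", (1, 2, 4, 5)),
    Activity("Branch teller services", (2, 4, 5, 5)),
]

# Constructed response options for the card authorisation switch.
SAMPLE_OPTIONS = [
    ResponseOption("Hot standby at alternate site", 0.25, 500_000, True),
    ResponseOption("Warm site rebuild", 2.0, 150_000, True),
    ResponseOption("Work from home", 0.5, 20_000, False),  # blocked by compliance
    ResponseOption("Transfer to regional data centre", 0.5, 80_000, True),
]


def recommend(activity_name="Card authorisation switch", budget=100_000):
    """Cheapest option that passes all three tests, or None if nothing does."""
    activity = next(a for a in SAMPLE_ACTIVITIES if a.name == activity_name)
    viable = evaluate_options(activity, SAMPLE_OPTIONS, budget)
    return viable[0].name if viable else None


if __name__ == "__main__":
    for a in prioritise(SAMPLE_ACTIVITIES):
        flag = "CRITICAL" if a.is_critical() else "non-critical"
        print(f"{a.name:32s} MAO = {a.mao_days():2d} day(s)  {flag}")
    print("Recommended option:", recommend())
```

With the sample grid the card authorisation switch and branch teller services both get an MAO of one day, loan origination three days, and internal audit reporting never becomes unacceptable within the surveyed horizon. For the switch, the hot standby is technically and operationally viable but fails the budget, the warm site rebuild misses the MAO, and working from home meets the timeframe but is ruled out operationally, so the transfer to the regional data centre is the option that survives all three tests. The validation in Activity rejects a grid whose severity falls as the outage lengthens, which is the most common way a BIA template gets filled in wrongly.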
Step 4: Develop Response Plans

Having identified and selected the response options in Step 3, this step involves
putting together the action-level processes and procedures necessary for the
execution of these response options when an incident occurs. These include the
bank's Emergency response, Continuity response and Recovery response. This is
also the step where the roles and responsibilities of the crisis management and
business continuity teams are specified and individuals are assigned to these teams
(William, 2009).

i. BCM Plan Overview


Typically the information presented would include an overview of the BCM process,
BIA findings, business continuity strategies and requirements, response options
considered, and testing, training and maintenance protocols (William, 2009).
ii. Emergency Response
(a) Emergency Response Plan
An Emergency Response Plan is designed to be invoked immediately following a
critical incident for the protection of people and assets. Typically, the plan would
cover:
• instructions on actions to be taken by staff during an emergency such as a
bomb threat, fire, explosion or flooding;
• instructions on how to evacuate the building, the location of muster points and
the process for accounting for staff;
• names of floor wardens, and their roles and responsibilities; and
• emergency contact numbers that staff should call to report an incident.

(b) Crisis Management Plan


A Crisis Management Plan sets out the principles to be followed should any incident
cause, or threaten to cause, serious business impact on the bank. The plan
provides a process that facilitates organised decision making on critical issues to
cope with any serious incidents that might otherwise be quite chaotic.
(c) Continuity and Recovery Response (Teams Action Plans)
The Continuity and Recovery Response Plan (or Team Action Plan) is focused on
individual business continuity teams. It is designed to provide team level response
to maintain critical business activities following a major incident and to recover
from the incident in order to return to normal operations.

Continuity procedures operationalise the response options identified in Step 3 for
the resumption and continuity of critical business activities within the required
maximum acceptable outage (MAO). These procedures should encompass all
instructions necessary to guide staff on plan execution and provide answers to a
number of fundamental questions such as "Who do I call?", "Where do I go?",
"What needs to be done?", "When do I have to do it?" and "What resources do I
need?"

Recovery procedures are directed towards restoring full operational capability and
returning to business-as-usual after the crisis is over. The principal purpose of
recovery response is the staged return to a level of normal (pre-disruption)
capability and performance. Depending on the nature of the incident, recovery
response may be completed quickly if there has not been any damage to physical
infrastructure (for example, staff may return to the office to resume normal
operations immediately after the "all clear" has been given following a bomb threat)
or may run into weeks or even months after a major catastrophe (as experienced
by some firms after 9/11, which took over 6 to 9 months to fully recover).

Step 5: Awareness and Training Programs

Steps 5 and 6 bring the planning process to a logical conclusion and also set up a
process to ensure that the plan continues to be relevant to the bank on an on-going
basis. This involves (a) training the staff on how and when the plan is to be used,
(b) exercising or rehearsing the plan to ensure that staff are indeed able to execute
it, and (c) putting in place a maintenance process to keep the plan current and
relevant.
Raising Awareness and Training Program
To ensure that BCM capability continues to reflect the nature, scale and complexity
of the bank it supports, it must be understood by all staff and stakeholders. The
primary objective of training is to ensure that the importance of BCM is understood
by all staff in the bank and they are aware of their roles and responsibilities during
an emergency or crisis situation. Training may be pitched at different levels of the
organization, depending on what the needs and objectives are (William, 2009).
According to Ian McPhee (2009), an ongoing education and information program
for staff can raise and maintain awareness of business continuity management and
why it is important to the entity. Staff particularly need to be aware of the crucial
role they play in maintaining the delivery of products and services, and that BCM
has the ongoing support of the executive.
Typically, training and awareness raising take the following forms (William, 2009):
• General staff awareness training – delivered to all staff and may be incorporated
into the induction programme for new hires. This may cover topics such as (a) an
overview of what BCM is, (b) why BCM is important to the organisation, (c) what
the staff's role is in an emergency, (d) what staff should do if the BCM plan is
invoked, and (e) what the emergency contact numbers are.
• BCM Coordinators training – delivered to staff with specific BCM responsibilities
within their own departments. The aim is to improve the BCM skills of the
coordinators as well as to help build ownership of the BCM process within the
departments. Key topics may include (a) BCM concepts, processes, corporate
recovery policies and objectives, (b) how to complete/update risk/impact
assessments, (c) how to document recovery plans, and (d) how to test the
plans.
• Senior management training – delivered to senior managers of the Bank with
the aim of providing a strategic view of how the BCM programme is linked to the
bank's mission and objectives. Such training is also a good vehicle for getting
senior-level buy-in and support for the BCM programme.

Step 6: Exercise, Audit and Maintenance

The goal of this practice is to establish an exercise, testing, maintenance and audit
program. To continue to be effective, a BCM Program must implement a regular
exercise schedule to establish confidence in a predictable and repeatable
performance of recovery activities throughout the organization. As part of the
change management program, the tracking and documentation of these activities
provides an evaluation of the on-going state of readiness and allows for continuous
improvement of recovery capabilities and ensures that plans remain current and
relevant. Establishing an audit process will validate the plans are complete,
accurate and in compliance with organizational goals and industry standards as
appropriate (DRII, 2012). The list of activities includes (DRII, 2012):


• Establish an exercise/testing program.
• Establish a plan maintenance program.
• Identify or establish appropriate industry and/or organizational standards.
• Establish a business continuity program audit process.
• Communicate exercise/test/audit results and recommendations.


Annex 1: ORA Reporting Template

1. INTRODUCTION
1.1. Background
[Here, Processes/RAUs are required to provide information on issues that are considered
essential to understanding the very purpose of the Report. Among others, such information
shall include process-level objectives and related operational risks, lessons drawn from the
previous ORA and how they are incorporated in the current assessment, the level of
attention given in terms of the resources and time allocated for this assessment, a brief
overview of the assessment process, etc.]

[Information on the total number of staff (both managerial and non-managerial), the
nature (and size) of the customers (internal and external) and/or stakeholders that the
Process deals with, and the nature (and size) of the available infrastructure (technology
and systems) under the direct use of the Process/RAU, etc., are valuable points to note]

[Major resources (including data and information) which are directly owned and managed
by the Process/RAU shall also be discussed, here]

1.2. Objectives of the ORA

[The process/RAU shall include the specific objectives of the assessment. The objectives
shall be in conformity with factors such as the scope and limitations of the ORA process]

1.3. Scope of the Assessment


[A detailed description of the process(es), product(s) and system(s) on which this
assessment was performed shall be listed here. Furthermore, the processes/RAUs shall
state the sub-units/branches/sub-processes which have been considered for this assessment]

1.4. Limitation of the Assessment

[The limitations of the assessment, as related to issues such as scope, data source and
type, assessment techniques, skill and knowledge of the ORA process, engagement level
of all relevant staff, resources and time allocated to the process, attention and emphasis
given to the process, etc., shall be described without any reservations.]

2. DATA/INFORMATION AND TECHNIQUES OF THE ORA

2.1. Source of the Data/Information

[Here, the data/information employed for this assessment purpose shall be described in
detail along with their respective sources, which can be internal as well as external]

2.2. Risk Identification Techniques Employed


[Here, processes/RAUs shall clearly state the risk identification techniques that they
employed while conducting their respective ORA. The explanation shall include the names
of the selected risk identification techniques, the reasons why the Process/RAU opted to
use those techniques, and the areas/products/processes/systems to which the selected
techniques were applied, etc.]


3. RISK EVENT DESCRIPTION AND CATEGORIZATION
3.1. Description of the Identified Risk Events

[The description shall be detailed enough to show the nature, source and timing of the risk
events. While describing risk events, the process/RAU shall assign a unique ID to each
identified risk event. The ID shall include the name of the process, the event number and
the year of its identification. Definitions of the remaining particulars (columns) of the table
are found in the ORMG. If a particular (column) for describing a given event is found to be
inapplicable, the column shall be marked as N.A.] The description of an event is illustrated
in the following table.

Table 3.1. Description of the Identified risk events

Risk Event ID | Risk Event | Asset/resource affected | Threat Agent | Threat Type | Vulnerability | Timing | Consequences

3.2. Event Categorization


[Following proper description of the identified risk, the identified risk events shall be
categorized under one of the 9 categories provided in the ORMG. The categories are defined
in the ORMG. If there is difficulty in assigning the identified risk events, remark shall be
given to such events. In a situation where a given event is attributable to more than one
category, the most appropriate one shall be selected. The following table shall be used for
this purpose.]


Table 3.2. Risk Event Categorization

Risk Event ID | Risk Event | Risk Category | Remark

4. Operational Risk Assessment


4.1. Control Analysis

[The ORA shall start with analysis of the internal control system on the identified risk event.
In particular, the evaluation of the effectiveness of the internal control activities with
respect to the identified risk event shall be rated against the rating scale provided in the
ORMG. The result of the control analysis shall be summarized using the following table.]

Table 4.1. Control Analysis

Risk Event I.D. | Risk Event | Rating of the Existing Control | Justification

4.2. Likelihood analysis


[The likelihood assessment of the identified risk events shall be conducted
following due assessment of the existing controls. The likelihood rating shall be in
line with the scale and the corresponding definitions provided in the ORMG.
Processes/RAUs are required to include their justification when assigning their
ratings. The result of the likelihood assessment shall be summarized as per the
following format.]


Table 4.2. Results of the likelihood assessment

Risk Event ID | Risk Event | Likelihood Rating (Score) | Justification (for the Rating)

4.3. Impact Analysis


[The impact rating shall be in line with the scale and the corresponding definitions
provided in the ORMG. Processes/RAUs are required to include their justification
when assigning their ratings. The result of the impact assessment shall be
summarized as per the following format. The extent of loss/impact is an estimate.]

Table 4.3. Results of Impact Analysis

Risk Event ID | Risk Event | Extent of Loss/impact (Birr) | Impact Rating (Score) | Justification (for the Rating)


4.4. Risk Level Determination

[The risk level of an identified risk event is determined by multiplying its likelihood
rating by its impact rating. The result can be presented as per the following format]

Table 4.4. Risk level Determination

Risk Event ID | Risk Event | Likelihood Rating | Impact Rating | Risk Level

5. Risk Response

[The risk response shall be selected in line with the direction given in the ORMG. A risk response plan shall be drawn up for every identified risk event, including the blue ones. For risk events that demand the attention of multiple processes, risk owners shall be assigned in consultation with the RCMP. The duration of the selected response action shall be set reasonably, in consultation with the (properly assigned) owner of the risk event. The risk response action plan shall be presented in the following format.]

Table 5.1. Risk Response Action Plan

Risk Event ID | Risk Event | Risk Response Plan | Risk Owner | Duration of the Plan
6. Summary of risk assessment

[The summary describes the whole process on one sheet. The following table shall be used for this purpose.]

Risk Event ID | Risk Event | Risk Category | Likelihood | Impact | Score | Response | Duration | Owner
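Worked example (added by the editor; it is not part of the manual or of the ORMG). The Python below runs a small, constructed risk register through the steps of sections 4.1 to 6: it records the control rating, the likelihood and impact ratings and the estimated loss in Birr for each event, computes the risk level as likelihood x impact (section 4.4), checks that every event has a response plan, an owner and a duration (section 5), builds the section 6 summary sheet ordered by risk level, and places the events on a likelihood/impact grid of the kind the glossary calls a risk matrix. Because the rating scales and colour bands are defined in the ORMG and not on this page, the 1 to 5 scale, the band boundaries and the use of "blue" for the lowest band are assumptions, and the event descriptions, ratings and loss figures are made up for illustration.

```python
"""Added worked example, not part of the manual: scoring an ORA risk register
through sections 4.1 to 6 and producing the summary sheet.

Assumptions (the ORMG scales are not reproduced on the page): likelihood and
impact are integers 1..5; risk level = likelihood x impact (section 4.4);
scores are banded into illustrative priority colours, with "blue" the lowest
band because section 5 says even blue events need a response plan.
"""
from dataclasses import dataclass

SCALE = range(1, 6)  # assumed 1..5 rating scale for likelihood and impact

# Assumed bands over the 1..25 score range as (floor, colour); illustrative.
BANDS = ((15, "red"), (8, "amber"), (4, "yellow"), (1, "blue"))


@dataclass
class RiskEvent:
    event_id: str
    description: str
    category: str
    control_rating: int        # 4.1: existing control, rated on the ORMG scale
    likelihood: int            # 4.2: rated after assessing the control
    impact: int                # 4.3: impact rating (score)
    loss_estimate_birr: float  # 4.3: extent of loss/impact, an estimate
    response: str = ""         # 5: risk response plan
    owner: str = ""            # 5: risk owner
    duration_days: int = 0     # 5: duration of the plan

    @property
    def risk_level(self) -> int:
        """4.4: risk level = likelihood rating x impact rating."""
        return self.likelihood * self.impact


def band(score: int) -> str:
    """Map a risk level to its (assumed) priority colour."""
    for floor, colour in BANDS:
        if score >= floor:
            return colour
    raise ValueError(f"score {score} is below the scale")


def validate(ev: RiskEvent) -> list[str]:
    """Annex 2 analysis-phase checks that the event would fail."""
    problems = []
    if ev.likelihood not in SCALE:
        problems.append("likelihood rating outside the scale")
    if ev.impact not in SCALE:
        problems.append("impact rating outside the scale")
    if not ev.response:
        problems.append("no response plan (required even for blue events)")
    if not ev.owner:
        problems.append("no risk owner assigned")
    if ev.duration_days <= 0:
        problems.append("no duration set for the response action")
    return problems


def summary_sheet(register: list[RiskEvent]) -> list[dict]:
    """Section 6 summary sheet, one row per event, highest risk level first."""
    ordered = sorted(register, key=lambda e: (-e.risk_level, e.event_id))
    return [
        {"id": e.event_id, "event": e.description, "category": e.category,
         "likelihood": e.likelihood, "impact": e.impact,
         "score": e.risk_level, "band": band(e.risk_level),
         "response": e.response, "duration": e.duration_days, "owner": e.owner}
        for e in ordered
    ]


def risk_matrix(register: list[RiskEvent]) -> dict:
    """Glossary 'risk matrix/risk map': event IDs on a likelihood x impact
    grid, so the high-likelihood/high-impact corner stands out."""
    grid = {(lk, im): [] for lk in SCALE for im in SCALE}
    for e in register:
        grid[(e.likelihood, e.impact)].append(e.event_id)
    return grid


# Constructed sample register; illustrative values, not any bank's data.
REGISTER = [
    RiskEvent("OR-01", "Cash shortage from manual end-of-day reconciliation",
              "People/process", 3, 4, 2, 15_000, "Automate reconciliation",
              "Branch Operations", 90),
    RiskEvent("OR-02", "Core banking access via shared teller credentials",
              "Systems", 2, 3, 5, 2_000_000, "Individual accounts and MFA",
              "IT Security", 120),
    RiskEvent("OR-03", "Branch power failure interrupting service",
              "External events", 4, 2, 2, 40_000, "Generator maintenance",
              "Facilities", 30),
    RiskEvent("OR-04", "Loan file misplaced in archive", "Process",
              3, 1, 1, 2_000),  # blue event with no plan, owner or duration yet
]

if __name__ == "__main__":
    for row in summary_sheet(REGISTER):
        print(row)
    for ev in REGISTER:
        for problem in validate(ev):
            print(f"{ev.event_id}: {problem}")
    grid = risk_matrix(REGISTER)
    for lk in reversed(SCALE):  # likelihood down the side, impact across
        print(lk, [grid[(lk, im)] for im in SCALE])
```

Run the file directly to print the summary sheet, the checklist problems for each event, and the grid. An event that fails validate() is one for which the Annex 2 checklist would show the corresponding analysis step as "Not Performed"; OR-04 is deliberately left incomplete to show that the lowest-band event still needs a plan, an owner and a duration before the ORA report is submitted.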
Annex 2: Checklist of Important Steps of the ORA Process

Checklist columns: Sr. no | Description of activities | Duration (Start / End) | Responsible Organ | Status (Performed / Not Performed) | Comment

The Pre-assessment Phase
1. Preparing the plan:
   - scope;
   - resource; and
   - time.
2. Communicating the plan (to the process owner, manager and all relevant staff).
3. Collecting the necessary data/information:
   - internal; and
   - external.

Risk Identification Phase
1. Process mapping.
2. Conducting workshops.
3. Conducting self-assessment:
   - preparing questionnaires;
   - distributing questionnaires;
   - compiling results.

Risk Analysis and Report Preparation Phase
1. Describing risk events.
2. Categorizing risk events.
3. Performing control analysis.
4. Performing likelihood analysis.
5. Performing impact analysis.
6. Determining risk level.
7. Assigning risk owners.
8. Preparing risk response action plans.
9. Setting the duration for the risk response action.
10. Preparing the summary of the risk assessment.
11. Submitting the ORA report.

OR Database Establishment & Risk Monitoring Phase
1. Establishing the OR database.
2. Monitoring the implementation of the response plan.
3. Updating the OR database.
4. Periodic reporting to the RCMP.
Annex 3: Glossary
- Business and strategic risk: the risk that a bank would have to modify its line of behavior and activity in order to cope with changes in the economic and financial environment in which it operates.
- Business continuity: a state of continued, uninterrupted operation of a business.
- Business continuity management: a whole-of-business approach that includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption.
- Business continuity plan: a comprehensive written plan of action that sets out the procedures and systems necessary to continue or restore the operation of an organization in the event of a disruption.
- Compliance risk: the risk of legal or regulatory sanctions, financial loss, or loss to reputation a bank may suffer as a result of its failure to comply with all applicable laws, regulations, codes of conduct and standards of good practice (together "laws, rules and standards").
- Credit risk: the potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms.
- Control: a preventive and/or detective activity intended to manage the inherent risks identified within the business.
- Control analysis/rating: a score achieved through the risk and control self-assessment (RCSA) process that provides an indication of how the current control effectiveness is perceived.
- Crisis management (incident management): the governance arrangements and processes that enable an organization to protect reputation, value and order, manage media and stakeholders, and properly disseminate timely and accurate information.
- Culture: the set of shared attitudes, values, goals, and practices that characterize how the bank considers risk in its daily activities.
- Current risk: the actual risk today, i.e., inherent risk with current risk responses applied.
- Direct losses: losses that directly arise from the associated events.
- Emergency Response (ER): the protection of people, assets and/or the environment following a disaster or emergency (for example a fire or bomb threat).
- Environment: the surroundings that set the tone and behavior of the bank, including culture and external factors.
- Environmental risks: all types of exogenous risks that, if they were to materialize, could jeopardize the bank's operations or undermine its ability to continue in business.
- Event: an occurrence or change of a particular set of circumstances, or "an accident or occurrence, from sources internal or external to an entity, that affects achievement of objectives". An event can:
  - be one or more occurrences and have several causes;
  - consist of something not happening;
  - sometimes be referred to as an "incident" or "accident";
  - when it has no consequences, also be referred to as a "near miss", "incident", "near hit" or "close call".
- Expected losses: generally those that occur on a regular (such as every day) basis, such as minor employee errors and minor credit card fraud.
- External sources of risks: man-made incidents such as external fraud, theft, computer hacking and terrorist activities, and natural disasters such as damage to physical assets due to floods and fires.
- Frequency: the number of times in a given period, usually a year, that an event is likely to occur.
- Foreign exchange risk: the risk that emanates from changes in exchange rates between a bank's domestic currency and other currencies.
- General legal risk: the risk that a bank would have to modify its activities due to changes in the country's legal system or law enforcement.
- Impact: the effect that the risk would have on the organization's ability to successfully achieve its objectives if the risk occurred.
- Indirect losses: generally opportunity costs and the losses associated with the cost of fixing an operational risk problem, such as near-miss losses.
- Infrastructure: the tools used to facilitate the entire risk management process, including systems, data and methodologies as well as policies and procedures.
- Inherent risk: the risk in a business or process before the effect of any risk mitigation, control or transfer activities.
- Internal sources of risk: most of the losses caused by human, process and technology failures, such as those due to human errors, internal fraud, unauthorized trading, injuries, and business delays due to computer failures or telecommunication problems.
- IT Disaster Recovery (Disaster Recovery or DR): the recovery arrangements for IT, data availability and protection.
- KRIs: metrics capable of showing that a bank is subject to, or has a high probability of being subject to, a risk that exceeds the defined risk appetite.
- Limit: the absolute maximum level of exposure that is acceptable for a particular risk.
- Liquidity risk: the risk that a bank will not be able to meet its current and future cash flow and collateral needs, both expected and unexpected, without materially affecting its daily operations or overall financial condition.
- Loss data: describes actual loss events that have occurred either internally or externally to the bank.
- Market risk: the risk that the value of on- and off-balance-sheet positions of a bank will be adversely affected by movements in market rates or prices, such as interest rates, foreign exchange rates, equity and commodity prices, resulting in a loss to earnings and capital.
- Operational risk: the risk of loss resulting from inadequate or failed internal processes, people or systems, or from external events.
- Political risk: the risk of an adverse impact on the bank's activities due to changes in country and/or regional political or economic pressures, such as monetary controls.
- Process map: the major steps in any process, usually portrayed as a flow chart and depicting the inputs and outputs for each step in the process. Key controls may be depicted as process steps.
- Recovery: the rebuilding of specific business operations following a disruption to a level sufficient to meet outstanding business obligations.
- Recovery level: the target level of service that will be provided in respect of a specific business operation after a disruption.
- Recovery time: the target duration of time to recover a specific business operation.
- Reputational risk: the potential that negative publicity regarding the bank's business practices, whether true or not, will cause a decline in the customer base, costly litigation, or revenue reductions.
- Residual risk: the potential impact and likelihood of an identified risk exposure, considering the effect of the existing (but excluding planned) controls.
- Resilience: the ability of a financial industry participant, financial authority or financial system to absorb the impact of a major operational disruption and continue to maintain critical operations or services.
- Risk: exposure to adversity.
- Risk analysis: the actual estimation of the frequency and magnitude/impact of a risk scenario.
- Risk appetite: the attitude towards risk taking, and whether the bank is willing and able to tolerate either a high or a low level of exposure to specific risks or risk groups.
- Risk assessment: the overall process of risk identification, risk analysis and risk evaluation.
- Risk category (or risk group/risk sub-group): risks identified can be grouped in order to facilitate monitoring and reporting.
- Risk description (or definition): a detailed articulation of a risk, designed to give a clearer understanding of the risk.
- Risk factors: those factors that influence the frequency and/or business impact of risk scenarios.
- Risk identification: the process of finding, recognizing and describing risks.
- Risk management capability
- Risk management process: the systematic application of management policies, procedures and practices to the activities of communicating, consulting, establishing the context, and identifying, analyzing, evaluating, treating, monitoring and reviewing risk.
- Risk matrix/risk map: the visual representation of risk (identified through a risk assessment exercise) in a way that allows priority ranking. It often takes the form of a two-dimensional grid with frequency (or likelihood of occurrence) on one axis and severity (or degree of impact) on the other; the risks that fall in the high-frequency/high-severity quadrant are given priority risk management attention.
- Risk profile: a description of any set of risks.
- Risk response: an action, consciously taken by management, to counteract, in advance, the effects on the business of risk events materializing.
- Scenario: a sequence of possible events and the description of possible developments leading up to these events.
- Threshold: a level of exposure which, with appropriate approvals, can be exceeded, but which, when exceeded, will trigger some form of response.
- Traditional banking risks: balance sheet and income statement structure, credit, and solvency risks that can result in loss for a bank if they are not properly managed.
- Unexpected losses: losses that generally cannot be easily foreseen, such as terrorist attacks, natural disasters, and large-scale internal fraud.
