
OPERATIONAL RISK MANAGEMENT: NEED FOR ADEQUATE SYSTEMS AND CONTROLS

L.V.S. MOHAN
DGM/MOF

Introduction
Operational risk is one area that every organization faces.
The more complex the organization, the more exposed it is to operational risk.
Operational risk arises from deviations from the normal and planned functioning of systems, procedures and technology, and from human failures of omission and commission.
The results of such deviations are reflected in the revenues of the organization, either as additional expenses or as the loss of opportunities that would otherwise have been feasible.
It may also arise from inherent defects in systems, procedures and technology that adversely affect the revenues of an organization.

Introduction
Operational risk arises from literally all the activities undertaken, and consequently it is present everywhere in the organisation.
The impact of the various forms of operational risk varies in degree: some risks have more potential to cause damage while others have less, and some occur more frequently while others occur less frequently.
The operational risks in an organization change continuously, especially when the organization itself is undergoing change.

Definition of Operational Risk
The Basel Committee has defined operational risk as the risk of loss (direct loss) resulting from inadequate or failed internal processes, people and systems, or from external events. This definition excludes strategic and reputational risk but includes legal risk.
(Legal risk includes exposure to fines, penalties or punitive damages resulting from supervisory actions, as well as private settlements.)
Operational risk can result not only in losses (direct expenses) but can also impact service, revenues and competitive advantage (known as indirect losses).
For operational risk management, banks should assess operational risk on the basis of both direct and indirect losses.

Operational Risk Management
Management of operational risk means and includes the identification, assessment, monitoring, control and mitigation of this risk.

Likely forms of operational risk
Operational risk has the potential to crystallize into a specific event that could culminate in a loss.
Basel II and RBI have broadly categorised these into seven event types.
(i) Internal fraud: intentional misreporting of positions, employee theft.
(ii) External fraud: robbery, forgery, cheque kiting, and damage from computer hacking.
(iii) Clients, products and business practices: risk events associated with fiduciary breaches, misuse of confidential customer information, money laundering, and the sale of unauthorized products.

Likely forms of operational risk
(iv) Damage to physical assets: terrorism, vandalism, earthquakes, fires and floods.
(v) Business disruption and systems failures: hardware and software failures, telecommunication problems.
(vi) Execution, delivery and process management: incomplete legal documentation, unauthorised access given to client accounts, bad delivery by a counterparty, and vendor disputes.

Likely forms of operational risk
(vii) Employment practices and workplace safety: losses arising from acts inconsistent with employment, health or safety laws or agreements, from the payment of personal injury claims, or from diversity/discrimination events.

Likely forms of Operational Risk
ATM related
Failure of ATMs due to massive rains, inability to operate an ATM due to power failure, embezzlement, removal of an ATM by vandals, a security breach in an ATM, and wrongful use of stolen credit cards. All of these are examples of operational risk where there is a system or process failure.

Effects and causes
Causes: the underlying cause, or the control that failed and permitted a risk to be incurred. The four major cause categories of operational risk are:

Operational Risk - Cause Based
People-oriented causes: negligence, incompetence, insufficient training, integrity, key-man dependence.
Process risk:
Transaction risk: transaction guidelines, errors in the execution of transactions, documentation.
Operational control risk: violation of controls, money laundering, frauds etc.
Technology-oriented causes: poor technology and telecom, obsolete applications, lack of applications, information system complexity, poor design.
External causes: natural disasters, operational failures of a third party, deteriorated social or political context.

Effect based
Effects: the consequences or impact of the event. Effects are a combination of hard losses and indirect consequences such as reputation, service, regulatory exposure or business interruption.
Legal liability
Regulatory, compliance and taxation penalties
Loss of or damage to assets
Restitution
Loss of recourse
Write-downs

Why the significant increase in operational risks
De-regulation and globalization of financial services, coupled with the sophistication of financial technology and its associated complexities.
Highly automated technology has the potential to transform risks from manual processing errors into system failure risks, as reliance is placed on integrated systems.
The emergence of e-commerce, which brings with it potential risks such as internal and external fraud as well as systems security issues.

Why increase in operational risks
The emergence of banks as very large-volume service providers creates the need for continual maintenance of high-grade internal controls and backup systems.
Outsourcing: the increased growth and use of outsourcing arrangements, and participation in clearing and settlement systems, may be cost effective and expedite processes, but they also present significant other risks to banks.
Large-scale acquisitions, mergers and consolidations test the viability of new and newly integrated systems.

Structure of ORM
Each institution's risk profile is unique.
Each institution requires a risk management approach tailored to the scale and materiality of the risks present and to the size of the institution.
There is no single framework that would suit every institution.
Different approaches will be required for different institutions.
The techniques of ORM continue to evolve rapidly to keep pace with new technologies, business models and applications.
Operational risk is more a risk management issue than a measurement issue.

Management of operational risk
Role of Board of Directors
Be aware of the major aspects of the bank's operational risks as a distinct category that should be managed.
Provide senior management with clear guidance and direction.
Approve an appropriate operational risk management framework for the bank and review it periodically.
The definition of operational risk should articulate what constitutes operational risk in the bank, and it should cover the bank's appetite and tolerance for operational risk.

Role of Board of Directors
The framework should also articulate the key processes the bank needs to have in place to manage operational risk.
Be responsible for establishing a management structure capable of implementing the bank's operational risk management framework.
Establish clear lines of management responsibility, accountability and reporting, as strong internal controls are essential for operational risk management.

Role of Board of Directors
Ensure that the bank is managing operational risks arising from external market changes, and operational risks associated with new products, activities or systems.
Ensure that the bank has adequate internal audit coverage in place to make sure that policies and procedures have been implemented effectively.

Organisational Set-up
Board of Directors
Risk Management Committee of the Board
Operational Risk Management Committee
Operational Risk Management Department
Operational Risk Managers
Support Group for operational risk management

Operational Risk Management Committee
It is an executive committee.
Its principal objective is the mitigation of operational risk within the institution through the creation and maintenance of an explicit operational risk management process.
Its goals are to take a cross-business view and to ensure that a proper understanding is reached and that actions are being taken to meet the stated goals and objectives of operational risk management in the bank.
The committee meets quarterly, or more often when necessary.

Role of Operational Risk Management Committee (ORMC)
Review the risk profile, understand future changes and threats, and concur on the areas of highest priority and the related mitigation strategy.
Ensure that adequate resources are being assigned to mitigate risks as needed.
Communicate to business areas and staff the importance of operational risk management, and ensure adequate participation and cooperation.
Review and approve the development and implementation of operational risk methodologies and tools, including assessments, reporting, capital, and loss event databases.

Operational Risk Management Committee
Receive reports and presentations from the business lines and other areas about their risk profile and mitigation programs.
Monitor industry issues and incidents and evaluate their impact on the bank.

Operational Risk Management Department (ORMD)
ORMD is responsible for coordinating all the operational risk activities of the bank, working towards achievement of the stated goals and objectives. Specific activities include:
Risk profile: ORMD will work with all areas and assemble information to build an overall risk profile of the institution, understand and communicate these risks, and analyse changes and trends in the risk profile.

ORMD (contd)
Consolidation and reporting of data: ORMD will collect relevant information from all areas of the bank, build a consolidated view of operational risk, assemble summary management reports, and communicate the results to the risk committees or other interested parties. Key information will include risk indicators, event data, self-assessment results and related issues.
Analysis of data: ORMD is responsible for analysing the data on a consolidated basis, on an individual basis and on a comparative basis.

ORMD (contd)
Best practices: ORMD will identify best practices from within the bank or from external sources and share these practices with management and risk specialists across the bank.
Insurance: ORMD will determine optimal insurance limits and coverage to ensure that the insurance policies the bank purchases are cost beneficial and aligned with the operational profiles of the bank.

ORMD (contd)
Policies: ORMD will be responsible for drafting, presenting, updating and interpreting the operational risk policy and related policies and methodologies.
Self-assessment: ORMD will be responsible for facilitating periodic self-assessments for the purpose of identifying and monitoring operational risks.
Coordination with internal audit: ORMD and internal audit plan assessments together and discuss concerns about risks in the bank. They share information and coordinate activities so as to avoid overlap.

Risk Monitoring and control practices
It encompasses the following:
Collection of operational risk data (incident reporting framework).
A regular monitoring and feedback mechanism in place for detecting any deterioration in the operational risk profile.
Collation of incident reporting data to assess the frequency and probability of occurrence of operational events.
Monitoring and control of the management of large exposures; the modalities are to be prescribed in the loan policy document.
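As an added example, not part of the original presentation, the Python below shows what the incident reporting and collation steps above look like once the data is in a register: incidents are tagged with one of the seven Basel II event types named earlier in the deck, counted per type over a window, converted into a probability of at least one event in the next 30 days, and compared across two consecutive windows to flag a deteriorating profile. The incidents and loss amounts are constructed sample data, and the Poisson assumption used for the probability estimate is an assumption of this example, not something the slides prescribe.

```python
"""Incident register and frequency analysis for operational risk events.

Added example (not from the original slide deck). The seven event types are
those the slides attribute to Basel II / RBI; the incidents themselves are
constructed sample data, not real loss events.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from math import exp

EVENT_TYPES = (
    "Internal fraud",
    "External fraud",
    "Clients, products and business practices",
    "Damage to physical assets",
    "Business disruption and systems failures",
    "Execution, delivery and process management",
    "Employment practices and workplace safety",
)


@dataclass(frozen=True)
class Incident:
    when: date
    event_type: str
    direct_loss: float    # hard loss booked, e.g. cash stolen or written off
    indirect_loss: float  # estimated impact on service, revenue or recourse

    def __post_init__(self):
        # Reject records that do not use the agreed taxonomy, so counts stay comparable.
        if self.event_type not in EVENT_TYPES:
            raise ValueError(f"unknown event type: {self.event_type}")


# Constructed sample incidents (hypothetical amounts in the bank's currency).
INCIDENTS = [
    Incident(date(2023, 1, 15), "External fraud", 12000, 3000),  # card skimming at an ATM
    Incident(date(2023, 2, 10), "Business disruption and systems failures", 0, 25000),  # ATM down after power failure
    Incident(date(2023, 3, 5), "Execution, delivery and process management", 5000, 0),  # incomplete loan documentation
    Incident(date(2023, 4, 20), "External fraud", 8000, 2000),
    Incident(date(2023, 5, 2), "Internal fraud", 40000, 10000),  # employee embezzlement
    Incident(date(2023, 5, 18), "Business disruption and systems failures", 2000, 15000),
    Incident(date(2023, 6, 9), "External fraud", 15000, 5000),
    Incident(date(2023, 6, 22), "Business disruption and systems failures", 0, 30000),
]


def in_window(incidents, start, end):
    """Incidents dated within [start, end], inclusive."""
    return [i for i in incidents if start <= i.when <= end]


def frequency_by_type(incidents, start, end):
    """Number of incidents per event type in the window (zero for quiet types)."""
    counts = {t: 0 for t in EVENT_TYPES}
    for inc in in_window(incidents, start, end):
        counts[inc.event_type] += 1
    return counts


def loss_by_type(incidents, start, end):
    """Direct, indirect and total loss per event type in the window."""
    totals = {t: {"direct": 0.0, "indirect": 0.0, "total": 0.0} for t in EVENT_TYPES}
    for inc in in_window(incidents, start, end):
        row = totals[inc.event_type]
        row["direct"] += inc.direct_loss
        row["indirect"] += inc.indirect_loss
        row["total"] += inc.direct_loss + inc.indirect_loss
    return totals


def probability_of_at_least_one(count, start, end, horizon_days=30):
    """Probability of one or more events in the next horizon, assuming the
    observed rate holds and arrivals are Poisson (an assumption of this
    example, not a rule from the slides)."""
    observed_days = (end - start).days + 1
    rate = count * horizon_days / observed_days
    return 1.0 - exp(-rate)


def deteriorating_types(incidents, as_of, window_days=91):
    """Event types whose count in the most recent window exceeds the count in
    the window immediately before it: a simple trigger for the deterioration
    in the operational risk profile that the monitoring process must catch."""
    recent_start = as_of - timedelta(days=window_days - 1)
    prior_end = recent_start - timedelta(days=1)
    prior_start = prior_end - timedelta(days=window_days - 1)
    recent = frequency_by_type(incidents, recent_start, as_of)
    prior = frequency_by_type(incidents, prior_start, prior_end)
    return sorted(t for t in EVENT_TYPES if recent[t] > prior[t])


if __name__ == "__main__":
    start, end = date(2023, 1, 1), date(2023, 6, 30)
    for t, n in frequency_by_type(INCIDENTS, start, end).items():
        if n:
            p = probability_of_at_least_one(n, start, end)
            print(f"{t}: {n} events, P(>=1 in next 30 days) = {p:.2f}")
    print("deteriorating:", deteriorating_types(INCIDENTS, end))
```

Two design points carry over to a real register: the event-type check in `__post_init__` keeps the taxonomy closed so that business lines cannot quietly invent categories that never roll up into the consolidated view, and direct and indirect losses are stored separately because the deck asks for both to be assessed, while most reporting tools only total the booked loss.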

Examples of risk mitigation
Insurance: for losses that may arise from natural disasters or heists (robbery), and fidelity insurance for losses that may arise on account of the dishonesty of employees.
Backup facilities: to guard against losses that may arise from business disruptions and electrical or telecommunication failures.
Audit: to pre-empt losses that may arise from embezzlement by employees etc.

Requirements for effective controls / mitigation of operational risks
The board of directors should ensure that internal controls are in place, and also ensure legal and regulatory compliance by the bank. The effectiveness of the controls depends on the following:
Appropriate control structure
Defining control activities at every level
Systems of approval and authorisation
Systems of verification and reconciliation

Requirements of effective controls
Segregation of duties and personnel to forestall conflicting responsibilities and conflicts of interest.
Available data should be reliable, timely, accessible, and in a consistent format.
Data in electronic form should be secured, monitored independently, and supported by contingency plans.
Staff should be adequately trained to fully understand the policies and procedures relating to their duties and responsibilities.

Disaster Recovery Plans and Business continuity plans
In order to safeguard against contingencies like fire, floods, earthquakes or failure of systems, banks should have business continuity plans and disaster recovery plans.
The plans should be tested to ensure that they can be executed, taking into account the different types of plausible scenarios to which the bank may be vulnerable. The plans should take account of the bank's size and the complexity of its business.

Operational risk quantification
Three options are provided for the measurement of operational risk for the purpose of capital allocation:
The Basic Indicator Approach
The Standardized Approach
Advanced Measurement Approaches
While the first two are based on an income approach, the third is based on operational loss measurement.

Risk Indicators
Lack of supervision of lending/ investment by
designated officers
Lack of specific lending or treasury policies or failure to
enforce existing policies
Lack of code of conduct or failure to enforce the code
Lack of separation of duties
Lack of accountability
Lack of written policies or internal controls
Entering into transactions where the institution lacks
expertise
Excessive growth through low quality loans
Unwarranted concentration

Risk Indicators
Volatile sources of funding such as short-term deposits
Too much emphasis on earnings at the expense of safety and soundness
Compromising credit policies
High-rate, high-risk investments
Lack of documentation or poor documentation
Lack of adequate credit analysis.
Failure to properly analyse and verify financial data
The institution is a defendant in a number of lawsuits
alleging improper handling of transactions.

THANK YOU
