Operational Risk Management

Transcription

1 Operational Risk Management Speaker: Jay Ranade CRISC, CBCP,CISA,CISSP,CISM,ISSAP,CGEIT Director of Education Risk Management Professionals Intl. New York City, USA Phone

2 ORM, ITRM, BCRM Jay Ranade CISA, CISSP, CISM, CBCP, CGEIT, CRISC, ISSAP Risk Management Professionals Intl. New York City Cell

3 Instructor Introduction Jay, a certified CISA, CISM, CISSP, and CBCP, is an internationally renowned expert on computers, communications, disaster recovery, IT Security, and IT controls. He has written and published more than 35 IT-related books on various subjects ranging from networks, security, operating systems, languages, and systems. He also has an imprint with McGraw-Hill with more than 300 books called Jay Ranade Series. He has written and published articles for various computer magazines such as Byte, LAN Magazine, and Enterprise Systems Journal. The New York Times critically acclaimed his book called the Best of Byte. He is currently working on a number of books on various subjects such as IT Audit, IT Security, Business Continuity, and IT Risk Management. Jay has consulted and worked for Global and Fortune 500 companies in the US and abroad including American International Group, Time Life, Merrill Lynch, Dreyfus/Mellon Bank, Johnson and Johnson, Unisys, McGraw-Hill, Mobiltel Bulgaria, and Credit Suisse. He was a member of the ISACA International's Publications Committee( ). He also teaches graduate-level classes on Information Security Management and Ethical Risk Management at New York University. Jay is also adjunct professor at St John s University and teaches Accounting Information Systems, IT Auditing, Internal Auditing, and Operational Risk Management. Jay teaches ORM, ITRM, BC Planning in Bermuda almost every month from Basel III and Solvency II perspective. He is four times world champion in Arm Wrestling and two times world champion (2002 and 2003) in martial arts breaking. He has appeared on ESPN and ESPN2 numerous times. 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 3

4 What are we going to cover? ORM- summary of 1100 foils ITRM summary of 900 foils BCRM- summary of 540 foils FRM- summary of 630 foils Compressed to 60 minutes presentation 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 4

5 What is a RISK 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 5

6 Risk Areas in Financial Sector Chief Risk Officer (risk and compliance) Credit Risk Market Risk Operational Risk IT Risk People s risk Process Risk External Events 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 6

7 Value Delivery vs. Risk Management Corporate structure Value delivery people Risk management people Balance between two Proper corporate governance Reporting structure Who should RM report to? 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 7

8 SoD and Risk Management Principles of DOPESS for IT Data Operations Programming End user Security administrator System administrator 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 8

9 SoD and Risk Management Principles of CARRE for ORM Custody Authorization Record keeping Reconciliation Error correction 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 9

10 Some examples Barings Bank- February 23, 1995 Societe General 2008 UBS 2011 What failed in all of these mega scandals? SoD breach of R and A Excessive privileges 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 10

11 Jay s Definition of Risk Threats exploit vulnerabilities That s damages an asset That breaks business process(es) That s the risk You put controls in place to reduce that risk Till the residual risk is acceptable to the management 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 11

12 Types of Risks 93 types of risks Credit risk, market risk, liquidity risk, IT risk, sovereign risk, political risk, IT risk, project risk,. And by the way- Operational Risk What kind of risk created recent recession ( )? Do you think it was credit risk? 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 12

13 Operational Risks and other Financial Risks Liquidity risk Group risk Operational risk (including strategic risk) Underwriting risk Market/ product risk Credit risk

14 Rough Allocation of Risk The main risk factors relevant to almost all organizations and the mark assigned to them can be summarized as below. Financial risk35% Strategic Risks25% Operational Risks25% Legal and compliance Risks15% 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 14

15 Risk Appetite and Risk Tolerance Risk Appetite at the board level Risk Tolerance at the BU level But sum of risk tolerance can not exceed risk appetite 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 15

16 Facts about risk It is part of life It is part of doing business You can avoid it, mitigate it, accept it, transfer it Controls are not free Controls slow down business Controls cost money 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 16

17 Types of Controls Directive controls Preventive controls Detective controls Corrective controls Compensating controls Deterrent controls 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 17

18 1. What is a Operational RISK 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 18

19 Operational Risk Definition Lets go by BASEL committee s new definition Failed processes People (Computer ) Systems External events BASEL does not include Strategic risk or reputation risk 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 19

20 Seven Operational Risk Categories From Basel Committee Internal Fraud External fraud Employment practices and workplace safety Clients, products, and business practices, Damage to physical assets Business disruption and system failures Execution, delivery, and process management 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 20

21 OR Boundary cntd. More than 50 percent of bank debts are operational losses, not credit or market Collateral documentation failure are not credit losses Fat Finger losses - wrong key pressed, sales vs. buy order, Mizuho Securities in December 2005, J-com shares, one share at yen vs shares at one cent, recruitment company J-Com vs. cable television Jcom, OR not market risk 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 21

22 Cause vs. Effect Cause Event Event Effect (aka consequence) Insurance companies follow this principle OR is managed through DirC and PCs by managing the causes OR is managed through DCs and CCs by mitigating effects 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 22

23 Operational risk management framework Governance Risk and control Assessment Identify risk and Identify control owner and owner Assess likelihood Assess design and Impact and performance Action plans Scenarios and modeling Identify key risk and control indicators Indicators Action plans Specify risk appetite Events Identify and capture internal and external events Action plans Analyze causes Reporting

24 Seven Steps of ORM ORM and ITRM is about informed decision making. It involves 7 steps Understand operational risk context of decision making (governance) How are your ORs controlled (RCA and treatment) Perform loss causal analysis for past problems Where are you now (from indicators) Where you want to be (scenario analysis) Capital allocation for OR (modeling) Reporting and communications Continuous improvement (CMMI level 5)

25 Managing Operational Risk Likelihood Expected loss Severe unexpected loss Catastrophic unexpected loss Reserve Capital Risk transfer and BRP Impact

26 2. Risk Appetite using Risk and Control Assessment cntd. Includes RA and CA to mitigate those risks RA is likelihood x impact CA is Control DE x Control OE Next foil E.g. Operational threats to IT are well controlled E.g. People risk to IT is not well controlled, but is an acceptable risk with high appetite

27 Risk appetite using risk and control assessment scores Systematic approach to IT strategy IT dependency on people Systems manuals and procedures documentation Computer application poorly specified Computer systems not adequately protected Systems and processes not adequately protected Systems and processes not adequately protected Training procedures for IT Dependency on technology Operational threats to IT Dependency on external suppliers Testing of systems Investement in technology Legacy systems will not support business Risk Control

28 Risk Appetite using KRI thresholds for Number of help desk queries Red Amber Green Amber Red 2 or fewer 3 to 7 7 to to 25 Over 25

29 Three lines of defense for RM Business units is the first line Day-to-day function Board s oversight committees is the second line Based on exceptions IAA is the third line Based on risk based approach It is NOT monitoring

30 4. Risk and Control Assessment (RCA) 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 30

31 Why RCA? To identify, assess, and monitor RISKS and CONTROLS for an organization RCA can be qualitative (subjective) or quantitative (objective) or both Qualitative based on value-judgment Low, medium low, medium high, high Quantitative based on numbers E.g. likelihood percentage or ARO, loss in monetary units

32 Business Objectives, Processes, and Activities Three levels (very important) Strategic level (business objectives) Process level (business process) Activity level (business operations)

33 Levels of risk and control assessment OBJECTIVES Strategic RISK Strategic CONTROL PROCESS Process RISK Process CONTROL ACTIVITY Activity RISK Activity CONTROL

34 Risk and Control Components Risk Owner Direct explicit responsibility for managing risk event Ultimately a board member One risk owner usually own many risks Certain risks have multiple owners Control Based on DE and OE

35 Risk Identification Mistakes Risk Register It is risk inventory Pitfall is that people start focusing on risk rather than strategic objectives Cause Cause is not event. Cause is the cause of event. Preventing one cause will not prevent a risk event, because another cause can cause such an event Cause(s) and risk event(s) have many to many relationship

36 Risk Identification Mistakes Effect Effect is the outcome Control of an event gives short term assurance to the risk owner (Corrective Control) Good practice is to have controls to control the cause (Preventive Control)

37 Risk Identification Mistakes Indicators Indicators show movement in likelihood or impact of a risk Indicators show movement in DE and OE of a control Indicators show movement in performance of firm s objectives or processes

38 Risk Identification Mistakes Levels and Components If risk is identified at strategic level, do not do RA at activity level Strategic risks are at a level too high to worry about activity If risks are at process level or BU-level, know when to stop. Don t overdo RCA

39 Risk and Controls Following is a very important concept Repeat: very very very very very very important Risk has 2 dimensions Likelihood (directive, preventive) Impact (detective, corrective) Controls have 2 dimensions DE OE Third dimension should be CMM level Controls must match risk as per risk appetite of the firm

40 Typical risk and control assessment ID Risks Owner(s) of the risk 1 Failure to attract; recruit and retain key IT staff 2. Financial advisors misinterpret/ fail to understand the complexity of equity release products 3. Poor IT staff communication 4 Failure to understand the law and/or regulations by IT 5 Poor detection of money laundering I L S Controls Owner(s) of the control D P E SR Salary surveys TJ Training and mentoring schemes TB Retention packages for key staff TJ PL AB Staff Training TB Learning gained from previous deals KW&EL Review of individual needs in performance appraisal process TB Procedure manuals for processes EL SR JK Defined communication channels ZK Documented procedures and processes EL PL Internal training courses EL PL Regular updates from various sources EL External training courses TB&EL TB&EL Anti-Money Laundering annual training Circulation of British Bankers Association awareness circulars EL&ZK Know Your Customer ALL

41 Don t Forget Link risk to risk appetite Residual risk is cost of doing business RCA is indication of internal control environment It is needed for advanced modeling of OR RCA used to understand effect of scenario on risk profile of organization Don t underestimate independent review of IAA

42 5. Events and Losses 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 42

43 6. Indicators 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 43

44 Indicators KRIs and KPIs KPIs are from value delivery perspective KRIs are from risk management perspective KCIs are from control perspective They indicate the state of performance or risk at a particular time Meaning of KRIs (very important) KRIs should be read as K-R Is and NOT K R-Is Or KRI could be called I of KR Very important to understand this concept

45 Thresholds for Loss of key staff risk and risk appetite for key staff turnover Red Amber Green Amber Red Under 5% 5 % - 9% 10% -15% 16% -20% Over 20%

46 8. Modeling 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 46

47 Introduction You can not model operational uncertainty, so its roots are not as mathematical as CR or MR modeling Quantitative but not intensely mathematical Our focus based on BASEL committee s three suggested approaches OR modeling can start as soon as RCA is complete Can use data from one or more of the three OR processes ( trio of RCA, Events, and indicators) Goal: Convert qualitative RCA data into monetary values

48 Capital Requirement BASEL II capital requirement formula ((Total capital))/((risk weighted assets (market risk+ operational risk)) must be >8%

49 Fat Tails Term used for OR losses Higher quantiles in a distribution Lognormal distribution (next figure) Considerable high quintile events have taken place in the last 20 years Mathematically, large events happen once in many lifetimes. This seems to be wrong!!! Higher losses require more capital Bimodal distribution (next second figure) Source is external data One mode in expected losses, second in low frequency/high impact area

50 Frequency Lognormal distribution and fattened tail lognormal distribution at low severities Fattened tail at high severity values Internal (private) data External (public) data Severity

51 Frequency Lognormal and bimodal distributions lognormal distribution at low severities Second distribution at high severity values Internal (private) data External (public) data Severity

52 9. Stress Tests and Scenarios 12/3/2012 Copyright by Risk Management Professionals International (Version 19) 52

53 Introduction Stress testing (ST) and scenario analysis (SA) are tools for ORM process ST and SA do not forecast what is likely to happen ST and SA provide outcomes for severe but plausible outcomes Forward looking Involve element of judgment

54 Why use scenarios? To challenge subjective RCA SA is also subjective KRIs are forward looking based on current and past data So trends form useful input when concocting scenarios SA overcomes limitations of models OR models are constructed based on assumptions and correlations but are lost during the process

55 Important OR scenarios should be combined with market and credit risk for SA. Events of 911 proved that these 3 risks are interdependent and can occur simultaneously

56 Summary Scenarios are about imagination These are practical exercises, not mathematical Imagine combination of events which could adversely affect firm s objectives or existence Ultimate goal is to have a BCP for such scenarios (and that is next presentation)

57 Questions