Risky Business. Jaidev Iyer Operational Risk Expert, CEO J-Risk Advisors

Transcription

1 Risky Business Jaidev Iyer Operational Risk Expert, CEO J-Risk Advisors

2 Speaker Information Jaidev Iyer Enterprise & Operational Risk Expert J-Risk Advisors Jaidev Iyer is a veteran of Citigroup, where he worked for 28 years, in a variety of positions in many geographies and businesses, starting with the Citibank India trading room in 1981, and retiring in 2008 as Global Head of Operational Risk for its Corporate & Investment bank businesses. During his tenure, Jaidev s roles included Global Head of Risk for Asset Management, Global Head of Derivatives for Private Banking, Head of Market Risk for the Americas, Head of Middle East Capital Markets, Head of Asia Derivatives Financial Engineering, and Head of Asia Market Risk. Upon retiring from Citi in 2008, Jaidev held a variety of not-for-profit and Risk consulting roles including directorship of GARP ( ), and CEO of J-Risk Advisors. He was most recently CEO & co-founder of Insorce Operational Optimizers, immediately prior to which he was Global Head of Operational Risk at UBS, based in NYC. Jaidev s academic background is in Statistics and Economics. He is a Chartered Financial Analyst, and has completed management programs at the Kellogg School of Management (Northwestern University) as well as the John F. Kennedy School of Government (Harvard University).

3 Risk is a Forward View of Vulnerability An Enterprise Risk Management Approach Continuously Solves for A B = C < = D Where A = Inherent Risk Due Chosen Business B = Control-based Mitigation C = Residual Risks D = Risk Appetite Risk vs. Boundaries Risk vs. How taken i.e. Market/Product Risk vs. Reward 3

4 Operational Risk Event Types Fraud, Theft and Unauthorized Events Clients, Products and Business Practices Employment Practices and Workplace Environment Physical Assets and Infrastructure Events Execution, Delivery and Process Management 4

5 5

6 Enterprise Risk as a Program Exec Team Oversees Issues Metrics Assessments Corrective actions Identify Risks Iterative exercise Periodic revisit with Metrics, and Risk Control Self Assessment Informed by actual Issues and Events Governance and Assurance Assess Risks Severity and likelihood Vulnerability and speed Heat-map/matrix Monthly Reporting Metrics trends RCSA* results Remediation plans Monitor Controls and Risk Operational Risk Management Install Policies Required policies Reflect business Include procedures Metrics (Key Risk Indicators) Indicators of good health Smoke detectors Risk-Control Self-assessment* Metrics and RCSA* Implement Controls Chosen responses to risks Policy implementation Reporting 6

7 Risk at Summary Event Level Risk at Category Level Basel II Level 2 Risk at Activity Level Basel II Level 3 Internal Fraud Unauthorized (Rogue) Activity Transactions intentionally not reported Transaction/type is Unauthorized Positions are deliberately mis-marked Theft and Fraud (Internal) Fraud (internal party) of any type e.g. Credit Fraud, Worthless Deposits Theft (internal party) of any type e.g. embezzlement, extortion, robbery, misappropriations FORGERY: Involving at least one internal party Other Criminal Conduct: Intentional Tax non-compliance, bribes, kickbacks by employee/s Insider Trading: By firm s employee/s for own account External Fraud Theft and Fraud (External) Theft and robbery, by a third-party Forgery, by a third-party Systems Security (Hacking etc.) Hacking, third-party originated Employment Practices, and Workplace Safety Employee Relations Safe Environment Workplace Practices Theft of Information by an external party Compensation, Benefits, Termination Issues Organized Labor activity, strikes, union issues General Liability issues Employee Health and safety, workers compensation Discrimination, Diversity, Harrassment issues 7

8 Risk at Summary Event Level Basel II Level 1 Risk at Category Level Basel II Level 2 Risk at Activity Level Basel II Level 3 Clients, Products and Business Practices Suitability, Disclosure and Fiduciary Fiduciary Breaches, guideline violations, suitability/kyc issues, disclosure violations, breach of privacy Aggressive sales, account churning, misusing information Improper Business or Market Practices Antitrust, improper market practices, market manipulation, firm a/c insider trading Money laundering Product Flaws, Defects, Errors Product Defects Model errors Client disputes (e.g. performance of advisory activities) Physical Assets Damage to Assets, Disasters Natural Disasters, Losses from terrorism and vandalism Business Disruption Systems Hard/software failures, telecomms, outages and disruptions and System Failure Business Continuity Disruption of of business and client-service given natural and man-made disasters; Disaster recovery Execution, Delivery and Process Management Transaction Capture, Execution, and Maintenance Errors of all kinds: Data entry or maintenance, deadlines, system inoperation, accounting errors, Miscommunication Failures: Delivery, Collateral, Reference data maintenance Missed or Inaccurate Failed mandatory reporting obligation 8 Mandatory Reports Customer Intake and Documentation Customer/Client Account Mgt Trade Counterparties Misperformance and Disputes Vendors and Suppliers Outsourcing and Disputes Inaccurate external reporting: Loss or fine incurred Client Onboarding issues permissions and disclaimers missing, missing KYC and other opening requirements Documentation Issues of all types new or existing clients Unapproved access to client accounts, Incorrect client records, negligent loss or damage to client assets Counterparty mis-performance, or disputes Vendor disputes, outsourcing related errors and losses

9 Illustrative Severity Scale Rating Descriptor Definition. Note: Each Successive Bullet-point must be Read as and/or 5 Extreme/ Catastrophic Financial loss of $350 Million or more (say) Long-term or significant negative media; loss of status or market share Hearings, prosecution, fines, litigation including class actions, incarceration Significant injuries or fatalities to employees, customers or vendors Multiple senior leaders leave 4 Major Financial loss of $200M up to $350M (say) Long-term negative media; significant loss of market share and reputation Reports to regulators requiring major project for corrective action Care required for employees or third parties, such as customers or vendors Seniors leave, high turnover of experience, no longer premier employer 3 Moderate Financial loss of $50M up to $200M (say) Short-term but impactful negative media coverage Report of breach to regulator with immediate correction to be implemented Medical treatment required for employees, customers or vendors Widespread staff morale problems and high turnover 2 Low Financial loss of $5M up to $50M (say) Reputational damage Reportable incident to regulator, no strong follow up No or minor injuries to employees or 3rd-parties, customers or vendors General staff morale problems and increase in turnover 1 Insignificant Financial loss up to $5M (say) Local media attention, if at all, quickly remedied Not immediately reportable to regulator No injuries to employees or third parties, such as customers or vendors Isolated staff dissatisfaction can be managed locally 9

10 Illustrative Likelihood Scale Rating Frequency Description Definition 5 Very Frequent Once a year or more 4 Quite Likely Once every 1 to 10 years 3 Occasional Once in 25 to up to 50 years Probability Description Definition Almost Certain 90% or greater chance of occurrence over life of asset or project or in a time window such as Annual Likely Possible 60% up to 90% chance of occurrence over life of asset or project or annually 30% up to 60% chance of occurrence 2 Unlikely Once in 50 years up to once in 100 years Unlikely 10% up to 30% chance of occurrence 1 Rare Once in 100 years or less often Remote Less than 10% chance of occurrence 10

11 Risk Assessment Heatmap Definitely 5 Likely 4 Possibly 3 Seldom 2 Unlikely 1 Likelihood Severity Insignificant Minor Moderate Major Extreme 11

12 Risk Assessment (Hypothetical) Definitely 5 Likely 4 Inaccurate Reporting Systems Business Continuity Hacking Data Theft Client Suitability Product Defects Possibly 3 Employee Relations Insider Theft Fraud Business Practices AML Issues Client Account Mgmt Regulatory Censure Transaction Errors Seldom 2 Compensation Issues Physical Assets Unauthorized Accts Workplace Mgmt Vendor Mgmt Staff Health Unlikely 1 Hiding Transactions Mismarking Positions Theft by 3 rd Party Likelihood Severity Insignificant Minor Moderate Major Extreme 12

13 Likelihood Reconciling Risk Appetite with Assessment Control Risk Avoid/Terminate Reduce Risk Accept Risk Contain/ Transfer Risk Impact 13

14 Operational Risk Control Framework Contextualize vs. Objectives Client satisfaction Business performance No-surprises Full compliance Information flow Controls-framework must work for all stakeholders, for real and perceived risks Cost of Control must be clear Access control physical Access control systems, applications, network Accurate and complete transaction capture and execution Business continuity management Client account servicing, monitoring, oversight (from onboarding onwards) Confirmations and reporting Documentation management and review Employee management Product management: supervision and compliance Limits and approvals Information security management MIS Model control Monitoring business practices Operational risk management Governance, review and compliance Reconciliations positions, P/L and balances Systems control software/hardware and change management Monitoring and managing use of and social networks Valuation value recon, controlled environment Third-party/Vendor management 14

15 15 Business Continuity and Disaster Recovery

16