Operational Risk Management in Small Banks

Transcription

1 Operational Risk Management in Small Banks

2 Operational Risk Definition Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk* but excludes strategic and reputational risk. Basel II n.644 *legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

3 Compliance, Strategic & Reputational Risk Compliance Risk - The current and prospective risk to earnings or capital arising from violations of, or noncompliance with laws, rules, regulations, internal policies and procedures, or ethical standards. Strategic Risk - The current and prospective impact on earnings or capital arising from adverse business decisions, improper implementation of decisions, or lack of responsiveness to industry changes. Reputational Risk - The current and prospective impact on earnings and capital arising from negative public opinion. Need for formal definitions for the Bank including how these risks are being measured and managed

4 Drivers of Operational Risks Risks could arise from failures in: Process People Systems Operational failure occurs every time one or more of these resources is inadequate to the task being performed: Insufficient quality or quantity (capacity or capability) Unavailable at a critical stage (availability & criticality) Breakdown altogether Or as a result of External Events Any of these failures could lead to customer dissatisfaction and/or losses to the bank.

5 Loss event type classification Type Internal Fraud External Fraud Employmen t practices and Workplace Safety Definition Intentional fraud, misappropriation of property, involving at least one internal party Intentional fraud, misappropriation of property, by 3rd party Acts inconsistent with employment, health & safety laws, discrimination Activity Examples Transactions not reported (intentionally) Intentional mismarking of Theft/ position robbery/ forgery Fraud/ forgery Hacking systems/ Employee Theft of relation issues information Safety issues Discrimination

6 Loss event type classification Type Clients, Products & Business Practices Definition Unintentional or negligent failure to meet professional obligations to specific clients or from the design of a product / service Activity Examples Suitability (KYC issues) Aggressive sales Misuse of confidential information Improper market practices Product flaws/ model errors Failure to investigate client per guidelines Exceeding client exposure limits Disputes over performance of advisory activities Damage to Physical Assets Loss or damage to physical assets from natural disaster or other events Natural disaster losses Human losses from terrorism, vandalism

7 Loss event type classification Type Business disruption and system failures Execution, Delivery & Process management Definition Disruption of business or system failures Failed transaction processing/ process management, or failure of relations with trade counterparties Activity Examples Hardware/ software failure Telecommunicaitons Utility outage Incorrect capture e.g. of data entry, missed deadlines Delivery failure Inaccurate reporting Missing client permissions / legal documents Incorrect client records Misperformance of 3 rd party suppliers/ counterparties

8 Are adequate controls in place? Control activity that reduces incidence of risk, reduces the possibility that something will go wrong, thus helping us achieve process objectives

9 Recommended Controls Type Internal Fraud External Fraud Employment practices and Workplace Safety Clients, Products & Business Practices Controls Segregation of duties Internal Controls Double Checking Firewalls Encryption Double Checking Training Enforcement Provision of protective clothing Adherence to safety Standards Compliance department Prevention of money Laundering Procedures system Internal Audit Risk Management

10 Recommended Controls Type Damage to Physical Assets Business disruption and system failures Execution, Delivery & Process management Controls Insurance Sound Building Management Safety Measures Uninterruptible power supply Preventive maintenance Standby systems/ back ups Physical security Alternative Business Sites Training Internal audits Double checking Procedures standards Risk management

11 Basle Committee Sound Principles Establishment & review of Op Risk Framework & Strategy (BoD & Senior mgt) Implementing strategy & developing Policies (Senior mgt) Communication to oversee and manage the framework Processes and systems to identify, assess, monitor operational risk exposures & loss events Policies controls & procedures re control & mitigation of risks Allocates responsibilities related to operational risk and its management to the various organisational Supervisors should ensure effective systems are in place to identify, measure, monitor and control operational risks & evaluate reporting mechanisms functions and external bodies. Public disclosure to inform market participants of op. risk exposure and the quality of its operational risk management.

12 Strategy & Risk Appetite An Operational Risk Mgt Framework for the Bank was drawn up and approved in 2008 and is being implemented by ORU. An OR Strategy should set out risk exposure profile, include a statement of risk appetite, and state the overall approach to identification, measurement, reporting & transfer of Op Risk (in accordance with Best Practice) A general Operational Risk Management Policy is needed to fit within an overarching risk management policy. These objectives should serve to support the risk management

13 Risk Culture Organisational culture, values and valued behaviour will underpin our risk culture. Values should encourage comprehensive risk reporting (current, new or emerging) encourage challenging debate about risk at all levels. What reflects a good risk culture? people have an awareness of risk in what they do supportive, rather than looking for someone to blame. people understand their responsibilities, and level and limits of accountability People are open to learning and to challenge, aware of changing internal and external environment and seeking continuous improvement in all aspects of risk management Through our initiatives, by the end of this year we should aim to have increased

14 Governance (1) Good governance Good risk governance should result in risk being accepted and managed within known and agreed risk appetites It should provide a structure of risk responsibility throughout the BOV Group to ensure everyone is aware of their own risk responsibilities and accountabilities and those of others with whom they work. By the end of this year, risk management should be seen as key component in strategic decision making (e.g. when evaluating new products, new distribution channels, changes to systems & resources) and also at process and activity levels

15 Governance (2) Three lines of Defence

16 Governance (3) Role of ORU The risk management & analysis function does not directly manage risk. It is the business line executives and managers who are responsible to manage the risks they accept. ORU provides oversight of each business line s risk activities and facilitates risk management throughout the bank by: Providing framework, tools & methodology to allow key decision makers to identify, assess and manage risks Monitoring key exposures against agreed risk appetites Establishing appropriate scenario planning for operational risks likely to affect our business Providing cost-benefit analysis on risk control optimisation and other risk mitigation

17 Governance (4) Role of Business Units Operational Risk Co-ordinator Role to act as risk champions responsible for business-level risk mgt Managing OR exposures on a daily basis Communicate business unit level OR information to ORU Reporting to business unit management ORU will provide adequate training for these OR Co-ordinators to ensure that skills are in place and appropriate levels of independence so that reporting of losses or control failures will not be compromised.

18 Operational Risk Management Framework Operational risk management is about managing the exposure to expected operational loss events as well as reasonably probable unexpected losses. Risk Identification Loss Database Key Risk Indicators Scenario Analysis Business Continuity Planning Information Security & Information Quality

19 Risk Mapping Methodology Identify complete process & business units involved Map current (AS IS) process Identify Issues/risks Understand Process Objectives Evaluate Risks (scoring) Set objectives for TO BE Options identification Final TO BE recommendations Approval & implementation of recommendations Review of Risk Assessment to understand benefits derived Current Process Maps AS IS (Level 1-3 ) Risk Matrix Risk Assessment Risk Map Set of recommendations for a changed process to be presented at Executive Committee Project Team set up to implement approved changes Review & update Process Maps, Risk Assessment, & Risk Map Driven by PMF Ext. Consultants & PMF Core Team includes Op. Risk representatives SMEs Driven by Op. Risk incl. SMEs Risk Map Panel Driven by PMF Ext. Consultants & PMF Core Team includes Op. Risk representatives SMEs Driven by PMF Ext. Consultants & SMEs Driven by Op. Risk & Mgt Services incl. SMEs Risk Map Panel

20 Standard Notation used in Process Mapping

21 Level 3 Process Map Sample START Customer is greeted by CSO and is informed/identifies his need to apply for a card Customer holds the necessary documentation? NO Customer is informed of the required documentation END YES R.O. and customer identify suitable Card type Is card type a credit card? NO (Debit Card Application) R.O. asks for and checks other details on any other facilities YES Clicks on ISAI to access CPS screen to check Borrowers Index R.O. and customer agree on card type 1 Customer asked to submit application at his Monitoring unit YES Customer holds loans at another Monitoring unit NO PROCESS: ISSUING Process Stream 1: END PAGE 1 Revised: 21 May 2007

22 Central Operations Cards Embossing IT Cards Mgt. Cards Issuing Personal / Bus. Lending Branch Manager Branch RO / CO Consumer

23 Identifying Risks What is the possibility that something can go wrong? Does your process sometimes fail to deliver its objectives? Where are the gaps between where we are now and where we want to be? What is not working well? Can you think of past incidents that may have led to losses, inefficiencies or customers being dissatisfied with this part of the process?

24 Risk Assessment - Sample Risk Ref Map Ref Process Stream 13 - Risk Description Owner Cause? Severity Score Probability Score Rank Voting Score Action Required? Comments & Recommendations Currently 20% of daily trades are not settled due to insufficient funds Settlement of these trades will then be delayed for an average 2 days (exposure to bank). This normally takes place when customer has both sale & purchase and purchase settlement trn Limited reporting capabilities of MultFonds system (VFS). Data has to be captured by EFA Luxembourg & Uploaded to Datamart by IT Optns as part of a daily process next morning. Keying in of trade details & verification of amounts on contract notes currently carried out by same officer Systems Issues: Manual processes using XL spreadsheets: prone to human errors, no audit trails, possibility of inadequate backups If ticket.xls is not properly updated,more cumbersome reconciliations process at Settlements WM Optns. Keying in of local trades under nominee is duplicated on Prospero following keying in on LN. If only one system is in use, keying in would only take place once. Too many different settlement options re Redeemed funds (6 different methods) Sales VFS Finance WM Operation s Human error at branches or WM FO System inadequate Very Frequent High Very Frequent High Inadequate process controls Very Frequent High IT Systems Regular High WM Human error/ system Operation inadequate s 9.82 Very Frequent Medium WM Operation s, IT Systems VFS Operation s, VFS /VFM GM?? Lack of integration of systems 6.87 Very Frequent Medium Process inefficient 4.91 Very Frequent Medium Funds to be blocked in clients' account by executing branch whenever purchase trade is requested. Look at possibility of rejecting consideration to rejected items account at branch. Additional verification by 2nd officer will be implemented immediately

25 Risk Assessment process Scoring each issue/risk in terms of the Severity of Impact Each severity score will be weighted: Financial & Performance 58% Reputational 30% Human Aspect 12% Determine probability that the issue/risk will occur

26 Risk Assessment Questionnaire Impact on Bank's Performance This area tries to assess whether a material monetary loss would occur because of this issue/risk in this particular process. The risk of such a loss would increase in proportion to the volume of transactions and complexity of the operation If this issue materialises, what would be the monetary loss to the Bank? No material loss or < x Between x-< x Between x-< x Over x 2 Volume/ Complexity of transactions? Relatively low volumes on a daily basis <x Normal volumes on a daily basis >x<x High volumes on a daily basis >x<x Very high volumes on a daily basis >x Impact on Bank's Reputation This area will take into account the possible impact that the issue could have on the bank's reputation with both regulators and the market Impact on the bank's reputation with customers, the markets, Regulators? xx xx xx xx Human Aspect This area evaluates whether the process in question is more prone to human risks or if it incentives offences/ omissions Does the process require specialist knowledge for which we are dependent on only one or two persons? xx xx xx xx Estimation of Likelihood Estimation of likelihood of occurrence. 5 The issue or risk is expected to happen: Very Frequent: once a week (or more often) Regular: monthly Likely: quarterly Occasional: yearly Unlikely: every 5 yrs Remote: every 30 yrs

27 Risk Matrix Severity of impact 0-10 >10-30 >30-50 >50-75 > Very frequent May happen once a week or more Probability Regular Likely Occasiona l Happens approx. once a month Happens approx. once a quarter Happens approx. once a year Unlikely Happens once between 1&5 years Remote May happen in 15 years 1

28 Loss Database To move from Basic Indicator Approach to Standardised approach, the Bank must satisfy a number of criteria including the ability to keep track of relevant operational risk data on losses or near misses, report on operational risks to relevant functions and have procedures to take appropriate action. (BR/04/2007) An internal loss database must capture all material activities and exposures from all appropriate sub-systems. Typical fields include: Loss event category Amount and recoveries basis of severity Date basis of frequency Business activity, business unit Cause narrative Effect/ impact

29 Example of Loss Database Report Losses by Business Line (No. & '000s) C orporate Finance Trading & Sales R etail Banking C om m ercial Banking Paym ent & Settlem ent Agency Services Asset M anagem ent R etail Brokerage N o Business Line Info Total Internal Fraud E xternal Fraud C um ulative O ct Jun 2010 E m p. P ractices & W orkplace S afety C lients, P roducts & B usiness P ractices D am age to P hysical A ssets B usiness D isruption & S ystem Failures E xec., D elivery & P roc. M gt Total , ,051

30 Comparison to Losses in other Banks Distribution by Business Line by No. of Loss Events ORX by amount of Losses ORX Loss BOV Database Corporate Finance Trading & Sales Retail Banking Commercial Banking Payment & Settlement Agency Services Asset Management Retail Brokerage No Business Line Info Distribution by Event Type by No. of Loss Events ORX by amount of Losses ORX Loss BOV Database Internal Fraud External Fraud Emp. Practices & Workplace Safety Clients, Products & Business Practices Damage to Physical Assets Business Disruption & System Failures Exec., Delivery & Proc. Mgt *Comparison to Loss Events reported in ORX Loss Database in the first half, 2009

31 Key Risk Indicators KRIs: measurable metrics that track exposure or loss or problem areas. Such indicators become key when they track especially important exposures. They must act like early warning systems. The challenge of identifying the right KRIs is to identify measures: that will help us address those issues that have highest impact

32 Operational Risk Monthly Dashboard

33 Scenario Analysis Process of obtaining information on the low-frequency-high-severity losses through expert opinions of business managers and stress testing. They are seen as an efficient way of bringing issues to the surface and promoting risk management. Scenarios may be used in risk mitigation decision and/or cost/benefit analysis and to: Create risk awareness Bring together different functions to discuss a topic Considering emerging risks before there is loss data Linking into insurance purchasing decisions We have undertaken scenario analysis for ICAAP (Internal Capital Adequacy Assessment Programme) reporting and also to increase awareness of Operational Risk at Board level Pandemic Flu outbreak and large scale absenteeism 3 rd party fraud in credit cards 3 rd party fraud in credit granting process IT risks related to service delivery, solution delivery, IT benefit realisation, security of information & IT assets Risk related to unavailability of critical system Prospero 3 rd party fraud in Payments area We need to be in a position to carry out periodic scenario analysis with regular reviews to determine whether they are still relevant Assess whether defined scenarios best reflect major drivers of OR e.g. ORX survey includes most common topics Processing errors (12%); Mis-selling & business practices (9%); External fraud (9%); Need to work out process to validate scenarios

34 Risk Mitigation Responsibility for initiating mitigation action should lie with business where impact of risk is across the bank such responsibility will lie with ORU Risk mitigation is normally recommended during To Be stage of PMF or as part of ad hoc risk assessment by PMF or Op risk in liaison with SMEs. Continuous improvement will be embedded as part of the PMF and ORMF with regular planned reviews of process maps and Risk assessments. This should be possible with implementation and roll-out of PROP. In this coming year, as risk assessments are reviewed, or following RCSA need to understand whether controls in place are effective to mitigate risks and if not, define appropriate risk mitigation - accept, transfer, avoid, reduce (including costbenefit analysis) Once policies are in place and appetite has been defined it may be easier to understand which exposures are above risk appetite. Once these

35 Coverage of Operational Risk Losses Recovery Procedures Op Risk Capital Charge Insurance 27m Type of Policy Excess Limit Industrial All Risks 11,650 23,300 Marine Open Cover 4.5K- 11.5K 4.7m 582K-240K 23.3m Bankers Comp. Crime & Professional lndemnity 233K- 582K 4.7m

36 Enterprise-wide Business Continuity Plan What is it? It is the making of Proactive and Reactive plans to help the Bank to survive crisis or major disruptions to return to business as usual as quickly as possible.

37 What should we plan against? Plan to recover from possible threats Inaccessibility to premises Failure in computer systems Sudden shortage of staff Suspension of service chain by key supplier Threats exist to all businesses. Once they happen loss is inevitable. BUT..we can contain Loss Therefore we set off to make a plan to manage disruptions to recover as quickly as the customer, regulator or the market expect. - Enterprise-wide Business Continuity Plan

38 IT Disaster Recovery Work-around solutions Enterprise-wide Plan Prioritization of tasks Facilities & physical resources ENTERPRISE-WIDE BCP Human Resources contingencies Setting-Up of Alternative Sites

39 Business Impact Analysis April st Phase of the BIA Assessment of the criticality of activities and impact to the Bank. August 2010 November nd Phase of BIA exercise: Gathering of information through a questionnaire and one-to-one meetings with Units (40); 95% complete. Information gathered includes tolerable downtime period of tasks, IT applications and recovery point objective (RPO), HR resources availability and skills, Interdependencies and alternative sites. Analysis of data and findings and identification of gaps Results to be evaluated in terms of potential risks and likelihood of happening. Seek approval of timeframe recovery priorities generated from the analysis at Executive level Prioritisation of tasks and services as a result of the potential impact to the Bank Draw up and present report to IMT and Risk Committee to address gaps

40 Enterprise Wide BCP documentation December 2010 January 2011 Documentation of a plan Seek approval of plan from Units appointed by IMT to manage their particular area of interest Seek approval from Senior Management February 2011 Study of workaround solutions short term and long term plans Communication of plan Gradual strategy implementation Eventually Testing and

41 Reporting Current reporting of KRIs to EC (monthly) & quarterly report to RMC Inadequate/no feedback back to business with no further recommendations for remedial action Implementation of PROP should facilitate multidirectional reporting (including business lines & process owners) and provides the possibility to tailor reporting to

42 PROP Process, Risk, Operational Performance and Project Management Toolkit PMF rolling out process transformation across major business lines incorporating Operational risk management, metrics, performance management & customer service delivery Realisation that Customer experience, operational risk & process management are intertwined activities Change programme is underpinned by integrated program & project management disciplines which are in turn linked to tangible benefits that need to measure success of implementation As responsibilities to manage operational processes, risks and projects shifts to the business/process owner they need to be given the tools to manage their business operations with this new vision. Whilst accountability is decentralised to business lines, there will be central monitoring of risk, program management and process system will help these units perform bank-wide data analysis and cross functional integration. Integration of risk, process, project & performance data will also allow executive management to prioritise projects, align bank s strategy, ensure resources are effectively allocated, and ensure envisaged benefits from chosen projects are implemented and measured accordingly.

43 PROP Process, Risk, Operational Performance and Project Management Toolkit

44 PROP Milestones Issue RFP 13 October 2010 Submission of Proposal (by vendor) 5 November 2010 Proposal Evaluation (by BOV) 31 January 2011 Proof of concept (by BOV & vendor) May 2011 Finalise Agreement (by BOV & vendor) 15 March 2011 Proof of Concept During Proof of concept bidders will install proposed solution on-premise (1 each at Strategy, Risk, Mgt Services & ITSD) A number of requirements / features have been requested as outlined in RFP Short user training will take place to kick-off evaluation Support from bidders is required during

45 Op Risk Mgt - What value will be derived? Key aspect of effective corporate governance Reduce exposure to and avoidance of operational risk losses through risk mitigation Improve operating efficiency Reduce earnings volatility Rationalise the allocation of capital between business uses Regulatory compliance ERM component Management of new product approval process Change in culture and enhancement