Best Practices in Issues Management
Cara McWilliams
Vanguard Operational Risk Management
April 2016
Agenda
- Operational risk management lifecycle
- Issues vs. Events
- Origination
- Response
- Integration
- Reporting
Difference between Issues and Internal Events
An Issue is defined as an identified deficiency in the design or effectiveness of the control environment, highlighting an undesired risk exposure.
An Internal Event is defined as any event:
- where the actual outcome differs from the expected outcome, and
- where the root cause is a failure in people, process, or technology, or is due to external factors.
An Issue can lead to, or be identified from, an Internal Event.
Operational risk management lifecycle
Top down: risk voices identify risks, mitigation, and issues
Integrated portfolio
Bottom up: data sources
- Business (RCSAs)
- Contingency
- Information Security
- Legal
- Internal Audit
- Compliance
- Fraud
Origination
Sources that feed the Issues Log:
- Internal Events (Org, Risk, Process, Impacts)
- Risk Control Self-Assessment (Org, Risk, Process, Impacts)
- Issues (untethered) (Org, Risk, Process, Impacts)
- Internal Audit Issues
- Compliance Issues
Issues Log (the slide shows placeholder rows only)
Self-identified issues
Management Self-Identified Issues:
- Issue 1: Logical Access
- Issue 2: Data Quality
- Issue 3: Management Oversight
- Issue 4:
Risk response
An Issue can be addressed in one of two ways:
Action Plans: a sequence of steps or activities performed to appropriately mitigate the risk/issue.
- Clearly documented: the 5 Ws
- Clear assignment of ownership
- Realistic completion date(s)
Risk Acceptance: management's decision to endure a risk exposure instead of pursuing an Action Plan.
- Clearly documented: WHY
- Properly vetted with management
- Re-evaluated annually (at minimum)
Integration
Common platform and taxonomy:
- Issue Severity
- Business Process
- Legal Entity
- Division
- Risk Category
Reporting
Sample Issue Reporting
Divisional Operational Risk Profile (as of XX/XX/2016)
Sample dashboard panels (the descriptive text on the slide is placeholder lorem ipsum):
- Rotating Topic: Top Risk Scenarios
- Issue Identification: count of past due and current open issues, by source
- Issue Duration: how long an issue has been open, by priority (buckets: Past due, <180, <270, <365)
- Risk Acceptance: risk acceptances that have not been renewed
- Events by Net Impact
- Area of First Detection (Client, Business)
- Events by Sub-Division
- Potential for Reoccurrence
Legend labels shown on the slide: Past due / Current; High / Medium / Low; MPE / High / High-Med / Med
Operational risk management maturity
Dashboard components and their ideal state, grouped by Governance, Risk Management Practices and Internal Control Environment:

Governance
- Oversight: forums exist for senior management to provide direct oversight of current and emerging exposures.
- Organizational Structure: risk teams are established with qualified, high-performing crew who are closely integrated in business operations and decision-making processes.
- Management Engagement: business management exhibits dedicated involvement in the risk management program.

Risk Management Practices
- Top-down Exposure Monitoring: the division's top risks have been identified and documented, and the division has effective processes for measuring whether key exposures are increasing, decreasing, or remaining stable in order to take action as needed.
- Bottom-up Control Identification: the division follows a structured methodology for establishing and prioritizing its process universe and performing risk assessments based on inherent risk level, and uses the controls assessment framework methodology to identify and document key controls.

Internal Control Environment
- Control Design Evaluation: the strength of key controls (control design adequacy) has been evaluated using controls assessment framework criteria.
- Control Effectiveness Monitoring: there is a structured process for validating that key controls are operating effectively to meet business objectives.
- End-to-End Transparency: there is cross-functional transparency in instances where the division relies on another division or an internal/external service provider for performing key controls.
Operational risk management effectiveness
Metrics are grouped as Outcomes (Operational Risk Exposures) and Drivers (Proactive Risk Management Behaviors). Each metric has a threshold scale (<xx%, xx-xx%, >xx%); the period columns on the slide are Prior 3 Periods, Prior Period, Q1 2016 and 2015, with all values shown as XX% placeholders.
- Issue Self-Identification: high and medium severity issues that are self-identified by the business as a percentage of the total number of high and medium severity issues identified by all sources.
- Risk Accepted Findings: formally risk accepted high and medium severity issues as a percentage of the total number of high and medium severity issues.
- Action Plan Accountability¹: high and medium severity issues with action plans deferred as a percentage of the total number of open high and medium severity issues.
- Event Exposure Duration: internal events identified 31 calendar days after the date of occurrence as a percentage of the total number of internal events reported to ORM.
- Green Audit Reports: audit reports that have a green rating as a percentage of the total number of audit reports.
- Significant Events: internal events with a high severity as a percentage of the total number of internal events reported to ORM.
- External Fraud Events: external fraud events with losses $100K as a percentage of the total number of external fraud events with losses reported to ORM.
Not for public distribution.
Appendix: Issue Data Collection Components
Risk Acceptance Data Components:
- Risk Acceptance ID
- Submit Date
- Optional Review Stages (group label on the slide)
- Accountable Division
- Submitted By
- Date Submitted for Review
- Accountable Subdivision
- Submission Status
- Owner Reviewer(s)
- Accountable Department/RC
- Risk Acceptance Description
- Additional Owner Reviewer(s)
- Accountable Business Unit
- Business Justification
- Owner Review Decision
- Expiration Date
- Business Impact
- Owner Review Due Date
- Days to Expiration
- Review Frequency
- Owner Review Approval Date
- Risk Acceptance Type
- Initial Expiration Date
- Finding ID
- Findings
- Number of Extensions
- Status
- Overall Status
- Review Stage
- Response

Action Plan Data Components:
- Action Plan Title
- Status
- Summary
- Action Item ID
- ERM Owner
- Comments
- Legacy ID
- Business Owner
- In Progress Date
- Accountable Division
- Due Date
- # of Days In Progress
- Accountable Subdivision
- % Completion
- Remediation Plan ID
- Accountable Department/RC
- Date Completed
- Finding ID