Managing risk appetite for operational and non-financial risks


Managing risk appetite for operational and non-financial risks John Thirlwell IIA, Bodø, 27 May 2013

Agenda
- What do we mean by operational and non-financial risks?
- What do we mean by risk appetite?
- A framework for managing operational / non-financial risk appetite
- Uses and benefits

Defining operational risk
"the risk of loss resulting from inadequate or failed internal processes, people or systems or from external events" [Basel II]

Is operational risk different from other risks?

                                                       Credit, market, commodity,   Operational
                                                       liquidity (financial)        (non-financial)
Is the risk wholly transaction-based?                  Y                            N
Is the risk assumed proactively?                       Y                            N
Can it be identified from accounting information,      Y                            N
e.g. the P&L?
Can audit confirm that every occurrence of the risk    Y                            N
has been captured?
Can its financial impact be capped or limited?         Y                            N
Can you trade the risk?                                Y                            N
Is everybody in the firm responsible for the risk?     N                            Y
Does the risk affect every activity?                   N                            Y

[Diagram of risk categories: Liquidity Risk; Market/Product Risk; Operational Risk (including Strategic Risk); Underwriting Risk; Credit Risk; Group Risk]

Agenda
- What do we mean by operational and non-financial risks?
- What do we mean by risk appetite?
- A framework for managing operational / non-financial risk appetite

Risk appetite definitions
- "The amount and type of risk that an organisation is willing to take to achieve its strategic objectives [over a specified time horizon at a given level of confidence]"
- "Amount and type of risk that an organisation is prepared to seek, accept or tolerate." (ISO 31000:2009)
- "The amount of risk which is taken for reward."

A regulatory perspective on ORA
"Operational risk differs from other banking risks in that it is typically not directly taken in return for an expected reward, but exists in the natural course of corporate activity." [Basel Committee]
"Appetite, in the true sense, may not be appropriate. But a residual level of operational risk (events) may be tolerable, for example where the cost of mitigating the risk outweighs its impact, or where the cost can be mitigated by income." [UK FSA]

Risk appetite and risk tolerance
Risk tolerance: the maximum amount of risk which can be taken before financial distress; what you are prepared to allow the organisation to deal with.

Operational risk appetite(s)
- No single appetite figure for operational risk appetite.
- The different nature of risks and different approaches to these risks mean different approaches to measures of risk appetite.
- Can be expressed quantitatively or qualitatively: through losses (number and amount), risk and control assessments, risk indicators or qualitative statements.

Whose risk appetite is it anyway, and how might they express it?

Whose risk appetite is it anyway?
- Politicians
- Investors
- Customers
- Regulators
- Public
- Employees

Agenda
- What do we mean by operational and non-financial risks?
- What do we mean by risk appetite?
- A framework for managing operational / non-financial risk appetite
- Uses and benefits

Governance
- Committed and consistent leadership
- Business strategy and objectives: the context for risk management and risk appetite
- Risk policy: establish a common language

Classifying risks and ORA
Identifying and classifying risks:
- Accept as BAU: mitigated by capital and reserves or business performance and/or margins
- Accept: willing to invest in controls and mitigants
- Avoid: transferred through, for example, insurance
- Avoid: transformed through, for example, outsourcing
- Avoid

Appetite statements
- Simple: easily communicated and resonate with multiple stakeholders
- Practical: guiding management
- Allow flexibility but not strategic drift
- Include: definition; term / time horizon and confidence level; monitoring
- Measurable, although can be qualitative

Example appetite statements
- "We seek to minimise the downside risk from the impact of unforeseen operational failures within our business and in our suppliers and service providers."
- "The firm has no appetite for individual operational losses above x and cumulative losses above y within a 12 month period. Any operational risk losses exceeding z are reported to the Group Operational Risk Committee."
Zero appetite statements
- "The firm has no appetite for financial crime and will implement appropriate measures to control it."
- "Legal and regulatory risks. The group has minimal risk appetite and seeks to operate to high ethical standards."

The Zero Harm Vision
Balfour Beatty's vision is for:
- zero deaths
- zero injuries to the public
- zero ruined lives (amongst all our people)

...and one for the Board
"Board and senior management must understand and be able to manage all risks." [Senior Supervisors Group report on developments in risk appetite frameworks, December 2010]

What measures can we use: loss events
- Which events or losses?
- Amount (the basis of impact/severity): direct or indirect?
- Date (the basis of likelihood/frequency)
- Boundary losses
- Multiple events
- Need to be clear what "losses" mean
- Data capture

[Diagram: Cause(s) -> Event -> Effect(s); labels on the slide: People, Resources, Processes, Systems, External Events, Reputation]

A Nobel thought on quantification
"Unlike the position that exists in the physical sciences, in economics and other disciplines that deal with essentially complex phenomena, the aspects of the events to be accounted for about which we can get quantitative data are necessarily limited and may not include the important ones." [Friedrich von Hayek, Pretence of Knowledge, Nobel acceptance speech 1974]
So be humble and acknowledge the limitations of operational risk loss event data!

Losses and risk appetite

What measures can we use? Risk and control assessments

Likelihood \ Impact    Low (1)   Med Low (2)   Med High (3)   High (4)
High (4)                  4           8             12            16
Med High (3)              3           6              9            12
Med Low (2)               2           4              6             8
Low (1)                   1           2              3             4

(each cell is likelihood score x impact score)

Residual risk (assuming controls work)

Likelihood \ Impact    Low (1)   Med Low (2)   Med High (3)   High (4)
High (4)                  4           8            n/a           n/a
Med High (3)              3           6              9           n/a
Med Low (2)               2           4              6             8
Low (1)                   1           2              3             4

Assessing risks
- How many bands or ranges?
- Ensure periods for likelihood and impact are appropriate
- Gross / inherent (assuming controls fail) or net / residual (assuming controls work)?

Identifying and assessing controls
Types of controls:
- Likelihood (cause):
  - Directive, e.g. policies, procedures, manuals
  - Preventative, e.g. system checks on limits
- Impact (effect):
  - Detective, e.g. sensors, indicators
  - Corrective, e.g. follow-up on reconciliations, BCP
Controls may mitigate more than one risk, but the application of the control may not be the same.

Assessing control design and performance
- "Control effectiveness" doesn't give clear control improvement guidance
- Design is the inherent ability of the control to mitigate the risk, and is often about process or system
- Performance is about how the control is working in practice, and is often about people

Example of risk and control assessment output

ID  Risk                                     Ref  I  L  S    Control                                      Ref  D  P  E
1   Failure to attract, retain key staff     A    4  4  16   Salary surveys                               D    2  2  4
                                                             Training and mentoring                       E    3  2  6
                                                             Retention packages                           D    4  4  16
2   Poor staff communication                 B    4  4  16   Defined communication channels               F    4  3  12
3   Poor detection of money laundering       C    4  3  12   Documented procedures and processes          G    3  2  6
                                                             AML training                                 D    3  2  6
                                                             Circulation of trade association briefings   H    3  1  3
                                                             Know Your Customer procedures                G    4  3  12

Columns: I = impact, L = likelihood, S = risk score (I x L); D = design, P = performance, E = control effectiveness (D x P). The single letters are the reference codes used on the slide.

ORA using RCSA scores (step 1): Board-expressed residual appetite

Annual loss thresholds
Low              25,000
Acceptable      100,000
Warning         450,000
Catastrophic  1,500,000

ORA using RCSA scores (step 2)

Impact per event   L'bound     U'bound     Mid point
Low                      0      50,000        25,000
Med-low             50,000     150,000       100,000
Med-high           150,000     500,000       325,000
High               500,000   1,500,000     1,000,000

Likelihood of event (per annum)   L'bound   U'bound   Alternative label            Mid point
Low                                  0.04      0.10   10% likely in next year           0.07
Med-low                              0.10      0.33   30% likely in next year           0.22
Med-high                             0.33      1.00   Very likely in next year          0.67
High                                 1.00     12.00   Several times in next year        6.50

ORA using RCSA scores (step 3)

Annual loss thresholds: Low 25,000; Acceptable 100,000; Warning 450,000; Catastrophic 1,500,000

IMPACT \ LIKELIHOOD   10% likely   30% likely   Very likely      Severe
High                      70,000      220,000       670,000   6,500,000
Med-high                  22,750       71,500       217,750   2,112,500
Med-low                    7,000       22,000        67,000     650,000
Low                        1,750        5,500        16,750     162,500

(each cell is the likelihood mid point multiplied by the impact mid point, i.e. an expected annual loss for that RCSA cell)
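The three ORA steps above, together with the 4x4 risk matrix, the residual-risk "n/a" cells and the I x L / D x P scoring of the RCSA output table, can be carried through in a few lines of code. The following is an added worked example, not code from the presentation: the band names, midpoints, thresholds and n/a cells are taken from the slides, while the function names, the banding rule in loss_band() (first threshold the value does not exceed; anything above the Catastrophic threshold is flagged separately) and the sample risk record are my assumptions.

```python
# Added worked example (not from the slide deck): RCSA scoring and the ORA
# expected-annual-loss matrix, using the bands, midpoints and thresholds that
# appear on the slides. Function names and the banding rule are assumptions.

# 4-point scales from the likelihood / impact matrix slide.
BAND_SCORE = {"Low": 1, "Med-low": 2, "Med-high": 3, "High": 4}

# Residual-risk matrix: (likelihood, impact) cells shown as n/a on the slide,
# i.e. residual risk the Board does not tolerate even when controls work.
RESIDUAL_NOT_TOLERATED = {
    ("High", "Med-high"), ("High", "High"), ("Med-high", "High"),
}

# Step 2 midpoints. Impact is per event (currency units); likelihood is
# events per annum. Both copied from the slide.
IMPACT_MIDPOINT = {"Low": 25_000, "Med-low": 100_000,
                   "Med-high": 325_000, "High": 1_000_000}
LIKELIHOOD_MIDPOINT = {"Low": 0.07, "Med-low": 0.22,
                       "Med-high": 0.67, "High": 6.50}
LIKELIHOOD_LABEL = {"Low": "10% likely", "Med-low": "30% likely",
                    "Med-high": "Very likely", "High": "Severe"}

# Step 1: Board-expressed annual loss thresholds, ascending.
ANNUAL_LOSS_THRESHOLDS = [
    ("Low", 25_000), ("Acceptable", 100_000),
    ("Warning", 450_000), ("Catastrophic", 1_500_000),
]


def rcsa_score(impact, likelihood):
    """Risk score S = I x L on the 4x4 matrix (1..16), gross or residual."""
    return BAND_SCORE[impact] * BAND_SCORE[likelihood]


def control_effectiveness(design, performance):
    """Control effectiveness E = D x P, as in the RCSA output table."""
    return design * performance


def residual_within_appetite(likelihood, impact):
    """True unless the residual (likelihood, impact) cell is an n/a cell."""
    return (likelihood, impact) not in RESIDUAL_NOT_TOLERATED


def expected_annual_loss(impact, likelihood):
    """Step 3 cell: likelihood midpoint x impact midpoint, rounded to whole
    currency units as shown on the slide."""
    return round(LIKELIHOOD_MIDPOINT[likelihood] * IMPACT_MIDPOINT[impact])


def loss_band(annual_loss):
    """Assumed banding rule: the first threshold the value does not exceed
    names its band; a value above the Catastrophic threshold is flagged."""
    for name, limit in ANNUAL_LOSS_THRESHOLDS:
        if annual_loss <= limit:
            return name
    return "Exceeds catastrophic threshold"


def ora_matrix():
    """Step 3 table: impact band -> likelihood band -> expected annual loss."""
    return {imp: {lk: expected_annual_loss(imp, lk) for lk in LIKELIHOOD_MIDPOINT}
            for imp in IMPACT_MIDPOINT}


def assess_risk(name, impact, likelihood, controls):
    """Summarise one RCSA line: score, best control effectiveness, and where
    the cell sits against the annual loss thresholds and the n/a cells.
    controls is a list of (name, design, performance) tuples."""
    best = max((control_effectiveness(d, p) for _, d, p in controls), default=0)
    eal = expected_annual_loss(impact, likelihood)
    return {"risk": name,
            "score": rcsa_score(impact, likelihood),
            "best_control_effectiveness": best,
            "expected_annual_loss": eal,
            "band": loss_band(eal),
            "within_residual_appetite": residual_within_appetite(likelihood, impact)}


if __name__ == "__main__":
    # Constructed sample drawn from the RCSA output slide: risk 3 (I=4, L=3)
    # with its four controls as (name, design, performance).
    aml = assess_risk("Poor detection of money laundering", "High", "Med-high",
                      [("Documented procedures and processes", 3, 2),
                       ("AML training", 3, 2),
                       ("Circulation of trade association briefings", 3, 1),
                       ("Know Your Customer procedures", 4, 3)])
    print(aml)
    header = " ".join(f"{LIKELIHOOD_LABEL[lk]:>12}" for lk in LIKELIHOOD_MIDPOINT)
    print(f"{'IMPACT':9} {header}")
    for imp, row in ora_matrix().items():
        print(f"{imp:9}", " ".join(f"{row[lk]:>12,}" for lk in LIKELIHOOD_MIDPOINT))
```

Running the sample reproduces the step 3 table exactly, and shows the point the residual matrix makes: a High-impact / Med-high-likelihood residual cell carries an expected annual loss of 670,000, above the Warning threshold and inside an n/a cell, even though the best control on that line scores 12 out of 16.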

Control appetite
The amount a firm is willing to spend (in time, money and/or resources) to mitigate a risk to an acceptable residual level. The aim can be expressed as:
- Acceptable level of control assessment
- Reduction in assessed risk from gross (inherent) to net (residual)
- Targets and thresholds of key control indicators
- Reductions in number and/or value of events and/or losses
- Cost / benefit of risk profile reduction

Types of controls
- Likelihood:
  - Directive, e.g. policies, procedures, manuals
  - Preventative, e.g. system checks on limits
- Impact:
  - Detective, e.g. sensors, indicators
  - Corrective, e.g. follow-up on reconciliations, BCP

Using the right controls

[Spidergram: IT & Systems Risks & Controls. Two series, Risk and Control, plotted on a 0 to 200 scale across these axes: Systematic approach to IT Strategy; IT dependency on people; Systems manuals and procedures documentation; Computer Applications poorly specified; Computer Systems not adequately protected; Systems and Processes not adequately protected; Training Procedures for IT; Dependency on Technology; Operational threats to IT; Dependency on External Suppliers; Testing of Systems; Legacy systems will not support business; Investment in Technology]

What measures can we use? Indicators
- Key Risk Indicators (KRIs): change in likelihood or impact, linked to the RCA
- Key Performance Indicators (KPIs): change in business performance, linked to business objectives
- Key Control Indicators (KCIs): change in design or performance, linked to the RCA

Leading and lagging indicators
Risk indicators:
- Likelihood indicators tell you about the chance of a risk happening (lead)
- Impact indicators tell you about the effects of the risk when it has happened (lag)
Control indicators:
- Preventative control indicators tell you about controls that stop a risk from happening (likelihood) (lead)
- Detective control indicators tell you about controls which reduce the impact of a risk (lag)

Thresholds and targets
Bands shown on the slide: < 5% | 5-9% | 10-15% | 16-20% | > 20%

Risks and risk indicators for Audit Committees
- Inappropriate tone at the top
- Autocratic management
- Inexperienced management
- Poor management oversight
- Frequent senior management over-rides
- Overly complex organisational structures
- Lack of transparency in the business model or transactions and the purposes of transactions
- (Late) surprises
- Unrealistic earnings expectations
- Exposure to rapid technological changes
(Derived from: KPMG Audit Committee Institute, Shaping the audit committee agenda, May 2004)

What measures can we use? Scenarios
- "potential vulnerability to exceptional but plausible events" (Basel Committee)
- Events must have a low probability of occurring but should be realistic: "the nastiest you can imagine without being unrealistic"
- They are stories, which is why they are effective and generate buy-in
- They are combinations of events; a single event is a stress test
- Outcomes are often too modest: they must be severe enough

Natural biases when developing scenarios and RCSAs
Wikipedia gives 84 types of cognitive bias, but they tend to resolve down to 3:
Judgemental:
- Availability bias (and the elephant): the ease with which relevant information is recalled or visualised, generally from personal experience
- Anchoring bias: arises when participants start with an initial value (including external loss data) and adjust it to yield their final answer
Motivational:
- Arises when a participant has an interest in influencing the results

Overcoming biases
- Two (or more) pairs of eyes, i.e. peer review
- Challenge by Group functions, e.g. Risk
- Internal audit of the risk assessment process
- Comparison of actual losses (including external data) against experts' expectations
- Anchoring: mitigate with deliberate use of availability, i.e. ask participants to posit extreme values for impact and then come up with scenarios outside those values

Considered too unlikely to plan for
CIA scenario planners rejected this scenario as being "just too unlikely".

Issues with scenarios
- Outcomes too modest
- Not considered credible by the business: "the nastiest you can imagine without being unrealistic"
- Mechanical, point in time
- Did not capture reputational risk
- Forgot the crisis management team and who will run business as usual

Scenario analysis is an important risk management tool
- Alerts management to adverse unexpected outcomes
- Supplements other risk management approaches, especially during periods of expansion, providing data when none is available
- Provides forward-looking assessments of risk
- Overcomes limitations of models, including the tail problem, and historic data
- Supports internal and external communication and generally gets buy-in
- Feeds into capital and liquidity planning
- Assists in setting and challenging risk tolerance and appetite
- Facilitates contingency planning

Agenda
- What do we mean by operational and non-financial risks?
- What do we mean by risk appetite?
- A framework for managing operational / non-financial risk appetite
- Uses and benefits

Uses of the operational risk appetite process
- Challenges strategy development and strategic decision-making
- Expands understanding of strengths and competitive advantage
- Identifies resource gaps, i.e. capacity and constraints
- Fundamental to assessing insurance and outsourcing decisions
- Helps to assess mergers, project, investment and M&A decisions

Thank you! (Takk!)

John Thirlwell
Tel: +44 (0)20 7628 4749
Mob: +44 (0)781 382 9362
Email: info@johnthirlwell.co.uk