This presentation provides insights on how the proper implementation of Operational Risk Management can lead to effective risk profiling, analysis and mitigation. It introduces operational risk as a bedrock for meaningful risk management irrespective of which industry an organization plays in.
2. OUTLINE
1. Introduction
2. What is OpRisk Mgt
3. Classification of OpRisk
4. Components of OpRisk
5. OpRisk Identification
6. Methods of OpRisk Identification
FBN CCPD, 2014 (ORGANIZED BY CIBN)
7. OpRisk Tools
8. Understanding & Mapping OpRisks
9. Challenges of OpRisk
10. Prioritizing Risks
11. Risk Treatments
2
3. INTRODUCTION
Operational risk, broadly speaking, is the risk of loss resulting from any operational failure in a
organization
Such events include direct and indirect actions that may lead to increased errors, system failures, acts
of nature, non-adherence with internal policies land regulatory stipulations
Operational Risk is the responsibility of all staff in an organization – junior, middle and senior staff
Involves interfacing with all business units with all business areas in the organization
FBN CCPD, 2014 (ORGANIZED BY CIBN)
3
4. WHAT IS OPERATIONAL RISK
‘the risk of loss resulting from inadequate or failed internal processes, people and
systems or from external events’…Basel Definition
‘the risk of loss resulting from inadequate or failed internal processes, systems or
human factors, or from external events. It includes the reputation and franchise risk
associated with business practices or market conduct in which the Company is
involved’…Citigroup Definition
FBN CCPD, 2014 (ORGANIZED BY CIBN)
4
5. CLASSIFICATION OF OPRISK
Operational risk can be classified according to the following:
─ The nature of the loss: internally inflicted or externally inflicted
─ The impact of the loss: direct losses or indirect losses
─ The degree of expectancy: expected or unexpected
─ Risk type, event type, and loss type
─ The magnitude (or severity) of loss and frequency of loss
FBN CCPD, 2014 (ORGANIZED BY CIBN)
5
6. OPRISK COMPONENTS IN OTHER KEY RISKS
Credit Risk
─ Documentation issues, rate change issues, appropriate portfolio classification, error rates, manual
processes, non-adherence with approved contract terms and risk rating…
Market Risk
─ Instituting and adhering to limits, manual processes, non-adherence with policy guidelines, manual
processes, key man risks…
Strategic Risk
─ Non-monitoring of milestone achievements or failures, non-adherence with agreed strategic plan,
failure to review plans for consistency with business environment
Reputational Risk
─ Non-monitoring of internal and external factors that could have adverse impact on brand equity /
public perception
FBN CCPD, 2014 (ORGANIZED BY CIBN)
6
7. OPRISK IDENTIFICATION
This process entails the recognition, categorization, prioritization and enlisting of prevalent risks in the
organization
It usually starts with the review of issues / concerns affecting a business process, product or service;
thereafter close monitoring and tracking of key issues that might affect set goals and objectives is
embarked upon
The identification of risks also allows for conduct of causal analysis which enables better
understanding and categorization of risk drivers
Classification of risk drivers reduces redundancy and ensures easier management of risk factors in
later phases of the risk management process; classifying risks also provides for the creation of risk
checklists, risk registers, and databases for future projects
FBN CCPD, 2014 (ORGANIZED BY CIBN)
7
8. METHODS FOR OPRISK IDENTIFICATION
Documentation Review
Other Information Gathering Techniques such as Interviews with Process Owners
Conduct of Surveys
Checklist Analysis
Root Cause Analysis
Assumption Analysis
FBN CCPD, 2014 (ORGANIZED BY CIBN)
All of these tools can be used in developing a database
of key risk factors to be monitored by the
organization…
“KKeeyy Key RRiisskk Risk IInnddiiccaattoorr DDaasshhbbooaarrdd”
8
9. OpRisk Tool: RISK CONTROL SELF ASSESSMENTS (RCSA)
RCSA is a simple process by which the risk profile of an organization can be ascertained and prevalent
risks and controls evaluated
It is a participative process that relies on inputs from everyone involved in running the business or
managing relevant processes
It is qualitative and therefore cannot be analyzed for corrective actions
Frequency of exercise should be derived by a risk-based approach
FBN CCPD, 2014 (ORGANIZED BY CIBN)
9
10. OpRisk Tool: LOSS DATA COLLATION
Process of collating data resulting from operational risk events relating to people, process, system and
external events risks
Assists with identifying trends
Ensures cost-effective controls are deployed to mitigate likely risks
Enables determination of risk concentration and adequate capital charge estimation
Loss data includes:
─ Actual losses
─ Near misses (potential and prevented losses)
FBN CCPD, 2014 (ORGANIZED BY CIBN)
10
11. OpRisk Tool: BUSINESS CONTINUITY MANAGEMENT
Management of an end-to-end process from incident management to full restoration of all services and
business processes
It involves putting in place strategies for all operational risk elements (people, process, systems and
external events) to enable an organisation respond appropriately when a disaster occurs:
─ Response
─ Resumption
─ Recovery
─ Restoration
It requires that recovery plans are put in place for all departments and business activities of the Bank
It also requires that business functions are ranked in order of priority to the organization in terms of
financial or reputational relevance
FBN CCPD, 2014 (ORGANIZED BY CIBN)
11
12. OpRisk Tool: KEY RISK INDICATORS (KRIS)
Quantitative parameters used to identify changes in the risk profile of business activities and
processes
Examples include:
─ Number of training interventions per staff per year; Exit rate
─ Number of fire / robbery incidents recorded; Link availability per month
Enables the following:
─ Clear understanding of how risk profiles change
─ Determination of volatility of risks across the business environment
─ Providing a forward looking perspective on current risk profile
─ Understanding of early warning signals for emerging risks
FBN CCPD, 2014 (ORGANIZED BY CIBN)
12
13. OpRisk Tool: KRIS (cont’d)
Are measurable metrics that identify trends and track possible exposures; they are quantitative
parameters used to identify changes in the risk profile of business activities and processes
KRIs enable the following:
‒ Determination of volatility of risks across the business environment
‒ Determination of risk concentrations
‒ Determination of risk patterns
Objectives for having defined KRIs should include:
‒ Ensuring that a process for predicting the pattern / behaviour of current risk profile is in place
‒ Enabling early warning signs for emerging risks to be picked up as they crystallize
FBN CCPD, 2014 (ORGANIZED BY CIBN)
13
14. OpRisk Tool: OPRISK REPORTING
Periodic detailing of OpRisk trends identified from Key Risk Indicator trending, Loss Data Collation
trends and key risks identified from RCSA reviews
Should be circulated to key decision-makers within the organization
Should highlight key risks identified with recommended mitigants for controlling respective risks
Should serve as a decision-making tool for budgeting and resource allocation
FBN CCPD, 2014 (ORGANIZED BY CIBN)
14
15. UNDERSTANDING & MAPPING THE RISK LANDSCAPE
Understand the strategic intent of the organization in the short, medium or long term
Drill this into expected deliverables within the respective timeframes
Determine core business activities that would be focused on to achieve these expected deliverables
Isolate the core drivers of these core business activities
Develop quantitative parameters for tracking these core drivers
Agree on trigger limits with business process owner
FBN CCPD, 2014 (ORGANIZED BY CIBN)
15
16. UNDERSTANDING & MAPPING THE RISK LANDSCAPE (CONT’D)
Monitor the trends of these parameters, where adverse trends are observed:
‒ Conduct a Causal Analysis to determine prevalent risk factors
‒ Determine areas of the business affected by this adverse trend
‒ Identify likely constraint to the organization resulting from this adverse trend
‒ Estimate impact and severity to the organization should the risk crystallize
‒ Report on risk trend identified
FBN CCPD, 2014 (ORGANIZED BY CIBN)
16
17. KEY OPRISK PROBLEMS
Determine the risk tolerance levels or thresholds for each major operational risk
Determine optimal risk treatments in terms of risk-control and risk-transfer relationships in the
context of cost-benefit analysis
Determine the impact that decisions taken by Management would have on the organization’s
exposure to operational risk
FBN CCPD, 2014 (ORGANIZED BY CIBN)
17
18. PRIORITIZING RISKS
Requires the estimation of risk factors into defined categories for risk treatment
These categories are:
High – Medium – Low Risks (for 3-tiered Risk Bands)
High – Medium/High – Medium – Medium/Low and Low Risks (for 5-tiered Risk Bands)
These bands are defined to direct the organization on appropriate risk treatments required for
identified risk factors; defined risk categories are also indicative of likely risk exposure (impact x
probability)
High Probability
Medium Probability
Low Probability
FBN CCPD, 2014 (ORGANIZED BY CIBN)
Low Impact Medium Impact High Impact
18
19. PRIORITIZING RISKS IN YOUR ORGANIZATION
Risk prioritization must be based on the following:
‒ The Risk Appetite of the organization
‒ The Business Model of the organization
‒ Regulatory Requirements
‒ Business objectives in the short, medium and long terms
‒ Risk – Reward Analysis
‒ Response style of the organization
‒ Maturity of the Risk-Aware Culture
FBN CCPD, 2014 (ORGANIZED BY CIBN)
19
20. DEALING WITH THE RISK EXPOSURES
Terminate: when cost is higher than benefit; no competencies for managing risk
Tolerate: when cost is within risk appetite levels or insignificant to benefit; no brainer
Treat: when benefit from business venture is seriously threatened; staff and business model /
structure can implement and support control
Transfer: when benefit is threatened but staff / business model may not support required control
(risk may be shared or transferred completely)
FBN CCPD, 2014 (ORGANIZED BY CIBN)
20
21. CONSIDERATIONS FOR SELECTING APPROPRIATE ACTION PLANS
Policy Changes: Consider regulatory / legal / ethical issues such as modifications of banking & related
policies
In-House Actions: Consider appropriate plans that would fit into the organization’s business strategy /
model / structure, and culture
Simplicity: Action plans should be rid of complexities / complex methodologies which might sabotage the
correction process; new process / control should be easy for auditors to review
Implementation: Incorporation of related activities into routine business processes should be seamless;
relevant parties should be carried along; cost effectiveness considered
Review: Tracking of implementation should be easy; effectiveness of control should be tested periodically
FBN CCPD, 2014 (ORGANIZED BY CIBN)
21
23. CONCLUSION
A qualitative Risk Assessment is usually the first step required for identifying prevalent risk drivers and
attributes
It is important that the Risk Assessment approach adopted is based on the organization’s culture, behaviour
and attitude in managing issues
The Risk Maturity of the Organization should also be considered
For very structured organizations, brainstorming approaches would yield better results whilst for less
structured organizations the conduct of interviews would be more worthwhile
For optimal results, a hybrid approach with all levels of staff involved is highly recommended; this way both
strategic and operational risk exposures organization-wide are unearthed
FBN CCPD, 2014 (ORGANIZED BY CIBN)
23
24. FOOD FOR THOUGHT
“The key to successful ERM practices depends on the behavioural attributes of the
organization at all levels.” – RIMS
“One of the greatest contributions of a risk manager – arguably the single greatest –
is just carrying a torch around and providing transparency.” Enterprise Risk
Management, (Chapter 5 “Becoming the Lamp Bearer” by Anette Mikes)
FBN CCPD, 2014 (ORGANIZED BY CIBN)
24
25. THANK YOU Thank you
25
Eneni Oduwole
eneni.oduwole@dangote.com;
234-8033045896