Operational Risk Questionnaire


Operational Risk Questionnaire
A Framework for Operational Risk Management
Broad Street Banking | Operational Risk Questionnaire
Background on Operational Risk
• The New Basel capital requirements are based upon market, credit, and operational risk.
• The New Basel Capital Accord defines operational risk as:
“The risk of loss resulting from inadequate or failed processes, people and systems or from external events”
• Market and credit risk both have well-understood market conventions and are readily quantifiable. Operational risk management is at an earlier stage, and no market consensus on measurement and approach has yet formed.
• Best practices and industry trends are moving toward more active means of defining, measuring, monitoring, and mitigating operational risks.
BSB Questionnaire Framework
BSB proposes the following risk categories to establish what risks exist, and how management is or could be controlling risk:
• External Catastrophe
• Customer Relationships
• Service Provider Failure
• Key Control Effectiveness
• Regulatory
• Compliance with Commercial Contracts
• Fraud, Theft, and Vandalism
• People Management
• Compliance with Policies, Procedures and Practices
• Information Risk
• IT Security
BSB Approach – Risk Identification
Each risk category is intended to elicit risk information from a specific perspective.
• External Catastrophe - The risk that an external event would disrupt the ability of staff to access office locations or perform normally required tasks. These are risks that you can plan against but cannot prevent.
• Service Provider Failure - The risk that a service provider's failure to deliver expected services would hinder or prevent normal business activity. The risks in this category are those where there is excessive reliance upon an external or internal service provider or outsourced function, or where contingency plans do not exist or are inadequate. The principal risk in this category is that you will be unable to continue business, or will suffer significant deficiencies, due to failures or inadequacies in service provider delivery or outsourced functions.
• Regulatory - The risk that your activities will fail to comply with regulatory requirements and restrictions. The risks in this category are those where regulatory non-compliance results in a regulator response, up to and including a cease-and-desist order.
• Fraud, Theft, and Vandalism - The risk to you of an internal or external party committing fraud, theft, or vandalism, damaging BSB or its clients monetarily or in image.
• Compliance with Policies, Procedures, and Practices - The risk that you will fail to comply with internal policies, procedures, and practices, as well as industry best practices and ethical business practices. Not being in compliance with these practices would suggest that you are not managing your business and risks according to market standards.
• Customer Relationships - The risk that you will fail in the management of customer relationships and in the delivery of services to customers, causing monetary and reputational damage. The risks in this category are those that affect your market share, reputation, and profitability.
• Key Control Effectiveness - The risk that operational control points will fail to function as intended, putting you at risk of significant monetary losses, regulatory action, and reputational damage. The risks of ineffective controls are widespread, and affect many areas with a wide range of monetary, reputational, and regulatory implications. This category also covers the risk that you will have poorly structured behavioral and physical limits, or that those limits might be unenforced or circumvented, and the risk that controls are inefficient as well as ineffective.
• Compliance with Commercial Contracts - The risk that you will fail to comply with, or implement properly, commercial contracts, with potential monetary damage, legal exposure, and reputational damage. The risks in this category are those which affect the legal relationships between you and clients / counterparties. Incidents of this type could affect relationships, cause legal action, and adversely impact future ability to do business with the client / counterparty.
• People Management - The risk that you will fail to attract, manage, develop, and retain employees with the appropriate skills. The risk in this category is that you will, over the long term, fail to stay competitive and fail to have employees with the skills and training to engage in business in a prudent, well-controlled fashion. It also covers the risk that you will fail to organize your business in an appropriate way, resulting in an inefficient and operationally risky business structure, and the risk that you will choose inefficient or inappropriate measures of staff or business performance. The risk in this category is largely one of control and efficiency, which would affect long-term business risk, profitability, and competitiveness.
• Information Risk - The risk that you might manage your business or generate reporting based upon incomplete, inaccurate or inappropriate information, as well as the risk that BSB will not be able to access archived information.
• Infrastructure Security (IT View) - The risk that your IT security structure will fail to perform as intended, allowing
unauthorized access and data damage or loss.
BSB Risk Categories
The original 23 risk categories have been merged into 11, eliminating 12 descriptive answers and approximately 10 more repetitive lines of questioning.

Category: sub-category or line of questioning
1. External Catastrophe: External Catastrophe
2. Service Provider Failure: External Service Provider Failure; Outsourced Functions; Availability and Continuity of Systems (User View)
3. Regulatory: Regulatory; Reports
4. Fraud: External Fraud; Internal Fraud
5. Compliance with Policies, Procedures, and Practices: Compliance with Policies, Procedures, and Practices; Compliance with Practices and Rules; Improper Practices
6. Customer Relationships: Customer Risk Management; Customer Satisfaction
7. Key Control Effectiveness: Key Control Effectiveness; Empowerment and Authorization
8. Compliance with Commercial Contracts: Compliance with Commercial Contracts
9. HR Management: Human Resources Management; Role Definition; Performance Measurement
10. Information: Information Integrity; Information's Nature; Information Use
11. IT Security: Infrastructure Security (IT View)
BSB Risk Classification
For each risk category, the questionnaire will have one or several scenarios or risks. For each of these scenarios or risks, the following questions need to be answered:

Risk Severity
• What would be the impact on P/L?
• What would be the effect on customers and on your image?
• What is the frequency of this type of event or loss?
• What would be a typical loss from an incident of this type?

Management's Ability to Control
• How aware and involved is management in managing this risk? (Responsibilities defined, resources allocated, etc.)
• What is your assessment of the effectiveness and efficiency of the internal control system?
• Which of the following exist to address this type of operational risk? Policies, procedures, formal organization, formal limits, risk control system, monitoring system, regular or periodic reporting, management review
• Is data regarding this type of event or loss known, reported, and stored?
Questionnaire Format
(Figure: sample questionnaire layout showing the General Questions and the Risk Scenarios.)
Questionnaire Function
The questionnaire consists of approximately 100 risk scenarios, with 8 general questions to answer for each.
• 7 of the 8 questions are multiple choice, and have drop-down selection boxes to simplify the process for the user.
• 1 of the questions asks about the existence of certain risk management tools. In the answer space for this question are checkboxes, with a check signifying yes and an empty checkbox signifying no.
• Each of the 23 risk categories has one answer space for a text description of the risk situation, particularly significant risks or scenarios, and additional comments.
Questionnaire Output
• BSB has taken the approach that operational risk is best viewed in the context of a four-sectored grid, with Impact of Risk on one axis and Ability to Control Risk on the other:
  High Impact / High Ability    High Impact / Low Ability
  Low Impact / High Ability     Low Impact / Low Ability
• Highlighting high impact risks with a high degree of controllability gives BSB a starting point to reduce risk.
Answer Scoring
By employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type.
(Figure: the Impact of Risk / Ability to Control Risk grid with the following risk types plotted as points: External Catastrophe, External Service Provider Failure, Regulatory, Compliance with Policies, Procedures, and Practices, External Fraud, Customer Risk Management, Key Control Effectiveness. The plotted positions are not shown in the transcript.)
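The deck does not state how answers are scored or where the quadrant boundaries lie, so the following is an added illustration of one way to turn the eight general questions into grid coordinates; it is not BSB's scoring methodology. Assumptions: each drop-down answer is scored 1 (low) to 5 (high); the tools checklist is converted to the same scale by the fraction of boxes checked; the four severity questions are averaged into Impact of Risk and the four control questions into Ability to Control Risk with equal weights; a score above the scale midpoint counts as "High". The question keys and the four scenarios are constructed sample data.

```python
"""Added illustration: scoring questionnaire answers onto the Impact / Ability grid.

Assumed (not specified in the deck): each drop-down answer is scored 1 (low) to 5
(high); the tools checkbox question is converted to the same scale by the fraction
of boxes checked; a score above the scale midpoint counts as "High".
"""
from dataclasses import dataclass
from statistics import mean

SCALE_MIN, SCALE_MAX = 1, 5             # assumed answer scale
MIDPOINT = (SCALE_MIN + SCALE_MAX) / 2  # 3.0; scores above this are "High"

# The four Risk Severity questions (assumed key names).
SEVERITY_QUESTIONS = ("pl_impact", "customer_image_effect", "frequency", "typical_loss")
# Three of the four Ability to Control questions are drop-downs (assumed key names) ...
CONTROL_QUESTIONS = ("management_involvement", "control_effectiveness", "loss_data_known")
# ... and the fourth is the checkbox list of risk-management tools from the deck.
CONTROL_TOOLS = frozenset({
    "policies", "procedures", "formal_organization", "formal_limits",
    "risk_control_system", "monitoring_system", "periodic_reporting", "management_review",
})


@dataclass
class ScenarioAnswers:
    category: str
    scenario: str
    severity: dict    # question name -> answer in SCALE_MIN..SCALE_MAX
    control: dict     # question name -> answer in SCALE_MIN..SCALE_MAX
    tools: frozenset  # checked boxes, subset of CONTROL_TOOLS

    def validate(self):
        """Reject incomplete or out-of-range answers before they skew a score."""
        for group, expected in ((self.severity, SEVERITY_QUESTIONS), (self.control, CONTROL_QUESTIONS)):
            missing = set(expected) - group.keys()
            if missing:
                raise ValueError(f"{self.scenario}: unanswered {sorted(missing)}")
            bad = {q: v for q, v in group.items() if not SCALE_MIN <= v <= SCALE_MAX}
            if bad:
                raise ValueError(f"{self.scenario}: out-of-range answers {bad}")
        unknown = self.tools - CONTROL_TOOLS
        if unknown:
            raise ValueError(f"{self.scenario}: unknown tools {sorted(unknown)}")


def impact_score(a: ScenarioAnswers) -> float:
    """Impact of Risk: mean of the four severity answers (assumed equal weights)."""
    a.validate()
    return mean(a.severity[q] for q in SEVERITY_QUESTIONS)


def control_score(a: ScenarioAnswers) -> float:
    """Ability to Control Risk: mean of the three control drop-downs and the tools checklist."""
    a.validate()
    tools_as_scale = SCALE_MIN + (SCALE_MAX - SCALE_MIN) * len(a.tools) / len(CONTROL_TOOLS)
    return mean([a.control[q] for q in CONTROL_QUESTIONS] + [tools_as_scale])


def quadrant(a: ScenarioAnswers) -> str:
    """Sector of the four-sectored grid the scenario falls into."""
    impact = "High" if impact_score(a) > MIDPOINT else "Low"
    ability = "High" if control_score(a) > MIDPOINT else "Low"
    return f"{impact} Impact / {ability} Ability"


def plot_by_quadrant(scenarios):
    """Group scenario names by grid sector: the textual form of the deck's plot."""
    grid = {f"{i} Impact / {c} Ability": [] for i in ("High", "Low") for c in ("High", "Low")}
    for s in scenarios:
        grid[quadrant(s)].append(f"{s.category}: {s.scenario}")
    return grid


def starting_points(scenarios):
    """High Impact / High Ability scenarios, most severe first: the deck's starting point."""
    hits = [s for s in scenarios if quadrant(s) == "High Impact / High Ability"]
    return sorted(hits, key=impact_score, reverse=True)


# Constructed sample answers for four scenarios (not real BSB data).
SAMPLE = [
    ScenarioAnswers("External Catastrophe", "Regional power outage closes the main office",
                    {"pl_impact": 4, "customer_image_effect": 4, "frequency": 2, "typical_loss": 4},
                    {"management_involvement": 4, "control_effectiveness": 4, "loss_data_known": 3},
                    frozenset({"policies", "procedures", "monitoring_system", "periodic_reporting"})),
    ScenarioAnswers("IT Security", "Stolen credential used to reach customer data",
                    {"pl_impact": 5, "customer_image_effect": 5, "frequency": 2, "typical_loss": 4},
                    {"management_involvement": 2, "control_effectiveness": 2, "loss_data_known": 1},
                    frozenset({"policies"})),
    ScenarioAnswers("Regulatory", "Periodic report filed late",
                    {"pl_impact": 2, "customer_image_effect": 2, "frequency": 3, "typical_loss": 1},
                    {"management_involvement": 4, "control_effectiveness": 3, "loss_data_known": 4},
                    frozenset({"policies", "procedures", "formal_organization",
                               "periodic_reporting", "management_review"})),
    ScenarioAnswers("People Management", "Key desk head leaves without a successor",
                    {"pl_impact": 3, "customer_image_effect": 2, "frequency": 3, "typical_loss": 2},
                    {"management_involvement": 2, "control_effectiveness": 2, "loss_data_known": 2},
                    frozenset()),
]

if __name__ == "__main__":
    for sector, names in plot_by_quadrant(SAMPLE).items():
        print(f"{sector}: {names}")
    print("Starting points:", [s.scenario for s in starting_points(SAMPLE)])
```

With these constructed answers the power-outage scenario lands in High Impact / High Ability and is the only starting point; the credential-theft scenario scores highest on impact but falls into High Impact / Low Ability because management involvement, control effectiveness and loss data are all weak. Whatever weights and thresholds are eventually chosen, validating every answer before scoring matters: a blank drop-down silently averaged as zero would push a scenario toward "Low" on both axes.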
Contact Us
David E. Fisher, 203.434.7545, [email protected]
Maurice A. Krisel, 203.331.5644, [email protected]