
Operational Risk
6th ACSDA International Seminar
Punta del Este, Uruguay - October 27-28, 2005
Mary Ann Callahan, DTCC
Agenda
• Defining Operational Risk
• Demystifying Operational Risk Management from Basel II
• Key measures and elements of an Operational Risk Management framework
• DTCC’s experiences in developing and implementing an Operational Risk Management Program
Traditional view of Op Risk
Generally managed in a less explicit way:
• Ambiguous responsibility and accountability for identification, monitoring and management
• Weak issue-monitoring and escalation processes
• Lack of statistically significant loss data
• No common perspective, language and culture throughout or across organizations
• Weak linkage of risk management framework with measurement of people and business performance
Operational Risk as defined by the Basel Accord (2003)
“The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”
-- Basel Committee on Banking Supervision
… and especially for CSDs, don’t forget about reputational harm
The Basel II Accord
• Effective 2006, some banks will be required to set aside capital specifically for Operational Risk.
• US implementation for largest banks now set for three-year transition beginning in 2007.
• The accord requires the affected largest banks to adopt both qualitative and quantitative framework elements for Risk Management.
Some Operational Risks at a CSD
• Customer Confidentiality Failure
• Fraud
• Computer Hacking
• Settlement Fails
• Terrorist Threats
• Data Entry Errors
• Governance Issues
• Incomplete Due Diligence
• Corporate Actions Losses
• Missing Certificates
Operational Risk Categories
Mapping the Operational Risk Landscape: DTCC Example
• Execution, Delivery & Process Management Risk
  – Customer Service & Interaction Risk
  – Liquidity Risk
  – Legal & Regulatory Risk
  – Financial Controls & Reporting Risk
• People & Culture Risk
  – Key Person Risk
  – Brand Image Risk
  – Employment Practice Risk
• Technology Risk
  – Infrastructure Risk
  – Security Risk
  – Hardware Risk
• Business Continuity Risk
  – Business Resumption Risk
• External Risk
  – External Fraud Risk
  – Physical Asset Risk
  – Utility Risk
What Operational Risk is Not:
• Credit Risk
• Market Risk
• Strategic Risk
Operational Risk is NOT LIMITED to the processing-type of risks generally associated with a back-office operation.
Why Focus on Operational Risk Management?
• Largest losses in the financial services industry are attributed to Operational Risk
• Good business sense
• The new world post-September 11, 2001, and resulting regulatory requirements
• Potentially lower capital charges for CSD and its members
Examples of Op Risk Failures
• Enron
• Sumitomo Bank
• Arthur Andersen
• Tyco
• Allied Irish Bank
• Barings
• August 2003 Blackout
• Parmalat
• REFCO
• Hurricane Katrina!
Basel II Focus – Three Pillars
• Minimum capital requirements
• Supervisory review of capital adequacy
• Market discipline through effective disclosure
Basel II 3 Pillar Concept
Pillar 1 – Minimum Capital Charge
• Establish risk sensitive minimum capital requirements
• Rules for calculating credit and operational risk capital
• Menu of options from simple to advanced
Pillar 2 – Supervisory Review
• Encourages development of better risk management techniques
• Assesses ability to measure economic capital
• Allows for capital add-ons by supervisors
Pillar 3 – Market Discipline
• Reinforces capital regulation/supervisory efforts
• Greater transparency/disclosure trade-off for use of internal measurement approaches
Further Basel Guidance on Sound Practices
• Board of Directors approve framework and understand major risks
• Consistent transparency and reporting of risk and control
• Operational Risk framework that is well understood and consistently implemented throughout the institution
• Ongoing risk identification and assessment for all material products, activities, processes and systems
• Risk monitoring and reporting
• Policies, processes and procedures to document effective mitigation of risks
• Regular internal audit coverage of operational risk framework
• An organization’s use of third parties does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.
Goals and Objectives
• Consistent approach
• Timely, accurate, meaningful reporting
• More robust analysis
• Risk-focused data
• Better enables decision making and effective oversight role by Senior Management
• Business ownership for risk information embedded throughout management
• Measure actual risk level against risk appetite
• Gain benchmarking perspective
• Less resource intensive
• Leveraging technology
• Determine capital requirements (possible change) and allocate capital
Operational Risk Management Components
• Identify & Assess Risk
• Monitor Risk
• Manage Risk
• Measure Risk
• Disclose Risk
Program Components
• Risk and Control Self-Assessment
• Key Risk Indicators
• Enterprise-wide reporting
• Leveraging off existing risk event information
An Op Risk Management Framework
Operational Risk Governance: Vision, Guiding Principles, Risk Strategy, Risk Appetite, Organization Structure, Risk Glossary
Framework columns:
• Risk Identification & Assessment – Risk and Control Self Assessments (RCSA)
• Risk Monitoring – Key Indicators (KIs)
• Risk Measurement – Loss Data
• Strategy – Business Initiatives
Common elements across the framework:
• Common Organizational Hierarchy
• Common Risk Definitions
• Common Control Themes
• Key Process Focus
• Validating Components
Risk Reporting
DTCC’s Operational Risk Management Initiative
DTCC Operational Risk Objectives
• Establish a common risk language across the organization
• Define the organization’s risk tolerance
• Foster a climate where risks are identified and openly discussed by all departments and employees
• Inform senior management and Board about Operational Risk across the enterprise
• Reinforce transparency and comply with regulatory expectations
Program Components
• Risk and Control Self-Assessment
• Key Risk Indicators
• Enterprise-wide reporting
• Leveraging off existing risk event information
An Operational Risk Framework
Stage 1: QUALITATIVE ASSESSMENT – Identification, Prioritization and Assessment of Operational Risk
Stage 2: RISK MONITORING – Monitoring of Risk and Process Indicators to Track Operational Risk Level, Modify Risk Profile and Improve Business Processes
Stage 3: QUANTITATIVE VALIDATION – Identification and Measurement of Operational Risk Events, including Near Misses
(Diagram labels: Stage 1 covers Risk Identification, Risk Assessment and Risk Mitigation; Stage 2 adds Risk Monitoring; Stage 3 adds Risk Measurement.)
Status of Effort to Date
• Governance Structure in place
• Corporate Policy and other documents issued
• Risk & Control Self-Assessment (RCSA) process piloted, improved, formalized and completed for all identified DTC “high risk areas”
• Six month RCSA process initiated
• Key Risk Indicator process piloted
• Third Party software selected
Governance Structure
• Board of Directors
  – Membership & Risk Management Committees
  – Audit Committee
  – Operations and Planning Committee
• DTCC Management Committee
• DTCC Internal Risk Management Committee
• Operational Risk Working Group
Our RCSA Process
• Planning Stage
• Conduct RCSA
• Review & Validate RCSA (Team)
• Rate Inherent Risks
• Prepare Presentation for Dept. Management
• Management Sign Off
RCSA Planning Stage
• Research & Gather Information
• Conduct a Planning Meeting with Dept. Management
• Identify Assessment Team(s)
• Introduce the RCSA Concept
• Schedule Facilitated Sessions
Conduct RCSA
• Conduct facilitated sessions
• Populate RCSA Template
  – Identify and Describe Risk Mitigants
  – Rate Mitigant Importance and Effectiveness
  – Provide Additional Comments or Define Issue
  – Rate Issue Severity
  – Accept Risk or Formulate Action Plan Target Date
RCSA Review & Validation
• Team reviews the template that has been completed over the course of the facilitated sessions to ensure accuracy
• Team validates its risks, mitigants, action plans and accepted risks, prepares management presentation.
Rate Inherent Risk
• Absence of Mitigants
• Two Components for Each Sub-Risk
  – Severity (Impact)
  – Frequency
• Requires Consistency Across the Organization
Inherent Risk Rating Matrix

Rating    | Severity (Impact)                                            | Frequency
Very Low  | Notify Manager/Director; less than $150,000                  | Could occur annually
Low       | Notify Vice President; $150,000-$249,999                     | Could occur quarterly
Medium    | Notify Managing Director; $250,000-$499,999                  | Could occur monthly
High      | Notify DTCC Management Committee Member; $500,000-$1,000,000 | Could occur weekly
Very High | Notify CEO or COO; in excess of $1 million                   | Could occur daily
Inherent Risk Rating Worksheet

Sub-risk Name               | Severity | Frequency | Rationale
Key Person Risk             |          |           |
Adequacy Risk               |          |           |
Internal Theft & Fraud Risk |          |           |
Culture Risk                |          |           |
Workplace Safety Risk       |          |           |
Continuous Improvement
• Team feedback
• Rewards and Recognition
• Chairman’s Acknowledgement
• Loop-back to Subject Matter Experts
2005 Objectives
• Complete RCSAs for ALL DTCC High Risk Areas
• Install, test and implement a system for self-assessments
• Enhance Enterprise-wide Operational Risk Management Reporting
2005 Objectives – cont’d
• Considering the purchase of an external Loss Event database to augment internal causal analysis
• Continue Regulatory Meetings
• Roll-out Key Risk Indicator methodology