Transcript RISK MANAGEMENT

OPERATIONAL RISK MANAGEMENT
ASSURANCE , concept , tools and toolkits
PRESENTER : Roy Akalah, CISA,
President, ISACA Kenya Chapter
www.isaca.or.ke:
[email protected];
[email protected]
17 FEBRUARY 2011
1
OPERATIONAL RISK MANAGEMENT
ASSURANCE , concept , tools and toolkits







DEFINITION
OPERATIONAL RISK MANAGEMENT
OBJECTIVES
TOOLKITS
SELF ASSESSMENT
REPORTING
ESSENTIALS /CHALLENGES
2
CAVEAT




PRESENTER IS INDEMNIFIED FROM ANY RESPONSIBILTY ARISING
FROM LACK OF MANAGEMENT SUPPORT / BUY-IN LEADING TO
INABILITY TO IMPLEMENT THE FRAMEWORK WITHIN YOUR
ORGANISATION
THIS IS NOT EXHAUSTIVE BUT RATHER A GUIDE TO ENABLE YOU
SET UP A FRAMEWORK. CONTACT PRESENTER FOR DETAILED
INFORMATION THAT YOU MAY REQUIRE.
THIS IS NOT PROPRIETARY INFORMATION. VIEWS /COMMENTS
EXPRESSED BY PRESENTER DO NOT REPRESENT ANY
ORGANISATIONS CORPORATE VALUES OR POLICIES
GENDER REFERENCE IMPLIES BOTH MALE AND FEMALE
3
Operational Risk Management

What is Operational Risk ??
Probability of loss resulting from
inadequate or failed internal processes,
people and systems, or from external
events”
4
Operational Risk Management

Operational Risk : -Arises from failure to
properly control key aspects of an
organisations activities, e.g.
Documentation, Processing, Settlement
and Accounting of transactions and
External hazards.
5
Operational Risk Management

It is therefore important as an organization
to ensure that Operational Risk
management framework is robust, well
embedded and allows for identification ,
management and measurement and
reduction /mitigation of Operational Risks
in a timely manner.
6
Operational Risk Management

These risks and hazards can be caused by internal
and/or external sources relating to fraud, business
interruptions and system failures, damage to
physical assets, execution and service delivery,
clients, products and business practices. The risks
and losses can occur in all aspects of the
businesses, and support functions across all legal
entities. The impact of losses can be severe at
times and have a resultant impact on reputation.
7
Operational Risk Management

Key objectives :



Ensuring continued solvency of the organisation through capital
adequacy and enhanced understanding and management of
significant Operational Risk exposures.
Ensuring that customer impact is minimized through proactive and
focused risk management practices.
Ensuring senior management attention on significant Operational Risk
exposure areas and mitigating risks is prioritised, focused and
adequate.
Ensuring that staff are sufficiently incentivised to perform their risk
management roles & responsibilities diligently.
8
Operational Risk Management
Key Objectives
 Setting, communicating and monitoring high level
policy & procedures on OR.
 Maintaining an organisation-wide framework for
Risk so that organisation and its support functions
can consistently identify, assess and respond to
internal and external changes in operating
environment.
 Collating information and trends on gaps, risks,
breaches and control failures.
9
Operational Risk Management
Key Objectives
 Reporting significant Operational Risks and
corporate governance issues to senior
management and the Board.
 Granting dispensations for non-compliance
with policy, as required.
 Developing and then maintaining a risk
tracking system.
10
ORGANISATION STRUCTURE
ORM
U/BORM U/BORM U/BORM
RP
RP
RP
REPORTING STRUCTURE
ORG
U/BORG U/BORG U/BORG
Operational Risk Management
Toolkits
Key Risk Indicators - statistical
 Key Control Standards –Define
expected controls
 Key Control Self Assessments –
analytical
 Risk Grading Structure

13
Operational Risk Management
Type
Standard or
Customised
Purpose
Example
Key Risk
Indicators
Developed and
customised unit
Determine key risk
indicators for the high
and medium risk areas
identified for the unit
Nos. of internal fraud
incidents; No. of staff
double hatting; No. of
breaches of delegated
authority; No. of
documents past review
date; Nos. of legal actions
in department; Staff
turnover; Unplanned
system downtime; Block
leave outstanding, etc.
KRIs should be reviewed
monthly and trends
assessed to identify
potential risks for the
unit.
14
Operational Risk Management
Toolkits
Type
Standard or Customised
Purpose
Example
Generic Key Control
Standards
Standard
Set minimum Operational Risk
standards (including Corporate
Governance Standards) for all
business and functional units
to establish controls and
monitor risks through Key
Control Standards and Key
Risk Indicators.
Minimum standards in areas
such as segregation of duties,
defined roles, staff
competency, delegated
authorities, adequate staff
levels, system security,
Business Continuity, Disaster
Recovery, staff/premises
protection, formal
procedures, SLAs, Insurance,
legal agreements, Regulatory
rules, ethical standards, legal
actions, external
infrastructure, reputation,
environmental issues,
15
Operational Risk Management
Toolkits
Type
Standard or
Customised
Purpose
Example
Key Control
Standards and
Key Control Self
Assessment
Developed and
customised by
unit *
Determine key control
standards (for high and
medium risk areas as a
minimum) and implement a
risk monitoring plan (KCSA)
for reviewing ongoing
compliance with Key
Control Standards. Control
Standards should be
customised for unit ,
commensurate with risk
profile.
Periodic confirmations of
adequacy of controls e.g.
review delegated authorities,
Job Descriptions are up to
date, review standardised
documentation, product
programmes are in place and
up to date, review BCP plans
are up to date and tested
16
Operational Risk Management
Toolkits
Type
Standard or
Customised
Purpose
Example
Risk grading
Structure
Standard
To facilitate risk
assessment and risk
reporting / escalation
Assess risks in terms of
impact and probability
in accordance with risk
grading structure e.g.
(4,3) i.e. Impact 4,
Probability 3.
17
Operational Risk Management –
Self Assessment





Self assessment of risks should be undertaken regularly and linked to
likelihood and impact. Exceptions once identified should be risk graded
and reported as per the exception-reporting framework
All units must identify any other specific areas of risk relevant to the
business and should take account of risks identified through various
sources including the following:
Loss data (e.g. frauds, operational losses, fines)
Top five event risks
Issues raised at ORG and KCS and KRI exception reporting
Regulatory inspections and reviews
18
Operational Risk Management –
Reporting
Significant Operational Risk Exception Report



Purpose :- Reports significant operational risk issues and control
weaknesses. Monitors progress against defined action plans to resolve
control weaknesses.
Summarises issues for reporting and discussion at ORGs and elevation of
key business issues to Businesses Operational Risk functions.
Author :- Departmental Heads
Audience :- Department Heads , ORGs , Business Operational Risk
functions
19
Operational Risk Management –
Summary of Top Event Risks




Identifies and monitors most significant event risks
and help management ensure risks are adequately
identified and mitigated.
Consolidated reporting to Audit and Risk Committee .
Author : Managers and ORG members
Audience:- Senior Management, Operational Risk,
Audit and Risk Committee,
20
Operational Risk Management
Essentials /Challenges
 Ensure Operational Risk policies and procedures are in place that reflect
industry practice. These include toolkits to help identify, assess, control,
manage and report on key Operational Risks.

Ensure roles and responsibilities are agreed and clearly understood by all
management levels.

Ensure all staff, in organisation and support functions, are aware of
their responsibilities for Operational Risk management.

Consider the potential Operational Risk impact of organisations
activities and products at their outset with a view to minimising these as
far as possible.
21
Operational Risk Management
Essentials /challenges

Ensure there are structured processes to report control failures to designated
individuals and escalate material issues to Risk Committees as appropriate.

Ensure staff are given Operational Risk training appropriate to their roles.

Ensure staff and organisation assets are adequately protected.

Establish workable Business Continuity Plans (including Disaster Recovery and
Crisis Management procedures) to minimise the impact of unplanned events
on business operations and customer service.

Minimise the financial impact of operational losses, through the utilisation of
insurance or other risk transfers where appropriate.
22
Operational Risk Management
QUESTIONS / COMMENTS
23