Operational Risk Management Framework And Control Self


Implementing Operational Risk in an
Enterprise Risk Management Framework
William Gonyer
Managing Director
Broad Street Banking I Operational Risk Management
Session Outline
• Operational Risk as a component of ERM;
• BIS II defined, and as a template for an ORM program;
• The Pillars of Hercules and Basel II's European Flavor;
• One Man's Struggle for European Convergence;
• Campaign Promises, a Big Stick and the art of moral suasion;
• ORM for Less than a Million Euros;
• COSO, SOX and the World Today.
How Does ORM Fit Within ERM as Defined?
"… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives."
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.
Operational Risk
Operational Risk is a pragmatic approach to many of the risks covered within an ERM framework. OR is defined by the Bank for International Settlements as "the risk of losses arising from inadequate or failed internal processes, people, systems, or external events."
• Targeted at banking institutions by the BIS.
• Three "Pillars": minimum capital requirements, supervisory review of capital adequacy, and public disclosure.
Pillar 1 – Minimum Capital Requirements
The capital ratio is calculated using the institution's available capital as the numerator and its risk-weighted assets as the denominator. The minimum capital ratio is 8%.
Risk-weighted assets come from credit and market activities; Basel II introduced the added component of Operational Risk.
Weighing the Assets of Operational Risk
Basel II provided three methods for calculating the Operational Risk component of the capital equation:
• Basic Indicator Approach;
• Standardized Approach; and
• Advanced Measurement Approaches (AMA).
The Basic Indicator Approach
Under the basic indicator approach the "weight of the asset" is calculated as the three-year average of gross income multiplied by a fixed charge of 15%.
This approach is intended for a financial institution with less complex operations.
The Standardized Approach
Under the standardized approach the gross income of a defined business unit is multiplied by a percentage associated with the type of business:

Corporate finance: 18%
Trading and sales: 18%
Retail banking: 12%
Commercial banking: 15%
Payment and settlement: 18%
Agency services: 15%
Asset management: 12%
Retail brokerage: 12%
Advanced Measurement Approaches
A financial institution utilizes its own risk measure, generated by its Operational Risk measurement system. The specific methodology must be approved by its regulatory supervisor.
Pillar II – Supervisory Review of Capital Adequacy
Capital adequacy is something we are all familiar with, but in the broker/dealer industry there is no specific requirement to calculate a capital component for OR.
Experience shows that in the distant past regulators looked to a multiple of regular required capital to cover undisclosed risk as an informal buffer. The buffer served as a discussion point with the regulator.
Pillar III – Market Discipline
Public disclosure is limited for the broker/dealer industry, as there is no specific requirement for adoption of an Operational Risk program, its capital, or its disclosure requirements.
There are, however, requirements under Generally Accepted Accounting Principles that material, expected losses be disclosed.
The implementation process
(Process diagram) Requirements Definition; Results and Findings; Self-Assessment; Management Buy-in; Project Management.
Implementation Case Study
Implementation began in August 2001 at the US subsidiary of a fully licensed "universal bank" in France, where implementation was a (regulatory) requirement.
Ixis was an investment bank with two US registered B/D subsidiaries. The bank's headcount was about 350, with a balance sheet of approximately $45 billion in assets and revenue of $340 million. By the end of implementation, organic growth had increased headcount to 500, assets totaled $60 billion and revenue exceeded $500 million.
Management Buy-In – The Key to Any Successful Implementation
Ixis' management was very decentralized, in that departmental management had significant authority within functional domains and budgetary constraints.
• There was a management committee of up to 7 members.
• There were 17 departmental cost centers.
• These two groups were the focus of attention to sell the program and establish strategic and operational mandates.
Background and Preparation
The OR compliance manager provided a briefing on the requirements and sample self-assessment questionnaires.
• An intensive study of the BIS information on the subject from their website provided additional context for the self-assessment and OR measurement requirements.
• Contacts were made with departments who were working together to perform the self-assessment at the bank's capital markets sister company in Paris.
• In consultation with the CEO, the OR team put together a plan for local implementation along with a budget for the next year.
Implementation of OR Program
Armed with Head Office's compliance requirement and the CEO's buy-in, a 7 to 8 member working group was established to build the Self-Assessment of OR questionnaire. The department heads in this group were selected based on a number of factors:
• Department HC and budget;
• Functional risks within departmental domains; and
• Departmental manager's relative influence or expected importance for the OR program's success.
Factors Considered for Committee Members
These factors relate to the OR definition "the risk of losses arising from inadequate or failed internal processes, people, systems, or external events", such as the department headcount and budget and the risks associated with the department's responsibilities.
Another consideration was the departmental manager's relative influence or expected importance for the OR program's success.
Selling OR to Management
The following rationale helped convince working group or committee members of the value of the OR program and their active participation:
• Better that we direct the program than have HO define local implementation;
• Better to establish a local process for management of capital requirements than accept a HO push-down;
• An opportunity to perform a company-wide self-assessment;
• Individual departments get a 2 for 1: as risks are defined and acted upon, audit findings diminish, with the OR budget footing the bill. Departments don't get penalized for weaknesses related to the risks identified.
Self-Assessment of Operational Risk
The working group began the development of a baseline self-assessment questionnaire. The questions were categorized according to the BIS table "Detailed Loss Event Type Classification." A key objective for the self-assessment was that it follow the BIS classification and that the end-product questionnaire would quantify loss risk and produce a "heat map" by business line. Business lines were based on departments, which were aligned with the BIS business types listed under the Standardized Approach (slide 8 of the presentation).
Loss Event Types
BIS classifies loss events in the following Level 1 categories:
• Internal Fraud
• External Fraud
• Employment Practices and Workplace Safety
• Clients, Products & Business Practices
• Damage to Physical Assets
• Business Disruption and System Failures
• Execution, Delivery & Process Management
These events are defined and broken down further into Levels 2 & 3, with greater detail at each succeeding level.
The Questionnaire and the Heat Map
• The working group defined risks along the guidelines established from the BIS guidance, including the Loss Event Type Categories. Additionally we established the definitions of the control processes.
• The result was put into MS Excel as questions with boxes that indicated control over the specific event derived from the question, and quantification of losses under normal operations and under very severe events.
• In the background a worksheet quantified both the control and the loss severity as two coordinates on a scatter chart, which was the heat map.
• The heat map was divided into 4 quadrants: low loss and good control, high loss and good control, low loss and low control, and high loss and low control.
Answer Scoring
By employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type.
(Scatter chart: "Impact of Risk" plotted against "Ability to Control Risk"; risk types shown include External Catastrophe; External Service Provider Failure; Regulatory; Compliance with Policies, Procedures, and Practices; External Fraud; Customer Risk Management; Key Control Effectiveness.)
Results of the Questionnaire
• Action plans were put in place in cases where the expected loss was high and control was low, thus fulfilling the 2 for 1 commitment on areas of weakness (no audit finding).
• Key indicator reports were created to address the most frequent smaller losses and the high losses. The indicators were specific to each department and agreed as to report frequency. Indicators included things like fails, aged open items and audit recommendations that had not been addressed.
• Each department assigned indicator and event monitoring and reporting staff. Typically this was the department head's deputy.
• Loss events were entered into a HO system by the departmental staff responsible for monitoring and reporting of Key Indicators.
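A scoring sketch of the heat-map quadrants described on the questionnaire slide and the action-plan rule in the results above. This is an added example, not the working group's Excel workbook; the four-level control rating, the equal-weight blend of normal and severe loss estimates, and the $1 million severity threshold are assumptions.

```python
# Added example: questionnaire answers -> heat-map quadrant -> action plans.
# Scales and thresholds below are assumptions, not the presentation's values.
from dataclasses import dataclass

CONTROL_SCALE = {"none": 0, "weak": 1, "adequate": 2, "strong": 3}  # assumed rating
CONTROL_THRESHOLD = 2        # assumed: "adequate" or better counts as good control
LOSS_THRESHOLD = 1_000_000   # assumed: USD severity at or above which loss is "high"

@dataclass
class Answer:
    business_line: str   # department, aligned with a BIS business type
    event_type: str      # BIS Level 1 loss event category
    control: str         # key of CONTROL_SCALE, from the questionnaire's control box
    normal_loss: float   # estimated loss under normal operations
    severe_loss: float   # estimated loss under a very severe event

def loss_severity(a: Answer) -> float:
    """Background-worksheet score: equal-weight blend so tail events are not ignored (assumed)."""
    return 0.5 * a.normal_loss + 0.5 * a.severe_loss

def quadrant(a: Answer) -> str:
    """Place one answer in one of the four heat-map quadrants."""
    good_control = CONTROL_SCALE[a.control] >= CONTROL_THRESHOLD
    high_loss = loss_severity(a) >= LOSS_THRESHOLD
    if high_loss and not good_control:
        return "high loss / low control"
    if high_loss:
        return "high loss / good control"
    if not good_control:
        return "low loss / low control"
    return "low loss / good control"

def heat_map(answers):
    """Textual form of the scatter chart: business line -> quadrant -> event types."""
    result = {}
    for a in answers:
        result.setdefault(a.business_line, {}).setdefault(quadrant(a), []).append(a.event_type)
    return result

def action_plans(answers):
    """Only high loss with low control triggers an action plan (the 2 for 1 commitment)."""
    return [(a.business_line, a.event_type) for a in answers
            if quadrant(a) == "high loss / low control"]

# Constructed sample answers, not data from the case study.
SAMPLE = [
    Answer("Trading and sales", "Execution, Delivery & Process Management", "weak", 200_000, 5_000_000),
    Answer("Trading and sales", "Internal Fraud", "strong", 50_000, 3_000_000),
    Answer("Retail brokerage", "External Fraud", "weak", 20_000, 150_000),
    Answer("Payment and settlement", "Business Disruption and System Failures", "adequate", 10_000, 400_000),
]

if __name__ == "__main__":
    for line, quads in heat_map(SAMPLE).items():
        print(line, quads)
    print("Action plans:", action_plans(SAMPLE))
```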
ORM Management and Organization
ORM Roles & Responsibilities
• The Board of Directors – the Head of OR reported to the Audit Committee of the BOD twice annually.
• Management – the Head of OR was at Managing Director level.
• Risk Managers – each department assigned OR monitoring and reporting to a senior staff member, typically a VP or a Director. This liaison staff was supported by a second staff member to provide back-up for absences etc.
ORM Roles & Responsibilities - Continued
Dedicated Staff – From 2001 to 2006 there was no authorized headcount; rather, the department was staffed using temporary staff for major projects and cost allocations from each department for Risk Managers and support staff, typically 5 to 15% of a fully charged staff, while no charges were allocated to small departments. 25% of the OR Head's departmental cost (including admin staff) was allocated to the project, and system administration support was provided by a junior officer in the audit team. Key indicator chase and follow-up was performed by either the OR Head or admin support. Significant loss events were often followed up by audit staff as audit issues and thus not charged to OR.
The Obligatory COSO Slide
The eight components of the ERM framework apply equally to OR…
ORM Recap
• Operational Risk is a component of Enterprise Risk Management.
• Basel II, with its rich European taste, provides excellent guidance for a comprehensive Operational Risk program.
• A good program can be put in place for an organization of 250 – 1,000 headcount using a combination of in-place and temporary resources.
ORM Recap
• Gentle and persistent persuasion is required to bring a program like ORM from seed to fruit.
• Selection of the committee, work group or internal partners for a program such as ORM is critical, as is carrying through on campaign promises. The corollary is: don't do a George Bush I "read my lips: no new taxes."