Risky Business
Jaidev Iyer
Operational Risk Expert, CEO J-Risk Advisors
Speaker Information
Jaidev Iyer Enterprise & Operational Risk Expert J-Risk Advisors
Jaidev Iyer is a veteran of Citigroup, where he worked for 28 years, in a variety of positions in many geographies and businesses, starting with the Citibank India trading room in 1981, and retiring in 2008 as Global Head of Operational Risk for its Corporate & Investment bank businesses.
During his tenure, Jaidev’s roles included Global Head of Risk for Asset Management, Global Head of Derivatives for Private Banking, Head of Market Risk for the Americas, Head of Middle East Capital Markets, Head of Asia Derivatives Financial Engineering, and Head of Asia Market Risk.
Upon retiring from Citi in 2008, Jaidev held a variety of not-for-profit and Risk consulting roles including directorship of GARP (2004-2009), and CEO of J-Risk Advisors. He was most recently CEO & co-Founder of Insorce Operational Optimizers, immediately prior to which he was Global Head of Operational Risk at UBS, based in NYC.
Jaidev’s academic background is in Statistics and Economics. He is a Chartered Financial Analyst, and has completed management programs at the Kellogg School of Management (Northwestern University) as well as the John F. Kennedy School of Government (Harvard University).
Risk is a Forward View of Vulnerability
An Enterprise Risk Management approach continuously solves for

A − B = C ≤ D

where
A = Inherent risk due to the chosen business
B = Control-based mitigation
C = Residual risks
D = Risk appetite

• Risk vs. Boundaries
• Risk vs. How taken, i.e. Market/Product
• Risk vs. Reward
Operational Risk Event Types
• Fraud, Theft and Unauthorized Events
• Clients, Products and Business Practices
• Employment Practices and Workplace Environment
• Physical Assets and Infrastructure Events
• Execution, Delivery and Process Management
Enterprise Risk as a Program
Identify Risks
Assess Risks
• Severity and likelihood
• Vulnerability and speed
• Heat-map/matrix
Install Policies
• Required policies
• Reflect business
• Include procedures
• Chosen “responses” to risks
Implement Controls
• Policy implementation
• Reporting
Metrics and RCSA*
• Iterative exercise
• Periodic revisit with metrics, and
• Risk Control Self Assessment
• Informed by actual issues and events
Monitor Controls and Risk
Governance and Assurance

Operational Risk Management
Exec team oversees
• Issues
• Metrics
• Assessments
• Corrective actions
Monthly reporting
• Metrics trends
• RCSA* results
• Remediation plans
Metrics (Key Risk Indicators)
• Indicators of good health
• Smoke detectors

* Risk-Control Self-assessment
Risk at Summary Event Level (Basel II Level 1) → Risk at Category Level (Basel II Level 2) → Risk at Activity Level (Basel II Level 3)

Internal Fraud
  Unauthorized (Rogue) Activity
  • Transactions intentionally not reported
  • Transaction/type is unauthorized
  • Positions are deliberately mis-marked
  Theft and Fraud (Internal)
  • Fraud (internal party) of any type, e.g. credit fraud, worthless deposits
  • Theft (internal party) of any type, e.g. embezzlement, extortion, robbery, misappropriations
  • Forgery: involving at least one internal party
  • Other criminal conduct: intentional tax non-compliance, bribes, kickbacks by employee(s)
  • Insider trading: by the firm’s employee(s) for their own account

External Fraud
  Theft and Fraud (External)
  • Theft and robbery, by a third party
  • Forgery, by a third party
  Systems Security (Hacking etc.)
  • Hacking, third-party originated
  • Theft of information by an external party

Employment Practices and Workplace Safety
  Employee Relations
  • Compensation, benefits, termination issues
  • Organized labor activity, strikes, union issues
  Safe Environment
  • General liability issues
  • Employee health and safety, workers’ compensation …
  Workplace Practices
  • Discrimination, diversity, harassment … issues

Clients, Products and Business Practices
  Suitability, Disclosure and Fiduciary
  • Fiduciary breaches, guideline violations, suitability/KYC issues, disclosure violations, breach of privacy
  • Aggressive sales, account churning, misusing information
  Improper Business or Market Practices
  • Antitrust, improper market practices, market manipulation, firm-account insider trading
  • Money laundering
  Product Flaws, Defects, Errors
  • Product defects
  • Model errors
  • Client disputes (e.g. performance of advisory activities)

Physical Assets
  Damage to Assets, Disasters
  • Natural disasters, losses from terrorism and vandalism

Business Disruption and System Failure
  Systems
  • Hardware/software failures, telecoms, outages and disruptions
  Business Continuity
  • Disruption of business and client service given natural and man-made disasters; disaster recovery

Execution, Delivery and Process Management
  Transaction Capture, Execution, and Maintenance
  • Errors of all kinds: data entry or maintenance, deadlines, system inoperation, accounting errors, miscommunication
  • Failures: delivery, collateral, reference data maintenance
  Missed or Inaccurate Mandatory Reports
  • Failed mandatory reporting obligation
  • Inaccurate external reporting: loss or fine incurred
  Customer Intake and Documentation
  • Client onboarding issues: permissions and disclaimers missing, missing KYC and other account-opening requirements
  • Documentation issues of all types: new or existing clients
  Customer/Client Account Management
  • Unapproved access to client accounts, incorrect client records, negligent loss of or damage to client assets
  Trade Counterparties: Misperformance and Disputes
  • Counterparty mis-performance, or disputes
  Vendors and Suppliers: Outsourcing and Disputes
  • Vendor disputes, outsourcing-related errors and losses
Illustrative Severity Scale
Rating / Descriptor / Definition. Note: each successive bullet point must be read as “and/or”.

5 Extreme/Catastrophic
• Financial loss of $350 million or more (say)
• Long-term or significant negative media; loss of status or market share
• Hearings, prosecution, fines, litigation including class actions, incarceration
• Significant injuries or fatalities to employees, customers or vendors
• Multiple senior leaders leave

4 Major
• Financial loss of $200M up to $350M (say)
• Long-term negative media; significant loss of market share and reputation
• Reports to regulators requiring a major project for corrective action
• Care required for employees or third parties, such as customers or vendors
• Seniors leave, high turnover of experience, no longer a premier employer

3 Moderate
• Financial loss of $50M up to $200M (say)
• Short-term but impactful negative media coverage
• Report of breach to regulator with immediate correction to be implemented
• Medical treatment required for employees, customers or vendors
• Widespread staff morale problems and high turnover

2 Low
• Financial loss of $5M up to $50M (say)
• Reputational damage
• Reportable incident to regulator, no strong follow-up
• No or minor injuries to employees or third parties, customers or vendors
• General staff morale problems and increase in turnover

1 Insignificant
• Financial loss up to $5M (say)
• Local media attention, if at all, quickly remedied
• Not immediately reportable to regulator
• No injuries to employees or third parties, such as customers or vendors
• Isolated staff dissatisfaction that can be managed locally
Illustrative Likelihood Scale
Rating / Frequency descriptor and definition / Probability descriptor and definition

5 Very Frequent
• Frequency: once a year or more
• Probability (Almost Certain): 90% or greater chance of occurrence over the life of the asset or project, or in a time window such as annual

4 Quite Likely
• Frequency: once every 1 to 10 years
• Probability (Likely): 60% up to 90% chance of occurrence over the life of the asset or project, or annually

3 Occasional
• Frequency: once in 25 up to 50 years
• Probability (Possible): 30% up to 60% chance of occurrence

2 Unlikely
• Frequency: once in 50 years up to once in 100 years
• Probability (Unlikely): 10% up to 30% chance of occurrence

1 Rare
• Frequency: once in 100 years or less often
• Probability (Remote): less than 10% chance of occurrence
Risk Assessment Heatmap
[Figure: 5×5 risk assessment heat map. Likelihood axis (vertical): 1 Unlikely, 2 Seldom, 3 Possibly, 4 Likely, 5 Definitely. Severity axis (horizontal): 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Extreme.]
Risk Assessment (Hypothetical)
[Figure: the same 5×5 heat map (likelihood 1 Unlikely, 2 Seldom, 3 Possibly, 4 Likely, 5 Definitely; severity 1 Insignificant, 2 Minor, 3 Moderate, 4 Major, 5 Extreme) with hypothetical risks plotted; the cell positions are not recoverable from the extracted text. Risks plotted: Inaccurate Reporting, Systems, Business Continuity, Hacking – Data Theft, Client Suitability, Product Defects, Employee Relations, Insider Theft, Fraud, Business Practices, AML Issues, Client Account Mgmt, Regulatory Censure, Transaction Errors, Compensation Issues, Physical Assets, Unauthorized Accts, Workplace Mgmt, Vendor Mgmt, Staff Health, Hiding Transactions, Mismarking Positions, Theft by 3rd Party.]
Reconciling Risk Appetite with Assessment
[Figure: Impact (vertical axis) vs. Likelihood (horizontal axis) grid divided into response regions: Accept Risk, Reduce Risk, Contain/Transfer Risk, Control Risk, Avoid/Terminate. Which region occupies which cells is not recoverable from the extracted text.]
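The severity scale, the likelihood scale, the opening slide's A − B = C ≤ D relation and the appetite-reconciliation figure above can be exercised together as one scoring routine. The following Python is an added example and is not part of the deck or of J-Risk Advisors' material. It transcribes the financial-loss bands and the probability bands from the two scales, applies the scale's "and/or" note by taking the maximum across separately judged severity dimensions, computes an inherent (A) and a residual (C) heat-map score per risk, and checks the residual against an appetite D. Everything else is an assumption made for illustration: the appetite value, the numbers in the register, modelling a control's effect (B) as a reduction of the likelihood or severity rating, and which heat-map cells map to which treatment from the figure. The risk names are taken from the hypothetical heat map.

```python
"""Risk scoring on the deck's illustrative severity and likelihood scales (added example)."""
from dataclasses import dataclass

# Financial-loss dimension of the severity scale: (upper bound in USD, exclusive; rating; descriptor).
# The deck marks the figures "(say)", i.e. illustrative.  Assumption: a loss exactly on a
# boundary takes the higher band (lower bound inclusive, upper bound exclusive).
SEVERITY_BANDS = [
    (5_000_000, 1, "Insignificant"),
    (50_000_000, 2, "Low"),
    (200_000_000, 3, "Moderate"),
    (350_000_000, 4, "Major"),
    (float("inf"), 5, "Extreme/Catastrophic"),
]

# Probability dimension of the likelihood scale, over the assessment window (e.g. annual).
LIKELIHOOD_BANDS = [
    (0.10, 1, "Remote"),
    (0.30, 2, "Unlikely"),
    (0.60, 3, "Possible"),
    (0.90, 4, "Likely"),
    (float("inf"), 5, "Almost Certain"),
]


def _band(value, bands):
    """Return (rating, descriptor) of the first band whose exclusive upper bound exceeds value."""
    for upper, rating, descriptor in bands:
        if value < upper:
            return rating, descriptor
    raise ValueError(value)  # unreachable: the last band is open-ended


def severity_rating(loss_usd, *other_dimensions):
    """Severity 1..5.  The scale's note says successive bullets are read as "and/or", so the
    financial-loss band is combined with any separately judged dimensions (media, regulatory,
    people, staff; each already rated 1..5) by taking the maximum."""
    if any(not 1 <= d <= 5 for d in other_dimensions):
        raise ValueError("qualitative severity ratings must be 1..5")
    rating, _ = _band(loss_usd, SEVERITY_BANDS)
    return max((rating, *other_dimensions))


def likelihood_rating(probability):
    """Likelihood 1..5 from a probability of occurrence over the assessment window."""
    rating, _ = _band(probability, LIKELIHOOD_BANDS)
    return rating


@dataclass
class Risk:
    name: str
    inherent_loss_usd: float     # A: loss if the risk materialises with no controls
    inherent_probability: float  # A: probability of occurrence with no controls
    qualitative: tuple = ()      # other severity dimensions, already rated 1..5
    # B (assumption): controls expressed as rating reductions on the same scales;
    # preventive controls mostly cut likelihood, recovery controls cut severity.
    likelihood_reduction: int = 0
    severity_reduction: int = 0


def inherent_score(risk):
    """A as (severity, likelihood, severity * likelihood)."""
    s = severity_rating(risk.inherent_loss_usd, *risk.qualitative)
    l = likelihood_rating(risk.inherent_probability)
    return s, l, s * l


def residual_score(risk):
    """C = A - B, floored at 1 on each axis so a control cannot take a rating below the scale."""
    s, l, _ = inherent_score(risk)
    s = max(1, s - risk.severity_reduction)
    l = max(1, l - risk.likelihood_reduction)
    return s, l, s * l


def response(severity, likelihood, appetite):
    """Treatment for a heat-map cell, using the labels of the appetite-reconciliation figure.
    Assumption (the figure's layout is not in the text): within appetite -> accept;
    high likelihood, low impact -> reduce; low likelihood, high impact -> contain/transfer;
    both high -> avoid/terminate; anything else -> control."""
    if severity * likelihood <= appetite:
        return "Accept Risk"
    if severity >= 4 and likelihood >= 4:
        return "Avoid/Terminate"
    if severity >= 4:
        return "Contain/Transfer Risk"
    if likelihood >= 4:
        return "Reduce Risk"
    return "Control Risk"


def assess(register, appetite):
    """Solve A - B = C <= D for every risk; rows sorted by residual score, highest first."""
    rows = []
    for r in register:
        _, _, a = inherent_score(r)
        s, l, c = residual_score(r)
        rows.append({"risk": r.name, "inherent": a, "residual": c, "severity": s,
                     "likelihood": l, "within_appetite": c <= appetite,
                     "response": response(s, l, appetite)})
    return sorted(rows, key=lambda row: row["residual"], reverse=True)


# Constructed register: names come from the deck's hypothetical heat map; the numbers are
# made up for this example and are not the deck's assessment.
REGISTER = [
    Risk("Hacking - Data Theft", 120_000_000, 0.70, (4,), likelihood_reduction=2),
    Risk("Mismarking Positions", 400_000_000, 0.20, likelihood_reduction=1, severity_reduction=1),
    Risk("Transaction Errors", 8_000_000, 0.95, likelihood_reduction=1),
    Risk("Physical Assets", 60_000_000, 0.05),
    Risk("Unauthorized Accts", 360_000_000, 0.92),
]
RISK_APPETITE = 6  # D (assumption): highest residual heat-map score the firm tolerates

if __name__ == "__main__":
    for row in assess(REGISTER, RISK_APPETITE):
        print(row)
```

Two points the routine makes visible that the scales alone do not: a risk whose financial loss rates only 3 is still rated 4 when its regulatory or people dimension is judged 4, because of the "and/or" reading; and a control that only reduces likelihood leaves a high-severity risk in the contain/transfer region, which is where business-continuity and insurance-type treatments belong rather than more preventive controls.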
Operational Risk Control Framework
Contextualize vs. Objectives …
• Client satisfaction
• Business performance
• No surprises
• Full compliance
• Information flow
– The controls framework must work for all stakeholders, for real and perceived risks
– The cost of control must be clear

• Access control – physical
• Access control – systems, applications, network
• Accurate and complete transaction capture and execution
• Business continuity management
• Client account servicing, monitoring, oversight (from onboarding onwards)
• Confirmations and reporting
• Documentation management and review
• Employee management
• Product management: supervision and compliance
• Limits and approvals
• Information security management
• MIS
• Model control
• Monitoring business practices
• Operational risk management
• Governance, review and compliance
• Reconciliations – positions, P/L and balances
• Systems control – software/hardware and change management
• Monitoring and managing use of email and social networks
• Valuation – value reconciliation, controlled environment
• Third-party/Vendor management
Business Continuity and Disaster Recovery