8/3/2019 Ops- Risk Presentation
WORKSHOP ON MANAGING OPERATIONAL RISK
Javed Ahmed
Risk Manager, Meezan Bank Ltd.
Operational Risk
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
includes legal risk, but
excludes strategic and reputational risk
Definition of Operational Risk
The risk of loss resulting from any inadequate or failed internal processes or from external events
Potential or Forward looking
Causal Categories:
Employee Behaviour
Corporate Behaviour
Information Technology
Force Majeure
Inadequate collateral management
Failed matching of cash & securities
Missed timelines
Unenforceable documentation
Internal fraud
People and systems in the regulatory definition are captured in internal process
External Fraud, Fire, Flood, Legal action, Tax, Regulations, False money, Terrorism
Why Operational Risk Included
Citigroup US$70M fine for failing to comply with federal lending regulations.
First National Bank of Keystone US$691M embezzlement & loan fraud by senior managers
Bank of America US$490M lawsuit settled for failure to adequately 3rd party relationships at the time of merger with Nations Bank
Legal settlements by several firms for unfair business practices.
Providian US$300M, FirstUSA US$40M, Advanta US$7.2M, Sears US$36M.
CIBC paid US$25M penalty to SEC and USD100MM restitution to customers for rapid trading and market timing of hedge funds
August 05 Arab Bank New York Branch USD24MM penalty for failing to properly implement anti-money laundering controls.
August 05 CIBC - USD2.4B settlement with University of California for lost investments. Two CIBC executives have also paid personal fines for their role in the fraud.
August 05 Merrill Lynch - $37MM settlement with stockbrokers not paid proper overtime.
SBP Penalty
Fraud, Forgery and Dacoity Cases
No. of Cases: 62 (2006-09) No. of Outstanding Cases: 23
Amount involved in outstanding cases: Rs. 163 million
Amount outstanding: Rs. 84 million
Nature of Cases
Issuance of cheque book on forged requisition slip
Fraudulent withdrawal / Forged cheque
Mis-appropriation of security deposit
Pocketing of deposits
Opening of fake account and transfer of money
Fraudulent withdrawals through internet banking / ATM
Fake property documents
Issuance of Fake deposit slip
Dacoity
Basel II: Evolution of Ops Risk
Minimum Capital Requirement
Risk-weighted Exposures
No Change / Major Changes / New element added
Market Risk: Risk of losses in on and off balance sheet positions arising from movements in market prices
Credit Risk: Potential that a bank borrower or counterparty will fail to meet its obligations in accordance with agreed terms
Operational Risk: Risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or external events
Defining & Understanding Operational Risk
Incident Definition
Cause Event Effect
An actual event resulting from inadequate or failed internal processes or from external events which has, could, or could have, led to a loss, a gain, or an opportunity cost
Risk Drivers and Indicators
Drivers
Transaction Volume
Staff Turnover
Market Volatility
Training hours vs. plan
Product complexity
Indicators
Transaction errors
Aged confirmations
Reconciliation
Audit points outstanding
Settlement fails
Operational loss
Operational Risk Loss Event Types
Risk categorization scheme divides operational risk into seven major risk types and twenty sub risk types.
Internal Fraud: Unauthorized Activity; Theft and Fraud
External Fraud: Theft and Fraud; System Security
Employment Claims: Employee Relations; Safe Environment; Diversity & Discrimination
Clients & Third Party Claims: Suitability, Disclosure & Fiduciary; Improper Business or Market Practices; Product Flaws; Selection, Sponsorship & Exposure; Advisory Activities
Damage to Physical Assets: Disasters & Other Events
Business disruption and system failures: Systems
Transaction Processing Errors / Omissions: Transaction Capture, Execution & Maintenance; Monitoring & Reporting; Customer Intake & Documentation; Customer / Client Account Management; Trade Counterparties; Vendor & Suppliers
Basel II - Loss Event Types Definitions
Level 1 Categories and Definitions
Internal Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involves at least one internal party
External Fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party
Employment Practices and Workplace Safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events
Clients, Products & Business Practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
Damage to Physical Assets: Losses arising from loss or damage to physical assets from natural disaster or other events.
Business disruption and system failures: Losses arising from disruption of business or system failures
Execution, Delivery & Process Management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors
Incident Types: Loss; Gain; Opportunity Cost; Near Miss; (Undetermined)
Incidents Causes Types: Individual Behaviour; Organisational & Corporate Behaviour; Information Technology; External Banking Environment; Non Banking External Environment
Categories of Event Types: Internal Fraud; External Fraud; Employment Practices & Workplace Safety; Clients, Products & Business Practices; Business Disruption & Systems Failures; Execution, Delivery & Process Management; Damage to Physical Assets
Effects Types: Regulatory & Compliance; Legal Liability; Loss/Damage to Assets; Restitution; Loss of Recourse; Write-Off
Managing Operational Risk
Risks cannot be mitigated 100%, but they can be managed within appropriate tolerance levels
Identification, measurement, monitoring and controlling
Operational Risk Management Principles
Developing an Appropriate Risk Management Environment
1 Board sets strategy and framework plus oversight
2 Framework subject to effective and comprehensive internal audit.
3 Senior Management responsible for implementing the Framework
Risk Management: Identification, measurement, monitoring and control
4 Identify & Assess Risks in Products, activities, Processes, systems by RCSA and KRIs etc.
5 Monitor Risk Profiles and Losses, KRIs
6 Policies, Processes and Procedures to mitigate Risks
7 Contingency and Business Continuity Plans.
Role of Supervisors
8 Ensure Banks have effective framework in place
9 Regular evaluation of strategies, policies, procedures & practices
Disclosure
10 Public disclosure of risk exposure & quality of management
Governance Structure
Governance models and reporting lines vary; given below is the most common risk governance structure
BOD / Board Risk Committee
Operational Risk Management Committee
Head of Risk Management
Risk Management Department
Unit Risk Managers
Risk Manager
Market Risk
Operational Risk
Credit Risk
Risk Manager
Depends on size of the organization (all risks vs. specific risks)
Mandate defines membership / authorities / responsibilities
Ultimate responsibility for all risks lies with business units
Risk managers provide tools and guidance in managing risks
Framework Overview
Governance
Modelling
Reporting
Business Strategy
Independent Assurance
Policy & Guidelines
Risk Mgmt. Committees
Risk Universe Categorisation Scheme
Tools
Key Risk & Control Indicators
Risk & Control Self-Assessments
Internal Loss Data
External Loss Data / Scenario Analysis
Operational Risk, Credit Risk, Market Risk
Operational Risk Framework Components
Operational Risk
Operational Loss Data
Key Risk Indicators
Risk & Control Self-Assessments
Employee Claims
Client & Third Party Claims
Damage to Physical Assets
Internal Fraud
External Fraud
Business Disruption & System Failures
Transaction Processing Errors / Omissions
Assessing Operational Risk Exposure
Process of Continuous Risk Assessment, Monitoring and Reporting
Reporting
Mitigation Planning & Execution
Measuring / Monitoring
Likelihood and Severity
Control Assessment
Risk Identification
Operational Risk Management Tools
Control and Risk Self Assessment
Key Risk Drivers and Indicators
Loss Data
Issue and Event Data
Audit and Compliance Reports
Scenario Analysis
Self Assessment Methodology
There are three main parts to risk & control self assessment (self assessment), namely
risk identification,
risk assessment and
control evaluation.
Risk & Control Self Assessment
Define Objectives
Identification of risks that could inherently impact achievement of objectives,
Impact (Low to Very High)
Likelihood (Unlikely to Frequent)
Identification of Controls mitigating risks
Design
Performance
Assess residual risk (Inherent - Controls = Residual)
Develop action plans
Risk & Control Self Assessment
Objectives: Level of granularity; Generic or specific or a combination of both
Risks: Open discussion on risks; Cultural issues: "Boss's view is the right view"
Controls: Key Controls vs. Controls; Control weighting; Design vs. Performance
Inherent Risk: Difficult concept to digest but critical; Impact / Likelihood estimation still subjective; Developing Grids: Granularity and Scale
Residual Risk: How much risk is mitigated by controls; Impact / Likelihood estimation; Developing Grids: Granularity and Scale
Risk assessment: A typical risk profile
Why KRIs Are Important?
Indicators are not easy to do; however, running a business without indicators is the same as driving a motor vehicle on a long journey without a fuel gauge, a speedometer or engine/oil temperature gauges: you simply would not contemplate doing so.
KRIs identify areas of greater concern or exposure to the firm and are a means of providing management focus where it is needed most.
Why are they important?
Risk management: the ability of KRIs to predict potential risk hotspots can help a franchisee avoid or minimise losses;
KRIs help identify process and/or control weaknesses and thus enable action to be taken to strengthen controls and resolve issues; and
targets for KRIs can be set to drive behaviour and desired outcomes for the entity.
Regulatory compliance: identification and management of KRIs is an area of regulatory focus; and
KRI Identification
Sources & Methods
Historical Loss Events
Losses
Near Misses
Claims
Risk and Control Self-Assessment
Process Mapping
Risk and Control Identification
Control Effectiveness Testing
Internal & External Audit Findings
Audit Reports
Outstanding Audit Issues
Regulatory Inspection Findings
Market Driven Risks
Regulatory Requirements
Business Intelligence
Short Approach
KRI - Identification
You are the Pilot of your business unit: you are monitoring all the indicators required to have a safe flight
1) List down top 5-10 risks your department manages on a daily/weekly/monthly basis
2) List down ALL reports produced as a summary of daily/weekly/monthly activity for the reviewer
3) List down ALL reports produced as a summary of activities for management reporting
Maker, Checker, Reviewer, Management Reporting
Sr. No. DESCRIPTION OF KRI MEASUREMENT
ALTERNATE DISTRIBUTION CHANNELS
1 Physical damage to ATM per year
2 Discontinuity of operation per day (ATM, Call Centre, Internet Banking)
3 Number of frauds on ADC per month
4 Number of incomplete processing of transactions per day
COMMERCIAL & SME
1 Number of exceptions of SBP guidelines per month
2 Number of non-compliance of internal guidelines
3 Number of NPL accounts per year
4 Number of policy / guidelines exception cases which subsequently lead to default
5 Number of cases rejected : total cases approved
6 Number of cases where financials and/or risk rating is unavailable
7 Number of overdue / classified accounts to Total accounts
8 Number of new customers made in a month to total customers
9 Number of approvals made beyond delegation matrix
COMPLIANCE
1 Number of circulars issued by SBP circulated to wrong departments per month:
- Deadline/Compliance based Circulars
- Non-Deadline/Information based Circulars
2 Number of circulars issued by SBP which were not circulated internally per month:
- Deadline/Compliance based Circulars
- Non-Deadline/Information based Circulars
3 Number of late / wrong / incorrect submission of returns to SBP per month
4 Number of suspicious / AML transactions in the month
5 Number of anti-money laundering transactions not monitored by Compliance but subsequently detected per quarter
6 Number of policies not reviewed / revised during last three years
Sr. No. DESCRIPTION OF KRI MEASUREMENT
CORPORATE FINANCE
1 Number of cases where annual review was not performed
2 Number of NPL accounts per year
3 Number of exceptions of SBP regulations / guidelines
4 Number of policy / guidelines exception cases which subsequently lead to default
5 Number of cases rejected : total cases approved
6 Number of cases renewed after expiry per month
7 Number of cases where financials and/or risk rating is unavailable
8 Number of overdue / classified accounts to Total accounts
9 Number of total cases processed to cases received in a month
10 Number of new customers made in a month to total customers
11 Breaches in delegation of authority limits
12 Customer calls due but not conducted in a month
HUMAN RESOURCES
1 No. of employees who did not avail mandatory leaves in a year
2 Number of employees leaving within 1 year service with the Bank
3 Number of employees terminated in a quarter
4 Employee absenteeism rate in the month
5 Number of employees whose Job description were not available
6 Number of cases where antecedent of new joiners not obtained
7 Number of vacant positions
8 Percentage of staff appraisal below satisfactory
Loss Data
Pinpoints actual areas of control failures
Highlights cost of operational risk
Losses should be assigned to the business areas where they originated
Data required for modelling Operational Risk Capital requirement.
Both internal and external loss data can be utilised
Internal Loss Data
Apply a minimum reporting threshold, e.g. Losses > Rs. 5000
Make sure you record at least the 4 Ws (What, when, where, why)
Allocate losses to correct business line and risk category.
Ensure that you can revise the individual losses to record recoveries
Include all losses!
Regulatory Framework
Business Lines
Corporate Finance
Trading & Sales
Retail Banking
Commercial Banking
Retail Brokerage
Asset Management
Agency Services
Payment & Settlement
Operational Risk Categories
IF EF EPWS CPBP DPA BDSF EDPM
Scenario Analysis
Apply some formal real world "what if" analysis to your processes
Highlight control weakness before it results in losses
Stress test identified points of failure to test resilience
Test again to ensure mitigation is working
Roles & responsibilities
Control owner roles and responsibilities
ensuring effective and efficient control design to manage the impact and likelihood of the risk
analysis of this data: conversion into indicative information
sourcing and collating relevant data concerning the performance of controls
effective performance of control activities as designed
creating and implementing corrective action driven by the risk information
identifying and assessing the appropriateness and effectiveness of controls
Roles & responsibilities
Risk owner roles and responsibilities
to identify, regularly maintain and communicate up to date risk information
sourcing, collating and analysing relevant data indicating movements in impact and likelihood of risk;
reporting information to the appropriate individuals / forums / committees;
creating and implementing appropriate action driven by the information;
ongoing monitoring of risks for changes in their impact or likelihood
ensuring effective implementation of risk management action plans.
identifying and assessing the appropriateness and effectiveness of controls
Governance - Risk Categorization
Event Categories
Internal Fraud
External Fraud
Employment Practices & Workplace Safety
Clients, Products & Business Practices
Damage to Physical Assets
Business Disruption & System Failures
Execution, Delivery & Process Management
Causal Categories
People Risk
Process Risk
Technology Risk
External Events Risk
Organization could develop its own or adopt what is available: need to map
Challenges
Neither categorization works ideally for all tools in operational risk framework
Event categories good for loss data, scenarios & risk measurement - causal categories good for RCSA and KRIs
Using different categories for different tools could make aggregation of results difficult
Benefits
Provides a common risk language within the organization
Facilitates participation in industry data consortiums
Facilitates regulatory reporting
Consistent use across risk tools will facilitate data aggregation
Basel II & Industry
Problems and Practicalities
Risk based culture and continued management support.
Business Line Buy-in and Resources.
Coordination with Existing Control Initiatives
KRIs focussed on performance.
Loss data collection.
External loss data availability.
Real world scenario analysis.
Access to Appropriate Information and Reporting.
System Support.
Thank You
Q & A