
ORM in Banks and Financials Institutions

Date post: 03-Jun-2018
Upload: raulrivera
  • 8/12/2019 ORM in Banks and Financials Institutions


    MetricStream

    Operational Risk Management (ORM)

    Roadmap to Advanced Measurement Approach (AMA) and Better Business Performance

    in Banks and Financial Institutions

    Solution Brief

    Governance, Risk, Compliance and Quality Management Solutions


    Table of Contents

    Operational Risk: Changing Face of Compliance

    Challenges in Managing Operational Risk

    Building an Operational Risk Framework

    Business Benefits: Moving Beyond Compliance

    MetricStream Solution for ORM

    Roadmap to Advanced Measurement Approaches (AMA)

    References


    Operational Risk: Changing Face of Compliance

    Banks and financial institutions are undergoing a sea change and today face an environment marked by growing consolidation, rising customer expectations, increasing regulatory requirements, proliferating financial engineering, rapid technological innovation and mounting competition. This has increased the probability of failure or mistakes from the operations point of view, resulting in increased focus on managing operational risks.

    Operational risk losses have often led to the downfall of financial institutions, with more than 100 reported losses exceeding US$100 million in recent years. The regulators of financial companies and banks are demanding a far greater level of insight and awareness by directors about the risks they manage, and the effectiveness of the controls they have in place to reduce or mitigate these risks. Further, compliance regulations, like Basel II and SOX, mandate a focus on operational risks, forcing financial organizations to identify, measure, evaluate, control and manage this ubiquitous risk. This has led to an increased emphasis on the importance of having a sound operational risk management (ORM) practice in place, especially when dealing with the internal capital assessment and allocation process. This makes ORM one of the most complex and fastest growing risk disciplines in financial institutions.

    Alan Greenspan, Chairman of the Federal Reserve, during the American Bankers Association Annual Convention on October 5, 2004, held, "It would be a mistake to conclude that the only way to succeed in banking is through ever-greater size and diversity. Indeed, better risk management may be the only truly necessary element of success in banking."

    Old perceptions and behaviors toward risk are changing. ORM is acquiring new credibility as a roadmap to add value to the business, and is garnering new attention from regulators and key stakeholders.

    A recent Chartis Research [1] report on ORM systems suggests that the worldwide financial services ORM market will continue to grow, reaching a total value of $1.55 billion by 2011. This indicates a growing concern among banks and financial institutions for managing their operational risk. The report has three main findings:

    - Many US and European financial institutions continue to replace their first generation ORM systems, largely due to inflexible and rigid product design and the ongoing evolvement of ORM methodologies.

    - Some market segments, such as emerging regions (e.g. Middle-East, Asia-Pacific, South America), and vertical sectors (e.g. insurance, asset management) have begun investing in formal and sophisticated ORM systems.

    - Average investment in ORM projects is increasing, as more and more financial institutions are focusing on ORM's strategic business benefits.

    Additionally, the report claims financial institutions working on the demand side of the market are re-examining their approach, culture and systems for managing operational risk.

    Basel II and Operational Risk: Operational risk is as old as the banking industry itself and yet the industry has only recently arrived at a definition of what it is. Operational risk is defined by the Basel Committee on Banking Supervision (2006) as: "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk."


    There are two main drivers for this development. First, there is a growing acknowledgement from banks that a consistent and effective operational risk management framework can help them achieve organizational objectives and superior performance. For example, by including a well-constructed operational risk process in the entire value chain, a bank can help ensure that the risks inherent in those activities are understood and addressed. In many instances an early involvement of operational risk management can increase the development speed of new initiatives. The second key development is the launch of the Basel II Capital Accord (the New Accord) by the Basel Committee for Banking Supervision, which requires banks to set aside regulatory capital for operational risk, an important development that has affected most financial services institutions worldwide. One of the major improvements in Basel II is that it ensures closer linkages between capital requirements and the ways banks manage their actual risk. As summed up by one of the U.S. regulators, "The advanced approaches of Basel II represent a sea change in how banks determine their minimum level of required capital for regulatory purposes. It intends to better align regulatory capital with inherent risks and banks' internal economic capital."

    The advanced approach for measurement of operational risk requires economic capital to be calculated based on the bank's own operational risk management and measurement technique. It is imperative to strengthen the soundness and stability of operational risk management practice by employing the Advanced Measurement Approach (AMA), in order to ensure that it does not become a significant source of competitive inequity over rival banks and financial institutes. Further, AMA fosters a risk sensitive environment and promotes efficiency in managing risk. The road ahead should lead to the Advanced Measurement Approach (AMA) as described under the Basel II accord.

    [Figure 1: Operational Risk Management Approaches. Labels: Passive Banks, Active Banks; Basic Indicator Approach, Standardized Approach, Advanced Measurement Approach; axes: Risk Sensitivity (Low to High), Capital Charge (High to Low).]


    To comply with the accord, banks are making significant investments to improve their internal risk processes, data infrastructure, and analytical capabilities. Firms focused on competing effectively are already incorporating many elements of the Basel II requirements into their risk and capital management practices, as a blueprint of improved growth and profitability.

    As a result, Basel II compliance programs offer a rare opportunity to rethink the way banks approach risk measurement and management, and to look again at how risk measures can be integrated with each other and with management's approach to running the business. Susan Schmidt Bies [2], one of the U.S. regulators, stressed, "The emphasis in the new Accord on improved data standards should not be interpreted solely as a requirement to determine regulatory capital standards, but rather as a foundation for risk management practices that will strengthen the value of the banking franchise."

    Although Basel II compliance opens up many strategic opportunities to leverage improved data standards and risk management practices, it also offers many implementation challenges. The next section highlights the major challenges in successfully implementing ORM.

    Challenges of Managing Operational Risk

    An Ernst and Young Global Basel Survey in 2006 indicates that senior banking executives are beginning to appreciate the long term business impacts of Basel II on their organizations and the banking industry as a whole. It suggests a realization that Basel II adoption is a growing imperative in order to succeed in the competitive race. About 89% of the participants in the survey believed that the banks with robust risk infrastructures will have competitive advantage over others.

    Reference: http://www.ey.com/Global/Assets.nsf/International/Basel_II_Survey_Report_2006/$file/EY_GFSRM_Basel_II_Survey2006.pdf

    The discipline of operational risk is at a crossroads. Despite the industry's efforts to control operational risk, institutions still have much work to do. Risk Managers are grappling with questions like, "How does the discipline add value to my organization?"; "What do the advanced measurement approach's (AMA) modeling techniques say about the operational risks my firm is facing?" or "What is the strategic role of operational risk that my firm should adopt?". Let's take a look at some of the unique challenges that ORM brings:

    Rising Costs of Compliance: Development of an ORM model as part of a regulatory and economic capital framework is complex and takes time. There is a general agreement that the major ORM challenge is the escalating cost of compliance.

    Access to Appropriate Information and Reporting: Effective management of operational risk requires diverse information from a variety of sources including, for example, risk reports, risk and control profiles, operational risk incidents, key risk indicators, risk heat maps, and rules and definitions for regulatory capital and economic capital reporting.

    Development of Loss Databases: A well-structured operational risk framework requires development of business-line databases to capture loss events attributable to various categories of operational risk. Basel II specifically requires a minimum of three years of data for initial implementation and ultimately five years for the Advanced Measurement Approaches (AMA). The need for historical data (including external data) has been a cause of concern for many enterprises.


    Lack of Systematic Measurement of Operational Risk: Many enterprises hold that their institutions are measuring operational risk. However, very few of them have been able to complete the Basel II quantification requirements, or are yet to formalize the measurement process around the Basel II framework.

    Implementing ORM systems: Amid regulatory efforts to revamp the industry's immunity to operational risk, and its implications on efficient financial intermediation, many organizations are looking to go beyond traditional siloed approaches and implement a consolidated ORM framework across the entire value chain. Development of an ORM model as part of a regulatory and economic capital framework, however, is complex and takes time. Some banks may either still be struggling with the requirements of the "Sound Practices for ORM" BIS paper, which spells out how to introduce ORM principles, or may not yet have in place the required governance or framework. Factors like lack of understanding of upcoming technology regarding operational risk management, failure to get the top management to focus on the benefits of the program, improved productivity and quality, as well as on loss reduction, and lack of meaningful and timely data across business unit and product lines make the implementation of an ORM system all the more formidable.

    Tone at the Top: An effective risk management program starts with "The Tone at the Top" - driven by the top management and adhered to by the bottom line. However, if a bank's top leaders perceive operational risk management solely as a regulatory mandate, rather than as an important means of enhancing competitiveness and performance, they may tend to be less supportive of such efforts. Management and the board must understand the importance of operational risk, demonstrate their support for its management, and designate an appropriate managing entity and framework - one that is part of the bank's overall corporate governance framework.

    By adopting an integrated operational risk framework, companies can ensure that all operational risk management initiatives are sustained and are aligned with the corporate strategy. The next section throws light on the essentials of an ideal operational risk framework.

    [Figure: Risk Management Cycle. Stages: Identify Risks, Assess the Risk, Select risk control measures, Implement risk controls, Monitor and Review. Other labels: Risk Management Objectives; Review of management and measurement processes by internal/external audit.]


    Building an Operational Risk Framework

    Operational risk management is at the core of a bank's operations - integrating risk management practices into processes, systems and culture. As a pro-active partner to senior management, ORM's value lies in supporting and challenging them to align the business control environment with the bank's strategy by measuring and mitigating risk exposure, contributing to optimal return for stakeholders. For instance, HSBC [3] has invested heavily in understanding customer behavior through new systems initially designed for fraud detection, which are now being leveraged beyond compliance to address more effective customer service.

    The ORM group of an organization keeps its people up-to-date on problems that have happened to other financial institutions, allowing it to take a more proactive approach. "Our goal is for employees to look at ORM as a business stakeholder and a shareholder, involving them on all levels and bringing stability into their jobs," said the senior vice president of the Operational and Compliance Risk Management Group. A noted financial services company, on the other hand, incorporates its ORM approach as an extension of its business line and not a separate entity. The company has implemented an operational risk umbrella that encompasses all aspects of potential risks - bank protection, fraud prevention, key risk indicators, capture of operational loss data, business line risk oversight and new products and initiatives for data security. Its Chief Risk Officer says, "We utilize our ORM practices to gain respect and appreciation of all our business lines by really understanding their issues, and being part of the overall solution."

    What elements should a financial institution consider when developing an analytical framework for operational risk?

    There is no one-size-fits-all approach to ORM, as every enterprise follows a framework that is specific to its own internal operating environment. When asked about the standard ORM framework, a risk expert notes, "There is no 'standard' standard. Ultimately, the Operational risk framework should not merely be Basel-compliant; it should also provide the bank with mechanisms for improving overall risk culture and behavior towards operational risk management. Understanding our risks should lead to better decision making and reflect in our performance." A robust operational risk management framework is made up of the following core components:

    An award winning Banking Group states that it is focused on the regular monitoring of its operational risk profiles and material exposures to operational losses - with senior management supporting the proactive management of operational risks. Its Operational Risk Management department (ORM):

    - Carries out risk-audit activities, assessments of operational risks and prepares recommendations for risk mitigation.

    - Implements a number of tools recommended by the Basel Committee including: internal loss collection and reporting, key risk indicators, external loss data collection; and control and risk self-assessments.

    - Analyzes new products and intra-bank regulations.

    - Holds comprehensive insurance policy, which is designed with ORM participation.

    The group has received the Operational Risk Achievement Award for two consecutive years.


    Governance: It is the process by which the Board of Directors defines key objectives for the bank and oversees progress towards achieving those objectives. It defines the overall operational risk culture in the organization, and sets the tone as to how a bank implements and executes its operational risk management strategy. A successfully executed risk strategy often results in risk being firmly embedded in the vision, strategies, tools, and tactics of the organization. Governance sets the precedence for Strategy, Structure and Execution.

    Strategy: A bank's strategy for operational risk drives the other components within the management framework and provides clear guidance on risk appetite or tolerance, policies, and processes for day-to-day risk management.

    Appetite and Policy: An ideal risk management process ensures that organizational behavior is driven by its risk appetite. Adopting an operational risk strategy aligned to risk appetite leads to informed business and investment decisions.

    Clear Definition & Communication of Policy: An organization's top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk at all levels, and conscious efforts should be made to ensure that these policies are communicated at all levels and across the entire value chain.

    Periodic Evaluations Based on Internal & External Changes: An ideal risk management process puts improvement of risk performance on a competitive level with other important mission concerns, periodically evaluating the ORM performance goals in the light of internal and external factors. Depending upon the criticality of the internal operating environment and key external factors, the organization must review the strategic policies inside out.

    [Figure 2: Operational Risk Management Framework. Labels: Governance; Control and Self Assessment; Key Risk Indicators (KRIs); Loss Data - Internal and External; Issue Management.]


    Structure: When designing the operational risk management structure, the bank's overall risk scenario should serve as a guideline. This includes initiatives like laying down a hierarchical structure that leverages current risk processes, developing risk measurement models to assess regulatory and economic capital, and allocating economic capital vis-à-vis the actual risk confronted. Centralized aggregation of operational risk information collected via various self assessments across the organization, further, provides useful insight for the desired hierarchical structure. The implementation of these concepts allows risk to be handled consistently throughout the organization.

    Execution: Once the operational risk management structure has been established by an organization, adequate procedures should be designed and implemented to ensure execution of and compliance with these policies at business line level. The first step includes identification and assessment of operational risk inherent in day-to-day processes of the bank. After assessment of inherent risk, a target tolerance limit of risk should be established. This is commonly accomplished by calculating the probability/likelihood of materialization of risk, by considering the drivers or causes of the risk together with the assessment of its impact. The results of the risk assessment and quantification process enable management to compare the risks with its operational risk strategy and policies, identify those risk exposures that are unacceptable to the institution or are outside the institution's risk appetite, and select and prioritise appropriate mechanisms for mitigation. Finally, appropriate risk mitigation and internal control procedures are established by the business units such that residual risk is mitigated to the acceptable level. Regular reviews must be carried out to analyse the control environment and test the effectiveness of implemented controls, thereby ensuring business operations are conducted within acceptable risk limits. Further, it is essential that the top management ensures consistent monitoring and controlling of operational risk, and that risk information is received by the appropriate people, on a timely basis, in the form and format that will aid in the monitoring and control. Operational risk metrics or Key Risk Indicators (KRIs) are established to ensure timely warning is received prior to the occurrence of an event. The key to effective KRIs lies in setting the threshold at the acceptable level of risk. Execution and implementation of the Operational Risk framework is key to setting up an effective Operational Risk environment, ensuring that business is conducted within the appropriate risk tolerance limit.

    Business Benefits: Moving Beyond Compliance

    As ORM efforts mature, and gain both the support and the confidence of management, they are becoming increasingly valuable to the business. Perceived initially to support regulatory requirements, these efforts can be leveraged and aligned with business performance management. To be successful, however, such alignment must be based on a clear vision of the potential benefits. A few of the benefits are discussed below:

    Identified and assessed key operational risk exposures: ORM enables an organization to identify, measure, monitor and control the inherent risk exposures of the business at all levels. Elements like Risk Assessment, Event Management, and Key Risk Indicators play an important role, enabling the organization to evaluate the risk controls, based on the identified inherent risk, and to measure the residual risk which remains after the implementation of controls.

    Clarified personal accountabilities, roles and responsibilities for managing operational risks: Clear-cut specification of roles and responsibilities of personnel regarding risk profile is an imperative part of implementing an integrated ORM framework. It not only streamlines the risk management process, but also allows risk managers to better incorporate accountability into the work culture of the organization.

    Evolved and enabled efficient allocation of operational risk capital: With a streamlined risk management process, efficient allocation and utilization of operational risk capital can be ensured.


    Consistent and timely operational risk management information and reporting capabilities: Through the development of a well-tailored risk management strategy, a robust ORM system supports features like role-based dashboards, control diagrams and scorecards that provide visibility into the ongoing risk management efforts and bring high-risk areas into focus.

    Sustained risk-smart workforce and environment: Application of an ORM framework, in conjunction with related risk management activities, will support a cultural shift to a risk-smart workforce and environment in the organization. An essential element of a risk-smart environment is that it ensures that the organization has the capacity and tools to be innovative while recognizing and respecting the need to be prudent in protecting its interest.

    Ensured continuous risk management learning: Most business units today acknowledge that continuous learning is fundamental to more informed and proactive decision-making, and a successful learning organization must align itself to the businesses it supports. To ensure continuous risk management learning, these business units are sharing their experience and best risk management practices - internally and across organizations. This supports innovation, capacity building and continuous improvement, and fosters an environment that motivates people to learn.

    However, successfully navigating the road from compliance to value creation can be daunting without a roadmap and a clear vision. By taking a holistic approach to ORM, organizations can significantly lower their risk profile and contribute to their responsiveness in the marketplace - thereby delivering strategic and operational benefits.

    MetricStream Solution for ORM

    MetricStream offers the industry's most advanced and comprehensive solution designed to meet the Operational Risk needs of banks and financial services. The solution is based on an integrated Enterprise Compliance Platform (ECP) for successfully managing risk and meeting regulatory requirements while lowering the associated costs that can otherwise be substantial. ECP, a proven infrastructure for building risk and compliance applications, provides core modules and services to automate and streamline Operational Risk processes.

    MetricStream uniquely combines software and content to deliver ORM solutions. Its embedded best practice content helps define the scope of processes and sub-processes for which risk management needs to be performed and guides development of control and test libraries. It brings together all risk management related data - a reusable library of risks and their corresponding controls and assessments, results from individual assessments, key risk indicators, events such as losses and near-misses, issues and remediation plans - in a single solution. It also provides other intelligent and content driven features such as access to training content from an expert community from within the solutions and integration of business processes with regulatory notifications and industry alerts. Key components of the MetricStream solution for ORM include:

    [Figure: Amount of loss, divided into Expected loss, Unexpected loss and Tail Events.]

    Expected loss is the amount a business should budget to cover its annual cost of operational failure, while unexpected loss is the amount the business ought to reserve as capital.

    Risk Analysis and Risk Self Assessment: The MetricStream solution for ORM provides a centralized risk framework to document all risks faced by an organization. It supports risk assessment and computations based on configurable methodologies and algorithms, giving an insight into the organization's risk profile and enabling the risk managers to prioritize their response strategies for optimal risk/reward outcomes.

    Risk Control Self Assessment (RCSA) forms a core part of the MetricStream solution. MetricStream's risk self-assessment capabilities enable organizations to document and evaluate their risk frameworks, including processes, risks, events, key risk indicators (KRI) and controls. Executive-level dashboards and reports provide visibility into the risk analysis, highlighting key risk metrics and policy compliance. Business process automation capabilities provide for real-time event escalation, automated risk processes and streamlined remediation of issues and action items.

    Control Design and Assessments: Once the key risks are identified and prioritized, MetricStream leverages the operational risk framework to enable companies to define a set of controls that mitigate those risks. The solution also allows associated policy and procedure documents to be attached for reference. The system supports assessments based on predefined criteria and checklists and has a mechanism for scoring, tabulating and reporting results. The repository of all assessments, with an easy search capability, ensures that users can check whether a specific control was tested, access the assessment results and confirm whether it requires a remedial action plan.

    Loss Tracking and Key Risk Indicators (KRIs): With loss event tracking, risk managers can track loss incidents and near misses, record amounts, and determine root causes and ownership. MetricStream provides statistical and trend analysis capabilities and enables end-users to track remedies and action plans. Key risk indicators (KRIs) provide capabilities for tracking risk metrics and thresholds, with automated notification when thresholds are breached. MetricStream provides facilities for both manual and automatic data inputs from internal and external data sources.

    Issue Management and Remediation: For issues arising from the assessment and auditing processes or from any other external events such as loss events, scenario analysis or near-misses, the MetricStream solution provides seamless issue management and remediation management capabilities. Once issues are identified, documented and prioritized, a systematic mechanism of investigation and remediation is set off by the underlying workflow and collaboration engine. The solution supports triggering automatic alerts and notifications to appropriate personnel for task assignments for investigation and remedial action.

    Internal Audit: The MetricStream solution provides seamless integration with internal audit management for streamlining the auditing process in the organization. It provides the flexibility to manage a wide range of audit-related activities, data and processes to support risk management. It supports all types of audits, including internal audit, operational audit, financial statement audit, IT audits and quality audits. Advanced capabilities like built-in remediation workflows, time tracking, email-based notifications and alerts, and offline functionality for conducting audits at remote field sites allow organizations to implement the industry best practices for efficient audit execution and ensure integration of the audit process with the risk and compliance management system.

    Reports and Dashboards: The solution has the ability to track risk profiles, control ownership, assessment plans, remediation status, etc. on graphical charts that can be accessed globally and display real-time information. The ability to drill down provides an easy way to access the data at finer levels of detail. In addition to pre-configured standard risk reports, the system provides flexibility by enabling stakeholders to configure ad-hoc or scheduled reports to view metrics on a variety of parameters such as by process, by business unit, by status, etc. Quarterly and monthly trending analysis, along with the ability to drill down into each report and dashboard to see the underlying details, enables risk managers and process owners to stay in constant touch with the ground reality and progress on risk management programs. Automated alerts for events such as exceptions and failures eliminate any surprises and make the process predictable.


    Roadmap to Advanced Measurement Approaches (AMA)

    The MetricStream ORM solution provides a platform for organizations to develop an integrated ORM approach which can help them qualify for the Basel II AMA. The solution implements strategies, methodologies and risk reporting functionality to identify, measure, monitor, control and mitigate operational risk. It ensures that the organization's internal systems and controls are credible and appropriate, well reasoned and well documented, transparent and accessible, and capable of being validated by internal and external auditors. Moreover, it provides the capability to ensure that risk management practices are embedded across the entire value chain.

    The figure below maps MetricStream solution to the qualifying criteria for AMA.


    Figure 3: Roadmap to Advanced Measurement Approaches by MetricStream

    Qualifying Criteria: Systematic tracking of 3-5 years of historic loss data; Sound Operational Risk Management System; Measurement integrated in day-to-day risk management; Review of management and measurement processes by internal/external audit.

    MetricStream solution capability: Risk & Control Self Assessment (RCSA); Key Risk Indicators (KRI); Loss Event Database; External Loss Data interface; Integrated RCSA & Loss Event Data; Internal Audit; Dashboards & Reports.


    About MetricStream

    MetricStream is a market leader in Enterprise-wide Governance, Risk, Compliance (GRC) and Quality Solutions for global corporations. MetricStream solutions are used by leading corporations such as Pfizer, Philips, American Airlines, NASDAQ, SanDisk, BP, Entergy, Subway, Fairchild Semiconductor, Hitachi and TaylorMade-Adidas Golf in diverse industries such as Pharmaceuticals, Medical Devices, High Tech Manufacturing, Food & Beverage, Energy and Financial Services to manage their quality processes, regulatory and industry-mandated compliance and corporate governance initiatives, as well as by over a million compliance professionals worldwide via the ComplianceOnline.com portal.

    MetricStream, Inc.

    2600 E. Bayshore Road

    Palo Alto, CA 94303

    Phone: 650-620-2900

    Fax: 650-632-1953

    Copyright 2010 MetricStream. All rights reserved.

    For more information about MetricStream GRC and Quality Management Solutions, please visit www.metricstream.com

