Date posted: 16-Apr-2015
SAP BusinessObjects Governance, Risk and Compliance
Operational Risk Management for Financial Institutions
Lahoucine Afif – Business Solution Architect Banking - SAP
October 30, 2012
Managing Operational Risk Today: Challenges and Trends
© 2011 SAP AG. All rights reserved.
What’s happening in the Marketplace?
Multiplication of serious events affecting Banks and the Financial Sector, showing the rise of global risks and need for increased scrutiny:
• Impact of 9-11 on global markets
• Huge losses generated by rogue-trading cases (Leeson-Barings, Kerviel-SG, K. Adoboli-UBS *…)
• Sub-prime crisis in the US, Northern Rock collapse in the UK
• 2008 global financial crisis triggered by Lehman Brothers bankruptcy
• Pressure on EU banks in the context of the Greek debt crisis, etc.
“Regulatory failure, not low interest rates, was responsible for the housing bubble and subsequent financial crisis of the last decade…”
Ben Bernanke - speech at the US Federal Reserve
Atlanta, Jan. 2, 2010
“To prevent future crises, we absolutely require intelligent regulation that will prevent self-destruction...”
Jean-Claude Trichet, European Central Bank
Frankfurt, March 11, 2010
[Chart: Dow Jones Industrial, Jan-00 to Apr-02, vertical axis 8000 to 12000]
(*) Official inquiry is still in process, but initial findings lean towards clear gaps in Governance and Internal Controls
What is the Impact? The Cost of Not Knowing…
Operational Risk
Financial Risk
Access Risk
Diminished customer loyalty
Increased cost of capital
Loss of revenue streams
Decreased shareholder value
…
Increasing Number, Complexity and Costs of Regulations
[Figure: regulations plotted by year (1995, 2000, 2005, 2010) against "Complexity, Degree of Regulation": MAP, IAS, Regulatory Capital, Country regulations, US GAAP, Basel II, SOX, Patriot Act/AML, Dodd Frank, CreditCard Act, AML III, BASEL III, REG NMS, MIFID, IFRS 9, Solvency II]
More granular information required
Deeper level of enquiry
Overwhelming amount of data to sort and organize
Basel II / III Operational Risk Categories show expansion and complexity
Risk Category | Definition | Example
Internal Fraud | An act intended to defraud, misappropriate property, or circumvent regulation, the law or company policy, which involves at least one internal party. | Between 1983 and 1995, Daiwa Bank incurred $1.4 billion in losses due to unauthorized trading and related fines.
External Fraud | An act intended to defraud, misappropriate property, or circumvent the law by a third party. | In 2002, three men who ran a precious metals trading firm deceived a group of banks, resulting in an $800M loss.
Employment Practices and Workplace Safety | Acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events. | In 1999, Merrill Lynch paid $250M to settle a gender discrimination lawsuit.
Clients, Products, and Business Practices | An unintentional or negligent failure to meet a professional obligation to specific clients, or from the nature or design of a product. | In 2000, Providian Financial paid $405M in settlements relating to aggressive sales and billing practices.
Damage to Physical Assets | Losses arising from loss or damage to physical assets from natural disaster or other events. | In 1982, a fire gutted Norwest Bank's headquarters, causing $100M in damage.
Business Disruption and System Failures | Losses arising from disruption of business or system failures. | Bank of New York estimated the impact of the 9/11 disaster to be $242M pretax.
Execution, Delivery, and Process Management | Losses from failed transaction processing or process management, from relations with trade counterparties and vendors. | In 1998, UBS announced 650M SFr in losses due to a calculation error in an option pricing model.
Risk Management: Today’s reality?
The bank examiners arrive in 10 minutes… And they are NOT happy
What are the Challenges?
• Lack of visibility on top risks and exposures
• Fragmented processes / excessive workload
• Lack of integration (incl. with other business systems)
• Inability to proactively mitigate / prevent risks
Caution: Access Risks Ahead
Operational Risk Management
What is the Impact?
Today, financial institutions spend time and effort managing their risks, with results that are insufficient for them to be fully confident in their exposure and in the achievement of their performance objectives.
Lack of visibility on top risks and exposures
• Question: What are the top 10 risks, trends, aggregated exposures (value at risk)…? Is our risk information up to date?
• Outdated, unreliable and inconsistent risk information can lead to inadequate decisions
• Sub-optimal capital allocation
• Potential loss of market confidence and increased scrutiny
Fragmented processes / excessive workload
• Question: How to efficiently centralize and consolidate risk information?
• Excessive time spent on manual processes prevents teams from focusing on higher value tasks
• Risk of errors, gaps and inaccuracies
• Despite efforts, compliance is neither ensured nor sustainable, whilst the regulatory pressure increases
Inability to proactively mitigate / prevent risks
• Question: How can we more effectively reduce risks and detect potential risk events before they materialize?
• High focus on complying and reporting risk leaves little resource and time for risk mitigation (yet another labor-intensive process)
• Insufficient reduction of loss events and impacts
• Insufficient reduction of risk levels may compromise overall performance
Lack of integration
• Question: How to optimize the overall risk management process and connect it to other business systems and key processes?
• Lack of synergy in managing the different components: loss events, RCSAs, KRI…
• Risk management is discontinuous and disconnected, and some risk-generating events may be missed
• Misrepresentation of risks?
Departments shown: Risk Management, Finance, Internal Audit, Compliance
EPM, GRC and LoB Finance Boost Call – 16th November 2011 Internal
SAP Solution Overview
Financial Risk Management: Complete Coverage of Basel III Requirements through SAP GRC and other Components of the SAP Portfolio for the Financial Sector
Risk categories: Credit Risk, Market Risk, Liquidity Risk, Operational Risk, Other Risks
Risk types shown: Interest rate risk, Currency risk, Equity risk, Commodity risk, Refinancing risk, Concentration risk, Counterparty risk, Securitization risk, Reputational risk, Strategic risk, Volatility risk, Systemic risk, Organizational risk, Bus. process risk, Technology risk, People-related risk, External events risk
Requirements for Basel III of the Financial Services Industry: comprehensive coverage with the SAP and SAP BusinessObjects product portfolio
[Diagram labels: Basel III; SAP Basel II Solution; SAP Regulatory Reporting (Partner); SAP Enterprise Risk Reporting; SAP Enterprise Risk Reporting 2.0; Planned in 2012; SAP GRC Risk Mangmnt for Fin. Institutions; Basis: Cash-Flow Engine; Liquidity Risk Mangmnt @ HANA; Capital Definition]
Operational Risk Solution based on SAP GRC Risk Management, Integrated with SAP GRC Access Control and Process Control
[Diagram labels: Creditworthiness Check; Accounting; Trade Capture; Clearing; Settlement; Debt Rescheduling; SAP Differentiators; SAP Solution; Enterprise-wide Banking Business Applications; SAP BusinessObjects Risk Management (ORM for Financial Institutions Service Pack); SAP BusinessObjects Access Control; SAP BusinessObjects Process Control; SAP NetWeaver Business Process Applications; GRC Solution]
SAP® BusinessObjects™ Governance, Risk and Compliance Solution – Overall Objectives
• Maximize ongoing risk visibility and compliance assurance: Streamlined, continuous and automated risk and control management and monitoring
• Protect value by proactively preventing and mitigating risks: In-depth risk mitigation and prevention capabilities integrated with business systems
• Increase and sustain performance: Minimize the cost of risk and compliance activities while aligning risks and controls with performance objectives
Operational Risk Management for Financial Institutions by SAP GRC - Specific Objectives
• Ensure ORM compliance (Basel II / III)
• Unlike credit- or market risk management systems, the solution tracks the exposure on the entire bank:
  o Whole organization (e.g. business conduct) with human resources,
  o Technology, internal processes and work flows,
  o Assets, claims and liabilities, etc.
• Enterprise-wide solution, which can be interconnected with various operative systems:
  o HR, Credit Processing, Transactional Banking, etc.,
  o Other solutions covering the variety of risk management requirements (e.g. Basel II, III),
  o Back-Office (SAP or other ERPs…)
• Help improve performance across the whole institution, in addition to Basel compliance, through:
  o Loss reduction,
  o ORM process optimization,
  o Capital reduction, and contribution to increasing profitability
  o Increased rating agency confidence.
• Deeper risk mitigation: SAP Operational Risk solution integrated with other GRC components:
  o GRC Access Control, GRC Process Control, GRC Risk Management
Operational Risk Scope
SAP ORM for Financial Institutions solution refers to Basel II definition:
• Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
Operational risks:
• Processes / Organisation: Structure, Communication, Lack of control, Settlement risk, Transaction risk, Internal control system
• Systems risk / Technology: IT Security, Virus, ATM down time
• Human risk: Compensation, Benefits, Incentives; Loss of key personnel; Fraud; Misselling
• External event risk: Regulatory risk, Taxation risk, Disaster risk, Terrorist
Solution Components
SAP BusinessObjects Risk Management Flow: End-to-end coverage of the operational risk cycle
Differentiators
SAP Solution
■ Define the context within which business risks are to be managed
■ Identify and assess the impact of risk events
■ Prioritize the risks to be addressed and create risk responses
■ Monitor risk, risk responses, issue resolution on a continuous basis
■ Provide extensive reporting and analytics for qualitative and quantitative measurements
■ Continuously monitor key risk indicators across end-to-end business processes
■ In-depth, automated risk mitigation & prevention capabilities integrated with business systems
[Diagram components: Data / Org. Structures Management; Issue Management; Risk Assessment - R.C.S.A.s; Risk Monitoring / Key Risk Indicators; Compliance / Controls Management; Policy Management; Loss Event Management; Access Risk; Scenario Analysis / Risk Engine (AMA); Risk Reporting and Analytics; Risk Mitigation]
Key Capabilities
Static Data Management: Organization Structures
• Consistent organization structuring to support all components and processes of a complete operational risk management
• Collection and reporting of all operational risk and loss event data through all required types of structures:
  o Operational risks breakdown into risk categories
  o Multiple breakdowns for the Bank: Organizational Units and/or Processes (one hierarchy for the whole bank) and/or Products (different hierarchies for different business lines needed)
  o Other possible breakdowns: By Projects, By Causes ...
Extensive Organizational Modelling Possibilities
[Diagram: example hierarchy trees. Bank Group: Corp. & Markets (CM1, CM2), Banking (B1, B2). Bank Group: Bank inc (BAG1, BAG2), Subsidiary (S1, S2). Processes: Finance (Exp., Trade), Funds Transfer (FT1, FT2). Products: Fixed Income (FI1, FI2), Credit Cards (CC1, CC2). Basel II Categ.: Internal Fraud (Theft, Fraud), Exec. (E1, E2)]
Static Data Management: Structure Mapping
Central maintenance of master structures; data is pushed to dependent structures:
• Organisation units
• Risk categories
• Processes / products
Complete structure mapping:
• Management structure
• Basel II structure
Automatic reassignments of data when re-structuring:
• Losses
• Risks
• KRIs
Easier Maintenance and Flexibility – Structure Mapping and Inheritance
[Diagram: example mapped hierarchy trees. All: Fraud (Int., Ext.), Banking (B1, B2). All: Fraud (Int., Ext.), Bus. Practice (BP1, BP6). All: Internal Fraud (Theft, Fraud), Exec. (E1, E2). All: Internal Fraud (Fraud, Sec.), Damage (D1, D2)]
Loss Event Management: Internal Loss Events
• Transparency in terms of:
  o loss event detection and processing
  o impacted banking processes and systems
  o external impacts and personal risks
• Comprehensive process for collection of loss data to allow:
  o proper quantification of levels of operational risk
  o better communication and awareness on operational risk losses amongst employees
  o migration capability to incorporate past losses information
  o integration of external losses data to calibrate loss distributions for quantitative models and benchmarking (see following slide)
• Configurable workflow:
  o initial recording of loss event / notification to relevant personnel
  o complete documentation of details, impacts etc.
  o review by managers / approval(s)
Optimize loss event information for risk visibility and improvement
Loss Event Management: Comprehensive Coverage of Process Flow
Loss Event Management: External Loss Events
• Use of external loss data as benchmark for internal loss information or for validation
• External data needed for the Advanced Measurement approaches (usually the bank wasn’t faced with big losses in the past)
• Leverage external loss data (i.e. operational loss data of other financial institutions) collected via different data consortia (providing banks with a standardized exchange of internally collected loss data):
  • ORX, Operational Risk Exchange Association
  • GOLD, Global Operational Loss Database
  • OpVantage (Algorithmics)
  • Further local consortia:
    o Germany: VÖB, Verband öffentlicher Banken
    o Italy: DIPO, Database Italiano delle Perdite Operative
Leverage External Loss Event Data Enhancing Operational Risk Management
Risk Monitoring: Key Risk Indicators
• Early warning system based on the most relevant measurable data to reflect internal operational risk levels of the bank
• Business Rules can be defined to generate alerts when KRI values get above thresholds:
  o One-level, from above or below: Optimal value, warning level, alarm level
  o Two-level: Optimal value, 2 warning levels, 2 alarm levels
  o Fully configurable rules for calculations / aggregations
• Automated / integrated capabilities for KRI monitoring:
  o KRIs are updated based on actual, real-time data and events monitored in business systems
  o Helps validate risk assessments and review exposures where applicable
Proactively prevent risk from occurring
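An added example, not taken from the slides or from SAP's software: one way to evaluate the one-level and two-level KRI rules described above and raise an alert only when the status changes. It reads "from above or below" as the side on which the indicator degrades and the two-level rule as a band around the optimum; both readings, the class names and the sample KRI are assumptions.

```python
from dataclasses import dataclass

OK, WARNING, ALARM = "ok", "warning", "alarm"

@dataclass(frozen=True)
class OneLevelRule:
    """Optimal value plus one warning and one alarm level on a single side."""
    optimal: float
    warning: float
    alarm: float

    def __post_init__(self):
        rising = self.optimal < self.warning < self.alarm    # breached from above
        falling = self.optimal > self.warning > self.alarm   # breached from below
        if not (rising or falling):
            raise ValueError("levels must run optimal -> warning -> alarm one way")

    def evaluate(self, value):
        # sign folds both directions into one comparison
        sign = 1 if self.alarm > self.optimal else -1
        if sign * (value - self.alarm) >= 0:
            return ALARM
        if sign * (value - self.warning) >= 0:
            return WARNING
        return OK

@dataclass(frozen=True)
class TwoLevelRule:
    """Optimal value with a warning and an alarm level on each side."""
    alarm_low: float
    warning_low: float
    optimal: float
    warning_high: float
    alarm_high: float

    def __post_init__(self):
        levels = (self.alarm_low, self.warning_low, self.optimal,
                  self.warning_high, self.alarm_high)
        if any(a >= b for a, b in zip(levels, levels[1:])):
            raise ValueError("levels must be strictly increasing")

    def evaluate(self, value):
        if value <= self.alarm_low or value >= self.alarm_high:
            return ALARM
        if value <= self.warning_low or value >= self.warning_high:
            return WARNING
        return OK

def alerts(rule, readings):
    """Return (timestamp, value, status) for every change of status, starting from OK."""
    out, previous = [], OK
    for timestamp, value in readings:
        status = rule.evaluate(value)
        if status != previous:            # suppress repeats of the same status
            out.append((timestamp, value, status))
            previous = status
    return out

# Constructed sample: failed settlements per day, degrading "from above".
FAILED_SETTLEMENTS = OneLevelRule(optimal=0, warning=5, alarm=10)
READINGS = [("2012-10-01", 2), ("2012-10-02", 6), ("2012-10-03", 7),
            ("2012-10-04", 12), ("2012-10-05", 3)]

if __name__ == "__main__":
    for alert in alerts(FAILED_SETTLEMENTS, READINGS):
        print(alert)
```

Reporting only status changes keeps a KRI that sits above its warning level for days from producing one alert per reading, while the return to "ok" is still recorded.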
Risk Assessment: R.C.S.A.s
Business Context Based Assessments – a Dynamic Process
Preparation
In the preparation phase, questions are combined into surveys to be used in plans:
• Question Library
• Survey Library
Surveys are generated from chosen questions.
Planning
Plan definition:
• Plan Name (ex. RCSA Survey)
• Plan Activity (ex. Perform Risk Survey)
• Survey Name
• Start Date
• Due Date
Execution / Monitoring
Tracking of recipients' status, response and overall statistics
Aggregation of results
Across organisation units, risk categories – various calculation rules
Issue Management: Ad hoc Issues and Action Plans
Manage Issue at all levels and effectively track action items
• Global and comprehensive management of issues arising from risks, loss events, KRIs, RCSAs, Controls:
  o Detection of issues, documentation and ownership assignment
  o Tracking of action items, escalations...
• Can additionally be enabled through:
  o Audit Findings Management (internal and external)
  o Policy Management
Issue Management - Process Overview
[Flowchart labels: Report Issue; Remediation required (Yes / No); Nature of remediation (Simple, CAPA); Corrective Actions; Preventive Actions; Action Items Owner 1 to Action Items Owner N; Issue Completed]
Scenario Analysis and Risk Engine: Scenario Analysis
Clearer, Integrated View of Risk Potentials in Multiple Dimensions
• Evaluate the exposure to high-severity events and derive the need of internal process enhancements
• Tightly linked with Risk Control Self-Assessments and Key Risk Indicators for more in-depth scenario analysis
• Scenario losses can be generated from within Loss Event Management or from the Risk
• Loss distribution approach can be performed by risk type and business line
Scenario Analysis and Risk Engine: Risk Engine - Advanced Measurement Approach (AMA)
• Advanced Measurement Approach:
  o Develop empirical models through calibration of loss frequency and loss severity distribution
  o Allows simulation of future capital requirements
• Supported with partner solution OpVision from QRR (see next slide)
[Diagram labels: Internal Losses; External Losses; RCSA; Key Risk Indicator; Business Experts; Operational Systems; Insurances; Monte Carlo; Pre-Adjustments; Post-Adjustments; Pre-EC; Post-EC]
*: OpVision
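An added example, not part of the slides and not SAP's or QRR's code: a minimal loss distribution approach run that calibrates frequency and severity from a loss history, simulates annual losses by Monte Carlo, and compares the capital figure before and after an insurance recovery. The Poisson and lognormal models, the 99.9% quantile, the insurance terms and the loss amounts are assumptions chosen for the illustration.

```python
import math
import random
import statistics

# Constructed internal loss history: gross amounts recorded over 4 years.
INTERNAL_LOSSES = [12_000, 8_500, 150_000, 40_000, 3_200, 95_000,
                   22_000, 610_000, 17_500, 5_400, 71_000, 28_000]
YEARS_OBSERVED = 4

def calibrate(losses, years):
    """Maximum-likelihood fit: Poisson frequency, lognormal severity."""
    logs = [math.log(x) for x in losses]
    lam = len(losses) / years                  # expected events per year
    return lam, statistics.fmean(logs), statistics.pstdev(logs)

def poisson(rng, lam):
    """Draw a Poisson count (Knuth's method, adequate for small lam)."""
    limit, count, product = math.exp(-lam), 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count

def simulate(lam, mu, sigma, n_years, seed, deductible=0.0, cover=0.0):
    """Simulate net annual loss totals; cover=0 means no insurance."""
    rng = random.Random(seed)                  # fixed seed: reproducible runs
    totals = []
    for _ in range(n_years):
        total = 0.0
        for _ in range(poisson(rng, lam)):
            loss = rng.lognormvariate(mu, sigma)
            recovery = min(max(loss - deductible, 0.0), cover)
            total += loss - recovery
        totals.append(total)
    return totals

def capital(totals, q=0.999):
    """Expected loss, q-quantile of annual loss, and their difference."""
    ordered = sorted(totals)
    index = min(len(ordered) - 1, math.ceil(q * len(ordered)) - 1)
    expected = statistics.fmean(ordered)
    # Assumption: capital is taken as the unexpected loss (quantile minus mean).
    return {"expected_loss": expected, "var": ordered[index],
            "capital": ordered[index] - expected}

def pre_and_post_insurance(n_years=20_000, seed=7):
    lam, mu, sigma = calibrate(INTERNAL_LOSSES, YEARS_OBSERVED)
    pre = capital(simulate(lam, mu, sigma, n_years, seed))
    # Same seed, so both runs see identical gross losses.
    post = capital(simulate(lam, mu, sigma, n_years, seed,
                            deductible=50_000, cover=500_000))
    return pre, post

if __name__ == "__main__":
    for label, result in zip(("pre", "post"), pre_and_post_insurance()):
        print(label, {k: round(v) for k, v in result.items()})
```

With only twelve observed losses the fitted tail is very uncertain, which is the gap the external loss data and scenario inputs named on these slides are meant to fill.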
Advanced Measurement Approach Coverage: QRR OpVision
Quantitative Risk Research (www.qrr.es) provides the NetWeaver certified solution OpVision.
OpVision is designed to import multiple data sources with its Data Component, and an integration with an extended GRC Risk Management solution is possible.
Various distributions, tests and estimators as well as the most important Loss Distribution Approach (LDA) are supported.
[Diagram labels: Reporting, Data, Analysis, Capital, OpVision]
Risk Reporting and Analytics (Enterprise-wide and Specific)
• Monitor the operational risk management program with a comprehensive set of new reports and analytics
  o Reports provide loss event historical views with categorization, trends, business metrics, and identification of hot spots
  o Analytics provide aggregated views with drill down capabilities
• Key reports and analytics:
  o Loss Event Matrix Analysis
  o Loss Event Overview
  o Loss Event Structure
  o Top Loss Events
  o Gross Loss Amount by Organizational Unit
  o Loss Events by Organizational Unit
  o Loss Events by Risk Category
  o Insurance Payments by Organizational Unit
  o Loss Effect Allocations by Organizational Unit
  o KRI Aggregation Report
  o RCSA Aggregation Report
Extensive Range of Reports & Dashboards Available for Different Management Levels
Risk Reporting and Analytics (Enterprise-wide and Specific)
• Reports include numerous filter and configuration options
• Reports and analytics leverage GRC10 personalization options and display formats (ALV and Crystal)
• Other reports:
  o Narratives from Risk Officers
  o Historical: past losses, failures and outages
  o (Major) Internal losses (trends / frequencies by business line, risk category, period...)
  o External events (external losses, industry trends, regulation information, competitors)
  o Near misses (weakness cases, failures without loss)
  o Operational risk capital levels with provisions and insurances
  o Scenario analysis and stress test results
  o Current issues (from KRI, Self Assessments, Audit) - Issue tracking on major initiatives
  o Business-specific metrics: KRIs and error rate development, risk process measures
  o Predictive: Risk outlook from risk self-assessments, KRIs and legal data
  o Self-assessments (current snapshot of firm’s status, projection on firm’s exposure)
  o Risk Maps with probability and severity derived from scenario and risk analysis
  o Enterprise view: aggregated risks
Risk Mitigation: Leverage SAP BusinessObjects GRC Access Control & Process Control
Effectively Reduce Risk with Control Automation and Continuous Monitoring
Access Control:
• Integration in terms of organisation unit hierarchies
• Implement specific bank rules to segregate users via role definition (...and help avoid cases like Leeson and Kerviel)
Process Control:
• Integration in terms of organisation unit and risk hierarchies
• Risk mitigation with responses and controls tracked in Process Control (control monitoring)
• Leverage and manage policies to mitigate specific risks
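An added example, not from the slides and not SAP GRC Access Control code: a segregation-of-duties check in which roles are granted at an organisation unit, inherited by its child units, and tested against bank rules that forbid one person holding two actions together. The role names, rules, users and the inheritance model are hypothetical; the unit names follow the deck's example hierarchy.

```python
# Constructed org-unit hierarchy (child -> parent).
PARENT = {
    "Bank Group": None,
    "Corp. & Markets": "Bank Group",
    "CM1": "Corp. & Markets",
    "CM2": "Corp. & Markets",
}

# Hypothetical roles and the business actions each one grants.
ROLE_ACTIONS = {
    "trader": {"trade_capture"},
    "back_office": {"clearing", "settlement"},
    "desk_support": {"trade_capture", "accounting"},
}

# Hypothetical bank rules: action pairs one person must not hold together.
CONFLICTS = [
    frozenset({"trade_capture", "settlement"}),
    frozenset({"trade_capture", "accounting"}),
]

# Constructed assignments: (user, role, unit where the role is granted).
ASSIGNMENTS = [
    ("alice", "trader", "CM1"),
    ("alice", "back_office", "Corp. & Markets"),   # inherited by CM1 and CM2
    ("bob", "trader", "CM1"),
    ("bob", "back_office", "CM2"),                 # different unit: no overlap
    ("carol", "desk_support", "CM2"),              # conflict inside one role
]

def scope(unit):
    """Return the unit followed by all of its ancestors."""
    chain = []
    while unit is not None:
        chain.append(unit)
        unit = PARENT[unit]
    return chain

def effective_roles(user, unit, assignments):
    """Roles the user holds at `unit`, including those granted higher up."""
    units = set(scope(unit))
    return {role for who, role, at in assignments if who == user and at in units}

def find_violations(assignments):
    """List (user, unit, conflicting actions, roles) for every broken rule."""
    violations = []
    for user in sorted({who for who, _, _ in assignments}):
        for unit in PARENT:
            roles = effective_roles(user, unit, assignments)
            actions = set().union(*(ROLE_ACTIONS[r] for r in roles))
            for rule in CONFLICTS:
                if rule <= actions:
                    violations.append((user, unit, tuple(sorted(rule)),
                                       tuple(sorted(roles))))
    return violations

def would_violate(user, role, unit, assignments=ASSIGNMENTS):
    """Preventive check: violations a new grant would introduce."""
    before = find_violations(assignments)
    after = find_violations(assignments + [(user, role, unit)])
    return [v for v in after if v not in before]

if __name__ == "__main__":
    for violation in find_violations(ASSIGNMENTS):
        print(violation)
```

Running `would_violate` before a grant is approved is the preventive form of the control; `find_violations` over existing assignments is the detective form.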
Benefits
Why SAP?
Increased Insight
• Better context of information and compliance
• Proactive and strategic
• Prevent issues
Increased Transparency
• Unify silos of information
• Full visibility into losses and risks
• Strong context of risks across processes through integration with backend systems
Improved Efficiencies
• Reduced costs
• Automated risk and control management
• Aligning risk and performance objectives
Improve Predictability and Performance
• Continuous monitoring of risk indicators and risk responses
• More reliable, trustworthy risk and compliance data
• Standardized risk methodologies and measurements