Operational Risk Management: Overview of Frameworks, Governance and Evolution

Jonathan Dix, 5/18/2015

For internal use only

Where are you from?

• 15% Americas: Canada, Curacao, El Salvador, Mexico, Nicaragua, Suriname
• 16% Asia Pacific: Bangladesh, Indonesia, Philippines, Republic of Korea, Singapore, Sri Lanka, Taiwan, Thailand
• 34% Africa/Middle East: Angola, Egypt, Ghana, Israel, Jordan, Kuwait, Pakistan, Palestine, Saudi Arabia, Sierra Leone, Tanzania, Uganda, UAE, Zambia
• 35% Europe: Cyprus, Czech Republic, Denmark, Germany, Italy, Montenegro, Norway, Poland, Russian Federation, Slovakia, Spain, Sweden, Switzerland

Your Role in the Institution

• Auditor: 42.62%
• Other: 31.15%
• Corporate Risk Management: 14.75%
• Business Area Risk Management: 6.56%
• Business Continuity: 4.92%

Operational Risk

Business Continuity

Investment Review

Project Management

Agenda

• Risk Management Culture
• Framework and Governance
• Evolution and Elements of Risk Reporting
• Continuous Improvement
• Summary: Key Success Factors

Building our Risk Management Culture

• 2005 to 2008: Strengthen the Bank’s operational risk management by adopting private sector best practice
  – Formed Operational Risk Committee.
  – Bank established risk event reporting, escalation process, and a risk assessment template.
  – Supported by an independent operational risk management function.
• 2009 to 2010: Focus on financial risk
  – Engaged external consulting firm with expertise in risk management.
  – Established Chief Risk Officer role and built out financial risk analysis and reporting.
  – Formed Risk Oversight Committee to consider difficult financial risk issues.
  – Advised to merge risk areas at a future time.
• 2011 to 2012: Emphasis on end-to-end process improvement
  – Established business process excellence program.
  – Provided new control policies to apply lessons learned in one area to all areas.
  – Focus included end-user developed tools (e.g., spreadsheets) and contingent workers.
• 2013 to 2014: Focus on integration
  – Established Risk Group under Chief Risk Officer with responsibility for operational and financial risk.
  – Developed risk grid to show residual risk exposure across risk management disciplines and Bank core functions.
  – Developed business process risk and control mapping framework to evaluate and establish controls at the activity level.
  – Transformed the Risk Oversight Committee (predominantly focused on financial risks) into the Bank’s Risk Committee, inclusive of all risks.

Cultural Influences

• We don’t do this alone!
• Internal Audit provided strong motivation
  – Management focused on new ways to strengthen the overall control environment, based on audit observations.
    • Insisted on business ownership of risk and controls.
    • Highlighted stronger risk management of end-to-end processes.
    • Inspired wider use of business process excellence and business risk and control mapping.
    • Introduced targets for past due audit findings and “effective” audit ratings.
• Board of Directors Audit and Risk Committee (ARC)
  – ARC Chairs during the financial crisis pushed for an integrated risk management structure under the Chief Risk Officer and an integrated view of risk.
  – The current ARC Chair guided us toward providing an integrated view of risk through a residual risk grid.

Framework & Governance

Framework – why it works…

• Quick and transparent escalation of risk events
  – Bank Risk Event Disclosure, Escalation and Reporting Policy
  – Local area risk event reporting policies
  – Analysis of risk events by risk advisors
• Standard classification of risk categories
  – ERM Risk Framework/Key Operational Risk Categories (Business Continuity, Business Process, External Environment, Human Resources, and Technology & Info. Mgmt.)
• Thoughtful, consistent evaluation and discussion within/across Groups
  – Risk Committee and other risk-focused assemblies – share risk events, discuss impact, plan for mitigation
  – Regular meetings between business areas and Internal Audit & Operational Risk
• Timely enterprise risk profile
  – Reporting expectations for business areas (data, metrics, information)
  – Central risk area reporting captures aggregate information

Governance

Formal Risk Governance Committees

• Board of Directors: Audit and Risk Committee (ARC) approves risk management approach
• Management Committee: Provides sponsorship, approvals, and oversight of risk management activities
• Risk Sub-committee: Supports the MC through the development of the enterprise risk framework.
• Risk Forum & Risk Advisory Council
  – Collaborative session hosted by the CRO where key operational risk themes within the Bank are discussed.
  – Working group focused on specific risk objectives.
• Risk Functions (Operational, Financial, Compliance): Perform risk management assessments of processes, aggregate and analyze the Bank-view of risk, and present analysis to senior management and ARC.
• Risk Advisors: Support business areas in assessing controls and vulnerabilities and in implementing mitigation strategies.
• Business: Identify and take ownership of risks, assess controls, and make the ultimate decision on mitigation based on cost/impact.
• Internal Audit: Provides independent assessment of the control environment

Role of Central Operational Risk (COR)

• Facilitate and manage operational risk program
  – Develop comprehensive framework
  – Define standard language
  – Support and coordinate with business areas
  – Monitor and oversee risk and control issues
  – Lead Risk Forum and Risk Advisory Council
• Perform aggregate risk analysis
  – Business areas’ self assessments
  – Risk events
  – Audit and Risk Committee residual risk ratings (i.e. ARC grids)
  – Other assessment processes (e.g. business risk and control mapping)
• Develop integrated risk profile and action items for the Bank
  – Identify key risk themes and raise them for decision points
  – Present and monitor key risks and mitigating actions
  – Present profile through the various risk governance committees.

Role of Risk Advisors & Business

Risk Advisors
• Partner with COR and business
  – Assist in assessing residual risk
  – Assess shared risk and centralized controls
  – Monitor risk issues, develop mitigating action plans
• Risk Event reviews
  – Analyze Bank-wide risk events
  – Opine on certain event attributes
• Communication
  – Co-author operational risk profile
  – Provide status of ongoing risk mitigation initiatives

Business
• Perform self assessments
  – Assess level of inherent risk within the business
  – Assess effectiveness of controls and determine residual risk level
• Own and manage risk
• Report Risk Events
  – Perform root cause analysis, resolve issues, and communicate lessons learned.
• Participate on Risk Forum and Risk Advisory Council

Evolution & Elements of Risk Reporting

Evolution of Risk Reporting

• Original risk assessment information was very limited and prescriptive
  – Business areas approached it like a checklist
  – Detailed list of risks with little commentary
  – Did not facilitate risk management discussions
• Current risk assessment information is more meaningful
  – Provides the opportunity for detailed commentary
  – Facilitates discussion with Functions and Groups
• Residual Risk Rating Grid
  – Introduces historic and future views of residual risk, in addition to the current rating
  – Facilitates discussions across all levels of the organization and risk governance
• Operational Risk Profile Report
  – Identifies key risk themes, trends, and mitigating action plans
  – Primary source is business area self-risk assessments & risk event information
  – Facilitates discussions with the risk governance committees

Elements of Risk Reporting (ARC)

• Challenged to show a comprehensive residual risk view across the Bank
• Depicts risks related to the Bank’s core responsibilities (rather than business silos)
  – e.g. for FOMC, Lender of Last Resort, as Fiscal Agent, etc.
• Names executives accountable for risk and risk mitigation
• Requires assessment of risk more frequently
• General Feedback (after some pain-points)
  – Business areas find value in seeing themselves within the “enterprise” view of risk
  – Drives a more consistent understanding of risks across the Bank’s businesses.

Refer to Appendix A for summarized Risk Grid.

Elements of Risk Reporting (RCSA)

Field Name: Overview of Field

• Risk Title: Concise summary of the risk being assessed
• Risk Description: Discussion of the risk being assessed
• Likelihood: The probability that an event will occur over a given time horizon. Assessed as Low, Moderate, or High. Typical time frame is one year.
• Impact: A measure of the effect that an incident, problem, or change is having or might have on the Bank. Assessed as Low, Moderate, or High.
• Inherent Risk Rating: The risk to the entity in the absence of actions that management may take to alter the likelihood or impact of the risk. Assessed from the responses to the Likelihood and Impact ratings as Low, Moderate, or High.
• Mitigation: Description of actions taken to reduce the likelihood and/or impact of the identified risks occurring. The description should convey which aspects of the risks are mitigated by the specific controls, as well as which aspects of risk are not mitigated.
• Residual Risk Rating: The portion of inherent risk that remains after controls or other mitigating actions have been applied. Assessed as Low, Moderate, or High.
• Risk Acceptance or Steps to Further Mitigate Risk: A statement indicating the plans for future steps that will further reduce the level of residual risk OR an indication that the business accepts the level of residual risk. Required if the residual risk is assessed as Moderate or High.
• Emerging Risks: A newly developing or changing risk that may have an impact on the Bank.
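As an added illustration (not from the deck or the Bank), the RCSA fields above expressed as a record with the template's own rules checked in Python: the inherent rating derived from Likelihood and Impact, residual not exceeding inherent, and the acceptance statement required at Moderate or High. The 3x3 combination matrix, the "residual needs described controls" check and the sample entry are assumptions the slide does not give.

```python
from dataclasses import dataclass

RATINGS = ("Low", "Moderate", "High")  # ordinal scale for every rating field

# ASSUMED combination table: the slide derives the inherent rating from
# Likelihood and Impact but shows no matrix; replace it with your institution's.
INHERENT_MATRIX = {
    ("Low", "Low"): "Low", ("Low", "Moderate"): "Low", ("Low", "High"): "Moderate",
    ("Moderate", "Low"): "Low", ("Moderate", "Moderate"): "Moderate", ("Moderate", "High"): "High",
    ("High", "Low"): "Moderate", ("High", "Moderate"): "High", ("High", "High"): "High",
}

@dataclass
class RcsaEntry:  # one row of the RCSA template, one attribute per slide field
    risk_title: str
    risk_description: str
    likelihood: str
    impact: str
    mitigation: str
    residual_risk_rating: str
    risk_acceptance_or_steps: str = ""
    emerging_risks: str = ""

def inherent_risk_rating(likelihood: str, impact: str) -> str:
    """Derive the Inherent Risk Rating from Likelihood and Impact (assumed matrix)."""
    return INHERENT_MATRIX[(likelihood, impact)]

def validate_entry(e: RcsaEntry) -> list[str]:
    """Return the template rules the entry violates; an empty list means it passes."""
    problems = [f"{n} must be one of {RATINGS}, got {v!r}"
                for n, v in (("Likelihood", e.likelihood), ("Impact", e.impact),
                             ("Residual Risk Rating", e.residual_risk_rating))
                if v not in RATINGS]
    if problems:
        return problems  # the ordinal checks below need valid ratings
    inherent = inherent_risk_rating(e.likelihood, e.impact)
    res, inh = RATINGS.index(e.residual_risk_rating), RATINGS.index(inherent)
    # Residual risk is what remains of inherent risk after controls, so it
    # cannot exceed inherent (our ordinal reading of the slide's definition).
    if res > inh:
        problems.append(f"Residual {e.residual_risk_rating} exceeds inherent {inherent}")
    if res < inh and not e.mitigation.strip():  # a reduction needs described controls
        problems.append("Mitigation must describe the controls that lower the rating")
    if res >= 1 and not e.risk_acceptance_or_steps.strip():  # Moderate or High
        problems.append("Risk Acceptance or Steps to Further Mitigate Risk is required")
    return problems

# Constructed sample entry (not from the deck): residual Moderate, no acceptance statement.
SAMPLE = RcsaEntry("Settlement spreadsheet", "End-user developed tool feeds daily settlement figures.",
                   "Moderate", "High", "Quarterly reconciliation; formula changes unreviewed.", "Moderate")
```

Running `validate_entry(SAMPLE)` flags only the missing acceptance statement; adding one makes the entry pass.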

Elements of Risk Reporting (Risk Events)

• Developed a policy that defines:
  – a risk event and severity levels
  – risk event notification and escalation process
  – risk analysis and reporting process
  – initial and final information requirements
• Every employee, regardless of rank or tenure, is responsible for ensuring that risk events are reported
• Enhances risk/control culture at all levels by engaging multiple levels of staff and management
• Serves as an input to a variety of analyses within the Bank
• No penalty for reporting a risk event

Elements of Risk Reporting (BRCM)

• Three step process:
  – Map business process, including handoffs
  – Identify and assess process risk
  – Define mitigation strategies and controls.
• Provides cross-business end-to-end view of risks and controls.
• Supports a process for accepting residual risk and provides insight into where to direct investment.

Refer to Appendix B & C for supporting artifacts.

Continuous Improvement

Continuous Improvement

• Development of Taxonomy for Processes, Risks and Controls
  – To facilitate a more robust “common language” for risk
  – To provide a means to collect meaningful, quantitative data (improve reporting)
  – To identify shared risks (and common controls) across the Bank.
• Enhancing & Streamlining the RCSA process
  – To better facilitate control function integration (e.g. Compliance, SOX)
  – Will leverage PRC taxonomy.
• Continue to invest in tools to identify and measure potential and realized risk
• Continue to improve our risk framework and governance

Appendix

Appendix A

Appendix B

Appendix C
