Operational Risk Management: Overview of Frameworks, Governance and Evolution
Jonathan Dix, 5/18/2015
For internal use only
Where are you from? (audience poll)
• Americas, 15%: Canada, Curacao, El Salvador, Mexico, Nicaragua, Suriname
• Asia Pacific, 16%: Bangladesh, Indonesia, Philippines, Republic of Korea, Singapore, Sri Lanka, Taiwan, Thailand
• Africa/Middle East, 34%: Angola, Egypt, Ghana, Israel, Jordan, Kuwait, Pakistan, Palestine, Saudi Arabia, Sierra Leone, Tanzania, Uganda, UAE, Zambia
• Europe, 35%: Cyprus, Czech Republic, Denmark, Germany, Italy, Montenegro, Norway, Poland, Russian Federation, Slovakia, Spain, Sweden, Switzerland
Your Role in the Institution (audience poll)
• Auditor: 42.62%
• Other: 31.15%
• Corporate Risk Management: 14.75%
• Business Area Risk Management: 6.56%
• Business Continuity: 4.92%
Operational Risk
Business Continuity
Investment Review
Project Management
Agenda
• Risk Management Culture
• Framework and Governance
• Evolution and Elements of Risk Reporting
• Continuous Improvement
• Summary: Key Success Factors
Building our Risk Management Culture
• 2005 to 2008: Strengthen the Bank's operational risk management by adopting private sector best practice
 – Formed Operational Risk Committee.
 – Bank established risk event reporting, escalation process, and a risk assessment template.
 – Supported by an independent operational risk management function.
• 2009 to 2010: Focus on financial risk
 – Engaged external consulting firm with expertise in risk management.
 – Established Chief Risk Officer role and built out financial risk analysis and reporting.
 – Formed Risk Oversight Committee to consider difficult financial risk issues.
 – Advised to merge risk areas at a future time.
• 2011 to 2012: Emphasis on end-to-end process improvement
 – Established business process excellence program.
 – Provided new control policies to apply lessons learned in one area to all areas.
 – Focus included end-user developed tools (e.g., spreadsheets) and contingent workers.
• 2013 to 2014: Focus on integration
 – Established Risk Group under Chief Risk Officer with responsibility for operational and financial risk.
 – Developed risk grid to show residual risk exposure across risk management disciplines and Bank core functions.
 – Developed business process risk and control mapping framework to evaluate and establish controls at the activity level.
 – Transformed the Risk Oversight Committee (predominantly focused on financial risks) into the Bank's Risk Committee, inclusive of all risks.
Cultural Influences
• We don't do this alone!
• Internal Audit provided strong motivation
 – Management focused on new ways to strengthen the overall control environment, based on audit observations.
 – Insisted on business ownership of risk and controls.
 – Highlighted stronger risk management of end-to-end processes.
 – Inspired wider use of business process excellence and business risk and control mapping.
 – Introduced targets for past due audit findings and "effective" audit ratings.
• Board of Directors Audit and Risk Committee (ARC)
 – ARC Chairs during the financial crisis pushed for an integrated risk management structure under the Chief Risk Officer and an integrated view of risk.
 – The current ARC Chair guided us toward providing an integrated view of risk through a residual risk grid.
Framework & Governance
Framework – why it works…
• Quick and transparent escalation of risk events
 – Bank Risk Event Disclosure, Escalation and Reporting Policy
 – Local area risk event reporting policies
 – Analysis of risk events by risk advisors
• Standard classification of risk categories
 – ERM Risk Framework / Key Operational Risk Categories (Business Continuity, Business Process, External Environment, Human Resources, and Technology & Information Management)
• Thoughtful, consistent evaluation and discussion within and across Groups
 – Risk Committee and other risk-focused assemblies share risk events, discuss impact, and plan for mitigation
 – Regular meetings between business areas and Internal Audit & Operational Risk
• Timely enterprise risk profile
 – Reporting expectations for business areas (data, metrics, information)
 – Central risk area reporting captures aggregate information
Governance
Formal Risk Governance Committees
• Board of Directors
 – Audit and Risk Committee (ARC) approves risk management approach
• Management Committee
 – Provides sponsorship, approvals, and oversight of risk management activities
• Risk Sub-committee
 – Supports the MC through the development of the enterprise risk framework.
• Risk Forum & Risk Advisory Council
 – Collaborative session hosted by the CRO where key operational risk themes within the Bank are discussed.
 – Working group focused on specific risk objectives.
• Risk Functions (Operational, Financial, Compliance)
 – Perform risk management assessments of processes, aggregate and analyze the Bank-view of risk, and present analysis to senior management and ARC.
• Risk Advisors
 – Support business areas in assessing controls and vulnerabilities and in implementing mitigation strategies.
• Business
 – Identify and take ownership of risks, assess controls, and make the ultimate decision on mitigation based on cost/impact.
• Internal Audit
 – Provides independent assessment of the control environment
Role of Central Operational Risk (COR)
• Facilitate and manage operational risk program
 – Develop comprehensive framework
 – Define standard language
 – Support and coordinate with business areas
 – Monitor and oversee risk and control issues
 – Lead Risk Forum and Risk Advisory Council
• Perform aggregate risk analysis
 – Business areas' self assessments
 – Risk events
 – Audit and Risk Committee residual risk ratings (i.e., ARC grids)
 – Other assessment processes (e.g., business risk and control mapping)
• Develop integrated risk profile and action items for the Bank
 – Identify key risk themes and raise them for decision points
 – Present and monitor key risks and mitigating actions
 – Present profile through the various risk governance committees.
Role of Risk Advisors & Business
Risk Advisors
• Partner with COR and business
 – Assist in assessing residual risk
 – Assess shared risk and centralized controls
• Risk Event reviews
 – Analyze Bank-wide risk events
 – Opine on certain event attributes
• Communication
 – Co-author operational risk profile
 – Provide status of ongoing risk mitigation initiatives
Business
• Own and manage risk
 – Monitor risk issues, develop mitigating action plans
• Perform self assessments
 – Assess level of inherent risk within the business
 – Assess effectiveness of controls and determine residual risk level
• Report Risk Events
 – Perform root cause analysis, resolve issues, and communicate lessons learned.
• Participate on Risk Forum and Risk Advisory Council
Evolution & Elements of Risk Reporting
Evolution of Risk Reporting
• Original risk assessment information was very limited and prescriptive
 – Business areas approached it like a checklist
 – Detailed list of risks with little commentary
 – Did not facilitate risk management discussions
• Current risk assessment information is more meaningful
 – Provides the opportunity for detailed commentary
 – Facilitates discussion with Functions and Groups
• Residual Risk Rating Grid
 – Introduces historic and future views of residual risk, in addition to the current rating
 – Facilitates discussions across all levels of the organization and risk governance
• Operational Risk Profile Report
 – Identifies key risk themes, trends, and mitigating action plans
 – Primary sources are business area self-risk assessments and risk event information
 – Facilitates discussions with the risk governance committees
Elements of Risk Reporting (ARC)
• Challenged to show a comprehensive residual risk view across the Bank
• Depicts risks related to the Bank's core responsibilities (rather than business silos), e.g., FOMC, Lender of Last Resort, Fiscal Agent
• Names executives accountable for risk and risk mitigation
• Requires assessment of risk more frequently
• General feedback (after some pain points)
 – Business areas find value in seeing themselves within the "enterprise" view of risk
 – Drives a more consistent understanding of risks across the Bank's businesses.
Refer to Appendix A for summarized Risk Grid.
Elements of Risk Reporting (RCSA)
Field Name: Overview of Field
• Risk Title: Concise summary of the risk being assessed
• Risk Description: Discussion of the risk being assessed
• Likelihood: The probability that an event will occur over a given time horizon. Assessed as Low, Moderate, or High. Typical time frame is one year.
• Impact: A measure of the effect that an incident, problem, or change is having or might have on the Bank. Assessed as Low, Moderate, or High.
• Inherent Risk Rating: The risk to the entity in the absence of actions that management may take to alter the likelihood or impact of the risk. Assessed from the responses to the Likelihood and Impact ratings as Low, Moderate, or High.
• Mitigation: Description of actions taken to reduce the likelihood and/or impact of the identified risks occurring. The description should convey which aspects of the risks are mitigated by the specific controls, as well as which aspects of risk are not mitigated.
• Residual Risk Rating: The portion of inherent risk that remains after controls or other mitigating actions have been applied. Assessed as Low, Moderate, or High.
• Risk Acceptance or Steps to Further Mitigate Risk: A statement indicating the plans for future steps that will further reduce the level of residual risk, OR an indication that the business accepts the level of residual risk. Required if the residual risk is assessed as Moderate or High.
• Emerging Risks: A newly developing or changing risk that may have an impact on the Bank.
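The field rules above can be checked mechanically before an RCSA entry reaches the risk governance committees. The following is an added example, not the deck's or the Bank's own tooling: the deck says only that the Inherent Risk Rating is "assessed from" Likelihood and Impact without giving the matrix, so the "higher of the two" combination rule is an assumption, and the two sample entries are constructed.

```python
"""Validate RCSA entries against the field rules given on the page.

Added example, not the Bank's own tooling. The page does not give the
matrix that turns Likelihood and Impact into the Inherent Risk Rating,
so the 'higher of the two' rule below is an assumption.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Ordered scale shared by Likelihood, Impact, Inherent and Residual ratings.
LEVELS = ("Low", "Moderate", "High")


def level_index(level: str) -> int:
    """Position of a rating on the Low < Moderate < High scale."""
    if level not in LEVELS:
        raise ValueError(f"unknown rating {level!r}; expected one of {LEVELS}")
    return LEVELS.index(level)


def inherent_rating(likelihood: str, impact: str) -> str:
    """Derive the Inherent Risk Rating from Likelihood and Impact.

    ASSUMPTION: the page only says the rating is assessed from the two
    inputs. This takes the higher of the two, so a High on either axis
    gives a High inherent rating (conservative, never understates risk).
    """
    return LEVELS[max(level_index(likelihood), level_index(impact))]


@dataclass
class RcsaEntry:
    """One row of the RCSA with the fields named on the page."""
    risk_title: str
    risk_description: str
    likelihood: str          # one-year horizon per the field definition
    impact: str
    mitigation: str          # which aspects of the risk the controls address
    residual_risk: str
    acceptance_or_next_steps: Optional[str] = None
    emerging_risks: List[str] = field(default_factory=list)

    @property
    def inherent_risk(self) -> str:
        return inherent_rating(self.likelihood, self.impact)


def validate(entry: RcsaEntry) -> List[str]:
    """Return rule violations for one entry; an empty list means it is clean."""
    problems: List[str] = []
    if not entry.risk_title.strip():
        problems.append("Risk Title is required")
    if not entry.risk_description.strip():
        problems.append("Risk Description is required")
    for name, value in (("Likelihood", entry.likelihood),
                        ("Impact", entry.impact),
                        ("Residual Risk Rating", entry.residual_risk)):
        if value not in LEVELS:
            problems.append(f"{name} must be one of {LEVELS}, got {value!r}")
    if problems:
        return problems  # the rating checks below need valid levels

    inherent = entry.inherent_risk
    residual = level_index(entry.residual_risk)
    # Residual risk is the portion of inherent risk left after controls,
    # so it cannot be rated above the inherent risk.
    if residual > level_index(inherent):
        problems.append(
            f"Residual {entry.residual_risk} exceeds inherent {inherent}")
    # A residual below inherent claims that controls reduced the risk; the
    # Mitigation field must then describe those controls.
    if residual < level_index(inherent) and not entry.mitigation.strip():
        problems.append("Mitigation required when residual is below inherent")
    # Moderate/High residual needs an acceptance statement or further steps.
    if entry.residual_risk in ("Moderate", "High") and \
            not (entry.acceptance_or_next_steps or "").strip():
        problems.append("Risk Acceptance or Steps to Further Mitigate "
                        "required for Moderate/High residual risk")
    return problems


# Constructed sample entries (not real Bank data).
SAMPLE_ENTRIES = [
    RcsaEntry(
        risk_title="Spreadsheet-based reconciliation errors",
        risk_description="End-user developed tool feeds a daily settlement report.",
        likelihood="Moderate", impact="High",
        mitigation="Four-eyes review and locked formulas cover calculation "
                   "errors; stale input data is not mitigated.",
        residual_risk="Moderate",
        acceptance_or_next_steps="Migrate to a controlled application in Q3.",
    ),
    RcsaEntry(
        risk_title="Contingent worker access",
        risk_description="Contractor accounts outlive engagements.",
        likelihood="Low", impact="Low",
        mitigation="",
        residual_risk="Moderate",   # above inherent and no acceptance statement
    ),
]


def report(entries=SAMPLE_ENTRIES) -> dict:
    """Map each risk title to its list of violations."""
    return {e.risk_title: validate(e) for e in entries}


if __name__ == "__main__":
    for title, problems in report().items():
        print(f"{title}: {'OK' if not problems else '; '.join(problems)}")
```

The second sample entry fails two rules at once: its residual rating is above the inherent rating the assumed matrix derives from Low/Low, and a Moderate residual carries no acceptance statement. Replace `inherent_rating` with the Bank's actual combination matrix if it differs from the "higher of the two" assumption used here.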
Elements of Risk Reporting (Risk Events)
• Developed a policy that defines:
 – a risk event and severity levels
 – the risk event notification and escalation process
 – the risk analysis and reporting process
 – initial and final information requirements
• Every employee, regardless of rank or tenure, is responsible for ensuring that risk events are reported
• Enhances risk/control culture at all levels by engaging multiple levels of staff and management
• Serves as an input to a variety of analyses within the Bank
• No penalty for reporting a risk event
Elements of Risk Reporting (BRCM)
• Three step process:
 – Map business process, including handoffs
 – Identify and assess process risk
 – Define mitigation strategies and controls.
• Provides cross-business end-to-end view of risks and controls.
• Supports a process for accepting residual risk and provides insight into where to direct investment.
Refer to Appendix B & C for supporting artifacts.
Continuous Improvement
Continuous Improvement
• Development of Taxonomy for Processes, Risks and Controls
 – To facilitate a more robust "common language" for risk
 – To provide a means to collect meaningful, quantitative data (improve reporting)
 – To identify shared risks (and common controls) across the Bank.
• Enhancing & Streamlining the RCSA process
 – To better facilitate control function integration (e.g., Compliance, SOX)
 – Will leverage PRC taxonomy.
• Continue to invest in tools to identify and measure potential and realized risk
• Continue to improve our risk framework and governance
Appendix
Appendix A – Summarized Risk Grid (figure)
Appendix B – BRCM supporting artifact (figure)
Appendix C – BRCM supporting artifact (figure)