Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Glossary Developed by the Risk Management Standards of Practice Working Group of the Professional Risk Managers International Association Adopted by the Professional Risk Managers International Association
Version 0.X Month Year
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
2
Approval History Prepared By:
Name(s)
Email
Date
Julian Fisher
[email protected]
08/01/2014
Peer Reviewer(s)
Revision History Date
Version
Description
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
Author(s)
3
Table of Contents 1 Glossary .................................................................................................................. 5 1.1 1.2 1.3
Additional Background .................................................................................................................................... 5 Standards of Practice - Impact ........................................................................................................................ 5 Standards of Practice - Dependencies ............................................................. Error! Bookmark not defined.
2 Definitions .............................................................................................................. 9 3 Regulations ........................................................................................................... 12 3.1 3.2
Regulations Applicable to SoP 2 – KRIs for Operational Risk ........................................................................ 12 Alternative Practices to SoP 2 – KRIs for Operational Risk ........................................................................... 12
4 Recommended Reading ........................................................................................ 13
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
4
1 Glossary 1.1 Additional Background Provides additional background on the content referred to in the SOP
1.2 Standards of Practice – Impact & Dependencies This section provides descriptions of the Standards of Practice that are impact SOP 2 - Key Risk Indicators for Operational Risk
Standards of Practice 3 – Operational Risk Losses Risk Management Objective and Definition
Dependencies, or Impacts on other RMOs within universe of SoPs
SOP 3 – Operational Risk Losses RMO 3.01 Define & Maintain Operational Risk Framework The Operational Risk Framework defines the organization’s criteria for defining, building, monitoring and assessing an Operational Risk Framework
SOP 2 – KRIs (I) RMO 2.01 Define and Maintain Operational Risk Framework SOP 4 – Operational Risk Capital Modeling (D) RMO 4.0X
SOP 3 – Operational Risk Losses RMO 3.0Y Loss Event & Root Cause Analysis Investigation procedures for events that breach the organization’s materiality mandates and thresholds.
SOP 2 – KRIs (I) RMO 2.05 Identify & Investigate KRI Exceptions SOP 4 – Operational Risk Capital Modeling (I) RMO 4.0X
Standards of Practice 4 – Operational Risk Capital Modeling
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
5
Risk Management Objective and Definition
Dependencies on other RMOs within universe of SoPs
SOP 4 – Capital Modeling for Operational Risk RMO 4.0X Capital Modeling - BEICF Methodology for the integration of KRIs into the BEICF and Capital Modeling Framework.
SOP 2 – KRIs RMO 2.04 Monitor KRIs
Standards of Practice 5 – Risk Appetite Risk Management Objective and Definition
Dependencies on other RMOs within universe of SoPs
SOP 5 – Risk Appetite RMO 5.0X Define Risk Appetite Framework that defines and articulates Risk Appetite within and throughout an Organization.
SOP 2 – KRIs (D)
SOP 5 – Risk Appetite RMO 5.0Y Set/ Update Risk Appetite Methodology for setting, monitoring and updating Risk Appetite within and throughout an Organization.
SOP 2 – KRIs (D)
RMO 2.02 Define/ Select KRIs
RMO 2.04 Monitor & Reassess KRIs RMO 2.05 Identify & Investigate KRI Exceptions RMO 2.06 Notify & Escalate KRI Exceptions SOP 3 – Operational Risk Losses (I) RMO 3.0X
Standards of Practice 6 – Risk Controlled Self Assessment Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
6
Risk Management Objective and Definition
Dependencies on other RMOs within universe of SoPs
SOP 6 – Risk Controlled Self-Assessment RMO 6.0X Assessing Control Effectiveness Framework that defines, monitors and assesses control effectiveness within and throughout an Organization
SOP 2 – KRIs (D)
SOP 6 – Risk Controlled Self-Assessment RMO 6.0X Scenario Analysis Methodology for performing Scenario Analysis around events, trends and exceptions
SOP 2 – KRIs (I)
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
RMO 2.01 Define & Maintain KRI Framework
RMO 2.05 Identify & Investigate KRI Exceptions RMO 2.06 Notify & Escalate KRI Exceptions
7
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
8
2 Definitions This section contains definitions of words and terms directly associated with the SoP
Term
Definition The words “must” and “should” are used to provide guidance in the SOPs. “Must” as used in the SOPs means that PRMIA does not anticipate that the risk practitioner will have any reasonable alternative but to follow a particular course of action. In contrast, the word “should” indicates what is normally the appropriate practice for a risk practitioner. Situations may arise where the risk practitioner applies professional judgment and concludes that complying with this practice would be inappropriate, given the nature and purpose of the assignment and the principal’s needs, or that under the circumstances it would not be reasonable or practical to follow the practice. Must/ Should Failure to follow a course of action denoted by either the term “must” or “should” constitutes a deviation from the guidance of the SOP. The terms “must” and “should” are generally followed by a verb or phrase denoting action(s), such as “disclose,” “document,” “consider,” or “take into account.” For example, the phrase “should consider” is often used to suggest potential courses of action. If, after consideration, in the risk practitioner's professional judgment an action is not appropriate, the action is not required and failure to take this action is not a deviation from the guidance in the standard. The course of action described is one that would be considered reasonable and appropriate in many circumstances. May
Deviation
“May” in SOPs is often used when providing examples (for example, factors the risk practitioner may consider; methods that may be appropriate). It is not intended to indicate that a course of action is reasonable and appropriate in all circumstances, or to imply that alternative courses of action are impermissible. The act of departing from the guidance of an SOP
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
9
Known
Principal
Professional Judgment
Reasonable
Reliance
SOPs frequently refer to circumstances, factors, practices of the principal, or other items that are known to the risk practitioner. In many cases, the risk practitioner must rely upon the principal and others acting on the principal’s behalf to supply relevant information. Unless an ASOP clearly indicates otherwise, “known” means that the risk practitioner had actual knowledge of the item in question at the time the risk practitioner rendered risk management services A client or employer of the risk practitioner Risk Practitioners bring to their assignments not only highly specialized training, but also the broader knowledge and understanding that come from experience. For example, the SOPs frequently call upon risk practitioners to apply both training and experience to their professional assignments, recognizing that reasonable differences may arise when actuaries project the effect of uncertain events In many instances, the SOPs call for the risk practitioner to take “reasonable "steps, make “reasonable” inquiries, select “reasonable” assumptions or methods, or otherwise exercise professional judgment to produce a “reasonable” result when rendering risk management services. The intent is to call upon the risk practitioner to exercise the level of care and diligence that, in the risk practitioner’s professional judgment, is necessary to complete the assignment in an appropriate manner. Because the risk management practice commonly involves the estimation of uncertain events, there will often be a range of reasonable methods and assumptions, and two risk practitioners could follow a particular SOP, both using reasonable methods and assumptions, and reach different but reasonable results. Risk Practitioner frequently relies upon others for information and professional judgments that are pertinent to an assignment. Similarly, risk practitioners often rely upon others to perform some component of an actuarial analysis. Accordingly, some SOPs permit the risk practitioner to rely in good faith upon such individuals, subject to appropriate disclosure of such reliance, if required by applicable SOPs
Key Risk Indicator Key Performance Indicator Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
10
Key Control Indicator Risk Appetite
The level of aggregate risk that an organization chooses to take in pursuit of its objectives.
Risk Threshold Risk Limit
A threshold used to monitor the actual risk exposure of a specific unit or units of the organization to ensure that the level of aggregate risk remains within the risk tolerance.
Scenario Analysis Endogenous Exogenous Expected Loss Unexpected Loss Control Risk Self Assessment Risk Profile Risk Tolerance Risk Key Risk Indicator Framework Enterprise Risk Management Scenario Analysis Issue Escalation Management
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
11
3 Regulations This section details Regulations and their geographical and regulatory based areas of applicability.
3.1 Regulations Applicable to SoP 2 – KRIs for Operational Risk Regulation Name
Geographical Applicability
Regulator
Basle 2
Global
BIS governed, each country has ability to interpret and implement
3.2 Alternative Practices to SoP 2 – KRIs for Operational Risk Outlines current, or alternative, practices associated with the subject addressed by the SoP
Alternate Practice
Geographical Applicability
US Basle 2
United States of America
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
Reason for alternate prctice Federal Reserve Mandate to exclude external rating agencies for modeling – Form 939A
12
4 Recommended Reading This section details Recommended Reading around the detail contained in SoP2 – Key Risk Indicators
Dcoument Name
Description & Applicability
Emerging Best Practices in Developing Key Risk Indicators and ERM Reporting. James Lam, 2006
xxx
Operational Risk Sound Practice Guidance, Key Risk Indicators, Institute of Operational Risk, 2010 Key Risk Indicators – Their Role in Operational Risk Management and Measurement. Jonathan Davies, Mike Finlay, Tara McLenaghen, Duncan Wilson, RiskBusiness International Limited
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
13