Risk Management Standards of Practice Number 2
Key Risk Indicators in Operational Risk Management
Developed by the Risk Management Standards of Practice Working Group of the Professional Risk Managers International Association
Adopted by the Professional Risk Managers International Association
Version 0.3
July 2014
Approval History
Prepared By: Julian Fisher (Email: [email protected]; Date: 7/24/3014)
Peer Reviewer(s): Dan Roberts
Revision History
Date: 7/24/2014
Version: 0.3
Description: Draft for discussion
Author(s): Julian Fisher
Risk Management Standards of Practice Number 2 Key Risk Indicators in Operational Risk Management Version 0.x
Table of Contents
1 Transmittal Memorandum: Purpose, Scope and Effective Date
1.1 Background
1.2 Key Issues Addressed
1.3 Key Changes Made
1.4 Committees Responsible for Drafting and Accepting the SoP
2 Purpose, Scope, Effective Date
2.1 Purpose
2.2 Scope
2.3 Exposure Draft History
2.4 Effective Date
3 Risk Management Objectives addressed by Guidance
3.1 Dependencies between Risk Management Objectives (RMO)
3.2 Risk Management Objectives
3.3 Associated Standards of Practice
4 Recommended Minimum Sound Practice
4.1 RMO 2.01 Define and Maintain KRI Framework
4.2 RMO 2.02 Define / Select Key Risk Indicators
4.3 RMO 2.03 Set KRI Thresholds
4.4 RMO 2.04 Monitor & Reassess KRIs
4.5 RMO 2.05 Identify & Investigate KRI Exceptions
4.6 RMO 2.06 Notify and Escalate KRI Exceptions
5 Communications and Disclosures
5.1 Communication
5.2 Deviation from Guidance in the Standard
5.3 Glossary
6 Comments on the Exposure Draft and Responses Communication
1 Transmittal Memorandum: Purpose, Scope and Effective Date
1.1 Background
Provides background information related to the SoP which may include:
A brief synopsis on the evolution of the topic that the SoP addresses
Version history including Exposure Drafts and any PRMIA papers or SoPs that either contribute to, or have been superseded by, the current SoP
Cross-reference to the section in the PRMIA PRM Handbook that directly relates to the SoP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
A Key Risk Indicator, also known as a KRI, is a metric used by management to indicate changes in exposure to potential risk events. KRIs enable management to identify, assess and monitor Operational Risks. If a KRI identifies a potential change in exposure to potential events, then management can investigate it to determine if there is an actual cause that will result in increased experience of events, and assess this exposure based on the likelihood of the occurrence of resultant events and their severity.
KRIs are similar to Key Performance Indicators (KPIs). KPIs are metrics used by management to measure how well a business activity is being executed, as opposed to a KRI, which is an indicator of the possibility of future adverse impact. KRIs give an early warning to identify potential events that may harm continuity of the activity/project. KPIs and KRIs measure business performance and changes in risk exposure in similar ways, by comparing a value against a threshold. The same metric may actually be used as both a KPI and a KRI if it can provide meaningful inference about both performance and changes in risk exposure. The difference between a KPI and a KRI is only in the purpose that the metric is being used for.
KRIs are an important part of any Operational Risk Framework, which includes Internal and External Loss Data Collection and Analysis, Risk and Control Self Assessments, Business Process Mapping, Scenario Analysis and Capital Modeling.
Version History
N/A
Associated PRMIA PRM Handbook Chapter(s)
Section 3 – Risk Information
Chapter 2 – Key Risk Indicators
1.2 Key Issues Addressed
Provides a short introduction around the key issues that the SoP is intended to address
Illustrates the target audience that the SoP is intended for i.e. Members of The Professional Risk Managers International Association and Other Persons Interested in the SOP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
Introduction to KRIs
In order to be effective, an Operational Risk function needs to be able to translate data into thoughtful, contextual management information which facilitates risk management decision making. Key Risk Indicators (KRIs) are a key tool to aid management with this objective. KRIs are metrics used to monitor risk exposures at a particular instance, or over a period of time, serving as an early warning tool for potential changes in risk exposures. KRIs are an important element of an Operational Risk Framework because they can be trended over time and provide current exposure information, whereas other elements of the framework are less dynamic, as:
Loss data is historic
Risk assessments are infrequent and subjective
Scenario analysis is concerned with “what-if”, rather than “what-is”
KRIs, if specified intelligently and regularly reviewed, can help a firm determine where it has an elevated exposure to events in excess of its respective risk appetite. Properly selected KRIs can provide predictive information by measuring the causes of events rather than measuring the symptoms or experience of events directly (which is historical information). When implemented effectively, KRIs can be used to
Aid in the quantification of risks and identify opportunities to improve processes
Validate and enhance the risk assessment framework by linking KRIs to risk causes
Allow management to monitor exposure to adverse events before they occur
Help define and set working level risk appetite based on event frequency
Aid with scenario analysis and stress test exercises as a means to scale and benchmark internal and external data
Establish a framework for reporting business environment and internal control factors
1.3 Key Changes Made
Description of key issues related to the development, or revision, of the SoP
Contains information on changes made between versions including:
Impacts from changes in the associated Standards of Practice
Impacts from changes in regulations,
Changes in Industry best practice,
Revisions to PRMIA PRM Handbook, or,
Other
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
Version 1 – No changes made to SOP prototype. Still in discussion stage.
1.4 Committees Responsible for Drafting and Accepting the SoP
To include names of those involved in drafting and approving the SoP, including:
SoP Standards Board
SoP Working Committee
Other
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
Drafted by the SOP Prototype Working Group
Julian Fisher
Approved for discussion by the SoP Working Committee
Justin McCarthy, PRMIA
Andy Counderache, PRMIA
The exposure draft of this SoP is still under discussion but is due to be approved for exposure by October 2014, with a comment deadline of 15th November 2014. A date by which the PRMIA Steering Committee is due to adopt this standard has not yet been set.
2 Purpose, Scope, Effective Date
2.1 Purpose
Details the purpose of the SoP, along the lines of: "The SoP is designed to provide guidance to risk managers when performing professional services in respect of the [subject] of the SoP"
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
The purpose of this SoP is to provide guidance on recommended minimum sound practices around:
Utilizing the concepts of risk appetite, as detailed in SOP 5 – Risk Appetite, and link this to metrics and key risk indicators used by management in different areas of the firm
The definition for selection, measurement and monitoring of key risk indicators and what is needed to implement an effective key risk indicator framework
The mechanics for embedding best practice in operational risk management into an organization to support everyday business decisions, as well as strategic and change initiatives such as new products or markets
2.2 Scope
Outlines the scope of the SoP in terms of:
Who the SoP applies to
The level of applicability and enforceability by participant type i.e.
Mandatory for PRM holder
Minimum sound practice for risk professionals
Optional/ Guideline for those not performing services in any of the industries that PRMIA does not directly cover e.g. manufacturing, entertainment etc.
Mechanics for deviating from the SoP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
Scope
This SoP is industry agnostic and serves as guidance for risk management practitioners, management and others who are involved in the design, selection, measurement and monitoring of KRIs. KRI selection, monitoring and management are performed as part of an Operational Risk Framework. Within a typical KRI Framework, risks are identified and evaluated, risk appetites are chosen, limits are set, risks are accepted or avoided, risk mitigation activities are performed, and actions are taken when limits are breached. This SoP provides the minimum recommended standard of sound practice in the design, selection, measurement and monitoring of KRIs for:
PRMIA PRM holders
PRMIA Operational Risk Certification holders
Deviation from SoP
If the risk practitioner departs from the guidance set forth in this standard in order to comply with applicable law (statutes, regulations, and other legally binding authority), or for any other reason the risk practitioner deems appropriate, the risk practitioner should refer to Section 5.2 of this SoP.
Cross References
When this standard refers to the provisions of other documents, the reference includes the referenced documents as they may be amended or restated in the future, and any successor to them, by whatever name called. If any amended or restated document differs materially from the originally referenced document, the risk practitioner should consider the guidance in this standard to the extent it is applicable and appropriate.
2.3 Exposure Draft History
Outlines the history of the Exposure Draft including:
Date and method of promulgation of 1st Exposure Draft
Comment Period deadlines
Reference to the Appendix regarding PRMIA member comments relating to the SoP
Outcome of member comments
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
The exposure draft of this SoP is still under discussion but is due to be approved for exposure by October 2014
2.4 Effective Date
Date that the SoP and the associated version is effective
Defines retrospective impact of changes to prior SOP
Risk Management Standards of Practice Number 2- Key Risk Indicators in Operational Risk Management
Effective Date – TBD
3 Risk Management Objectives addressed by Guidance
Risk Management Objectives are observable outcomes that result from the execution of the Minimum Recommended Sound Practices encompassed within this Standard of Practice. The Recommended Minimum Sound Practices required to achieve these Risk Management Objectives are described in section 4 of this Standard of Practice.
3.1 Dependencies between Risk Management Objectives (RMO)
Risk Management Objectives within this Standard of Practice may be dependent on other Risk Management Objectives, both within this Standard of Practice, and on other Standards of Practice. The following shows the Risk Management Objectives within the scope of this Standard of Practice and its dependencies and which other Risk Management Objectives rely on its outputs.
3.2 Risk Management Objectives
This section provides descriptions of the Risk Management Objectives within the scope of the guidance of this Standard of Practice as well as descriptions of dependencies on RMOs contained within other SoPs.
Risk Management Objective and Definition
Dependencies on other RMOs
RMOs which are dependent on the RMO
SOP 2 – Key Risk Indicators RMO 2.01 Define and Maintain KRI Framework A framework is defined, implemented and maintained that articulates the objectives for the use of KRIs within the organization. The KRI Framework defines the organization’s specific criteria for the selection of KRIs, criteria for the setting of thresholds and the requirements for investigation, escalation and notification of exceptions.
SOP 3 – Operational Risk Framework
SOP 2 – KRIs RMO 2.02 Define/ Select Key Risk Indicators SOP 6 – RCSA RMO 6.0X Assessing Control Effectiveness
SOP 2 – Key Risk Indicators RMO 2.02 Define / Select Key Risk Indicators An appropriate suite of metrics are defined, selected & set that provide management with effective indicators of changes in exposure to the occurrence of events arising from key risks. Metrics are also defined and/ or selected to enable management to assess whether the organization is operating within defined risk appetite limits.
SOP 2 – KRIs
SOP 2 – Key Risk Indicators RMO 2.03 Set KRI Thresholds Thresholds are set that provide triggers to enable action to be taken in response to increases in exposure to potential events and / or to ensure that the experience of events is constrained within risk appetite tolerances.
SOP 2 – KRIs RMO 2.02 Define/ Select Key Risk Indicators SOP 5 – Risk Appetite
SOP 2 – Key Risk Indicators RMO 2.04 Monitor KRIs KRIs are monitored on an ongoing periodic basis and compared to current thresholds to identify exceptions.
SOP 2 – KRIs RMO 2.03 Set Key Risk Indicator Thresholds
SOP 2 – KRIs RMO 2.05 Identification and Investigation of KRI exceptions SOP 5 – Risk Appetite RMO 5.0Y Set/ Update Risk Appetite Levels
SOP 2 – Key Risk Indicators RMO 2.05 Identification and Investigation of KRI Exceptions Causal event of KRI threshold breach identified and investigated
SOP 2 – KRIs RMO 2.04 Monitor KRIs
SOP 2 – KRIs RMO 2.04 Set KRI Thresholds SOP 5 – Risk Appetite RMO 5.0Y Set/ Update Risk
RMO 3.01 Define & Maintain Operational Risk Framework
RMO 2.01 Define & Maintain KRI Risk Framework
SOP 2 – KRIs RMO 2.03 Set KRI Thresholds
SOP 5 – Risk Appetite RMO 5.0X Define Risk Appetite SOP 2 – KRIs RMO 2.04 Monitor Key Risk Indicators
RMO 5.0Y Set / Update Risk Appetite Levels
Risk Management Objective and Definition
Dependencies on other RMOs
RMOs which are dependent on the RMO Appetite Levels SOP 3 – Operational Risk Losses RMO 3.0X Loss Investigation and Root Cause Analysis
SOP 2 – Key Risk Indicators RMO 2.06 Notification and Escalation of KRI Exceptions Valid exceptions reported to appropriate levels of Management to ensure challenge and required action
SOP 2 – KRIs RMO 2.03 Set Key Risk Indicator Thresholds RMO 2.04 Monitor KRIs RMO 2.05 Identification and Investigation of KRI Exceptions
SOP 5 – Risk Appetite RMO 5.0Y Set/ Update Risk Appetite Levels SOP 6 – RCSA RMO 6.0Y Scenario Analysis
3.3 Associated Standards of Practice
This section provides descriptions of the Standards of Practice that are dependent on RMOs within SOP 2 - Key Risk Indicators for Operational Risk, or impact RMOs outside SoP 2.
Standards of Practice 3 – Operational Risk Losses
SoPs that are either dependent on (D) or impact (I) this SoP
Specific RMO with this SoP
SOP 3 – Operational Risk Losses RMO 3.01 Define & Maintain Operational Risk Framework (D) The Operational Risk Framework defines the organization’s criteria for defining, building, monitoring and assessing an Operational Risk Framework
RMO 2.01 Define and Maintain Operational Risk Framework
SOP 3 – Operational Risk Losses RMO 3.0Y Loss Event & Root Cause Analysis (D) Investigation procedures for events that breach the organization’s materiality mandates and thresholds.
RMO 2.05 Identify & Investigate KRI Exceptions
Standards of Practice 4 – Operational Risk Capital Modeling
SoPs that are either dependent on (D) or impact (I) this SoP
Specific RMO with this SoP
SOP 4 – Capital Modeling for Operational Risk RMO 4.0X Capital Modeling - BEICF (D) Methodology for the integration of KRIs into the BEICF and Capital Modeling Framework.
RMO 2.04 Monitor KRIs
Standards of Practice 5 – Risk Appetite
SoPs that are either dependent on (D) or impact (I) this SoP
Specific RMO with this SoP
SOP 5 – Risk Appetite (I) RMO 5.0X Define Risk Appetite Framework that defines and articulates Risk Appetite within and throughout an Organization.
RMO 2.02 Define/ Select KRIs
SOP 5 – Risk Appetite (I) RMO 5.0Y Set/ Update Risk Appetite Methodology for setting, monitoring and updating Risk Appetite within and throughout an Organization.
RMO 2.04 Monitor & Reassess KRIs RMO 2.05 Identify & Investigate KRI Exceptions RMO 2.06 Notify & Escalate KRI Exceptions
Standards of Practice 6 – Risk and Control Self Assessment
SoPs that are either dependent on (D) or impact (I) this SoP
Specific RMO with this SoP
SOP 6 – Risk and Control Self-Assessment RMO 6.0X Assessing Control Effectiveness (I) Framework that defines, monitors and assesses control effectiveness within and throughout an Organization
RMO 2.01 Define & Maintain KRI Framework
SOP 6 – Risk Controlled Self-Assessment RMO 6.0X Scenario Analysis (I) Methodology for performing Scenario Analysis around events, trends and exceptions
RMO 2.05 Identify & Investigate KRI Exceptions
RMO 2.06 Notify & Escalate KRI Exceptions
4 Recommended Minimum Sound Practice
This section documents the recommended minimum sound practice to achieve each of the Risk Management Objectives within the scope of this Standard of Practice. The guidance is documented as a series of Risk Management Practices (RMP) for each Risk Management Objective.
4.1 RMO 2.01 Define and Maintain KRI Framework
Description
A framework is defined, implemented and maintained that articulates the objectives for the use of KRIs within the organization. The KRI Framework defines the organization’s specific criteria for the selection of KRIs, criteria for the setting of thresholds and the requirements for investigation, escalation and notification of exceptions.
Dependencies, or impacts, on other Risk Management Objectives
SOP 5 – Risk Appetite, RMO 5.0X Define Risk Appetite (D)
SOP 6, RCSA, RMO 6.0x Assessing Control Effectiveness (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.01.01 KRI Program
Management should publish a framework that articulates the organization’s specific objectives and minimum mandatory requirements to achieve these objectives, for the use of KRIs across the organization.
RMP 2.01.02 KRI Framework
In order for KRIs to be an effective tool for Operational Risk Management, they should be deployed as an integral part of the overall Operational Risk Framework of the organization. The process of defining the objectives and requirements within the KRI framework should consider how the outcomes of the use of KRIs will be used by other parts of the Operational Risk Framework and how the KRI framework will place reliance on the outcomes of other components of the Operational Risk Framework.
RMP 2.01.03 KRI Framework Maturity Level
The level of sophistication regarding the objectives, processes, automation and number of KRIs used should be defined at a level that is commensurate with the current maturity of the organization. Although a more sophisticated KRI framework may result in more effective Risk Management outcomes, introducing a sophisticated KRI methodology to a less mature organization may, in practice, lead to less satisfactory results.
RMP 2.01.04 Sub-Unit Organization KRI Framework
The overall KRI framework should articulate minimum mandatory requirements for the design and use of KRIs across the organization. Sub-units (e.g. divisions within an organization) should be able to articulate their own specific requirements for selection of KRIs and associated framework requirements, that are appropriate for their specific operating requirements. Cost-Benefit analysis should be undertaken prior to creating such KRIs and their associated frameworks. These KRIs should enable comparisons with equivalent metrics used by other units and allow for aggregation across the enterprise where appropriate.
RMP 2.01.05 KRI Framework Minimum requirements
The KRI framework should specify the following:
Minimum data requirements for defining a KRI and recording the results of monitoring a KRI.
Responsibilities for defining and implementing KRIs.
Criteria for selecting effective KRIs.
Requirements for aggregation of the outputs from KRI monitoring.
Requirements for the setting of thresholds for KRIs.
Requirements for the investigation of KRI exceptions.
Requirements for the notification and escalation of KRI exceptions.
Requirements for review and challenge of the selection of KRIs and thresholds and the results of KRI monitoring by the Independent Risk Function.
RMP 2.01.06 KRI continual improvement
Once the initial KRI Framework has been developed and adopted, it should be continually monitored and refined.
4.2 RMO 2.02 Define / Select Key Risk Indicators
Description
An appropriate suite of metrics are defined, selected and set that provide management with effective indicators of changes in exposure to the occurrence of events arising from key risks. Metrics are also defined and / or selected to enable management to assess whether the organization is operating within risk appetite limits.
Dependencies, or impacts, on other Risk Management Objectives
SOP 5 – Risk Appetite, RMO 5.0X Define Risk Appetite (D)
RMO 2.01 Define and Maintain KRI Framework (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.02.01 KRI Purpose
KRIs should be selected to address two key purposes:
To provide management with forward-looking indicators of the organization’s exposure to potential events arising from key risks to enable management to take proactive preventative or mitigative actions; and / or
To provide management with measures of the experience (i.e. frequency and / or severity) to specific types of events in order to enable management to assess if the experience of events is within the tolerances defined within the organization’s risk appetite statement.
RMP 2.02.02 Selection of KRIs to Monitor Changes in Cause not Events
In order to be effective, forward-looking KRIs should be selected to monitor changes in exposure to the causes of events, rather than attempt to correlate to the experience of events directly. Management should take action to reduce, avoid or mitigate the organization’s exposure to the experience of events through management of their causes. Causes of events that are measured by KRIs may be either exogenous or endogenous, however, the way that they are defined, managed and monitored within a KRI framework are the same.
RMP 2.02.03 KRI Selection
KRIs should be selected via a top-down or a bottom-up approach from either a set of existing KRIs or by narrowing down a list of potential KRIs that fulfill the criteria in RMO 2.02.01, .02 and .04
RMP 2.02.04 Properties of Effective KRIs
To be effective, KRIs must possess the following properties:
Relevant: Either be forward looking, causally-aligned indicators used in measuring increases in exposure to events; or measures of the experience of specific types of events that enable compliance with associated risk appetite tolerances
Quantitative: Capable of being captured quantitatively e.g. count, amount, duration, etc. If KRIs capture subjective assessments (i.e. management assessments of staff morale) then these should be objectively transmuted into quantitative scales and values
Actionable: Defined so that the nature of remedial action (if required) is clearly understood. Subject to being:
Consistent and Comparable: KRIs must be capable of being benchmarked between business lines, geographies and /or activities
Efficient and Repeatable: KRIs must be selected, designed and implemented so that they produce returns in excess of the cost needed to collect them
Auditable: KRIs must be produced from transparent data sources and include any actions performed converting the data into information (including aggregation formulae, weightings, scalars) and must be capable of being repeated at any point in time
In practice, it will often not be possible to select measures that satisfy all of the above. In these instances KRIs should be selected that best optimize the achievement of the above in a manner that is appropriate for the current maturity of the Risk Framework of the organization.
RMP 2.02.05 KRI key data attributes
Specifications of KRIs should include the following minimum data requirements:
Definition: Narrative description of the metric
Formula: Attributes captured for calculating the measure and rules for how they should be combined to calculate a value for the measure.
Value Format: e.g. decimal, count, percentage, duration, rating scale, monetary amount, ratio
Frequency of Collection: e.g. Hourly, daily, monthly, quarterly etc.
Frequency of Reporting: e.g. Hourly, daily, monthly, quarterly etc.
Data Source
Goal Direction: i.e. where there is an exception, if the metric value is higher or lower than the threshold value.
Threshold value: Current value for threshold
KRI Owner: Individual or (sub-) organization responsible for designing & selecting the KRI.
Associated Risk: Description, or identifier, of the risk that is being monitored
Associated Control: Description, or identifier, of the control associated with the KRI.
Effective Date of KRI
Valid Until Date of the KRI
RMP 2.02.06 KRI Automation
Management should assess the benefits and costs of manual vs. automated data capture
RMP 2.02.07 KRI Capture vs. Reporting Freq.
When evaluating the economics of data capture management should balance the needs between the frequency of data capture versus that of information reporting
RMP 2.02.08 KRI Back Test
KRIs, once selected, should be subject to review and back-tested against the actual experience of events to determine their effectiveness.
RMP 2.02.09 New Business or Products
A process to incorporate new KRIs as they relate to new products or types of business should be developed and implemented. New Business and Product reviews should identify key risks resulting from the introduction of new businesses and new products and the requirement for key controls to mitigate these risks. Plans for implementation of these key controls should include implementation of Key Control Indicators (KCIs) to measure the effectiveness of these controls. These KCIs, once implemented, can be used as KRIs to measure changes in exposure to the associated risks.
4.3 RMO 2.03 Set KRI Thresholds
Description
Thresholds are set that provide triggers to enable action to be taken in response to increases in exposure to potential events and / or to ensure that the experience of events is constrained within risk appetite tolerances.
Dependencies, or impacts, on other Risk Management Objectives
RMO 2.02 Define / Select Key Risk Indicators (D)
SOP 5 – Risk Appetite, RMO 5.0Y Set / Update Risk Appetite Levels (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.03.01 Set KRI Thresholds
Thresholds should apply to each KRI, with breaches acting as a trigger for management escalation steps. Thresholds should be objectively set at a level where exposure to a loss event is in excess of, or below, the associated risk appetite.
4.4 RMO 2.04 Monitor & Reassess KRIs
Description
KRIs are monitored on an ongoing periodic basis and compared to current thresholds to identify exceptions.
Dependencies, or impacts, on other Risk Management Objectives
RMO 2.02 Define / Select Key Risk Indicators
RMO 2.03 Set KRI Thresholds
Practice ID
Recommended Minimum Sound Practice
RMP 2.04.01 Monitor KRIs
Once the initial KRI Framework has been developed and adopted, KRIs should be continually monitored to assess their effectiveness.
RMP 2.04.02 Reassess KRI Thresholds
KRI thresholds should be continually refined so that the lower and upper bounds capture events or trends that can serve as a predictive indicator for management.
RMP 2.04.03 Reassess Applicability of KRIs
KRI thresholds should be continually monitored to determine if they are achieving management objectives in terms of tracking to risk appetite, management actions and associated decisions.
4.5 RMO 2.05 Identify & Investigate KRI Exceptions
Description
Causal event identified and investigated
Dependencies, or impacts, on other Risk Management Objectives
RMO 2.04 Monitor KRIs (D)
SOP 3 – Operational Risk Losses, RMO 3.0X Loss Event Investigation & Root Cause Analysis (D)
SOP 5 – Risk Appetite, RMO 5.0Y Set / Update Risk Appetite Level (D)
SOP 6 – RCSA, RMO 6.0Y Scenario Analysis (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.05.01 Exception Identification
If the value for a KRI passes either above or below the threshold band, then a KRI exception should be identified.
RMP 2.05.02 Exception Investigation
After an exception has been identified, the KRI Owner should investigate the reason for the exception. The KRI Owner should determine if the exception is the result of an actual instance of cause that exceeds a predefined tolerance.
RMP 2.05.03 False Flags
If the exception is a “false flag” where inappropriate thresholds or KRIs have been set or selected, then Management should reassess KRI and threshold selection and limit criteria & act accordingly as dictated by SOP 5, Risk Appetite.
RMP 2.05.04 Material Exception
If the exception is material, as defined by the size, frequency or nature of deviation from associated thresholds, then a detailed investigation of the cause of the breach should be carried out as dictated by SOP 3 – Operational Risk Losses, RMO 3.0X Loss Investigation and Root Cause Analysis. It may also require inclusion in Scenario Analysis as dictated by SOP 6 – RCSA, Scenario Analysis.
4.6 RMO 2.06 Notify and Escalate KRI Exceptions
Description
Valid exceptions reported to appropriate levels of management to ensure challenge and required action
Dependencies, or impacts, on other Risk Management Objectives
RMO 2.05 Identification and Investigation of KRI Exceptions
SOP 5 – Risk Appetite, RMO 5.0Y Set / Update Risk Appetite Level (D)
Practice ID
Recommended Minimum Sound Practice
RMP 2.06.01 Exception Management Program
An exception management program must be designed, documented and implemented, detailing the course of action to be taken when predefined KRI thresholds are breached.
RMP 2.06.02 Notification of Breach
If, after investigation, the exception is determined to be valid, it must be reported to the KRI owner within the timeframe agreed upon within the KRI Framework.
RMP 2.06.03 Severe Breach Escalation
If the breach is severe, as defined per the KRI Framework, the KRI Owner and the appropriate level of senior management must be notified as soon as the breach has been identified, rather than after a detailed event investigation has been carried out.
5 Communications and Disclosures
5.1 Communication
Details the communication flow, both internal and external, for the organization for which the risk manager is providing services or duties, and how the associated disclosures pertinent to the subject of the SoP or associated SoPs are to be handled.
Detail any applicable limitations to the need for public or internal disclosure. The risk manager should consider the intended purpose or use of the SoP, including:
Inconsistencies between the organization’s financial size, risk profile, and risk environment, and the maturity, level of depth, spend and XXX adopted by the organization under the SoP, i.e. if an organization is a SIFI yet the environment is not as would be expected for an organization of its complexity
Deviation from Guidance in the Standard – See Section 5.2
Any significant assumptions used in implementing the SoP including, but not limited to:
Anticipated future actions by management to manage or mitigate risks identified by the risk manager
Other related areas (pre-requisites and dependents) covered either by other SoPs or outside the scope of the risk manager’s purview, for which the risk manager has to rely on management to carry out pre-requisites
5.2 Deviation from Guidance in the Standard
If the risk manager departs from the guidance set forth in this standard, the risk manager should include the following applicable disclosure stating:
If any material assumption or method was prescribed by applicable law (statutes, regulations, and other legally binding authority);
If the risk manager disclaims responsibility for any material assumption or method in any situation not covered under the section above; and
If the risk manager otherwise deviated materially from the guidance of this SoP
Specific references within PRMIA’s Code of Conduct that they are being asked to breach
5.3 Glossary
The Glossary is provided for informational purposes, but is not part of the standard of practice
Provides additional background on the content referred to in the SOP
Outlines current, or alternative, practices associated with the subject addressed by the SoP
Summary of all comments raised by PRMIA members in the SOP development process and their disposition by the drafting committee
6 Comments on the Exposure Draft and Responses
Communication
The first exposure draft of this SOP, Key Risk Indicators in Operational Risk Management, was issued in August 2014 with a comment deadline of November, 2014. XXX comment letters were received, some of which were submitted on behalf of multiple commentators, such as by firms or committees. For purposes of this section, the term “commentator” may refer to more than one person associated with a particular comment letter. The SoP Management Committee carefully considered all comments received, and the PRMIA Board reviewed (and modified, where appropriate) the changes proposed by the Management Committee.
Summarized below are the significant issues and questions contained in the comment letters and the responses.
Transmittal Memorandum
Comment
Response
Practice ID
General Comments
Comment Response