
People paid in millions don't listen to those paid in thousands

Risk consultant

Workshop on Operational Risk Management

Commercial Bank of Ethiopia Risk Management Sub-Process November, 2011

Workshop on Operational Risk Management

Outline
I. The purpose of the workshop
II. The three lines of defense
   a. Roles of the 1st line of defense
   b. Roles of the 2nd line of defense
   c. Roles of the 3rd line of defense
III. Understanding risk management
IV. Operational risk management
   a. Elements of operational risk
   b. Factors contributing to operational risks
   c. Tools for operational risk identification and assessment
V. Risk management process
   a. Risk identification
   b. Risk assessment
   c. Controlling
   d. Monitoring and reviews
VI. Risk response
VII. Reporting
VIII. An effective internal control system

I. The purpose of the workshop


The workshop aims at creating awareness of, and the necessary attitude towards, operational risk management.

- This workshop approaches the issue of operational risk from its definition and its likely manifestation.
- The need to understand operational risk management and the lines of defense the Bank uses, in order to create an enabling organisational culture and to place high priority on effective risk management, specifically operational risk management and its implementation.
- The basics of the operational risk management cycle.
- Roles and responsibilities of each process in managing operational risk.
- Introducing tools for identifying and assessing operational risk.
- A typical outline of the organisational set-up in the Bank for managing operational risks, together with the roles and responsibilities of the Board, Senior Management and other organs of the Bank.
- Familiarizing participants with the policies and procedures of the RCMP, specifically operational risk management, which outline all aspects of the Bank's Operational Risk Management Framework and enable the Bank to conduct its business activities in a consistent and controlled manner.

II. Risk management (highlights)


What is risk?
- The possibility of an event occurring that will have an impact on the achievement of the objective.

Risk management:
- covers all the processes involved in identifying, assessing and judging the full range of risks, assigning ownership, taking actions to mitigate or anticipate them, and monitoring and reviewing progress;
- is a methodical, systematic and enterprise-wide process that is central to an organization's strategic direction and management, whereby business uncertainties are rationally addressed.

Risk management (highlights), continued


Three types of risks:
- The risks we take
- The risks we face
- The risks we make

Risk management (highlights), continued


Levels of risk management:
- Overall corporate risk management (enterprise risk management)
- Systematic risk management process (risk management cycle)
- Specific risk management programs (e.g. financial, project, etc.)
- Particular risk-based operational actions, decisions and decision-making mechanisms (embedded ones)

Risk management (highlights), continued


Elements of an Enterprise Risk Management System:
- Risk management strategy
- Risk strategy (appetite)
- Sensible and business-focused approach
- Overall framework and management system
- Specific risk management programs
- Risk management cycle
- Supporting infrastructure
- Clearly defined responsibilities and organizational structure
- Commitment at all levels
- Clearly defined terms

Elements of an Enterprise Risk Management System (continued)


- Underpinning principles and values (principles-based?), e.g. accountability, transparency
- Reliable information and effective communication
- Risk register and reports
- Integration within the business
- Continuous monitoring (of risks and of risk management) and improvement
- Implementation and development plans
- Guidance and procedures
- Independent review, assurance and challenge
- Oversight

Risk management (highlights), continued


The Risk Management Process (Cycle)
- Recognizing risk as an issue
- Understanding the organization/operation and its context
- Confirming objectives
- Identifying specific risks
- Assessing likelihood and impact (both inherent and residual)
- Deciding how to deal with the risks
- Implementing risk acceptance or mitigation measures (the 4 Ts)
- Monitoring success
- Recording
- Reporting
- Reviewing, learning and improving

Risk management (highlights), continued


Phases of Risk Management
- Recognition of need (How do you sell it? Is it still a problem?)
- Development and design (Use an accepted model?)
- Introduction (Pilot?)
- Operation (It won't always work)
- Administration and management (Don't let it become a number-crunching exercise, an annual chore and a costly bureaucratic nightmare)
- Maintenance (WHY doesn't it always work?)
- Adaptation, further development and improvement (Things change; it won't be perfect and needs to be refined and extended)

Risk management (highlights), continued


Risk management benefits:
- Earlier exploitation of business opportunities
- Increased market capitalization
- Increased likelihood of achieving business objectives
- More effective use of management time
- Lower cost of capital
- Fewer unforeseen threats (no surprises)
- More effective management of change
- Clearer strategy setting

The questions to be asked


- What do we do at present?
- What risks do we accept, and why?
- Is this right and consistent with our risk appetite? Do we have the appetite?
- How good are the defenses against unwanted risk? Can we prove it?
- What are the reasons for the residual risks? How tolerable are such risks?
- What is our overall exposure?
- Do rewards outbalance risks? Are we sure?
- What do we do next?

III. The three lines of defense


The general operational risk management roles and responsibilities are defined along the three lines of defense as follows:

1st Line of Defense: All Processes of the Bank are responsible for managing operational risks within their respective domain.

2nd Line of Defense: The RCMP is responsible for overseeing and ensuring that operational risks are managed in line with the requirements set in the ORM framework.

3rd Line of Defense: The Internal Audit Process shall be responsible for providing independent assurance to the BoDs as to the proper management of operational risks.

IV. What is operational risk?


Definition: There is no uniform definition of operational risk, but according to the Basel II framework and the Bank's operational risk management framework it can be defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The Objectives of Operational Risk Management


The specific objectives in managing operational risk will differ between organizations but will most commonly include one or more of the following:
- reducing avoidable losses
- reducing insurance costs
- protecting and enhancing reputation
- protecting and improving credit rating (NBE rating)
- improving risk and control culture
- improving awareness, objectivity, transparency and accountability of risk
- improving the efficiency and effectiveness of controls and processes
- providing greater levels of assurance to management
- assisting management in meeting external requirements
- identifying opportunities relating to risk

V. Understanding operational risk: the need to understand

- Operational risk exists as long as the bank exists;
- It is not organized: often scattered and uncoordinated in most institutions, leaving important risks unmanaged or unmonitored;
- Lack of an (agreed) operational risk management framework (but one has now been developed);
- No central overview and a lack of 1st-echelon management information about operational risk exposures and changes in their levels, leading to surprises;
- Lack of cost-benefit trade-offs, leading to too many or the wrong controls for certain risks, or the contrary;
- No news (good news).

V. Understanding operational risk: the need to understand (continued)

- Therefore, communication flows establish a consistent operational risk management culture;
- Information flows within the organization play a key role in establishing and maintaining an effective operational risk management framework;
- Reporting flows enable monitoring of the effectiveness of the operational risk management process;
- The essential foundation for any rigorous operational risk management process is incident data collection per event type and business line: comprehensive, reasonable, verifiable, validated.

V. Understanding operational risk: operational risk is not new

- Unlike other types of risk, operational risk does not merely materialize in the form of visible and direct losses (or profit declines). When operational risk materializes, therefore, it is not always easy to identify the resulting losses, including indirect losses, in an accurate and comprehensive manner.
- It is embedded in internal processes, people and systems. Example: unclear lines of reporting or lack of a control culture; it cannot be measured like credit or market risk.
- Hidden cost: processing failures are often high frequency and low impact but hidden in processing costs; they can be the difference between poor/average and great performance.

V. Understanding operational risk: operational risk is not new (continued)

- Multiplier effect: some operational risks only materialize due to multiple control breaks. Low-frequency, high-impact events lead to underestimation in risk assessment and an exponential multiplier effect on potential/actual loss.
- The impact of the various forms of operational risk on the bank may vary in degree, i.e., some risks may have more potential for causing damage while others have less, and some may occur more frequently while others occur less frequently.
- People-driven: inertia/leniency, temptation/greed, confidence, denial, lip service. Example: ignoring warnings, or audit/RCMP reports over-

VI. Elements of operational risks


- Internal fraud
- External fraud
- Employment practices and workplace safety
- Clients, products and business practices
- Damage to physical assets
- Business disruption and system failures
- Execution, delivery and process management

VI. Elements of operational risks continued


- Highly automated technology
- Emergence of e-commerce
- Emergence of banks acting as very large-volume service providers
- Outsourcing
- Large-scale acquisitions, mergers, de-mergers and consolidations
- Engagement in risk mitigation techniques giving rise to legal risk

1. Internal Fraud

Unauthorized Activity.
Transactions not reported. Transaction type unauthorized. Mismarking of position.

Theft and Fraud.
Fraud/credit fraud/worthless deposits. Theft/extortion/embezzlement/robbery. Misappropriation of assets. Forgery. Account take-over/impersonation. Bribes/kickbacks. Insider trading. Money laundering. Willful blindness.

2.External Fraud
Systems Security.
Hacking damage. Theft of information (with monetary loss).

Theft and Fraud.


Theft/robbery. Forgery. Check kiting. Identity theft. Elder financial abuse.

3. Employment Practices and Workplace Safety


Employee Relations.
Compensation, benefit, termination issues. Organized labor issues.

Safe Environment.
General liability (slips and falls). Employee health and safety rules. Workers compensation.

Diversity and Discrimination.


All discrimination types. Harassment. Equal Employment Opportunity (EEO).

3. Clients, Products and Business Practices


Suitability, Disclosure and Fiduciary.
Fiduciary breaches/guideline violations. Suitability/disclosure issues. Retail consumer disclosure violations. Breach of privacy. Aggressive sales. Inadequate product offerings. Account churning. Misuse of confidential information. Lender liability.

3. Clients, Products and Business Practices (CONTINUED)


Improper Business or Market Practices .
Antitrust. Improper trade/market practice. Market manipulation. Insider trading (on firms account). Unlicensed activity. Money laundering.

3. Clients, Products and Business Practices (CONTINUED)


Selection, Sponsorship and Exposure.
Failure to investigate client per guidelines. Exceeding client exposure limits.

Advisory Activities.
Disputes over performance or advisory activities

4. Damage to Physical Assets


Disasters and Other Events.
Natural disaster losses. Human losses from external sources (terrorism, vandalism).

5. Business Disruption and System Failures


Systems.
Hardware. Software. Telecommunications. Utility outage/disruptions

6. Execution, Delivery and Process Management


Transaction Capture, Execution and Maintenance.
Miscommunication. Data entry, maintenance or loading errors. Missed deadline or responsibility. Model/system misoperation. Accounting error/entity attribution error. Other task misperformance. Record retention. Documentation maintenance. Delivery failure. Collateral management failure. Reference data maintenance

6. Execution, Delivery and Process Management (CONTINUED)


Monitoring and Reporting.
Failed mandatory reporting obligations. Inaccurate external loss (loss incurred).

Customer Intake and Documentation.



6. Execution, Delivery and Process Management (CONTINUED)


Customer/Client Account Management.
Unapproved access given to accounts. Incorrect client records (loss incurred). Negligent loss or damage of client assets.

Trade Counterparties.
Non-client counterparty misperformance.

Vendors and Suppliers.


Outsourcing. Vendor disputes.

VII. Factors Contributing to operational risks


- People risk
- Process risk
- Transaction risk
- Documentation/contract risk
- Operational control risk
- Model risk
- Systems risk
- Technology risk
- MIS risk
- Event/external risk
- Legal and regulatory risk (compliance risk)

VIII. Roles and Responsibilities


1. The BoDs/LRRC

The LRRC shall:
1. Approve the operational risk management strategy, policies and appetite of the Bank;
2. Approve the ORMF of the Bank;
3. Ensure the availability of a robust operational risk governance structure and process and the implementation of sound operational risk management principles;
4. Review significant operational risk exposures of the Bank;
5. Approve public disclosures on operational risks.

2. The Process Council


The PC shall:
1. Oversee the proper implementation of the ORMF;
2. Implement the Bank's operational risk management strategy, priorities and policies;
3. Provide sufficient human and technical resources to support effective management of operational risk;
4. Maintain an appropriate culture and set a tone conducive to effective and transparent operational risk management;
5. Eliminate gaps and overlaps in operational risk management responsibilities and authorities;
6. Ensure that appropriate remedial actions are taken whenever operational risk management breaches are identified.

2. The RCMP

The RCMP shall:
1. Spearhead the proper implementation of the ORMF;
2. Develop/review the operational risk management principles, processes and methodologies and monitor their proper application;
3. Advise processes in the implementation of the ORM framework and ensure consistency and proper implementation across all processes of the Bank;
4. Conduct enterprise-wide risk assessment and aggregate the operational risk assessment results of all processes of the Bank;
5. Aggregate the operational risk database of the Bank;
6. Ensure the appropriate reporting of deviations and breaches of thresholds to the PC/LRRC;
7. Consolidate the risk reports of the Processes of the Bank and escalate them to Management and the Board;
8. Review policies and procedures in light of the operational risk profile of the Bank;

2. The RCMP (continued..)


9. Develop the operational risk appetite, limits and thresholds;
10. Establish criteria for setting the risk analysis scope;
11. Coordinate appropriate and timely delivery of operational risk management information;
12. Organize operational risk awareness and training programs;
13. Ensure the PC/LRRC are made aware of material changes to the Bank's operational risk profile;
14. Maintain a portfolio of risk response activities and the risk database;
15. Collect and maintain an external loss database;
16. Oversee the effectiveness of operational risk communications;
17. Conduct operational risk training and awareness programs;
18. Propose capital for operational risk exposure.

3. The Internal Audit Process


The Internal Audit Process shall:
- Monitor the effectiveness of the ORMF and the risk management process;
- Provide validation/independent assurance around the KRI development process and incorporate the output into the audit plan;
- Test and provide assurance as to the effectiveness of internal controls;
- Identify corrective actions in relation to operations;
- Report its audit risk findings to the RCMP or the Audit Committee, as appropriate.

4. All Processes of the Bank


All Processes of the Bank shall:
1. Identify operational risk events/incidents (operational risk inherent in all material products, activities, processes and systems) and maintain, as appropriate, a process-level operational risk database (including an external loss database) for their respective process;
2. Conduct operational risk and control assessment of their respective process;
3. Monitor operational alignment with applicable limits and tolerances;
4. Monitor control performance and periodically test control design;
5. Document all significant operational events/incidents as well as any measures taken to alleviate the issue;
6. Conduct the required level of operational risk awareness;
7. Identify IT-related risks and evaluate the level of IT-related risks;

4. All Processes of the Bank(continued..)


8. Create the required level of risk awareness in relation to IT risk management;
9. Ensure strict adherence to the policies, procedures and standards of the Bank;
10. Monitor operational risk status against the established risk appetite;
11. Compile and report to the RCMP:
   - Risk assessment findings/results;
   - Control assessment results/findings;
   - Performance/status on KRIs;
   - Key risks with significant control weaknesses;
   - Breaches and deviations, if any.

12. Draw up action plans for:
   - Operational risk assessment and control findings; and
   - Other operational risk assessment findings.

13. Ensure compliance to the approved policies and procedures of the Bank;

4. All Processes of the Bank(continued..)


14. Ensure the adequacy of existing controls;
15. Identify operational risk events/incidents (actual loss, potential loss and near miss) and forward them to the RCMP;
16. Identify, capture and communicate pertinent information in a form and timeframe that enables staff to carry out their responsibilities;
17. Manage operational risks found within their respective domain;
18. Assess operational risks and the effectiveness of controls associated with their respective domain;

4. All Processes of the Bank(continued..)


14. Design, operate and monitor a suitable system of control;
15. Verify that internal controls and practices are in place, appropriate, operating effectively, and consistent with Bank policies, legal and contractual obligations, and regulatory requirements;
16. Manage and review operational risks associated with their respective use of IT as part of day-to-day business activity;
17. Contribute in a timely manner to the monitoring, reporting and escalation processes such that the PC is made aware of material changes to the Bank's IT-related risk profile;
19. Devise risk response options and monitor their implementation.

IX. Operational risk identification


Operational risk identification refers to the process of identifying the operational risks associated with each process of the Bank.

- Activity listing: identifying all activities, processes and products of a Process that are susceptible to operational risk.
- Review risk lists and lessons learned: a great deal can be learned from reviewing risk databases from similar tasks, talking to process owners about risk management activities in their areas, and reading case studies that identify risks to services or processes.
- Continual identification: identification happens as often as changes are able to affect any process's infrastructure/activities, which is to say, identification happens every day.
- Discussions: a powerful way to expose assumptions and differing viewpoints. The ultimate goal of the identification discussion is to improve the organization's risk management capability.
- Cause and effect matrix: an effective solution, and one that has benefits later in the process, is to subdivide all of the possible conditions into a table with one row for each of the four causes of risk and one column for each of the four types of downstream effect.
- Risk statement form: role or function, related service, context, related risks and dependencies among risks.

IX. Operational risk identification(continued)


- Risk incident reporting: any risk event (loss, near miss or potential loss) shall be reported, as it happens, to the respective Process owner and to the RCMP at the same time. The identified events shall be analyzed and registered in the respective risk event register of the Bank.
- Incident and loss data collection: within the RCMP, an incident and loss data collection process is in place to collect, assess and monitor operational losses or potential losses, to define the allocation of resources and to assess the losses due to operational risks. Internal loss events may be viewed as actual loss, potential loss and near miss events experienced by an organisation:
   - Actual loss: an incident that has resulted in a negative financial impact for the business;
   - Potential loss: an incident that has been discovered that may or may not ultimately result in a financial loss; and
   - Near miss: an incident discovered through means other than standard operating practices, and through good fortune or focused management action, which has resulted in nil or a positive financial impact (it should be noted that a near miss could potentially result in a financial gain).
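The classification above, together with the "Net Loss (Act. loss - Rec. amt)" field of the incident reporting format later in this deck and the per-event-type, per-business-line collection mentioned under "the need to understand", can be turned into a small loss-data routine. The following Python is an added example written for this workshop summary; it is not the Bank's or the RCMP's own tool. The record layout (`Incident`), the validation rules, the classification order (actual loss first, then potential loss, otherwise near miss) and the sample figures in Birr are all assumptions constructed here; the seven event types are the ones listed in the deck.

```python
"""Added example: classify internal loss events as actual loss, potential loss
or near miss, validate the record, compute net loss (actual loss minus
recovered amount) and aggregate per event type and business line.
Record layout, rules and sample figures are constructed, not the Bank's data."""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple

# The seven operational risk event types listed in the deck.
EVENT_TYPES = (
    "Internal fraud",
    "External fraud",
    "Employment practices and workplace safety",
    "Clients, products and business practices",
    "Damage to physical assets",
    "Business disruption and system failures",
    "Execution, delivery and process management",
)


@dataclass
class Incident:
    incident_id: str
    business_line: str
    event_type: str
    actual_loss: float = 0.0      # Birr, negative financial impact already incurred
    potential_loss: float = 0.0   # Birr, exposure that may or may not turn into a loss
    recovered: float = 0.0        # Birr, amount recovered so far


def validate(inc: Incident) -> List[str]:
    """Return the reasons a record is not reasonable/verifiable; empty means it passes."""
    problems = []
    if inc.event_type not in EVENT_TYPES:
        problems.append(f"{inc.incident_id}: unknown event type '{inc.event_type}'")
    for name in ("actual_loss", "potential_loss", "recovered"):
        if getattr(inc, name) < 0:
            problems.append(f"{inc.incident_id}: {name} is negative")
    if inc.recovered > inc.actual_loss:
        problems.append(f"{inc.incident_id}: recovered amount exceeds actual loss")
    return problems


def net_loss(inc: Incident) -> float:
    """Net loss = actual loss - recovered amount (the reporting format's 'Net Loss')."""
    return inc.actual_loss - inc.recovered


def classify(inc: Incident) -> str:
    """Actual loss if money was lost, potential loss if an exposure is still open,
    otherwise a near miss (nil or positive financial impact)."""
    if inc.actual_loss > 0:
        return "Actual loss"
    if inc.potential_loss > 0:
        return "Potential loss"
    return "Near miss"


def aggregate(incidents: List[Incident]) -> Dict[Tuple[str, str], Dict[str, float]]:
    """Totals per (event type, business line); rejects records that fail validation."""
    totals = defaultdict(lambda: {"events": 0, "actual_loss": 0.0, "recovered": 0.0,
                                  "net_loss": 0.0, "potential_loss": 0.0, "near_misses": 0})
    for inc in incidents:
        problems = validate(inc)
        if problems:
            raise ValueError("; ".join(problems))
        bucket = totals[(inc.event_type, inc.business_line)]
        bucket["events"] += 1
        bucket["actual_loss"] += inc.actual_loss
        bucket["recovered"] += inc.recovered
        bucket["net_loss"] += net_loss(inc)
        bucket["potential_loss"] += inc.potential_loss
        if classify(inc) == "Near miss":
            bucket["near_misses"] += 1
    return dict(totals)


# Constructed sample incidents (illustrative figures in Birr).
SAMPLE_INCIDENTS = [
    Incident("INC-01", "Retail banking", "External fraud", actual_loss=50000, recovered=20000),
    Incident("INC-02", "Retail banking", "External fraud", potential_loss=15000),
    Incident("INC-03", "Treasury", "Execution, delivery and process management"),
    Incident("INC-04", "Retail banking", "Execution, delivery and process management",
             actual_loss=8000, recovered=8000),
]


if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc.incident_id, classify(inc), "net loss", net_loss(inc))
    for key, figures in aggregate(SAMPLE_INCIDENTS).items():
        print(key, figures)
```

INC-04 shows why the gross and recovered amounts are kept separately: a fully recovered incident still counts as an actual loss event in the register even though its net loss is zero, which is the kind of record that disappears if only net figures are collected.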

Incident assessment sheet


Incident narration | Possible cause | Possible impact | Existing control | Adequacy of control | Level of risk | Required further preventive action

Failure history log sheet


S. No | Event (incident) ID | Particulars/details of the event | Details of the adverse event | Asset affected (failed) | Cause | Details of damage, loss and/or disruption | Actions taken to reverse the situation | Duration of disruption (if any) | Remark

Risk Impact Analysis Format


Risk No. | Risk Summary | Risk Impact | Risk Impact Rating

X. Operational risk assessment


Operational risk assessment shall refer to the process of assessing the likely frequency and severity of the identified risks.

Likelihood and Impact Analysis
To assess the likelihood and impact of the identified risks:
o the identified risks shall be prioritized and considered against the existing controls;
o the residual risk shall be identified after existing controls (preventive and detective) have been applied to the inherent risks;
o the impact/likelihood analysis shall be applied to the residual risk;
o based on the result of the assessment, risks have to be prioritized and significant risks have to be identified accordingly.

Risk Assessment Matrixes


Risk No. | Threat | Vulnerability | Risk | Risk Summary | Risk Likelihood Rating | Risk Impact Rating | Overall Risk Rating | Analysis of Relevant Controls and Other Factors | Recommendations

X. Operational risk assessment (continued)

- Likelihood analysis
- Impact/magnitude analysis
- Risk level determination
- Actions
- Assigning risk owner
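The assessment steps above (inherent likelihood and impact, existing preventive and detective controls applied to reach the residual risk, overall rating, risk level determination, prioritization and owner assignment) and the tolerance-threshold check from the monitoring section can be carried through in code. The following Python register is an added example written for this workshop summary, not the Bank's assessment matrix or tool. The 1-5 scales, the rule that an adequate preventive control lowers likelihood while an adequate detective control lowers impact, overall rating = likelihood × impact, the level bands and the tolerance threshold are all assumptions, because the slides do not give the rating scales.

```python
"""Added example: an operational risk register that applies existing controls
to inherent ratings, derives the residual overall rating and risk level,
prioritizes the risks and flags those outside the tolerance threshold.
Scales, control effects, level bands and threshold are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Assumed bands for the overall (residual) rating, likelihood x impact on 1..5 scales.
LEVEL_BANDS = [(1, 4, "Low"), (5, 9, "Medium"), (10, 16, "High"), (17, 25, "Critical")]

# Assumed tolerance threshold: ratings above it need detailed examination and escalation.
TOLERANCE_THRESHOLD = 9


@dataclass
class Control:
    name: str
    kind: str            # "preventive" (reduces likelihood) or "detective" (reduces impact)
    effect: int          # assumed reduction in rating points when the control is adequate
    adequate: bool = True


@dataclass
class Risk:
    risk_no: str
    threat: str
    vulnerability: str
    summary: str
    inherent_likelihood: int    # 1 (rare) .. 5 (almost certain)
    inherent_impact: int        # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)
    owner: str = ""


def clamp(rating: int) -> int:
    """Keep a rating on the assumed 1..5 scale."""
    return max(1, min(5, rating))


def residual_ratings(risk: Risk) -> Tuple[int, int]:
    """Apply existing controls to the inherent ratings; an inadequate control earns no credit."""
    likelihood, impact = risk.inherent_likelihood, risk.inherent_impact
    for control in risk.controls:
        if not control.adequate:
            continue
        if control.kind == "preventive":
            likelihood -= control.effect
        elif control.kind == "detective":
            impact -= control.effect
        else:
            raise ValueError(f"unknown control kind: {control.kind}")
    return clamp(likelihood), clamp(impact)


def risk_level(overall: int) -> str:
    """Risk level determination from the assumed bands."""
    for low, high, label in LEVEL_BANDS:
        if low <= overall <= high:
            return label
    raise ValueError(f"overall rating out of range: {overall}")


def assess(register: List[Risk]) -> List[Dict]:
    """Build the assessment matrix rows, highest residual rating first."""
    rows = []
    for risk in register:
        likelihood, impact = residual_ratings(risk)
        overall = likelihood * impact
        rows.append({
            "risk_no": risk.risk_no,
            "summary": risk.summary,
            "inherent_rating": risk.inherent_likelihood * risk.inherent_impact,
            "residual_likelihood": likelihood,
            "residual_impact": impact,
            "overall_rating": overall,
            "level": risk_level(overall),
            "outside_tolerance": overall > TOLERANCE_THRESHOLD,
            "owner": risk.owner or "UNASSIGNED",
        })
    rows.sort(key=lambda row: (-row["overall_rating"], row["risk_no"]))
    return rows


def escalations(rows: List[Dict]) -> List[str]:
    """Risk numbers whose residual rating is outside the tolerance threshold."""
    return [row["risk_no"] for row in rows if row["outside_tolerance"]]


# Constructed sample register (illustrative values, not the Bank's data).
SAMPLE_REGISTER = [
    Risk("OR-001", "Internal fraud", "One officer can both post and approve a transfer",
         "Unauthorized transaction by staff", 4, 5,
         [Control("Maker-checker on transfers", "preventive", 2),
          Control("Daily reconciliation", "detective", 1)],
         owner="Branch operations"),
    Risk("OR-002", "System failure", "Core banking server without tested failover",
         "Business disruption from hardware outage", 3, 5,
         [Control("Standby server", "preventive", 1, adequate=False),
          Control("Service monitoring and alerting", "detective", 1)],
         owner="IT process"),
    Risk("OR-003", "Execution error", "Manual entry of loan terms",
         "Data entry error in loan booking", 4, 2,
         [Control("Input validation on loan booking screen", "preventive", 1)]),
]


if __name__ == "__main__":
    for row in assess(SAMPLE_REGISTER):
        flag = "ESCALATE" if row["outside_tolerance"] else ""
        print(f'{row["risk_no"]} {row["level"]:<8} overall={row["overall_rating"]:>2} '
              f'(inherent {row["inherent_rating"]}) owner={row["owner"]} {flag}')
```

Two details matter for the deck's points: OR-002's untested standby server is recorded but earns no credit, so the residual rating stays above tolerance and the risk is escalated, and OR-003 surfaces with an UNASSIGNED owner, which is the "assigning risk owner" step left undone.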

XI. Monitoring of Operational Risk


Monitoring is continual checking, supervising, critically observing or determining the status in order to identify change from the performance level required or expected; it can be applied to a risk management framework, the risk management process, the risk itself or the control. To effectively monitor operational risks, processes shall:
o ensure that the appropriate organ or individuals accept accountability for operating within their individual and portfolio tolerance levels;
o periodically test control design and operating effectiveness;
o ensure that there is a detailed examination of areas of residual risk outside of tolerance thresholds (e.g., request risk analysis).

XII. An effective internal control system


The process designed, implemented and maintained by those charged with governance, management and other personnel, to provide reasonable assurance about the achievement of an entity's objectives with regard to: (a) reliability of financial reporting, (b) effectiveness and efficiency of operations, (c) safeguarding of assets, and (d) compliance with applicable laws and regulations.


XII. Controls/Mitigation of Operational Risk (continued)

The internal control process
- A sound internal control process is critical to a bank's ability to meet its established goals and to maintain its financial viability.
- Internal control is the responsibility of everyone in a bank. Almost all employees produce information used in the internal control system or take other actions needed to effect control.
- All employees must recognize the need to carry out their responsibilities effectively and to communicate to the appropriate level of management any problems in operations, instances of non-compliance with the code of conduct, or other policy violations or illegal actions that are noticed.
- It is essential that all personnel within the bank understand the importance of internal control and are actively engaged in the process.

XII. Controls/Mitigation of Operational Risk (continued)

Requirements of effective internal control:
- an appropriate control structure set up, with control activities defined at every business level: top-level reviews; appropriate activity controls for different processes or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorisations; and a system of verification and reconciliation;
- areas of potential conflicts of interest should be identified, minimised, and subject to careful, independent monitoring;
- information should be reliable, timely, accessible, and provided in a consistent format;
- effective channels of communication to ensure that all staff fully understand and adhere to the policies and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel.


XII. Controls/Mitigation of Operational Risk (continued)

Audit functions
- An effective internal audit function that independently evaluates the control systems within the organisation;
- Part of the ongoing monitoring of the bank's system of internal controls and of its internal capital assessment procedure


XII. Controls/Mitigation of Operational Risk (continued)

Mitigation of risks
- For all material operational risks that have been identified, the bank should decide whether to use appropriate procedures to control and/or mitigate the risks, or to bear the risks.
- The decision to retain or self-insure a risk should be transparent within the organisation and should be consistent with the bank's overall business strategy and appetite for risk.
- For those risks that cannot be controlled, the bank should decide whether to accept/tolerate these risks, reduce the level of business activity involved, or withdraw/terminate from this activity completely.
- Risk mitigation tools or programmes can be used to reduce the exposure to, or the frequency and/or severity of, such events. However, we/banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control.

XII. Controls/Mitigation of Operational Risk ...continued


Management Responses

Tolerate
o Positively take the risk (opportunity)
o Live with the risk
o Negatively accept the risk (threat): unable to respond

Terminate
o Stop
o Don't start

Transfer
o Insure, hedge, contract out, share (but be careful with this option)

Treat
o Control likelihood, impact or both
o Through directive, preventive, detective and corrective controls

XIII. Operational risk reporting requirements


Compile and report to the RCMP:

- Risk assessment findings/results;
- Control assessment results/findings;
- Performance/status on KRIs;
- Key risks with significant control weaknesses;
- Breaches and deviations, if any.

Incident reporting format


COMMERCIAL BANK OF ETHIOPIA
RISK AND COMPLIANCE MANAGEMENT PROCESS
OPERATIONAL RISK INCIDENT REPORTING FORMAT
For the month: __________________

Header fields:
- Submission date
- Incident date
- Discovery date
- Reported by: Process | Sub process/branch | Position | Name | Telephone
- Report submitted to: Name | Telephone

Incident details:
- Incident narrative (detailed description/update)
- Cause
- Impact/Consequence
- Details of corrective/preventive action taken/to be taken
- Date of action
- Action owners

Financial impact in Birr:
- Actual loss
- Potential loss
- Recovered amount
- Recovered by
- Net Loss (Act. loss - Rec. amt)
- Remark

To be completed by ORM team only:
- Operational risk category
- Logged by (ORM officer, maker): Name | Date
- Reviewed by (ORM officer, checker): Name | Date

XIV. Tools for operational risk identification and assessment


A. Audit Findings
B. Internal Loss Data Collection and Analysis
C. External Data Collection and Analysis
D. Risk Assessments
   - Risk Self Assessment (RSA)
   - Risk Control Self Assessment (RCSA)
   - Scorecards built on RCSAs
   - Business Process Mapping
   - Risk and Performance Indicators
   - Scenario Analysis and Measurements
   - Comparative Analysis
