Operational Risk Management

The document outlines the operational risk management framework of Enat Bank. It defines operational risk and lists the risk categories including people, process, technology, relationships, systemic, and external risks. It describes the roles and responsibilities of the board of directors, board's risk and compliance committee, executive management, and risk and compliance management department in managing operational risk. The document also discusses the bank's strategies, policies, and procedures for operational risk management.

Uploaded by

arefayne wodajo

5. OPERATIONAL RISK MANAGEMENT


Enat Bank, in line with the NBE guidelines, adopts the Basel Committee's definition of operational risk, that is, the risk of loss resulting from inadequate or failed internal processes, people and systems.

5.1. OPERATIONAL RISK SCOPE


Enat Bank considers the following as part of the scope of the operational risk management exercise.

Operational Risk Category: Definition and sub-categories

People Risk: The risk of a loss intentionally or unintentionally caused by an employee (that is, employee error or employee misdeeds) or involving employees, such as in the area of employment disputes. This risk class covers internal organizational problems and losses.
• Employee Errors (general transaction errors, incorrect routing of transactions, etc.)
• Human Resource Issues (employee unavailability, hiring/firing, etc.)
• Personal Injury, Physical Injury (bodily injury, health and safety, etc.)
• Personal Injury, Non-Physical Injury (libel/defamation/slander, discrimination/harassment, etc.)
• Wrongful Acts (fraud, trading misdeeds, etc.)

Process Risk: The risks related to the execution and maintenance of transactions, and the various aspects of running a business, including products and services.
• Business Process (lack of proper due diligence, inadequate/problematic account reconciliation, etc.)
• Business Growth Risks (new product risk, etc.)
• Errors and Omissions (inadequate/problematic security, inadequate/problematic quality control, etc.)
• Specific Liabilities (employee benefits, employer, directors and officers, etc.)

Relationships: Losses arising from the relationship or contact that the Bank has with its customers, shareholders, third parties, or regulators.
• Legal/Contractual (securities law violations, legal liabilities, etc.)
• Negligence (gross negligence, general negligence, etc.)
• Sales Discrimination (lending discrimination, customer discrimination, etc.)
• Sales Related Issues (churning, sales misrepresentation, high pressure sales tactics, etc.)
• Specific Omissions (failure to pay proper fees, failure to file proper reports, etc.)

Technology: The risk of loss caused by piracy, theft, failure, breakdown or other disruption in technology, data or information. It also includes technology that fails to meet business needs.
• General Technology Problems (technology-related operational error, unauthorized use/misuse of technology, etc.)
• Hardware (equipment failure, inadequate/unavailable hardware, etc.)
• Security (hacking, firewall failure, external disruption, etc.)
• Software (computer virus, programming bug, etc.)
• Systems (system failures, system maintenance, etc.)
• Telecommunications (telephone, fax, etc.)

Systemic:
• The danger that problems in a single financial institution might spread and, in extreme situations, such contagion could disrupt the normal functioning of the entire financial system.

External: The risk of loss due to damage to physical property or assets from natural or non-natural causes. This category also includes the risk presented by actions of external parties, such as the perpetration of fraud, or, in the case of regulators, the execution of change that would alter the Bank's ability to continue operating in certain markets.
• Disasters (natural disasters, non-natural disasters, etc.)
• External Misdeeds (external fraud, external money laundering, etc.)
• Litigation/Regulation (capital control, regulatory change, legal change, etc.)

5.2. RESPONSIBLE ORGANS IN OPERATIONAL RISK MANAGEMENT

Unlike other risks, operational risk is not contained in specific risk areas. Rather, it is part and parcel of every type of risk. Thus, operational risk is the task of every performer.
5.2.1. THE BOARD OF DIRECTORS

The Board of Directors shall:

a) Approve broad business strategies and policies that govern or influence the management of operational risk;
b) Approve the Operational Risk Measurement System;
c) Ensure that the Executive Management takes the necessary measures to effectively identify, measure, analyze, control, and monitor operational risk;
d) Ensure the availability of a robust governance structure and process and the implementation of a sound Operational Risk Management function;
e) Establish clear levels of delegation within business units for the effective management of operational risk;
f) Ensure that senior management has a full understanding of the operational risk faced by the bank;
h) Effectively communicate the relevant strategies and policies to all relevant bank personnel; and
i) Periodically re-evaluate significant risk management policies as well as overall business strategies.

5.2.2. BOARD'S RISK AND COMPLIANCE COMMITTEE

The Board's Risk and Compliance Committee shall be responsible for:

a) Reviewing and recommending operational risk management strategies, policies and operational risk tolerance limits for BoD approval;
b) Reviewing and assessing the adequacy of operational risk management policies and framework in identifying, measuring, monitoring and controlling operational risk, and the extent to which these are operating effectively;
c) Ensuring that the infrastructure, resources and systems are in place for operational risk management throughout the Bank;
d) Ensuring that the staff of the Bank responsible for implementing the operational risk management system perform those duties independently of the Bank's risk-taking activities;
e) Reviewing management's periodic reports on operational risk exposure, risk management performance indicators and operational risk management activities; and
f) Ensuring that the bank is in compliance with applicable laws, rules and directives of the supervisory organ.

5.2.3. THE EXECUTIVE MANAGEMENT

The Executive Management shall:

a) Develop proper procedures and practices to manage operational risk;
b) Develop a strategy to manage operational risks;
c) Review the proper implementation of these Operational Risk Management strategic actions and the limits of the Bank, as approved by the Board of Directors;
d) Undertake the management of operational risk in accordance with the delegated authority;
e) Develop measures for the measurement, monitoring and control of operational risk;
f) Ensure that internal audit reviews the operational risk management arrangements on an on-going basis;
g) Avail sufficient resources to support effective management of operational risk;
h) Inculcate an appropriate culture and set a tone conducive to effective and transparent operational risk management;
i) Ensure that business area managers are discharging their role of maintaining, or ensuring that, appropriate operational risk control systems are in place;
j) Develop lines of communication to ensure the timely dissemination of relevant policies and other information to all individuals involved in the process;
k) Develop an effective system of reporting to the Board;
l) Define bank organs' responsibilities in managing Operational Risk, and eliminate gaps and overlaps in the operational risk management responsibilities and authorities; and
m) Ensure that appropriate mitigating mechanisms are taken whenever Operational Risk Management gaps are identified.

5.2.4. RISK AND COMPLIANCE MANAGEMENT DEPARTMENT

The Risk and Compliance Management Department shall:

a) Regularly review the policy and procedures of all organs of the Bank in light of operational risk management;
b) Develop, distribute and review operational risk identification and reporting formats;
c) Measure and report the level of operational risk to the Bank;
d) Ensure that appropriate internal controls and practices are in place and operating effectively and consistently with the Bank's policies, legal and contractual obligations, and regulatory requirements; and
e) Monitor the implementation of the actions agreed for identified operational risk findings.

5.3. STRATEGY, POLICY AND PROCEDURE OF OPERATIONAL RISK MANAGEMENT

a) There should be a clear strategy to:
i) Minimize significant losses and customer dissatisfaction due to failures in the processes;
ii) Focus on flaws in products and their design that can expose the Bank to losses due to fraud, etc.;
iii) Align business structures and incentive systems to minimize conflicts between employees and the Bank;
iv) Analyze the impact of failures in technology/systems and develop mitigations to minimize the impact; and
v) Develop plans for external shocks that can adversely impact the continuity of the Bank's operations.

b) The Bank shall have in place effective policies, processes and procedures for managing operational risk in all of the Bank's products, activities, processes and systems, and the policy and procedure shall incorporate the following:
i) Recognizing operational risk as a distinct risk category, with an approved and periodically reviewed operational risk management framework;
ii) A set of principles that apply to specific components of operational risk, such as new customer approval, new product approval, new information technology systems approval, outsourcing, business continuity planning, crisis management, and anti-money laundering;
iii) The responsibility for defining the operational risk management strategy, and for ensuring that it is aligned with the overall business objectives;
iv) Defined responsibility for implementing the operational risk management;
v) Regular reporting of pertinent information to the BoD that supports the proactive management of operational risk;
vi) Placement of contingency and business continuity plans to ensure the Bank's ability to operate on an ongoing basis and limit losses in the event of severe business disruption;
vii) Adequately measuring, monitoring and controlling operational risk;
viii) Establishing clear responsibilities and levels of authority among management staff and business units;
ix) Ensuring that the measures adopted for the management of operational risk are appropriate in light of the nature of the bank's products, services and operational culture and practices;
x) Establishing effective business continuity plans to ensure a quick and effective resumption of business following a disruption of services or activities, and accountability; and
xi) Clearly indicating the specific procedures and approvals necessary for exceptions to policies, limits and authorizations.

5.4. OPERATIONAL RISK MANAGEMENT PROCESS

Risk management is a process that comprises sequential steps: the identification, evaluation/measurement, controlling and monitoring of risks.

5.4.1. IDENTIFICATION OF OPERATIONAL RISK

As described earlier, operational risks are identified at the transaction level in a bottom-up approach, by every performer in their work area using the reporting formats; the identified incidents are directly reported to the Risk and Compliance Management Department. The bank shall:

• Have an operational risk identification system in place that considers both internal and external environmental factors;
• Review and monitor the activities of third-party service providers (outsourced activities);
• Have an effective monitoring process to ensure compliance with laws, regulations, internal policies and procedures;
• Report on fraud and losses, including the amounts involved, trends and frequency;
• Have a strong MIS for the measurement, monitoring and controlling of operational risk, which identifies relevant information and prepares reports in a timely manner;
• Maintain a record of operational risk occurrences or events.

The second way of identifying operational risk is the top-down approach, which focuses on the identification of operational risks that could emanate from the Bank's strategic and corporate objectives. In this regard, the identification process is performed by the Risk and Compliance Management Department.

In a nutshell, risks emanate from the objectives we are going to achieve (the desired outcomes). Therefore, the identification process focuses on the Bank's objectives, which can be grouped under four perspectives:
a) Financial performance;
b) Business process;
c) Customer satisfaction; and
d) Employee satisfaction.

5.4.2. MEASUREMENT OF OPERATIONAL RISK

Commercial banks need a robust risk management database in order to capture identified risks for further analysis and interpretation, and to know the risk exposure level of the Bank. Once risks have been identified, they have to be measured, so it is important to understand how the risks are measured. Risk exists at a "raw" or "inherent" level with no controls in place to manage the risk. But in most cases, where there is ongoing activity, there are already controls in place to reduce the level of the risk. It ought to be underscored that it is the risk over and above the controls in place, the "residual risk" or "mitigated risk", that we need to measure. From this, we can determine whether further controls to manage the risks are required or not.

The measurement of risk is based on the rating of each risk using two factors:
a) Impact refers to the magnitude of the effect or the result of a particular outcome when it is evaluated against the objectives of the Bank; and
b) Likelihood refers to the duration or frequency/probability of the occurrence of the risk.

Thus, operational risk measurement is based on the impact and likelihood of the risk factors. Both factors use a rating of 1 (lowest) to 5 (highest). These two scores are then multiplied together to develop an overall Risk Score. The formula can be portrayed as:

Potential Impact x Likelihood of Adverse Outcome = Risk Score

• Impact refers to the magnitude of the effect or result of the particular outcome when it is evaluated against the objectives of the Bank.
• Likelihood refers to the duration or frequency/probability of occurrence of the risk.
I. Risk Scoring - Impact Assessment

... internal business process and employee satisfaction). Medium-term effect which may be expensive to recover.
Medium/High (4): Major impact on the objective/s of the Bank (financial performance, customer satisfaction, efficiency in internal business process and employee satisfaction). Generally medium- and long-term effect and expensive to recover.
High (5): Critical impact on the objective/s of the Bank (financial performance, customer satisfaction, efficiency in internal business process and employee satisfaction). Generally very difficult and possibly takes a long time to recover.

II. Risk Scoring - Probability Assessment

Probability score / Likelihood / Threshold

Low (1): Rare (0-5%]. The risk will materialize only in exceptional circumstances. Threshold: once in every 20+ years.
Low/Medium (2): Unlikely, but not impossible (5-25%]. The risk will probably not materialize. Threshold: once in every 5-20 years.
Medium (3): Possible (25-75%]. The risk might materialize at some time. Threshold: once in every 1-5 years.
Medium/High (4): Likely (75-95%]. The risk will probably materialize at least once a year. Threshold: once in a year.
High (5): Almost certain (>95%). The risk will materialize in most circumstances. Threshold: more than once per year.

Note: The sign "(" refers to exclusion, while "]" refers to inclusion.

Based on the above assessment, the risks of the Bank can be plotted on a 5x5 matrix. A traffic light system is used for easier identification of risks into low (green), medium (yellow) and high risk (red) bands. The matrix is depicted underneath.
III. Risk Scoring Table Matrix

While the scores are not intended to provide precise measurements of risk, they do provide a useful basis for identifying vulnerabilities and ensuring that highly rated risks get the necessary attention, and they provide a way of comparing different risks across the Bank.

5.4.3. CONTROLLING OF THE OPERATIONAL RISK

The next stage in the overall risk management process is to decide on a course of action to address the risks identified and measured, that is, the response to the risks identified and measured/assessed. The relentless effort in identifying and measuring would be a futile exercise unless the Bank responds to these risks. Where the overall risk rating is 3 or less, which is flagged in green (meaning "go on, it is safe"), there should normally be no need to consider the risk appetite nor to proceed any further with the assessment: accept or assume the risk. As the risks identified may migrate to the "zone" that requires consideration of the risk appetite, they should not, however, be blotted out from the risk register.

The risk management process will continue for those risks with an overall rating of 4 and above. Risks with a score of 4 through 14, which are flagged in yellow (meaning "be careful"), may be managed by the Executive Management. Where the overall rating is 15 or above, which is flagged in red (meaning "stop!"), the risks identified are significant. Hence, they may call for the involvement of the Board of Directors.

The Bank shall, therefore, have a system which:

a) Assures that the controlling mechanisms put in place are enough and effective to address the residual risk factors; and
b) Ensures that the response options are effective in minimizing either the impact or magnitude of the incident, the frequency of its happening, or both.
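The scoring scheme of section 5.4.2 (impact 1-5 times likelihood 1-5) and the traffic-light bands and escalation rule of this section (green at 3 or less, yellow 4-14, red 15 and above) can be carried through as a small risk-register calculator. This is an added illustration, not code from the Bank's policy; the register entries and their impact and probability figures are constructed for the example and the percentage-to-score mapping follows the interval convention stated under the probability table.

```python
"""Added worked example of the 5x5 operational risk scoring described in the
text: Risk Score = Potential Impact x Likelihood, banded green/yellow/red.
Not part of the Bank's policy document; sample register entries are constructed."""
from dataclasses import dataclass

# Likelihood thresholds from the probability assessment table. The document's
# convention is "(" excludes the lower bound and "]" includes the upper one.
LIKELIHOOD_BANDS = (
    (1, "Rare", 0.0, 5.0),
    (2, "Unlikely", 5.0, 25.0),
    (3, "Possible", 25.0, 75.0),
    (4, "Likely", 75.0, 95.0),
    (5, "Almost certain", 95.0, 100.0),
)


def likelihood_score(probability_pct: float) -> int:
    """Map an estimated probability of occurrence (percent) to a 1-5 score."""
    if not 0.0 <= probability_pct <= 100.0:
        raise ValueError("probability must be between 0 and 100 percent")
    if probability_pct == 0.0:
        return 1  # 0% has no band under the "(" rule; treat it as Rare
    for score, _label, low, high in LIKELIHOOD_BANDS:
        if low < probability_pct <= high:  # (low, high] as the note states
            return score
    raise AssertionError("unreachable: bands cover (0, 100]")


def risk_score(impact: int, likelihood: int) -> int:
    """Potential Impact x Likelihood of Adverse Outcome = Risk Score."""
    for name, value in (("impact", impact), ("likelihood", likelihood)):
        if value not in range(1, 6):
            raise ValueError(f"{name} must be an integer from 1 to 5")
    return impact * likelihood


def risk_band(score: int) -> str:
    """Traffic-light band: green <= 3, yellow 4-14, red >= 15."""
    if score <= 3:
        return "green"
    if score <= 14:
        return "yellow"
    return "red"


# Who owns the response in each band, per section 5.4.3.
RESPONSE_OWNER = {
    "green": "accept the risk; keep it in the risk register",
    "yellow": "managed by Executive Management",
    "red": "escalate to the Board of Directors",
}


def scoring_matrix() -> list:
    """The 5x5 matrix (rows = impact 1..5, columns = likelihood 1..5) of bands."""
    return [[risk_band(risk_score(i, l)) for l in range(1, 6)] for i in range(1, 6)]


@dataclass
class RiskEntry:
    name: str
    category: str
    impact: int            # 1 (lowest) to 5 (highest)
    probability_pct: float  # estimated probability of occurrence, percent

    def assess(self) -> dict:
        likelihood = likelihood_score(self.probability_pct)
        score = risk_score(self.impact, likelihood)
        band = risk_band(score)
        return {"name": self.name, "category": self.category,
                "likelihood": likelihood, "score": score, "band": band,
                "response": RESPONSE_OWNER[band]}


# Constructed sample register (hypothetical entries, not from the document).
SAMPLE_REGISTER = [
    RiskEntry("Teller posts withdrawal to wrong account", "People", 2, 30.0),
    RiskEntry("Core banking system outage over 4 hours", "Technology", 4, 20.0),
    RiskEntry("External fraud via forged payment instrument", "External", 5, 80.0),
]


def assess_register(entries=SAMPLE_REGISTER) -> list:
    """Assess every entry; highest Risk Score first so red items surface on top."""
    return sorted((e.assess() for e in entries), key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for row in scoring_matrix():
        print(" ".join(f"{band:6}" for band in row))
    for r in assess_register():
        print(f"{r['score']:>2} {r['band']:6} {r['name']}: {r['response']}")
```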

5.4.3.1. OPERATIONAL RISK LIMITS

Effective management of operational risk limits contributes to the attainment of a wide variety of benefits without compromising service delivery and the level of customer satisfaction. The limit-setting exercise shall start with a clear understanding and appreciation of the benefits attached to it. The recipes are many, but those that can apply to any bank, including ours, are worth mentioning.

The Bank's operational risk limits shall encompass the following, among other things:

I. Transaction Authority Limits

Table 11. Transaction Authority Limits (maximum approval limit by area of activity and role; columns: CSS, Senior CSS, BAA and B.Mgr/CSM, each split into Origination, Deposit and Withdrawal/Payment, plus "ALL Transactions"; the column alignment of the figures did not survive extraction, so the figures are listed per row in the order extracted)

• Savings: 30,000.00; 20,000.00; 50,000.00; 30,000.00; 90,000.00; 70,000.00
• Current Account: 40,000.00; 30,000.00; 70,000.00; 40,000.00; 150,000.00; 90,000.00
• Special Savings: 40,000.00; 30,000.00; 70,000.00; 40,000.00; 150,000.00; 90,000.00
• Payment Instruments: 20,000.00; 30,000.00; 20,000.00; 20,000.00; 50,000.00; 30,000.00; 90,000.00; 90,000.00; 70,000.00
• Domestic Transfer: 20,000.00; 20,000.00; 10,000.00; 25,000.00; 50,000.00; 50,000.00

II. Employment Authority Limit

There is a recruitment committee entrusted with the responsibility of selecting the most appropriate candidate on the basis of the criteria determined for each vacancy. The committees shall be designated by the President.

The recruitment committee for positions below branch manager and division manager shall be designated by the VP, Corporate Services as follows:

• Director, HRM and SS Department: Chairperson
• Director/Division Manager of the hiring unit: Member
• Director/Division Manager/Senior Officer, to be assigned by the relevant VP: Member
• HRM Officer: Minutes recorder

The recruitment committee for positions of branch manager, division manager and above shall be designated by the President as follows:

• Relevant VP: Chairperson
• Director, HRM & SS: Member
• Director/Division Manager, to be assigned by the relevant VP: Member
• Senior Officer, HRM: Minutes recorder

The recruitment committee for positions of Directors and above shall be designated by the President as follows:

• President/VP: Chairperson
• Two Directors, to be assigned by the President: Members
• Director, HRM & SS: Member and minutes recorder

III. Procurement Authority Limit

Procurement Committee / Chairperson / Approving Organ / Limit (in Birr)

• Executive Management Procurement Committee; Chairperson: President; Approving organ: Board of Directors; Limit: above 5,000,000.00
• Procurement Committee III; Chairperson: V/P Corporate Services; Approving organ: President; Limit: 1,000,001.00 up to 5,000,000.00
• Procurement Committee II; Chairperson: Director, Finance and Accounts; Approving organ: V/P Corporate Services; Limit: 100,001 up to 1,000,000
• Procurement Committee I; Chairperson: Director, Finance and Accounts; Approving organ: Director, HRM & SS Department; Limit: up to 100,000

5.4.4. MONITORING OF THE OPERATIONAL RISK

The last stage in the risk management process is monitoring, which encompasses the activities of communicating, reviewing and reporting risks. The monitoring process, among others, includes the follow-up of the proper implementation of the action plan, which is prepared for material and significant risks. The monitoring phase, among other things, must take into consideration the following:

5.4.5. REPORTING

The monitoring process also includes producing summarized reports that show the operational risk exposure and the level of risk to the Bank, as identified, measured and monitored by the Risk and Compliance Management Department, to the Board's Risk and Compliance Committee on a quarterly basis, in brief, for informed business decisions and the proper management of the Bank's operational risk. Reporting should be performed on an ongoing basis, and special attention shall be given to significant or high risk categories.

5.5. BUSINESS CONTINUITY AND DISASTER RECOVERY PLAN

For reasons that may be beyond a bank's control, a severe event may result in the inability of the bank to fulfill some or all of its business obligations, particularly where the bank's physical, telecommunication, or information technology infrastructures have been damaged or made inaccessible. This can, in turn, result in significant financial losses to the bank. This requires the bank to establish disaster recovery and business continuity plans that take into account the different types of plausible scenarios to which the bank may be vulnerable.

The Bank shall identify critical business processes, including those where there is dependence on external vendors or other third parties, for which rapid resumption of service will be most essential. For these processes, the bank shall identify alternative mechanisms for resuming service in the event of an outage. Particular attention shall be paid to the ability to restore electronic or physical records that are necessary for business resumption, where such records are backed up at an off-site facility. The bank shall periodically review its disaster recovery and business continuity plans so that they are consistent with its current operations and business strategies. Moreover, these plans shall be tested periodically to ensure that the bank will be able to execute them in the unlikely event of a severe business disruption. Finally, Enat Bank's business continuity and disaster recovery plan singles out how, and by whom, the derived course of action would be executed.

5.6. MANAGEMENT INFORMATION SYSTEM

An effective management information system (MIS) is essential for sound operational risk management decisions and effective oversight. Management information systems are a critical tool for communicating information to decision makers in a form that enables them to review and act on the information. Information should be readily available for day-to-day operations management and risk control. Data should be appropriately consolidated, comprehensive yet brief, focused and available in a timely manner. Operational risk can arise very quickly, and effective operational risk management may require daily internal reporting. Since the bank's operations are affected by many different factors, detailed information on every transaction is essential.

Enat Bank shall implement a system to monitor, on an ongoing basis, its operational risk exposure and loss events by each major department and branch. The bank monitors its operational losses directly, with an analysis of each occurrence and a description of the nature and causes of the losses.

5.7. INTERNAL CONTROLS

In mitigating or reducing operational risk, the value of internal controls is critical. Internal controls should be seen as the major tool for managing operational risk. The controls cited include the full range of control activities, such as segregation of duties, clear management reporting lines and adequate operating procedures. In most cases, operational risk events are associated with internal control weaknesses or a lack of compliance with existing internal control procedures.

Control activities should be designed and implemented to address the risks that the bank has identified. Control processes and procedures should be established, and there shall be a system in place for ensuring compliance with the documented set of internal policies concerning the risk management system. The principal elements of this should include:

• Top-level reviews of the bank's progress towards its stated objectives;
• Checking for compliance with management controls;
• Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues; and
• A system of documented approvals and authorizations to ensure accountability to an appropriate level of management.

To be effective, control activities should be an integral part of the regular activities of the bank and should involve all levels of personnel in the bank, including both senior management and business unit personnel.

An effective internal control system requires that there be appropriate segregation of duties and that personnel in the bank are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals or a team may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflict of interest should be identified, minimized and subject to careful independent monitoring and review.

The activities of internal auditors also form an important element of operational risk management. In ensuring good internal controls, internal auditors would need to be proactive in dealing with the bank's operational weaknesses, in particular the identification of potential problems and the independent validation of business management.
