
Operational Risk Management NCBA&E Multan

Operational Risk Management: The Seven Operational Risk Event Types; The Benefits of Operational Risk Management; How Does Operational Risk Management Work?; Stages of Operational Risk Management; Challenges of Managing Operational Risk; Elements a Financial Institution Should Consider When Developing an Analytical Framework for Operational Risk; Business Benefits: Moving Beyond Compliance

Uploaded by Astro Ria

Group profile

Risk

• Two meanings of risk:
  • Variability in outcomes around some expected value.
  • Expected losses associated with a situation.
• California’s expected loss from earthquakes is high relative to other states.

Operational Risk Definition

• Solvency II definition - Operational risk means the risk of loss arising from inadequate or failed internal processes, personnel or systems, or from external events. [It] shall include legal risks, and exclude risks arising from strategic decisions, as well as reputation.
• The Solvency II Directive is a Directive in European Union law that codifies and harmonises the EU insurance regulation.
• Primarily this concerns the amount of capital that EU insurance companies must hold to reduce the risk of insolvency.

• Legal risk - risk of loss due to legal actions or uncertainty in the applicability or interpretation of contracts, laws, or regulations. Included.
• Strategic risk - risk arising from decisions concerning a company’s direction. Excluded.
• Reputational risk - risk related to the trustworthiness of the company. Excluded.

• Better definition - Operational risk is the risk arising from execution of a company’s business function.
• This focuses on the risks arising from people, processes, and systems.
• Note that it includes external events that affect a company’s operations.

• Operational risk does not include strategic risk - the risk that arises from decisions concerning a company’s objectives.
• Reputational risk may arise from operational risk but is not, in and of itself, an operational risk. It also can arise from credit risk, market risk, and strategic risk.
• Operational risk is not used to generate profit, whereas market risk, credit risk, and strategic risk can do so.

Mehreen IQBAL
THE SEVEN OPERATIONAL RISK EVENT TYPES

Employment practices and workplace safety

• Non-compliance with employment or health-and-safety laws and regulations is a grave operational hazard in any organization.
• Incompetent maintenance of employee relations takes a toll on employees, claiming their well-deserved compensation and benefits. Unethical termination criteria and discrimination are other operational risks that subject institutions to serious financial and reputational damage.

Clients, products, & business practice

• Organizations fail to meet promises made to their clients as a result of unintended circumstances arising from negligent practices. Privacy and fiduciary breaches, misuse of confidential information, suitability issues, market manipulation, money laundering, unlicensed activities and product defects are very common practices that lead companies to face lawsuits.
• There are many intentional and unintentional malpractices exercised in the business world. Entrepreneurs should learn the do’s and don’ts before starting up.

Internal fraud
• Acts of fraud committed internally in an organization go against its interest.
• Losses can result from:
  • intent to defraud,
  • tax non-compliance,
  • misappropriation of assets,
  • forgery,
  • bribes,
  • deliberate mismarking of positions and theft.

External fraud

• External frauds are activities committed by third parties.
• Theft, cheque fraud, and breaches of system security, such as hacking or acquiring unauthorized information, are the frequently encountered practices under external fraud.

Damage to physical assets

• These are losses incurred through damage caused to physical assets by natural disasters or other events like terrorism and vandalism.
• Rapid and unexpected changes in climatic conditions have been a constant cause of concern in the business world for more than a decade in recent history.

Business disruption and systems failures

• Supply-chain disruptions and business continuity have always been a big challenge for banks.
• System failures (hardware or software), disruption in telecommunication, and power failure can all result in interrupted business and financial loss.

Execution, delivery, & process management

• Failure in delivery, transaction or process management is an operational risk that has the potential to bring loss to a business.
• Errors in data entry, miscommunication, deadline misses, accounting errors, inaccurate reports, incorrect client records, negligent loss of client assets and vendor disputes are operational risk events that could bring about legal threats to the organization.

UMAR Farooq
The Benefits Of Operational Risk Management

• Improving the reliability of business operations
• Improving the effectiveness of the risk management operations
• Strengthening the decision-making process where risks are involved
• Reduction in losses caused by poorly-identified risks
• Early identification of unlawful activities
• Lower compliance costs
• Reduction in potential damage from future risks

How Does Operational Risk Management Work?

In-depth: We don’t live in an ideal world, but there are still many situations when you can take the time to plan for a new project or business venture with in-depth Operational Risk Management, which can include staff training and/or the implementation of new policies and procedures.

Deliberate: This is still not ‘panic stations’ in the world of risk management but is undertaken at various stages during the life cycle of a project or a business and can come in the form of routine safety checks or performance reviews.

Time-Critical: This kind of Operational Risk Management involves more urgency, as it is usually done in the midst of operational change when there is only a limited amount of time for it to be done before the potential consequences of any non-identified risks might start to be felt.

Stages Of Operational Risk Management

• Risk Identification
The identification process needs to involve staff from all levels of the business if possible. Different identifications can differ from each other.

• Risk Assessment
Once the risks have been identified, they need to be assessed. This needs to be done from both a quantitative and qualitative perspective, and factors like the frequency and severity of occurrence need to be taken into consideration. The assessment needs to prioritize the management of these risks in relation to those factors.

• Measurement and Mitigation
Mitigating these risks (if not actually eliminating them altogether) is the next stage, with controls put in place that should limit the company’s exposure to the risks and the potential damage caused by them.

• Monitoring and Reporting
Any Operational Risk Management plan must have something in place for the ongoing monitoring and reporting of these risks, if only to demonstrate how effective the plan has been. Most of all, it’s to ensure that the solutions put in place are continuing to be effective and doing their job in managing the risks.

There are other processes and models out there, particularly in the banking world, but most follow similar approaches to the one listed above. As long as you are picking an approach that suits your specific needs and situation, you will be on the way to a successful Operational Risk Management strategy.

Achievements

• Accept no unnecessary risk.
• Anticipate and manage risk by planning.
• Make risk decisions at the right level.

Ayaz Hassan
Challenges of Managing Operational Risk

Rising Costs of Compliance: Development of an ORM model as part of a regulatory and economic capital framework is complex and takes time. There is general agreement that the major ORM challenge is the escalating cost of compliance.

Access to Appropriate Information and Reporting: Effective management of operational risk requires diverse information from a variety of sources, including, for example, risk reports, risk and control profiles, operational risk incidents, key risk indicators, risk heat maps, and rules and definitions for regulatory capital and economic capital reporting.

Development of Loss Databases: A well-structured operational risk framework requires development of business-line databases to capture loss events attributable to various categories of operational risk.

Lack of Systematic Measurement of Operational Risk: Many enterprises hold that their institutions are measuring operational risk. However, very few of them have been able to complete the Basel II quantification requirements, or have yet to formalize the measurement process around the Basel II framework.

Implementing ORM Systems: Amid regulatory efforts to revamp the industry’s immunity to operational risk, and its implications for efficient financial intermediation, many organizations are looking to go beyond traditional siloed approaches and implement a consolidated ORM framework across the entire value chain. Development of an ORM model as part of a regulatory and economic capital framework,

Tone at the Top: An effective risk management program starts with “The Tone at the Top”, driven by top management and adhered to by the bottom line. However, if a bank’s top leaders perceive operational risk management solely as a regulatory mandate, rather than as an important means of enhancing competitiveness and performance, they may tend to be less supportive of such efforts.

Asad Ali
Elements a Financial Institution Should Consider When Developing an Analytical Framework for Operational Risk

• Governance
• Strategy
• Appetite and Policy
• Clear Definition & Communication of Policy
• Periodic Evaluations Based on Internal & External Changes
• Structure

Governance: It is the process by which the Board of Directors defines key objectives for the bank and oversees progress towards achieving those objectives. It defines the overall operational risk culture in the organization, and sets the tone as to how a bank implements and executes its operational risk management strategy. A successfully executed risk strategy often results in risk being firmly embedded in the vision, strategies, tools, and tactics of the organization. Governance sets the precedence for Strategy, Structure and Execution.

Strategy: A bank’s strategy for operational risk drives the other components within the management framework and provides clear guidance on risk appetite or tolerance, policies, and processes for day-to-day risk management.

Appetite and Policy: An ideal risk management process ensures that organizational behavior is driven by its risk appetite. Adopting an operational risk strategy aligned to risk appetite leads to informed business and investment decisions.

Clear Definition & Communication of Policy: An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk at all levels, and conscious efforts should be made to ensure that these policies are communicated at all levels and across the entire value chain.

Periodic Evaluations Based on Internal & External Changes: An ideal risk management process puts improvement of risk performance on a competitive level with other important mission concerns, periodically evaluating the ORM performance goals in the light of internal and external factors. Depending upon the criticality of the internal operating environment and key external factors, the organization must review the strategic policies inside out.

Structure: When designing the operational risk management structure, the bank's overall risk scenario should serve as a guideline. This includes initiatives like laying down a hierarchical structure that leverages current risk processes, developing risk measurement models to assess regulatory and economic capital, and allocating economic capital vis-à-vis the actual risk confronted. Centralized aggregation of operational risk information collected via various self-assessments across the organization further provides useful insight for the desired hierarchical structure. The implementation of these concepts allows risk to be handled consistently throughout the organization.

HIRA Arooj
Business Benefits: Moving Beyond Compliance

As ORM efforts mature, and gain both the support and the confidence of management, they are becoming increasingly valuable to the business. Perceived initially to support regulatory requirements, these efforts can be leveraged and aligned with business performance management. To be successful, however, such alignment must be based on a clear vision of the potential benefits. A few of the benefits are discussed below:

Identified and assessed key operational risk exposures: ORM enables an organization to identify, measure, monitor and control the inherent risk exposures of the business at all levels. Elements like Risk Assessment, Event Management, and Key Risk Indicators play an important role, enabling the organization to evaluate the risk controls, based on the identified inherent risk, and to measure the residual risk which remains after the implementation of controls.

Evolved and enabled efficient allocation of operational risk capital: With a streamlined risk management process, efficient allocation and utilization of operational risk capital can be ensured.

Consistent and timely operational risk management information and reporting capabilities: Through the development of a well-tailored risk management strategy, a robust ORM system supports features like role-based dashboards, control diagrams and scorecards that provide visibility into the ongoing risk management efforts and bring high-risk areas into focus.

Clarified personal accountabilities, roles and responsibilities for managing operational risks: Clear-cut specification of the roles and responsibilities of personnel regarding the risk profile is an imperative part of implementing an integrated ORM framework. It not only streamlines the risk management process, but also allows risk managers to better incorporate accountability into the work culture of the organization.

Sustained risk-smart workforce and environment: Application of an ORM framework, in conjunction with related risk management activities, will support a cultural shift to a risk-smart workforce and environment in the organization. An essential element of a risk-smart environment is that it ensures that the organization has the capacity and tools to be innovative while recognizing and respecting the need to be prudent in protecting its interest.

Ensured continuous risk management learning: Most business units today acknowledge that continuous learning is fundamental to more informed and proactive decision-making, and a successful learning organization must align itself to the businesses it supports. To ensure continuous risk management learning, these business units are sharing their experience and best risk management practices, internally and across organizations. This supports innovation, capacity building and continuous improvement, and fosters an environment that motivates people to learn.

NIDA Mehmood
Operational Risk

1. Assess the situation.
The three conditions of the Assess step are task loading, additive conditions, and human factors.
• Task loading refers to the negative effect of increased tasking on performance of the tasks.
• Additive factors refers to having situational awareness of the cumulative effect of variables (conditions, etc.).
• Human factors refers to the limitations of the ability of the human body and mind to adapt to the work environment (e.g. stress, fatigue, impairment, lapses of attention, confusion, and wilful violations of regulations).

2. Balance your resources.
• Balancing resources and options available. This means evaluating and leveraging all the informational, labor, equipment, and material resources available.
• Balancing resources versus hazards. This means estimating how well prepared you are to safely accomplish a task and making a judgement call.
• Balancing individual versus team effort. This means observing individual risk warning signs. It also means observing how well the team is communicating, knows the roles that each member is supposed to play, and the stress level and participation level of each team member.

3. Communicate risks and intentions.
• Communicate hazards and intentions.
• Communicate to the right people.
• Use the right communication style. Asking questions is a technique for opening the lines of communication. A direct and forceful style of communication gets a specific result from a specific situation.

4. Do and debrief. (Take action and monitor for change.)
This is accomplished in three different phases:
• Mission Completion is a point where the exercise can be evaluated and reviewed in full.
• Execute and Gauge Risk involves managing change and risk while an exercise is in progress.
• Future Performance Improvements refers to preparing a "lessons learned" for the next team that plans or executes a task.

Aman Ullah
Risk Analysis and Risk Self Assessment:

Control Design and Assessments: Once the key risks are identified and prioritized, MetricStream leverages the operational risk framework to enable companies to define a set of controls that mitigate those risks. The solution also allows associated policy and procedure documents to be attached for reference.

Loss Tracking and Key Risk Indicators (KRIs): With loss event tracking, risk managers can track loss incidents and near misses, record amounts, and determine root causes and ownership. MetricStream provides statistical and trend analysis capabilities and enables end-users to track remedies and action plans. Key risk indicators (KRIs) provide capabilities for tracking risk metrics and thresholds, with automated notification when thresholds are breached. MetricStream provides facilities for both manual and automatic data inputs from internal and external data sources.

Issue Management and Remediation: Once issues are identified, documented and prioritized, a systematic mechanism of investigation and remediation is set off by the underlying workflow and collaboration engine. The solution supports triggering automatic alerts and notifications to appropriate personnel for task assignments for investigation and remedial action.

Internal Audit: The MetricStream solution provides seamless integration with internal audit management for streamlining the auditing process in the organization. It provides the flexibility to manage a wide range of audit-related activities, data and processes to support risk management. It supports all types of audits, including internal audit, operational audit, financial statement audit, IT audits and quality audits. Advanced capabilities like built-in remediation workflows, time tracking, email-based notifications and alerts, and offline functionality for conducting audits at remote field sites allow organizations to implement the industry best practices for efficient audit execution and ensure integration of the audit process with the risk and compliance management system.

Reports and Dashboards: The solution has the ability to track risk profiles, control ownership, assessment plans, remediation status, etc. on graphical charts that can be accessed globally and display real-time information. The ability to drill down provides an easy way to access the data at finer levels of detail. In addition to pre-configured standard risk reports, the system provides flexibility by enabling stakeholders to configure ad-hoc or scheduled reports to view metrics on a variety of parameters such as by process, by business units, by status, etc. Quarterly and monthly trending analysis, along with the ability to drill down into each report and dashboard to see the underlying details, enables risk managers and process owners to stay in constant touch with the ground reality and progress on risk management programs. Automated alerts for events such as exceptions and failures eliminate any surprises and make the process predictable.
