Title: Operational Risk
1. Operational Risk
6th ACSDA International Seminar
Punta del Este, Uruguay - October 27-28, 2005
Mary Ann Callahan, DTCC
2. Agenda
- Defining Operational Risk
- Demystifying Operational Risk Management from Basel II
- Key measures and elements of an Operational Risk Management framework
- DTCC's experiences in developing and implementing an Operational Risk Management Program
3. Traditional view of Op Risk
- Generally managed in a less explicit way
- Ambiguous responsibility and accountability for identification, monitoring and management
- Weak issue-monitoring and escalation processes
- Lack of statistically significant loss data
- No common perspective, language and culture throughout or across organizations
- Weak linkage of risk management framework with measurement of people and business performance
4. Operational Risk as defined by the Basel Accord (2003)
- The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
  -- Basel Committee on Banking Supervision
- and especially for CSDs, don't forget about reputational harm
5. The Basel II Accord
- Effective 2006, some banks will be required to set aside capital specifically for Operational Risk.
- US implementation for largest banks now set for three-year transition beginning in 2007.
- The accord requires the affected largest banks to adopt both qualitative and quantitative framework elements for Risk Management.
6. Some Operational Risks at a CSD
Customer Confidentiality Failure
Governance Issues
Fraud
Computer Hacking
Settlement Fails
Incomplete Due Diligence
Terrorist Threats
Missing Certificates
Corporate Actions Losses
Data Entry Errors
7. Operational Risk Categories
Customer Service Interaction Risk
Liquidity Risk
Legal & Regulatory Risk
Financial Controls & Reporting Risk
Execution, Delivery & Process Management Risk
People & Culture Risk
Key Person Risk
Brand Image Risk
Employment Practice Risk
Technology Risk
Infrastructure Risk
Security Risk
Hardware Risk
Business Continuity Risk
Business Resumption Risk
External Fraud Risk
Physical Asset Risk
Utility Risk
External Risk
8. Mapping the Operational Risk Landscape - DTCC Example
9. What Operational Risk is Not
- Credit Risk
- Market Risk
- Strategic Risk
- Operational Risk is NOT LIMITED to the
processing-type of risks generally associated
with a back-office operation.
10. Why Focus on Operational Risk Management?
- Largest losses in the financial services industry are attributed to Operational Risk
- Good business sense
- The new world post-September 11, 2001, and resulting regulatory requirements
- Potentially lower capital charges for CSD and its members
11. Examples of Op Risk Failures
Arthur Andersen
Sumitomo Bank
Enron
Tyco
Allied Irish Bank
Parmalat
Barings
August 2003 Blackout
REFCO
Hurricane Katrina!
12. Basel II Focus: Three Pillars
- Minimum capital requirements
- Supervisory review of capital adequacy
- Market discipline through effective disclosure
13. Basel II
14. Further Basel Guidance on Sound Practices
- Board of Directors approve framework and understand major risks
- Consistent transparency and reporting of risk and control
- Operational Risk framework that is well understood and consistently implemented throughout the institution
- Ongoing risk identification and assessment for all material products, activities, processes and systems
- Risk monitoring and reporting
- Policies, processes and procedures to document effective mitigation of risks
- Regular internal audit coverage of operational risk framework
- An organization's use of third parties does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.
15. Goals and Objectives
- Consistent approach
- Timely, accurate, meaningful reporting
- More robust analysis
- Risk-focused data
- Better enables decision making and effective oversight role by Senior Management
- Business ownership for risk information embedded throughout management
- Measure actual risk level against risk appetite
- Gain benchmarking perspective
- Less resource intensive
- Leveraging technology
- Determine capital requirements (possible change) and allocate capital
16. Operational Risk Management Components
- Identify & Assess Risk
- Monitor Risk
- Manage Risk
- Measure Risk
- Disclose Risk
17. Program Components
- Risk and Control Self-Assessment
- Key Risk Indicators
- Enterprise-wide reporting
- Leveraging off existing risk event information
18. An Op Risk Management Framework
Operational Risk Governance: Vision, Guiding Principles, Risk Strategy, Risk Appetite, Organization Structure, Risk Glossary
Risk Monitoring
Risk Measurement
Risk Identification & Assessment
Strategy
- Common Organizational Hierarchy
- Common Risk Definitions
- Common Control Themes
- Key Process Focus
- Validating Components
Loss Data
Risk and Control Self Assessments (RCSA)
Key Indicators (KIs)
Business Initiatives
Risk Reporting
19. DTCC's Operational Risk Management Initiative
20. DTCC Operational Risk Objectives
- Establish a common risk language across the organization
- Define the organization's risk tolerance
- Foster a climate where risks are identified and openly discussed by all departments and employees
- Inform senior management and Board about Operational Risk across the enterprise
- Reinforce transparency and comply with regulatory expectations
22. Program Components
- Risk and Control Self-Assessment
- Key Risk Indicators
- Enterprise-wide reporting
- Leveraging off existing risk event information
23. An Operational Risk Framework
FOUNDATION
- Stage 1, QUALITATIVE ASSESSMENT: Identification, Prioritization and Assessment of Operational Risk
- Stage 2, RISK MONITORING: Monitoring of Risk and Process Indicators to Track Operational Risk Level, Modify Risk Profile and Improve Business Processes
- Stage 3, QUANTITATIVE VALIDATION: Identification and Measurement of Operational Risk Events, including Near Misses
[Diagram: building blocks shown across the stages: Risk Identification, Risk Assessment, Risk Mitigation, Risk Monitoring, Risk Measurement]
24. Status of Effort to Date
- Governance Structure in place
- Corporate Policy and other documents issued
- Risk & Control Self-Assessment (RCSA) process piloted, improved, formalized and completed for all identified DTC high risk areas
- Six month RCSA process initiated
- Key Risk Indicator process piloted
- Third Party software selected
25. Governance Structure
- Board of Directors
- Membership Risk Management Committees
- Audit Committee
- Operations and Planning Committee
- DTCC Management Committee
- DTCC Internal Risk Management Committee
- Operational Risk Working Group
26. Our RCSA Process
- Planning Stage
- Conduct RCSA
- Review & Validate RCSA (Team)
- Rate Inherent Risks
- Prepare Presentation for Dept. Management
- Management Sign Off
27. RCSA Planning Stage
- Research & Gather Information
- Conduct a Planning Meeting with Dept. Management
- Identify Assessment Team(s)
- Introduce the RCSA Concept
- Schedule Facilitated Sessions
28. Conduct RCSA
- Conduct facilitated sessions
- Populate RCSA Template
- Identify and Describe Risk Mitigants
- Rate Mitigant Importance and Effectiveness
- Provide Additional Comments or Define Issue
- Rate Issue Severity
- Accept Risk or Formulate Action Plan Target Date
29. RCSA Review & Validation
- Team reviews the template that has been completed over the course of the facilitated sessions to ensure accuracy
- Team validates its risks, mitigants, action plans and accepted risks, prepares management presentation.
30. Rate Inherent Risk
- Absence of Mitigants
- Two Components for Each Sub-Risk
- Severity (Impact)
- Frequency
- Requires Consistency Across the Organization
31. Inherent Risk Rating Matrix
Severity (Impact)
Frequency
32. Inherent Risk Rating Worksheet
33. Continuous Improvement
- Team feedback
- Rewards and Recognition
- Chairman's Acknowledgement
- Loop-back to Subject Matter Experts
34. 2005 Objectives
- Complete RCSAs for ALL DTCC High Risk Areas
- Install, test and implement a system for self-assessments
- Enhance Enterprise-wide Operational Risk Management Reporting
35. 2005 Objectives (cont'd)
- Considering the purchase of an external Loss Event database to augment internal causal analysis
- Continue Regulatory Meetings
- Roll-out Key Risk Indicator methodology