Operational Risk - PowerPoint PPT Presentation

About This Presentation
Title:

Operational Risk

Description:

Operational Risk 6th ACSDA International Seminar Punta del Este, Uruguay - October 27-28, 2005 Mary Ann Callahan, DTCC Agenda Defining Operational Risk Demystifying ... – PowerPoint PPT presentation

Slides: 36

Transcript and Presenter's Notes

Title: Operational Risk


1
Operational Risk

6th ACSDA International Seminar Punta
del Este, Uruguay - October 27-28, 2005
Mary Ann Callahan, DTCC
2
Agenda
  • Defining Operational Risk
  • Demystifying Operational Risk Management from
    Basel II
  • Key measures and elements of an Operational Risk
    Management framework
  • DTCC's experiences in developing and implementing
    an Operational Risk Management Program

3
Traditional view of Op Risk
  • Generally managed in a less explicit way
  • Ambiguous responsibility and accountability for
    identification, monitoring and management
  • Weak issue-monitoring and escalation processes
  • Lack of statistically significant loss data
  • No common perspective, language and culture
    throughout or across organizations
  • Weak linkage of risk management framework with
    measurement of people and business performance

4
Operational Risk as defined by the Basel Accord
(2003)
  • The risk of loss resulting from inadequate or
    failed internal processes, people and systems or
    from external events.
  • -- Basel Committee on Banking Supervision
  • and especially for CSDs, don't forget about
    reputational harm

5
The Basel II Accord
  • Effective 2006, some banks will be required to
    set aside capital specifically for Operational
    Risk.
  • US implementation for largest banks now set for
    three-year transition beginning in 2007.
  • The accord requires the affected largest banks to
    adopt both qualitative and quantitative framework
    elements for Risk Management.

6
Some Operational Risks at a CSD
Customer Confidentiality Failure
Governance Issues
Fraud
Computer Hacking
Settlement Fails
Incomplete Due Diligence
Terrorist Threats
Missing Certificates
Corporate Actions Losses
Data Entry Errors
7
Operational Risk Categories
Customer Service Interaction Risk
Liquidity Risk
Legal and Regulatory Risk
Financial Controls and Reporting Risk
Execution, Delivery and Process Management Risk
People and Culture Risk
Key Person Risk
Brand Image Risk
Employment Practice Risk
Technology Risk
Infrastructure Risk
Security Risk
Hardware Risk
Business Continuity Risk
Business Resumption Risk
External Fraud Risk
Physical Asset Risk
Utility Risk
External Risk
8
Mapping the Operational Risk Landscape DTCC
Example
9
What Operational Risk is Not
  • Credit Risk
  • Market Risk
  • Strategic Risk
  • Operational Risk is NOT LIMITED to the
    processing-type of risks generally associated
    with a back-office operation.

10
Why Focus on Operational Risk Management?
  • Largest losses in the financial services industry
    are attributed to Operational Risk
  • Good business sense
  • The new world post-September 11, 2001, and
    resulting regulatory requirements
  • Potentially lower capital charges for CSD and its
    members

11
Examples of Op Risk Failures
Arthur Andersen
Sumitomo Bank
Enron
Tyco
Allied Irish Bank
Parmalat
Barings
August 2003 Blackout
REFCO
Hurricane Katrina!
12
Basel II Focus Three Pillars
  • Minimum capital requirements
  • Supervisory review of capital adequacy
  • Market discipline through effective disclosure

13
Basel II
14
Further Basel Guidance on Sound Practices
  • Board of Directors approve framework and
    understand major risks
  • Consistent transparency and reporting of risk and
    control
  • Operational Risk framework that is well
    understood and consistently implemented
    throughout the institution
  • Ongoing risk identification and assessment for
    all material products, activities, processes and
    systems
  • Risk monitoring and reporting
  • Policies, processes and procedures to document
    effective mitigation of risks
  • Regular internal audit coverage of operational
    risk framework
  • An organization's use of third parties does not
    diminish the responsibility of the board of
    directors and management to ensure that the
    third-party activity is conducted in a safe and
    sound manner and in compliance with applicable
    laws.

15
Goals and Objectives
  • Consistent approach
  • Timely, accurate, meaningful reporting
  • More robust analysis
  • Risk-focused data
  • Better enables decision making and effective
    oversight role by Senior Management
  • Business ownership for risk information embedded
    throughout management
  • Measure actual risk level against risk appetite
  • Gain benchmarking perspective
  • Less resource intensive
  • Leveraging technology
  • Determine capital requirements (possible change)
    and allocate capital

16
Operational Risk Management Components
  • Identify and Assess Risk
  • Monitor Risk
  • Manage Risk
  • Measure Risk
  • Disclose Risk

17
Program Components
  • Risk and Control Self-Assessment
  • Key Risk Indicators
  • Enterprise-wide reporting
  • Leveraging off existing risk event information

18
An Op Risk Management Framework
Operational Risk Governance Vision, Guiding
Principles, Risk Strategy, Risk Appetite,
Organization Structure, Risk Glossary
Risk Monitoring
Risk Measurement
Risk Identification and Assessment
Strategy
  • Common Organizational Hierarchy
  • Common Risk Definitions
  • Common Control Themes
  • Key Process Focus
  • Validating Components

Loss Data
Risk and Control Self Assessments (RCSA)
Key Indicators (KIs)
Business Initiatives
Risk Reporting
19
DTCC's Operational Risk Management Initiative
20
DTCC Operational Risk Objectives
  • Establish a common risk language across the
    organization
  • Define the organization's risk tolerance
  • Foster a climate where risks are identified and
    openly discussed by all departments and employees
  • Inform senior management and Board about
    Operational Risk across the enterprise
  • Reinforce transparency and comply with regulatory
    expectations

21
22
Program Components
  • Risk and Control Self-Assessment
  • Key Risk Indicators
  • Enterprise-wide reporting
  • Leveraging off existing risk event information

23
An Operational Risk Framework
FOUNDATION
  • Stage 1 QUALITATIVE ASSESSMENT: Identification, Prioritization and
    Assessment of Operational Risk
  • Stage 2 RISK MONITORING: Monitoring of Risk and Process Indicators to
    Track Operational Risk Level, Modify Risk Profile and Improve Business
    Processes
  • Stage 3 QUANTITATIVE VALIDATION: Identification and Measurement of
    Operational Risk Events, including Near Misses
Diagram labels: Risk Identification, Risk Assessment, Risk Mitigation,
Risk Monitoring, Risk Measurement
24
Status of Effort to Date
  • Governance Structure in place
  • Corporate Policy and other documents issued
  • Risk and Control Self-Assessment (RCSA) process
    piloted, improved, formalized and completed for
    all identified DTC high risk areas
  • Six-month RCSA process initiated
  • Key Risk Indicator process piloted
  • Third Party software selected

25
Governance Structure
  • Board of Directors
  • Membership Risk Management Committees
  • Audit Committee
  • Operations and Planning Committee
  • DTCC Management Committee
  • DTCC Internal Risk Management Committee
  • Operational Risk Working Group

26
Our RCSA Process
  • Planning Stage
  • Conduct RCSA
  • Review and Validate RCSA (Team)
  • Rate Inherent Risks
  • Prepare Presentation for Dept. Management
  • Management Sign Off

27
RCSA Planning Stage
  • Research and Gather Information
  • Conduct a Planning Meeting with Dept. Management
  • Identify Assessment Team(s)
  • Introduce the RCSA Concept
  • Schedule Facilitated Sessions

28
Conduct RCSA
  • Conduct facilitated sessions
  • Populate RCSA Template
  • Identify and Describe Risk Mitigants
  • Rate Mitigant Importance and Effectiveness
  • Provide Additional Comments or Define Issue
  • Rate Issue Severity
  • Accept Risk or Formulate Action Plan and Target Date

29
RCSA Review and Validation
  • Team reviews the template that has been completed
    over the course of the facilitated sessions to
    ensure accuracy
  • Team validates its risks, mitigants, action plans
    and accepted risks, prepares management
    presentation.

30
Rate Inherent Risk
  • Absence of Mitigants
  • Two Components for Each Sub-Risk
  • Severity (Impact)
  • Frequency
  • Requires Consistency Across the Organization

31
Inherent Risk Rating Matrix
Severity (Impact)
Frequency

 

32
Inherent Risk Rating Worksheet
33
Continuous Improvement
  • Team feedback
  • Rewards and Recognition
  • Chairman's Acknowledgement
  • Loop-back to Subject Matter Experts

34
2005 Objectives
  • Complete RCSAs for ALL DTCC High Risk Areas
  • Install, test and implement a system for
    self-assessments
  • Enhance Enterprise-wide Operational Risk
    Management Reporting

35
2005 Objectives (cont'd)
  • Considering the purchase of an external Loss Event
    database to augment internal causal analysis
  • Continue Regulatory Meetings
  • Roll-out Key Risk Indicator methodology