Implementing Operational Risk in an Enterprise Risk Management Framework

Implementing Operational Risk in an Enterprise Risk Management Framework. William Gonyer Managing Director williamegonyer@broadstbanking.com. Session Outline. Operational Risk as a component to ERM; BIS II defined and as template to an ORM program;


Presentation Transcript


  1. Implementing Operational Risk in an Enterprise Risk Management Framework William Gonyer Managing Director williamegonyer@broadstbanking.com

  2. Session Outline • Operational Risk as a component to ERM; • BIS II defined and as template to an ORM program; • The Pillars of Hercules and Basel II’s European Flavor; • One Man’s Struggle for European Convergence; • Campaign Promises, a Big Stick and the art of moral suasion; • ORM for Less than Million Euros; • COSO, SOX and the World Today.

  3. How Does ORM Fit Within ERM as Defined? “… a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.” Source: COSO Enterprise Risk Management – Integrated Framework. 2004. COSO.

  4. Operational Risk Is a pragmatic approach to many of the risks covered within an ERM framework. OR is defined by the Bank for International Settlements as “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events.” • Targeted for banking institutions by the BIS. • Three “Pillars”: minimum capital requirements, supervisory review of capital adequacy and public disclosure.

  5. Pillar 1 – Minimum Capital Requirements Capital is calculated using the amount of the institution’s available capital as the numerator and risk-weighted assets as the denominator. The minimum capital ratio is 8%: Risk-weighted assets come from credit and market activities and Basel II introduced the added component of Operational Risk.

  6. Weighing the Assets of Operational Risk Basel II provided three methods for calculating the Operational Risk component of the capital equation: • Basic Indicator Approach; • Standardized Approach; and • Advanced Measurement Approaches (AMA).

  7. The Basic Indicator Approach Under the basic indicator approach the “weight of the asset” is calculated using the three-year average of gross income multiplied by a fixed charge of 15%. This approach is intended for a financial institution with less complex operations.

  8. The Standardized Approach Under the standardized approach the gross income of a defined business unit is multiplied by a percentage associated with the type of business:

  9. Advanced Measurement Approaches A financial institution utilizes its own risk measure generated by its Operational Risk measurement system. The specific methodology must be approved by its regulatory supervisor.

  10. Pillar II Supervisory review of capital adequacy Capital adequacy is something we are all familiar with but in the broker/dealer industry there is no specific requirement to calculate a capital component for OR. Experience shows that in the distant past regulators looked to a multiple of regular required capital to cover undisclosed risk as an informal buffer. The buffer served as a discussion point with the regulator.

  11. Pillar III Market Discipline Public disclosure is limited for the broker/dealer industry as there is no specific requirement for adoption of an Operational Risk program, its capital or its disclosure requirements. There are, however, requirements under Generally Accepted Accounting Principles that material, expected losses be disclosed.

  12. The implementation process

  13. Implementation Case Study Implementation began in August 2001 at the US subsidiary of a fully licensed “universal bank” in France where implementation was a (regulatory) requirement. Ixis was an investment bank with two US registered B/D subsidiaries. The bank’s headcount was about 350, with a balance sheet of approximately $45 billion in assets and revenue of $340 million. By the end of implementation, organic growth had increased headcount to 500, assets totaled $60 billion and revenue exceeded $500 million.

  14. Management Buy In – The Key to Any Successful Implementation Ixis’ management was very decentralized in that departmental management had significant authority within functional domains and budgetary constraints. • There was a management committee of up to 7 members. • There were 17 departmental cost centers. • These two groups were the focus of attention to sell the program and establish strategic and operational mandates.

  15. Background and Preparation The OR compliance manager provided a briefing on the requirements and sample self-assessment questionnaires. • An intensive study of the BIS information on the subject from their website provided additional context for the self-assessment and OR measurement requirements. • Contacts were made with departments who were working together to perform the self assessment at the bank’s capital markets sister company in Paris. • In consultation with the CEO, the OR team put together a plan for local implementation along with a budget for the next year.

  16. Implementation of OR Program Armed with Head Office’s compliance requirement and the CEO’s buy-in, a 7 to 8 member working group was established to build the Self Assessment of OR questionnaire. The department heads in this group were selected based on a number of factors: • Department HC and budget; • Functional risks within departmental domains; and • Departmental manager’s relative influence or expected importance for the OR program’s success.

  17. Factors Considered for Committee Members These factors relate to the OR definition “the risk of losses arising from inadequate or failed internal processes, people, systems, or external events” such as the department headcount and budget and the risks associated with the department’s responsibilities. Another consideration was the departmental manager’s relative influence or expected importance for the OR program’s success.

  18. Selling OR to Management The following rationale helped convince working group or committee members of the value of the OR program and their active participation: • A better idea that we direct the program rather than have HO define local implementation; • Better to establish a local process for management of capital requirements than accept a HO push-down; • An opportunity to perform a company-wide self-assessment; • Individual departments get a 2 for 1 – as risks are defined and acted upon, audit findings diminish, with the OR budget footing the bill. Departments don’t get penalized for weaknesses related to the risks identified.

  19. Self Assessment of Operational Risk The working group began the development of a baseline self-assessment questionnaire. The questions were categorized according to the BIS table “Detailed Loss Event Type Classification.” A key objective for the self-assessment was that it follow the BIS classification and that the end product questionnaire would quantify loss risk and produce a “heat map” by business lines. Business lines were based on departments which aligned with the business types of BIS on page 8 of the presentation.

  20. Loss Event Types BIS classifies loss events in the following Level I Categories: • Internal Fraud • External Fraud • Employment Practices and Workplace Safety • Clients, Products & Business Practices • Damage to Physical Assets • Business Disruption and System Failures • Execution, Delivery & Process Management These events are defined and broken down further into Levels 2 & 3 having greater detail at each succeeding level.

  21. The Questionnaire and the Heat Map • The working group defined risks along the guidelines established from the BIS guidance including the Loss Event Type Categories. Additionally we established the definitions of the control processes. • The result was put into MS Excel as questions with boxes that indicated control over the specific event derived from the question and quantification of losses under normal operations and those of very severe events. • In the background a worksheet quantified both the control and loss severity as two points on a scatter chart which was the heat map. • The heat map was divided into 4 quadrants: low loss and good control, high loss and good control, low loss and low control and high loss and low control.

  22. Answer Scoring By employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type. [Chart labels: External Catastrophe; External Service Provider Failure; Regulatory Impact of Risk; Compliance with Policies, Procedures, and Practices; External Fraud; Customer Risk Management; Key Control Effectiveness; Ability to Control Risk]

  23. Results of the Questionnaire • Action plans were put in place in cases where the expected loss was high and control was low – thus fulfilling the 2 for 1 commitment on areas of weakness (no audit finding). • Key indicator reports were created to address the most frequent smaller losses and the high losses. The indicators were specific to each department and agreed as to report frequency. Indicators included things like fails, aged open items and audit recommendations that had not been addressed. • Each department assigned indicator and event monitoring and reporting staff. Typically this was the department head’s deputy. • Loss events were entered into a HO system by the departmental staff responsible for monitoring and reporting of Key Indicators.

  24. ORM Management and Organization

  25. ORM Roles & Responsibilities • The Board of Directors – Head of OR reported to the Audit Committee of the BOD twice annually. • Management – Head of OR at Managing Director level. • Risk Managers – each department assigned OR monitoring and reporting to a senior staff member - typically a VP or a Director. This liaison staff was supported by a second staff member to provide back-up for absences etc.

  26. ORM Roles & Responsibilities - Continued Dedicated Staff – From 2001 to 2006 there was no authorized headcount, rather the department was staffed using temporary staff for major projects and cost allocations from each department for Risk Managers and support staff – typically 5 to 15% of a fully charged staff, while no charges were allocated to small departments. 25% of OR Head’s departmental cost (including admin staff) was allocated to the project, and system administration support was provided by a junior officer in the audit team. Key indicator chase and follow-up was performed by either the OR Head or admin support. Significant loss events were often followed up by audit staff as audit issues and thus not charged to OR.

  27. The Obligatory COSO Slide The eight components of the ERM framework apply equally to OR…

  28. ORM Recap • Operational Risk is a component of Enterprise Risk Management. • Basel II with its rich European taste provides excellent guidance for a comprehensive Operational Risk program. • A good program can be put in place for an organization of 250 – 1,000 headcount using a combination of in place and temporary resources.

  29. ORM Recap • Gentle and persistent persuasion is required to bring a program like ORM from seed to fruit. • Selection of committee, work group or internal partners for a program such as ORM is critical, as is carrying through on campaign promises. The corollary is don’t do a George Bush I “read my lips no new taxes.”
