160 likes | 756 Views
Operational Risk Questionnaire. A Framework for Operational Risk Management . Background on Operational Risk. New Basel capital requirements are based upon market, credit, and operational risk. The New Basel Capital Accord defines operational risk as:
E N D
Operational Risk Questionnaire A Framework for Operational Risk Management
Background on Operational Risk • New Basel capital requirements are based upon market, credit, and operational risk. • The New Basel Capital Accord defines operational risk as: • “The risk loss resulting from inadequate or failed processes, people and systems or from external events” • Market and credit risk both have well-understood market conventions, and are readily quantifiable. Operational risk management is at an earlier stage, and no market consensus on measurement and approach has yet formed. • Best practices and industry trends are moving toward more active means of defining, measuring, monitoring, and mitigating operational risks.
BSB Questionnaire FrameworkBSB proposes the following risk categories to establish what risks exist, and how management is or could be controlling risk: • External Catastrophe • Service Provider Failure • Regulatory • Fraud, Theft, and Vandalism • Compliance with Policies, Procedures and Practices • Customer Relationships • Key Control Effectiveness • Compliance with Commercial Contracts • People Management • Information Risk • IT Security
BSB Approach – Risk IdentificationEach risk category is intended to elicit risk information from a specific perspective • External Catastrophe - The risk that an external event would disrupt the ability of staff to access office locations or perform normally required tasks. These are risks that you can plan against but cannot prevent. • Service Provider Failure - The risk that a service providers failure to deliver expected services would hinder or prevent normal business activity. The risks in this category are those where there is excessive reliance upon an external or internal service provider or outsourced function, or where contingency plans do not exist or are inadequate. The principal risk in this category is that you will be unable to continue business, or will suffer significant deficiencies, due to failures or inadequacies in service provider delivery or outsourced functions. • Regulatory - The risk that your activities will fail to comply with regulatory requirements and restrictions. The risks in this category are those where regulatory non-compliance results in regulator response, up to and including a cease-and-desist order. • Fraud, Theft, and Vandalism - The risk to you of an internal or external party committing fraud, theft, or vandalism, damaging BSB or its clients monetarily or in image. • Compliance with Policies, Procedures, and Practices - The risk that you will fail to comply with internal policies, procedures, and practices, as well as industry best practices and ethical business practices. To not be in compliance with these practices would be to suggest that you are not managing its business and risks according to market standards. • Customer Relationships - The risk that you will fail in the management of customer relationships and in delivery of services to customers, causing monetary and reputational damages. The risks in this category are those that affect your market share, reputation, and profitability.
BSB Approach – Risk Identification • Key Control Effectiveness - The risk that operational control points will fail to function as intended, putting you at risk of significant monetary losses, regulatory action, and reputational damage. The risks of ineffective controls are widespread, and affect many areas with a wide range of monetary, reputational, and regulatory implications. The risk that you will have poorly structured behavioral and physical limits, or that those limits might be unenforced or circumvented. The risk in this category is also of control and efficiency, which would affect risk and control. • Compliance with Commercial Contracts - The risk that you will fail to comply with, or implement properly, commercial contracts, with potential monetary damage, legal exposure, and reputational damage. The risks in this category are those which affect the legal relationships between you and clients / counterparties. Incidents of this type could affect relationships, cause legal action, and adversely impact future ability to do business with the client / counterparty. • People Management - The risk that you will fail to attract, manage, develop, and retain employees with the appropriate skills. The risk in this category is that you will, over the long-term, fail to stay competitive and fail to have employees with the skills and training to engage in business in a prudent, well-controlled fashion. The risk that you will fail to organize its business in an appropriate way, resulting in an inefficient and operationally risky business structure. The risk in this category is largely of control and efficiency, which would affect long-term business risk, profitability, and competitiveness. The risk that you will choose inefficient or inappropriate measures of staff or business performance. • Information Risk - The risk that you might manage your business or generate reporting based upon incomplete, inaccurate or inappropriate information. The risk that you might manage its business or generate reporting based upon incomplete, inaccurate or inappropriate information. The risk that you might manage its business or generate reporting based upon incomplete, inaccurate or inappropriate information, as well as the risk that BSB will not be able to access archived information. • Infrastructure Security (IT View) - The risk that your IT security structure will fail to perform as intended, allowing unauthorized access and data damage or loss.
BSB Risk Categories The original 23 risk categories have been merged into 11, eliminating 12 descriptive answers and approximately 10 more repetitive lines of questioning.
BSB Risk ClassificationFor each risk category, the questionnaire will have one or several scenarios or risks. For each of these scenarios or risks, the following questions need to be answered: • Risk Severity • What would be the impact on P/L? • What would be the effect on customers and on your image? • What is the frequency of this type of event or loss? • What would be a typical loss from an incident of this type? • Management’s Ability to Control • How aware and involved is management in managing this risk? (Responsibilities defined, resources allocated, etc.) • What is your assessment of the effectiveness and efficiency of the internal control system? • Which of the following exist to address this type of operational risk? • Policies, procedures, formal organization, formal limits, risk control system, monitoring system, regular or periodic reporting, management review • Is data regarding this type of event or loss known, reported, and stored?
Questionnaire FormatThe questionnaire is in the form of a question matrix, with risk scenarios and questions listed vertically, and with 8 general questions for each listed horizontally General Questions Risk Scenarios Answer Area
The questionnaire consists of approximately 100 risk scenarios, with 8 general questions to answer for each Questionnaire Function 7 of the 8 questions are multiple choice, and have drop-down selection boxes to simplify the process for the user 1 of the questions asks about the existence of certain risk management tools. In the answer space for this question are checkboxes, with a check signifying yes and an empty checkbox signifying no. • Each of the 23 risk categories has one answer space for a text description of the risk situation, particularly significant risks or scenarios, and additional comments.
Questionnaire Output • BSB has taken the approach that operational risk is best viewed in the context of a four-sectored grid. • Highlighting high impact risks with a high degree of controllability gives BSB a starting point to reduce risk. High Impact / High Ability High Impact / Low Ability Impact of Risk Low Impact / High Ability Low Impact / Low Ability Ability to Control Risk
Answer Scoring • External Catastrophe • By employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type. • External Service Provider Failure • Regulatory • Compliance with Policies, Procedures, and Practices Impact of Risk • External Fraud • Customer Risk Management • Key Control Effectiveness Ability to Control Risk
Contact Us David E. Fisher 203.434.7545 davidefisher@broadstbanking.com Maurice A. Krisel 203.331.5644 mauriceakrisel@broadstbanking.com