operational risk n.
Skip this Video
Loading SlideShow in 5 Seconds..
Operational Risk PowerPoint Presentation
Download Presentation
Operational Risk

Operational Risk

587 Vues Download Presentation
Télécharger la présentation

Operational Risk

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Operational Risk 6th ACSDA International Seminar Punta del Este, Uruguay - October 27-28, 2005 Mary Ann Callahan, DTCC

  2. Agenda • Defining Operational Risk • Demystifying Operational Risk Management from Basel II • Key measures and elements of an Operational Risk Management framework • DTCC’s experiences in developing and implementing an Operational Risk Management Program

  3. Traditional view of Op Risk Generally managed in a less explicit way: • Ambiguous responsibility and accountability for identification, monitoring and management • Weak issue-monitoring and escalation processes • Lack of statistically significant loss data • No common perspective, language and culture throughout or across organizations • Weak linkage of risk management framework with measurement of people and business performance

  4. Operational Risk as defined by the Basel Accord (2003) “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” -- Basel Committee on Banking Supervision … and especially for CSDs, don’t forget about reputational harm

  5. The Basel II Accord • Effective 2006, some banks will be required to set aside capital specifically for Operational Risk. • US implementation for largest banks now set for three-year transition beginning in 2007. • The accord requires the affected largest banks to adopt both qualitative and quantitative framework elements for Risk Management.

  6. Some Operational Risks at a CSD Customer Confidentiality Failure Governance Issues Fraud Computer Hacking Settlement Fails Incomplete Due Diligence Terrorist Threats Missing Certificates Corporate Actions Losses Data Entry Errors

  7. Operational Risk Categories Customer Service & Interaction Risk Liquidity Risk Legal & Regulatory Risk Financial Controls & Reporting Risk Execution, Delivery & Process Management Risk People & Culture Risk Key Person Risk Brand Image Risk Employment Practice Risk Technology Risk Infrastructure Risk Security Risk Hardware Risk Business Continuity Risk Business Resumption Risk External Fraud Risk Physical Asset Risk Utility Risk External Risk

  8. Mapping the Operational Risk Landscape: DTCC Example

  9. What Operational Risk is Not: • Credit Risk • Market Risk • Strategic Risk Operational Risk is NOT LIMITED to the processing-type of risks generally associated with a back-office operation.

  10. Why Focus onOperational Risk Management? • Largest losses in the financial services industry are attributed to Operational Risk • Good business sense • The new world post-September 11, 2001, and resulting regulatory requirements • Potentially lower capital charges for CSD and its members

  11. Examples of Op Risk Failures Arthur Andersen Sumitomo Bank Enron Tyco Allied Irish Bank Parmalat Barings August 2003 Blackout REFCO Hurricane Katrina!

  12. Basel II Focus – Three Pillars • Minimum capital requirements • Supervisory review of capital adequacy • Market discipline through effective disclosure

  13. Basel II 3 PillarConcept Pillar 1 Minimum Capital Charge Pillar 2 Supervisory Review Pillar 3 Market Discipline • Establish risk sensitive minimum capital requirements • Rules for calculating credit and operational risk capital • Menu of options from simple to advanced • Encourages development of better risk management techniques • Assesses ability to measure economic capital • Allows for capital add-ons by supervisors • Reinforces capital regulation/supervisory efforts • Greater transparency/ disclosure trade-off for use of internal measurement approaches

  14. Further Basel Guidance onSound Practices • Board of Directors approve framework and understand major risks • Consistent transparency and reporting of risk and control • Operational Risk framework that is well understood and consistently implemented throughout the institution • Ongoing risk identification and assessment for all material products, activities, processes and systems • Risk monitoring and reporting • Policies, processes and procedures to document effective mitigation of risks • Regular internal audit coverage of operational risk framework • An organization’s use of third parties does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.

  15. Goals and Objectives • Consistent approach • Timely, accurate, meaningful reporting • More robust analysis • Risk-focused data • Better enables decision making and effective oversight role by Senior Management • Business ownership for risk information embedded throughout management • Measure actual risk level against risk appetite • Gain benchmarking perspective • Less resource intensive • Leveraging technology • Determine capital requirements (possible change) and allocate capital

  16. Operational RiskManagementComponents • Identify & Assess Risk • Monitor Risk • Manage Risk • Measure Risk • Disclose Risk

  17. Program Components • Risk and Control Self-Assessment • Key Risk Indicators • Enterprise-wide reporting • Leveraging off existing risk event information

  18. An Op Risk Management Framework Operational Risk Governance Vision, Guiding Principles, Risk Strategy, Risk Appetite, Organization Structure, Risk Glossary Risk Monitoring Risk Identification & Assessment Risk Measurement Strategy • Common Organizational Hierarchy • Common Risk Definitions • Common Control Themes • Key Process Focus • Validating Components Loss Data Risk and Control Self Assessments (RCSA) Key Indicators (KIs) Business Initiatives Risk Reporting

  19. DTCC’s Operational Risk Management Initiative

  20. DTCC Operational Risk Objectives • Establish a common risk language across the organization • Define the organization’s risk tolerance • Foster a climate where risks are identified and openly discussed by all departments and employees • Inform senior management and Board about Operational Risk across the enterprise • Reinforce transparency and comply with regulatory expectations

  21. 21

  22. Program Components • Risk and Control Self-Assessment • Key Risk Indicators • Enterprise-wide reporting • Leveraging off existing risk event information

  23. An Operational Risk Framework FOUNDATION Stage 1: QUALITATIVE ASSESSMENT Stage 2: RISK MONITORING Stage 3: QUANTITATIVE VALIDATION Identification, Prioritization and Assessment of Operational Risk Monitoring of Risk and Process Indicators to Track Operational Risk Level, Modify Risk Profile and Improve Business Processes Identification and Measurement of Operational Risk Events, including Near Misses Risk Measurement Risk Monitoring Risk Monitoring Risk Mitigation Risk Mitigation Risk Mitigation Risk Assessment Risk Assessment Risk Assessment Risk Identification Risk Identification Risk Identification

  24. Status of Effort to Date • Governance Structure in place • Corporate Policy and other documents issued • Risk & Control Self-Assessment (RCSA) process piloted, improved, formalized and completed for all identified DTC “high risk areas • Six month RCSA process initiated • Key Risk Indicator process piloted • Third Party software selected

  25. GovernanceStructure • Board of Directors • Membership & Risk Management Committees • Audit Committee • Operations and Planning Committee • DTCC Management Committee • DTCC Internal Risk Management Committee • Operational Risk Working Group

  26. Our RCSA Process • Planning Stage • Conduct RCSA • Review & Validate RCSA (Team) • Rate Inherent Risks • Prepare Presentation for Dept. Management • Management Sign Off

  27. RCSA Planning Stage • Research & Gather Information • Conduct a Planning Meeting with Dept. Management • Identify Assessment Team(s) • Introduce the RCSA Concept • Schedule Facilitated Sessions

  28. Conduct RCSA • Conduct facilitated sessions • Populate RCSA Template • Identify and Describe Risk Mitigants • Rate Mitigant Importance and Effectiveness • Provide Additional Comments or Define Issue • Rate Issue Severity • Accept Risk or Formulate Action Plan Target Date

  29. RCSA Review & Validation • Team reviews the template that has been completed over the course of the facilitated sessions to ensure accuracy • Team validates its risks, mitigants, action plans and accepted risks, prepares management presentation.

  30. Rate Inherent Risk • Absence of Mitigants • Two Components for Each Sub-Risk • Severity (Impact) • Frequency • Requires Consistency Across the Organization

  31. Very Low = Notify Manager/Director/ Less than $150,000 Very Low = could occur annually Low = Notify Vice President/ $150,000-$249,999 Low = could occur quarterly Medium = Notify Managing Director/$250,000- $499,999 Medium = could occur monthly High = Notify DTCC Management Committee Member/$500,000 - 1,000,000 High = could occur weekly Very High = Notify CEO or COO/ In excess of $1 million Very High = could occur daily Inherent Risk Rating Matrix Frequency Severity (Impact)

  32. Sub-risk Name Severity Frequency Rationale Key Person Risk Adequacy Risk Internal Theft & Fraud Risk Culture Risk Workplace Safety Risk Inherent Risk Rating Worksheet

  33. Continuous Improvement • Team feedback • Rewards and Recognition • Chairman’s Acknowledgement • Loop-back to Subject Matter Experts

  34. 2005 Objectives • Complete RCSAs for ALL DTCC High Risk Areas • Install, test and implement a system for self-assessments • Enhance Enterprise-wide Operational Risk Management Reporting

  35. 2005 Objectives – cont.d • Considering the purchase an external Loss Event database to augment internal causal analysis • Continue Regulatory Meetings • Roll-out Key Risk Indicator methodology