The Role of Operational Risk in ERM Framework
Dr. Abdulaziz Al-Terki
Head of Operational Risk
Burgan Bank – 3

Content
- Risk Management Overview
- Enterprise Risk Management (ERM)
- ERM Standard Framework
- Operational Risk Management (ORM)
- ORM Framework
- Risk Governance vs. Management
- Operational Risk Register
- ORM – The Way

Definitions
What is risk management?
Risk management is a process of thinking systematically about all possible risks, problems or disasters before they happen and setting up procedures that will avoid the risk, or minimize its impact, or cope with its impact. It is basically setting up a process where you can identify the risk and set up a strategy to control or deal with it.
What is Operational Risk?
Basel II: Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal risk, but excludes strategic and reputation

Importance of Risk Management
Effective Risk Management is very important for banks as a result of various factors:
1. Changing Environment
2. Regulatory & Legal Requirements
- Technology
- Globalization
- Governance
- Expensive insurance cost
- Stakeholders' changing attitudes
- Fraud
Risk Measurement: It is the ability to monitor through qualitative & quantitative models the patterns & behaviors of different risk

Why do we need Risk Management?
The only alternative to risk management is crisis management --- and crisis management is much more expensive, time consuming and embarrassing.
JAMES LAM, Enterprise Risk Management, Wiley Finance 2003
Without good risk management practices, government cannot manage its resources effectively. Risk management means more than preparing for the worst; it also means taking advantage of opportunities to improve services or lower costs.
Sheila Fraser, Auditor General of

Enterprise Risk Management
What is Enterprise risk management (ERM)?
Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities of an organization in order to minimize the effects of risk on an organization's capital and earnings.
By identifying and proactively addressing risks and opportunities, we can protect and create value for our stakeholders. ERM supports value creation by enabling management to:
  o Deal effectively with potential future events that create uncertainty.
  o Respond in a manner that reduces the likelihood of downside outcomes and increases the

The Risk Management Association (RMA) ERM Definition
“the management capability to manage all business risks in pursuit of acceptable returns.”

According to RMA:
- Enterprise Risk Management, essential for any financial institution, encompasses all relevant risks.
- An ERM framework supports management competency to manage risks well, comprehensively, and with an understanding of the interrelationship/correlation among various risks.
- The successful institution incorporates a robust ERM capability as part of its culture by integrating what already exists to create a comprehensive and integrated view of the institution’s risk profile in the context of its business

COSO defines ERM as:
“a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risks to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.”
Source: COSO Enterprise Risk Management – Integrated Framework. 2004. The Committee of Sponsoring Organizations of the Treadway Commission (COSO)

COSO ERM Integrated

COSO ERM Integrated Framework
- Defines essential enterprise risk management components
- Discusses key ERM principles and concepts
- Unifies ERM language across the organization
- Provides clear direction and guidance for enterprise risk

Enterprise Risk Management — Integrated Framework
Enterprise risk management expands the process to include not just risks associated with accidental losses, but also:
- Strategic: These concern the long-term strategic objectives of the organization. They can be affected by such areas as capital availability, sovereign and political risks, legal and regulatory changes, reputation and changes in the physical environment.
- Operations: The risk incurred by an organization’s internal activities, and the sorts of risk that come under it, e.g.:
  o IT Risk
  o Business Risk
- Financial: These concern the effective management and control of the finances of the organization and the effects of external factors such as availability of credit, foreign exchange rates, interest rate movement and other market exposures.
- Compliance: These concern such issues as health & safety, environmental, job descriptions, consumer protection, data protection, employment practices and regulatory

Operational Risk Management Framework (ORMF)
Key Elements of an Effective Operational Risk Framework
- Governance Structure
- Operational Risk Identification & Assessment methodology/process
- Operational Risk Measurement methodology
- Policies, procedures and processes for mitigating and controlling Operational Risks
- Process for the timely capture, analysis/monitoring and reporting of Operational Risks to key decision points within the

ORM Framework
Source: briefs/

ORM Governance Framework Structure
Source:

Risk Governance vs. Management
- The difference between Governance and Management
  o Type of Processes and activities
  o Roles and structures involved
- Governance Aspects
  o Risk Appetite and Tolerance
  o Responsibilities and Accountability for Risk Management
  o Awareness and Communication
  o Risk

Who Manages Risk?
Different levels within an organization need different information from the risk management process.
- Board of Directors
  o Provides oversight
- Risk Management Committee
  o Approve risk management policies
  o Evaluate management of risks
  o “Big Picture” analysis of risk trends
- Risk Management
  o Assists in setting policies and standards that reflect the risk appetite of the organization
- Senior Management
  o Manages and monitors risk
- Audit and Compliance
  o Audit – Provides independent assurance
  o Compliance – Provides independent review
- Business Units
  o Responsible for owning and managing their business risks
  o Set and implement policy consistent with

Type Of

Basel II Type of Risk
Basel II was intended to create an international standard for banking regulators to control how much capital banks need to put aside to guard against the types of financial and operational risks banks face.
Basel II lists three types of risk:
- Credit risk
- Market risk
- Operational risk
What about liquidity risk?
- Market liquidity is the risk that a security cannot be sold at all or quickly enough to prevent a loss. Market liquidity risk is a type of market risk. It is addressed in Basel III.
- Funding liquidity risk is the risk that liabilities cannot be met when due. Funding liquidity risk is an operational

Type of Operational Risk
- System Failure
- IT Security Breaches
- Human Error
- Regulatory Breaches
- Failure of Service Provider
- Server Storms
- Project Failure
The above risks are a sample of operational risks, which result in:
- Direct Loss (e.g. expense, distraction)
- Indirect Loss (e.g. reputation, opportunity)

Operational Risk Register
There are five steps to identify and qualify a risk into the Risk Register (RR):
- Identifying the risks that affect strategic and operational objectives
- Determining the actual owner of the risk
- Determining and assessing the existing controls in place
- Assessing the impact and likelihood of the risk after taking into account the existing controls to derive the net risk
- Determining further control improvements to mitigate the risk and indicate what their impact on net risk will be when they are fully

Operational Risk Management Role in ERM
Identification of Risk:
A systematic approach needs to be applied if all operational risks are to be identified and managed. By identifying areas of risk before an event or loss occurs, steps can be taken to prevent the event occurring and/or minimising the cost to the authority. Reacting to events only after they have occurred can be a costly method of risk identification.
Analysis of risk:
Having identified areas of potential risk, they need to be systematically and accurately assessed. The process requires managers to make:
  o An assessment of the probability of a risk event occurring
  o An assessment of the potential severity of the consequences should such an event occur
  o An estimate of the likely cost of future

Operational Risk Management Role in ERM
Once risks have been identified and assessed, all techniques to manage the risk fall into one or more of these four major categories:
- Avoidance (eliminate)
- Reduction (mitigate)
- Transfer (outsource or insure)
- Retention (accept and budget)

Operational Risk Management Role in ERM
Control of risk:
Risk cannot be eliminated completely. Risk control is the process of taking action to minimize the likelihood of the risk event occurring and/or reducing the severity of the consequences should it occur. There are three options for controlling risk:
  o Accept: monitor
  o Avoid: eliminate (get out of situation)
  o Reduce: institute controls
  o Share: partner with someone (e.g. insurance, outsourcing)
Monitoring and review of risk:
The risk management process does not end when the risk control actions have been identified. Continuous monitoring and review should be applied on the following:
  o The implementation of the agreed control action
  o The effectiveness of the action in controlling the risk
  o How the risk has changed over

[Figure: Risk Analysis. Labels: Risk Identification, Measurement, Prioritization; Control It, Share or Transfer It, Diversify or Avoid It; Process Level, Activity Level, Entity]

Risk Assessment Methodology
For each and every risk category, a list of generic risks has been elaborated (risk register). Risk scenarios are identified using the risk register and assessed in terms of impact and likelihood considering a specific (worst-case) scenario with respect to critical activities / services / processes and their resources. Evaluation takes account of existing risk mitigation (prevention / protection) measures.
Risk Control Self Assessment (RCSA) can be conducted in five steps:
Step 1: Get the buy-in from the Board and Upper Management to ensure their continuous support
Step 2: Create a comprehensive Risk Assessment plan in coordination with the Business owners
Step 3: Decide on an effective method to be used for conducting the RCSA
Step 4: Register all information into the risk management tool
Step 5: Monitor, report and incorporate the whole process into the yearly

Risk Assessment Methodology
Sample of Risk Matrix: LIKELIHOOD, IMPACT, RISK LEVEL
Suggested Impact Matrix:
- Financial Impact
- Operational (IT & Business) (Impact on other activities / services / processes)
- Quality of Service / Customer Satisfaction Impact
- Reputational Impact
- Legal / Compliance / Regulatory

Operational Risk Register - Sample
Risk categories:
- Asset Risks
- Human Resource Risks
- Environmental Risks
- Natural Hazards Risks
- IT Security Risks
Examples listed on the slide:
- Severe Storm
- Insufficient expertise
- Building Collapse / construction defects
- Civil commotion, war, terrorism
- Virus /

Risk Register - Sample
Risk Description: Breach of IT security
Risk Category: Operational
Risk Severity: 4 x 3 = 12
Residual Risk: 2
Residual Risk Severity: 4 x 2 = 8
Risk Mitigation:
- Documented IT security policies
- Staff training / awareness sessions
- Internal / External Audit Reports
- Risk Assessment
- Logical Access Control

Risk Appetite & Tolerance
Risk appetite is the amount of risk an entity is prepared to accept when trying to achieve its objectives. Two factors are important:
  o The enterprise's objective capacity to absorb loss, e.g., financial loss, reputation damage
  o The (management) culture or predisposition towards risk taking – cautious or aggressive. What is the amount of loss the enterprise wants to accept to pursue a return?
Risk tolerance is the tolerable deviation from the level set by the risk appetite definition, e.g. standards require projects to be completed within budget and time, but overruns of 10% of budget or 20% of time are tolerated.
Risk appetite and tolerance change over time. New technology, new organizational structure, new market conditions, new strategy and many other factors require the enterprise to reassess its risk portfolio at regular intervals and reconfirm the risk appetite at regular

Risk Appetite & Tolerance - Cont.
The cost of mitigation options: the cost/business impact of risk mitigation options may exceed an enterprise’s capabilities / resources, thus forcing higher tolerance for one or more risk conditions.
  o E.g. if a regulation says that ‘sensitive data at rest must be encrypted’, yet there is no feasible encryption solution or the cost of implementing a solution would have a large negative impact, the enterprise may choose to accept the risk associated with regulatory noncompliance, which is a risk

Risk Culture
Risk Culture – Potential Issues:
- Misalignment between ‘real’ culture and policies
  o Resulting in potential non-compliance and/or undue risk
- Blaming culture versus Learning

Risk Culture
Risk Management Reference Guide
Can be used across the enterprise to disseminate Risk Management culture and to asset the ERM
1- State Objectives
2- Identify Risk and Controls
3- Assess Risk and Control
4- Plan and Take Action
5- Monitor and Report
See the following



Operational Risk Management (The way forward)
Key Elements of an Effective Operational Risk within ERM Framework
- ORM Governance Structure needs to be developed using best practices and quality standards
- Effective Operational Risk Identification & Assessment methodology, process and techniques
- Effective Operational Risk Measurement methodology (qualitative & quantitative) and maturity
- Unification of policies, procedures and processes for mitigating and controlling Operational Risks
- Effective monitoring and reporting of Operational Risks to the decision makers and stakeholders
- Adopting effective and simplified risk assessment techniques that fit your organizational needs
- Connecting strategic objectives with risks to continue focusing on critical activities
- Effective and comprehensive Enterprise Risk Appetite will tie up all organizational risks together
- Develop and communicate ERM Reference Guide to disseminate the RM

In Summary
- Risk Management Overview
- Enterprise Risk Management (ERM)
- ERM Standard Framework
- Operational Risk Management (ORM)
- ORM Framework
- Risk Governance vs. Management
- Operational Risk Register
- ORM – The Way


