Risk Capacity
level risk firm’s resources can tolerate / ability withstand worst case outcome of risk taking
Risk Appetite
expression of risk boundaries / desired level risk taking
Risk Appetite -
- eg of quantification
- escalation,
- link to loss expectation
eg. no appetite indiv losses above $x within 12mo.
Losses above $y reported to risk committee
Loss expectation is effectively its appetite -sb included in budget. Most fin institutions expect loss of 2% revenue annually to OpRisk
Risk Appetite zero eg
If appetite says zero appetite phone outages and had 30min outage lost $5k, and backup sys costs $60K, willing to invest?
Risk Culture
policing of risk appetite / incentives
Threshold for investigation
What op risk threshold triggers investigation (what mean, AUO?)
$10k? EB okay with this? Give them analysis
Requirements in Policy
-start with what are obligations? What do on top of that?
Communication tip
Policy approved -email to all staff -1 thing want you to remember we’ve changed threshold op risk events from 8K to 10K
Mtgs op risk
not say monthly discuss all incidents over 10K. What is obligation -put in policy and ensure it done e.g meet quarterly incidents >50K or 100K
Exceptions approved?
Yes no
Stress tests
must perform monthly, qtly, yrly
Process flows every area -ask 3 qs:
- Controls effective? 2. Proper reporting? 3. Risk part everything do
Incident reporting
if 29 events in year, 14 full op losses, ensure reports for each
3 lines alternatives:
- Initial control, 2. Challenge, 3. Assurance
Diagram op loss by category -% of total loss
- damage physical assets
- business disruption, sys fail
- internal fraud
- empl practices-workplace safety
- clients, products and bus practices
- external fraud
- exec delivery process mgmt
Risk assessment lifecycle
1.Define Risk assessment units (e.g. settlements, finance etc);
Determining risk
- function approach (easier owner, not easy end-to-end) e.g. asset mgmt -private banking, mortgage etc
- process approach (easier end-to-end, easier hand-off points -biggest risk, difficult one owner) e.g. onboarding -KYC, account setup etc
- blended e.g. asset management -client onboarding
Risk assessment
1.heatmap:
Risks name (lending, fees, external fraud, legal violations, employee discrimination, privacy, systems failure, sustainability)
Inherent risk of each of above (H, M, L)
Linked control (regulatory rules matrix, privacy procedures, regular salary demographic analysis etc)
Linked process (client onboarding, credit underwriting, account setup, transaction monitoring, regulatory reviews, salary audits, securities trading)
Notes (recent audit findings, no recent findings, non-critical audit findings, parallel servers not up-to-date
2.top down workshops
- mgmt determines inherent risk
- sr mgmt priorities, hand-offs, people set impact and ranking). Top down e.g. scenarios (may not found with walk-through
Helps us get our emerging risks -if talk about competitor in scenarios what happened to them, might new risk worry about
Initial risk qs:
- top risks ranked (e.g. AML, data protection, IT related) -which processes carry highest risk e.g.
- state of controls to deal w the risks?
- control gaps?
- who own action plans to address gaps?
- what learnt to apply to next risk assessment cycle?
(Buy-in, getting people to admit to issues, needs high level support
Short email saying in prep i want consider scenarios affect your part org. “What if” lost power both offices as same time? How would losing one sites affect us? Gets people talking how deal scenarios. Ask list of internal events happened, losses in last 2yrs -if nothing, then ask, I see lot IT issues -is this power, people?
On KYC -ask how get documentation? Do customers come to branch?
Ask q -can this happen here)
Scenarios
- construct from peer loss events (Get GEMS data)
- history of breaches internally e.g. jeopardize customer info, rogue trader etc.
- new scenarios where potential IC fail/repu risk occur
- link new scenarios to pre-workshop materials
- Eg 1 pager
Facilitator
- ask about Audit findings on risk X,Y,Z -does this risk concern you and how? (Read AUO reports) risks identified in audit findings?
- look at risk taxonomy, x risks not discussed -what are exposures?
- what processes carry highest risk?
- hand-offs -what you do with it once received? Higher risk on handoff, hand-ins
Nice documentation of eg on disaster recovery -key risks, controls, external, internal losses, KRIs, quick color coding on top
3.identify controls
-Bottom up e.g. process mapping (seen by people working with related processes)
Material risks from top down approach drive process part of risk assess
4.process reviews
- Walkthroughs, process maps, find control gaps -s document owner, team members, compliance persons, where obligations
- where control breaks, when process crosses boundary, swim lane
- talk about how loan put together -yellow stickies and find things not aware of
- look for segregation issues, reporting loss events, poor audit
- look for increase volumes 300% uptick, means more errors
- helps develop KRIs
5.control substantiation/assess
-determines control effectiveness
-bottom up view of effectiveness of control environment
-controls mapped via above
-linked to material top down -sb assessed first
-start with 1.design of control effective/well designed (design)
-then 2.how effective control is executed/quality control (performance)
-both above look at control effectiveness (design) and performance (execution) -best way walkthrough
-best to have effective control easy to do and automated than manual one
E.g. report from system that shows what’s executed in day v tick boxes
-control 1/week if an account is reactivated, what happens after?
-need rating scale for both above
E.g. control on monthly a/c recons -done but manual and ad-hoc. We come back in a month to walkthrough to test design effective and executed effectively.
-Test executed effectively (performance), following q:
1.control occur right frequency?
2.control occur right point in the process?E.g. ahead of or concurrent with
3.Executor have proper knowledge/expertise?
4.Attributes of control e.g. detective (impl concurrent or post-execution) or preventative, key (primary to mitigate the risk) or non-key (supplement key, not mitigate risk on their own)/manual/auto, impact impl?
-Hierarchy evaluating control effectiveness: ROEI (1.Reperformance, 2.Observation, 3.Examination, 4.Inquiry -for lower risk areas)
- Control Testing/sustantiation programme qs:
1. independence -control validation snot performed person resp executing control or in person’s chain of command - E.g. payments, maybe lots of non-key controls and key control is only 1 person has authority to make payment.
- not pass fail, but is it well designed, quality executed?
- sample size? Too large costly esp. re-performance -balance population, frequency, severity of risk
6.identify issues
things:
- issue of ineffective controls/gaps identified and articulated
- linked to corporate taxonomy for tracking
- root cause analysis
7.design action plans
- action plan owned/executed by business but validated by Controllership to address root cause
- 14 actions from assessment, 12 completed, 2 not done 3mo overdue - progress on impl of action plan monitored corporate sys, reported to Governance committees
- closure of action plan formal tollgate process ensure it addressed issue
- if execution req time, compensating controls interim
- newly impl control tested at least 1 time in 12mo after execution ensure working
8.oversight and monitoring
.
9.management validation
- Residual Risk calculated before this step and over-ridden if nec based on knowledge and appetite (in some areas like AML, any level risk managed)
- mgmt team together -these are risks found, these controls improving, new level of residual risk
