2. It is a very broad concept which focuses on the risks
arising from the people, systems and processes
through which a company operates.
It also includes other categories such as:
fraud risks
legal risks
physical or environmental risks
“The risk of loss resulting from inadequate or
failed internal processes, people and systems
or from external events.”
3. Operational Risk is NOT LIMITED to the processing-type
of risks generally associated with a back-office operation.
Strategic Risk
Market Risk
Credit Risk
4. OR exists almost everywhere in the organization.
OR varies in its components: some are high-occurrence,
low-value risks, while some are low-occurrence,
high-value risks.
OR in the organization changes continuously, especially
when the organization is undergoing changes.
5. Board: responsible for the high level policies
Top management: responsible for creating a structured
control environment and laying down procedures
Middle management: implement the Risk practices
conforming to the above.
Statutory Auditors: Ascertain if the Internal controls are
adequate enough to mitigate the risks.
7. People-oriented causes: Negligence, incompetence, insufficient
training, integrity, key man
Process-oriented (transaction-based) causes: Business volume
fluctuation, organizational complexity, product complexity,
and major changes.
Process-oriented (operational control-based) causes: Inadequate
segregation of duties, lack of management supervision,
inadequate procedures.
Technology-oriented causes: Poor technology and telecom, obsolete
application, lack of automation, information system complexity,
poor design, development and complexity.
External causes: Natural disasters, operational failures of a
third party, deteriorated social or political context.
9. Internal Fraud: Misappropriation Of Assets, Tax Evasion, Intentional
Mismarking Of Positions, Bribery
External Fraud: Theft Of Information, Hacking Damage, Third-party
Theft And Forgery
Employment Practices and Workplace Safety: Discrimination, Workers
Compensation, Employee Health And Safety
Clients, Products, & Business Practice: Market Manipulation, Antitrust,
Improper Trade, Product Defects, Fiduciary Breaches, Account Churning
Damage to Physical Assets: Natural Disasters, Terrorism, Vandalism
Business Disruption & Systems Failures: Utility Disruptions, Software
Failures, Hardware Failures
Execution, Delivery, & Process Management: Data entry errors,
accounting errors, failed mandatory reporting, negligent loss of
client assets
10. In commercial enterprises, operational risk management is
the supervision of different types of operational risk occurring
on a daily basis.
These risks include the risk of loss consequent to poor or
unsuccessful internal methods, machinery and human
resource, or extraneous happenings.
11. The Basel II document provides a guideline on ORM
practices by way of certain principles that should govern the
process. This is called ‘sound practices for the management of
operational risks’.
12. PRINCIPLE 1
The board of directors should be aware of the major aspects of
the bank’s OR as a distinct risk category that should be managed.
It should also approve and periodically review the bank’s ORM
framework.
PRINCIPLE 2
The board of directors should ensure that the ORM framework is
subject to effective and comprehensive internal audit by
operationally independent and competent staff.
13. • PRINCIPLE 3
Senior management should have responsibility for implementing
ORM framework approved by board of directors. They should
also have responsibility for developing policies, processes and
procedure for managing OR in all of the bank’s material
products, processes and systems
• PRINCIPLE 4
Banks should identify and assess OR inherent in all material
products, processes and systems
14. • PRINCIPLE 5
Banks should implement a process to regularly monitor OR
profiles and material exposures to losses.
• PRINCIPLE 6
Banks should periodically review their risk limitation and control
strategies and should adjust their OR profile accordingly using
appropriate strategies.
• PRINCIPLE 7
Banks should have in place contingency and business continuity
plans to ensure their ability to operate on an ongoing basis and
limit losses in the event of severe business disruption.
15. CONTIN…..
Operational risk management practices should be based on a
well laid out policy duly approved at the board level that
describes the processes involved in controlling operational
risks.
17.
Board of Directors
Risk Management Committee of the Board
Operational Risk Management Committee
Operational Risk Management Department
Operational Risk Managers
Support Group for operational risk management
18. ROLE AND RESPONSIBILITIES
Role of board
Role of operational risk management committee
Role of operational risk management department
Role of internal audit/business functions
19. It should approve bank’s ORM framework and review
it periodically.
It should provide a firm-wide definition of OR.
It should lay down the principles of how OR is to be
identified, assessed, monitored, controlled/mitigated.
20. The ORM committee should identify the OR to which
the bank is exposed.
It should formulate policies and procedures for ORM.
It should set clear guidelines on risk assessment/measurement
and ensure adequacy of risk mitigating controls.
The committee has responsibility for
implementing the ORM framework approved by
the board of directors.
21. The ORMD is the nodal department for identifying, managing and
quantifying OR.
The ORMD, in conjunction with groups, lays down procedure for
management of operational risks.
It should identify and assess OR inherent in all material products,
activities, processes and systems.
It should regularly monitor OR profiles and material exposures to
losses and regularly report pertinent information to senior
management and the board of directors.
22. Role and responsibilities relating to internal audit/business
functions in the OR processes should be clearly defined.
26. OPERATIONAL RISK APPROACHES
Approaches: Basic Indicator, Standardized, Advanced Measurement
Calculation of capital charge
Basic Indicator: Average of gross income for three years as
indicator. Capital charge equals 15% of the indicator.
Standardized: Gross income per regulatory line as indicator.
Depending on business line, 12, 15 or 18% of the indicator as
capital charge. Total capital charge equals sum of charge per
business line.
Advanced Measurement: Capital charge equals internally generated
measures based on internal loss data, external loss data, scenario
analysis, and business environment and internal control factors.
Recognition of risk mitigation (up to 20%).
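The Basic Indicator and Standardized calculations from the table above, as an added example that is not part of the original slides. The mapping of business lines to the 12/15/18% factors and the treatment of negative gross income follow the Basel II framework text rather than the slide, and the sample figures are constructed.

```python
# Added example: Basel II Basic Indicator and Standardized capital charges.
ALPHA = 0.15  # Basic Indicator factor, as stated on the slide

# Per-business-line factors. The slide only says "12, 15 or 18%"; this
# line-to-factor mapping is taken from the Basel II framework (assumption
# relative to the slide).
BETA = {
    "corporate_finance": 0.18, "trading_and_sales": 0.18,
    "payment_and_settlement": 0.18, "commercial_banking": 0.15,
    "agency_services": 0.15, "retail_banking": 0.12,
    "asset_management": 0.12, "retail_brokerage": 0.12,
}

def basic_indicator_charge(gross_income):
    """15% of average annual gross income over three years.
    Years with zero or negative gross income are dropped from the average."""
    if len(gross_income) != 3:
        raise ValueError("expected three years of gross income")
    positive = [gi for gi in gross_income if gi > 0]
    return ALPHA * sum(positive) / len(positive) if positive else 0.0

def standardized_charge(years):
    """Three-year average of the yearly sum of beta * gross income per line.
    A negative line offsets others within its year; a year whose total is
    negative contributes zero."""
    if len(years) != 3:
        raise ValueError("expected three years of per-line gross income")
    yearly = []
    for lines in years:
        unknown = set(lines) - set(BETA)
        if unknown:
            raise ValueError(f"unknown business line(s): {sorted(unknown)}")
        total = sum(BETA[name] * gi for name, gi in lines.items())
        yearly.append(max(total, 0.0))
    return sum(yearly) / 3

# Constructed sample figures (not from the slides), in millions.
SAMPLE_YEARS = [
    {"retail_banking": 400.0, "commercial_banking": 300.0, "trading_and_sales": 100.0},
    {"retail_banking": 420.0, "commercial_banking": 310.0, "trading_and_sales": -50.0},
    {"retail_banking": 410.0, "commercial_banking": 290.0, "trading_and_sales": 200.0},
]

if __name__ == "__main__":
    totals = [sum(year.values()) for year in SAMPLE_YEARS]
    print("Basic Indicator:", round(basic_indicator_charge(totals), 2))
    print("Standardized:   ", round(standardized_charge(SAMPLE_YEARS), 2))
```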
27. Approaches: Basic Indicator, Standardized, Advanced Measurement
Qualifying criteria
Basic Indicator: No specific criteria. Compliance with the Basel
Committee’s “Sound Practices for the Management and Supervision of
Operational Risk” recommended.
Standardized: Active involvement of Board of directors and Senior
management. Existence of OpRisk Management function. Sound OpRisk
Management system. Systematic tracking of loss data.
Advanced Measurement: Same as standardized, plus measurement
integrated into day-to-day risk management; review of management
and measurement processes by internal/external auditor; numerous
quantitative standards, in particular 3-5 years of historic data.
28. RISK MONITORING AND CONTROL PRACTICES
Collection of operational risk data
Regular monitoring and feedback mechanism in place for monitoring any
deterioration in operational risk profile
Collation of incident reporting data to assess frequency and probability of
occurrence of operational risk events
Monitoring and control of management of large exposures.
29. • Reduction of operational loss.
• Lower compliance/auditing costs.
• Early detection of unlawful activities.
• Reduced exposure to future risks.
• Maintain Competitive Edge through Proactive Operational
Risk Management
• Clarified personal accountabilities, roles and responsibilities
for managing operational risks
• Sustained risk-smart workforce and environment
• Ensured continuous risk management learning
30. Increase in Bank Op Risk Exposures
Globalization
Growth of e-commerce
Large-scale mergers and acquisitions
More highly automated technology
Large volume service providers
Increased outsourcing
Complexity and breadth of products
Increased business volume
Increased litigation
The growing risks have caused increased focus by banking
regulators.
Increased regulatory focus has caused a surge in development
by banks in op risk management and measurement.
31. Rising Costs of Compliance
Access to Appropriate Information and Reporting
Development of Loss Databases
Lack of Systematic Measurement of Operational Risk
Implementing ORM Systems
Tone at the Top
32.
33. Governance: It is the process by which the Board of
Directors defines key objectives for the bank and oversees
progress towards achieving those objectives. It defines the
overall operational risk culture in the organization, and sets the
tone as to how a bank implements and executes its
operational risk management strategy. Governance sets the
precedence for Strategy, Structure and Execution.
Strategy: A bank’s strategy for operational risk drives the
other components within the management framework and
provides clear guidance on risk appetite or tolerance,
policies, and processes for day-to-day risk management.
34. CONTIN….
• Appetite and Policy: An ideal risk management process ensures
that organizational behaviour is driven by its risk appetite.
Adopting an operational risk strategy aligned to risk appetite,
leads to informed business and investment decisions.
• Clear Definition & Communication of Policy: An organization’s
top management must identify, assess, decide, implement, audit
and supervise their strategic risks. There should be a strategic
policy at the board level to focus on managing risk at all levels, and
conscious efforts should be made to ensure that these policies are
communicated at all levels and across the entire value chain.
35. • Periodic Evaluations Based on Internal & External Changes: An
ideal risk management process puts improvement of risk
performance on a competitive level with other important mission
concerns – periodically evaluating the ORM performance goals
in the light of internal and external factors.
• Structure: When designing the operational risk management
structure, the bank's overall risk scenario should serve as a
guideline. This includes initiatives like laying down a hierarchical
structure that leverages current risk processes, developing risk
measurement models to assess regulatory and economic capital, and
allocating economic capital vis-à-vis the actual risk confronted.
36. CONTD
Execution: Once an operational risk management structure
has been established by an organization, adequate
procedures should be designed and implemented to
ensure execution of and compliance with these policies at
business line level.
The first step includes identification and assessment of
operational risk inherent in day-to-day processes of the
bank. After assessment of inherent risk, a target tolerance
limit of risk should be established.
The results of the risk assessment and quantification
process enable management to compare the risks with its
operational risk strategy and policies, identify those risk
exposures that are unacceptable to the institution or are
outside the institution's risk appetite, and select and
prioritise appropriate mechanisms for mitigation.