
1 NOTICE: Proprietary and Confidential. This material is proprietary to Chase Cooper. It contains trade secrets and confidential information which is solely the property of Chase Cooper. The material is solely for the Client’s internal use. This material shall not be used, reproduced, copied, disclosed, transmitted, in whole or in part, without the express consent of Chase Cooper. Copyright 2012 Chase Cooper Limited. All rights reserved. IOR Scottish Chapter: The Use Test in Practice. Friday 26th October 2012

2 Agenda: Use Test: What is it – in terms of operational risk? How are you using your data? What do the regulators say? What data have we got already? How can we use it in the business? Combining the data for the RC and the Board

3 Use test: What is it? Showing that the operational risk management framework is used in the management of the firm. As well as Governance: Is the data used by the business? Is the business involved in the generation of the data? For example, how is operational risk appetite reported to and discussed by the business? It is NOT ‘doing the process for the regulators’

4 ORM Framework (diagram): Governance; Indicators (Appetite; Identify key risk & key control indicators; Specify escalation triggers); Events (Appetite; Identify & capture internal & external events; Analyse causes: failing or missing controls); Risk & Control Assessment (Appetite; Identify risk & owner; Assess inherent & residual risk; Identify control & owner; Assess design & performance); Scenarios & Modelling; Reporting; Operational Risk Environment; Three lines of defence; New activities, processes, products, systems

5 Reporting: BCBS commentary: Regular reports from both business units and internal audit; Breaches of risk appetite; Recent significant internal events and losses; Relevant external events; Top level (objectives) review; Compliance with controls; Identification and treatment of non-compliance; Authorisation at appropriate level, if no treatment

6 Reporting: FSA (additionally): Results of identification, measurement and monitoring; Actions taken to control risks; Exposure thresholds and actual exposures; Effectiveness of tools; Board of Directors to receive information identifying, measuring, managing and controlling risks of regulatory concern: fair treatment of customers; protection of consumers; confidence in financial system; reduction in financial crime

7 The Use Test (ORIAG paper): “The effective management of OR depends on consistent and timely reporting of exposures”; “…imperative that business line managers can make the connection between the overall view and what they need to achieve on the ground”; “OR MIS plays the key role in linking senior management and staff level incentives to deliver the OR strategy”

8 What RCA data have we got already? Risks; Likelihood; Impact; Risk owners; Controls; Design; Performance; Control owners

9 Do you have this data? 1: Yes; 2: No. VOTE

10 Using the data that we’ve got: Heatmaps; Spidergrams; Min-Max spidergrams

11 Heatmaps: a good place to start

12 Spidergram: High level (Risk, Control)

13 Spidergram: IT & Systems (Risk, Control)

14 Do you use: 1: Heatmaps only; 2: Spidergrams only; 3: Heatmaps and spidergrams; 4: Neither. VOTE

15 What Event data have we got already? Event; Department of discovery, Department of origination; Dates event occurred (starting, discovery, end); BII loss event type & business line; Losses; Monetary value

16 Do you have these data? 1: Yes; 2: No. VOTE. Event; Department of discovery, Department of origination; Dates event occurred (starting, discovery, end); BII loss event type & business line; Losses; Monetary value

17 How good are our preventative controls? Is there an effective/ineffective department?

18 How good are our detective controls?

19 Do you use Events to challenge: 1: Prevent controls; 2: Detect controls; 3: Both types; 4: Neither. VOTE

20 What KRI data have we got already? Thresholds (green, yellow, red); Values; Areas data is drawn from; Period of data (e.g. monthly); Linked risks, controls, actions, events; Event data which can be used as indicator data

21 Do you have these data? 1: Yes; 2: No. VOTE. Thresholds (green, yellow, red); Values; Areas data is drawn from; Period of data (e.g. monthly)

22 KRI Dashboard

23 Do you have a KRI dashboard? 1: Yes 60%; 2: No 40%. VOTE

24 Linking KRIs to Risks

25 Have you linked KRIs to risks? 1: Yes; 2: No. VOTE. Thresholds (green, yellow, red); Values; Areas data is drawn from; Period of data (e.g. monthly); Linked risks, controls, actions, events; Event data which can be used as indicator data

26 The RED Report: Red risks with Red KRIs with Overdue Actions

27 Risk Performance
Column groups: Current Level, Performance, Appetite, Overall
| Risk Event | Impact | Prob. | Actual KRI | Trend | Target KRI | Better / (Worse) | Actions / Summary | Rating* |
|---|---|---|---|---|---|---|---|---|
| Major Technology Infrastructure Failure | H | L | No. of weeks free from severity 1 Failure = 7 | +3 | 10 free weeks during year | +3 | No action required | |
| Breach of confidentiality | M | M | Complaints received from Customers re alleged breach = 0 | 0 | Zero material breaches of VIP customers’ / major corporate customers’ confidentiality | 0 | High potential for risk occurrence due to customer / client base | |
| Employee processing error | L | M | Error reporting: 5 events, £4,000 loss | +2; +1000 | No more than 10 errors per quarter. No single event > £10,000 | +5 | No action required. | |
| Internal Fraud | M | H | No. of frauds over £10,000 Detected: 7; No. of these frauds committed: 4; Potential Loss: $300,000; Actual Loss: £65,000 | +2; +50000 | Not more than 1 a month; £10,000 acceptable | (6) | Action required, retrain staff, redesign processes | |
*Chair of the Committee decides on overall rating for each risk event

28 Top risks and their KRIs

29 ORM Framework (diagram): Governance; Indicators (Appetite; Identify key risk & key control indicators; Specify escalation triggers); Events (Appetite; Identify & capture internal & external events; Analyse causes: failing or missing controls); Risk & Control Assessment (Appetite; Identify risk & owner; Assess inherent & residual risk; Identify control & owner; Assess design & performance); Scenarios & Modelling; Reporting; Operational Risk Environment; Three lines of defence; New activities, processes, products, systems

30 Contact details: Tony Blunden, Head of Consulting, Chase Cooper; Hon Professor, Glasgow Caledonian University. Tel: +44 (0) 207 377 2269. Fax: +44 (0) 207 426 0882. Mob: +44 (0) 770 325 7480. E-mail: tony.blunden@chasecooper.com. www.chasecooper.com

