OPERATIONAL RISK MANAGEMENT IMPLEMENTATION – Best practices and experience
Risk The chance of something happening that will have an impact on objectives. A risk is often specified in terms of an event or circumstance and the consequences that may flow from it. Risk is measured in terms of a combination of the consequences of an event and their likelihood. Risk may have a positive or negative impact.
Why implement risk management? Success = Vision Achievement + Associated Strategic Objectives. Ultimately, must know the risks faced in achieving these goals, manage the risks effectively and ensure that effective risk treatments are, and continue to be in place as the environment changes over time. Risk management is importance for EPF. Alternative is risky management which will not ensure desired outcomes.
Benefits of risk management Increase risk awareness at all level of staff in order for them to effectively manage their risks. No unexpected surprises! Staff personal wellbeing Accountability, assurance and governance - Maintain integrity and confidence amongst stakeholders and the public in general. Strengthening competitive strategic and operational efficiency to increase long term stakeholder’s value. Safeguarding assets and resources. Exploitation of opportunities Improved planning, performance and effectiveness Improved information for decision making Minimise unexpected impact to earnings and returns to members. . Management of risk is an integral part of good business practice and quality management. Learning how to manage risk effectively enables managers to improve outcomes by identifying and analysing the wider range of issues and providing a systematic way to make informed decisions. A structured risk management approach also enhances and encourages the identification of greater opportunities for continuous improvement through innovation. The underlying principles of managing risk are generic in nature and largely independent of any individual type of organizational structure. Risk management techniques provide people, at all levels, with a systematic approach to managing the risks that are integral parts of their responsibilities. Some of the specific benefits of risk management include: (a) Fewer surprises . _ (b) Exploitation of opportunities (c) Improved planning, performance and effectiveness (d) Economy and efficiency (e) Improved stakeholder relationships (f) Improved information for decision making (g) Enhanced reputation (h) Director protection (i) Accountability, assurance and governance (j) Personal wellbeing 5 5
Enterprise Risk Framework Strategic Risk Credit Risk Market Risk Investment Risk Liquidity Risk Operational Risk Regulatory Risk Project Risk Strategic risk arises from the inability to implement appropriate business plans, strategies, decision-making, resources allocation and its inability to adapt to changes in its business environment. Credit risk arises from counterparty’s inability or unwillingness to fully meet its on and/or off-balance sheet contractual obligations. Exposure to this risk results from financial transactions with a counterparty, e.g. debtors, borrowers or guarantors. Market risk arises from changes in market rates or prices. Exposure to this risk can result from market-making, dealing, and position-taking activities in markets such as interest rates, foreign exchange, equity, commodity and real estate. Liquidity risk arises from the inability to purchase or otherwise obtain the necessary funds, either by increasing liabilities or converting assets, to meet its on-and off balance sheet obligations as they come due, without incurring unacceptable losses. Operational risk refers to the risk of loss resulting from the inadequate or failed internal processes, people or systems, or from external events. This includes legal and regulatory risks. Legal and Regulatory risk arises from non-conformance with laws, rules, regulations, prescribed practices, or ethical standards in any jurisdiction in which EPF operates. Reputational risk is a risk arising from negative public opinion that will result in financial and non-financial losses, such as loss of public confidence. This may affect EPF’s ability to establish new relationships or services or continue servicing existing relationships. This risk may expose EPF to litigations. Reputational Risk
Risk Management Risk management is the culture, processes and structures that are directed towards the effective management of potential opportunities and adverse effects within the organisation environment. It is an enterprise wide process multifaceted in dimension. It is best achieved by a multidisciplinary team. Risks must be appropriately communicated and shared.
Risk Management Process Establish the Context: for strategic, organisational and risk management and the criteria against which busineess risks will be evaluated. Identify Risk: that could ‘prevent, degrade, delay or enhance’ the achievement of an organisation’s business and strategic objectives. Analyse Risk: consider the range of potential consequences and the likelihood that those consequences could occur. Evaluate Risks: compare risks against the firm’s pre-established criteria and consider the balance between potential benefits and adverse outcomes. Treat Risks: develop and implement plans for increasing potential benefits and reducing potential costs of those risks identified as requiring to be ‘treated’. Monitor and Review: the performance and cost effectiveness of the entire risk management system and the progress of risk treatment plans with a view to continuous improvement through learning from performance failures and deficiencies. Communicate and Consult: with internal and external ‘stakeholders’ at each stage of the risk management process. Note that: Identify, Analyse and Evaluate Risks are collectively grouped as ‘Risk Assessment’.
Sample Risk Scorecard Gross risk Nett risk Target risk
For every risk Identify Causes and Consequences. Rate gross risk in term of possibility and impact (without controls or controls totally ineffective). Identify Primary Controls (preventive, detective and corrective) and Secondary Controls Rate control effectiveness (to reduce possibility and impact). Risk software calculate: Nett Risk Rating = Gross Risk – Control Effectiveness. Set Risk Targets Identify management actions to mitigate the risks.
Assurance Framework Ministry of Finance Investment Panel Board of Directors Investment Panel Risk Committee Board Risk Management Committee Board Audit Committee Management Risk Committee Risk Management Department Management Operations Risk Committee Internal Audit External Audit Investment Risk Management Section Operational Risk Management Section
Who manages risks? Board of Directors Provides oversight Board Risk Management Committee Approve risk management policies. Evaluate management of risks. “Big Picture” analysis of risk trends. Senior Management Manages and monitors risk Executive Committees MORC assists Senior Management monitors risk. Audit and Compliance Audit – Provides independent assurance. Compliance – Provides independent review. Risk Management Assists in setting policies and standards that reflect the risk appetite of the organisation. Business Units Responsible for owning and managing risk. Set and implement policy consistent with enterprise-level policy.
Who manages risks in business units? Risk scorecard owner Responsible for risk management in department/branches/section/unit. To report effectiveness of risk management activities Risk owner Responsible to manage assigned risk by ensuring effectiveness controls and to recommend new Management Action Plans (MAP) to mitigate risk. Recommend risk rating to Risk Scorecard Owner. Control owner Responsible to ensure effectiveness of control. To report on control effectiveness to Risk owner. Management Action Plan (MAP) owner To ensure MAP is carried out as planned to mitigate risk. To report on MAP status to risk owner. Risk Champion Coordinator and risk advisor. Assist risk scorecard owner and ‘other owners’ on risk management. Individual staff Aware about risk and risk management. To highlight any new key risks to risk champion and/or risk scorecard owner.
Key Success Factors Full support from the Board, Investment Panel, CEO and Management. Committed Risk Champions. Competence and committed consultant. Effective Project Management. Risk Awareness Training and Facilitation Workshops. Computerised System. Organisation culture