Presentation on theme: "Operational Risk Questionnaire"— Presentation transcript:
1 Operational Risk Questionnaire A Framework for Operational Risk Management
2 Background on Operational Risk New Basel capital requirements are based upon market, credit, and operational risk.The New Basel Capital Accord defines operational risk as:“The risk loss resulting from inadequate or failed processes, people and systems or from external events”Market and credit risk both have well-understood market conventions, and are readily quantifiable. Operational risk management is at an earlier stage, and no market consensus on measurement and approach has yet formed.Best practices and industry trends are moving toward more active means of defining, measuring, monitoring, and mitigating operational risks.
3 BSB Questionnaire Framework BSB proposes the following risk categories to establish what risks exist, and how management is or could be controlling risk:External CatastropheService Provider FailureRegulatoryFraud, Theft, and VandalismCompliance with Policies, Procedures and PracticesCustomer RelationshipsKey Control EffectivenessCompliance with Commercial ContractsPeople ManagementInformation RiskIT Security
4 BSB Approach – Risk Identification Each risk category is intended to elicit risk information from a specific perspectiveExternal Catastrophe - The risk that an external event would disrupt the ability of staff to access office locations or perform normally required tasks. These are risks that you can plan against but cannot prevent.Service Provider Failure - The risk that a service providers failure to deliver expected services would hinder or prevent normal business activity. The risks in this category are those where there is excessive reliance upon an external or internal service provider or outsourced function, or where contingency plans do not exist or are inadequate. The principal risk in this category is that you will be unable to continue business, or will suffer significant deficiencies, due to failures or inadequacies in service provider delivery or outsourced functions.Regulatory - The risk that your activities will fail to comply with regulatory requirements and restrictions. The risks in this category are those where regulatory non-compliance results in regulator response, up to and including a cease-and-desist order.Fraud, Theft, and Vandalism - The risk to you of an internal or external party committing fraud, theft, or vandalism, damaging BSB or its clients monetarily or in image.Compliance with Policies, Procedures, and Practices - The risk that you will fail to comply with internal policies, procedures, and practices, as well as industry best practices and ethical business practices. To not be in compliance with these practices would be to suggest that you are not managing its business and risks according to market standards.Customer Relationships - The risk that you will fail in the management of customer relationships and in delivery of services to customers, causing monetary and reputational damages. The risks in this category are those that affect your market share, reputation, and profitability.
5 BSB Approach – Risk Identification Key Control Effectiveness - The risk that operational control points will fail to function as intended, putting you at risk of significant monetary losses, regulatory action, and reputational damage. The risks of ineffective controls are widespread, and affect many areas with a wide range of monetary, reputational, and regulatory implications. The risk that you will have poorly structured behavioral and physical limits, or that those limits might be unenforced or circumvented. The risk in this category is also of control and efficiency, which would affect risk and control.Compliance with Commercial Contracts - The risk that you will fail to comply with, or implement properly, commercial contracts, with potential monetary damage, legal exposure, and reputational damage. The risks in this category are those which affect the legal relationships between you and clients / counterparties. Incidents of this type could affect relationships, cause legal action, and adversely impact future ability to do business with the client / counterparty.People Management - The risk that you will fail to attract, manage, develop, and retain employees with the appropriate skills. The risk in this category is that you will, over the long-term, fail to stay competitive and fail to have employees with the skills and training to engage in business in a prudent, well-controlled fashion. The risk that you will fail to organize its business in an appropriate way, resulting in an inefficient and operationally risky business structure. The risk in this category is largely of control and efficiency, which would affect long-term business risk, profitability, and competitiveness. The risk that you will choose inefficient or inappropriate measures of staff or business performance.Information Risk - The risk that you might manage your business or generate reporting based upon incomplete, inaccurate or inappropriate information. The risk that you might manage its business or generate reporting based upon incomplete, inaccurate or inappropriate information. The risk that you might manage its business or generate reporting based upon incomplete, inaccurate or inappropriate information, as well as the risk that BSB will not be able to access archived information.Infrastructure Security (IT View) - The risk that your IT security structure will fail to perform as intended, allowing unauthorized access and data damage or loss.
6 BSB Risk CategoriesThe original 23 risk categories have been merged into 11, eliminating 12 descriptive answers and approximately 10 more repetitive lines of questioning.
7 BSB Risk Classification For each risk category, the questionnaire will have one or several scenarios or risks. For each of these scenarios or risks, the following questions need to be answered:Risk SeverityWhat would be the impact on P/L?What would be the effect on customers and on your image?What is the frequency of this type of event or loss?What would be a typical loss from an incident of this type?Management’s Ability to ControlHow aware and involved is management in managing this risk? (Responsibilities defined, resources allocated, etc.)What is your assessment of the effectiveness and efficiency of the internal control system?Which of the following exist to address this type of operational risk?Policies, procedures, formal organization, formal limits, risk control system, monitoring system, regular or periodic reporting, management reviewIs data regarding this type of event or loss known, reported, and stored?
8 Questionnaire Format The questionnaire is in the form of a question matrix, with risk scenarios and questions listed vertically, and with 8 general questions for each listed horizontallyGeneral QuestionsRisk ScenariosAnswer Area
9 Questionnaire Function The questionnaire consists of approximately 100 risk scenarios, with 8 general questions to answer for eachQuestionnaire Function7 of the 8 questions are multiple choice, and have drop-down selection boxes to simplify the process for the user1 of the questions asks about the existence of certain risk management tools. In the answer space for this question are checkboxes, with a check signifying yes and an empty checkbox signifying no.Each of the 23 risk categories has one answer space for a text description of the risk situation, particularly significant risks or scenarios, and additional comments.
10 Ability to Control Risk Questionnaire OutputBSB has taken the approach that operational risk is best viewed in the context of a four-sectored grid.Highlighting high impact risks with a high degree of controllability gives BSB a starting point to reduce risk.High Impact / High AbilityHigh Impact / Low AbilityImpact of RiskLow Impact / High AbilityLow Impact / Low AbilityAbility to Control Risk
11 Ability to Control Risk Answer ScoringExternal CatastropheBy employing a scoring methodology, the answers on the questionnaire can be used to plot the risks of a business area by type.External Service Provider FailureRegulatoryCompliance with Policies, Procedures, and PracticesImpact of RiskExternal FraudCustomer Risk ManagementKey Control EffectivenessAbility to Control Risk
12 Contact Us David E. Fisher 203.434.7545 Maurice A. Krisel