Operational Risk

1
Operational Risk

6th ACSDA International Seminar Punta
del Este, Uruguay - October 27-28, 2005
Mary Ann Callahan, DTCC
2
Agenda

• Defining Operational Risk
• Demystifying Operational Risk Management from
  Basel II
• Key measures and elements of an Operational Risk
  Management framework
• DTCCs experiences in developing and implementing
  an Operational Risk Management Program

3
Traditional view of Op Risk

• Generally managed in a less explicit way
• Ambiguous responsibility and accountability for
  identification, monitoring and management
• Weak issue-monitoring and escalation processes
• Lack of statistically significant loss data
• No common perspective, language and culture
  throughout or across organizations
• Weak linkage of risk management framework with
  measurement of people and business performance

4
Operational Risk as defined by the Basel Accord
(2003)

• The risk of loss resulting from inadequate or
  failed internal processes, people and systems or
  from external events.
• -- Basel Committee on Banking Supervision
• and especially for CSDs, dont forget about
  reputational harm

5
The Basel II Accord

• Effective 2006, some banks will be required to
  set aside capital specifically for Operational
  Risk.
• US implementation for largest banks now set for
  three-year transition beginning in 2007.
• The accord requires the affected largest banks to
  adopt both qualitative and quantitative framework
  elements for Risk Management.

6
Some Operational Risks at a CSD
Customer Confidentiality Failure
Governance Issues
Fraud
Computer Hacking
Settlement Fails
Incomplete Due Diligence
Terrorist Threats
Missing Certificates
Corporate Actions Losses
Data Entry Errors
7
Operational Risk Categories
Customer Service Interaction Risk Liquidity
Risk Legal Regulatory Risk Financial Controls
Reporting Risk
Execution, Delivery Process Management Risk
People Culture Risk
Key Person Risk Brand Image Risk Employment
Practice Risk
Technology Risk
Infrastructure Risk Security Risk Hardware Risk
Business Continuity Risk
Business Resumption Risk
External Fraud Risk Physical Asset Risk Utility
Risk
External Risk
8
Mapping the Operational Risk Landscape DTCC
Example
9
What Operational Risk is Not

• Credit Risk
• Market Risk
• Strategic Risk
• Operational Risk is NOT LIMITED to the
  processing-type of risks generally associated
  with a back-office operation.

10
Why Focus onOperational Risk Management?

• Largest losses in the financial services industry
  are attributed to Operational Risk
• Good business sense
• The new world post-September 11, 2001, and
  resulting regulatory requirements
• Potentially lower capital charges for CSD and its
  members

11
Examples of Op Risk Failures
Arthur Andersen
Sumitomo Bank
Enron
Tyco
Allied Irish Bank
Parmalat
Barings
August 2003 Blackout
REFCO
Hurricane Katrina!
12
Basel II Focus Three Pillars

• Minimum capital requirements
• Supervisory review of capital adequacy
• Market discipline through effective disclosure

13
Basel II
14
Further Basel Guidance onSound Practices

• Board of Directors approve framework and
  understand major risks
• Consistent transparency and reporting of risk and
  control
• Operational Risk framework that is well
  understood and consistently implemented
  throughout the institution
• Ongoing risk identification and assessment for
  all material products, activities, processes and
  systems
• Risk monitoring and reporting
• Policies, processes and procedures to document
  effective mitigation of risks
• Regular internal audit coverage of operational
  risk framework
• An organizations use of third parties does not
  diminish the responsibility of the board of
  directors and management to ensure that the
  third-party activity is conducted in a safe and
  sound manner and in compliance with applicable
  laws.

15
Goals and Objectives

• Consistent approach
• Timely, accurate, meaningful reporting
• More robust analysis
• Risk-focused data
• Better enables decision making and effective
  oversight role by Senior Management
• Business ownership for risk information embedded
  throughout management
• Measure actual risk level against risk appetite
• Gain benchmarking perspective
• Less resource intensive
• Leveraging technology
• Determine capital requirements (possible change)
  and allocate capital

16
Operational RiskManagementComponents

• Identify Assess Risk
• Monitor Risk
• Manage Risk
• Measure Risk
• Disclose Risk

17
Program Components

• Risk and Control Self-Assessment
• Key Risk Indicators
• Enterprise-wide reporting
• Leveraging off existing risk event information

18
An Op Risk Management Framework
Operational Risk Governance Vision, Guiding
Principles, Risk Strategy, Risk Appetite,
Organization Structure, Risk Glossary
Risk Monitoring
Risk Measurement
Risk Identification Assessment
Strategy

• Common Organizational Hierarchy
• Common Risk Definitions
• Common Control Themes
• Key Process Focus
• Validating Components

Loss Data
Risk and Control Self Assessments (RCSA)
Key Indicators (KIs)
Business Initiatives
Risk Reporting
19
DTCCs Operational Risk Management Initiative
20
DTCC Operational Risk Objectives

• Establish a common risk language across the
  organization
• Define the organizations risk tolerance
• Foster a climate where risks are identified and
  openly discussed by all departments and employees
• Inform senior management and Board about
  Operational Risk across the enterprise
• Reinforce transparency and comply with regulatory
  expectations

21
21
22
Program Components

• Risk and Control Self-Assessment
• Key Risk Indicators
• Enterprise-wide reporting
• Leveraging off existing risk event information

23
An Operational Risk Framework
FOUNDATION
Stage 1 QUALITATIVE ASSESSMENT
Stage 2 RISK MONITORING
Stage 3 QUANTITATIVE VALIDATION
Identification, Prioritization and Assessment of
Operational Risk
Monitoring of Risk and Process Indicators to
Track Operational Risk Level, Modify Risk Profile
and Improve Business Processes
Identification and Measurement of Operational
Risk Events, including Near Misses
Risk Measurement
Risk Monitoring
Risk Monitoring
Risk Mitigation
Risk Mitigation
Risk Mitigation
Risk Assessment
Risk Assessment
Risk Assessment
Risk Identification
Risk Identification
Risk Identification
24
Status of Effort to Date

• Governance Structure in place
• Corporate Policy and other documents issued
• Risk Control Self-Assessment (RCSA) process
  piloted, improved, formalized and completed for
  all identified DTC high risk areas
• Six month RCSA process initiated
• Key Risk Indicator process piloted
• Third Party software selected

25
Governance Structure

• Board of Directors
• Membership Risk Management Committees
• Audit Committee
• Operations and Planning Committee
• DTCC Management Committee
• DTCC Internal Risk Management Committee
• Operational Risk Working Group

26
Our RCSA Process

• Planning Stage
• Conduct RCSA
• Review Validate RCSA (Team)
• Rate Inherent Risks
• Prepare Presentation for Dept. Management
• Management Sign Off

27
RCSA Planning Stage

• Research Gather Information
• Conduct a Planning Meeting with Dept. Management
• Identify Assessment Team(s)
• Introduce the RCSA Concept
• Schedule Facilitated Sessions

28
Conduct RCSA

• Conduct facilitated sessions
• Populate RCSA Template
• Identify and Describe Risk Mitigants
• Rate Mitigant Importance and Effectiveness
• Provide Additional Comments or Define Issue
• Rate Issue Severity
• Accept Risk or Formulate Action Plan Target Date

29
RCSA Review Validation

• Team reviews the template that has been completed
  over the course of the facilitated sessions to
  ensure accuracy
• Team validates its risks, mitigants, action plans
  and accepted risks, prepares management
  presentation.

30
Rate Inherent Risk

• Absence of Mitigants
• Two Components for Each Sub-Risk
• Severity (Impact)
• Frequency
• Requires Consistency Across the Organization

31
Inherent Risk Rating Matrix
Severity (Impact)
Frequency

 

32
Inherent Risk Rating Worksheet
33
Continuous Improvement

• Team feedback
• Rewards and Recognition
• Chairmans Acknowledgement
• Loop-back to Subject Matter Experts

34
2005 Objectives

• Complete RCSAs for ALL DTCC High Risk Areas
• Install, test and implement a system for
  self-assessments
• Enhance Enterprise-wide Operational Risk
  Management Reporting

35
2005 Objectives cont.d

• Considering the purchase an external Loss Event
  database to augment internal causal analysis
• Continue Regulatory Meetings
• Roll-out Key Risk Indicator methodology