Operational Risk Management: Major Processes and Assignments

Transcription

1 Operational Risk Management: Major Processes and Assignments Gabriel Andrade Deputy-Head of the Risk Management Department 19 September 2017 Cambridge

2 Agenda 1. ORM Framework Operational Risk Operational Risk Management Governance Model & Regulatory Support 2. ORM Lifecycle & Value Creation ORM Workflow & Risk Assessment Matrices Risk Incident s Follow-up Workflow Business Continuity Management (BCM) Value creation to the Board s strategic decisions Medium-term challenges 3. International Relations Eurosystem/ESCB International Operational Risk Working Group (IORWG) Cooperation with other Central Banks/Monetary Authorities 2 19 September 2017

3 1. ORM Framework Operational risk The risk of adverse financial, business and/or reputational impacts resulting from inadequate or failed internal governance, business processes, people, systems, or from external events September 2017

4 1. ORM Framework (cont.) Operational risk management (ORM) Continuous and systematic process Ensures the accomplishment of both the organization s mission and objectives Provides effective responses to risks that will invariably surface Promotes operational risk management awareness among business units Provides the Board with an overall operational risk environment perspective Identify Assess Monitor Response 4 19 September 2017

5 1. ORM Framework (cont.) Governance Model Board Risk Committee Risk Management Dept. (2 nd line of defence) Business units risk agents Business Units (BU) (1 st line of defence) Internal Audit Dept. (3 rd line of defence) 5 19 September 2017

6 1. ORM Framework (cont.) Reference frameworks & operationalization Framework Operationalization ESCB / EUROSYSTEM OPERATIONAL RISK MANAGEMENT AND BUSINESS CONTINUITY MANAGEMENT FRAMEWORK COSO FRAMEWORK ORM model of Banco de Portugal 6 19 September 2017

7 2. ORM Lifecycle Business functions identification and mapping RCSA Workshops ( top-down ) Business units identify and assess each of their own top risks as well as their respective control environment Assessment performed in light of an extreme event which would trigger every one of them Both an intrinsic and residual perspective are considered In depth analysis ( bottom-up ) Through an hybrid approach (workshops and surveys), business functions whose residual risks were rated the most severe by the RCSA are subjected to a detailed risk and control assessment Risk response Residual risks whose either impact or likelihood are inconsistent with the organization s risk tolerance policy must be addressed through mitigation, transfer, or acceptance Report Outputs are reported to the respective business units, the internal audit as well as the Risk Commission 7 19 September 2017

8 2. ORM Lifecycle (cont.) Risk incident s follow-up workflow: There has been an incident Address the incident Incident Form Report the incident What? When? Assess the incident 8 19 September 2017

9 2. ORM Lifecycle (cont.) Risk incident s analysis workflow: Fieldwork Meetings are scheduled with every staff member whose role in the event or background knowledge is key for its understanding Report draft Outlines the incident s chain of events and any mitigation measures deemed suitable Submission Upon reviewed by business lines, the report is submitted to their Senior Management, the Audit Dept. & the Risk Committee 9 19 September 2017

10 2. ORM Lifecycle (cont.) Business Continuity Management (BCM): As the organization s BCM covers several disruption scenarios(*), which are mostly related to key resources and premises unavailability, ORM s role in securing a timely recovery of its critical functions entails: Providing risk assessments related to strategic decision-making processes Providing a risk profile from all business units, especially those whose functions have the shortest MTPD Fostering BCM awareness among the institution s staff (*) 1. IT unavailability, 2. Main building unavailability, 3. Key human resources unavailability, 4. Key stakeholder unavailability & 5. Natural disaster in Lisbon s area September 2017

11 2. ORM Lifecycle (cont.) BCM overview (main actors & plans): BCM Steering Committee Crisis Management Plans Premises Recovery Plan IT Recovery Plan Business Continuity Plans HR Response Plan Crisis Communication Plan Stakeholders September 2017

12 Technology Business Lines BCM s course of action (in case of disaster): 1. Upon detection, the event must be reported to BCM s senior management for its assessment 2. If the event is deemed significant, BCM s senior management asks the Governor s clearance to set off a specifically designed crisis management plan 3. Business functions recovery procedures are set in motion 2. ORM Lifecycle (cont.) 4. Once normal state is restored, and upon the Governor s clearance, distress plans are called off and business lines may resume their functions as usual Emergency Response Crisis Management Business Recovery Emergency Response IT Technological Recovery Time September 2017

13 2. ORM Lifecycle (cont.) Value creation to the Board s strategic decisions: Since its inception, the Risk Management Dept. has been requested to perform several risk assessments concerning several strategic decisions Main decisions at stake: 4 year Strategic Plan The replacement the secondary cash centre premises with a brand-new building The choice on the data recovery structure would better suit the organization s business continuity requirements The amount of capital buffer required to safeguard the institution from its operational risk exposure The outline of a risk budget and economic capital estimation The definition of scenarios and requirements pertaining the revamp of the organization s BCM process September 2017

14 2. ORM Lifecycle (cont.) Medium-term challenges: Both the financial industry and technology are constantly evolving Main emerging risks stemming from those developments: Cyber risk and data security Operational risk capital adequacy Increasing resort to outsourcing Compliance risks related to wrongdoing Physical attack As a key player in the financial industry, CBs are particularly required to safeguard against these looming risks, as apart from their straightforward implications, they may jeopardize the organization s reputational status, which is perhaps its most important asset September 2017

15 3. International Relations Participation & cooperation activities related to ORM & BCM At the Eurosystem/ESCB level, BdP is represented at the Organisational Development Committee (ODC), supported by the Operational Risk Management Taskforce (ORM-TF) and the Business Continuity Management Taskforce (BCM-TF) BdP is also an active member of the International Operational Risk Working Group (IORWG), which aims to promote exchange of ORM best practices in the Central Banking community (more than 70 Central Banks) Bilateral cooperation with other Central Banks/Institutions is also an hallmark of BdP international activity in these domains, allowing the sharing of experiences is specific topics or peer reviews/comparisons September 2017

16 Operational risk management is not just about avoiding losses or reducing their effect. It is also about finding opportunities for business benefit and continuous improvement. T. Blunden & J. Thirlwell Thank you very much for your attention! September 2017