7/31/2019 How to Manage Effectively Operational Risk
1/19
-1-
How to Manage Effectively Operational Risk
For Basel II, Solvency II and Arrow
White Paper
September 2008
Table of Contents
Loss Data ............................................ 5
Risk and Control Self Assessment (RCSA) .............. 7
Key Risk Indicators ................................. 13
Action and Remediation Plans ........................ 15
Risk Simulation ..................................... 16
Reporting ........................................... 17
Key Benefits of Proposed Solution ................... 18
About Dynasec ....................................... 18
Introduction
Operational risk exists everywhere in the business environment. It is the oldest risk facing any commercial institution and in particular banks, insurance companies and other financial institutions. Any financial institution will face operational risk long before it decides on its first market trade or credit transaction.
Of all the different types of risks financial institutions face, operational risk can be the most devastating and, at the same time, the most difficult to anticipate. Its appearance can result in sudden and dramatic reductions in the value of a firm.
Operational risk cannot be managed successfully with a few spreadsheets or databases developed by an internal risk management department. In fact, one of the biggest mistakes an institution can make is to rely on simplistic and traditional solutions, which can lead to less than ideal choices about managing operational risk.
easy2comply enables organizations to efficiently meet and adapt to internal operational risk practices as well as external regulations such as Basel II, Solvency II, FSA mandates and others, by automating and simplifying the process of collecting, storing, analyzing, tracking and reporting on information relevant to operational losses, risk and control assessments, and the definition and management of key risk indicators and scenarios.
easy2comply Operational Risk Architecture (architecture diagram)
Loss Data
The loss database is a key, standard element of the Operational Risk Management module. The collection and analysis of internal loss data provides management information which can be fed back into the operational risk management and mitigation process. In addition, the database of internal loss events builds up over time and provides the basis for quantitative analysis and the calculation of capital allocation.
Data quality of loss reporting is often a major concern in many organizations. Dynasec Enterprise simplifies the collection of loss reporting by offering a 3-step process with built-in workflow capabilities:
1. Loss Event Capturing
In the first stage, authorized users can report on a loss event, a suspected loss event or a near miss. This loss event capturing process is performed with a comprehensive and customizable form that contains all the necessary fields and information for later loss event analysis.
2. Loss Event Evaluation
In the second stage, authorized users, generally from the risk management department, are automatically alerted of any loss event reported in the system. They can assess the impact of the loss event and describe the associated risks and damages in various formats, which provide the basis for later in-depth analysis and loss event reporting.
3. Loss Event Conclusions and Follow Up Actions
At this stage, authorized users can summarize the conclusions resulting from a loss event, define follow-up action items with due dates, and assign responsible persons for each action item. All action items are incorporated into easy2comply's integrated action and remediation plan for tracking and management of tasks.
easy2comply's flexible platform enables organizations to tailor their own fields in the loss database forms above, although certain standard fields such as selecting the appropriate Business Line and categorizing the Event Type are mandatory. Additional fields can easily be defined during the system configuration, requiring no programming.
easy2comply offers the following standard fields:
- Event Name
- Event ID
- Event Reporting Date
- Reporter Name
- Event Type (Internal/External)
- Related Organizational Unit
- Related Processes
- Related Business Line
- Related Event Category
- Related Controls
- First Event/Repeating Event/Near Miss
- Correlative Events (in case of a Repeating Event)
- Event Description
- Event Identification Day
- Start Handling Date
- End Handling Date
- Participants
- Key Personnel Involved
- Implemented Risks
- Implemented Risk Direct Damage
- Implemented Risk Indirect Damage
- Implemented Risk Unquantifiable Damage
- Insurance Cover
- Conclusions
- Follow Up Action Task
- Follow Up Action Date
- Follow Up Action Responsible
- Attached Files
- Authorization Process
Risk and Control Self Assessment (RCSA)
Risk and Control Self Assessment (RCSA) is one of the integrated components that easy2comply offers for effective management of operational risk. easy2comply establishes a coherent structure that automates the entire workflow for managing the risk and control framework, including: systematic documentation of processes and sub-processes, identification of the risks that could prevent the attainment of process objectives, and mapping of the controls that should be in place to mitigate these risks.
easy2comply is designed in a way that enables companies to construct both actual and horizontal or virtual organizational structures for the operational risk management process. The flexible system provides up to 1024 layers of hierarchy in the organizational structure that can be defined by the system administrator. Furthermore, easy2comply enables the creation of an unlimited number of horizontal or virtual organizational units which cross the actual organizational tree. Authorized users subjectively select single or groups of hierarchical organizational units within a horizontal unit. Such horizontal organizational units are used to identify cross-company trends and to perform competitive analysis between cross-company business units (for example: all wholly-owned subsidiaries or all purchasing departments throughout the organization).
Organizational processes and sub-processes can be documented using an integrated flowchart engine which graphically represents the process flow. Each component in the flowchart is linked to the RCSA matrix, providing for easier documentation maintenance, consistency and improved change management.
Organizations who already document their structure in an external system can take advantage of easy2comply's open systems environment and import or link to pre-documented organizational trees.
Furthermore, processes are linked to organizational units using an m:n approach. This enables analyzing risks and controls from both perspectives: organizational and process-oriented.
Risk Control Self Assessment can be performed at any level, including organizational units and processes. The self assessment can be based on data from 3 different sources: pre-populated data using a sophisticated templates mechanism, data built from scratch in the system during the assessment (and saved as a template if necessary), or legacy data previously accumulated and automatically inputted into the system. Adding, deleting and modifying information is easy and intuitive, although subject to the user access rights that have been pre-selected.
Documenting and assessing risk both qualitatively and quantitatively includes but is not limited to the following information:
- Risk Name
- Risk Description
- Qualitative Information (can be based on a risk assessment wizard)
  o Severity
  o Probability
  o Other
- Quantitative Information (can be based on a risk assessment wizard)
  o Severity
  o Probability
- Scenario Analysis
  o Normal Scenario: Description, Loss, Frequency, More...
  o Serious Case Scenario: Description, Loss, Frequency, More...
  o Disaster Scenario: Description, Loss, Frequency, More...
- Risk Category
- KRI
- Key Risk
- Risk Type
- Tolerance Level
- Risk Response
Documenting and assessing controls includes but is not limited to the following information:
- Control ID
- Control Activity Description
- Control Objective
- Control Activity In Place
- Control Weight
- Key Control
- Control in Place
- Control Design Rating
- Control Owner
- Control Nature
- Control Frequency
- Relation to COSO
- Financial Effect
- Preventive/Detective
- Recommended Testing Procedure
- Sample Size Required
- Criteria for Effectiveness Testing
- Criteria for Ineffectiveness Testing
- Tester
- Testing Start Date
- Testing Due Date
- Attachment
- Findings
- Recommendation
- KPI
- Attachments on Management Procedures
The relations between risks and controls are based on an m:n approach, where each risk can be mitigated by several controls and every control can impact various risks.
The system also allows for an m:n correlation between controls. easy2comply allows for control hierarchies and dependencies between controls. For example, a control status can be based on a calculation of sub-controls. Each control in the system might have a different index of status, which can be defined by the authorized users.
easy2comply provides functionality for copying, importing and exporting risks and controls between different segments of the organization tree and/or the process tree, and can define multiple types of relations between them.
Throughout the lifecycle of the operational risk management process, the system enables the reduction of the overall number of risks and controls being managed in the organization, which results in a more efficient operation.
Key Risk Indicators
Key Risk Indicators (KRI) allocation and analysis is a core feature of the Dynasec Enterprise Operational Risk module. The KRI module provides management with an early-warning system, underscoring those areas where pre-defined thresholds are exceeded and thus highlighting potential danger spots in a timely fashion.
Each Key Risk Indicator can be automatically generated or manually entered. Dynasec Enterprise provides the infrastructure to develop and determine both of these methods. KRIs are freely definable and there is (practically) no limit to the number or type of KRIs which can be set up.
Some of the basic information for an automatic KRI is held within the Dynasec Enterprise system. In fact, the information can be embedded in the risk control self assessment process; for example, a KRI can be raised when there are a number of missing controls in a process. Organizations can take advantage of this integrated approach to reduce the time required for reconciliation or other cross-checking requirements.
Alternatively, if the required information is located in external, typically transaction-based systems, easy2comply can link to those systems via standardized protocols to gather the required information. For example: the number of dealer transactions rejected for exceeding trading limits can be a KRI created and tracked in the system, which has been linked to the external application that manages dealer transactions and calculates this figure.
There are situations where the information is more readily available manually or where it is not found in any other system. In these cases, suitably authorized managers can enter the KRI values directly into the system, online.
Documenting and assessing KRIs includes but is not limited to the following information:
- KRI ID
- KRI Name
- KRI Description
- KRI Type (KRI, KCI, KPI)
- KRI Source
- KRI Norm
- Related Risk(s)
- KRI Period
- KRI Test
- KRI Impact
- KRI Change
- Correlated KPI/KCI
- Conclusion
- Action Plan
- Other
Action and Remediation Plans
easy2comply provides integrated risk measure/action plan functionality in the operational risk management module. This functionality enables creation, execution, management and follow-up of action and remediation plans in order to improve organizational processes and controls and to mitigate risk exposure.
Action plans can be defined by authorized users as a result of:
- Poor Control
- Loss Event
- KRI
- Simulation
- Other general events
Each action plan includes but is not limited to the following information:
- Task Owner
- Due Date
- Task Description
- Related Organizational Units/Processes/Risks/Controls
- Task Status
- Authorization Process
- Log of Authorized Changes
- Log of Rejected Changes
- More
Open tasks can be distributed to the owners. An email will be automatically sent by the system to notify each owner of his or her tasks, with a link to the system. A reminder will be sent if the task date has passed, and escalation alerts and procedures can be defined to enable additional emails to be sent to selected managers or other individuals.
Risk Simulation
Risk simulation is an integral feature of the easy2comply Operational Risk module. A typical operational risk framework in many organizations includes several sources of information such as internal and external loss data, risk and control self assessment and key risk indicators. The Risk Simulations enable the analysis of this information by creating correlations between the different sources of information using various mathematical and statistical methods.
easy2comply Risk Simulation includes, but is not limited to, the following information:
- Organizational Loss Distribution Approach
  o Severity
  o Probability
  o Periodic (Annual, 3 years, 5 years)
- Various vertical and horizontal angles of analyzing LDA:
  o Per Business Unit
  o Per Business Line
  o Per Process
  o Per Category Type
  o Per Horizontal Units
- Value at Risk Calculations using:
  o Monte Carlo Simulation
  o Historical Simulation (in development)
  o Variance Covariance Matrix (in development)
- Residual Risk Distribution
- Control Status Analysis
- Heat Maps
- Horizontal Risk and Control Analysis
- More
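As an added illustration of how the internal loss database (see Loss Data above) feeds the Monte Carlo Loss Distribution Approach listed here, the following Python code fits a Poisson frequency and a lognormal severity per business line to a constructed set of loss events, simulates annual aggregate losses and reads off a Value at Risk figure. It is example code, not part of the white paper or of the easy2comply product; the event records, business lines and amounts are invented, and the 99.9% confidence level is the Basel II convention assumed for the capital figure.

```python
import math
import random
import statistics
from collections import defaultdict

# Constructed sample of internal loss events (not real data): (event_id, business_line, year, gross_loss)
LOSS_EVENTS = [
    ("LE-001", "Retail Banking", 2005, 12000.0),
    ("LE-002", "Retail Banking", 2005, 3500.0),
    ("LE-003", "Trading and Sales", 2005, 150000.0),
    ("LE-004", "Retail Banking", 2006, 180000.0),
    ("LE-005", "Retail Banking", 2006, 900.0),
    ("LE-006", "Trading and Sales", 2006, 42000.0),
    ("LE-007", "Retail Banking", 2007, 25000.0),
    ("LE-008", "Retail Banking", 2007, 7200.0),
    ("LE-009", "Trading and Sales", 2007, 610000.0),
]

def fit_lda_parameters(events, years):
    """Per business line: Poisson frequency (events/year) and lognormal severity (mu, sigma)."""
    by_line = defaultdict(list)
    for _, line, _, loss in events:
        by_line[line].append(loss)
    params = {}
    for line, losses in by_line.items():
        logs = [math.log(x) for x in losses]
        sigma = statistics.stdev(logs) if len(logs) > 1 else 0.0  # single event: no spread to estimate
        params[line] = (len(losses) / years, statistics.fmean(logs), sigma)
    return params

def poisson(lam, rng):
    """Knuth's multiplicative method; adequate for the small event rates seen in internal loss data."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1

def simulate_annual_losses(params, n_years, seed=2008):
    """Aggregate loss for each simulated year: one frequency draw, then one severity draw per event."""
    rng = random.Random(seed)  # fixed seed keeps the simulation reproducible
    totals = []
    for _ in range(n_years):
        total = 0.0
        for lam, mu, sigma in params.values():
            total += sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(lam, rng)))
        totals.append(total)
    return totals

def value_at_risk(totals, confidence):
    """Empirical quantile of the simulated aggregate-loss distribution."""
    ordered = sorted(totals)
    return ordered[min(len(ordered) - 1, math.ceil(confidence * len(ordered)) - 1)]

def oprisk_capital(events, years, confidence=0.999, n_years=20000):
    """Expected annual loss and the confidence-level VaR (the Basel II-style capital figure)."""
    totals = simulate_annual_losses(fit_lda_parameters(events, years), n_years)
    return {"expected_loss": statistics.fmean(totals), "var": value_at_risk(totals, confidence)}
```

Running `oprisk_capital(LOSS_EVENTS, 3)` gives the expected loss and the 99.9% VaR for the constructed three-year history; with nine events the parameter fit is illustrative only, which is why the paper stresses that the loss database must build up over time before it supports capital calculation.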
Reporting
easy2comply provides management reporting tools for both regular and ad-hoc reporting requirements, including dashboards, pre-built, standardized reports and a user-friendly report generator. The outputs generated by the different reporting options can also be exported to external tools such as Excel, PDF, PowerPoint and Word, and allow the organization to identify trends and to perform analysis from multiple perspectives as outlined below.
The Operational Risk Management Module supports multiple building blocks including:
- Organizational Units
- Processes
- Risks
- Controls
- Loss Data
- KRIs
- Simulations
- IT Systems
- Business Lines
- Risk Categories
- People
In easy2comply, each building block can serve as a basis for analyzing the information and aggregating the data. You can view graphic dashboards with drill-down capabilities and run both textual and graphical reports, such as pie charts and distribution schemes.
The easy2comply Report Generator enables authorized users to define their own report templates and re-use these templates at any time or in conjunction with any building block. When building a report template, all database fields are available for selection and can serve as a basis to filter the information when running the report.
Key Benefits of Proposed Solution
The main benefits an organization can enjoy from deploying easy2comply Operational Risk Management modules are:
- Increased accuracy and visibility of your risk information
- Faster identification and remediation of deficiencies
- Increased management insight
- Optimization of business performance
- Reduced cost and complexity of your operational risk process
- Integration of all risk management components on a single, coherent platform
- A robust software architecture that incorporates current and future operational risk management needs
About easy2comply
The easy2comply software platform is composed of 5 solution families:
- Operational Risk Management
- Internal Control Management, including SOX, MiFID, Turnbull, JSOX, etc.
- IT Risk and Governance, including CobiT, ISO 27001/17799, BCP, BCM, ITIL, etc.
- Internal Audit Management module
- General Compliance Framework, a toolkit for customization to specific governance and compliance needs (e.g. LOPD, etc.)
About Dynasec
Dynasec Ltd. is a leading provider of Governance, Risk Management and Compliance (GRC) solutions. Our flagship product, easy2comply, is the perfect answer for businesses of all sizes seeking to simplify their compliance and risk management processes.
easy2comply can be deployed either on-demand (SaaS) or on-site to suit each customer's preferred configuration. We serve customers in many markets including: financial institutions, telecom, energy, government, pharmaceutical, healthcare and commercial organizations.
Dynasec's customers include financial institutions, telecom, energy and many other enterprises. The Dynasec customer base includes:
Financial Sector                       Government, Energy, Telco, Other Sectors
Rabobank                               Dutch Ministry of Social Services
Generali (Migdal)                      Israel Electricity Company
Mitsui Sumitomo Insurance              Ormat Thermal Power
Dexia                                  Israel Water Authority
Prisma Financial Services              Clalit Health Services
Mastercard Israel                      Cellcom
Phoenix Insurance                      Blue Square retail
Bank Igud                              Gilat Satellites
Leumi Group                            Ministry of Finance, Division of Capital Markets, Insurance, Savings
Bank Hapoalim
First International Bank of Israel     Zim Shipping Lines
United Mizrahi-Tfahot Bank             Netafim Drip Irrigation
easy2comply Practical Compliance Solutions
affordable. reliable. easy2deploy.
www.easy2comply.com