Ppt Bcg Model Strategic Management by fhq89400

VIEWS: 1,727 PAGES: 26

Ppt Bcg Model Strategic Management document sample

More Info

Perspectives on operational risk management
Oxial Breakfast Meeting

London, 15 July 2010
BCG in risk management
Integrating risk with business and strategy

               Business needs:                             BCG proposition:                              BCG products:
           “Rethinking the role of risk                “Turn risk management into                       “ From strategy to
                 management ”                            competitive advantage ”                         implementation”
    • Risk function needs to evolve to be more      • Focus on aligning risk strategy with        Examples:
      efficient and effective                         business goals and organisation             • Risk management diagnostic
    • Banks are changing their focus from risk      • Implement economic capital management         (market, credit and OpRisk)
      methods and data to governance and risk         and integrate it into strategic decision-   • Design and organization of an
      strategy                                        making                                        effective and efficient risk function
    • Time to implement complex risk concepts       • Improve risk management processes           • Implementation of economic capital
      (e.g. economic capital, risk-based pricing,   • Identify and leverage risk management         and active portfolio management
      etc..) and turn them into business              capabilities that can add value to the        strategy
      advantage                                       business                                    • Implementation of a risk-based
    • Post subprime crisis, necessity to improve    • Design and implement new risk                 pricing approach
      control and management of innovation            management operating model for greater      • Treasury processes and liquidity
      process (e.g. introduction and                  efficiency and effectiveness                  risk management
      management of complex instruments)            • Improve risk culture within the             • Operational risk management
                                                      organisation                                • Risk management process

                         BCG is ideally positioned to serve the FS industry with its unique combination of
                               expertise in risk management, organisation and business strategy

BCG Presentation OpRisk 15-07-2010.ppt                                                                        Confidential                  1

Operational risk management today

Lessons learned from a recent rogue trading event

Guiding principles of the new OpRisk approach


BCG Presentation OpRisk 15-07-2010.ppt              Confidential   2
What we are hearing (1)

                                     CULTURE                        CONTROLLER INDEPENDENCE
                                             on                     “Controllers shou
             “We have a culture of producti                       challenge the busi
                                                                                      ld be independent
                                                                                                           and able to
                & not a culture of control”                                          ness. Today, it is
                                                                                                        hardly the case”
                                              ore how much I
                   “Our culture has been m
                                            how I earned it”                                  e is at cost of effectiveness
                     earned, rather than                           “But too much independenc
                                                                                                 e away from the business ?"
"It is key than putt
                    ing new means for                             How can you add value if you'r
        second level control          the
                            s do not                                           "Ensure the functio
       deresponsibilise the st                                                                    n is high up in the
                            1 level"                                              Capital Markets man

                          ACCOUNTABILITY                               HUMAN CAPITAL & MEANS
                                                                                           re complex, and we lack the
                                                                  “Products are more and mo
                                                                                             lly challenge the pricing”
         “We tried sending alerts on anomalies, but                 product knowledge to rea
          they were often too vague so that no one
                       felt responsible”
                                   trols and compliance of                                         r control function
     “Who is accountable for con                                     We have difficulty staffing ou
                                 partially processed in Lond
  operations initiated a abroad,
                                                                            "It is key to have ex
                      "Who should be ac                                                           perienced people on
                                       countable for end to                   this function and to
                          security on busines               end                                     pay them well"
                                             s processes ?"
BCG Presentation OpRisk 15-07-2010.ppt                                                          Confidential               3
What we are hearing (2)

                                                          “We have launched a huge IT project to improve security”
                “Most of our controls are histor
                No one tells us whether they
                                                                    "We are creating
                                                                                     an OpRisk networ
                                                                                                         k at the MO
                       appropriate or not”                                level to exchange
                                                                                             good practice”
                                                        “A lot of new tools and new initiatives launched
                                          view on our
                    “N o one has a global                      since one year by the OpRisk guys"
                          control effectivene                             “We are thinking
                                                                                            to create new expe
                                                                                                d processes who co
                                                                       func tion on products an
                                                                                                   ess definition”
                                                                              have a role for proc

                              PRACTICALITY                                       SCOPE

                                                                                         tions are
                                                              “Controls made in the loca
                                                                                      t follow them”
    “I don’t want a clever but unrealistic proposal.        managed locally. We do no
        I want to be sure we can implement it”                   “Rogue t
                                                                         rading sh
                                                                     the oper      ould not
                                                                              ations se      be the on
     We are to take into                                                                curity de      ly focus o
                         account from the                                                         partmen        f
            implementation in             beginning                                                        t”
                               our locations

BCG Presentation OpRisk 15-07-2010.ppt                                                    Confidential                4
Operational risk management needs to change
The need to put operational risk management at the top of the business agenda
• Improved risk management is key to improve banks' reputation and for regaining trust of clients and
• Senior management expects a "zero tolerance" objective for operational risk
• However, a new approach that is only driven by the risk function is likely to encounter significant challenges
  as risk culture, superior detection mechanism and effective control management can only be achieved with
  the commitment of all
• Therefore, to be fully effective, the new operational risk management model will need to be embraced
  and supported by the top management, the business lines and obviously the risk function
As expectations are rising, a new operational risk management approach is
• As shown by the recent crisis, most risk management models are not fully equipped to address these
  challenges as relying mainly on formalization of controls and governance as well as capital measurement
• While these features are important, a new approach needs to emerge from five guiding principles
The deployment of such new model will face significant challenges though
• Operational risk management has been vastly underrated in many financial institutions in spite of its
  critical role in the crisis and its potential to create or destroy the value for banks
• While in the past, effectiveness was the main driver of risk management, now top management is also
  focusing on efficiency matters. Risk management functions will have to do better with less.
• Most banks are in the process of a significant transformation that could increase its risk profile.
BCG Presentation OpRisk 15-07-2010.ppt                                               Confidential            5

Operational risk management today

Lessons learned from a recent rogue trading event

Guiding principles of the new OpRisk approach


BCG Presentation OpRisk 15-07-2010.ppt              Confidential   6
Recent fraud example

 Fictitious transactions
    • Entry of deals into FO system and then cancellation or modification of those fictitious deals before
        any controls or confirmations with counterparty is made
          – Use of "pending" counterparty name in the system. Counterparty not yet referenced in the
             global customer system
          – Use of counterparty where no collateral agreements were in place
          – For certain types of trades (e.g. OTC trades with differed start date (around D+30)) the
             cancellation of these trades is done before the confirmation date. For those types of
             counterparties, the confirmation is only done 5 days before value date so technically no
             possible controls for 25 days.
          – Use of internal counterparties; the cancellation of these trades is done when a control is
             occurring or just before
 P&L adjustment
    • Entry of fictitious buy/sell transactions for the same notional but at different prices
    • Intra-month "reserve P&L" adjustment
 Use of false emails
    • To show email confirmation from counterparties
    • To justify cancellations or modifications of trades to BO and MO

 BCG Presentation OpRisk 15-07-2010.ppt                                                    Confidential      7
How frauds are being discovered

Alert: counterparty exposure too high!

20 days to discover the fraud
     •    Monday 31st of December: entry of 8 fictitious deals
               –    Entry of 8 forwards with internal counterparty name which is then changed two days later to a external counterparty (a broker)
     •    Saturday 19th of January 2008: discovery of the fraud

27 agents involved in the discovery process
     •    BO
     •    MO
     •    Counterparty risk
     •    IT
     •    Accounting
     •    Basel II team
     •    Compliance

64 exchanges (email, meetings, calls)
     •    14 exchanges with the fraudster
     •    50 exchanges between departments (MO, Counterparty risk, Compliance, Basel II, Accounting)

BCG Presentation OpRisk 15-07-2010.ppt                                                                                           Confidential        8
Contributing factors to the fraud

 1     Deep knowledge of controls and systems by the fraudster
         • In SG, Jerome Kerviel came from BO and MO positions
 2     Large volumes of operations and use of diverse instruments
         • More than 400 transactions per day
 3     Stressed environment
          • Market crisis (e.g. subprime crisis) distract attention
 4     Fragmented controls; lack of certain controls
          • Out of market prices, internal deals reconciliations, holidays checking, remote access, application
            access, etc..
 5     Market practices on confirmation
 6     Cost cutting environment
         • No Futures position at trader and desk level – only at LOB level –
 7     P&L driven culture
         • Very difficult to challenge FO
         • Passive attitude to controls

BCG Presentation OpRisk 15-07-2010.ppt                                                       Confidential         9
Basel II did not help much ....

        A very "controlled" environment...                                           ...that masks critical weaknesses

                 Oversight                                 Tools and data                    Oversight                             Tools and data

                                              OpRisk Loss database            Risk culture                          Detection tools
  Regulators              External auditors

  Internal control        Risk                Risk control self-assessment                                          Integrated view across controls and risks

                                              Trading surveillance
  Internal auditors       MO                                                                                        Overview of controls in place
  Compliance             Management                                                                                 Relevant and accurate reporting
                                              Monthly reporting

      Organization and people                                Governance           Organization and people                             Governance

                                                                             Compensation                           Effective "governance model"
Central OpRisk department                     OpRisk Committees
                                                                                                                    Strong role of Risk in innovation and
"Local" OpRisk managers                       Vast set of controls                                                  growth related decision

                                                                             "Real" independence                    Stress testing of controls
Independent control functions

                                                                             Adequate allocation of control staff   Clear formalisation of roles and accountability

                                                   A new operational risk model is now required

BCG Presentation OpRisk 15-07-2010.ppt                                                                              Confidential                                      10
Key themes to consider

     • Too much quantitative analysis: the current lack of judgment

     • Weak signals not converting into strong signals

     • Poor risk-aware culture

     • The illusion of total control

     • Innovation and industrialisation of processes

     • Sociologic aspects not taken into account

BCG Presentation OpRisk 15-07-2010.ppt                           Confidential   11

Operational risk management today

Lessons learned from a recent rogue trading event

Guiding principles of the new OpRisk approach


BCG Presentation OpRisk 15-07-2010.ppt              Confidential   12
Proposed operational risk management guiding principles
Based on five key pillars

                                                          Structural alignment
                                                           of key capabilities

                         1                     2                     3                 4                         5

                Effective and             Superior             Coherent and       Strong risk             Process
                 efficiency               detection              efficient         culture &           effectiveness
                   control               capabilities            risk and        accountability             and
                environment                                     compliance                             competency
                   "Fewer                "Be proactive                               "Make
                 controls but             not reactive"          "Integrate,       individuals           "Enable the
                better control"                                     don't         responsible"            business"

                              Experience has shown that effective operational risk management
                                   can only be achieved with all these critical capabilities
BCG Presentation OpRisk 15-07-2010.ppt                                                            Confidential         13
               Pillar 1. Fewer and better controls
               Risk controls are vulnerable under extreme stress

                   While traditional audits revealed limited                                                                                         … large losses occurred when “acceptable”
                                 weakness …                                                                                                                  controls failed under stress

                                                                                                                                                                         Currencies (Europe)                    Currencies (U.S.)

                                                                                                                                      Control adequacy1
                                                                                                                                                                        41%               24%                  24%      4%    13%

                                                                                                                                                                         4%      7%       17%                  4%       4%    33%
                                                                                                     31%                                                  Acceptable
                                                                                   41%                                   41%
                   Control adequacy1

                                              Strong                65%                                                                                                                   7%                            4%    11%
                                                                                                                                                                        Low    Medium High
                                                                                   41%                                                                                  Control vulnerability 2
                                                                                                                                                                         High Yield (Europe)                         MBS (U.S.)
                                         Acceptable                 28%

                                                                                                                                     Control adequacy1
                                                                                   18%               21%                                                                13%               18%                  17%      4%        20%
                                           Deficient                                                                     14%                                  Strong
                                                                  Currencies     Currencies        High Yield             MBS                                            4%      7%       37%                           4%        41%
                                                                   (Europe)        (U.S.)          (Europe)              (U.S.)                           Acceptable

                                                                                                                                                                                          21%                                     14%
                                                                                                                                                                        Low    Medium High
                                                                                                                                                                        Control vulnerability 2

                                            Strong Controls                    Adequate Controls                Deficient Controls                               Vulnerability Quadrant             Failure Point

                                       Disguised Client Example

(1) Control Adequacy: Ability of risk controls, if faithfully
executed, to mitigate risk and hold up well under everyday
(2) Control Vulnerability: Degree to which the risk control can
be subverted by application of extraordinary stress

             BCG Presentation OpRisk 15-07-2010.ppt                                                                                                                                             Confidential                            14
  Pillar 1. Fewer and better controls
  Ensuring consistency and consistency of controls

                                                                                   Through process control integration

                                                    Access      Deal booking       Limit check   Confirmation           Reconciliation   Payments           P&L

                               FO             2.3    2.1        4.1   3.2            3.1a

    Cross                      MO              2.1             3.1a 3.2                                                                      3.7
   control                     BO              2.1                                               3.3     3.4              3.4
                               RISK            2.1                3.1a               3.1b

                                IT           2.1    2.4

                                              Support             3.6

                         2.1    Password changes             3.1a Controls on nominals                 3.3     Deferred dates trades         3.7    Payments check
                                                                  of transactions                              control
                         2.3    Biometric system             3.1b Limits on open interests             3.4     Internal counterpart          4.1    Ban between FO and
                                                                  and nominals                                 confirmation                         MO
                         2.4    HT/IT consistency            3.2 Supervision of errors                 3.6     Holidays Monitoring
                                check                             and cancellation

                                            Objective is to reduce over complexity, distraction to the
                                               business, resource constraints and cost increase
   BCG Presentation OpRisk 15-07-2010.ppt                                                                                                    Confidential                15
Pillar 1. Fewer and better controls
Important to rethink the control framework to avoid gaps, duplications and false sense of protection


         Periodic                                                                           Audit

                             Check controls
                              effectiveness                       Culture                                         of controls
                Supervision of
                                                                                                             Account           Indepen
                                                                                                              - able            - dence
                        Check that controls         Permanent supervision                                                                          PC = Product Control
                                 are done                                                                                                          FO = Front-Office
                                                                                                            External Permanent                     BO = Back-Office
                                                                                                                                                   MO = Middle-Office
                                                                                                                  Control                          COM = Compliance
         control                    Execute
                                    controls                                                                                                                 Gaps
                                               FO       MO     BO                                                        BO/
                                                                                                          Risk   COM            PC   Fraud

                       Define control policy                               Policies and standards
                             and standards

                                                                      Control excellence and standards
                                                Staff             Hierarchy          Dedicated function      Operating          Specialized   Person in
                                                                                        in the entity        Function1           function2      charge

                                                             Within entity control                                 External to entity
                                                              (where risk occurs)                                  (where risk occurs)

BCG Presentation OpRisk 15-07-2010.ppt                                                                                                        Confidential                16
Pillar 2. Be proactive not reactive
Interactions drive weak-signal acuity: applications to OpRisk detection system

                            Signal transmission                  The power of connectivity

                    High degree of separation                        Poor connectivity

                    Low degree of separation                         Rich connectivity

                  Lower attenuation of signals                 Better triangulation of signals

                    Signal/Noise ~ Attenuation L                  Signal/Noise ~ k ; ~ P

BCG Presentation OpRisk 15-07-2010.ppt                                           Confidential    17
Pillar 2. Be proactive not reactive
Creation of an OpRisk department with three areas of focus

                                           1                                                  2                                    3
                     Operational risk management
                                                                               Controls effectiveness                 Looking for trouble
       Operational risk                            Operational limits
                                                     monitoring                Ensure effectiveness of              Team to focus on extreme
   coordination & reporting
                                                                               controls through frequent            and new risks
                                                                               reviews                                •   Detect fraud patterns
Develop and manage OpRisk                      Permanently monitor              •   Maintenance of control                (based on a tool compiling
framework                                      operational risks                    repository                            indicators)
  • Define & ensure Governance                  • Based on operational          •   Control standard, quality         •   Anticipate new risks (e.g.
  • Define policies & standards                    indicators by process            and policy definition                 IT, contagion)
  • Set-up training                                /products /geo/desk          •   Monitoring of control             •   Alert and propose adequate
  • Controls repository                            (available FTEs, IS/IT           execution and detection of            remediation
                                                   indicators, operations           abnormal control situations
Measure, coordinate and advise                     stocks,… )                       (transversal view)
OpRisk management                                                               •   Identification of control
 • Identify key op risks                       Monitor trading volumes and          areas at risk
 • Monitor alerts & foster resolution          set-up limits to the business    •   Targeted and detailed
 • Measure OpRisk                                • Trading volumes                  assessment of
 • Advise operations                             • Pending trades                   effectiveness and efficiency
                                                 • New products / innovation        of controls in place
                                                 • Specific process             •   Control improvement
                                                    requirements                    recommendations

                                                                               Moving from advisory to             Development of new tools
     Advisor or controller?                     Problem of governance
                                                                                     challenger                            needed

Note: BCM=Business Continuity Management
BCG Presentation OpRisk 15-07-2010.ppt                                                                             Confidential                    18
Pillar 4. Make individuals responsible
Ensure clear formalization of roles and responsibilities along the OpRisk process

                                                   Define policy and             Define & Execute        Check controls are done Challenge controls
         Operational Risk Type                         standards                     Controls                                      effectiveness

               Execution / Process Risk                            Corporate               Business

                   P&L / Accounting Risk                            Finance

                                                                    OpRisk                            OpRisk Dpt.
                                     Fraud Risk                      Dpt.       Business
                                                     OpRisk Dpt.

                                         HR Risk                      HR                                            OpRisk Dpt.         OpRisk Dpt.
                                  System Risk                          IT
                            Compliance Risk                        Compliance
               Commercial Dispute Risk                               Legal

BCG Presentation OpRisk 15-07-2010.ppt                                                                                   Confidential                 19
Pillar 4. Make individuals responsible
OpRisk department to play a key role in compensation calculation

           Develop the bank              • Results orientation      Acting
                                         • Client focus             responsibly

                                                                    Client & bank long term
           Define strategy               • Strategic ability
                                         • People development
                                                                    Rigor & transparency
                                                                    Courage & discipline

           Teamwork                      • Change leadership
                                         • Cooperation
                                         • Team leadership
                                                                   (Ratio between 0 and 1)
                      (Same process as previous year)

                                                                      X M€ x 0 = .... 0 !
BCG Presentation OpRisk 15-07-2010.ppt                                       Confidential     20
Pillar 5. Enable the business
Example of BCG project for a large European bank

                                                      Risk Mitigation         Cost Optimization      Business Enablement

                                                Pricing and Hedging      Control Return           Capacity Management
                     Risk Advisory Services                              Business Architecture

                                                Loss Awareness           Change Risk Management   Top-down Risk Grading
                     Risk Insight Services      Scenarios

                                                     Historical Losses              Tools             Expected Losses
                     Risk Control & Monitor                                                                        Inherent
                     Services                                                                                        Risk

                                         Objective is to rebuild a new value proposition for OpRisk

BCG Presentation OpRisk 15-07-2010.ppt                                                                       Confidential     21

Operational risk management today

Lessons learned from a recent rogue trading event

Guiding principles of the new OpRisk approach


BCG Presentation OpRisk 15-07-2010.ppt              Confidential   22
 Understand where you are before changing

                                                                 Structural alignment
                                                                    key capabilities

                             1                      2                        3                  4                        5

                   Effective and               Superior               Coherent and        Strong risk           Center of
                    efficiency                 detection                efficient          culture &           competency
                      control                 capabilities               risk &          accountability        & business
                   environment                                         compliance                                services

                    Effectiveness of            "Looking for          Effectiveness of                            Client risk
                                                                                           Risk culture
                        controls             trouble" capacity         organisation                              management
Domains                                                                                                                          Low

                                               IT, tools and
                      Efficiency of                                    Efficiency of                             Product risk
                                               reporting for                               Governance
                        controls                                       organisation                              management
                                                 detection                                                                      Strong

                                          Diagnostic to provide a clear view of starting point
                                                          and potential gaps
 BCG Presentation OpRisk 15-07-2010.ppt                                                                   Confidential          23
Make it clear how you will contribute to the rest of the firm

           Raw and primitive                            Advanced and tailored to business needs

                              It does the job ...          ... Competitive advantage

                Satisfy the bare requirements:          Improve client experience: use
                minimize the potential legal,           enhanced risk management
                liability, and reputation risks, e.g.   capabilities as a value-added
                  • Mis-selling                         service:
                  • Fraud                                • Know the client better
                  • Technology breakdown                 • Educate the client
                  • Operational errors                   • High quality financial advice

BCG Presentation OpRisk 15-07-2010.ppt                                        Confidential        24
Questions ?

BCG Presentation OpRisk 15-07-2010.ppt   Confidential   25

To top