Prmia Handbook Professional Risk Managers Handbook
51 pages

OPS RISK MANAGEMENT 101
– people, process and systems considerations

A Higher Standard for Risk Professionals

Sofia Cachuela Ladores,
Regional Director PRMIA

Makati, April 22, 2009

www.prmia.org

Objectives

• To effectively manage operations risks
• To learn the best practices on ops risk management

Presentation Outline

• Risk Definition
• Types of Risks
• Models for Risk Management Action
• Sources of Ops Risk
• Elements of an Effective Risk Management System
• Risk Management Framework
• Ops Risk Tools

What is Risk?

- the possibility of a loss;
- the potential that events (expected or unexpected) may have an adverse impact on capital or earnings.

Risk = Uncertainty

"All of life is the management of risk, not its elimination."
Walter Wriston, former Citibank N.A. Chairman

Risks

Business involves taking RISKS in order to earn profits.

Risks

Is the existence of risk a cause of concern?

Not necessarily, as long as the management exhibits the ability to effectively manage that level of risk.

Models for Risk Management Actions (HOW TO MANAGE RISK)

Transfer – Transfer the risk or the consequences of the risk to a third party, or to the insurance market.

Terminate – Terminate the potential risk in the business: the probability of occurrence is too high, or when it occurs the severity / financial impact will be too great for your business.

Tolerate – Accept the risks: probability and severity impacts will not adversely affect the business, or you are able to manage those risks internally.

Treat – Severity impacts will not adversely affect the business, or you are able to manage those risks internally by providing protection systems & procedures.

Types of Risks
BSP Circular No. 510 – Supervision by Risk

• Credit
• Market (Cir. 544)
• Interest rate (Cir. 544)
• Operations
• Liquidity (Cir. 545)
• Compliance
• Strategic
• Reputation

Operational Risk

• Arises from problems with service or product delivery
• A function of:

  F(x) = Internal controls x Information systems x Employee integrity x Operating processes

Operational Risk

Sources of Operational Risk:
• People – internal/external fraud
• Process – inadequate controls, no standard procedures, no controls on outsourced functions, no contingency plan, no check and balance
• System – lack of maintenance, inadequate security measures

Risk Management Framework

A cycle of Identify, Measure, Control and Monitoring, applied to RISKS.

Risk Identification

• Identify and assess risk in the context of firm's strategic plan
• Identify and assess risk in the context of firm's target
• Identify critical systems that gather, process and store information
• Identify the risk in each phase of the process

Risk Identification

• Identify gaps/vulnerabilities
  - Determine if existing process provides adequate controls to protect important information.
  - Identify and prioritize gaps or vulnerabilities. Vulnerabilities are weaknesses that are present in a system or an environment that, if attacked, could result in significant harm.
  - Vulnerability assessment may require the firm to have tools and expertise to properly assess the technology that enables its system.

Risk Identification

• Identify threats
  Threats represent agents that can act on the vulnerabilities, to exploit them, and thereby cause harm; events or actions that could violate Confidentiality, damage Integrity,
  - Internal threats (malicious or incompetent employees, contractors, service providers, insiders that retained information or access privileges)
  - External threats (malicious hackers, recreational hackers, competitors, terrorists, natural and manmade disasters)

Risk Measurement

Peter Drucker: "If you can't measure it, you can't manage it."

Risk Measurement

Total Risk = Rate of Occurrence x Impact of an event

Probability of Occurrence = low or high; unlikely and very likely to happen

Impact or potential loss from threats/event may range from low to high impact, or insignificant to major damage

Risk Control

Approaches to control risks:
• Risk management via internal controls, policies, procedures
• Risk management via outsourcing or contracting out the activity
• Risk transfer via purchase of insurance coverage

Risk Control via Internal Controls

CONTROLS (Policies, Procedures, Practices) provide reasonable assurance that:
- Business objectives will be met
- Undesired events will be prevented, or detected and corrected

Internal Controls

Management should implement a control environment consistent with its risk assessment.
• Environmental controls;
• Preventive maintenance;
• Physical security;
• Personnel controls;
• Change management;
• Information controls;
• Event management

Internal Controls

POLICIES
• Should be approved by the Board
• Provide broad guidance in addressing risk tolerance and management
• Address key areas such as personnel, process and system, capital investment, physical security, change management, strategic planning, and business continuity.

Internal Controls

PROCEDURES
• Should be written and should describe the processes used to meet the requirements of the firm's policies and standards.
• Establish accountability and responsibility, provide specific controls for risk management policy guidance,

Internal Controls

• Environmental controls
  - Continuous uninterrupted power source
  - Adequate heating, ventilation and air conditioning
  - Heat, smoke and water detectors
  - Fire suppression systems

Internal Controls

• Personnel controls
  - Background checks for applicants
  - Org. structure should include dual controls and separation and rotation of duties
  - Life style checking

Internal Controls

• Information controls
  - Output controls: automated report management software and similar tools can facilitate the implementation of output controls.
  - Transmission: use of encryption technology in data transmission for authentication and to control repudiation,
• Storage/Backup
  - Data storage solutions to ensure the integrity and availability of data

Risk Monitoring

• Performance Monitoring
  - Report on performance vs. target
  - Activity logs
  - Problems logs
• Control self-assessment
  - validates the adequacy and effectiveness of the control environment

Elements of a Sound Risk Management System

Around the Identify / Measure / Monitor / Control cycle applied to Risks:
- Active Board and Senior Mgt. Oversight
- Adequate Procedures, Policies and Limits
- Effective Risk Measurement, Monitoring and MIS
- Comprehensive Audit

Board and Senior Mgt. Oversight

• Review, approve, and monitor risk policies
• Responsible for good governance and ensuring that the firm operates in a safe, sound, and efficient manner

Elements of a Sound Risk Management System

Around the Identify / Measure / Monitor / Control cycle applied to Risks:
- Active Board and Senior Mgt. Oversight
- Adequate Procedures, Policies and Limits
- Effective Risk Measurement, Monitoring and MIS
- Comprehensive Internal Controls and Audit

Comprehensive Internal Audit

Audit provides an important control mechanism for detecting deficiencies and managing risks.

OpsRisk Tools

Car Race Analogy: Equip the car with instruments

Risk Identification & Measurement Tool

• Risk & Control Self Assessment (RCSA)
  A process where all known risks are identified and their likelihood of occurrence and impact (quantitative or qualitative) are estimated.

Benefits:
1. Cultural Change – proactively manage operational risk through self-assessment of the effectiveness of internal controls.
2. Promote awareness of operational risk and control within units.
3. Basis for internal control certification to management.

Probability vs. Severity

Risk   Probability   Severity
1      Low           High
2      Medium        Medium
3      High          High
4      Low           High
5      Medium        Medium
6      High          Low

[Chart: the six risks plotted on a grid with Severity on the horizontal axis (Low to High) and Probability on the vertical axis (Low to High); each point is labelled with its risk number.]

Control/Mitigation Tools

• Policies & Procedures
• Product Manuals
• Manual on Signing Authority (MSA)
• Code of Conduct
• Risk Transfer (Insurance)
• Business Continuity Plan (BCP)

What is BCP

A plan which provides for continuity of business in instances where potential emergency situations or risks may become successful in causing major damage and/or disruption to the company's critical operations.

Elements of the BCP to be Tested

a) Business Recovery Team
b) Back-up Site
c) Back-up System
d) Procedures for Communicating Emergency Condition
e) Back-up Personnel

Elements of the BCP Manual to be Reviewed and Updated

a. Back-up operating site and covering MOA/SLA with the back-up site provider
b. Directory and succession list of officers and staff
c. Program for cross training of personnel
d. List of back-up personnel for each critical function of the business unit

Elements of the BCP Manual to be Reviewed and Updated (continued)

e. List of individuals, companies, law enforcement agencies, hospitals, fire dept., utilities whose assistance may be required during an emergency situation.
f. Directory list of policies, documents, files, forms, programs, diskettes, etc. and personnel in-charge
g. Calling Tree
h. Other elements of the BCP manual which appropriately need updating.

Risk Monitoring Tools

1. Audit
2. Reporting (Loss Event Report)
3. Key Risk Indicator (KRI)

Report on Loss Events

Columns of the report:

Date Discovered | Gross | Amount recoveries (Amt, Recovery Date, Source) | Net loss (Amount, Actual/Potential 1/) | Activity Code * | Full description of loss 2/

1/ indicate if actual or potential loss.
2/ must be full description of the event. A full detail is essential to allow any post-facto analysis of the event as required.

* refer to Glossary of Risk Events

Report on Loss Events – Purpose

(1) To build operational loss database for Basel II
(2) To prevent recurrence of loss via lessons learned.
(3) To help management focus on high risk areas

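The loss event report above is the input to the loss database, and the two footnotes are the data-quality rules a reviewer applies before a row is accepted. The following is an added example, not code from the presentation or from PRMIA: it models a row with the report's columns, rejects rows that break the footnote rules, and ranks accepted actual losses by activity code so that the high-risk areas stand out. The event rows, the activity codes (INT-FRAUD, SYS-FAIL, EXT-FRAUD) and the net-loss rule (gross amount minus amount recovered) are constructed assumptions; real codes would come from the firm's Glossary of Risk Events.

```python
"""Loss event register shaped like the 'Report on Loss Events' columns.

Added example; it is not material from the PRMIA presentation.  The event
rows, the activity codes and the net-loss rule (gross amount minus amount
recovered) are constructed assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class LossEvent:
    date_discovered: date
    gross_amount: float
    recovery_amount: float
    recovery_date: Optional[date]
    recovery_source: str
    actual_or_potential: str   # footnote 1/: "actual" or "potential"
    activity_code: str         # footnote *: code from the Glossary of Risk Events (constructed here)
    description: str           # footnote 2/: full description for post-facto analysis

    @property
    def net_loss(self) -> float:
        # Assumption: net loss = gross amount - amount recovered.
        return self.gross_amount - self.recovery_amount


def validate(event: LossEvent) -> List[str]:
    """Return the data-quality problems a reviewer would bounce the row for."""
    problems = []
    if event.actual_or_potential not in ("actual", "potential"):
        problems.append("footnote 1/: actual/potential flag missing or invalid")
    if len(event.description.split()) < 5:
        problems.append("footnote 2/: description too short for post-facto analysis")
    if event.recovery_amount < 0 or event.recovery_amount > event.gross_amount:
        problems.append("recovery amount outside 0..gross amount")
    if event.recovery_amount > 0 and (event.recovery_date is None or not event.recovery_source):
        problems.append("recovery recorded without date or source")
    return problems


def net_loss_by_activity(events: List[LossEvent], actual_only: bool = True) -> List[Tuple[str, float]]:
    """Aggregate net loss per activity code, largest first, so management sees the high-risk areas."""
    totals: Dict[str, float] = defaultdict(float)
    for ev in events:
        if actual_only and ev.actual_or_potential != "actual":
            continue
        totals[ev.activity_code] += ev.net_loss
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)


# Constructed sample rows (not real loss data).
SAMPLE_EVENTS = [
    LossEvent(date(2009, 3, 2), 50_000.0, 20_000.0, date(2009, 3, 20), "insurer", "actual", "INT-FRAUD",
              "Teller diverted customer deposits over six weeks; discovered during surprise cash count"),
    LossEvent(date(2009, 3, 15), 8_000.0, 0.0, None, "", "actual", "SYS-FAIL",
              "Core banking batch failed overnight; manual posting overtime and penalty interest paid"),
    LossEvent(date(2009, 4, 1), 12_000.0, 0.0, None, "", "potential", "EXT-FRAUD",
              "Phishing mails impersonating the bank reported by customers; no confirmed loss yet"),
    LossEvent(date(2009, 4, 10), 15_000.0, 0.0, None, "", "actual", "SYS-FAIL",
              "ATM switch outage for four hours; interchange fees refunded to customers"),
    LossEvent(date(2009, 4, 12), 300.0, 0.0, None, "", "", "INT-FRAUD",
              "teller shortage"),   # fails both footnote checks
]


def report(events: List[LossEvent]) -> Dict[str, object]:
    """Split rows into accepted and rejected, then rank accepted actual losses by activity."""
    rejected = {i: validate(ev) for i, ev in enumerate(events) if validate(ev)}
    accepted = [ev for i, ev in enumerate(events) if i not in rejected]
    return {"rejected": rejected, "ranking": net_loss_by_activity(accepted)}


if __name__ == "__main__":
    out = report(SAMPLE_EVENTS)
    for code, total in out["ranking"]:
        print(f"{code:10} net loss {total:>10,.2f}")
    for idx, problems in out["rejected"].items():
        print(f"row {idx} rejected: {'; '.join(problems)}")
```

Potential losses are kept in the register but excluded from the ranking by default, since mixing confirmed and unconfirmed amounts would distort which areas management is asked to focus on; pass actual_only=False to include them.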
Risk Monitoring Tools (continued)

Key Risk Indicator (KRI)
- a tool to estimate potential risks by monitoring early warning signals/red flags which serve as caution to avert losses.

Purpose:
a. To provide forward-looking alerts / trends on operational risk.
b. To cross-validate integrity of RCSA and risk event reporting process.
c. To measure the risks of operating processes based on preset thresholds.

Risk Monitoring Tools (continued)

Threshold Setting:
Thresholds and triggers communicate risk appetite, and provide a mechanism for monitoring and ensuring appropriate actions.

» Green – (low risk range) indicates normal operating condition.
» Yellow – (medium risk range) requires management attention.
» Red – (high risk range) requires immediate management attention.

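The two KRI slides above describe measurement against preset thresholds and forward-looking alerts. The following is an added example, not code from the presentation or from PRMIA, showing both: each reading is mapped to the green / yellow / red range, and a least-squares trend through the recent readings is projected a few periods ahead so that an indicator still in the green range can raise an early-warning flag before it reaches yellow. The indicator names, threshold values and weekly readings are constructed, and the code assumes that every indicator is "higher is worse" and that a reading at or above a threshold falls into that range.

```python
"""Key Risk Indicator (KRI) status against preset green/yellow/red thresholds.

Added example, not material from the PRMIA presentation.  The indicator
names, the threshold values and the observation series are constructed;
the code assumes each indicator is 'higher is worse' and that a reading
at or above a threshold falls into that range.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class KRI:
    name: str
    yellow: float   # at or above: medium risk range, requires management attention
    red: float      # at or above: high risk range, requires immediate attention


def status(kri: KRI, value: float) -> str:
    """Map one reading to the traffic-light range the threshold slide describes."""
    if value >= kri.red:
        return "red"
    if value >= kri.yellow:
        return "yellow"
    return "green"


def trend_alert(kri: KRI, history: List[float], horizon: int = 3) -> Tuple[bool, float]:
    """Forward-looking alert: fit a least-squares line through the recent
    readings, project it `horizon` periods ahead, and flag an indicator that
    is still green today but is projected to reach the yellow threshold.
    Returns (alert, projected_value)."""
    n = len(history)
    if n < 2:
        return False, history[-1] if history else 0.0
    mean_x = (n - 1) / 2
    mean_y = sum(history) / n
    sxx = sum((x - mean_x) ** 2 for x in range(n))
    sxy = sum((x - mean_x) * (y - mean_y) for x, y in enumerate(history))
    slope = sxy / sxx
    projected = history[-1] + slope * horizon
    alert = status(kri, history[-1]) == "green" and projected >= kri.yellow
    return alert, projected


def evaluate(kris: List[KRI], observations: Dict[str, List[float]]) -> Dict[str, Dict[str, object]]:
    """Current status plus forward-looking alert for every indicator."""
    out = {}
    for kri in kris:
        hist = observations[kri.name]
        alert, projected = trend_alert(kri, hist)
        out[kri.name] = {
            "current": hist[-1],
            "status": status(kri, hist[-1]),
            "trend_alert": alert,
            "projected": round(projected, 1),
        }
    return out


# Constructed indicators and weekly readings (not real data).
SAMPLE_KRIS = [
    KRI("unreconciled_items", yellow=20, red=50),   # open items in the suspense account
    KRI("failed_batch_jobs", yellow=3, red=6),      # overnight batch failures per week
    KRI("staff_turnover_pct", yellow=10, red=15),   # annualised turnover in the unit
]
SAMPLE_OBSERVATIONS = {
    "unreconciled_items": [5, 6, 8, 11, 15],   # green today, but rising fast
    "failed_batch_jobs": [1, 2, 4],            # already in the yellow range
    "staff_turnover_pct": [4, 5, 4, 5],        # green and flat
}

if __name__ == "__main__":
    for name, row in evaluate(SAMPLE_KRIS, SAMPLE_OBSERVATIONS).items():
        flag = " (trend alert: projected %.1f)" % row["projected"] if row["trend_alert"] else ""
        print(f"{name:20} {row['status']:6} current={row['current']}{flag}")
```

With the constructed readings, unreconciled_items is still green at 15 but its trend projects to 22.5 three periods out, past the yellow threshold of 20, so it raises the forward-looking alert the KRI slide asks for; failed_batch_jobs is already yellow and is reported as such without a trend alert.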
We are in the business of risk taking; hence...

Let Us All Be Risk Conscious...

"Anything that can go wrong, will—at the worst possible moment."
Murphy's Law

And finally...

Risk Management must be an ongoing process!!

Risk Management is everyone's business in the company.

Professional Risk Managers International Association
PRMIA – [PREE/mee/ah]

The meeting place of the risk profession:
• A "non-profit" organization governed by its members.
• Where ideas, people, resources and standards from around the world meet.
• These ideas must be improved and introduced in the local risk professional activities.

PRMIA CHAPTERS and MEMBERSHIP

• Over 60 chapters around the world and more on the way. New chapters – Los Angeles, Delhi, Brussels, Miami, West Indies, Turkey, Bermuda, Romania, Trinidad, Madrid, Bangkok, Taiwan and Australian chapters amongst others.
• These chapters host local meetings for those interested in the advancement of the risk mgmt profession.

Worldwide: Over 44,500 members in 179 Countries

Philippines
• Almost 1000 members

• PRM EXAM – The world's most comprehensive risk manager's exam.
• Foundation PRM = NON-QUANTITATIVE PRM exam, entry-level exam, released Q1 2008
• On-line exam

PRM HANDBOOK

• Electronic & hard format
• Available for download from PRMIA website.
• Contributions from 25 leading risk and finance practitioners from around the world.
• Wealth of case studies, practical information.