
Welcome to

Operational Risk Management


Webinar Series with
Dr. Ariane Chapelle

© 2017 The Professional Risk Managers’ International Association


Ariane Chapelle, PhD
• Active in Operational Risk Management since 2001
• Certified Internal Auditor (IIA), Member and Trainer from PRMIA since 2012, Fellow Member of the Institute of Operational Risk (FIOR) and Honorary Member of the Institute of Risk Management (MIRM)
• Honorary reader at University College London on Operational Risk Measurement
• Columnist for Operational Risk Magazine (risk.net)
• Formerly
• Head of Operational Risk Management at ING Group SWE (Belgium)
• Head of Insight and Operational Risk Framework Analysis at Lloyds Banking Group (UK)
• Owner and Director of Ariane Chapelle Consulting Ltd: www.chapelleconsulting.com


Audio and Questions
Your Participation
Open and hide your control panel

Join audio:
• Choose “Mic & Speakers” to use VoIP
• Choose “Telephone” and dial using the information provided

Submit questions and comments via the Questions panel

Note: Today’s presentation is being recorded and will be available within 48 hours using the recording link provided in the syllabus.

This material is the intellectual property of PRMIA and shall not be reproduced or used without the express written permission of PRMIA.



Attentiveness
An attendee will appear as "inattentive" during a session if the attendee no longer has GoToWebinar as the "active" window on their computer.

This is monitored during the poll questions. If you are shown as inattentive and you do not answer a poll question, you will not receive CPE credit.

The correct answer is not required to receive credit.


How Poll Questions Work
1. Click the circle next to your answer
2. Click Submit



Resources
• Operational Risk Manager Handbook
• Slide deck for today’s presentation

Bookmark and use the syllabus page!
http://www.prmia.org/orm-certificate/orm-online-series


Session 1

Regulation and Governance



Introduction
• How does this course relate to the PRMIA handbook?
• Closely
• With additional content

• How does the webinar work?
• Feel free to ask (written) questions anytime
• All questions will be addressed, either live or after the session

• What to expect from the exam?
• It’s completely feasible, but attentive reading and understanding of the handbook is necessary
• Much information on question distributions is available on the PRMIA website

• What if I don’t want to sit the exam?
• Not a problem, it’s optional. The content is useful anyway.
Overall Content – Webinar series
• Session 1: Regulation and Governance
• Session 2: Risk Management Framework
• Session 3: Risk Appetite
• Session 4: Risk Assessment
• Session 5: Operational Risk Analysis
• Session 6: Scenario Analysis
• Session 7: Key Risk Indicators
• Session 8: Risk Modelling
POLL QUESTION - 1
• What is your main objective for this course (all sessions)?
a) Upgrade my practice in operational risk
b) Obtain the Certificate
c) Compare what I know in risk management to PRMIA’s handbook
d) Just curious
e) Other


Content of Session 1
• Chapter 1: Foreword (handbook)
• Embedding Good Practice in a Changed Regulatory Environment

• Chapter 2: Risk Governance (handbook)
• Governing and Governance
• People
• Process
• Results
• Horizons of Governance


Chapter 1:
Changing Regulatory
Environment



Changing Environment
• Context:
• 1988 – 2008: “Great Moderation” period; unparalleled economic growth, but also growing complacency and deregulation
• 2008: crisis and “Great Recession”, leading to re-regulation movements, reconstituted FSB (Financial Stability Board), Basel III and renewed Core Principles for Banking Supervision
• “Best” practices are always changing; embedding “good” practices is more encouraging and robust


Aims of Financial Regulation
• Regulation – Three policy objectives:
1. To ensure the solvency and soundness of all financial intermediaries
2. To provide depositors protection from undue risks (failure, fraud, opportunistic behaviour)
3. To promote the efficient and competitive performance of financial institutions

• Supervision
• Implementation of regulation

• Internal controls
• Undertaken by a financial institution to prevent or detect fraudulent behaviour
Basel II: Operational Risk
... is the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. (Basel II, Solvency II)

[Figure: examples of operational risk event types, including execution errors and employment practice]


Regulatory Focus Areas Today
• Risk managers to engage with non-executive directors
• Good quality management information (especially risk reports)
• Test whether decision processes are being used
• How outsourcing is managed
• Ensure rewards structures are appropriate, and protecting whistle blowers
• Understanding risk concentrations (within and across risk types)
• Three lines of defence
• Genuine intentions, good faith
Chapter 2:
Risk Governance



Governance: Definition
• Governance is a structure specifying the policies, principles, and procedures for making decisions about corporate direction. Governance structures typically distribute rights and responsibilities among stakeholders in the corporation such as the board of directors, managers, employees, shareholders, creditors, auditors, regulators, governments, the public, and other stakeholders.
• The structures can be categorized roughly as organization of people, implementing process, and evaluating results.

ORM Handbook, p. 25
Origin: CG Reports
• 1992 Cadbury Report – “The Financial Aspects of Corporate Governance: Final Report”
• 1995 Greenbury Report – “Directors' Remuneration: Report of a Study Group Chaired by Sir Richard Greenbury”
• 1998 Hampel Report – “Committee on Corporate Governance” that initiated The Combined Code
• 1999 Turnbull Report – “Internal Control: Guidance for Directors on the Combined Code”
• 2001 Myners Report – “Institutional Investment In The United Kingdom: A Review On Institutional Investors”
• 2003 Higgs Report – “Review Of The Role And Effectiveness Of Non-Executive Directors”
• 2009 Walker Review – “A Review Of Corporate Governance In UK Banks And Other Financial Industry Entities”

• The starting point for Turnbull compliance is that the directors have identified and assessed significant risks facing the company
Turnbull Report: Risk and Responsibilities
• “(Board) policies should take account of the risks faced by the company, its risk appetite, the controllability of the risks and the cost/benefit of the controls identified. The control system should be embedded and responsive, it should include procedures for reporting failures and weaknesses, together with the corrective action taken.”
• General Imperative
• [Listed] companies are expected to have a sound system of internal control in place to safeguard shareholders’ investment and the company’s assets.
• Risk Review Process
• Management needs to review the effectiveness of internal controls on at least an annual basis; the risks facing the organization should be regularly evaluated; your review should include risk management, operation and compliance, as well as financial controls.
• Board Responsibilities
• Risk management is the collective responsibility of the whole Board; the Board is ultimately responsible for internal control, but may delegate aspects of the review work; the Board needs to keep under review the need for an internal audit department.


OECD 2004: Six core principles
• The corporate governance framework should:
1. Promote transparent and efficient markets
2. Protect and facilitate the exercise of shareholders’ rights
3. Ensure the equitable treatment of all shareholders, including minority and foreign shareholders
4. Recognize the rights of stakeholders established by law or through mutual agreements
5. Ensure that timely and accurate disclosure is made on all material matters regarding the corporation
6. Ensure the strategic guidance of the company, the effective monitoring of management by the board, and the board’s accountability to the company and the shareholders


Risk Governance
• “risk governance is a structure specifying the policies, principles, and procedures for making decisions about managing corporate risks.”
• PRMIA’s 10 principles of good governance:
1. Key competencies
2. Resources and processes
3. Ongoing education and development
4. Compensation architecture
5. Independence of key parties
6. Risk appetite
7. External validation
8. Clear accountability
9. Disclosure and transparency
10. Trust, honesty and fairness of key people

ORM Handbook, p. 30
Risk Management: People

[Figure: risk governance and escalation structure, ORM Handbook, p. 32. Decision authority groups on the left (Board: strategic, sets risk appetite; Divisional Boards: budgetary; Business Function Management: risk taking, implements) and on the right the risk committees that recommend to, challenge and monitor them (Board Risk Committee; Divisional Risk Committees; Business Risk/Control Committees). Risk governance flows down from the Board and is implemented by the business; issues escalate upward through each level. Axis labels: Strategic, Budgetary, Risk Taking, Controlling.]


Board
• Under the OECD and other guidance, the board has full responsibility for risk. The board should:
• confirm that the set of strategic risks and their priorities adequately reflects the current environment;
• ensure that substantial audit processes are in place;
• consider and then decide whether controls for identified areas of risk are appropriate;
• ensure that outcomes from the risk management process form the basis for the development of the strategic audit and annual audit work plans;
• review and comment on the annual risk management report by the chief risk officer.


Roles of the Risk Function
• “The Board is responsible for determining the nature and extent of the significant risks it is willing to take in achieving its strategic objectives (…) and should maintain sound risk management and internal control systems.” – UK Corporate Governance Code, 2010
• Three fundamental roles of the risk function:
1. Assist in the definition of risk appetite for the business and the Board.
2. Monitor the risk exposure within risk appetite and own the risk management framework.
3. Challenge and advise on business decisions regarding risk-taking.

Source: A. Chapelle, M. Sicsic, “Building an invisible framework for risk management,” Operational Risk and Regulation, July 2014
Risk function reporting to the Board
• Advise on operational risk appetite and capacity
• Present a risk map of the organisation, highlighting:
• Risks approaching or in excess of risk appetite
• Action plans for risk mitigation priorities
• Important emerging risks
• Prime objective: avoid catastrophic losses through monitoring and effective challenge

[Figure: risk map plotting each Division/Activity by Risk Frequency against Risk Severity]


POLL QUESTION - 2
• How would you qualify the level of risk awareness / risk education of your Board (anonymous answers!)
a) Good. They all received specific training
b) Partial. Only risk committee members have been trained
c) Insufficient. More training is needed
d) I don’t believe they need specific risk training
e) Other


Chief Risk Officer
• The Walker Report (2009): “Alongside an internal reporting line to the CEO or CFO the CRO should report to the board risk committee, with (...) direct access to the chairman of the committee in the event of need (…)”
• The priority for the CRO is to ensure that the organization is managing risks and is in full compliance with applicable regulation. Compliance is not performance.

Typical set of responsibilities:
• Provide a risk strategy, a summary of risks and how they are being managed and measured; inform the Board about critical and emerging risks.
• Establish and maintain risk analysis and reporting.
• Ensure compliance & business continuity.
• Establish links on common risk issues for organization-wide resolution.
• Embed a firm-wide culture of risk awareness and risk management.

ORM Handbook, p. 34
Risk Aware CEO
• The CEO of a business is ultimately responsible for every incident and risk event.
• Therefore, the CEO should:
• Seek the most transparent and comprehensive information on risk issues and potential threats.
• Require full risk awareness and contingent planning from his or her direct reports.
• Promote a risk culture throughout the organisation.
• Support the risk function and internal audit.
• Promote risk communication.
• Punish risk negligent behaviour.


Risk Roles and Responsibilities: Businesses and Functions
• Own the risks arising from their business activities.
• Measure and control those risks.
• Record and communicate relevant risk events using group taxonomies.
• Regularly self-assess risks and controls using group taxonomies.
• Define and implement appropriate corrective actions to mitigate excessive risk.


Three lines of defense model
First line: business operations
• Front line of risk management
• Real line of risk management
• Risk is managed where it is generated

Second line: risk management
• Methodology unit and coordination
• Oversight and harmonisation of practice
• Advice and support
• Challenge if need be

Third line: internal audit
• Independent review and assurance
Partnership Model: Bupa Global Market Unit

[Figure: BGMU Partnership Model, reconstructed here as its three columns]

Line 1:
• Implement the ERMF
• Monitor changes in the Risk Profile
• Assess changes in Risk Profile against Appetite
• Implement the Risk Policies (ERMF including Controls)
• Deliver the Business Plan within Appetite
• Consider risk in all significant business decisions

Partnership between 1st LoD and 2nd LoD:
• Aligning the Business and Risk Strategy
• Identify all material risks via the Governance process
• Escalate Risk Appetite breaches
• Agree Risk Appetite Limits/Thresholds
• SAST/RST Workshop
• Set an appropriate capital buffer
• Deliver the elements of ORSA Report

Line 2:
• Develop the ERMF
• Provide oversight and independent challenge
• Agree Key Risk Indicators
• Provide risk assurance
• Provide an independent and forward looking view
• Validation of the Capital Model
• Line 2 Validation Report

Source: A. Y’Barra, Head of Risk BGMU, IOR presentation 2013, reproduced with permission
Risk Management: Process
• Regarding risk management, the corporate view might be that it is the risk management process that:
• attempts to identify, assess, and manage corporate risks;
• supports the strategic plan and defines appetite for risk;
• assigns clear responsibilities for risk management;
• monitors and tracks individual, departmental, and corporate progress on managing risks.

ORM Handbook, p. 39


Input of the System: Risk Profile (& Information Quality)

! Be aware of information quality to avoid misleading results

Handbook excerpt shown on the slide (cut off at both ends):
“… differing assumptions (e.g., staff headcount over the next three years) or qualitative information (e.g., likely improvement in productivity due to increased staff morale arising from better working conditions). Disinformation (i.e., information that has not been validated, and that is deliberately false or misleading) can damage risk analysis seriously. Strategic decisions involve high risks and rewards, but poor quality information might mean other strategic risks are misclassified as unimportant. The following presents this diagrammatically:

Low severity, high likelihood

For example, all computers fail eventually, but is it worth having a maintenance contract, or is it better to have a “chuck and replace” policy (i.e. throw the machine …”
Process: Viable System Model (VSM) in Cybernetics

1. Input
• Quality, completeness, and relevance of data
• Correct application and control of models
• Expert judgment to challenge and augment data and models

2. Process
• Accept, mitigate, transfer risk
• Or eliminate risk by exiting or fundamentally changing underlying activities

3. Output
• Agreement on and resourcing for agreed process
• Prioritization needed when resources are limited

4. Feedforward
• Anticipate risk implications of business strategies
• Anticipate and budget required risk processes

5. Feedback
• Evaluate effectiveness of risk management activities by looking at actual vs expected outcomes
• Evaluate and seek to improve cost/benefit of risk management activities

6. Monitoring
• Establish clear requirements for risk reporting/data from the organization
• Monitor and measure exposure relative to risk appetite

7. Governance
• Downward flow of risk appetite/capacity information, policy and reporting requirements
• Upward escalation of policy exceptions, excessive risks, resource gaps

[Figure: handbook diagram of the seven elements of the viable system model, numbered 1 to 7, with Control & Monitoring (System 3) highlighted; the handbook presents the list above as a simpler, more memorable rearrangement and renaming of the seven elements]

ORM Handbook, p. 37–43
Result: did we reach our goals?
• The purpose of risk management is to help people throughout the firm make better decisions, or more specifically, to:
• set direction – where are we going?
• gain commitment – what does the audience want?
• keep control – have we arrived where we wanted to be?
• resolve uncertainty – can we direct our decisions to achieve our goals?
• Types of measurements
• Standard-based: against international standards (e.g. ISO)
• Comparative: against peers
• Predictive: against prior predictions

ORM Handbook, p. 43-46
ISO 31000: International Standard for Risk Management

[Figure reproduced from ISO 31000:2009, reconstructed here as its three columns]

Principles (Clause 3):
a) Creates value
b) Integral part of organisational processes
c) Part of decision making
d) Explicitly addresses uncertainty
e) Systematic, structured and timely
f) Based on the best available information
g) Tailored
h) Takes human and cultural factors into account
i) Transparent and inclusive
j) Dynamic, iterative and responsive to change
k) Facilitates continual improvement and enhancement of the organisation

Framework (Clause 4):
• Mandate and commitment (4.2)
• Design of framework for managing risk (4.3)
• Implementing risk management (4.4)
• Monitoring and review of the framework (4.5)
• Continual improvement of the framework (4.6)

Process (Clause 5):
• Communication and consultation (5.2)
• Establishing the context (5.3)
• Risk assessment (5.4.2): risk identification (5.4.2), risk analysis (5.4.3), risk evaluation (5.4.4)
• Risk treatment (5.5)
• Monitoring and review (5.6)

Reproduced from ISO 31000:2009


POLL QUESTION - 3
• Do you / your firm assess the effectiveness of risk management?
a) Yes, explicitly against prior set objectives and mandated
b) Yes but informally; no real measures are in place
c) No, but we are thinking of doing it / it’s developing
d) No, we haven’t thought about it
e) Other


Horizons of Risk Governance
1. Learning from other industries:
• Avoid short-term focus and incentives and rather adopt a 10-25 year perspective
• Improve quality control and consistency in quality (high cost variances correlated with quality problems)
2. Manage conflicts and tensions between specialist risk roles
• Regulator, Finance, Risk, and Business
3. Adopt confidence accounting
• Range of values instead of exact numbers
4. Include the human factor in risk
5. Enhance risk data and analytics
Thank you for your attention
