![Page 1: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/1.jpg)
OPERATIONAL RISK MANAGEMENT
Presented by Sweta Vijuraj
![Page 2: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/2.jpg)
Take away…
What is Risk Management?
What are the types of Risk?
What is Operational Risk?
Why Operational Risk Management?
How to identify & monitor Operational Risk?
How to measure Operational Risk?
How to mitigate and control Operational Risk?
![Page 3: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/3.jpg)
RISK MANAGEMENT
Risk – the probability of a loss or of a danger. The concept of risk combines the probability of an event occurring with the impact that event may have and the circumstances in which it happens.
Risk Management (RM) is the identification, assessment, and prioritization of risks followed by coordinated and economical application of resources to minimize, monitor, and control the probability and/or impact of unfortunate events or to maximize the realization of opportunities.
RM is thus a tool to create business value through an integrated process of identifying, estimating, assessing and controlling risks.
It is defined as the complete set of policies and procedures which organizations have in place to manage, monitor and control their exposure to risk.
![Page 4: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/4.jpg)
RISK MANAGEMENT
Its main objectives are to protect the institution from unacceptable losses and to make optimal use of capital.
It has assumed a lot of importance in the present scenario, when there is heightened awareness of risk.
More than a regulatory reporting exercise.
Should not be viewed as a defensive activity.
Requires Senior Management’s involvement.
![Page 5: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/5.jpg)
Types of Risks
Credit Risk – Default risk, Concentration risk, Country risk
Market Risk – Interest rate risk, Currency risk, Equity risk, Commodity risk
Operational Risk – Legal risk, Model risk
Liquidity Risk – Asset liquidity, Funding liquidity
Strategic Risk
Reputational Risk
Systemic Risk
![Page 6: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/6.jpg)
Basel I
The first Basel Accord, known as Basel I, was issued in 1988 and focuses on the capital adequacy of financial institutions.
Originally developed to cover credit risk capital requirements.
Assets sorted into four categories based on risk exposures.
8% capital requirement.
Amended in 1996 to include market risk capital requirements.
![Page 7: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/7.jpg)
Basel-II
Introduction
Basel I, the existing framework introduced in 1988, was felt to be inadequate for evaluating the risks in the evolving financial system, which was becoming more complex, innovative and diversified.
Basel II was introduced in 2004 as the answer to this requirement.
Basel II addressed not only credit & market risk capital but also operational risk capital.
![Page 8: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/8.jpg)
Basel II – the Three Pillars
Pillar I – Minimum Capital Requirement: rules to calculate required capital
Pillar II – Supervisory Review Process: increased supervisory power
Pillar III – Market Discipline (Disclosure): increased disclosure requirements
![Page 9: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/9.jpg)
What is Operational Risk?
![Page 10: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/10.jpg)
Just think of the following scenarios –
What if your signature was forged on your stolen cheque and the amount was fraudulently withdrawn from your account,
Suddenly the bank’s branches close for a few days on account of floods,
The system server is down during the peak working hours,
Your fund transfer was successfully done but transferred to the wrong account,
Busy operations in dealing rooms of major banks come to a halt?
![Page 11: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/11.jpg)
Global OR Events (External)
Catastrophic losses on account of OR Events (External):
i) 9/11 – Terrorist attack on WTC (2001)
ii) 26/07 – Mumbai Floods (2005)
iii) 26/11 – Mumbai Terror Attacks (2008)
iv) 11/03 – Japan – Earthquake, Tsunami and Nuclear Crisis (2011)
![Page 12: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/12.jpg)
Global OR Events (Financial losses)
Financial Losses due to OR Events:
ii) 1999 – Ketan Parekh Scam – Illegal borrowings from GTB & others by pledging shares as collateral (GTB collapse)
iii) 2008 – Societe Generale – 2nd largest bank in France lost € 4.9 bn by the fraudulent future trader
iv) 2009 – Satyam Scam – Fudging of accounts by its founder – Biggest Corp Fraud of Rs.8000 crores
v) 2010 – Citibank Fraud – Multi-crore (Rs.400 cr) fraud by RM – luring HNIs to invest in bogus Invst schemes – 36%
vi) 2013 – Cybercrime syndicate committed fraud through compromised POS terminal across Europe. 36000 card holders in 16 countries affected
vii) 2013 – USD 45 million prepaid card fraud (2 Middle East banks affected)
viii) 2014 – INR 250 crores scam in a public sector bank in India wherein the branch manager and a private person allegedly took loans using forged documents on behalf of seven private companies which had deposits in the bank.
![Page 13: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/13.jpg)
Example
Barings Bank – The incident involved a loss of roughly $1.25 bn due to unauthorized trading activities during 1993 to 1995 by a single, relatively junior trader named Nick Leeson.
Leeson, who was supposed to be running a low-risk, limited-return arbitrage business for Barings in Singapore, was actually taking increasingly large speculative positions in Japanese stocks & interest rate futures and options. He was taking positions on behalf of fictitious customers, booking losses to non-existent customer accounts.
Losses happened because of movement of market variables not in favour of Leeson’s positions. – Market risk vs Ops risk?
![Page 14: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/14.jpg)
Ops risk losses are often contingent on market movements.
This particular case is classified under Operational Risk because it involved:
Fraud – unauthorized trading (internal fraud), forging signature, non-disclosure, criminal breach of trust etc.
& the Failure of Internal Controls
• No clearly laid down reporting lines
• Several managers responsible for monitoring Leeson’s performance did not do their job (not questioning the unexpected sources of profit)
• No segregation of front and back office activities
• No comprehensive review of Leeson’s funding requirements
![Page 15: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/15.jpg)
How is Operational Risk defined?
Basel II has defined Operational Risk as “the risk of loss resulting from inadequate or failed
- internal processes,
- people and
- systems or
- from external events”.
Basel II has clarified that OR includes legal risk but specifically excludes strategic & reputational risks.
![Page 16: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/16.jpg)
OR Management – Why?
Why Operational Risk Management (ORM)?
![Page 17: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/17.jpg)
ORM – Why?
It has been believed that banks are exposed to two main risks – Credit risk and Market risk.
Serious changes in the global financial markets in the last 20 years have caused noticeable shifts in banks’ risk profile – globalization and deregulation, technological innovation and advances in the information network, and an increase in the scope of financial services and products – complex network.
OR events occur in the banking industry every day. Most of the losses are small in magnitude (frequent/predictable/preventable) and some are severe in magnitude of loss.
Losses due to OR events are far-reaching and catastrophic.
![Page 18: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/18.jpg)
OR - Significant in Recent Years
Economy is fragile
Losses due to OR events are far-reaching and catastrophic
Historic OR events exhibit that they are totally distinct from one another – either globally or in our Bank
History proves whoever puts in place BCP/Risk Mitigants manages OR events better than others
Banks need to move towards advanced approaches for calculation of OR capital
Advanced approaches involve statistical method of calculation of capital
![Page 19: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/19.jpg)
ORM
The term Operational Risk Management (ORM) is defined as a continual cyclic process which includes risk assessment, risk decision making, and implementation of risk controls, which results in acceptance, mitigation, or avoidance of risk.
![Page 20: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/20.jpg)
How to identify & monitor Operational Risk?
![Page 21: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/21.jpg)
ORM Tools
Loss Data Collection Exercise and Analysis
Conduct of RCSA (Risk and Control Self-Assessment) exercise.
Tracking of KRIs (Key Risk Indicators) at Branch level and Bank level.
Scenario Analysis
![Page 22: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/22.jpg)
What is loss data?
Loss Data consist of Losses arising due to inadequate or failed
Internal Process
People
Systems
External events
![Page 23: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/23.jpg)
Examples of loss data
![Page 24: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/24.jpg)
Collection of loss data
Historical loss experience provides meaningful information for assessing the bank’s exposure to OR.
The Bank undertakes the Loss Data Collection exercise on a half-yearly basis and has a loss event database since 1st April 2008.
Analysis of loss data is undertaken by RMD on a half-yearly basis and the findings along with mitigation measures are submitted to CORM/R.Com.
LDRT (Loss Data Reporting Template) introduced since 01.01.2012 for Reporting/Accounting of OR Loss incidents.
Tracking OR loss incidents on real-time basis through SAS OR Monitor (EGRC).
![Page 25: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/25.jpg)
Loss event type classification
Mapping Of Loss Data As Per Basel Business Lines (matrix of loss event types against business lines)
Loss event types:
EL1 – Internal Fraud
EL2 – External Fraud
EL3 – Employment practices & workplace safety
EL4 – Clients, Products & Business Practices
EL5 – Damage to physical assets due to natural disaster
EL6 – Business disruption & System failures
EL7 – EDPM
Business lines:
BL1 – Corporate Finance
BL2 – Trading & Sales
BL3 – Retail Banking
BL4 – Commercial Banking
BL5 – Payment & Settlement
BL6 – Agency Services
BL7 – Asset Management
BL8 – Retail Brokerage
![Page 26: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/26.jpg)
Measuring OR - Findings
High Impact, Low Frequency: Major frauds, natural disasters (such as fire, flood, earthquake), terrorist attack etc.
Low Impact, High Frequency: Minor accounting errors, leakage of income, routine mistakes (available from internal audit)
![Page 27: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/27.jpg)
Risk and Control Self Assessment (RCSA)
RCSA is a risk management program where risks and controls are examined and assessed to provide reasonable assurance to management that business objectives will be met.
Steps:
1. Self-assessment exercise: list out all activities that are susceptible to OR. List out the main business lines and the products/processes in each of these business lines, then list out the risks associated with each of these products/processes (combination of experience, judgement, intuition and past losses).
2. Evaluate Risk (in terms of frequency and severity) and arrive at Inherent Risk.
3. Evaluate Controls (in terms of Control Design Effectiveness & Control Operating Effectiveness) and arrive at Residual Risk.
![Page 28: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/28.jpg)
Key Risk Indicators (KRIs)
RCSA exercise helps in identification and design of appropriate Key Risk Indicators (KRIs).
KRIs are early warning signals, which enable management to monitor and mitigate operational risks that are reaching beyond acceptable levels.
Examples of KRIs for branches: number of days day-end cash did not tally, number of days cash retention limit was breached, number of days ATM cash tally did not happen.
They also provide a backward-looking view on risk events, so lessons can be learned from the past.
They are one of the Basel recommendations for Sound Operational Risk Management.
![Page 29: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/29.jpg)
Tracking of KRIs - How is it done?
Bank level KRIs: Presently 15 KRIs covering Treasury, IT and HR are tracked quarterly by the respective departments.
Branch level KRIs: Presently 25 KRIs covering domestic branches are tracked quarterly by Concurrent Auditors and ZO Risk Management Cell Officials. 20 KRIs cover foreign branches. The Branch level KRIs help in identifying High/Medium/Low Risk Rating branches.
The KRIs are tracked and reported to Operational Risk Management Cell in RMD who in turn analyze the results and report to the Senior Management.
Zones are also advised to conduct workshops to sensitize high risk branches in order to strengthen internal control measures in these branches.
![Page 30: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/30.jpg)
How to measure Operational Risk?
![Page 31: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/31.jpg)
Measuring Operational Risk
Operational Risk is comparatively difficult to quantify.
However, as Operational Risk impact is positively correlated with income size and dispersion of business units, the capital charge for OR is calculated as a percentage of Gross Income.
![Page 32: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/32.jpg)
Calculation of Capital Charge on OR
Basel Committee on Banking Supervision [BCBS] has put forward three methods for calculating operational risk capital charge:
Three approaches –
Basic Indicator Approach (BIA)
The Standardised Approach (TSA)
Advanced Measurement Approaches (AMA)
![Page 33: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/33.jpg)
Three Approaches for ORCC
Basic Indicator Approach (BIA)
· Average of gross income for three years as indicator.
· Capital charge equals 15% of the indicator.
The Standardized Approach (TSA)
· Gross income per regulatory line as indicator.
· Depending on business line, 12, 15 or 18% of the indicator as capital charge.
· Total capital charge equals sum of charge per business line.
Advanced Measurement Approach (AMA)
· Capital charge equals internally generated measures based on internal loss data, external loss data, scenario analysis and BEICFs.
· Recognition of risk mitigation – insurance – up to 20%
![Page 34: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/34.jpg)
Capital Charge computation under TSA
• Gross Income = Interest Income + Non Interest Income (-) Interest expense
![Page 35: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/35.jpg)
Usage of GI as proxy indicators
BIA and TSA – simpler approaches - but charge more capital.
Risk indicator based on income level (Gross Income) and not on risk exposures.
BIA- one size fits all, doesn’t consider risks separately for different activities.
TSA: Ambiguity in BL descriptions – activity allocations to Business Lines (BL) with lower Beta.
Negative Gross Income allowed to be offset against positive.
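The BIA and TSA rules from the "Three Approaches for ORCC" slide and the negative-gross-income point above, worked through in Python. This is an added example, not part of the original presentation: the income figures are constructed, the per-line beta values are the Basel II factors behind the slide's "12, 15 or 18%", and the handling of non-positive years follows the Basel II text rather than anything stated on the slides.

```python
"""BIA and TSA operational-risk capital charge (added illustration)."""

BIA_ALPHA = 0.15  # slide: "Capital charge equals 15% of the indicator"

# Basel II beta factor per business line (BL1..BL8).
TSA_BETA = {
    "Corporate Finance": 0.18,
    "Trading & Sales": 0.18,
    "Retail Banking": 0.12,
    "Commercial Banking": 0.15,
    "Payment & Settlement": 0.18,
    "Agency Services": 0.15,
    "Asset Management": 0.12,
    "Retail Brokerage": 0.12,
}


def gross_income(interest_income, non_interest_income, interest_expense):
    """Gross Income = Interest Income + Non Interest Income - Interest expense."""
    return interest_income + non_interest_income - interest_expense


def bia_charge(gi_by_year):
    """15% of the average annual gross income.

    Basel II rule (assumption, not on the slide): years with zero or
    negative gross income are dropped from numerator and denominator.
    """
    positive = [gi for gi in gi_by_year if gi > 0]
    if not positive:
        return 0.0
    return BIA_ALPHA * sum(positive) / len(positive)


def tsa_year_charge(gi_by_line):
    """Sum of beta * gross income over business lines for one year.

    A negative line offsets positive lines within the year; if the
    year's total is negative it is floored at zero (Basel II rule).
    """
    unknown = set(gi_by_line) - set(TSA_BETA)
    if unknown:
        raise ValueError(f"unmapped business line(s): {sorted(unknown)}")
    raw = sum(TSA_BETA[line] * gi for line, gi in gi_by_line.items())
    return max(raw, 0.0)


def tsa_charge(years):
    """Average of the yearly TSA charges; floored years stay in the average."""
    if not years:
        raise ValueError("at least one year of data is required")
    return sum(tsa_year_charge(y) for y in years) / len(years)


# Constructed three-year sample for a retail-heavy bank (any currency unit).
SAMPLE_YEARS = [
    {"Retail Banking": 600.0, "Commercial Banking": 300.0, "Trading & Sales": 100.0},
    {"Retail Banking": 700.0, "Commercial Banking": 400.0, "Trading & Sales": -100.0},
    {"Retail Banking": 650.0, "Commercial Banking": 350.0, "Trading & Sales": 100.0},
]


def compare(years):
    """Return both charges for the same income data."""
    totals = [sum(y.values()) for y in years]
    return {"bia": bia_charge(totals), "tsa": tsa_charge(years)}


if __name__ == "__main__":
    result = compare(SAMPLE_YEARS)
    print(f"BIA charge: {result['bia']:.2f}")
    print(f"TSA charge: {result['tsa']:.2f}")
```

For this sample the TSA charge is lower than the BIA charge only because most income sits in 12% and 15% lines; neither figure reflects actual loss experience or control quality, which is the limitation of using gross income as a proxy.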
![Page 36: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/36.jpg)
Inputs for AMA
Under AMA, banks are required to incorporate four key data inputs/elements in capital modeling:
1) Internal loss data
2) External loss data
3) Scenario analysis data
4) Business environment and internal control factors (BEICF)
BE factors: Employee attrition, Growth factor, Product complexity.
IC factors: RCSA scores, Key risk indicators, Internal audit ratings and Operational risk appetite.
Estimated capital is scaled up/down based on BE factors & IC factors.
![Page 37: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/37.jpg)
OPERATIONAL DATA
![Page 38: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/38.jpg)
Modeling Approach in AMA
Being an evolving area, regulators have given flexibility of selecting modeling methodology to the banks.
Some of the approaches used:
Loss Distribution Approach (LDA)
Scenario Based Approach (SBA)
Hybrid Approach
![Page 39: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/39.jpg)
OpVaR model (illustrative)
[Flow diagram. Stages: Source data, Modeling, Simulations, Aggregation.]
Inputs: Internal Loss Data, External loss data, Scenario Analysis, BEICF adjustments
Steps and outputs: Distribution Fitting; Frequency & Impact – Output: Simulated internal losses; Frequency – Output: Simulated scenario losses; Simulation – Output: Combined loss value
Results: Bank level OpVaR; Component VaR (business line wise); Adjusted Component VaR
![Page 40: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/40.jpg)
OR Capital Adequacy-Economic Capital
E.g.: if the bank has a maximum loss (OpVaR) of 100 and an expected loss (mean) of 20, then Economic Capital = 100 – 20 = 80
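A minimal Loss Distribution Approach simulation showing how the OpVaR, expected loss and economic capital figures above are produced, together with the 20% insurance cap mentioned under AMA. This is an added example, not the bank's model: the Poisson frequency, lognormal severity, 99.9% confidence level and all parameter values are assumptions chosen for illustration.

```python
"""Loss Distribution Approach by Monte Carlo (added illustration)."""
import math
import random


def poisson_draw(rng, lam):
    """Number of loss events in one year (Knuth's method; fine for small lam)."""
    if lam <= 0:
        raise ValueError("lam must be positive")
    limit = math.exp(-lam)
    count, product = 0, rng.random()
    while product > limit:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, mu, sigma, years, seed=1):
    """Aggregate loss per simulated year: Poisson count of lognormal severities."""
    rng = random.Random(seed)  # seeded so a run can be reproduced and reviewed
    totals = []
    for _ in range(years):
        events = poisson_draw(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(events)))
    return totals


def quantile(sorted_values, q):
    """Empirical quantile: smallest value with at least a share q at or below it."""
    n = len(sorted_values)
    index = min(n - 1, max(0, math.ceil(q * n) - 1))
    return sorted_values[index]


def theoretical_expected_loss(lam, mu, sigma):
    """Closed-form mean annual loss, used to sanity-check the simulation."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def economic_capital(op_var, expected_loss):
    """Slide formula: Economic Capital = OpVaR - Expected loss."""
    return op_var - expected_loss


def apply_insurance(capital, insurance_cover):
    """Recognise insurance as a mitigant, capped at 20% of the capital charge."""
    return capital - min(insurance_cover, 0.20 * capital)


def lda_summary(lam, mu, sigma, years=50_000, q=0.999, seed=1):
    """Simulate, then read off expected loss, OpVaR and economic capital."""
    losses = sorted(simulate_annual_losses(lam, mu, sigma, years, seed))
    expected = sum(losses) / len(losses)
    op_var = quantile(losses, q)
    return {
        "expected_loss": expected,
        "op_var": op_var,
        "economic_capital": economic_capital(op_var, expected),
    }


if __name__ == "__main__":
    # Constructed parameters: about 10 losses a year, median severity e^10.
    summary = lda_summary(lam=10, mu=10.0, sigma=1.0)
    for name, value in summary.items():
        print(f"{name:>17}: {value:,.0f}")
    print(f"closed-form mean : {theoretical_expected_loss(10, 10.0, 1.0):,.0f}")
    print(f"after insurance  : {apply_insurance(summary['economic_capital'], 1e6):,.0f}")
```

The 99.9% quantile rests on only a few dozen simulated tail years even at 50,000 runs, so the OpVaR estimate moves noticeably with the seed and with the severity parameters; that sensitivity is why back-testing and data availability appear among the AMA challenges.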
![Page 41: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/41.jpg)
LOSS DISTRIBUTION APPROACH
![Page 42: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/42.jpg)
AMA: Key challenges
Non-availability of historical data in majority of cells and dependence on scenarios in the absence of India specific external loss data.
Incorporation of correlation among scenarios.
Incorporation and identification of BEICF elements in the capital computation/allocation.
Back-testing of OpVaR computation.
![Page 43: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/43.jpg)
How to mitigate and control Operational Risk?
![Page 44: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/44.jpg)
Mitigating Operational Risk
Damages due to natural disasters, fire, etc. – INSURANCE
Losses from disruptions (electricity / telecommunication) – BACKUP
Losses due to internal reasons – STRONG INTERNAL AUDIT PROCEDURE
OR events leading to severe business disruption – Business Continuity Plans (BCPs)
[Mitigants put in place to be reviewed periodically to ensure contingency strategies remain consistent with current operations, risk & threats, resiliency requirement and to facilitate BC with minimum loss of time.]
![Page 45: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/45.jpg)
Bank Of India – Journey of Corporate Office: 1906, 1950, 1973, 2003
![Page 46: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/46.jpg)
Risk Management Architecture in BOI
Risk Management Architecture
![Page 47: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/47.jpg)
Operational Risk
BOI
![Page 48: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/48.jpg)
![Page 49: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/49.jpg)
OR - Organizational setup [ORMF]
Board of Directors
Risk Management Committee of the Board (R.Com)
Committee for Operational Risk Management (CORM)
Operational Risk Management Department (ORMD)
Business Operational Risk Managers (BORM)
Support Group - Operational Risk Management Specialist (ORMS)
RMD set-up at ZOs/LCBs/DOs/Foreign Centres
Business Line OR Management (Branch Level)
![Page 50: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/50.jpg)
The Operational Risk Management policy has been framed considering various regulatory guidelines issued from time to time. This policy document describes the approach to Operational Risk Management within the Bank as part of Enterprise-wide Risk Management and also to comply with the regulatory guidelines.
ORM Policy covers -
Scope & Applicability
Operational Risk Management Framework – Governance structure, three lines of defence, roles and responsibilities
Operational Risk Management Process
Capital Measurement
Independent Evaluation
Sound Industry Practice
BOI Progress in ORM I – Comprehensive ORM Policy
![Page 51: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/51.jpg)
Mapping of products to business lines through Risk Registers
Bank's total products (aggregating more than 100 in Deposits, Advances, Remittances & Miscellaneous Services) have been mapped to Business Lines as per Basel II norms
Mapping of income & expenses for capital charge computation under TSA – automated using SAS
BOI Progress in ORM II – Business Line Mapping
![Page 52: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/52.jpg)
Risk & Control Self Assessment (RCSA)
11 Risk Registers covering all the products and processes in all the Business Units and Support functions have been prepared to aid in Risk and Control Self Assessment (RCSA) exercise.
RCSA exercise done online using SAS system.
Sample Retail Banking Assets Risk register
BOI Progress in ORM III - RCSA
![Page 53: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/53.jpg)
Key Risk Indicators (KRIs)
Key Risk Indicators (KRIs) are revised based on the RCSA results and in all there are 60 KRIs (15 Bank level, 25 Domestic branch level and 20 Foreign branch level).
Revised KRIs are tracked and analyzed and reported to Senior Management on a quarterly basis.
KRI examples
BOI Progress in ORM IV - KRIs
![Page 54: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/54.jpg)
Loss Data Collection
Loss data reported using “Loss Data Reporting Template (LDRT)”
Reporting process will be automated with help of SAS from January 2014.
Loss accounted using Finacle P&L Heads: PLOE061 (frauds) & PLIP034 (non-frauds)
Loss data collection since 2008. We have six years loss database.
BOI Progress in ORM V – Loss data collection
![Page 55: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/55.jpg)
Analysis of high value loss events
Fraud analysis is undertaken on a periodical basis by Fraud Risk Management Department.
Operational Risk Management Cell analyses loss events above Rs.50 lakhs in terms of failure of controls, systems, process and people and suggests mitigation measures to control/prevent such loss events. This analysis is then reported to the Senior Management .
BOI Progress in ORM VI – Analysis of high value loss events
![Page 56: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/56.jpg)
Business Continuity Plan Disaster Recovery management
Bank's Data Center is located at CBD Belapur and DR site in Bangalore which are in different seismic zones.
Data at both the sites is always in mirrored status which ensures uninterrupted services to customers.
Bank has Global Processing Center at Singapore for all overseas centers which ensures centralized monitoring of transactions
BOI Progress in ORM VII – BCP & DRM
![Page 57: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/57.jpg)
Risk Based Internal Audit
Bank has migrated to Risk Based Internal Audit from 01/04/2007 and the assessment is being done based on exposure of the branches to various types of risks like Operational Risks, Credit Risks, Compliance Risks, Earning Risks, Technology Risks etc. Suitable mitigating measures are initiated immediately on the receipt of requisite report.
BOI Progress in ORM VIII - Audit
![Page 58: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/58.jpg)
IT Risks & Cyber Crime prevention
Bank has put in place comprehensive Information System Security Policy.
Bank has appointed Chief Information System Security Officer dealing exclusively with the system security and risks related to IT and cyber crimes.
Bank has introduced Information Security Portal on Bank's website which alerts all concerned about the IT Risk threats on an ongoing basis.
BOI Progress in ORM IX – IT Risks
![Page 59: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/59.jpg)
New Product Group
BOI Progress in ORM X
Any new product/process is first passed through a Sub-Group called “Product Group” before submission to Committee on Operational Risk Management (CORM) for clearance and to ED/CMD/Board for approval.
Risk Assessment Questionnaire for New Product/Process
![Page 60: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/60.jpg)
KYC & AML Policies
Bank has put in place elaborate KYC & AML policies
KYC is being done for deposit & credit customers as well as those effecting remittances from the Bank
The Bank has also purchased AML software
BOI Progress in ORM XI
![Page 61: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/61.jpg)
Employee Fraud Prevention
Maker Checker concepts & Dual Control
Adequate Remuneration & compensation to staff commensurate with performance
Various Staff incentive schemes
Appropriate Training & Guidelines
Documented Service conditions & Service Regulations
BOI Progress in ORM XII
![Page 62: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/62.jpg)
Unauthorized Activity Control
Laid down procedures & guidelines
Delegated Powers for credit & Non credit matters
System of Noting & Reporting of sanctions to next higher authority
BOI Progress in ORM XIII
![Page 63: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/63.jpg)
Employee Practice & Work Place Safety
Documented HR Policy for appointment, transfer, promotion, placement and overseas posting
Adherence to all local labour & industrial laws
Proper Succession Planning
Redressal of staff grievances through welfare committees
Direct communications to staff by Top Management
BOI Progress in ORM XIV
![Page 64: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/64.jpg)
Outsourcing Risk Management
Laid down procedures for selection of panel of vendors
Fool Proof agreement documents
Periodic Review of outsourcing arrangements
Customer/Shareholder complaint redressal mechanism
BOI Progress in ORM XV
![Page 65: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/65.jpg)
Security Measures:
Effective security measures put in place to safeguard banking assets
Security Guards, CCTVs, Burglar Alarms, Smoke Detectors, Fire Proof vaults and cabinets for documents storage, insurance etc.
BOI Progress in ORM XVI
![Page 66: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/66.jpg)
Ops Risks embedded in other risks :-
Cash Management – Cash retention limit, Cash van management including transit insurance, Counterfeit notes
Credit Mgt-Timely review & inspections, Vetting of documents by advocates, Up to date maintenance of mortgage register
Treasury Mgt – Front & Back office control, Exposure limits, Stop Loss limits
Investment Mgt – ALCO committee for fresh investments/review of existing investments.
Marketing –Deployment of trained staff with full product knowledge
BOI Progress in ORM XVII
![Page 67: Operational risk (by ms.sweta vijuraj)](https://reader033.vdocuments.site/reader033/viewer/2022060111/5567fffdd8b42a242a8b464c/html5/thumbnails/67.jpg)
To Summarize…
Operational Risk is the most important of all risks as it involves managing the unknown! Most difficult to quantify & manage!
ORM framework must be closely integrated into the day-to-day risk management processes of the bank.
Use ORM tools (loss data, RCSA, KRI) to gather information and perform analysis to report findings to Senior Management for business decision making.
ORM to identify those risks which need to be taken and those which need to be insured.
Spreading Risk culture in the Organization is important for successful implementation of Operational Risk Management Framework in the Organization.