how to manage effectively operational risk

Upload: smc84

Post on 05-Apr-2018






  • 7/31/2019 How to Manage Effectively Operational Risk



    How to Manage Effectively Operational Risk

    For Basel II, Solvency II and Arrow

    White Paper

    September 2008




    Table of Contents

    Loss Data ........ 5
    Risk and Control Self Assessment (RCSA) ........ 7
    Key Risk Indicators ........ 13
    Action and Remediation Plans ........ 15
    Risk Simulation ........ 16
    Reporting ........ 17
    Key Benefits of Proposed Solution ........ 18
    About Dynasec ........ 18




    Introduction

    Operational risk exists everywhere in the business environment. It is the
    oldest risk facing any commercial institution and in particular banks,
    insurance companies and other financial institutions. Any financial
    institution will face operational risk long before it decides on its first
    market trade or credit transaction.

    Of all the different types of risks financial institutions face, operational
    risk can be the most devastating and at the same time the most difficult to
    anticipate. Its appearance can result in sudden and dramatic reductions in
    the value of a firm.

    Operational risk cannot be managed successfully with a few spreadsheets or
    databases developed by an internal risk management department. In fact, one
    of the biggest mistakes an institution can make is to rely on simplistic and
    traditional solutions, which can lead to less than ideal choices about
    managing operational risk.

    easy2comply enables organizations to efficiently meet and adapt to internal
    operational risk practices as well as external regulations such as Basel II,
    Solvency II, FSA mandates and others by automating and simplifying the
    process of collecting, storing, analyzing, tracking and reporting on
    information relevant to operational losses, risk and control assessments,
    and the definition and management of key risk indicators and scenarios.




    Figure: easy2comply Operational Risk Architecture




    Loss Data

    The loss database is a key, standard element of the Operational Risk
    Management module. The collection and analysis of internal loss data
    provides management information which can be fed back into the operational
    risk management and mitigation process. In addition, the database of
    internal loss events builds up over time and provides the basis for
    quantitative analysis and the calculation of capital allocation.

    Data quality of loss reporting is often a major concern in many
    organizations. Dynasec Enterprise simplifies the collection of loss
    reporting by offering a 3-step process with built-in workflow capabilities:

    1. Loss Event Capturing
    In the first stage, authorized users can report on a loss event, a
    suspected loss event or a near miss. This loss event capturing process is
    performed with a comprehensive and customizable form that contains all the
    necessary fields and information for later loss event analysis.

    2. Loss Event Evaluation
    In the second stage, authorized users, generally from the risk management
    department, are automatically alerted of any loss event reported in the
    system. They can assess the impact of the loss event and describe the
    associated risks and damages in various formats which provide the basis for
    later in-depth analysis and loss event reporting.

    3. Loss Event Conclusions and Follow Up Actions
    At this stage, authorized users can summarize the conclusions resulting
    from a loss event, define follow up action items with due dates, and assign
    responsible persons for each action item. All action items are incorporated
    into easy2comply's integrated action and remediation plan for tracking and
    management of tasks.
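The three-stage process above, as an added example that is not part of the white paper or of easy2comply itself: a small Python model of the workflow that enforces the mandatory Business Line and Event Type fields at capture, lets only the authorized role move an event forward one stage at a time, keeps an audit trail of who moved it, and flags follow-up items whose due date has passed. The stage names, the role model, the non-mandatory field names and the sample event are assumptions.

```python
"""Three-stage loss-event workflow: mandatory-field validation and stage
transitions restricted by role.  Added illustration, not easy2comply code:
stage names, roles and the sample event are constructed; the mandatory fields
(Business Line, Event Type) and the capture/evaluate/conclude order follow
the white paper.
"""
from dataclasses import dataclass, field
from datetime import date

STAGES = ("captured", "evaluated", "concluded")
# Role allowed to move an event INTO each stage (assumed authorization model).
STAGE_ROLE = {"captured": "reporter",
              "evaluated": "risk_management",
              "concluded": "risk_management"}
# Fields that must be present before an event can be captured.
MANDATORY = ("event_name", "business_line", "event_type")


@dataclass
class ActionItem:
    task: str
    owner: str
    due: date


@dataclass
class LossEvent:
    fields: dict
    stage: str = "captured"
    actions: list = field(default_factory=list)
    audit_log: list = field(default_factory=list)   # (user, stage) entries


def missing_mandatory(fields):
    """Names of mandatory fields that are absent or empty."""
    return [name for name in MANDATORY if not fields.get(name)]


def can_transition(current, target, role):
    """True only for a forward step of exactly one stage by the role authorized for it."""
    if current not in STAGES or target not in STAGES:
        return False
    if STAGES.index(target) != STAGES.index(current) + 1:
        return False
    return STAGE_ROLE[target] == role


def capture(fields, user, role):
    """Stage 1: a reporter files the event; incomplete forms are rejected."""
    missing = missing_mandatory(fields)
    if missing:
        raise ValueError(f"cannot capture event, missing mandatory fields: {missing}")
    if role != STAGE_ROLE["captured"]:
        raise PermissionError(f"{user} ({role}) may not capture loss events")
    event = LossEvent(dict(fields))
    event.audit_log.append((user, "captured"))
    return event


def advance(event, target, user, role, **updates):
    """Stages 2 and 3: risk management evaluates, then concludes."""
    if not can_transition(event.stage, target, role):
        raise PermissionError(
            f"{user} ({role}) may not move event from {event.stage} to {target}")
    event.fields.update(updates)
    event.stage = target
    event.audit_log.append((user, target))
    return event


def add_action(event, task, owner, due):
    """Follow-up items are only defined once conclusions have been drawn."""
    if event.stage != "concluded":
        raise ValueError("action items can only be added at the conclusions stage")
    event.actions.append(ActionItem(task, owner, due))
    return event


def overdue_actions(event, today):
    """Tasks whose due date has passed: what a reminder/escalation run picks up."""
    return [a.task for a in event.actions if a.due < today]


# Constructed sample event run through all three stages.
SAMPLE = {"event_name": "Duplicate supplier payment",
          "business_line": "Payment & Settlement",
          "event_type": "Internal"}


def demo():
    ev = capture(SAMPLE, "alice", "reporter")
    advance(ev, "evaluated", "bob", "risk_management",
            direct_damage=12500.0, related_controls=["C-DUP-CHECK"])
    advance(ev, "concluded", "bob", "risk_management",
            conclusions="Duplicate-invoice check was bypassed")
    add_action(ev, "Enforce duplicate-invoice check in AP system", "carol",
               date(2008, 10, 31))
    return ev
```

The check in `can_transition` is deliberately narrow: an event cannot skip the evaluation stage or be moved backwards, and the reporter who captured it cannot also conclude it, which keeps the segregation of duties the three-stage design implies.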

    easy2comply's flexible platform enables organizations to tailor their own
    fields in the loss database forms above, although certain standard fields
    such as selecting the appropriate Business Line and categorizing the Event
    Type are mandatory. Additional fields can easily be defined during the
    system configuration, requiring no programming.

    easy2comply offers the following standard fields:

    - Event Name
    - Event ID
    - Event Reporting Date
    - Reporter Name
    - Event Type (Internal/External)
    - Related Organizational Unit
    - Related Processes
    - Related Business Line
    - Related Event Category
    - Related Controls
    - First Event/Repeating Event/Near Miss
    - Correlative Events (in case of a Repeating Event)
    - Event Description
    - Event Identification Day
    - Start Handling Date
    - End Handling Date
    - Participants
    - Key Personnel Involved
    - Implemented Risks
    - Implemented Risk Direct Damage
    - Implemented Risk Indirect Damage
    - Implemented Risk Unquantifiable Damage
    - Insurance Cover
    - Conclusions
    - Follow Up Action Task
    - Follow Up Action Date
    - Follow Up Action Responsible
    - Attached Files
    - Authorization Process




    Risk and Control Self Assessment (RCSA)

    Risk and Control Self Assessment (RCSA) is one of the integrated components
    that easy2comply offers for effective management of operational risk.
    easy2comply establishes a coherent structure that automates the entire
    workflow for managing the risk and control framework including: systematic
    documentation of processes and sub-processes, identification of the risks
    that could prevent the attainment of process objectives and mapping of the
    controls that should be in place to mitigate these risks.

    easy2comply is designed in a way that enables companies to construct both
    actual and horizontal or virtual organizational structures for the
    operational risk management process. The flexible system provides up to
    1024 layers of hierarchy in the organizational structure that can be
    defined by the system administrator. Furthermore, easy2comply enables the
    creation of an unlimited number of horizontal or virtual organizational
    units which cross the actual organizational tree. Authorized users
    subjectively select single or groups of hierarchical organizational units
    within a horizontal unit. Such horizontal organizational units are used to
    identify cross-company trends and to perform competitive analysis between
    cross-company business units (for example: all wholly-owned subsidiaries or
    all purchasing departments throughout the organization).

    Organizational processes and sub-processes can be documented using an
    integrated flowchart engine which graphically represents the process flow.
    Each component in the flowchart is linked to the RCSA matrix, providing for
    easier documentation maintenance, consistency and improved change





    Organizations that already document their structure in an external system
    can take advantage of easy2comply's open systems environment and import or
    link to pre-documented organizational trees.

    Furthermore, processes are linked to organizational units using an m:n
    approach. This enables analyzing risks and controls from both perspectives:
    organizational and process-oriented.

    Risk Control Self Assessment can be performed at any level, including
    organizational units and processes. The self assessment can be based on
    data from 3 different sources: pre-populated data using a sophisticated
    template mechanism, data built from scratch in the system during the
    assessment (and saved as a template if necessary) or legacy data previously
    accumulated and automatically input into the system. Adding, deleting and
    modifying information is easy and intuitive, although subject to the user
    access rights that have been pre-selected.

    Documenting and assessing risk both qualitatively and quantitatively
    includes but is not limited to the following information:

    - Risk Name
    - Risk Description
    - Qualitative Information (can be based on a risk assessment wizard)
      o Severity
      o Probability
      o Other
    - Quantitative Information (can be based on a risk assessment wizard)
      o Severity
      o Probability
    - Scenario Analysis
      o Normal Scenario: Description, Loss, Frequency, More...
      o Serious Case Scenario: Description, Loss, Frequency, More...
      o Disaster Scenario: Description, Loss, Frequency, More...
    - Risk Category
    - KRI
    - Key Risk
    - Risk Type
    - Tolerance Level
    - Risk Response



    Documenting and assessing controls includes but is not limited to the
    following information:

    - Control ID
    - Control Activity Description
    - Control Objective
    - Control Activity In Place
    - Control Weight
    - Key Control
    - Control in Place
    - Control Design Rating
    - Control Owner
    - Control Nature
    - Control Frequency
    - Relation to COSO
    - Financial Effect
    - Preventive/Detective
    - Recommended Testing Procedure
    - Sample Size Required
    - Criteria for Effectiveness Testing
    - Criteria for Ineffectiveness Testing
    - Tester
    - Testing Start Date
    - Testing Due Date
    - Attachment
    - Findings
    - Recommendation
    - KPI
    - Attachments On Management Procedures




    The relations between risks and controls are based on an m:n approach
    where each risk can be mitigated by several controls and every control can
    impact various risks.

    The system also allows for an m:n correlation between controls.
    easy2comply allows for control hierarchies and dependencies between
    controls. For example, a control status can be based on a calculation of
    sub-controls. Each control in the system might have a different index of
    status which can be defined by the authorized users.

    easy2comply provides functionality for copying, importing and exporting
    risks and controls between different segments of the organization tree
    and/or the process tree and can define multiple types of relations between
    them.

    Throughout the lifecycle of the operational risk management process, the
    system enables the reduction of the overall number of risks and controls
    being managed in the organization, which results in a more efficient
    operation.




    Key Risk Indicators

    Key Risk Indicators (KRI) allocation and analysis is a core feature of the
    Dynasec Enterprise Operational Risk module. The KRI module provides
    management with an early-warning system, underscoring those areas where
    pre-defined thresholds are exceeded and thus highlighting potential danger
    spots in a timely fashion.

    Each Key Risk Indicator can be automatically generated or manually entered.
    Dynasec Enterprise provides the infrastructure to develop and determine
    both of these methods. KRIs are freely definable and there is (practically)
    no limit to the number or type of KRIs which can be set up.

    Some of the basic information for an automatic KRI is held within the
    Dynasec Enterprise system. In fact, the information can be embedded in the
    risk control self assessment process, for example a KRI that counts the
    missing controls in a process. Organizations can take advantage of this
    integrated approach to reduce the time required for reconciliation or other
    cross-checking requirements.

    Alternatively, if the required information is located in external,
    typically transaction-based systems, easy2comply can link to those systems
    via standardized protocols to gather the required information. For
    example, the number of dealer transactions rejected for exceeding trading
    limits can be a KRI created and tracked in the system, which has been
    linked to the external application that manages dealer transactions and
    calculates this figure.

    There are situations where the information is more readily available
    manually or where it is not found in any other system. In these cases,
    suitably authorized managers can enter the KRI values directly into the
    system, online.




    Documenting and assessing KRIs includes but is not limited to the
    following information:

    - KRI ID
    - KRI Name
    - KRI Description
    - KRI Type (KRI, KCI, KPI)
    - KRI Source
    - KRI Norm
    - Related Risk(s)
    - KRI Period
    - KRI Test
    - KRI Impact
    - KRI Change
    - Correlated KPI/KCI
    - Conclusion
    - Action Plan
    - Other
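The two kinds of KRI described in this section, as an added example that is not part of the white paper or of easy2comply itself: an automatic KRI computed from RCSA data (the number of risks in a process that have no control actually in place, following the m:n risk/control mapping) and a manually entered KRI (rejected dealer transactions), both compared against tolerance levels so that breaches surface as an early warning. The processes, risks, controls, links, threshold values and the amber/red status scheme are constructed assumptions.

```python
"""Automatic KRI derived from RCSA data, alongside a manually entered KRI,
both checked against tolerance levels for early warning.  Added illustration,
not easy2comply code: the RCSA extract and tolerance values are constructed
sample data; the "missing controls in a process" and "rejected dealer
transactions" KRIs follow the white paper's own examples.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Risk:
    risk_id: str
    name: str
    process: str


@dataclass(frozen=True)
class Control:
    control_id: str
    name: str
    in_place: bool        # the RCSA "Control in Place" field


@dataclass
class KRI:
    kri_id: str
    name: str
    source: str           # "RCSA" (automatic) or "Manual"
    amber: float          # tolerance level that raises a warning
    red: float            # tolerance level that requires escalation
    value: float


# --- constructed RCSA extract ---
RISKS = [
    Risk("R1", "Payment sent to wrong beneficiary", "P1"),
    Risk("R2", "Unreconciled nostro differences", "P1"),
    Risk("R3", "Unauthorised change to payment template", "P1"),
    Risk("R4", "Trade booked outside limits", "P2"),
]
CONTROLS = {
    "C1": Control("C1", "Four-eyes approval of payments", True),
    "C2": Control("C2", "Daily nostro reconciliation", False),
    "C3": Control("C3", "Pre-trade limit check", True),
}
# m:n links: a risk may have several controls and a control may cover several
# risks.  R3 has no control mapped at all.
RISK_CONTROLS = {"R1": {"C1", "C2"}, "R2": {"C2"}, "R4": {"C3"}}


def uncovered_risks(process, risks=RISKS, controls=CONTROLS, links=RISK_CONTROLS):
    """Risk IDs in a process with no control that is actually in place."""
    uncovered = []
    for risk in risks:
        if risk.process != process:
            continue
        if not any(controls[c].in_place for c in links.get(risk.risk_id, ())):
            uncovered.append(risk.risk_id)
    return uncovered


def rcsa_kri(process, amber, red):
    """Automatic KRI: number of risks in the process lacking an effective control."""
    return KRI(f"KRI-{process}-UNCOVERED",
               f"Risks without an effective control in {process}",
               "RCSA", amber, red, len(uncovered_risks(process)))


def manual_kri(kri_id, name, amber, red, value):
    """KRI whose value an authorized manager keys in (or an external system feeds)."""
    return KRI(kri_id, name, "Manual", amber, red, value)


def kri_status(kri):
    """Compare the indicator with its tolerance levels."""
    if kri.value >= kri.red:
        return "red"
    if kri.value >= kri.amber:
        return "amber"
    return "green"


def early_warning(kris):
    """Status per KRI plus the breached ones, worst first, for the dashboard."""
    statuses = {k.kri_id: kri_status(k) for k in kris}
    order = {"red": 0, "amber": 1}
    breached = sorted((k for k in kris if statuses[k.kri_id] != "green"),
                      key=lambda k: (order[statuses[k.kri_id]], -k.value))
    return statuses, [k.kri_id for k in breached]


def demo():
    kris = [
        rcsa_kri("P1", amber=1, red=3),
        rcsa_kri("P2", amber=1, red=3),
        manual_kri("KRI-REJ", "Dealer transactions rejected for exceeding trading limits",
                   amber=5, red=10, value=12),
    ]
    return early_warning(kris)
```

Note that a control that is merely mapped to a risk does not count: `uncovered_risks` requires the "Control in Place" flag, which is what makes the derived KRI an indicator rather than a restatement of the risk/control matrix.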




    Action and Remediation Plans

    easy2comply provides integrated risk measure/action plan functionality in
    the operational risk management module. This functionality enables
    creation, execution, management and follow-up of action and remediation
    plans in order to improve organizational processes and controls and to
    mitigate risk.

    Action plans can be defined by authorized users as a result of:

    - Poor Control
    - Loss Event
    - KRI
    - Simulation
    - Other general events

    Each action plan includes but is not limited to the following information:

    - Task Owner
    - Due Date
    - Task Description
    - Related Organizational Units/Processes/Risks/Controls
    - Task Status
    - Authorization Process
    - Log of Authorized Changes
    - Log of Rejected Changes
    - More

    Open tasks can be distributed to the owners. An email will be automatically
    sent by the system to notify each owner of his or her tasks with a link to
    the system. A reminder will be sent if the task date has passed, and
    escalation alerts and procedures can be defined to enable additional emails
    to be sent to selected managers or other individuals.




    Risk Simulation

    Risk simulation is an integral feature of the easy2comply Operational Risk
    module. A typical operational risk framework in many organizations includes
    several sources of information such as internal and external loss data,
    risk and control self assessment and key risk indicators. The Risk
    Simulations enable the analysis of this information by creating
    correlations between the different sources of information using various
    mathematical and statistical methods.

    easy2comply Risk Simulation includes, but is not limited to, the following:

    - Organizational Loss Distribution Approach
      o Severity
      o Probability
      o Periodic (Annual, 3 years, 5 years)
    - Various vertical and horizontal angles of analyzing LDA:
      o Per Business Unit
      o Per Business Line
      o Per Process
      o Per Category Type
      o Per Horizontal Units
    - Value at Risk Calculations using:
      o Monte Carlo Simulation
      o Historical Simulation (in development)
      o Variance Covariance Matrix (in development)
    - Residual Risk Distribution
    - Control Status Analysis
    - Heat Maps
    - Horizontal Risk and Control Analysis
    - More
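The Loss Distribution Approach with a Monte Carlo Value at Risk calculation, as an added example that is not part of the white paper or of easy2comply itself and goes slightly beyond the list above by showing the "per business line" angle end to end: frequency (Poisson) and severity (lognormal) parameters are fitted from a constructed loss-database extract, annual aggregate losses are simulated, and expected loss, VaR and unexpected loss are read off the empirical distribution. The choice of distributions, the 99.9% confidence level, the observation period and the loss amounts are assumptions.

```python
"""Loss Distribution Approach (LDA) by Monte Carlo simulation.

Added illustration, not easy2comply code.  Each business line gets a Poisson
event frequency and a lognormal severity fitted from a constructed internal
loss database; annual aggregate losses are then simulated and Value at Risk
is read off the empirical distribution.  Only the standard library is used.
"""
import math
import random
from statistics import mean


def poisson(rng, lam):
    """Knuth's method: count uniform draws until their product falls below e^-lam."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def quantile(values, q):
    """Nearest-rank empirical quantile (0 < q <= 1) of an unsorted list."""
    ordered = sorted(values)
    rank = max(1, min(len(ordered), math.ceil(q * len(ordered))))
    return ordered[rank - 1]


def fit_lognormal(severities):
    """mu and sigma of the log-severities (sample standard deviation; needs >= 2 losses)."""
    logs = [math.log(x) for x in severities]
    mu = mean(logs)
    sigma = math.sqrt(sum((v - mu) ** 2 for v in logs) / (len(logs) - 1))
    return mu, sigma


def simulate_annual_losses(lam, mu, sigma, years, seed=1):
    """Aggregate loss per simulated year: a Poisson number of lognormal losses."""
    rng = random.Random(seed)          # fixed seed keeps the run reproducible
    totals = []
    for _ in range(years):
        n = poisson(rng, lam)
        totals.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    return totals


def lda_capital(lam, mu, sigma, years=20000, confidence=0.999, seed=1):
    """Expected loss, VaR at the given confidence and unexpected loss (VaR - EL)."""
    totals = simulate_annual_losses(lam, mu, sigma, years, seed)
    el = mean(totals)
    var = quantile(totals, confidence)
    return {"expected_loss": el, "var": var, "unexpected_loss": var - el}


# Constructed loss-database extract: (business line, loss amount),
# assumed to cover OBSERVATION_YEARS years of history.
OBSERVATION_YEARS = 4
LOSS_DB = [
    ("Retail Banking", 1200.0), ("Retail Banking", 5400.0), ("Retail Banking", 800.0),
    ("Retail Banking", 23000.0), ("Retail Banking", 3100.0), ("Retail Banking", 950.0),
    ("Trading & Sales", 45000.0), ("Trading & Sales", 310000.0), ("Trading & Sales", 12000.0),
]


def fit_per_business_line(loss_db, observation_years):
    """Per line (lambda, mu, sigma): events per year, severity fitted from the losses."""
    by_line = {}
    for line, amount in loss_db:
        by_line.setdefault(line, []).append(amount)
    return {line: (len(amts) / observation_years, *fit_lognormal(amts))
            for line, amts in by_line.items()}


def capital_per_business_line(loss_db=LOSS_DB, observation_years=OBSERVATION_YEARS,
                              years=20000):
    """The 'per Business Line' angle: one LDA result per line."""
    fits = fit_per_business_line(loss_db, observation_years)
    return {line: lda_capital(lam, mu, sigma, years) for line, (lam, mu, sigma) in fits.items()}
```

Two practical points the simulation makes visible: with so few observed losses the fitted sigma is very uncertain, so the VaR moves a great deal between lines and between re-fits as the loss database grows, and the nearest-rank quantile at 99.9% rests on a handful of the largest simulated years, which is why the number of simulated years should be large relative to 1/(1 - confidence).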





    Reporting

    easy2comply provides management reporting tools for both regular and
    ad-hoc reporting requirements including dashboards, pre-built,
    standardized reports and a user-friendly report generator. The outputs
    generated by the different reporting options can also be exported to
    external tools such as Excel, PDF, PowerPoint and Word and allow the
    organization to identify trends and to perform analysis from multiple
    perspectives as outlined below.

    The Operational Risk Management Module supports multiple building blocks:

    - Organizational Units
    - Processes
    - Risks
    - Controls
    - Loss Data
    - KRIs
    - Simulations
    - IT Systems
    - Business Lines
    - Risk Categories
    - People

    In easy2comply, each building block can serve as a basis for analyzing the
    information and aggregating the data. You can view graphic dashboards with
    drill-down capabilities and run both textual and graphical reports, such as
    pie charts and distribution schemes.

    The easy2comply Report Generator enables authorized users to define their
    own report templates and re-use these templates at any time or in
    conjunction with any building block. When building a report template, all
    database fields are available for selection and can serve as a basis to
    filter the information when running the report.




    Key Benefits of Proposed Solution

    The main benefits an organization can enjoy from deploying easy2comply
    Operational Risk Management modules are:

    - Increase accuracy and visibility of your risk information
    - More quickly identify and remediate deficiencies
    - Increased management insight
    - Optimization of business performance
    - Reduce the cost and complexity of your operational risk process
    - Integration of all risk management components on a single, coherent
    - Incorporate a robust software architecture to incorporate current and
      future operational risk management needs

    About easy2comply

    The easy2comply software platform is composed of 5 solution families:

    - Operational Risk Management
    - Internal Control Management - including SOX, MiFID, Turnbull, JSOX,
    - IT Risk and Governance - including CobiT, ISO27001/17799, BCP, BCM,
      ITIL, etc.
    - Internal Audit Management module
    - General Compliance Framework - a toolkit for customization to specific
      governance and compliance needs (e.g. LOPD, etc.)



    About Dynasec

    Dynasec Ltd. is a leading provider of Governance, Risk Management and
    Compliance (GRC) solutions. Our flagship product, easy2comply, is the
    perfect answer for businesses of all sizes seeking to simplify their
    compliance and risk management processes.

    easy2comply can be deployed either on-demand (SaaS) or on-site to suit
    each customer's preferred configuration. We serve customers in many
    markets including financial institutions, telecom, energy, government,
    pharmaceutical, healthcare and commercial organizations.

    Dynasec's customers include financial institutions, telecom, energy and
    many other enterprises. The Dynasec customer base includes:

    Financial Sector:
    - Rabobank
    - Generali (Migdal)
    - Mitsui Sumitomo Insurance
    - Dexia
    - Prisma Financial Services
    - Mastercard Israel
    - Phoenix Insurance
    - Bank Igud
    - Leumi Group
    - Bank Hapoalim
    - First International Bank of Israel
    - United Mizrahi-Tfahot Bank

    Government, Energy, Telco, Other Sectors:
    - Dutch Ministry of Social Services
    - Israel Electricity Company
    - Ormat Thermal Power
    - Israel Water Authority
    - Clalit Health Services
    - Cellcom
    - Blue Square retail
    - Gilat Satellites
    - Ministry of Finance, Division of Capital Markets, Insurance, Savings
    - Zim Shipping Lines
    - Netafim Drip Irrigation

    easy2comply Practical Compliance Solutions
    affordable. reliable. easy2deploy.