Operational Risk Management Notes - Whole Module

The document provides an overview of Operational Risk Management (ORM), defining it as the risk of loss from inadequate internal processes, people, and systems, as well as external events. It discusses the importance of ORM in the context of the Basel Framework, highlighting key risk indicators and the need for a formal approach to managing operational risks, especially in financial institutions. The document emphasizes the evolving nature of ORM and its critical role in preventing financial disasters and ensuring effective business continuity.

Uploaded by Bridget Matutu

Operational Risk Management Course
RMI232
Lecturer: Ms Faith Mariwi
faithmariwi84@gmail.com
0773298145
Chapter 1: Introduction to Operational Risk Management
1. INTRODUCTION TO OPERATIONAL RISK MANAGEMENT

1.1 Overview and definition of Operational Risk Management
1.2 Key Risk Indicators
1.2.1 People
1.2.2 Processes
1.2.3 Systems
1.2.4 External Factors
1.3 Basel Framework on Operational Risk Management
1.3.1 Basel Operational Risk Categories
1.4 Relationship Between ORM and ERM
1.1 Definition of Operational Risk Management
Operational risk is defined as: ‘The risk of loss resulting from inadequate or
failed internal processes, people and systems, or from external events.’ (Basel
Committee on Banking Supervision, 2004). This definition includes legal risk,
but excludes strategic and reputational risk.

Risk management is: ‘A process of understanding and managing the risks that the
entity is inevitably subject to in attempting to achieve its corporate objectives.
For management purposes, risks are usually divided into categories such as
operational, financial, legal compliance, information and personnel. One example
of an integrated solution to risk management is enterprise risk management.’
(CIMA Official Terminology, 2005)
Background
Operational risk is often viewed as difficult to analyse. However,
interest in the active management of operational risk has been kick-started
in recent times by:
• The advent of enterprise-wide risk management.
• The introduction of new regulatory capital requirements (which
include a requirement to assess operational risk).
• The increasing emphasis on sophisticated quantitative models for
other sorts of risk.
• Unlike many other forms of risk, it has no inherent upside potential.
It is worth noting, with regard to the final point above, that although
operational risks may not be sought (due to a lack of upside), a cost-benefit
analysis may result in some operational risks being accepted
rather than mitigated.
Background
Operational risk has traditionally been managed on an informal basis, but
there are three main reasons why a more formal approach is advantageous:
❑ Operational risk has been the main driver behind many cases of major
financial disaster in recent times.
❑ Operational risk is inter-linked with credit and market risk and it is
particularly important to minimise the likelihood of operational risk
failure during already stressed market conditions.
❑ Operational risk may be treated differently in different areas of the
company. This can lead to key risks being overlooked and decisions
being taken based on inaccurate information or an incorrect assessment
of a business unit’s risk adjusted returns.
Background
The 2008 financial crisis led to discussion of different aspects as the reason
for the failure of most banks and financial institutions, and this is why
there is extensive literature on operational risks in financial institutions.
Sabato (2010) contends that a strong belief that banks were too vast to fail is one
of the reasons that led to the failure of financial institutions in 2008. Another
issue was the lack of a clearly defined strategy that could be used for risk
allocation.
Hess (2011) observed that one of the major causes of the failure of financial
institutions in 2008, and even now, is the lack of a proper operational risk
management strategy in particular.
Schwartz-Gârliste (2013) adds that the relevance of operational risk
management has grown so much as to attract the attention of the global banking
sector. Because of this, constant and advanced research on operational risk in
financial institutions has been identified as one of the ways to
ensure coherent and efficient financial management, which in future can be
used to avoid the challenges witnessed during the great financial crisis.
The need to assess operational risk
The benefits of consistent and effective operational risk management include:
• It minimises day-to-day losses and reduces the potential for more extreme and costly
incidents.
• It improves a company’s ability to meet its business objectives (by reducing the time
spent on crisis management).
• It strengthens the overall ERM process and framework.
• It minimises the impact of reputational damage arising from incidents linked to
operational loss. Such incidents can give the company the appearance of being badly
managed and ill-equipped to deal with errors.
Operational risk management is still very much a developing area, but it is widely
accepted that all companies should be considering this issue. A comprehensive approach
should be adopted with the focus being primarily on the management rather than the
measurement of the risks present.
Operational risks associated with business
Operational risks range from the very small, for example, the risk of loss due to
minor human mistakes, to the very large, such as the risk of bankruptcy due to
serious fraud. Operational risk can occur at every level in an organisation.
The types of risk associated with business and operational risk relate to:
• Business interruption
• Errors or omissions by employees
• Product failure
• Health and safety
• Failure of IT systems
• Fraud
• Loss of key people
• Litigation
• Loss of suppliers.
1.2 Key Operational Risk Classes
1.2.1 People Risk
People risk is the risk of financial losses and negative social performance related to inadequacies in
human capital and the management of human resources. This encompasses the inability to attract,
manage, motivate, develop, and retain competent resources and often results in human errors, fraud, or
other unethical behaviour, both internal and external to the institution.

❑ The management of employees’ behaviour and of human resources are regarded as major
sources of operational risk.
❑ Overworked and poorly trained employees may inadvertently make errors that lead to
operational risk in companies. Also, understanding of confidence, mandate, and strategies
is significant for efficient operations.
❑ Furthermore, the availability of employees and the ability to replace them may influence a company’s
ability to continue with its activities and recover from interruptions. Employees
should therefore be aware of such operational risks and learn from their mistakes.
❑ According to Knežević (2013), retail banks have more employees and transactions than
large corporate banks. He notes that there is a higher possibility of unintentional errors
because most of the workers get tired due to the many operations daily. During the time of
expansion, coupled with the growing number of workers, there is a high risk of insufficient
training of the employees, and this eventually leads to an increase in accidental errors.
1.2.2 Internal Processes
Process risk is the risk of financial losses and negative social performance related to failed internal
business processes within every aspect of the business. This can include product design flaws and
internal project failures.
It is widely held that the most challenging driver of risk in financial institutions lies in internal
procedures and processes. Operational risks in the banking sector are inherent to the
internal processes, and sometimes it can be difficult to differentiate the risks caused by
people from those that are due to the failure of the internal processes.
Knežević (2013) notes that failures and omissions in a bank’s internal operations can
be unintentional, due to a minor misunderstanding of the process, or intentional, with the
aim of gaining more profit by exposing the institution to higher risks.
Overlapping of responsibilities within a company can lead to failure in the internal
processes. When employees’ duties are not set out adequately, overlapping of
duties can happen, and this often leads to omissions and inefficiency during work
(Rahim et al., 2017).
Company procedures can have loopholes that allow individuals to make personal
gains or expose the firm to higher risks than expected. If the company
procedures do not cover all aspects of the internal process, there is a high chance of
breach of responsibility by the employees.
1.2.3 IT System Risks
Systems risk is the risk of financial losses and negative social performance related to failed
internal systems. This encompasses inter-branch connectivity, management information and
core systems, information technology systems, power backup systems, and other technical
systems.
❑ Different processes and systems support company operations. These include
human resource management, market, insurance, liquidity risk management,
credit systems and IT systems. All these require different components to
operate.
❑ An example is a system that deals with credit risk management in a bank,
which should require processes for the identification, measurement, monitoring
and control of credit risk.
❑ Poorly designed and overly complex systems may lead to a rise in operational risk
in banks because they are unfit for purpose and prone to malfunction.
❑ A range of problems is experienced when they fail, namely fraud,
processing errors and data security failures. Also, reliance on
information technology may lead to a major transformation of risk.
1.2.3 IT System Risks
Systems sometimes fail, and typically this leads to losses that have
significant implications for the organization, for example the MasterCard
computer virus that involved a computer virus capturing client
information for fraud. Another example is that of November 2010, when
an extensive computer disruption in one of the Swedish banks affected the
whole bank system, including the ATMs and the branches.

IT system problems are mainly caused by cyber-attacks, viruses and
other failures, and these result in significant issues that affect the whole
system. Because of this, technology and system risk can be classified as
the risk of loss due to imperfect systems. Moreover, such imperfection
includes inappropriate data processing, lack of system capacity, poor
quality of data or the use of low technology.
1.2.4 External Events
❑ External events risk is the risk of financial losses and negative social performance related to the
occurrence of external events typically outside of a company’s control. This encompasses both
natural disasters such as hurricanes, flooding, earthquakes, and fires, as well as man-made events
such as civil disruptions, war, robberies, arson, road blockades, and terrorist attacks.
❑ External event risks include:
Accidental – industrial accidents such as fires and explosions.
Intentional – terrorism and sabotage.
Disease – human (e.g. pandemic flu, Covid) or animal (e.g. foot and mouth).
❑ The terrorist attack on September 11, 2001 was a massive external event which disrupted business activities
and caused huge shareholder losses in the airline and financial services industries.
❑ External events are not limited to the examples above but are very broad.
Incidents like floods (Cyclone Idai), Boko Haram, Niger Delta militancy, and kidnapping of
expatriates and local professionals on field engagements could also be categorized under
this heading.
❑ External events are therefore synonymous with natural disasters and other similar types of
emergencies that confront organizations on a daily basis, and should be considered as part of the
Business Continuity Planning (BCP) risk assessment process. Within the simple risk model,
external events are treated as threats, agents of potential harm to the organization.
Key Risk Indicators
Key Risk Indicators (KRIs) are critical predictors of unfavourable events that can adversely
impact organizations. They monitor changes in the levels of risk exposure and contribute to the
early warning signs that enable organizations to report risks, prevent crises and mitigate them in
time.
Key risk indicators (KRIs) are a great way for businesses to keep track of issues and
opportunities. There are many risk indicators; businesses have the choice to pick the indicators of
their choice and track them as their key indicators. This helps isolate the signal from the noise;
instead of looking at hundreds of indicators, management can choose the indicators that provide
the insights needed to make executive decisions.
• Key Operational Risk Indicators for banks
• Fraud
• Customer Request Volume
Key Risk Indicators
Key risk indicators can be regarded as metrics that can be used to monitor the identified risk factors over time.
However, it is important to note that an indicator becomes key when it tracks a risk exposure, which could have a
major influence on the organisation. According to the Institute of Operational Risk (2010), an operational risk
indicator is a metric that provides information on the level of exposure to a given operational risk that the
organisation is experiencing at any time.
Alexander (2003) defines KRIs as statistics and/or metrics, often financial, which can provide insight into a
bank’s risk position. These indicators tend to be reviewed on a periodic basis to alert banks to changes that may
be indicative of risk concerns. Such indicators may include the number of unsuccessful and failed trades, staff
turnover rates and the frequency and/or severity of errors and omissions.
KRIs should have the following characteristics in order to be used as a tool for the management of operational
risk:
• The data must be available;
• The data must be quantifiable in either percentage, value or volume;
• A tolerance threshold must be determined by management and must only change according to
changing circumstances;
• The KRIs must be monitored on a regular basis.
Challenges Associated with the KRI concept
Davis (2007) states that KRIs sound like a straightforward concept, measuring and reporting the
items that may give cause for concern; however, there are many challenges associated with the
concept, for example:
❑ Is the right thing being measured?
❑ Are the measures accurate?
❑ Are the definitions clear?
❑ Are the true key risk indicators identified?
❑ How are the KRIs depicted?
❑ Can the KRIs be used to determine the current risk exposures?
According to Hoffman (2002), operational risks will not be effectively identified without first
identifying the key risk indicators of operational risk.
1.3 Basel Framework on Operational Risk
The committee was started in 1974 by the governors of the central banks of the G-10 countries. The
committee aimed to provide supervisory practices and regulations in the aftermath of what was a serious
disturbance of the global financial and currency markets. The countries that provided the committee
members were Canada, Belgium, Germany, France, UK, USA, Sweden, Spain, Japan, and Luxembourg. The
Bank for International Settlements provides the secretariat of the committee, and all committee sittings
take place there. At the start of the 80s, the Basel Committee developed its very first framework for financial
supervision, which came to be called BASEL I.
It was mainly on capital adequacy and capital risk. The committee recommended that all financial institutions
set aside 8 percent of all the capital spent on loans, using a single matrix system. In essence, it meant that
when a financial institution sanctions a loan of one hundred million, eight million should be set aside as the
institution’s own funds. Bitar et al. (2017) provide substantial evidence that adherence to the Basel Core
Principles (BCPs) has a strong positive influence on the Z-score of conventional banks, although this is less
evident for the Z-score of Islamic banks. Using a sample of banks operating in 19 developing countries, the
results appear to be driven by capital ratios, a component of the Z-score, for the two types of banks. Even
though the effect is smaller for Islamic banks, individual chapters of the BCPs also suggest a positive effect
on the soundness and stability of conventional banks. The findings support the useful role of BCP standards
in improving bank strength.
However, BASEL I faced a lot of criticism on the grounds that the system used was biased towards the
financial institutions and systems of the G-10 countries and was seen as narrow and incapable of
guaranteeing the stability of global financial institutions. This led to the development of BASEL II.
1.3 Basel Framework on Operational Risk
Basel Committee on Banking Supervision (BCBS) (2004): BASEL II depends on three reinforcing
pillars to protect financial institutions from operational risks and bring transparency to the banking sector.
They include the minimum capital requirement, the supervisory review process, and enhanced disclosure
(Di Renzo, 2007).
It was BASEL II that led to the explicit treatment of operational risk in financial institutions, resulting in a
capital measure of operational risk.
According to Ibrahimovic and Franke (2017), under the first pillar of the Basel II agreement, the interruption
of information technology in the banking sector leads to increased capital requirements, thus creating
additional regulatory costs in addition to the direct and indirect costs of disruption. BASEL II is an
established standard that was initially issued by the BCBS (2004). It was intended to facilitate the rules and
procedures of managing operational risks in financial institutions. BASEL II requires the consideration of
proper measures by financial institutions to have a strong risk management culture across all financial
institutions. Further, it reflects on the improvements of ORM practices that can assist banks and other
financial institutions in planning and foreseeing the future. Although BASEL II has been widely accepted
and adopted as part of bank practices, there are several negative opinions regarding its application in risk
management. Because of the negativity associated with BASEL II, in 2010 BCBS issued the third accord,
which was a new and much-improved standard for the management of banks’ liquidity risks. BASEL III
aimed at intensifying the existing capital requirements in banks to enhance the overall strength of the
global banking system.
BASEL III on Operational Risk Management
BASEL III has proved useful in providing the necessary directions for the
improvement of the overall financial stability of institutions. The primary
need for Basel III was to develop a new and efficient internal control system that
could be applied during periods of financial distress. However, since Basel III
was an improvement on BASEL II, it still faces many shortcomings. As an
example, the BASEL III framework only manages foreseeable risks. Also, the
implementation of Basel III has raised several discussions because its application
changed many apparatuses in the banking system globally.
BASEL III on Operational Risk Management
The explanation provided by BCBS (2004) is a breakdown of four causes of
operational risk in a financial institution: processes, people, systems and
external events.
Under Basel III regulations, banks must calculate operational risk capital (ORC)
using the standardized measurement approach. This limits a bank’s influence
over ORC to a single variable: the internal loss multiplier (ILM).
Cummins et al. (2006) write that one of the most significant and perfect
examples of operational risk in a financial institution was the $1.3 billion loss
that Barings Bank incurred. The loss was caused by a single individual, Nick
Leeson, who took an unauthorized speculative position and caused the bank
to accumulate losses continually until it was declared bankrupt in 1975.
1.4 Enterprise Risk Management
Enterprise Risk Management is defined as: “...a process, effected by an entity’s board of directors,
management and other personnel, applied in strategy setting and across the enterprise, designed to identify
potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable
assurance regarding the achievement of the entity’s objectives.” Source: COSO Enterprise Risk Management
– Integrated Framework. 2004.
Enterprise risk management (ERM) is the process of planning, organizing, leading, and controlling the activities
of an organization in order to minimize the effects of risk on the organization’s capital and earnings, by
identifying and proactively addressing risks and opportunities to protect and create value for stakeholders.
ERM supports value creation by enabling management to:
• Deal effectively with potential future events that create uncertainty.
• Respond in a manner that reduces the likelihood of downside outcomes and increases the upside.
In summary, ERM is a comprehensive, systematic, disciplined and proactive process that is used to identify,
assess, manage and report on the significant strategic, business and process level risks related to the achievement
of the credit union’s objectives which are inherent in the business strategy and operations at any point in time.
1.3 Basel Operational Risk Categories
Enterprise risk management expands the process to include not just risks
associated with accidental losses, but also:
Strategic: These concern the long-term strategic objectives of the
organization. They can be affected by such areas as capital availability,
sovereign and political risks, legal and regulatory changes, reputation and
changes in the physical environment.
Operations: The risks incurred by an organization’s internal activities,
e.g. IT risk and business risk.
Financial: These concern the effective management and control of the
finances of the organization and the effects of external factors such as
availability of credit, foreign exchange rates, interest rate movements and
other market exposures.
Compliance: These concern such issues as health and safety,
environmental, job descriptions, consumer protection, data protection,
employment practices and regulatory issues.
Purpose of ERM
❑ The purpose of ERM is to create, protect, and enhance company value by managing the uncertainties that
could influence achieving its objectives.
❑ Provides the ability for management to make more efficient use/allocation of capital and resources within
the organization to optimize capital levels;
❑ Optimizes risk management by balancing the cost of risk with the cost of control for all aspects of the
credit union’s potential risk areas to ensure organizational objectives are met;
❑ Is an integral part of sound business and financial management from the strategic planning process to the
day-to-day operations of the credit union that helps identify and manage all material internal and external
risks and opportunities that may affect its performance, reputation and viability;
❑ Seeks to enhance value and preserve the longer term viability of the firm, and is a fundamental
responsibility and accountability of the Board and senior management. ERM involves a pro-active holistic
enterprise-wide view of all risks and their associated risk appetite and tolerances to ensure that they are
fully aligned with the institution’s objectives and strategies, and reflects the quality, competencies and
capacity of people, technology and capital.
❑ ERM also helps identify the interdependency and interaction of risks across the organization and provides
the tools to rationalize risk management activities.
Objectives of ERM
Implementing an effective ERM achieves the following key objectives:
Oversight: All critical risks have been identified and are being managed
and monitored under a holistic approach consistent with the Board
approved risk appetite statement.
Ownership and Responsibility: The ownership of risk is assigned to
management individuals who are responsible for identifying, evaluating,
mitigating and reporting risk exposures.
Assurance: The Board, management and members have reasonable
assurance that risk is being appropriately managed within defined levels to
bring value to the organization.
Benefits of ERM
An organization which successfully implements ERM should expect the following
benefits:
❑ More efficient use of capital and resources
❑ Reduced likelihood of operational loss
❑ Lower compliance/auditing costs
❑ Earlier detection of unlawful activities
❑ Fewer surprises
❑ Focus on lower cost prevention rather than higher cost resolution strategies
❑ Cost savings by using risk information to streamline and improve processes
❑ Increased awareness and integrated view of risks (existing and emerging)
❑ Systematic, repeatable approach to mitigate risks and identify opportunities
❑ Clearer, better informed decisions
1.4 The relationship between ORM and ERM
ERM as a strategic Management Tool
Though ORM is practiced enterprise-wide, its practicality and implementation are
limited to operational risk matters and issues with little or no direct linkage to an
organisation’s strategy. ERM is a strategic management tool that needs to be applied
enterprise-wide.
Value creation vs Value Preservation
ERM is proactive; ORM is protective. While ERM seeks to optimise risk, ORM
seeks to eliminate or minimise risk. In ERM it can be a reasonable step to attempt to
increase risk so that there will be a higher return. In ORM there is no such thing as a
return on risk. ORM, as an essential but limited framework, should be integrated as
part of an overall ERM strategy.
Chapter 2
2 OPERATIONAL RISK MANAGEMENT PROCESS
2.1 Risk policy and organization
2.2 Risk identification and assessment
2.3 Capital allocation and performance measurement
2.4 Risk mitigation and control
2.5 Risk transfer and finance.
What is Operational Risk Management
ORM is a continuous, systematic process of identifying and
controlling hazards. This process includes detecting hazards,
assessing risks, implementing controls, and monitoring risk controls
to support effective risk-based decision making.
ORM involves identifying, assessing, decision making, implementing
controls, and supervising. Furthermore, ORM seeks to harness
feedback and input from all organizational levels to make the most
informed decisions possible while reducing unintended outcomes.
ORM has a specific goal: to enhance employees’ ability to anticipate
hazards and reduce risk.
Risk Policy and Organization
Policy: Develop well-defined operational risk policies that explicitly articulate
the desired standards for risk measurement.
A comprehensive operational risk management policy should include:
❑ Principles for operational risk management.
❑ Definitions and taxonomy (classification) for operational risk.
❑ Objectives and goals for risk management.
❑ Roles and responsibilities of different business areas involved in operational
risk management.
Operational Risk Management Process
Risk Identification
Risk Identification: Establish a common language of risk identification. For example, the term “people risk”
would include a failure to deploy staff. “Process risk” would include execution errors. “Technology risk”
would include system failures, etc.
Develop an “operational risk catalogue” that categorizes and defines the various operational risks arising
from each organizational unit in terms of people, process, and technology risks. This catalogue should be a
tool to help with operational risk identification and assessment.
List the hazards associated with each phase of the project. Potential failures, i.e., things that could go
wrong, encompass equipment or operational problems both internal and external to the project. The key to
successfully analyzing risk is to carefully define the hazards and identify and evaluate safeguards. In
brainstorming sessions, asking the question "What if?" is an excellent tool to help identify as many potential
hazards as possible. It is important to remember that risk management is not fool proof, nor is it a guarantee
that we might not experience catastrophic outcomes, but it does improve the odds of mission success.
Specific hazard identification is important since it leads to assessing risk more accurately and subsequently
developing risk control options or safeguards more thoroughly.
Risk Identification
Identification is one of the most important areas of managing risk. Failure to
identify risk will certainly mean that no action is taken to manage that risk. There
are a number of different techniques that can be used to identify risk. A common
method used in risk identification is the use of workshops to ‘brainstorm’.
Risk Assessment
Various methods may be used to assess the severity of each risk once it
has been identified. One of the reasons for measuring risk is that it allows
the most significant risks to be prioritised. The result or impact of a risk
occurring may be financial loss, damage to reputation, process change or
a combination of these. One of the simplest ways to measure risks is to
apply an impact and likelihood matrix which provides an assessment
matrix.
Determine individual risk levels for each hazard identified. Assess risk by
evaluating specific elements or factors that, when combined, define risk. Begin
by identifying the potential consequences associated with the given task. Then
determine the probability or likelihood of experiencing that outcome based on
experienced persons, such as subject matter experts. This is subjective and will
vary among individuals.
Risk Assessment Matrix – used to determine the risk level.
Risk Assessment Matrix
The Risk Assessment Matrix (Figure 3) is used to assign Risk Assessment
Codes to each hazard that may be experienced while completing an objective. This matrix is
based on the concept that risk is a function of probability and severity.
It consists of three areas:
Probability categories – Likely/Unlikely
Severity/consequence categories – Minor, Significant, Severe/Catastrophic
Risk assessment codes – High, Medium, Low
Example of a risk Matrix
Manage Risk: Develop Controls & Make Decisions
Decide how to manage operational risk exposure and take appropriate
action to hedge the risks.
There are three basic actions necessary for making informed risk decisions:
1. Identifying risk management strategies.
2. Determining the effect of these controls, or the residual risk, on the
hazard.
3. Evaluating risk versus gain to inform a decision.
For each identified risk the institution should establish an appropriate
“response” option in order to optimize risk management. These
generally range from accept to avoid.
• Accept: The institution decides to accept, manage and monitor the level of risk and take no action to reduce the
risk. Risk can be accepted when the benefits of meeting the objective clearly outweigh the risks involved, but only
as much as necessary to meet the objective (accomplish the mission or task).
• Mitigate: The institution is willing to accept some risk by implementing control processes to manage the risk
within established tolerances. Controls reduce the potential for loss, maintain risk at acceptable levels, or enhance
the potential for benefits in a manner consistent with objectives, desired outcomes and the management context.
Examples of risk control in the wildland fire context might be reducing hazardous fuel loads, constructing fireline
to contain fire spread, and implementing standard LCES (lookouts, communications, escape routes, safety zones)
procedures. Using protective devices, engineering controls and personal protective equipment are examples that
usually help control severity; training, situational awareness and attitude change are further examples of controls.
The term ‘control’ is essentially synonymous with ‘mitigation’ and ‘abatement’. For aviation, examples of risk
control or mitigation might include waiting for weather to improve or utilizing aircraft/crew with increased capability.
• Transfer: The institution chooses to transfer the risk to a third party (e.g. obtaining insurance). This is the use of
actions to manage risk by shifting some or all of the risk to another entity, asset, resource or system. Transferring
risk shifts uncertainty to another entity. For example, transferring risk to a contractor is sometimes an effective way
to mitigate risk.
• Avoid: The institution feels the risk is unacceptable and will specifically avoid the risk (e.g. cease selling a
product or lending in a specific market). This is the use of actions or measures that effectively prevent or bypass
exposure to a risk. You can avoid specific risks, e.g. avoid the risks associated with a night operation by planning
the operation for daytime.
Generally, if the magnitude or severity of the risk under consideration is high, the risk response needs to be strong
(mitigate, transfer or avoid). Each risk and related response should be assigned to the manager who is responsible
for the area affected by the risk. As part of the response process, management should determine and document what
actions (prevention or detection) are necessary to manage the risk.
Control
Implement Controls
Once the risk decision is made, resources must be made available to implement the specific controls.
Implementation requires that the plan is clearly communicated to all involved personnel.
Part of implementing control measures is having a dialogue with the personnel involved about the
risk management process.
If personnel disagree, the decision makers and personnel should work together to come to a
mutual understanding and acceptance.
Documenting the decision and all steps in the process can facilitate communications and clarify
the rationale process behind risk management decisions.
If it is determined that the risk level is too high or the controls implemented are not as effective
as thought, then the decision must be revisited to either develop additional or alternate controls,
make modifications, or reject the course of action.
Monitor
The final step in the ORM process is to monitor the situation to ensure the
controls are effective and remain in place. Changes requiring further risk
management must be identified and acted on. When necessary, actions must be
taken to correct ineffective risk controls and reinitiate the risk management steps
in response to new hazards.
Communicate, Evaluate, Validate
It is important to remember that risk management is a continuous process, and that communication,
evaluation, and validation are core elements to all of the steps in the ORM process. Throughout
each step of the ORM process, individuals should consistently communicate,
evaluate, and validate actions taken to manage risk. This will ensure they are
meeting project objectives by enhancing employees' ability to anticipate hazards
and reduce the potential for loss.
Risks and risk response activities should be monitored by the responsible manager to ensure that
significant risks remain within acceptable risk levels, that emerging risks and gaps are identified
and that risk response and control activities are adequate and appropriate. Internal Audit and the
Audit Committee (or other committee delegated to by the Board) play an important oversight role
in confirming that management is monitoring and managing risks in accordance with established
levels.
Indicators that fall outside of acceptable risk levels should be escalated with appropriate action
plans to bring the risk back within established risk levels. Those risks that still remain above
acceptable risk levels should be considered by the Board for their approval of any necessary
resolution strategies. This activity will form the basis for reporting to the Board and on-going
monitoring by management.
Chapter 4: ZICARP
Zimbabwe recently launched the Zimbabwe Integrated Capital and Risk Programme (ZICARP)
Framework. ZICARP is a risk-based capital solvency regime that seeks to create a sound
insurance regulatory and supervisory framework to enhance policyholder protection and stability
of the insurance industry.
The ZICARP solvency framework is designed to help the fragile insurance sector, in a move
which will see local insurers hold capital aligned to the risks they carry.
ZICARP aims to:
• Introduce a proportionate, risk-based approach to supervision with appropriate treatment for
large and small insurers.
• Improve consumer protection and assurance to policyholders and beneficiaries, whilst:
  – Providing incentives to insurers to measure and properly manage their risks.
  – Enabling insurers to absorb significant unforeseen losses.
• Introduce a principles-based approach to regulation.
• Achieve convergence of regulatory capital and risk-based (economic) capital.
• Ensure better allocation of capital resources in insurer firms.
• Implement best practice regulation and supervision aimed at promoting financial system
stability.
• Align supervision of all insurance entities and make the sector attractive to investors.
• Consolidate existing solvency management regulatory initiatives, e.g. Circular 11 of 2016 and
SI 95 of 2017.
3 Pillar Framework for Solvency Management Regimes
PILLAR I
Quantitative Requirements
•Capital Estimation
•Assets Estimation
•Liabilities Estimation
Involves:
Technical provisions
Asset valuation
Eligible Capital
Risk measures and assumptions
Risk dependencies
Standard Approach
Internal model approach
PILLAR II
Qualitative Requirements
•Risk management processes
•Governance systems
•Supervisory Review Process
Internal Control System, Risk Management System, System of Governance, Own Risk and
Solvency Assessment (‘ORSA’), Stress Testing, Continuity Testing, IPEC Review Process.
PILLAR III
Disclosure Requirements
•Public disclosure
•Supervisory disclosure
Public Disclosures, Disclosures to IPEC, Solvency and Financial Condition Report, Regular
Supervisory Report (RSR), Quarterly Return Templates under ZICARP (QRTs), Risk Disclosures.
Components of ORM Policy
Operational risk is a fast emerging area in banking. Awareness of operational risk as a
separate risk category has been relatively recent in most banks. Unlike market and credit
risk, the operational risk factors are largely linked to internal policies and procedures of
the bank. There is no mathematical link between individual risk factors and the
likelihood and size of operational loss. Losses arising from a bank’s operational risks
may, on occasion, exceed those stemming from credit losses. It is, therefore, a vital
focus for management in ensuring a properly controlled approach to the risks inherent in
their business.
Banks must put in place suitable risk management policies and procedures to enable
them to identify, assess, monitor and control/mitigate operational risk. These policies
and procedures should be commensurate with the scale and complexity of the
institution’s operations.
In particular, banks’ policies and procedures should cover the following critical elements:
•Operational risk framework.
•Role of board and senior management in overseeing the operational risk framework.
•Responsibility for implementation of the framework.
•Independent control review.
•Collection of operational risk loss event data.
•Monitoring and reporting.
Banks must also ensure that their operational risk framework and arrangements are
kept under regular review and amended as necessary, having regard to changes in
banks’ risk profiles as well as external market developments. Changes in banks’
strategies, policies and procedures for operational risk management must be properly
reviewed and approved.
Key Components of an ORM Policy
The first step towards developing an operational risk framework is to develop a
comprehensive operational risk policy. Each bank must have policies and
procedures that clearly describe the major elements of the operational risk
management framework including identifying, assessing, monitoring and
controlling/mitigating operational risk. These policies and procedures should be
commensurate with the scale and complexity of the bank’s operations.
Definition of operational risk
One of the essential elements of an operational risk policy is the definition of
operational risk, including the loss event types that will be monitored.
Operational risk is defined as the risk of loss resulting from inadequate or failed
internal processes, people and systems, or from external events.
Roles and responsibilities
The policy should clearly explain the roles and responsibilities of the independent bank-
wide operational risk management function and line of business management. The
different roles in an operational risk management function could be the risk committee
of the board, executive risk committee, operational risk manager, etc. The
responsibilities of these functions should be clearly explained in the policy.
Management oversight
The operational risk policy should contain the procedure for top-level reviews of the
bank’s progress towards the stated objectives. Senior management needs to review the
risk exposure and the monitoring mechanisms on a regular basis. The policy needs to
define the risk tolerance level for the bank, and break it down to appropriate sub-limits,
prescribing reporting levels and breach of limits.
Capture and use of operational risk loss data
The methodology for the capture and use of internal and external operational risk loss data
including data potential events (including the use of scenario analysis) should be explained in
detail. Extensive documentation is required for the process of identifying, capturing, assessing
and accepting loss data. Banks must put in place systems enabling them to identify and
systematically track all material operational loss events.
Business environment and internal control factor assessments
The development and incorporation of business environment and internal control factor
assessments into the operational risk framework is another essential element of operational risk
policy. An effective control mechanism is a qualitative factor that will have a great impact in
controlling operational risk. The policy should cover a detailed discussion of risk and control self-
assessment and its methodology, the frequency with which it has to be done and the persons
involved in the process. The policy should also include a discussion of qualitative factors and risk
mitigants and how they are incorporated into the operational risk framework. The key risk
indicator identification and assessment methodology has to be described in the policy.
Internal audit review and management review
A description of how the operational risk framework needs to be regularly
reviewed by independent audit is an important element in operational risk policy.
The operational risk management processes and procedures are subject to audit
review. In addition to the audit review, management also needs to check
compliance with management controls and regularly review the internal control
mechanisms.
The policy should indicate the process to be adopted for immediate corrective action when
issues are identified in an audit review. There should be a documented procedure for the
review, treatment and resolution of non-compliance issues. The model testing and
verification processes and procedures also need to be documented.
Analytical framework
The policy should contain a description of the internally derived analytical framework that quantifies the operational risk
exposure of the institution. The operational risk policy needs to describe how the operational risk exposure is calculated
by using loss data, scenario analysis, risk and control assessments, etc.
Review and approval mechanism
The process for the review and approval of significant policy and procedural exceptions should be incorporated in the
operational risk policy.
Banks must ensure that their operational risk framework and arrangements are kept under regular review and amended as
necessary, having regard to changes in institutions’ risk profiles as well as external market developments. Changes in
institutions’ strategies, policies and procedures for operational risk management must be reviewed and approved by the
board of directors. A documented procedure should exist for approving changes in policies and procedures, the persons
responsible for approving changes and the procedure for notifying the changes.
The policy should indicate a system of documented approvals and authorizations and ensure accountability at an
appropriate level of management. The roles and responsibilities of the persons responsible for approvals and
authorizations have to be clearly mentioned.
Reporting requirements
A documented procedure should exist for risk reporting. The board/senior management receives
regular reports on critical risk issues facing the bank and its control/mitigations. Management
should develop operational loss databases that track loss events on the basis of the mapping
approach to event type categories and business lines. Senior management also needs to receive
regular reports on risk assessments, control assessments and risk exposure. Operational risk
reports will reflect the scope and sophistication of institution’s operational risk frameworks. For
example, such a report might include information on the level and trend of historical operational
losses including, where relevant, a summary of recent operational losses by loss event type, a
brief description of the most significant operational losses for the prior quarter.
IPEC Directive on Governance and Risk Mgt 2016
Pursuant to the Insurance and Pensions Commission’s mandate to protect the rights, benefits and
other interests of policyholders in terms of section 5(a) of the Insurance Act [Chapter 24:07], the
Commission issued this directive on “Governance and Risk Management for Insurers”.
❑This directive is issued in terms of section 6(c) of the Insurance Act [Chapter 24:07], which
empowers the Commissioner to formulate standards for the conduct of insurance business with
which registered insurers may be required to comply.
❑ This directive is meant to provide minimum guiding principles to ensure that insurers have
effective systems of risk management including governance structures, internal controls and
oversight functions.
Objectives of the Directive
❑ The objective of this directive is to outline the minimum IPEC expectations and requirements for shareholders,
board and management control functions of an insurer to ensure an effective governance and risk management
framework is in place.
❑ This directive is also meant to ensure that underwriters are managed in a sound and prudent manner by having
in place systems for identifying, assessing, monitoring, and mitigating the risks that affect their ability to meet
their obligations to policyholders. An insurer shall adopt sound and appropriate governance practices and
procedures to support its work in a manner that promotes efficient, objective and independent judgment and
decision-making.
The directive is based on the Three Lines of Defence model, which is emerging as the best
practice standard for the positioning of key control functions within an underwriter.
The three lines of Defence Model
The three lines model below illustrates the different positioning of the different functions in an
underwriter’s structure for effective governance.
First Line of Defense – Management
The first line of defence lies with the business and process owners. Operational
management is responsible for maintaining effective internal controls and for executing
risk and control procedures on a day-to-day basis.
As a first line of defence, operational management, has ownership, responsibility, and
accountability for running the affairs of the underwriter, including designing and
implementing internal control measures, assessing, controlling, and mitigating the risks
faced by an underwriter.
The first line of defence (functions that own and manage risks) is formed by managers
and staff who are responsible for identifying and managing risk as part of their
accountability for achieving objectives. Collectively, they should have the necessary
knowledge, skills, information, and authority to operate the relevant policies and
procedures of risk control. This requires an understanding of the company, its objectives,
the environment in which it operates, and the risks it faces.
Second Line of Defense – Risk Management and Compliance
The second line supports management to help ensure risk and controls are effectively managed. Management establishes various risk
management and compliance functions to help build and/or monitor the first line-of-defense controls. Typical functions in this second
line of defense include:
• “A risk management function (and/or committee) that facilitates and monitors the implementation of effective risk
management practices by operational management and assists risk owners in defining the target risk exposure and
reporting adequate risk-related information throughout the organization.
•A compliance function to monitor various specific risks such as noncompliance with applicable laws and regulations. In
this capacity, the separate function reports directly to senior management.
•A controllership function that monitors financial risks and financial reporting issues.”
Management establishes these functions to ensure the first line of defense is properly designed, in place, and operating as intended. The
second line of defense serves an important purpose but because of their management function, they cannot be completely independent.
The second line of defence (functions that oversee or that specialise in compliance or the management of risk) provides the
policies, frameworks, tools, techniques and support to enable risk and compliance to be managed in the first line, conducts monitoring
to judge how effectively the first line is doing it, and helps ensure consistency of definitions and measurement of risk.
As a second line of defence, the risk management function facilitates and monitors the implementation of effective risk management
practices by operational management and assists the risk owners in the management of all material risks. Compliance is responsible for
ensuring implementation of the necessary procedures to comply with legal and other obligations, both internal and external to the
insurer. The actuarial function provides assurance to the board of directors and management regarding the accuracy of the calculations
and the appropriateness of the assumptions underlying the premiums, insurance liabilities and the capital adequacy requirements.
Third Line of Defense – Internal Audit
The third line of defence provides assurance to senior management and the board that the first and second lines’
efforts are consistent with expectations. The main difference between this third line of defence and the first two
lines is its high level of organizational independence and objectivity. Internal Audit may not direct or
implement processes, but they can provide advice and recommendations regarding processes. Additionally,
Internal Audit may support enterprise risk management but may not implement or perform risk management
other than inside of its own function. Internal auditors accomplish their objectives by bringing a systematic
approach to evaluating and improving the effectiveness of risk management, control, and governance processes.
As a third line of defence, the Internal Audit Function will, through a risk based approach, provide assurance to
the underwriter’s board and senior management, on how effective the underwriter assesses and manages its
risks, including the manner in which the first and second lines of defence operate. This assurance task covers all
elements of an underwriter’s risk, compliance, and actuarial management framework i.e. from risk
identification, risk assessment and response to communication of risk related information (throughout the
underwriter and to senior management and the board.)
The third line of defence (functions that provide independent assurance) is
provided by internal audit. Sitting outside the risk management processes of the
first two lines of defence, its main roles are to ensure that the first two lines are
operating effectively and advise how they could be improved. Tasked by, and
reporting to the board / audit committee, it provides an evaluation, through a risk-
based approach, on the effectiveness of governance, risk management, and
internal control to the organisation’s governing body and senior management. It
can also give assurance to sector regulators and external auditors that appropriate
controls and processes are in place and are operating effectively.
Risk Net Ranking top 10 Operational risks 2022
Risk                  2022  2021
IT disruption            1     1
Theft and fraud          2     4
Talent risk              3     –
Geopolitical risk        4     9
Information security     5     2
Resilience risk          6     3
Third-party risk         7     5
Conduct risk             8     6
Climate risk             9     –
Regulatory risk         10     7
Baker McKenzie partnered with Risk.net in its annual ranking of the top operational risks for
2022. The report is based on interviews and in-depth discussions with 100 chief risk officers,
heads of operational risk and senior practitioners at financial services firms, including banks,
insurers, asset managers and infrastructure providers.
The top ten risks identified for 2022 are:
1. IT disruption
2. Theft and fraud
3. Talent risk
4. Geopolitical risk
5. Information security
6. Resilience risk
7. Third-party risk
8. Conduct risk
9. Climate risk
10. Regulatory risk
1. IT Disruption
Ukraine is a salient reminder of the omnipresent danger of state-sponsored cyber attacks that aim to disrupt
and disable IT systems. As banks brace for an escalation in hacking attempts from Russia-linked groups, op
risk managers have never been more aware of the hazards posed to their institutional infrastructure by
malevolent actors. Last year marked the first anniversary of the devastating Russian hack of SolarWinds,
which is thought to have compromised US government servers as well as banks and other financial
institutions. Among respondents to this year’s Risk.net survey of top op risks, an op risk manager at a
Japanese bank says the thought of business disruption due to successful cyber attacks on financial market
infrastructures or domestic internet service providers keeps him awake at night. The head of cyber risk at a
European bank says he also fears IT disruption from extreme cyber attacks or outages beyond his control. And
his views echo those of the largest US banks, which voiced their fears to Congress in May. Perhaps the danger
of disruption is perennially top of mind for risk managers precisely because potential threats come from such
a vast, amorphous number of sources. Concerns expressed this year range from faulty cables and backdoor
threats in the Internet of Things through to runaway algorithms inflicting losses as banks explore ever more
complex forms of machine learning in internal modelling. Hardware failures can have unexpected
ramifications, as those affected take desperate remedial action. In January, Risk.net blew the lid on a dispute
that emerged over vendor strategy at DBS after it suffered a critical outage on its trading systems at the height
of the Covid market panic. New dangers on the horizon include the prospect that quantum computing could
decode the current cryptography protecting data and other assets.
2. Theft and Fraud
Theft and fraud risk jumps several places this year, to second – perhaps owing as much to the bulk of
last year’s largest op risk losses emanating from huge external frauds as to the current state of roiling
markets and their propensity to drive episodes of internal fraud. Banks have good reason to fear a wave
of ransomware attacks emanating from Russian state-sponsored cyber criminals targeting the theft of
funds from banks and their clients. The FBI notes a strong correlation between economic sanctions and
an increase in cyber theft with the aim of replenishing national coffers. “The events in Ukraine have
increased the likelihood of a sovereign state [cyber] attack, in retaliation for our retaliations,” says one
veteran op risk practitioner. “Clearly, firms are constantly under cyber attack: there are nation states and
criminal gangs trying to breach firms’ cyber security, with stealing information or stealing funds in
mind.” The single largest loss in 2021 occurred in a commodities market that Russia’s invasion has sent
into a tailspin – but the source of the loss was more mundane. It featured an alleged elaborate
investment fraud centred on nickel trading in Singapore. In March 2021, the Monetary Authority of
Singapore cited firms in the Envy Group – Envy Asset Management and Envy Global Trading – for
their part in an investment fraud that amounted to $1.23 billion. What banks and asset managers fear
most in such cases is malicious external actors benefiting from inside help – something new hybrid
working models make more likely, senior practitioners fear. “We don’t know some of the impacts on
behaviours when massive organisations adopted a work-from-home model,” says a senior op risk
manager at one UK bank. “It’s not so much that fraud is [more likely] during homeworking, it’s more
when people work from home, your controls may not be as effective as having people in the office.”
3. Talent Risk
Talent risk re-enters the top 10 op risk list this year in explosive fashion, rocketing all the way to third place amid a fight
for talent on Wall Street that’s driving up pay and bonuses, against a backdrop of roiling markets, record profits, fears of
burnout, and a need to attract and retain staff with wanderlust. In a period when several of the world’s largest banks and
fund managers have seen veteran chief risk officers hang up their spurs, it’s small wonder that the head of op risk at one
large US buy-side firm says “human capital” is now one of his shop’s biggest concerns for the year ahead. Failure to
manage it appropriately could leave firms exposed at times of crisis, or widespread staff shortages due to Covid, he adds.
“The competitive environment for talent has never been greater: the ‘great resignation’ means many organisations are
being challenged with retention, attraction and compensation of employees,” he tells Risk.net. The trend also extends to
quant finance graduates, where starting pay among the top schools is rocketing amid a fight for the best and brightest –
something one master’s programme director attributed to Goldman Sachs’s move to offer students higher starting
salaries, which other dealers, including Morgan Stanley, were then forced to match. “For me, the talent demand is
inevitably a cost driver,” says a senior op risk manager at a UK bank. “You clearly seek to be comparable from a
compensation and benefits perspective, and put in place various plans for both retention and replacement – but every firm
has [a] common management approach to recruiting and retaining talent.” But the risk is twofold: firms of all stripes say
there simply aren’t enough skilled employees to fill open vacancies in certain critical functions, particularly in first-line
risk controls: that leaves open the danger that a “skills shortage leads to weak oversight of business operations,
[particularly in] risk compliance personnel”, says a senior risk manager at a Japanese bank. Even the official sector is not
immune: the Financial Times reported in December that the UK’s Financial Conduct Authority was calling in consultants
and external lawyers to fill staffing gaps, as it struggled to fill some 500 vacancies out of a total staff of 4,000. Rapidly
evolving regulatory and stakeholder pressures in areas such as climate risk can also create shortages amid pressure for
specialised talent and the need to reassign staff from other functions. One veteran op risk practitioner says turnover
among key functions is their top op risk for the year ahead: “Demand for staff with specialised experience and technical
4. Geopolitical Risk
Russia’s invasion of Ukraine, with its unpredictable and far-reaching effects, poses a
complex threat to the operations of financial firms. The chief risk officer at a large European asset
manager succinctly sums up the impact of the conflict on his firm’s operational risk profile: “We have
[an invasion] in Europe. Not just small blips: things that move our business entirely.” The conflict
propels geopolitical risk into the top five operational risks for the first time since 2017, when Donald
Trump’s presidential election victory and the UK’s decision to leave the European Union brought
politics to the forefront of risk managers’ attention. Geopolitical events pose direct and indirect risks
for financial firms. Direct risks include the financial or physical consequences from nation state actors
themselves. Indirect risks are the propensity for losses caused by mis-steps or malfeasance amid the
economic chaos that follows. In the case of the Russian invasion of Ukraine, concerns centre on
supply chain failures and the effect on the global economy as energy and commodity prices spiral.
The headline risk of a rise in state-sponsored cyber attacks in response to sanctions is “a probability”,
says one head of cyber risk. Banks and other key financial institutions are among a range of natural
targets for such activity. The day before Russia’s invasion, Ukrainian companies were affected by
malware believed to have originated from Russia. However, the impact of global instability has wider
potential ramifications for the threat profile of banks. “Geopolitical risk has a cyber element, but also
supply chain and resilience elements too,” the risk head says. Within hours of Russia’s invasion, the
country was the subject of sweeping sanctions by the US, EU, UK, Japan and other countries.
5. Information Security
Information security risk slips to fifth place in this year’s top 10 operational risk
survey, having ranked second (as ‘data compromise’) in both the 2021 and 2020 editions. Risks that
were evident during the Covid-19 pandemic – including a rise in phishing attacks designed to exploit
cyber vulnerabilities of home workers – have largely abated for financial firms. However, these tech-
related risks have given way to another type of threat following Russia’s invasion of Ukraine.
Respondents to this year’s survey, speaking before the February 24 invasion, told Risk.net that a
conflict would have significant implications for information security risk. Sanctions against Russia have
raised the prospect of retaliatory hacking attempts by entities sympathetic to the Russian state. Bank
risk managers are focusing on how to protect the data that the institution holds, rather than plugging
every possible entry point for attackers. Any data that is compromised must be quickly reinstated.
“We tend to think of cyber as intrusions and vulnerability. But the greater impact is how we deal with
data that’s been compromised and how we restore it,” says an op risk executive at a large US financial
institution. Companies that experience data breaches usually see long-lasting impact. Hackers often
try to install programs that allow backdoor access long after the initial breach has occurred. Firms
need to detect and patch such vulnerabilities in the infrastructure. As the head of cyber risk at one of
the world’s largest banks puts it, the focus is on making sure that the firm’s “defence mechanisms”
are up to scratch, and that its risk and control frame
5. Operational Resilience
Operational resilience – the ability to maintain critical business activities during a disruption – has been sorely tested since the start
of the pandemic. Now, it is being put to the test once again, as the world nervously watches the unfolding horror in eastern Europe. Large-
scale cyber attacks – or very real ones – are among the threats keeping resilience teams awake at night. “It’s moving so quickly,” says the
head of enterprise risk at a US investment firm. “Ukraine has crystallised resilience risk. With all the sanctions in place, we must take risk-
based decisions on that basis. We’re having to manage that risk as we speak.” The invasion of Ukraine has underlined the importance of
maintaining resilient systems, but also the people and processes that maintain them, one senior market data manager at a European
bank notes. “As a result of nearshoring efforts, a significant number of banks have a lot of their back offices in places adjacent to Ukraine:
Poland, Estonia, Romania, Hungary. It’s something you don’t [usually] pay attention to,” he adds nervously.
The UK Prudential Regulation Authority’s operational resilience principles require businesses to identify their key services and set
impact tolerances – the maximum disruption the service could withstand without causing “intolerable harm” to clients or, in the case of
larger firms, without posing systemic financial risk. The deadline for setting impact tolerances is March 31. Businesses will then have
exactly three years to show the regulator that they can remain within those tolerances. “The PRA is very proactive,” says the head of
enterprise risk. “Operational resilience in the UK is likely to spread to the rest of the world. You’re losing staff, and meanwhile there’s
regulatory pressure to do more. That puts pressure on resources.” The US Federal Reserve’s own resilience principles require firms to
identify risks pertaining to business continuity, as well as recovery and resilience planning. The firms then have to incorporate these risks
into “severe but plausible” scenarios outlining the impact of risk events on their critical operations and core business lines. Rather than
prescribing scenarios, the Fed expects each firm to design its own scenarios that can then be used to test the business’s tolerance for
disruption. “We need to increase tabletop exercises and rethink continuity management,” says an operations executive at a US bank. “We
need to create better connectivity to bring alignment with respect to critical applications and critical third parties.” The impact of the moves
by the UK and US regulators is being felt throughout the financial services industry, where business continuity teams are making the
transition into becoming resilience teams. These new teams are being challenged to think more broadly and to come up with precise
measures of resilience, such as the time needed to get systems up and running after an outage and the maximum level of acceptable data loss.
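The impact-tolerance and scenario-testing approach described above, as an added example in Python that is not part of these notes or of any regulator’s material: critical services are registered with an impact tolerance, each “severe but plausible” scenario outcome is assessed against it, and the services that breach tolerance in any scenario are listed for remediation. Service names, tolerance figures and scenario outcomes are constructed for illustration; the three measures (outage time, data-loss window, failed-transaction backlog) mirror the recovery-time and acceptable-data-loss measures the text mentions.

```python
"""Impact-tolerance check for severe-but-plausible scenarios.

Added example, not part of the lecture notes: it models the approach described
in the text (identify critical services, set impact tolerances, test scenarios
against them) using constructed data. Every service name, tolerance value and
scenario outcome below is made up for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass(frozen=True)
class ImpactTolerance:
    """Maximum disruption a critical service can sustain before harm becomes intolerable."""
    service: str
    max_outage_minutes: int        # longest acceptable time to get the service running again
    max_data_loss_minutes: int     # largest acceptable window of lost recent data
    max_failed_transactions: int   # largest acceptable backlog of failed customer transactions


@dataclass(frozen=True)
class ScenarioOutcome:
    """Result of one scenario for one service, estimated in a tabletop exercise or observed in a test."""
    scenario: str
    service: str
    outage_minutes: int
    data_loss_minutes: int
    failed_transactions: int


@dataclass
class Finding:
    """Tolerance breaches for one scenario/service pair; an empty list means within tolerance."""
    scenario: str
    service: str
    breaches: list[str] = field(default_factory=list)

    @property
    def within_tolerance(self) -> bool:
        return not self.breaches


def assess(outcome: ScenarioOutcome, tolerance: ImpactTolerance) -> Finding:
    """Compare each measured impact against the corresponding tolerance."""
    finding = Finding(outcome.scenario, outcome.service)
    checks = [
        ("outage", outcome.outage_minutes, tolerance.max_outage_minutes, " min"),
        ("data loss", outcome.data_loss_minutes, tolerance.max_data_loss_minutes, " min"),
        ("failed transactions", outcome.failed_transactions, tolerance.max_failed_transactions, ""),
    ]
    for name, measured, limit, unit in checks:
        if measured > limit:
            finding.breaches.append(f"{name}: {measured}{unit} exceeds tolerance of {limit}{unit}")
    return finding


def run_scenarios(tolerances: dict[str, ImpactTolerance],
                  outcomes: list[ScenarioOutcome]) -> list[Finding]:
    """Assess every outcome; a service with no tolerance set is a process failure, so fail loudly."""
    findings = []
    for outcome in outcomes:
        if outcome.service not in tolerances:
            raise KeyError(f"no impact tolerance set for service {outcome.service!r}")
        findings.append(assess(outcome, tolerances[outcome.service]))
    return findings


def services_outside_tolerance(findings: list[Finding]) -> set[str]:
    """Services that breached tolerance in at least one scenario: these need a remediation plan."""
    return {f.service for f in findings if not f.within_tolerance}


# Constructed sample data (illustrative only; not from any real firm).
SAMPLE_TOLERANCES = {
    "retail payments": ImpactTolerance("retail payments", 120, 15, 1000),
    "online banking": ImpactTolerance("online banking", 240, 60, 5000),
}
SAMPLE_OUTCOMES = [
    ScenarioOutcome("data centre power loss", "retail payments", 90, 5, 400),
    ScenarioOutcome("ransomware on core banking platform", "retail payments", 480, 120, 9000),
    ScenarioOutcome("nearshore back office unavailable", "online banking", 300, 0, 200),
    ScenarioOutcome("cloud provider regional outage", "online banking", 200, 30, 1000),
]

if __name__ == "__main__":
    for finding in run_scenarios(SAMPLE_TOLERANCES, SAMPLE_OUTCOMES):
        status = "within tolerance" if finding.within_tolerance else "; ".join(finding.breaches)
        print(f"[{finding.scenario}] {finding.service}: {status}")
```

Raising on a service with no tolerance is deliberate: the regulatory sequence is identify services first, then set tolerances, then test, so an untested assumption should stop the exercise rather than be silently skipped.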
3rd Party Risk
Universal banks are the equivalent of the Swiss army knife, offering something to everyone. But even the
largest rely on outside help to provide some of their services. In fact, the bigger the bank, the more third-party
relationships it tends to have. And third parties bring extra risks. European Union regulators have stressed the
importance of third-party risk management to a company’s operational resilience. They note that it is hard for a firm to
demonstrate thorough and proportionate risk management when it has outsourced a large number of operational tasks.
New guidance proposed by US prudential regulators also makes it clear that although banks can outsource
administration of their operations, they cannot outsource the risks. Instead, they need to establish sound risk
management practices for overseeing external providers. These should be commensurate with the criticality of the
services provided by the third parties. However, the proposed guidance does not distinguish between different types of
third-party services. As an example, cyber-security experts say the use of cloud providers presents unique risks, including
disruption from key supply chain entities and potential concentrations with individual providers. “Concentration risk and
the ability to transfer at short notice to another provider are a major concern,” says a senior operational risk executive at
a European bank. A key problem with shifting services to the cloud is that a grey area often exists in the functions that
banks will continue to perform in-house and those that are outsourced to the cloud provider. Any uncertainty in the
delineation of responsibilities between bank and vendor can lead to costly mistakes in how systems are set up. It can also
spark lengthy contract renegotiations. A typical area of confusion is in the shared-services model. Here, the cloud vendor
is responsible for security of the underlying architecture, while the customer must ensure that its own systems are
configured securely within the cloud. Customers often misunderstand this dynamic, vendors complain. Cracks in the
relationship between bank and vendor can open the way for cyber breaches and expensive losses of data. Banks are
asking US regulators to provide more detailed guidance on the risks posed by these providers, including ‘the big three’:
Amazon Web
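The shared-responsibility split described above, as an added example that is not from the notes, a regulator or any cloud vendor: the provider secures the underlying platform, so this small audit covers only the settings that stay with the customer (public-access block, encryption at rest, and the resource policy), showing a weak bucket configuration beside a hardened one. The bucket records and policy documents are constructed to resemble an AWS S3 bucket and its resource policy; the bucket name, role name and account id are placeholders.

```python
"""Customer-side cloud configuration check for the shared-responsibility split.

Added example, not part of the lecture notes or any vendor's tooling. The
checks cover only what remains the customer's job under the shared model:
the bucket's public-access block, its default encryption and its resource
policy. Bucket names and the account id are placeholders.
"""
from __future__ import annotations

from typing import Any


def principal_is_anyone(principal: Any) -> bool:
    """True when a policy statement applies to every principal (anonymous access)."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS", [])
        values = aws if isinstance(aws, list) else [aws]
        return "*" in values
    return False


def statements(policy: dict | None) -> list[dict]:
    """Normalise the Statement field, which may be a single object or a list."""
    if not policy:
        return []
    raw = policy.get("Statement", [])
    return raw if isinstance(raw, list) else [raw]


def public_allow_statements(policy: dict | None) -> list[dict]:
    """Allow statements open to any principal with no Condition narrowing them."""
    return [s for s in statements(policy)
            if s.get("Effect") == "Allow"
            and principal_is_anyone(s.get("Principal"))
            and "Condition" not in s]


def denies_plaintext_transport(policy: dict | None) -> bool:
    """True if some Deny statement rejects requests made without TLS."""
    for s in statements(policy):
        cond = s.get("Condition", {}).get("Bool", {})
        if s.get("Effect") == "Deny" and str(cond.get("aws:SecureTransport", "")).lower() == "false":
            return True
    return False


def audit_bucket(bucket: dict) -> list[str]:
    """Return the customer-side weaknesses found; an empty list means the bucket passes."""
    findings = []
    if not bucket.get("block_public_access", False):
        findings.append("public access block is disabled")
    if not bucket.get("default_encryption"):
        findings.append("no default encryption at rest")
    for s in public_allow_statements(bucket.get("policy")):
        findings.append(f"policy grants {s.get('Action')} to any principal")
    if not denies_plaintext_transport(bucket.get("policy")):
        findings.append("policy does not deny unencrypted (non-TLS) requests")
    return findings


# Constructed weak configuration: the misunderstanding the text describes,
# where the customer assumes the provider has locked the data down.
WEAK_BUCKET = {
    "name": "example-bank-statements",  # placeholder name
    "block_public_access": False,
    "default_encryption": None,
    "policy": {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": "*",
            "Action": "s3:GetObject",
            "Resource": "arn:aws:s3:::example-bank-statements/*",
        }],
    },
}

# Constructed hardened configuration: same bucket with the customer-side controls in place.
HARDENED_BUCKET = {
    "name": "example-bank-statements",
    "block_public_access": True,
    "default_encryption": "aws:kms",
    "policy": {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {"AWS": "arn:aws:iam::111122223333:role/StatementsReader"},  # placeholder account
                "Action": "s3:GetObject",
                "Resource": "arn:aws:s3:::example-bank-statements/*",
            },
            {
                "Effect": "Deny",
                "Principal": "*",
                "Action": "s3:*",
                "Resource": ["arn:aws:s3:::example-bank-statements",
                             "arn:aws:s3:::example-bank-statements/*"],
                "Condition": {"Bool": {"aws:SecureTransport": "false"}},
            },
        ],
    },
}

if __name__ == "__main__":
    for label, bucket in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(label, audit_bucket(bucket) or ["no customer-side findings"])
```

Note that the Deny statement in the hardened policy is itself addressed to every principal; the audit treats it as a control rather than a weakness because its effect is Deny and it carries a Condition, which is why the check distinguishes effect and condition rather than flagging every `"*"` principal.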
8. Conduct Risk
Conduct risk falls a few places in this year’s top 10 – perhaps owing to a lack of mega fines making it top of mind for
respondents. Publicly reported op risk losses stemming from failings related to clients, products and business practices halved to €5.7
billion ($6.3 billion) last year, and, while losses from internal fraud held steady at €4.8 billion, that tally remains a fraction of the ugly
multi-billion-dollar losses from fines and settlements for wrongdoing witnessed in years past. But op risk managers warily eyeing the
global economy’s slow recovery from Covid and the invasion of Ukraine have seen this movie before. Times of great economic disruption
and physical upheaval are breeding grounds for misconduct – ones that invariably take time to come to light, before the perpetrators can be
brought to book. “We’ve had the pandemic: we’ve had two years of people working from home, doing God knows what – doing what they
might not have been able to do in an open-plan office,” says one veteran op risk executive. “So, I think there is potential for conduct risk
events taking a while to crystallise. If there has been mis-selling, for example, that is unlikely to crystallise in the next 12 months. If it’s
something big, we will see that in two or three years’ time.” The big fear talked of quietly among banks since the early days of the
pandemic is a mis-selling scandal concerning hastily written Covid loans – something many warned regulators about in advance. The
UK’s bounceback loan scheme alone extended nearly £50 billion ($66.7 billion) to borrowers – as much as a 10th of which may have gone
to fraudulent applicants, government auditors estimate. Banks blame the speed at which they were forced to roll out the loans, with many
insisting privately that promises of indemnity made when concerns were aired must now be honoured. Other Covid-era losses are likely to
follow a familiar pattern: rogue trading stemming from front-office staff finding it far easier to collude with one another outside the normal
working environment remains a risk, as do desperate decisions made by people to cover losses amid whipsawing markets. US regulators
are understood to be probing the conduct of banks during their exit of positions from Archegos, the family office that blew up spectacularly
a year ago. The long legacy of the Libor scandal and the ongoing shift to new rate benchmarks continue to pose a risk for banks. Dealers
freely admit they are reliant on clients to self-police when it comes to observing US regulators’ ban on trading most instruments that
reference legacy dollar Libor. Elsewhere in markets, 2021 saw heated debates over the practice of pre-hedging, in which financial firms
attempt to create offsetting positions for client trades before the trade is actually executed, a practice critics describe as akin to frontrunning. The
consequences of such conduct can take a long time to crystallise. Citi, for instance, was struck with a $44.7 million fine by the Securities
and Futures Commission of Hong Kong, which found that Citi staff had repeatedly misrepresented certain stocks to institutional clients to
encourage trading activity as early as 2008, and highlighted “serious and systemic” lapses in the bank’s controls frameworks. The
regulator’s chief executive officer, Ashley Alder, described the firm as home to “a culture of dishonesty”, which “encouraged chasing
revenue at the expense of b
9. Climate Risk
Climate risk appears in Risk.net’s annual survey for the first time this year, as regulators and
financial firms alike attempt to grapple with a daunting gamut of potential op losses stemming
from the physical and economic ramifications of anthropogenic climate change. But while the
former could take years or even decades to crystallise, plenty of the latter are already staring
banks and fund managers in the face. One op risk manager rates the threat of climate litigation
from investors and other stakeholders over claims of greenwashing as significant for his firm in
the next 12 months. The cornerstone of banks’ first line of defence against such losses will be a
strong controls framework. Goldman Sachs, among other banks, is working to hardwire climate
risk controls into its framework – for instance, an otherwise healthy borrower’s business model
becoming challenged by emissions targets or divestment from shareholders – via integrated
assessment modelling and scenario analyses. Once the potential impacts are evaluated – an
evolving process as more firms become subject to disclosures – the bank’s risk teams set
tolerances for key business areas such as lending and financing.
10. Regulatory Risk
Regulatory risk – the risk of noncompliance stemming from the magnitude of changes to rule sets and
supervisory expectations – is a perennial feature of the Top 10. The potential to incur hefty fines and penalties,
not to mention the enormous resources required to stay current with regulations, comes up in nearly every
conversation with op risk managers. European regulatory dissonance on everything from the supervision of central
counterparties to the implementation of Basel III also increases the risk of noncompliance and makes for an overly
complex, needlessly costly operating environment, banks complain. To say nothing of the seemingly permanent
transatlantic schism in supervisors’ attitudes towards internal modelling. Risk managers also cite model risk as a
continuing area of focus by regulators in the wake of the pandemic, when risk models for financial crime and credit
risk were thrown off course because they were unable to anticipate sudden changes in consumer behaviour and the
impact of government stimulus programmes. Managers are struggling to validate their models, especially those
sourced from external providers. “There’s a lot coming from the regulatory front on model bias, with algorithms
having to be documented. That presents challenges because models may be easy to identify, but are very hard to
validate, especially when the product may not be yours,” says the head of enterprise risk at a US financial services
firm. By its nature, regulatory risk is continually evolving: in a regulatory first in December, the UK’s Financial
Conduct Authority sued NatWest in a criminal court for £269.5 million ($360 million), including a fine of £264.8
million, over anti-money laundering oversight failings. The settlement was the fourth-largest loss of the year.
Compliance with a raft of new environmental, social and governance rules has been cited as one of the top regulatory
risks this year (see #8: Climate risk). On the buy side, the chief risk officer of a large European asset manager cites
the EU’s Investment Firm Regulation, which came into force in 2021, as a major headache. The rules could result in
greater regulatory scrutiny of how firms manage various operational risks.
Chapter 5: Risk Resilience
The Basel Committee defines operational resilience as “the ability to
deliver critical operations through disruption.” The impact of COVID-19
has shown that while capital and liquidity requirements have improved
banks' ability to absorb financial shocks, more work is needed to
strengthen their ability to absorb operational risk-related events.
Operational resilience is defined as “the ability of an organization to
deliver critical operations through disruption. This ability enables an
organization to identify and protect itself from threats and potential
failures, respond and adapt to, as well as recover and learn from disruptive
events in order to minimize their impact on the delivery of critical
operations through disruption.”
Businesses today must take a new approach to operational resilience so that they can be
more adept at anticipating disruptive events and agile in responding to and recovering
from them.
In a world where risks and compliance requirements rapidly expand and evolve, it’s not
a question of if there will be a disruption to your services, systems or processes
but when.
An organization that improves its approach to operational resilience can greatly
minimize its risk when business disruptions occur. That includes external disruptions
such as natural disasters, extreme weather conditions and far-reaching medical crises. It
also includes internal disruptions such as system outages.
Until quite recently, operational resilience was developed with a risk-avoidance mindset.
It was focused on the likelihood of a particular type of disruption occurring, then
planning accordingly for that. Given finite resources, disruptions that seemed relatively
unlikely to occur were considered low risk and might not be planned for at all.
All players in the organization are engaged in the process of complete business recovery, as depicted in the figure below. The recovery
may be from a natural disaster, ransomware attack, power outage or fire, among other possible risks. Regardless of the crisis, an
operational resilience framework includes all necessary departments.
The operational resilience framework
Given all this, what should organizations do to improve their approach to operational resilience? We’ve developed a
framework that identifies 12 management disciplines that can be grouped together in different ways to ensure appropriate
operational resilience responses for different risks. The core solutions and services that are available as part of the
operational resilience framework combine multiple components of the enterprise technology stack, including
applications and security. You don’t have to tackle implementing these disciplines all at once. But together, they can enable
and strengthen your organization’s operational resilience.
Currently, for many organizations, operational resilience is at the top of the agenda of the Board and senior
management. The COVID-19 pandemic clearly showed how vulnerable societies and organizations can be to
unexpected and unforeseen events.
The pandemic is just one example of an event that can disrupt critical operations and businesses, leaving them fragile and,
eventually, liable to collapse. Cybercrime threats, climate change events, technological changes and geopolitical
developments are just a few other examples of potential sources of disruption. Regulators have realized that a range of
potential disruptive events cannot be prevented and are exploring ways of guiding financial institutions to improve their
operational resilience.
The business functions closely associated with operational disruption response are all interlinked. Each has a stake in an
organization's ability to recover from a disruptive incident. These business activities are the work of the following teams:
• Business continuity. Gathers data from all business units and understands the criticality of each unit, the technology
requirements and the timeliness of recovery activities.
• IT disaster recovery. Coordinates the recovery and resumption of all IT systems and related technologies following an
event.
• Incident management. Performs the initial analysis of a potentially disruptive event, makes decisions regarding employee
safety, and communicates with emergency teams, senior management and business unit leaders on the initial status of the
event.
• Crisis management. Coordinates long-term activities of business units, senior management, health management for injured
employees, communications with external organizations and families, and engages other teams.
• IT/telecoms technology. Collaborates with the DR team to ensure all hardware, software and networking resources are
effectively managed and repaired.
• Facilities management. Protects the physical facilities for the company, such as buildings, HVAC systems, and power and
water supplies.
• Physical security management. Ensures physical access into company locations is guarded.
• Cybersecurity management. Protects the company from external or internal access breaches to critical systems, networks
and data. Attacks can come via hackers, phishing schemes, viruses and ransomware attacks.
The operational resilience framework’s 12 disciplines and the actions they enable:
• Continuity management: Analyze business impacts, set return-to-work tactics
• Corporate incident response: Manage health, safety and environmental risks, proactively mitigate risk
• Crisis management and communications: Orchestrate response plans, achieve a 360-degree view of the current crisis status
• Critical enterprise assets: Discover, map and apply governance to key assets
• Cyber and information security: Respond and recover from attacks
• Governance, audit and compliance: Continuously monitor compliance, apply industry guidelines
• IT disaster recovery: Minimize the impacts, structure and test recovery plans
• Operational risk management: Identify and assess business risks, monitor and minimize issues
• Organizational behavior: Drive and measure effective attitudes and practices
• People and culture: Encourage an operating model for resilience
• Service operations: Assure operational excellence and efficiency
• Supply-chain management: Manage vendor risk, assure continuity
The End

God Bless !!!