
MetricStream

Operational Risk Management (ORM)


Roadmap to Advanced Measurement Approach (AMA)
and Better Business Performance
in Banks and Financial Institutions
Solution Brief
Governance, Risk, Compliance and Quality Management Solutions
Table of Contents
Operational Risk: Changing Face of Compliance
Challenges in Managing Operational Risk
Building an Operational Risk Framework
Business Benefits: Moving Beyond Compliance
MetricStream Solution for ORM
Roadmap to Advanced Measurement Approaches (AMA)
References
Operational Risk: Changing Face of Compliance
Banks and financial institutions are undergoing a sea change and today face an environment marked by
growing consolidation, rising customer expectations, increasing regulatory requirements, proliferating
financial engineering, rapid technological innovation and mounting competition. This has increased the
probability of failure or mistakes from the operations point of view, resulting in an increased focus on
managing operational risks.
Operational risk losses have often led to the downfall of financial institutions, with more than 100 reported
losses exceeding US$100 million in recent years. The regulators of financial companies and banks are
demanding a far greater level of insight and awareness by directors about the risks they manage, and the
effectiveness of the controls they have in place to reduce or mitigate these risks. Further, compliance
regulations, like Basel II and SOX, mandate a focus on operational risks, forcing financial organizations to
identify, measure, evaluate, control and manage this ubiquitous risk. This has led to an increased emphasis on
the importance of having a sound operational risk management (ORM) practice in place, especially when
dealing with the internal capital assessment and allocation process. This makes ORM one of the most complex
and fastest growing risk disciplines in financial institutions.
Alan Greenspan, Chairman of the Federal Reserve, held at the American Bankers Association Annual
Convention on October 5, 2004: "It would be a mistake to conclude that the only way to succeed in
banking is through ever-greater size and diversity. Indeed, better risk management may be the only truly
necessary element of success in banking."
Old perceptions and behaviors toward risk are changing. ORM
is acquiring new credibility as a roadmap to add value to the
business; and is garnering new attention from regulators and
key stakeholders.
A recent Chartis Research report [1] on ORM systems suggests that the worldwide financial services ORM
market will continue to grow, reaching a total value of $1.55 billion by 2011. This indicates a growing
concern among banks and financial institutions for managing their operational risk. The report has
three main findings:
- Many US and European financial institutions continue to replace their first generation ORM systems -
largely due to inflexible and rigid product design and the ongoing evolution of ORM methodologies.
- Some market segments, such as emerging regions (e.g. Middle-East, Asia-Pacific, South America), and
vertical sectors (e.g. insurance, asset management) have begun investing in formal and sophisticated ORM
systems.
- Average investment in ORM projects is increasing, as more and more financial institutions are focusing on
ORM's strategic business benefits.
Additionally, the report claims financial institutions working on the demand side of the market are
re-examining their approach, culture and systems for managing operational risk.
Basel II and Operational Risk: Operational risk is as old as the banking industry itself and yet the
industry has only recently arrived at a definition of what it is. Operational risk is defined by the Basel
Committee on Banking Supervision (2006) as: "the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events." This definition includes legal risk but excludes
strategic and reputational risk.
There are two main drivers for this development. First, there is a growing acknowledgement from banks that
a consistent and effective operational risk management framework can help them achieve organizational
objectives and superior performance. For example, by including a well-constructed operational risk process
in the entire value chain, a bank can help ensure that the risks inherent in those activities are understood and
addressed. In many instances an early involvement of operational risk management can increase the
development speed of new initiatives. The second key development is the launch of the Basel II Capital Accord
(the New Accord) by the Basel Committee for Banking Supervision, which requires banks to set aside
regulatory capital for operational risk - an important development that has affected most financial services
institutions worldwide. One of the major improvements in Basel II is that it ensures closer linkages between
capital requirements and the ways banks manage their actual risk. As summed up by one of the U.S. regulators,
"The advanced approaches of Basel II represent a sea change in how banks determine their minimum level of
required capital for regulatory purposes." It intends to better align regulatory capital with inherent risks
and banks' internal economic capital.
The advanced approach for measurement of operational risk requires economic capital to be calculated
based on banks' own operational risk management and measurement techniques. It is imperative to strengthen
the soundness and stability of operational risk management practice by employing the Advanced Measurement
Approach (AMA), in order to ensure that it does not become a significant source of competitive inequity over
rival banks and financial institutions. Further, AMA fosters a risk-sensitive environment and promotes
efficiency in managing risk. The road ahead should lead to the Advanced Measurement Approach (AMA) as
described under the Basel II accord.
[Figure 1: Operational Risk Management Approaches. The Basic Indicator Approach, Standardized Approach and
Advanced Measurement Approach are placed between passive banks and active banks, against Risk Sensitivity
(Low to High) and Capital Charge (High to Low).]
To comply with the accord, banks are making significant investments to improve their internal risk
processes, data infrastructure, and analytical capabilities. Firms focused on competing effectively are
already incorporating many elements of the Basel II requirements into their risk and capital management
practices, as a blueprint for improved growth and profitability.
As a result, Basel II compliance programs offer a rare opportunity to rethink the way banks approach risk
measurement and management, and to look again at how risk measures can be integrated with each other and
with management's approach to running the business. Susan Schmidt Bies [2], one of the U.S. regulators,
stressed, "The emphasis in the new Accord on improved data standards should not be interpreted solely as a
requirement to determine regulatory capital standards, but rather as a foundation for risk management
practices that will strengthen the value of the banking franchise."
Although Basel II compliance opens up many strategic opportunities to leverage improved data standards and
risk management practices, it also poses many implementation challenges. The next section highlights the
major challenges in successfully implementing ORM.
Challenges of Managing Operational Risk
Ernst and Young's Global Basel Survey in 2006 indicates that senior banking executives are beginning to
appreciate the long term business impacts of Basel II on their organizations and the banking industry as a
whole. It suggests a realization that Basel II adoption is a growing imperative in order to succeed in the
competitive race. About 89% of the participants in the survey believed that the banks with robust risk
infrastructures will have a competitive advantage over others.
Reference: http://www.ey.com/Global/Assets.nsf/International/Basel_II_Survey_Report_2006/$file/EY_GFSRM_Basel_II_Survey2006.pdf
The discipline of operational risk is at a crossroads. Despite the industry's efforts to control operational risk,
institutions still have much work to do. Risk managers are grappling with questions like, "How does the
discipline add value to my organization?"; "What do the advanced measurement approach's (AMA) modeling
techniques say about the operational risks my firm is facing?" or "What is the strategic role of operational
risk that my firm should adopt?". Let's take a look at some of the unique challenges that ORM brings:
- Rising Costs of Compliance: Development of an ORM model as part of a regulatory and economic
capital framework is complex and takes time. There is general agreement that the major ORM
challenge is the escalating cost of compliance.
- Access to Appropriate Information and Reporting: Effective management of operational risk requires
diverse information from a variety of sources, including, for example, risk reports, risk and control
profiles, operational risk incidents, key risk indicators, risk heat maps, and rules and definitions for
regulatory capital and economic capital reporting.
- Development of Loss Databases: A well-structured operational risk framework requires development of
business-line databases to capture loss events attributable to various categories of operational risk. Basel
II specifically requires a minimum of three years of data for initial implementation and ultimately five
years for the Advanced Measurement Approaches (AMA). The need for historical data (including external
data) has been a cause of concern for many enterprises.
- Lack of Systematic Measurement of Operational Risk: Many enterprises hold that their institutions are
measuring operational risk. However, very few of them have been able to complete the Basel II
quantification requirements, and many have yet to formalize the measurement process around the Basel II
framework.
- Implementing ORM systems: Amid regulatory efforts to revamp the industry's immunity to operational
risk, and its implications for efficient financial intermediation, many organizations are looking to go
beyond traditional siloed approaches and implement a consolidated ORM framework across the entire
value chain. Development of an ORM model as part of a regulatory and economic capital framework,
however, is complex and takes time. Some banks may either still be struggling with the requirements of
the "Sound Practices for ORM" BIS paper, which spells out how to introduce ORM principles, or may not
yet have in place the required governance or framework. Factors like a lack of understanding of upcoming
technology regarding operational risk management, failure to get the top management to focus on the
benefits of the program, improved productivity and quality, as well as on loss reduction, and a lack of
meaningful and timely data across business units and product lines make the implementation of an ORM
system all the more formidable.
- Tone at the Top: An effective risk management program starts with "The Tone at the Top" - driven by the
top management and adhered to by the bottom line. However, if a bank's top leaders perceive operational risk
management solely as a regulatory mandate, rather than as an important means of enhancing
competitiveness and performance, they may tend to be less supportive of such efforts. Management and
the board must understand the importance of operational risk, demonstrate their support for its
management, and designate an appropriate managing entity and framework - one that is part of the
bank's overall corporate governance framework.
By adopting an integrated operational risk framework, companies can ensure that all operational risk
management initiatives are sustained and are aligned with the corporate strategy. The next section sheds
light on the essentials of an ideal operational risk framework.
[Figure: Risk Management Cycle, arranged around Risk Management Objectives:
- Identify Risks: analysis of workflows and processes; list risks and causes
- Assess the Risk: assess risk severity; assess risk probability
- Select risk control measures: identify control choices; determine priorities; make control decisions
- Implement risk controls: establish authority and responsibility; define structure; define processes and
procedures; define monitoring infrastructure
- Monitor and Review: monitor process; review processes
- Review of management and measurement processes by internal/external audit]
Building an Operational Risk Framework
Operational risk management is at the core of a bank's operations - integrating risk management practices
into processes, systems and culture. As a pro-active partner to senior management, ORM's value lies in
supporting and challenging them to align the business control environment with the bank's strategy by
measuring and mitigating risk exposure, contributing to optimal return for stakeholders. For instance,
HSBC [3] has invested heavily in understanding customer behavior through new systems initially designed for
fraud detection, which are now being leveraged beyond compliance to support more effective customer service.
The ORM group of an organization keeps its people up-to-date on problems that have happened to other
financial institutions, allowing it to take a more proactive approach. "Our goal is for employees to look at
ORM as a business stakeholder and a shareholder, involving them on all levels and bringing stability into
their jobs," said the senior vice president of the Operational and Compliance Risk Management Group. A noted
financial services company, on the other hand, incorporates its ORM approach as an extension of its business
line and not a separate entity. The company has implemented an operational risk umbrella that encompasses
all aspects of potential risks - bank protection, fraud prevention, key risk indicators, capture of
operational loss data, business line risk oversight and new products and initiatives for data security. Its
Chief Risk Officer says, "We utilize our ORM practices to gain respect and appreciation of all our business
lines by really understanding their issues, and being part of the overall solution."
An award winning Banking Group states that it is focused on the regular monitoring of its operational risk
profiles and material exposures to operational losses - with senior management supporting the proactive
management of operational risks. Its Operational Risk Management department (ORM):
- Carries out risk-audit activities and assessments of operational risks, and prepares recommendations
for risk mitigation.
- Implements a number of tools recommended by the Basel Committee including: internal loss collection and
reporting, key risk indicators, external loss data collection; and control and risk self-assessments.
- Analyzes new products and intra-bank regulations.
- Holds a comprehensive insurance policy, which is designed with ORM participation.
The group has received the Operational Risk Achievement Award for two consecutive years.
What elements should a financial institution consider when developing an analytical framework for
operational risk?
There is no one-size-fits-all approach to ORM as every enterprise follows a framework that is specific to its
own internal operating environment. When asked about the standard ORM framework, a risk expert notes,
"There is no 'standard' standard. Ultimately, the Operational risk framework should not merely be
Basel-compliant; it should also provide the bank with mechanisms for improving overall risk culture and
behavior towards operational risk management. Understanding our risks should lead to better decision making
and reflect in our performance." A robust operational risk management framework is made up of the following
core components:
- Governance: It is the process by which the Board of Directors defines key objectives for the bank and
oversees progress towards achieving those objectives. It defines the overall operational risk culture in
the organization, and sets the tone as to how a bank implements and executes its operational risk
management strategy. A successfully executed risk strategy often results in risk being firmly embedded
in the vision, strategies, tools, and tactics of the organization. Governance sets the precedence for
Strategy, Structure and Execution.
- Strategy: A bank's strategy for operational risk drives the other components within the management
framework and provides clear guidance on risk appetite or tolerance, policies, and processes for
day-to-day risk management.
- Appetite and Policy: An ideal risk management process ensures that organizational behavior is
driven by its risk appetite. Adopting an operational risk strategy aligned to risk appetite leads to
informed business and investment decisions.
- Clear Definition & Communication of Policy: An organization's top management must identify,
assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy
at the board level to focus on managing risk at all levels, and conscious efforts should be made to
ensure that these policies are communicated at all levels and across the entire value chain.
- Periodic Evaluations Based on Internal & External Changes: An ideal risk management process
puts improvement of risk performance on a competitive level with other important mission
concerns - periodically evaluating the ORM performance goals in the light of internal and external
factors. Depending upon the criticality of the internal operating environment and key external factors,
the organization must review the strategic policies inside out.
[Figure 2: Operational Risk Management Framework. Components shown: Governance; Control and Self Assessment;
Key Risk Indicators (KRIs); Loss Data - Internal and External; Issue Management.]
- Structure: When designing the operational risk management structure, the bank's overall risk scenario
should serve as a guideline. This includes initiatives like laying down a hierarchical structure that
leverages current risk processes, developing risk measurement models to assess regulatory and
economic capital, and allocating economic capital vis-à-vis the actual risk confronted. Centralized
aggregation of operational risk information collected via various self assessments across the
organization, further, provides useful insight for the desired hierarchical structure. The implementation of
these concepts allows risk to be handled consistently throughout the organization.
- Execution: Once the operational risk management structure has been established by an organization,
adequate procedures should be designed and implemented to ensure execution of and compliance
with these policies at business line level. The first step includes identification and assessment of
operational risk inherent in day-to-day processes of the bank. After assessment of inherent risk, a target
tolerance limit of risk should be established. This is commonly accomplished by calculating the
probability/likelihood of materialization of risk, by considering the drivers or causes of the risk together
with the assessment of its impact. The results of the risk assessment and quantification process enable
management to compare the risks with its operational risk strategy and policies, identify those risk
exposures that are unacceptable to the institution or are outside the institution's risk appetite, and select
and prioritise appropriate mechanisms for mitigation. Finally, appropriate risk mitigation and internal
control procedures are established by the business units such that residual risk is mitigated to the
acceptable level. Regular reviews must be carried out to analyse the control environment and test the
effectiveness of implemented controls, thereby ensuring business operations are conducted within
acceptable risk limits. Further, it is essential that the top management ensures consistent monitoring and
controlling of operational risk, and that risk information is received by the appropriate people, on a timely
basis, in the form and format that will aid in the monitoring and control. Operational risk metrics or Key
Risk Indicators (KRIs) are established to ensure timely warning is received prior to the occurrence of an
event. The key to effective KRIs lies in setting thresholds at the acceptable level of risk. Execution and
implementation of the Operational Risk framework is key to setting up an effective Operational Risk
environment, ensuring that business is conducted within the appropriate risk tolerance limit.
Business Benefits: Moving Beyond Compliance
As ORM efforts mature, and gain both the support and the confidence of management, they are becoming
increasingly valuable to the business. Perceived initially to support regulatory requirements, these efforts can
be leveraged and aligned with business performance management. To be successful, however, such
alignment must be based on a clear vision of the potential benefits. A few of the benefits are discussed below:
- Identified and assessed key operational risk exposures: ORM enables an organization to identify,
measure, monitor and control the inherent risk exposures of the business at all levels. Elements like Risk
Assessment, Event Management, and Key Risk Indicators play an important role, enabling the
organization to evaluate the risk controls, based on the identified inherent risk, and to measure the
residual risk which remains after the implementation of controls.
- Clarified personal accountabilities, roles and responsibilities for managing operational risks: Clear-cut
specification of roles and responsibilities of personnel regarding risk profile is an imperative part of
implementing an integrated ORM framework. It not only streamlines the risk management process, but
also allows risk managers to better incorporate accountability into the work culture of the organization.
- Evolved and enabled efficient allocation of operational risk capital: With a streamlined risk
management process, efficient allocation and utilization of operational risk capital can be ensured.
- Consistent and timely operational risk management information and reporting capabilities:
Through the development of a well-tailored risk management strategy, a robust ORM system supports
features like role-based dashboards, control diagrams and scorecards that provide visibility into the
ongoing risk management efforts and bring high-risk areas into focus.
- Sustained risk-smart workforce and environment: Application of an ORM framework, in conjunction
with related risk management activities, will support a cultural shift to a risk-smart workforce and
environment in the organization. An essential element of a risk-smart environment is that it ensures that
the organization has the capacity and tools to be innovative while recognizing and respecting the need
to be prudent in protecting its interest.
- Ensured continuous risk management learning: Most business units today acknowledge that
continuous learning is fundamental to more informed and proactive decision-making; and a successful
learning organization must align itself to the businesses it supports. To ensure continuous risk
management learning, these business units are sharing their experience and best risk management
practices - internally and across organizations. This supports innovation, capacity building and
continuous improvement, and fosters an environment that motivates people to learn.
However, successfully navigating the road from compliance to value creation can be daunting without a
roadmap and a clear vision. By taking a holistic approach to ORM, organizations can significantly lower their
risk profile and contribute to their responsiveness in the marketplace - thereby delivering strategic and
operational benefits.
MetricStream Solution for ORM
MetricStream offers the industry's most advanced and comprehensive solution designed to meet the Operational
Risk needs of banks and financial services. The solution is based on an integrated Enterprise Compliance
Platform (ECP) for successfully managing risk and meeting regulatory requirements while lowering the associated
costs that can otherwise be substantial. ECP, a proven infrastructure for building risk and compliance
applications, provides core modules and services to automate and streamline Operational Risk processes.
MetricStream uniquely combines software and content to deliver ORM solutions. Its embedded best practices
content helps define the scope of processes and sub-processes for which risk management needs to be
performed and guides development of control and test libraries. It brings together all risk management
related data - a reusable library of risks and their corresponding controls and assessments, results from
individual assessments, key risk indicators, events such as losses and near-misses, issues and remediation
plans - in a single solution. It also provides other intelligent and content driven features such as access to
training content from an expert community from within the solutions and integration of business processes with
regulatory notifications and industry alerts. Key components of the MetricStream solution for ORM would
include:
[Figure: regions labelled Expected loss, Unexpected loss and Tail Events along an "Amount of loss" axis.
Expected loss is the amount a business should budget to cover its annual cost of operational failure while
unexpected loss is the amount the business ought to reserve as capital.]
R RR RRisk A isk A isk A isk A isk Analy naly naly naly nalysis and R sis and R sis and R sis and R sis and Risk S isk S isk S isk S isk Self A elf A elf A elf A elf Assessmen ssessmen ssessmen ssessmen ssessment: t: t: t: t: The
MetricStream solution for ORM provides a centralized
risk framework to document all risks faced by an
organization. It supports risk assessment and
computations based on configurable methodologies
and algorithms giving an insight into organizations risk
profile enabling the risk managers to prioritize their
response strategies for optimal risk/reward outcomes.
Risk Control Self Assessment (RCSA) forms a core part of
the MetricStream solution. MetricStream's risk self-
assessment capabilities enable organizations to
document and evaluate their risk frameworks, including
processes, risks, events, key risk indicators (KRI) and
controls. Executive-level dashboard and reports provide
visibility into the risk analysis, highlighting key risk
metrics and policy compliance. Business process
automation capabilities provide for real-time event
escalation, automated risk processes and streamlined
remediation of issues and action items.
Control Design and Assessments: Control Design and Assessments: Control Design and Assessments: Control Design and Assessments: Control Design and Assessments: Once the key risks are
identified and prioritized, MetricStream leverages the
operational risk framework to enable companies to
define a set of controls that mitigate those risks. The
solution also allows associated policy and procedure
documents to be attached for reference. The system
supports assessments based on predefined criteria and
checklists and has a mechanism for scoring, tabulating
and reporting results. The repository of all assessments
with an easy search capability ensures that the users can
check to see if a specific control was tested, access the
assessment results and confirm whether it requires a
remedial action plan.
Loss Tracking and Key Risk Indicators (KRIs): With loss
event tracking, risk managers can track loss incidents and
near misses, record amounts, and determine root causes
and ownership. MetricStream provides statistical and
trend analysis capabilities and enables end-users to track
remedies and action plans. Key risk indicators (KRIs)
provide capabilities for tracking risk metrics and thresholds, with automated notification when
thresholds are breached. MetricStream provides facilities for both manual and automatic data inputs
from internal and external data sources.
Issue Management and Remediation: For issues arising from the assessment and auditing processes or
from any other external events such as loss-events, scenario analysis or near-misses, the MetricStream
solution provides seamless issue management and remediation management capabilities. Once issues
are identified, documented and prioritized, a systematic mechanism of investigation and remediation is
set off by the underlying workflow and collaboration engine. The solution supports triggering automatic
alerts and notifications to appropriate personnel for task assignments for investigation and remedial
action.
Internal Audit: The MetricStream solution provides seamless integration with internal audit management
for streamlining the auditing process in the organization. It provides the flexibility to manage a wide
range of audit-related activities, data and processes to support risk management. It supports all types of
audits, including internal audit, operational audit, financial statement audit, IT audits and quality audits.
Advanced capabilities like built-in remediation workflows, time tracking, email-based notifications and
alerts and offline functionality for conducting audits at remote field sites allow organizations to implement the
industry best practices for efficient audit execution and ensure integration of the audit process with the
risk and compliance management system.
Reports and Dashboards: The solution has the ability to track risk profiles, control ownership,
assessment plans, remediation status, etc. on graphical charts that can be accessed globally and display
real-time information. The ability to drill down provides an easy way to access the data at finer levels of
detail. In addition to pre-configured standard risk reports, the system provides flexibility by enabling
stakeholders to configure ad-hoc or scheduled reports to view metrics on a variety of parameters such as
by process, by business units, by status, etc. Quarterly and monthly trending analysis along with the
ability to drill-down into each report and dashboard to see the underlying details enables risk managers
and process owners to stay in constant touch with the ground reality and progress on risk management
programs. Automated alerts for events such as exceptions and failures eliminate any surprises and make
the process predictable.
Roadmap to Advanced Measurement Approaches (AMA)
The MetricStream ORM solution provides a platform for organizations to develop an integrated ORM approach
which can help them qualify for the Basel II AMA approach. The solution implements strategies, methodologies and
risk reporting functionality to identify, measure, monitor, control and mitigate operational risk. It ensures that
the organization's internal systems and controls are credible and appropriate, well reasoned and well
documented, transparent and accessible, and are capable of being validated by internal and external
auditors. Moreover, it provides the capability to ensure that the risk management practices are embedded across
the entire value chain.
The figure below maps MetricStream solution to the qualifying criteria for AMA.
Figure 3: Roadmap to Advanced Measurement Approaches by MetricStream
Qualifying Criteria:
Systematic tracking of 35 years of historic loss data
Sound Operational Risk Management System
Measurement integrated in day-to-day risk management
Review of management and measurement processes by internal/external audit
MetricStream solution capability:
Risk & Control Self Assessment (RCSA)
Key Risk Indicators (KRI)
Loss Event Database
External Loss Data interface
Integrated RCSA & Loss Event Data
Internal Audit
Dashboards & Reports
About MetricStream
MetricStream is a market leader in Enterprise-wide Governance,
Risk, Compliance (GRC) and Quality Solutions for global
corporations. MetricStream solutions are used by leading
corporations such as Pfizer, Philips, American Airlines, NASDAQ,
SanDisk, BP, Entergy, Subway, Fairchild Semiconductor, Hitachi
and TaylorMade-Adidas Golf in diverse industries such as
Pharmaceuticals, Medical Devices, High Tech Manufacturing,
Food & Beverage, Energy and Financial Services to manage
their quality processes, regulatory and industry-mandated
compliance and corporate governance initiatives, as well as by
over a million compliance professionals worldwide via the
ComplianceOnline.com portal.
MetricStream, Inc.
2600 E. Bayshore Road
Palo Alto, CA 94303
Phone: 650-620-2900
Fax: 650-632-1953
info@metricstream.com
Copyright 2010 MetricStream. All rights reserved.
For More Information
about MetricStream GRC and Quality
Management Solutions
please visit www.metricstream.com
