Welcome to

Operational Risk Management

Webinar Series with
Dr. Ariane Chapelle

© 2016 The Professional Risk Managers’ International Association

 Session 2

Risk Management Framework

© 2016 The Professional Risk Managers’ International Association

 Overall Content – Webinar series

• Session 1: Regulation and Governance

• Session 2: Risk Management Framework
• Session 3: Risk Appetite
• Session 4: Risk Assessment
• Session 5: Operational Risk Analysis
• Session 6: Scenario Analysis
• Session 7: Key Risk Indicators
• Session 8: Risk Modelling
© 2016 The Professional Risk Managers’ International Association 3
 POLL QUESTION - 1

• How satisfied are you with your risk management

framework?

a) Very / Mostly satisfied, it is useful and make senses

b) Not entirely happy, we are currently working on it
c) We are planning to change it completely
d) We don’t have one (at least no written one)
e) Other

© 2016 The Professional Risk Managers’ International Association 4

 Content of Session 2

• Chapter 3: The Risk Management Framework (handbook +

other frameworks)
• Essential steps in risk management
• ISO 31000 and other risk management frameworks
• Implementing a framework
• Risk policy and good practice
• Risk Culture

© 2016 The Professional Risk Managers’ International Association 5

 Frameworks
Examples and Ideas

© 2016 The Professional Risk Managers’ International Association 6

 Essentials of Risk Management

Risk Risk
Identification Measurement

To ensure that the

firm can withstand
potential losses
Risk Risk arising from
Monitoring Assessment identified (and
unidentified) risks

Risk
Mitigation

© 2016 The Professional Risk Managers’ International Association 7

 Risk Management Steps

Risk is the effect of uncertainty on objectives

Preventative Incident management /

Controls Corrective Controls
Exposure/Causes, Risks Impacts
due to: • Turning into incidents • Financial, Non financial
• Strategy when materialized
• Environment

© 2016 The Professional Risk Managers’ International Association

 Risk Management Steps and Tools
Risk Management Actions Risk Management Tools

Risk Identification ILD, ELD, Interviews, Workshops

Risk Assessment Exp. Losses – RCSA - Scenarios

Internal Controls & Testing / Bow-tie

Risk Mitigation analysis + preventive action plans

How do you know it works?

Risk Monitoring KPI , KPI , Risk reporting

© 2016 The Professional Risk Managers’ International Association

 ISO 31000: International Standard for
Risk Management
a) Creates value Through
Mandate and Risk
b) Integral part of commitment Appetite
organisational processes (4.2)
Establishing the context
c) Part of decision making (5.3)

d) Explicitly addresses Design of

uncertainty Risk assessment (5.4.2)
framework for

Communication and consultation (5.2)

managing risk
e) Systematic, structured and (4.3)
timely Risk identification

Monitoring and review (5.6)

(5.4.2)
f) Based on the best
available information Continual
Implementing
improvement
risk
g) Tailored of the Risk analysis
management
framework (4.4) (5.4.3)
h) Takes human and cultural (4.6)
factors into account

i) Transparent and inclusive Risk evaluation

(5.4.4)
j) Dynamic, iterative and Monitoring and
responsive to change review of the
framework
k) Facilitates continual (4.5)
improvement and Risk treatment
enhancement of the (5.5)
organisation

Principles Framework Process

(Clause 3) (Clause 4) (Clause 5)

Reproduced from ISO 31000:2009

© 2016 The Professional Risk Managers’ International Association 10

 describe practices that can be applied in different ways for different organizations regardless
-
COSO Revised ERM Framework 2016:
agement and the board that the organization understands and is able to manage the risks
LEVEL 2
associated with the strategy and business objectives to an acceptable level.
“Aligning Risk with Strategy and Performance”
lic Exposure
ISE RISK MANAGE
RPR ME
NTE NT
E

Missio n, Visio n, St rat eg y and Enhanced

and Co re Values Business Ob ject iv es Perfo rm ance

Risk Governance Risk, Strategy, Risk in Execution Risk Information, Monitoring Enterprise
and Culture and Objective-Setting Communication, Risk Management
and Reporting Performance
© 2016 The Professional Risk Managers’ International Association
1. Exercises Board Risk 7. Considers Risk and 12. Identifies Risk 18. Uses Relevant
 COSO Revised ERM Framework 2016:
“Aligning Risk with Strategy and Performance”

Risk, Strategy, Risk in Execution Risk Information, M

and Objective-Setting Communication,
and Reporting

Risk 7. Considers Risk and 12. Identifies Risk 18. Uses Relevant 22.
Business Context in Execution Information
nance 8. Defines Risk Appetite 13. Assesses Severity 19. Leverages 23.
del of Risk Information Systems
9. Evaluates Alternative
Strategies 14. Prioritizes Risks 20. Communicates Risk
haviors Information
10. Considers Risk while 15. Identifies and Selects
mmitment Establishing Business Risk Responses 21. Reports on Risk,
hics Objectives Culture, and Performance
16. Assesses Risk
ability 11. Defines Acceptable in Execution
Variation in Performance
, and 17. Develops Portfolio View
ndividuals

© 2016 The Professional Risk Managers’ International Association

 11 Principles for the Sound
Management of of Operational risk

Revised version, October 2014

© 2016 The Professional Risk Managers’ International Association
 Operational Risk – Benchmarking by BIS

© 2016 The Professional Risk Managers’ International Association

 ORM Framework (Capital One)

REPORTING R
I
G
MEASUREMENT AND MODELLING S
O
K
V
E
A
R
Internal Loss
Risk and
P
N Data Scenario Key Risk
Control Self P
A External Analysis Indicators
Loss Data
Assessment E
N
T
C
POLICIES AND PROCEDURES I
E
T
CULTURE AND AWARENESS E

Source: Philippa Girling,Operational Risk Management, Wiley, 2011.

© 2016 The Professional Risk Managers’ International Association 15

 POLL QUESTION - 2

• Does your risk management framework look like one of the

above?

a) Yes, we follow ISO

b) Yes, we follow COSO (old or new)
c) Yes, approximately like the steps and tools (identification to
monitoring)
d) Yes, approximately like Capital One’s
e) None of the above

© 2016 The Professional Risk Managers’ International Association 16

 Embedding an Invisible Framework
 Make the Framework Invisible , i.e.:
• Adjust to the business and not the other way around
• Slip into what is already existing
• Allocate current risk management actions to the corresponding
parts of the framework
• Avoid jargon outside of the Risk Management function
• Fill the gaps
• Solve problems
• Allow the business to grow (in a safe way)
• Provide technical support
• Make friends
For more detail: A. Chapelle, M. Sicsic, “Building an invisible framework for risk management” , Operational
Risk and Regulation. 13 June 2014.
© 2016 The Professional Risk Managers’ International Association
 Chapter 3:
Risk Management Framework
Risk Capacity

© 2016 The Professional Risk Managers’ International Association 18

 PRMIA Framework Definition
A risk-management framework facilitates dialogue with the governing body
and communicates adequately and articulately to the whole company.
This risk framework includes:
• Risk Capacity: enabling the governing body to understand the level of risk
that the firm’s resources can tolerate;
• Risk Appetite: calibration and expression of risk boundaries
commensurate with the governing body’s comfort level;
• Risk Policies: detailed measurement, identification, and detailed cascade
of the risk appetite;
• Risk Pricing: measurement of adequate return for risk;
• Culture and Incentives: policing of risk appetite.
The first two of these are primarily to engage the governing body and
executive, and the latter elements facilitate engagement of the entire
organization.
© 2016 The Professional Risk Managers’ International Association 19
 not likely to be life threatening to the firm, but since
contained or avoided, their occurrence
Risk Capacity and Impactundermines
Zones con
management.

ORM Handbook, p. 58
© 2016 The Professional Risk Managers’ International Association 20
 Risk Severity Categories

Inevitables
# of Losses • Below a certain level, these losses are a cost ofdistribution
Severity doing business.
• Best understood through historical loss data.
• Absorbed by annual earnings.
Intermediates
• Uncommonly large losses that may exceed annual earnings.
• Best understood through firm and industry large losses.
• Absorbed in part by capital.
Improbables
• Highly unusual and catastrophic losses that may well
exceed multiple years’ earnings.
• Best understood through stress testing, scenarios.
• Absorbed by capital.

Size of Loss

ORM Handbook, p. 73
© 2016 The Professional Risk Managers’ International Association 21
 Chapter 3:
Risk Management Framework
Risk Policy

© 2016 The Professional Risk Managers’ International Association 22

 Risk Policy Framework
• Principles: • Structure:
• Number of policies • Purpose
• Quality of policies • To whom it applies
• Relevance • Policy rules
• Implementation
• Policy guidance
• Simple language
• Reporting requirements
• Coverage:
• Policy owner
• Overarching layer (group
policy) • Exception approval process
• Risk function layer (per risk) • Date of the next review
• Process guide layer (“how to”)

© 2016 The Professional Risk Managers’ International Association 23

 POLL QUESTION - 3

• Are you satisfied with your risk policies?

a) Yes, they are mostly embedded and up-to-date

b) Yes mostly, we just renewed them and about to implement them
c) Mostly not, they need a refresh or to be written
d) No, and it’s a major drag
e) We outsourced the writing of our risk policies (to consultants)

© 2016 The Professional Risk Managers’ International Association 24

 Chapter 3:
Risk Management Framework
Risk Culture

© 2016 The Professional Risk Managers’ International Association 25

 Mission

Risk Management Mission Statement

Primary Mission:
To provide assurance to stakeholders that risk decision making in
the firm is balanced and within the agreed risk appetite and that
control processes are rigorously designed and applied.
Secondary Mission:
To support the firm’s business strategy through provision of
efficient and effective delivery of risk management advice,
challenge, and decision making.

ORM Handbook, p. 101

© 2016 The Professional Risk Managers’ International Association 26
 Vision
Risk Management Vision
• To be the respected and empowered provider of effective,
independent, and efficient risk management advice, challenge, and
decisions for the firm.
• To be the influential force that ensures that the business and
support functions are adequate and effective in executing their
respective roles and responsibilities relating to risk management.
• To be the link with the external market that identifies, champions,
and educates the firm on best practice risk management.
• To be admired by the industry as an employer that develops risk
management talent.
ORM Handbook, p. 101
© 2016 The Professional Risk Managers’ International Association 27
 Risk Management Values

• Independence
• Expertise
• Leadership
• Influence
• Talent Development
• Team Work

ORM Handbook, p. 102

© 2016 The Professional Risk Managers’ International Association 28

 Communicating Values

• Humility

• Anticipation

• Courage

• Cohesion
Source: Stéphane Chassard, Chief Risk Officer UK, BNP Paribas, 2013.

© 2016 The Professional Risk Managers’ International Association

 POLL QUESTION - 4

• Do you /did you face challenges when establishing a risk

culture?

a) Mostly not, our culture is quite prudent and risk aware

b) Yes, establishing a risk culture is our biggest challenge in risk
management
c) There are / were some pockets of resistance in the business but we
are mostly ok
d) The biggest challenge came from top management
e) Other

© 2016 The Professional Risk Managers’ International Association 30

 Managers’ Role in Creating Risk Culture

• The Five Step Guide: A supervisor in respect of each of his or

her employees:
1. Tell them what their job is.
2. Tell them how to do their job.
3. Show them how to do their job.
4. Check they have done the job.
5. Reward them for how they did the job.

© 2016 The Professional Risk Managers’ International Association 31

 Managers’ Role in Creating Risk Culture

• Assess performance against:

• Did they do the whole job in the job description?
• Did they complete objectives?
• Did they take responsibility outside of the definition where needed?
• Did they pursue standards beyond the minimum?
• Did they do all this exercising judgment and behaving in the manner
that meets our cultural expectations?

© 2016 The Professional Risk Managers’ International Association 32

 Evaluating Risk Culture

• Quantum of self-raised issues

• Fixing root causes
• Survey of staff

© 2016 The Professional Risk Managers’ International Association 33

 PRMIA Learning Objectives

© 2016 The Professional Risk Managers’ International Association 34