OPERATIONAL RISK MANAGEMENT IN CENTRAL BANKS WITH SPECIAL FOCUS ON THE CENTRAL BANK OF MONTENEGRO

Radoica Luburić, Executive Director, Central Bank of Montenegro

Central Bank of the Republic of Turkey, Istanbul, 8 April 2015


Figure 1. Key Management Processes in Central Banks: Leadership; Project Management; Quality Management; Risk Management.


The success of managing an organisation, including management in Central Banks, entails the art of using the knowledge, skills, willingness, enthusiasm, habits, preferences and other positive characteristics of employees to achieve the goals set, and build the confidence of clients. This confidence is a source of new energy for both development and improvement. Therefore, four key processes have been selected, among which, one stands out in particular: Risk Management.


Figure 2. Deming’s PDCA cycle of continual improvement of processes. The four stages and the question each answers:

- Plan: What should it be like? Define objectives; action planning.
- Do: What should we do and how should we do it? Implement actions.
- Check: What was achieved? Check the achievement of objectives.
- Act: What else is there to be done? Identify room for improvement.


• The PDCA cycle is a universal approach - a methodology suitable for all areas of work (production, education, health, financial institutions, and the like). It contains the main attributes of the basic philosophy of quality management and a scientific approach to the process of understanding and improvement.

• PDCA cycles are ongoing processes and are to be applied to all areas in an organisation. If applied, this approach clearly demonstrates the management’s commitment to its basic role – continual improvements.

• PDCA methodology implies continual training and the transfer of knowledge.


• PDCA methodology implies that a completed cycle encourages the beginning of a new cycle, with a new plan, new information and the implementation of knowledge acquired from the previous cycles.

• Each successive cycle has an improved plan, improved process activities, improved checks and analysis, and other new improvements.

• This methodology is a dynamic process with the role of a catalyst to improve the process.


Figure 3. Continual improvement of processes


• What is Risk management?

• The essence of risk management is to timely recognize the risk and choose the most appropriate measures to prevent it.

• What is the essence of operational risk?

• Operational risk is one of the most important risks in any organisation.

• Operational risk is the risk of loss as a consequence of inadequate and unsuccessful processes and systems, errors by people and the result of external events.

Figure 4. Operational risk universe in Central Banks. The figure groups the elements of operational risk as follows:

- Process: errors in processes
- People and culture: leadership and culture; competency and knowledge
- Information management: information management; budgeting and planning
- Technology: systems; system integration; flexibility; system protection; infrastructure
- External risk: external events risk
- Business continuity: business continuity policy; ”data recovery”; probability of repeating past events; communication
- Financial reporting: financial statements
- Legal risk: obligations; contracts; harmonisation; ethics
- Protective measures: protection of people; protection of resources
- Further elements shown in the figure: information; human interaction; employees’ mistakes; project management


• Risk, as the effect of uncertainty on the expected result, is of great importance in management theory and practice.

• Management based on risk as a driver of preventive action is highlighted in the new quality management standards.

• The entire financial system, as well as the entire banking sector, and in this context the central banks, have a great need to develop a risk management system with a broader approach than that required by the current standards.

Figure 5. Operational risks in the Banking Sector according to Basel II: internal fraud; external fraud; employment and protection at work; clients, products and business practices; damage of tangible assets; business disruption and system failure; performing and managing processes.


• According to Basel II, operational risk is "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events".

• Basel II provides the following structure of operational risks in the banking system: internal fraud, external fraud, employment and protection at work, clients, products and business practices, damage of tangible assets, business disruption and system failure, as well as performing and managing processes.

Figure 6. How does the Basel II definition of operational risk contain certain flaws and ambiguities? Elements shown: the Basel II categories (internal fraud; external fraud; employment and protection at work; clients, products and business practices; damage of tangible assets; business disruption and system failure; performing and managing processes); the PDCA cycle (Plan, Do, Check, Act) of continual improvements; and Legal Risk, IT Risk and Reputational Risk.


• The structure of operational risk defined by Basel II has certain flaws and ambiguities.

• This primarily refers to the unstated or insufficient highlighting of the clear role of IT, legal and reputational risks, as well as of the process of continual improvement.

• Basel II includes legal risk, although it is not separately singled out. It also does not separately highlight IT and reputational risks, and they are not clearly visible within the general structure of operational risks.

• Bearing all this in mind, the continual improvement of processes is hardly truly feasible in practice.


• The successful application of the PDCA cycle is connected to the model of risk management.

• Its success depends on the early recognition of risk in the context of the organisation concerned, in this case a Central Bank, followed by its evaluation, treatment and monitoring.

• This universal model, which is based on a process approach, is shown in the following slide.


Figure 7. Universal model of Operational Risk Management in Central Banks. Stages shown: early identification of risks; identification of risks; evaluation of risks; communication of risks; treatment of risks; monitoring of risks; controls; internal audit.


• Unlike the structure of operational risks defined by Basel II, the structure used in many Central Banks clearly includes both legal and IT risks.

• Also, in most Central Banks, project risk is sometimes treated as part of the other operational risks and sometimes separately.

• Reputational risk is dealt with in all Central Banks, in various ways.

• Here are a few illustrative examples.


Figure 8. Risk categorisation model at the Bank of Canada. Risk categories shown: Business Risk; Strategic Risk; External Risk; Portfolio Management Risk; Information Technology Risk; Human Resources Risk; Operational Risk; External Stakeholder Risk; Project Risk; Financial Risk; Project Scope/Time/Cost Risk; Methodology Risk; Business Disruption Risk; Liquidity Risk; Compliance & Business Practice Risk; Market Risk; Credit Risk; Security Risk; Legal Risk; Reputational Risk.


• There is a big difference in the model of risk management in the Bank of Canada, where legal risk and information technology risk are particularly stressed compared to Basel II. In addition to operational risk, the model includes strategic, financial and project risks. A special place is given to reputational risk and its interdependence with other risks. These four groups of risks form a network which efficiently reduces the effect of uncertainty, that is, risk. This was best seen during the period of the current financial crisis, when this model of risk management proved to be very successful.


Figure 9. Risk structure at the Banque de France. Elements shown: IT systems; monitoring processes; monetary policy; financial stability; human resources; strategic risk; “project” risk; business disruption; operational risk; credit risk; financial risk; compliance; market risk; security; legal risk.


• The risk structure at the Banque de France also highlights legal risk, IT risk and “project risk”, which are all part of operational risk according to this model.

• We can see that, in addition to operational risk, the overall risk structure in the French model includes financial risk and strategic risk.

• A few years ago, ORM experts from the Banque de France visited the Central Bank of Montenegro and, using their knowledge and experience, assisted us in developing our model of Risk Management.


Figure 10. Risk structure at the Deutsche Bundesbank. Elements shown: Reputational loss; Business Risks; Currency Risks; Financial loss; Damage to persons; Operational Risks; Employee Risks; Technical Risks; External Risks; Primary Maintenance Risks; Interest Rate Risks; Human Failures; IT Risks; Counterparty Risks; Incorrect Conduct; Critical Dependencies on Third Parties; Liquidity Risks; Misallocation of Staff; Gold Price Risks; Inadequate Qualification of Staff; Infrastructure; Negative Press Coverage; Legal Risks; Natural Risks; General Security Risks.


• The risk model at the Deutsche Bundesbank also corrects the lack of clarity of Basel II, as it clearly shows the importance of legal risk and IT risk.

• Also, this model particularly emphasizes the importance of reputational risk in the overall risk structure.

SYNERGISTIC EFFECTS OF TOTAL QUALITY MANAGEMENT AND OPERATIONAL RISK MANAGEMENT IN CENTRAL BANKS: process approach

Figure 16. Framework for operational risk in the System of Federal Reserve in New York. The framework has five areas, each with its elements:

- Human Resources: competency/intellectual capital, succession planning, training, values and cultures; employee misdeeds; leadership and culture
- Technology and Information Management: reliability/integrity of data and information systems; infrastructure, systems (includes hardware, applications and operating systems); interface/integration, scalability/flexibility; security
- Business Processes: process errors, quality assurance, safeguarding of people and assets; compliance with policies, regulatory requirements, contracts; budgeting & planning, project management; financial reporting, revenue and expense management
- Business Continuity Planning: business continuity/resumption; data recoverability; contingency recovery; communications
- External Environment/Events: weak internal control environment or failure of a service provider (whether inside or outside the FRS), fraud by external party; other external events


• The Federal Reserve Bank of New York places special emphasis on Human Resources, in particular intellectual capital, education and culture.

Figure 11. Risk categorisation model at the Central Bank of Montenegro. Elements shown, with the PDCA cycle (Plan, Do, Check, Act) at the centre:

- Operational risk: project risk; external risk; information technology risk; human resources risk; external stakeholder risk; business disruption risk; compliance and business practice risk; security risk; legal risk
- Financial risk: liquidity risk; credit risk; market risk
- Reputational risk


• The model of risk management in the Central Bank of Montenegro also gives an appropriate position and role to legal risk and IT risk.

• The overall structure of Operational Risk also includes project risk, which some of the other models denote separately.

• In addition to Operational risk, the Montenegrin model also includes financial risk. (Due to our unilateral euroisation we do not monitor exchange rate risk.)

• As is the case with the Canadian model, a special role is given to reputational risk and its interdependence with other risks.

Figure 12. Deming’s PDCA cycle in the function of minimizing operational risks at the Central Bank of Montenegro. Components of operational risk shown around the PDCA cycle (Plan, Do, Check, Act): project risk; external risk; legal risk; information technology risk; security risk; human resources risk; compliance and business practice risk; external stakeholder risk; business disruption risk; reputational risk.


• As already mentioned, PDCA cycles represent a suitable methodology for improving processes and products. This methodology can be successfully used to minimise operational risk.

• Each component of operational risk is observed with respect to the PDCA cycle and is improved in terms of risk identification and finding ways to prevent and reduce the risk to acceptable levels.

• Also, according to a similar procedure, each element of the component can be analysed and improved, as shown in the following slide.

Figure 13. Deming’s PDCA cycle in the function of minimizing risks in the IT sector of the Central Bank of Montenegro. The eleven elements of IT risk shown around the PDCA cycle (Plan, Do, Check, Act), with reputational risk at the centre:

- Managing IT incidents and problems
- Managing, training and improving employees
- Assuring continuity of IT services
- Support to the users of IT services
- Planning, developing and maintaining IT system components
- Managing access rights to IT services
- Planning, organisation and improving work processes
- Managing IT projects
- Contractual relations with external suppliers
- Managing security of IT services
- Managing IT services and equipment procurement


• The PDCA cycle in the function of minimising risks in the IT sector of the Central Bank of Montenegro is an example of the application of the methodology at the micro level within the whole operational risk structure.

• In this case, the methodology was applied to eleven elements of IT risk.

• In order to manage each risk successfully, the risks need to be recognised, evaluated, acted upon and continually monitored.


• The formal Operational Risk Management Program in CBM was established in 2006, with the help of a World Bank consultant.

• The Directorate for Operational Risk Management, information security, and business continuity was established in 2013.

• The Enterprise Risk Management approach is used, as developed by COSO (Committee of Sponsoring Organizations).

• The system is based on risk self-assessment by each of the organizational units. Through a bottom-up approach, potential risks are identified and assessed through any failures of business processes.

• Heads of organizational units (sectors and directorates) are responsible for identifying and managing risks in their units. Identification, evaluation, treatment, monitoring and reporting are carried out at the lowest organizational units (divisions).


• Reporting of the Bank’s operational risk is done quarterly. Organizational units submit their reports to the Operational Risk Management Department, which prepares a summary report to the Bank’s senior management.

• The Bank is considering the establishment of a Risk Committee. The aim of the Risk Committee would be to give a complete overview of all the risks embedded in the activities of the institution, including operational risk, in order for the Senior Management to be able to assess its global risk. This activity is in line with the recommendation of the International Monetary Fund.


• Standardized risk terminology is used.

• Organizational units assess risks through self-assessment.

• Key risk indicators (KRI) are defined for each risk and constantly monitored. KRIs are defined on a quarterly basis and used for monitoring the status of the identified risks.

• Organizational units report all incidents related to risks.

• Training is ongoing to continuously improve the risk awareness of the employees.


• Internal Audit receives quarterly reports from the organizational units, analyzes them and plans revisions accordingly. Internal audit played a key role in the introduction of the current system for managing operational risk in CBM.

• Through their recommendations to organizational units related to operational risks, Internal Audit also has a role in both the monitoring and continual improvement of the overall ORM process.

OPERATIONAL RISK MANAGEMENT IN CBCG – planned changes

• The plan is to improve the existing system and achieve compliance with the system for operational risk management in the Eurosystem of central banks and the European Central Bank.

• Accordingly, the Bank plans to adopt a new policy and methodology for operational risk management.

• A needs assessment programme for the Central Bank of Montenegro was carried out (September 2014 – March 2015).

ORM lifecycle in ECB - overview

Step by step approach to risk management - ECB. The lifecycle shown has five steps, with an Action Plan and Risk acceptance as its outputs:

1. Identification of products and deliverables: identification of the products and deliverables under the Committee’s responsibility.
2. Criticality assessment: assessment of the criticality of products assuming controls/control objectives have failed (worst case scenarios).
3. Quick scan: high level overview of the main risks from the Committee experts’ perspective, taking into consideration the existing control environment and likelihood of risk events occurring.
4. In-depth analysis: verification of the risk picture gained through the quick scan; in addition, validation of (i) the compliance of existing controls at CBs with control objectives defined by the Committees, and (ii) the level of risk assessment at CBs, considering also the local control environment.
5. Review cycle: regular review of the status of key risks and related controls/control objectives (business environment scan and emerging risks detection).

Business Continuity Management Programme and BCM Lifecycle

BCM Lifecycle – Deming Cycle (PDCA approach). Stages shown around the Business Continuity Management Programme: understanding the organisation; determining BCM strategy; developing and implementing response; testing, maintaining, reviewing and reporting.

• Business Continuity Management (BCM) is a holistic management process with the aim of building up organisational resilience with an improved capability to create an effective response to business disruptions. It is designed to safeguard the interests, reputation and activities of the organization.

• BCM is made up of the planning for and management of the recovery and the continuation of business activities.

• The BCM lifecycle includes the following basic activities:
  - understanding the organisation;
  - determining a BCM strategy;
  - developing and implementing responses;
  - testing, maintaining, reviewing and reporting.

Design of the BCM roll-out and relation to ORM (operational risk management)

• Business continuity risks are operational risks related to any long-term disruption of business functions and processes.

• The assessment process for BC is conducted through the assessment of the business, financial and reputational impact of any disruption lasting for up to one week. Analysis is carried out using worst case scenarios.

• For impact evaluation, ORM grading scales for business, financial and reputational impact are used.

Risk and the three lines of defence: 1st line of defence; 2nd line of defence; 3rd line of defence.


• The variety and complexity of risks facing today’s organizations is rising rapidly, due in part to emerging technologies, globalization, and increased regulation.

• How can audit committees and other governing bodies get their arms around these growing risks? How can they ensure that each one is carefully considered and that “somebody” in the organization is looking out for each risk area? Moreover, how can they ensure that the people charged with responsibility for these various risk areas are working together to avoid gaps in risk management or duplication of efforts?

• Seeking answers to these very questions, more and more company leaders are beginning to pay attention to a risk management and control model that many European organizations have been using successfully for years: Three Lines of Defense.

• The premise of the Three Lines of Defense model is that each area within the company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminishes. Not only that, but with a structure like this in place, the audit committee or other governing body can be confident that it’s getting impartial information about the organization’s most significant risks — and it knows whether management is responding to them appropriately.


Three lines of defence model

- 1st line of defence – Business: management is primarily responsible for managing its own processes; responsible for identifying and controlling risks by using business control frameworks, implementing internal processes and adequate controls.
- 2nd line of defence – Risk Management: setting Enterprise Risk Management frameworks; independent reporting to the management board and audit committee; ensuring the first line takes ownership; advisor/consultant to the first line.
- 3rd line of defence – Audit: provides assurance about the design and effectiveness of the 1st and 2nd line; reporting line to the audit committee; advisory role to improve processes.


The Three Lines of Defense model depicts three groups on which senior management and the board can rely to detect and address risk:

1. Operating management
2. Risk and compliance functions
3. Internal audit

• As the first line of defense, operational management manages the organization’s risks by implementing and maintaining effective internal control procedures on a day-to-day basis. This line encompasses the mid-level and front-line managers who are responsible for identifying control breakdowns and inadequate processes and fixing whatever problems they find.

• The second line of defense is made up of a number of specialty risk management and compliance functions that work to make sure the first-line-of-defense controls are designed appropriately and operating as intended. Second-line professionals collaborate with operations managers to develop and monitor processes and controls to mitigate identified risks.


• Internal audit serves as the organization’s third line of defense, reviewing controls and risk management procedures, identifying problems, and keeping the board and senior management informed. What distinguishes internal audit from the other two lines of defense is its high level of independence and objectivity. Due to its distinct responsibilities and uniquely independent positioning, internal audit is able to provide reliable assurance on the effectiveness of the organization’s overall governance, risk management, and internal control processes. The Three Lines of Defense model provides clarity to governing bodies, management, and internal auditors around the roles of each function — particularly those that may appear to have overlapping objectives or responsibilities — and illustrates how they can work together to manage the organization’s high-priority risks with the greatest efficiency and effectiveness.