OPERATIONAL RISK MANAGEMENT IN CENTRAL BANKS WITH SPECIAL FOCUS ON THE CENTRAL BANK OF MONTENEGRO
Radoica Luburić Executive Director Central Bank of Montenegro
Central Bank of the Republic of Turkey Istanbul, 8 April 2015
Figure 1. Key Management Processes in Central Banks: Leadership; Project Management; Quality Management; Risk Management
The success of managing an organisation, including management in Central Banks, entails the art of using the knowledge, skills, willingness, enthusiasm, habits, preferences and other positive characteristics of employees to achieve the goals set, and build the confidence of clients. This confidence is a source of new energy for both development and improvement. Therefore, four key processes have been selected, among which, one stands out in particular: Risk Management.
Figure 2. Deming’s PDCA cycle of continual improvement of processes
- Plan: What should it be like? define objectives; action planning
- Do: What should we do and how should we do it? implement actions
- Check: What was achieved? check the achievement of objectives
- Act: What else is there to be done? identify room for improvement
The PDCA cycle is a universal approach - a methodology suitable for all areas of work (production, education, health, financial institutions, and the like). It contains the main attributes of the basic philosophy of quality management and a scientific approach to the process of understanding and improvement. PDCA cycles are ongoing processes and are to be applied to all areas in an organisation. If applied, this approach clearly demonstrates the management’s commitment to its basic role – continual improvements. PDCA methodology implies continual training and the transfer of knowledge.
PDCA methodology implies that a completed cycle encourages the beginning of a new cycle, with a new plan, new information and the implementation of knowledge acquired from the previous cycles. Each successive cycle has an improved plan, improved process activities, improved checks and analysis and other new improvements. This methodology is a dynamic process with the role of a catalyst to improve the process.
Figure 3. Continual improvement of processes
What is Risk management? The essence of risk management is to recognise risk in a timely manner and to choose the most appropriate measures to prevent it.
What is the essence of operational risk? Operational risk is one of the most important risks in any organisation. Operational risk is the risk of loss as a consequence of inadequate and unsuccessful processes and systems, errors by people, and external events.
Figure 4. Operational risk universe in Central Banks. Categories and elements shown: Process (errors in processes); People and culture (leadership and culture; competency and knowledge); Information management (information management; budgeting and planning); External risk (external events risk); Technology (infrastructure; systems; system integration; flexibility; system protection); Business continuity (business continuity policy; "data recovery"; probability of repeating past events; communication); Financial reporting (financial statements); Legal risk (obligations; contracts; harmonisation; ethics); Protective measures (protection of people; protection of resources). Further elements whose category is not recoverable from the slide layout: information; human interaction; employees’ mistakes; project management.
Risk, as the effect of uncertainty of the expected result, is of great importance in management theory and practice. Management based on risk as a driver of preventive action is highlighted in the new quality management standards. The entire financial system, as well as the entire banking sector, and in this context, the central banks, have a great need to develop a risk management system with a broader approach than that required by the current standards.
Figure 5. Operational risks in the Banking Sector according to Basel II: internal fraud; external fraud; employment and protection at work; clients, products and business practices; damage of tangible assets; business disruption and system failure; performing and managing processes
According to Basel II, operational risk is "the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events". Basel II provides the following structure of operational risks in the banking system: internal fraud, external fraud, employment and protection at work, clients, products and business practices, damage of tangible assets, business disruption and system failure, as well as performing and managing processes.
Figure 6. How does the Basel II definition of operational risk contain certain flaws and ambiguities? (The Basel II categories from Figure 5 are arranged around the PDCA cycle of continual improvements, alongside legal risk, IT risk and reputational risk.)
The structure of operational risk defined by Basel II has certain flaws and ambiguities. This primarily refers to the unstated or insufficient highlighting of the clear role of IT, legal and reputational risks, as well as of the process of continual improvement. Basel II includes legal risk, although it is not separately singled out. It also does not separately highlight IT and reputational risks, and they are not clearly visible within the general structure of operational risks. Bearing all this in mind, the continual improvement of processes is hardly truly feasible in practice.
The successful application of the PDCA cycle is connected to the model of risk management. Its success depends on the early recognition of risk in the context of the organisation concerned, in this case a Central Bank, followed by its evaluation, treatment and monitoring. This universal model, which is based on a process approach, is shown in the following slide.
Figure 7. Universal model of Operational Risk Management in Central Banks: early identification of risks; identification of risks; evaluation of risks; communication of risks; treatment of risks; monitoring of risks; controls; internal audit
Unlike the structure of operational risks defined by Basel II, the structure used in many Central Banks clearly includes both legal and IT risks. Also, in most Central Banks, project risk is sometimes treated as part of the other operational risks and sometimes separately. Reputational risk is dealt with in all Central Banks, in various ways. Here are a few illustrative examples.
Figure 8. Risk categorisation model at the Bank of Canada. Risk categories shown: Business Risk; Strategic Risk; External Risk; Portfolio Management Risk; Information Technology Risk; Human Resources Risk; Operational Risk; External Stakeholder Risk; Project Risk; Financial Risk; Project Scope/Time/Cost Risk; Methodology Risk; Business Disruption Risk; Liquidity Risk; Compliance & Business Practice Risk; Market Risk; Credit Risk; Security Risk; Legal Risk; Reputational Risk
There is a big difference in the model of risk management in the Bank of Canada, where legal risk and information technology risk are particularly stressed compared to Basel II. In addition to operational risk, the model includes strategic, financial and project risks. A special place is given to reputational risk and its interdependence with other risks. These four groups of risks form a network which efficiently reduces the effect of uncertainty, that is, risk. This was best seen during the period of the current financial crisis, when this model of risk management proved to be very successful.
Figure 9. Risk structure at the Banque de France. Elements shown: IT systems; monitoring processes; monetary policy; financial stability; human resources; strategic risk; "project" risk; business disruption; operational risk; credit risk; financial risk; compliance; market risk; security; legal risk
The risk structure at the Banque de France also highlights legal risk, IT risk and "project risk", which are all part of operational risk according to this model. We can see that, in addition to operational risk, the overall risk structure in the French model includes financial risk and strategic risk. A few years ago, ORM experts from the Banque de France visited the Central Bank of Montenegro and, using their knowledge and experience, assisted us in developing our model of Risk Management.
Figure 10. Risk structure at the Deutsche Bundesbank. Elements shown: reputational loss; financial loss; damage to persons; business risks; currency risks; interest rate risks; gold price risks; liquidity risks; counterparty risks; operational risks; employee risks; human failures; incorrect conduct; misallocation of staff; inadequate qualification of staff; technical risks; IT risks; infrastructure; external risks; primary maintenance risks; critical dependencies on third parties; natural risks; negative press coverage; legal risks; general security risks
The risk model at the Deutsche Bundesbank also corrects the lack of clarity of Basel II, as it clearly shows the importance of legal risk and IT risk. Also, this model particularly emphasizes the importance of reputational risk in the overall risk structure.
SYNERGISTIC EFFECTS OF TOTAL QUALITY MANAGEMENT AND OPERATIONAL RISK MANAGEMENT IN CENTRAL BANKS: process approach
Figure 16. Framework for operational risk in the Federal Reserve System (Federal Reserve Bank of New York)
- Human Resources: competency/intellectual capital, succession planning, training, values and cultures; employee misdeeds; leadership and culture
- Technology and Information Management: reliability/integrity of data and information systems; infrastructure, systems (includes hardware, applications and operating systems); interface/integration, scalability/flexibility; security
- Business Processes: process errors, quality assurance, safeguarding of people and assets; compliance with policies, regulatory requirements, contracts; budgeting & planning, project management; financial reporting, revenue and expense management
- Business Continuity Planning: business continuity/resumption; data recoverability; contingency recovery; communications
- External Environment/Events: weak internal control environment or failure of a service provider (whether inside or outside the FRS), fraud by external party; other external events
The Federal Reserve Bank of New York places special emphasis on Human Resources, in particular intellectual capital, education and culture.
Figure 11. Risk categorisation model at the Central Bank of Montenegro. Risk categories shown around the PDCA cycle: project risk; external risk; liquidity risk; information technology risk; human resources risk; operational risk; external stakeholder risk; business disruption risk; credit risk; financial risk; market risk; compliance and business practice risk; security risk; legal risk; reputational risk
The model of risk management in the Central Bank of Montenegro also gives an appropriate position and role to legal risk and IT risk. The overall structure of Operational Risk also includes project risk, which is denoted separately by some of the other models. In addition to Operational risk, the Montenegrin model also includes financial risk. (Due to our unilateral euroisation we do not monitor exchange rate risk.) As is the case with the Canadian model, a special role is given to reputational risk and its interdependence with other risks.
Figure 12. Deming’s PDCA cycle in the function of minimizing operational risks at the Central Bank of Montenegro. Risk categories shown around the PDCA cycle: project risk; external risk; legal risk; information technology risk; security risk; human resources risk; compliance and business practice risk; external stakeholder risk; business disruption risk; reputational risk
As already mentioned, PDCA cycles represent a suitable methodology for improving processes and products. This methodology can be successfully used to minimise operational risk. Each component of operational risk is observed with respect to the PDCA cycle and it is improved in terms of risk identification and finding the ways to prevent and reduce the risk to acceptable levels. Also, according to a similar procedure, each element of the component can be analysed and improved, as shown in the following slide.
Figure 13. Deming’s PDCA cycle in the function of minimizing risks in the IT sector of the Central Bank of Montenegro. The eleven elements of IT risk shown around the PDCA cycle: managing IT incidents and problems; managing, training and improving employees; assuring continuity of IT services; support to the users of IT services; planning, developing and maintaining IT system components; managing access rights to IT services; planning, organisation and improving work processes; managing IT projects; contractual relations with external suppliers; managing security of IT services; managing IT services and equipment procurement. Reputational risk is shown alongside them.
The PDCA cycle in the function of minimising risks in the IT sector of the Central Bank of Montenegro is an example of the application of the methodology at the micro level within the whole operational risk structure. In this case, the methodology was applied to eleven elements of IT risk. In order to manage each risk successfully, it needs to be recognised, evaluated, acted upon and continually monitored.
The formal Operational Risk Management Program in CBM was established in 2006, with the help of a World Bank consultant.
The Directorate for Operational Risk Management, information security, and business continuity was established in 2013.
The Enterprise Risk Management approach is used, as developed by COSO (Committee of Sponsoring Organizations).
The system is based on risk self-assessment by each of the organizational units. Through a bottom-up approach, potential risks are identified and assessed through any failures of business processes.
Heads of organizational units (sectors and directorates) are responsible for identifying and managing risks in their units. Identification, evaluation, treatment, monitoring and reporting are carried out at the lowest organizational units (divisions).
Reporting of the Bank’s operational risk is done quarterly.
Organizational units submit their reports to the Operational Risk Management Department, which prepares a summary report to the Bank’s senior management.
The Bank is considering the establishment of a Risk Committee.
The aim of the Risk Committee would be to give a complete overview of all the risks embedded in the activities of the institution, including operational risk, in order for the Senior Management to be able to assess its global risk. This activity is in line with the recommendation of the International Monetary Fund.
Standardized risk terminology is used.
Organizational units assess risks through self-assessment.
Key risk indicators (KRI) are defined for each risk and constantly monitored. KRIs are defined on a quarterly basis and used for monitoring the status of the identified risks.
Organizational units report all incidents related to risks.
Training is ongoing to continuously improve the risk awareness of the employees.
Internal Audit receives quarterly reports from the organizational units, analyzes them and plans revisions accordingly. Internal audit played a key role in the introduction of the current system for managing operational risk in CBM.
Through their recommendations to organizational units related to operational risks, Internal Audit also has a role in both the monitoring and continual improvement of the overall ORM process.
OPERATIONAL RISK MANAGEMENT IN CBCG – planned changes
The plan is to improve the existing system and achieve compliance with the system for operational risk management in the Eurosystem of central banks and the European Central Bank.
Accordingly, the Bank plans to adopt a new policy and methodology for operational risk management.
A needs assessment programme for the Central Bank of Montenegro was carried out (September 2014 – March 2015).
ORM lifecycle in ECB - overview
1. Identification of products and deliverables: identification of the products and deliverables under the Committee’s responsibility
2. Criticality assessment: assessment of the criticality of products assuming controls/control objectives have failed (worst case scenarios)
3. Quick scan: high level overview of the main risks from the Committee experts’ perspective, taking into consideration the existing control environment and likelihood of risk events occurring
4. In-depth analysis: verification of the risk picture gained through the quick scan; in addition, validation of (i) the compliance of existing controls at CBs with control objectives defined by the Committees, and (ii) the level of risk assessment at CBs considering also the local control environment
5. Review cycle: regular review of the status of key risks and related controls/control objectives (business environment scan and emerging risks detection)
Outputs shown between the steps: action plan; risk acceptance.
Step by step approach to risk management - ECB
Business Continuity Management Programme and BCM Lifecycle. BCM Lifecycle – Deming Cycle (PDCA approach): understanding the organisation; determining BCM strategy; developing and implementing response; testing, maintaining, reviewing and reporting
Business Continuity Management (BCM) is a holistic management process with the aim of building up organisational resilience with an improved capability to create an effective response to business disruptions. It is designed to safeguard the interests, reputation and activities of the organization. BCM is made up of the planning for and management of the recovery and the continuation of business activities. The BCM lifecycle includes the following basic activities: understanding the organisation; determining a BCM strategy; developing and implementing responses; testing, maintaining, reviewing and reporting.
Design of the BCM roll-out and relation to ORM (operational risk management)
Business continuity risks are operational risks related to any long-term disruption of business functions and processes. The assessment process for business continuity is conducted through the assessment of the business, financial and reputational impact of any disruption lasting for up to one week. Analysis is carried out using worst case scenarios. For impact evaluation, the ORM grading scales for business, financial and reputational impact are used.
Figure: risk and the three lines of defence (1st line of defence; 2nd line of defence; 3rd line of defence)
The variety and complexity of risks facing today’s organizations is rising rapidly, due in part to emerging technologies, globalization, and increased regulation. How can audit committees and other governing bodies get their arms around these growing risks? How can they ensure that each one is carefully considered and that “somebody” in the organization is looking out for each risk area? Moreover, how can they ensure that the people charged with responsibility for these various risk areas are working together to avoid gaps in risk management or duplication of efforts? Seeking answers to these very questions, more and more company leaders are beginning to pay attention to a risk management and control model that many European organizations have been using successfully for years: Three Lines of Defense. The premise of the Three Lines of Defense model is that each area within the company has a clearly defined and specific role to play. And when each does its assigned task effectively, the likelihood that a risk will slip past all of the defense lines and penetrate the organization diminishes. Not only that, but with a structure like this in place, the audit committee or other governing body can be confident that it’s getting impartial information about the organization’s most significant risks — and it knows whether management is responding to them appropriately.
Three lines of defence model
- Business (1st line of defence): management is primarily responsible for managing its own processes; responsible for identifying and controlling risks by using business control frameworks, implementing internal processes and adequate controls
- Risk Management (2nd line of defence): setting Enterprise Risk Management frameworks; independent reporting to the management board and audit committee; ensuring the first line takes ownership; advisor/consultant to the first line
- Audit (3rd line of defence): provides assurance about the design and effectiveness of the 1st and 2nd lines; reporting line to the audit committee; advisory role to improve processes
The Three Lines of Defense model depicts three groups on which senior management and the board can rely to detect and address risk:
1. Operating management
2. Risk and compliance functions
3. Internal audit
As the first line of defense, operational management manages the organization’s risks by implementing and maintaining effective internal control procedures on a day-to-day basis. This line encompasses the mid-level and front-line managers who are responsible for identifying control breakdowns and inadequate processes and fixing whatever problems they find. The second line of defense is made up of a number of specialty risk management and compliance functions that work to make sure the first-line-of-defense controls are designed appropriately and operating as intended. Second-line professionals collaborate with operations managers to develop and monitor processes and controls to mitigate identified risks.
Internal audit serves as the organization’s third line of defense, reviewing controls and risk management procedures, identifying problems, and keeping the board and senior management informed. What distinguishes internal audit from the other two lines of defense is its high level of independence and objectivity. Due to its distinct responsibilities and uniquely independent positioning, internal audit is able to provide reliable assurance on the effectiveness of the organization’s overall governance, risk management, and internal control processes. The Three Lines of Defense model provides clarity to governing bodies, management, and internal auditors around the roles of each function — particularly those that may appear to have overlapping objectives or responsibilities — and illustrates how they can work together to manage the organization’s high-priority risks with the greatest efficiency and effectiveness.