Operational Risk and Basel II: an IT Control Perspective - PowerPoint PPT Presentation

About This Presentation

Title: Operational Risk and Basel II: an IT Control Perspective
Slides: 51
Provided by: prm8

Transcript and Presenter's Notes

1
Operational Risk and Basel II: an IT Control
Perspective.
2
Risk: General
  • There is no risk-free activity.
  • There are only degrees of risk, from high to low.
  • Nothing risked, nothing gained.
  • High risks bring in high gains.
  • Risks, if not managed well, can result in disaster.
  • The banking business is one of taking risks.

3
Why so much importance to Risk?
  • Managers take risks in pursuit of value.
  • Value means the Total Return to Shareholders (TRS).
  • TRS represents the change in the capital value of a
    company (normally a listed company) over a period of
    one year or longer, plus dividends, expressed as a
    plus or minus percentage of the opening value.

4
TRS vs Value
  • Value creation, reflected in increased revenue, cost
    savings and the release of locked-up funds, also shows
    in the enterprise value.
  • Individual risks and exposures increase the variability
    of TRS; inherently they erode value, and in extreme
    cases business continuity is threatened.
  • Firms that have not managed their risks are bereft of
    value and are sure to be punished by their shareholders.

5
Market Capitalization and Reputation
Matter.
  • Risk threatens reputation.
  • Look at Dell's story.
  • Sony's supply of faulty batteries for Dell's laptops
    sparked customers' fury, leading to the withdrawal of
    millions of laptop batteries from the market as Dell's
    reputation took a beating.
  • Analysts and rating agencies too have stepped up their
    focus on the quality of risk management, as ratings
    matter in the stock market.
  • Outsourcing, too, has the potential to damage reputation.
  • Bad risk management has far-reaching implications,
    leading to financial losses and loss of confidence
    among investors and lending institutions.
  • Lesson: manage risks carefully.

6
IT Focus
  • Spreading risks and controlling them involves complex
    mathematical and computational tools, with theoretical
    underpinnings in probability, optimization and
    estimation theory.
  • Is IT the saviour? Systemic risks come into play: the
    new regime of Operational Risk!

7
Operational Risk (OR)
  • OR is all about the people, processes and systems that
    are intrinsically present in financial institutions.
  • Once recognized, mitigation through insurance is
    possible.
  • OR is fuzzy.
  • Credit risk, identified as default risk, is a business
    risk; but a manager violating sanctioning norms borders
    on OR.
  • It is good to separate FAILURE and STRATEGIC risks
    under OR.

8
Operational Failure Risk
  • Arises from the failure of people, processes or systems
    in the course of conducting the business.
  • Due to factors internal to the organization.

9
Operational Strategic Risk
  • Arises from:
  • business re-engineering, a new strategic initiative, a
    change in the line of business, etc.;
  • environmental factors, such as natural events like a
    tsunami;
  • a change in the political regime;
  • the introduction of new taxes, etc.
  • These arise from factors external to the organization
    and beyond the control of the enterprise.

10
OR and Basel II
  • The Basel Committee recognizes and defines operational
    risk in Basel II as:
  • "the risk of loss resulting from inadequate or failed
    internal processes, people and systems or from external
    events".
  • The definition includes legal risk but excludes
    strategic and reputational risk.
  • It focuses on the causes/events that trigger OR and
    that are capable of measurement.

11
Basel II Requires
  • Allocation of capital for OR.
  • Adequacy determined by regulatory oversight.
  • Market discipline.
  • Based on three Pillars:
  • Minimum capital requirements (Pillar 1).
  • Supervisory review process (Pillar 2).
  • Market discipline (Pillar 3).

12
Minimum Capital Requirements
  • Basel II introduces a new capital requirement for
    operational risk.
  • Risks that are managed better, and professionally,
    lead to a lower charge on capital.

13
Supervisory Review Process: 4 Key Principles
  • Banks should self-assess their capital adequacy
    processes, including sound policies and procedures to
    manage and control capital.
  • Supervisors should review and evaluate banks' internal
    capital adequacy assessments and strategies.
  • Banks should operate above the minimum regulatory
    capital ratios.
  • Supervisors should seek to intervene at an early stage.

14
Disclosure Requirements
  • Scope of application.
  • The name of the top corporate entity in the group to
    which the framework applies should be stated.
  • Capital structure: provides information to market
    participants on the bank's capacity to withstand
    financial risks.
  • Actual risk and its structure.
  • Capital adequacy.

15
Actual Risk and its Structure
  • Four main risks (credit, market, operational and
    interest rate risk in the banking book) are defined,
    and separate data have to be disclosed for each.
  • Potential losses for each type of risk are estimated
    and compared with actual losses, and disclosed so that
    market participants can assess the appropriateness and
    effectiveness of the risk management system.

16
Capital Adequacy
  • The capital requirement corresponding to the risks
    assumed, and the overall capital ratio, should be
    disclosed.
  • Additionally, an analysis of the factors that affect
    the overall capital requirement and the allocation of
    economic capital should be provided.

17
Managing Operational Risks
  • Avoiding unexpected losses and creating a "no surprise"
    culture through judicious risk management practices.
  • Challenges:
  • Mergers and acquisitions.
  • Alliances, associates and subsidiaries.
  • Changing customer expectations.

18
The External Compulsions
  • Shareholder expectations of good governance and
    effective legal and regulatory compliance.
  • Rating agencies' focus.
  • Regulatory forbearance, preventing the contagion
    effect.
  • Better risk management should lead to a risk appetite
    that ensures profitable opportunities are captured.

19
Who Should Manage OR?
  • The Board is responsible for the high-level policies.
  • Top management is responsible for creating a structured
    control environment and laying down procedures.
  • Middle management implements the risk practices
    conforming to the above.
  • Statutory auditors ascertain whether the internal
    controls are adequate to mitigate the risks.

20
Whistle-Blowing
  • Any employee can assume responsibility and blow the
    whistle on anything; this includes risks that may
    injure the firm.
  • In the US, Section 301 of the Sarbanes-Oxley (SOX) Act
    makes it compulsory for firms to facilitate
    whistle-blowing appropriately.
  • Indian banks are yet to introduce this.

21
Framework for OR
  • Risk strategy.
  • Organizational structure.
  • Reporting.
  • Information technology.
  • Building blocks, including: definition, linkage and
    structures; key risk indicators; loss data; mitigation;
    risk assessment; and capital modelling to determine
    economic capital.

22
Economic Capital and the LOBs
  • Capital modelling encompasses the calculation of
    regulatory and economic capital.
  • Economic capital can be calculated top-down as well as
    bottom-up.
  • In the top-down approach, top management allocates the
    capital to the lines of business (LOBs).
  • In the bottom-up approach, the LOBs work out their
    capital requirements, and the capital allocation is
    made on that basis.

23
Key Risk Indicators
  • Statistics and/or metrics, often financial, providing
    insight into a bank's risk position.
  • Threshold limits.
  • Scorecards.
  • Periodic review (often monthly or quarterly) to alert
    banks to changes that may be indicative of risk
    concerns.
  • Examples: the number of failed trades, staff turnover
    rates, and the frequency and/or severity of errors and
    omissions.

24
IT Control Objectives for Basel II
  • The Control Objectives for Information and related
    Technology (COBIT) is a set of best practices (a
    framework) for information technology (IT) management,
    first released by the Information Systems Audit and
    Control Association (ISACA) in 1996 and subsequently
    developed with the IT Governance Institute (ITGI).

25
COBIT
  • Provides a foundation upon which IT-related decisions
    and investments can be based.
  • Helps in defining:
  • a strategic IT plan;
  • the information architecture.
  • Helps in acquiring the IT hardware and software
    necessary to execute an IT strategy.
  • Ensures continuous service, and monitoring of the
    performance of the IT system.

26
COSO Components
  • COSO identifies the following eight essential
    components of effective internal control:
  • Internal environment (Basel II Principles 1, 3, 6
    and 10).
  • Objective setting (effectiveness, efficiency and
    profitability goals; setting safeguards against
    losses).
  • Event identification (Basel II Principles 4 and 5).
  • Risk assessment (likelihood and impact of the events,
    using qualitative and quantitative methods).
  • Risk response (risk avoidance, reduction, sharing and
    acceptance).
  • Control activities (risk mitigation efforts).
  • Information and communication.
  • Monitoring.

27
Strategic Objectives
  • These pertain to the high-level goals established by
    management to define what the organization aspires to
    achieve.
  • Objectives are linked to the organization's operations
    and reporting procedures, which should tie directly to
    compliance initiatives and risk management.
  • Departmental goals and reporting procedures need to be
    tied to management's expectations concerning
    operational risk.
  • The objective-setting component relates to Basel II
    Principle 4.

28
Risk Response (Basel II Principles 6, 7)
  • Sharing: reducing risk likelihood or impact by
    transferring or otherwise sharing a portion of the
    risk.
  • Common techniques include purchasing insurance
    products, engaging in hedging transactions or
    outsourcing an activity.
  • Acceptance: no action is taken to affect risk
    likelihood or impact. This is the residual risk
    (management combining SOD and EOD).

29
  • COSO suggests that effective monitoring should:
  • be integrated, to the extent possible, with
    operations;
  • provide objective assessments;
  • use knowledgeable personnel to perform the
    evaluations.

30
An IT organization also has many different types
of separate evaluations.
  • These include:
  • Internal audits
  • External audits
  • Regulatory examinations
  • Attack and penetration studies
  • Independent performance and capacity analyses
  • IT effectiveness reviews
  • Control self-assessment

31
Monitoring (Principles 2, 8, 9)
  • Independent security reviews.
  • Project implementation reviews.
  • At the entity level, for example, centralized
    monitoring of security and review of internal audit
    reports.
  • At the activity level, for example, local monitoring
    of security, monitoring of SLAs, etc.

32
Important Dates
  • The International Convergence of Capital Measurement
    and Capital Standards (the Basel II Capital Accord, or
    Basel II), published by the Basel Committee in June
    2006.
  • The principles defined in the Sound Practices for the
    Management and Supervision of Operational Risk,
    published by the Basel Committee in February 2003.
  • The Enterprise Risk Management - Integrated Framework,
    published by COSO in September 2004.

33
ITGP-1 (Operational Risk Awareness)
  • Information management and technology form a critical
    part of operational risk management.
  • Awareness is not restricted to just IT risk.
  • OR differs from the other risks: expected rewards are
    not taken into account.
  • Any failure to manage OR can raise the risk profile,
    can amount to misstatements and can attract penalties.

34
ITGP-2 (Internal Audit Requirement)
  • The internal IT audit function should be
    effective and comprehensive.
  • Skills, resources and funding should be adequate
    to ensure audit effectiveness.

35
ITGP-3 (Management Policies, Processes,
Procedures)
  • IT should be governed by an adequate set of policies,
    processes and procedures for risk management.
  • The guidance given to practitioners, internal auditors
    and financial services experts should be in line with
    the organization's GRC framework.

36
  • An organization is only as strong as its weakest or
    least ethical employee. A single person can mar the
    organization.
  • Barings Bank is a classic example. Its trader Nick
    Leeson single-handedly brought about its downfall by
    performing activities he was not supposed to. This was
    catalysed by poor oversight from top management.

37
ITGP-7 (Business Continuity Management)
  • IT should be protected by a comprehensive continuity
    management process.
  • An organization-wide business continuity management
    (BCM) framework.
  • Senior management is responsible for implementation
    and monitoring.
  • High-level principles include the elements of an
    ongoing BCM life cycle, as expressed in other standards
    and publications.
  • Should be aligned with the overall enterprise-wide
    BCM.
  • Strong business support and interaction with business
    process owners.
  • IT cannot exist alone or be the subject of an isolated
    continuity plan.

38
The Entity's Objectives
  • Strategic: high-level goals aligned with and supporting
    the mission.
  • Operations: effective and efficient use of resources.
  • Reporting: reliability.
  • Compliance: applicable laws and regulations.

39
ITGP9 (Independent Evaluation)
  • Information management and technology-related
    risks shall be adequately documented to support
    the supervisory review process.
  • An independent audit function should perform
    reviews of IT-related operational risk management
    in line with the operational and information risk
    profile.

40
The Business Line Approach in Basel II
  • The Basel Committee requires that all banking
    activities be mapped to one of the following eight
    lines of business (LOBs):
  • Corporate finance
  • Trading and sales
  • Retail banking
  • Commercial banking
  • Payment and settlement
  • Agency services
  • Asset management
  • Retail brokerage

41
CRO
  • Projects management's reputation for integrity.
  • The value lies in exploiting the unknown rather than
    in perfecting the known.
  • Expected to give insights and assurance to exploit
    opportunities and sharpen competitive advantage.

42
IT General Controls
  • IT general controls address the control objectives
    that are the enablers of process- and application-level
    controls.
  • COBIT has defined about 200 control objectives, both
    application-specific and applicable throughout the
    organization.
  • Functional requirements drive the IT general controls.
    These in turn trigger application-specific controls,
    namely the key controls.

43
ITGC vs. Application Control
  • For example, a functional requirement may warrant the
    approval of a supervisor for posting a document worth
    more than 5,000. This is an internal control
    requirement.
  • To satisfy it, the IT general control may require that
    the initial request be sent to the supervisor
    automatically.
  • In turn, the application control may entail creating
    the roles, assigning the clerk and the supervisor to
    the appropriate roles, setting the workflow parameters,
    etc., and setting the key controls.

44
Process-Level Controls
  • Process-level controls are often synonymous with
    application controls.
  • The controls are performed by the applications that
    enable or support a process.
  • For example, automatic payment may be a feature of the
    payment process, but to perform it the user may require
    authorization: this is a case of access control
    embedded in the process.
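The approval threshold, role assignment and workflow parameters described on the last two slides can be expressed as a small maker-checker routine. The following is an added example written for this page, not code from the slides, COBIT or any bank's system; the 5,000 threshold, the role names and the users are assumptions. It shows the three application-level checks a practitioner would want: role-based authorization, the amount gate before posting, and segregation of duties so the maker can never be the checker, even when one person holds both roles.

```python
# Added example for this page (not code from the slides, COBIT or any bank):
# a maker-checker posting workflow that implements the slide's
# "supervisor approval above 5,000" requirement as an application control.
# The threshold, role names and users below are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

APPROVAL_THRESHOLD = 5000  # assumed: anything above this needs a supervisor

# Assumed role assignments: the "creation of the roles" step on the slide.
ROLES = {
    "alice": {"clerk"},
    "bob": {"supervisor"},
    "carol": {"clerk", "supervisor"},  # holds both roles; SoD must still hold
}


class ControlViolation(Exception):
    """Raised whenever an action would bypass a key control."""


@dataclass
class Document:
    doc_id: str
    amount: int
    created_by: str
    approved_by: Optional[str] = None
    posted: bool = False
    audit_trail: List[Tuple[str, str, str]] = field(default_factory=list)

    def log(self, actor: str, action: str) -> None:
        # Every control decision leaves a timestamped, attributable record.
        self.audit_trail.append((datetime.now(timezone.utc).isoformat(), actor, action))

    @property
    def needs_approval(self) -> bool:
        return self.amount > APPROVAL_THRESHOLD


def _require_role(user: str, role: str) -> None:
    if role not in ROLES.get(user, set()):
        raise ControlViolation(f"{user} does not hold role {role}")


def create_document(user: str, doc_id: str, amount: int) -> Document:
    """AC2-style input control: only a clerk may enter, and the amount is validated."""
    _require_role(user, "clerk")
    if amount <= 0:
        raise ControlViolation("amount must be positive")
    doc = Document(doc_id, amount, created_by=user)
    doc.log(user, "created")
    return doc


def approve_document(user: str, doc: Document) -> Document:
    """Supervisor approval; the maker can never be the checker."""
    _require_role(user, "supervisor")
    if user == doc.created_by:
        raise ControlViolation("segregation of duties: maker cannot approve own document")
    doc.approved_by = user
    doc.log(user, "approved")
    return doc


def post_document(user: str, doc: Document) -> Document:
    """The key control: posting is refused unless the approval gate is satisfied."""
    _require_role(user, "clerk")
    if doc.needs_approval and doc.approved_by is None:
        raise ControlViolation(f"{doc.doc_id} exceeds {APPROVAL_THRESHOLD} and is unapproved")
    doc.posted = True
    doc.log(user, "posted")
    return doc


def run_demo() -> dict:
    """Exercise the workflow on constructed documents; returns what each gate decided."""
    results = {}

    small = create_document("alice", "D1", 1200)
    post_document("alice", small)  # below threshold: no approval needed
    results["small_posted_without_approval"] = small.posted

    big = create_document("alice", "D2", 9000)
    try:
        post_document("alice", big)  # above threshold and unapproved: refused
        results["big_blocked_unapproved"] = False
    except ControlViolation:
        results["big_blocked_unapproved"] = True
    approve_document("bob", big)
    post_document("alice", big)
    results["big_posted_after_approval"] = big.posted
    results["big_trail_actions"] = [action for _, _, action in big.audit_trail]

    own = create_document("carol", "D3", 7500)
    try:
        approve_document("carol", own)  # carol is a supervisor, but also the maker
        results["self_approval_blocked"] = False
    except ControlViolation:
        results["self_approval_blocked"] = True
    return results


if __name__ == "__main__":
    for check, outcome in run_demo().items():
        print(f"{check}: {outcome}")
```

Note that the failed posting attempt on D2 leaves no "posted" entry in the trail, while the refusal itself would be logged by the calling application in a real system; the audit trail here records only control decisions that succeeded.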

45
COBIT and Application Control
  • For application controls, COBIT has defined a
    recommended set of six application control objectives.
  • They are identified by application control number
    (AC).

46
Application Controls
  • AC1 Source Data Preparation and Authorization: a
    segregation of duties (SoD) exercise.
  • AC2 Source Data Collection and Entry: ensure that data
    input is done by an authorized employee. For
    correction/resubmission the same levels of
    authorization should exist. The document should be
    retained for a defined time before archiving.
  • AC3 Accuracy, Completeness and Authenticity Checks:
    ensure that valid data are input and processed. Any
    correction should be authenticated by a competent
    authority.
  • AC4 Processing Integrity and Validity: data integrity
    throughout the life cycle of the processing.
  • AC5 Output Review, Reconciliation and Error Handling:
    error-free output.
  • AC6 Transaction Authentication and Integrity: maintain
    authenticity and integrity during transmission or
    transport.
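AC6 asks that a transaction stay authentic and intact in transit. The following added example (written for this page; not code from the slides or COBIT) shows one common way to meet that objective: the sender attaches a fresh nonce and an HMAC-SHA256 tag computed over a canonical encoding of the transaction, and the receiver recomputes the tag, compares it in constant time, and rejects any nonce it has already accepted. The shared key, the field names and the nonce scheme are assumptions; a real deployment would keep per-channel keys in an HSM or KMS and persist seen nonces with an expiry.

```python
# Added example for this page (not code from the slides or COBIT): protecting
# a transaction in transit with an HMAC so the receiver can detect tampering
# and replay, in the spirit of AC6. The shared key, message fields and nonce
# scheme are assumptions for the demo.
import hashlib
import hmac
import json
import secrets
from typing import Dict, Set, Tuple

SHARED_KEY = b"assumed-shared-secret-do-not-hardcode"  # assumed, demo only


def _canonical(body: dict) -> bytes:
    # Both sides must MAC exactly the same bytes, so the encoding is fixed:
    # sorted keys, no whitespace.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_transaction(tx: dict, key: bytes = SHARED_KEY) -> dict:
    """Sender side: attach a fresh nonce and an HMAC-SHA256 tag over the body."""
    body = dict(tx, nonce=secrets.token_hex(8))
    tag = hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()
    return {"body": body, "mac": tag}


class Verifier:
    """Receiver side: checks the tag in constant time and rejects reused nonces."""

    def __init__(self, key: bytes = SHARED_KEY) -> None:
        self.key = key
        self.seen_nonces: Set[str] = set()  # in production: persisted, with expiry

    def verify(self, msg: dict) -> Tuple[bool, str]:
        body = msg.get("body")
        if not isinstance(body, dict) or "nonce" not in body:
            return False, "malformed"
        expected = hmac.new(self.key, _canonical(body), hashlib.sha256).hexdigest()
        # compare_digest avoids leaking the tag through timing differences.
        if not hmac.compare_digest(expected, str(msg.get("mac", ""))):
            return False, "bad mac"
        if body["nonce"] in self.seen_nonces:
            return False, "replay"
        self.seen_nonces.add(body["nonce"])
        return True, "ok"


def run_demo() -> Dict[str, str]:
    """Constructed transaction: genuine delivery, tampered copy, replay, wrong key."""
    verifier = Verifier()
    msg = sign_transaction({"from": "ACC-001", "to": "ACC-042", "amount": 1200})
    outcomes: Dict[str, str] = {}
    outcomes["genuine"] = verifier.verify(msg)[1]

    # Attacker changes the amount in flight but cannot recompute the tag.
    tampered = {"body": dict(msg["body"], amount=99999), "mac": msg["mac"]}
    outcomes["tampered_amount"] = verifier.verify(tampered)[1]

    # Attacker resends the genuine message unchanged.
    outcomes["replayed"] = verifier.verify(msg)[1]

    # Attacker forges a whole message under a key of their own.
    forged = sign_transaction({"from": "ACC-001", "to": "ACC-666", "amount": 5}, key=b"attacker")
    outcomes["wrong_key"] = verifier.verify(forged)[1]
    return outcomes


if __name__ == "__main__":
    for case, result in run_demo().items():
        print(f"{case}: {result}")
```

The MAC is checked before the nonce so that an attacker cannot probe the replay cache with unauthenticated messages; and because the nonce is inside the MACed body, it cannot be swapped out without invalidating the tag.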

47
IT Controls: Some Thoughts
  • Application controls are closed-loop controls, meaning
    automatic. This saves time and cost, and improves the
    efficiency and efficacy of compliance.
  • From the audit perspective, application controls are
    cheaper and more effective than their manual siblings.
  • IT controls affect smaller and bigger companies in
    different ways.
  • The maturity of the organization influences the
    controls in a big way.
  • The higher the maturity, the better the controls.

48
How to Get the Maximum out of IT Controls?
  • IT controls should be repositioned as a performance
    improvement tool.
  • Clear-cut goals, aggressive but achievable targets, and
    well-defined SLAs and KPIs are all a good starting
    point.
  • Management should create a culture where best practices
    are pursued instinctively.
  • Audit should be repositioned as a partner who provides
    assurance that the controls are in fact performing as
    intended throughout the life cycle of the processes.

49
Key for Success
  • Documentation of the processes and procedures, and
    likewise of changes, their management and their
    communication.
  • A rogue culture kills TQM; learning lessons is
    important.
  • HR should work with the operating departments in
    bringing about a good culture.

50
Bifocal Approach
  • Managers tackle changes in the business and define the
    characteristics of the risks.
  • A bifocal approach is needed, in which controls are
    taken up both for subverting the risks and for
    improving performance in addressing the changed
    business needs.
  • IT controls enable this in a significant way.