Operational risk procedures to meet regulator requirements 2nd Annual Enterprise Wide Risk Forum Ams

1
Operational risk procedures to meet
regulator requirements2nd Annual Enterprise Wide
Risk ForumAmsterdam 2008-02-14

• Allan Palm
• SEB Group Operational Risk Control Centre

2
Agenda

• Risk self assessment examining approaches to
  assessing internal risks and driving a culture of
  operational risk into the business
• Building KRIs to highlight operational risk
  concerns what KRIs can be used
• Developments in operational risk mapping
• Handling of operational risks from a management
  perspective
• Summing-up

3
Driving a culture of operational risk into the
business

• Management commitment
• Common framework
• Usage of common tools for identifying risks
• Involvement of all staff
• open minded attitude
• promote reporting
• Show benefits for the organisation Whats in
  it for me
• Action plans and follow up

4
SEB Framework

• Operational risk policy
• SEB common framework for managing operational
  risks
• New product approval policy
• Policy to secure routines for new products and
  processes
• Operational risk management information system
• Information and reporting structure
• Operational risk forum
• Forum for the op. risk representatives in the
  divisions
• Rating of Units in the division that are
  allocated operational risk capital
• Yearly grading
• Capital allocation

5
Tools for identifying and managing operational
risks

• Self assessment
• Operational risk self assessment
• Rogue trading self assessment
• Incident management
• Key risk indicators
• New product approval procedure
• Business process analysis
• Audit findings
• Business continuity planning
• Employee attitude study
• Operational risk management information system

6
Operational risk self assessment ORSA

• Self assessment in order to identify high risk
  areas
• Entire business line represented
• 50 questions
• Financial impact probability risk level ?
  risk management
• Action plan

• Common risk areas are highlighted

High
Zone with balanced risks
Risk level
Low
High
Risk management
7
Rogue trading self assessment

• Specific focus on
• Segregation of duties
• Professional expertise
• Trading procedures, trade processing and
  operations
• Systems
• Valuation of positions
• Credit and market risk management
• Management reporting
• New product approval procedure

8
Incident management

• Reporting direct by staff in a global system
• Approval by immediate superior
• Showing measures taken
• Determining economic consequences
• Incident management committees in larger units
• Coordination with compliance

9
Operational Risk Management Information System
(ORMIS)

• Functions
• Results and action plans from self-assessments
  with sign off
• Incident reporting with mandatory sign-of from
  manager on each incident
• Key Risk Indicators
• Audit findings with sign off
• Internal control sign off by unit manager
• Reconciled accounts, business continuity test etc
  
• Policies and procedures distribution with sign of
• Customer opinions

10
ORMIS cont.

• Management reports function dashboard for lower
  level overview
• Confidential whistle-blower function for Security
  and HR matters
• Main event function
• A system failure incident will have any other
  incidents occurring due to this registered under
  the main event
• Identified risk function
• external events can be registered

11
Incidents per MonthExample
The number of registered incidents has been
around 800 since August. October peaked because
the X department in X registered ten times more
incidents then they have for any other month
before or after, indicating that the number of
incidents should probably been higher per month
during this autumn.
12
New Product Approval CommitteeNPAC

• All new or changed products, services and
  processes within SEB shall be approved by NPAC
• The aim is to clarify areas of responsibility and
  speed up the development process and improve
  documentation. The effect is a significant
  reduction of operational risks
• Committee members in the divisional NPAC are
  representatives from units in the process chain.
• Local NPAC at international sites. Decision needs
  to be confirmed by Global NPAC.
• The new product approval process is currently
  being reviewed. A proposal is expected before
  year end.

13
New Product Approval CommitteeNPAC cont.

• Management business decision must be taken prior
  to NPAC approval
• Cross SEB Group divisions launches needs to be
  secured
• Products approved by NPAC but not utilised
  (launched/traded) for the last twelve months must
  be brought to the committee for a new approval
• Products that require manual handling, shall have
  a limit of number of transactions with a follow
  up within six months
• Decisions taken outside ordinary meetings, due to
  time constraints, shall always be presented on
  the next NPAC.

14
Audit findings

• Close liaison with Audit
• Primary findings warning signals
• Follow up on action plans in audit reports
• Audit reports part of the overall operational
  risk evaluation

15
Business continuity planning

• Vital factor in customer and supervisory
  relations
• Contingency plans
• Redundancy sites
• Testing
• Group wide system
• Crisis management structure
• Crisis management teams
• Scenario training

16
Agenda

• Risk self assessment examining approaches to
  assessing internal risks and driving a culture of
  operational risk into the business
• Building KRIs to highlight operational risk
  concerns what KRIs can be used
• Developments in operational risk mapping
• Handling of operational risks from a management
  perspective
• Summing-up

17
Building KRIs to highlight operational risk
concerns

• Staff Related KRIs
• Staff Turnover
• Staff Sick Leave
• Staff Employment Tenure
• Staff Age Diversity
• Number of Overtime Hours
• Staff Holiday Regulation Compliance
• Number of Temporary Staff

• Incident Related KRIs
• Number of Incidents
• Number of Incidents with P/L Impact
• Total Value of Incidents with P/L Impact
• Other KRIs
• Audit remarks
• Status of contingency planning
• Interest claims

18
Finding relations between different KRIs.
19
Finding relations between different KRIs.
20
Gross Incident Value Example
21
Agenda

• Risk self assessment examining approaches to
  assessing internal risks and driving a culture of
  operational risk into the business
• Building KRIs to highlight operational risk
  concerns what KRIs can be used
• Developments in operational risk mapping
• Handling of operational risks from a management
  perspective
• Summing-up

22
Developments in process mappingSEB Way one
example

• Business process analysis
• focusing on
• Standardized processes
• Performance management
• Skill building
• Mindset and behaviour

23
Agenda

• Risk self assessment examining approaches to
  assessing internal risks and driving a culture of
  operational risk into the business
• Building KRIs to highlight operational risk
  concerns what KRIs can be used
• Developments in operational risk mapping
• Handling of operational risks from a management
  perspective
• Summing-up

24
Handling of operational risks from a management
perspective

• Build a culture in the organisation that promote
  operational risk management
• Make operational risk management a natural part
  of the business plan
• Focus on findings from tools used
• Take action on identified risks
• Yearly internal rating of units

25
Rating of Units. Factors affecting the grade and
op risk capital. Test model used in one division.
ORSA
KRI
A grade between 1 and 7 is set for operational
risk management 1 (flawless) 2
3 4 5 6 7 (non-existing)
Effect on capital 1 51 2 68
3 83 4 100 5 133 6 161 7
214
Incidents
NPAC
Gives
Internal Audit
Organisational Changes
Policies Procedures
Growth/New Business
Business contingency plans
Other
26
Agenda

• Risk self assessment examining approaches to
  assessing internal risks and driving a culture of
  operational risk into the business
• Building KRIs to highlight operational risk
  concerns what KRIs can be used
• Developments in operational risk mapping
• Handling of operational risks from a management
  perspective
• Summing-up

27
Summing-upAdvanced Measurement Approach
Expected outcome

• Fewer and less severe incidents and losses
• Increased quality in product offerings leading to
  increased customer satisfaction
• Improved processes
• More efficient
• Fewer deviations
• Improved change management in processes
• Reduced regulatory capital for operational risk
• Increased confidence in the market
• Over time contributing to a better rating

28
Contact information

• Allan Palm
• Head Group Operational Risk Control Centre
• SEB
• SE 106 40 Stockholm
• 46 8 7639041
• 46 8 707639041
• allan.palm_at_seb.se