Risk Management Tools and Techniques
Operational Risk Framework
• The requirement to manage risk recurs throughout global and
national regulations and is the bedrock of successful
operational risk management. A set of tools exists to support
it.
• In addition to putting these tools in place, a robust
operational risk framework must look at all types of
operational risk.
(We know that there are seven main categories of operational
risk as defined by Basel II.)
Risk Management Tools
I. Loss data collection programs
II. Risk and controls self-assessments
III. Scenario analysis activities
IV. Key risk indicators
V. Reporting
Loss data collection programs
The aim is to collect all types of loss data. An incident
might involve more than one loss event, such
as a flammable liquid spill (first loss event)
followed by ignition of a flash fire and pool fire
(second loss event) that heats up an adjacent
vessel and its contents to the point of rupture
(third loss event).
Risk and control self assessment
• Risk and control self assessment (RCSA) is a
process through which operational risks and
the effectiveness of controls are assessed and
examined. The objective is to provide
reasonable assurance that all business
objectives will be met.
Scenario analysis Activities
“Scenario analysis under the advanced
approaches rule is a systematic process of
obtaining expert opinions from
business managers and risk
management experts to derive reasoned
assessments of the likelihood and loss impact
of plausible, high-severity operational losses.”
Key risk indicators
• In an operational risk context a risk
indicator (commonly known as a key risk indicator or
KRI) is a metric that provides information on the level
of exposure to a given operational risk which the
organization has at a particular point in time.
• Key Risk Indicators (KRIs) are critical predictors of
unfavorable events that can adversely impact
organizations.
• They monitor changes in the levels of risk exposure
and contribute to the early warning signs that enable
organizations to report risks, prevent crises and
mitigate them in time.
Risk reporting
• Risk reporting establishes a comprehensive risk
reporting system that is aligned with other organizational
performance management structures and processes.
• It reports on the strategic and financial impact of risks
and ensures that risk reporting systems operate efficiently.
• Risk reports are a way of communicating project and
business risks to the people who need to know.
We explain four different types of risk reporting that
enable teams to communicate risk to the right people at
the right time.
Risk Management Techniques
1. Identifying operational risks.
2. Assessing the size of operational risks.
3. Monitoring and controlling operational risks.
4. Mitigating operational risks.
5. Calculating capital to protect you from operational
risk losses.
Identifying
• The identification procedure should be comprehensive and
cover enterprise-wide operational risk from business
activities, products, and other sources.
• Business activities are granting credit, accepting deposits,
borrowing funds, purchasing securities, issuing credit cards,
transferring funds, providing custodial services, and providing
agency services.
• Products are service delivery instruments through which
activities are carried out, and are of different types like
deposit and credit products, bill purchase and discount
products, financial guarantee and commitment products, and
credit .
Assessing
• An operation risk assessment, also known as an operational
risk assessment, is simply a tool or process used to identify
risks and benefits and then determine the best course of action
in any given situation.
• As with risk management, conducting an operational risk
assessment should be done at all levels of the planning
process of a project, not when circumstances or events
arise.
• This is the very purpose of risk management – to identify
and prevent problems from occurring.
Steps to Assess
• Identify – this simply means to identify the potential risks that
could or will occur.
• Assess – this is to assess the risks, by using risk qualification.
• Analyze – discover ways in which to prevent or reduce the risk.
• Make Decisions – after analyzing ways to prevent or reduce the
risk, make the decision to choose which way is best.
• Implement – after making a decision, the project manager or group
then decides how to go about implementing the solution to
the risk.
• Review – this is where constant review must happen, in order to
ensure that the chosen solution is working and will continue to do
so.
Monitoring and controlling
• Risk indicators are a broad category of measures
used to monitor the activities and status of the
control environment of a particular business area for
a given operational risk category.
• While typical control assessment processes occur
only periodically, risk indicators can be measured as
often as daily.
Mitigate
7-Step Approach to Mitigate Operational Risk
Step One – Task segregation.
Step Two – Curtailing complexities in business processes.
Step Three – Reinforcing organizational ethics.
Step Four – The right people for the right job.
Step Five – Monitoring and evaluations at regular intervals.
Step Six – Periodic risk assessment.
Step Seven – Look back and learn.
Calculating capital
• In the context of operational risk, the standardized approach or
standardised approach is a set of operational risk measurement
techniques proposed under Basel II capital adequacy rules for
banking institutions. Basel II requires all banking institutions to set
aside capital for operational risk.
• Banks using the Basic Indicator Approach hold operational risk
capital equal to the average, over the previous three years, of a fixed
percentage (15%, known as the Alpha Multiplier) of annual gross
income. Only positive annual gross income is used. If there is
negative gross income, it is excluded from the calculation.
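A worked version of the Basic Indicator Approach calculation, added here as an example (it is not part of the original slides). It shows why a loss year must be dropped from the count as well as from the sum; the gross income figures are constructed, and the exclusion of zero-income years follows the Basel II text rather than the slide.

```python
from decimal import Decimal

ALPHA = Decimal("0.15")  # fixed percentage (alpha multiplier) from the slide


def bia_capital(gross_income, alpha=ALPHA):
    """Basic Indicator Approach capital from three years of annual gross income.

    A year with negative gross income is excluded from BOTH the sum and the
    number of years averaged over. Zero-income years are excluded as well
    (Basel II wording; the slide mentions only negative years).
    """
    if len(gross_income) != 3:
        raise ValueError("expected gross income for exactly three years")
    positive = [Decimal(str(gi)) for gi in gross_income if gi > 0]
    if not positive:
        # No positive year: the formula is undefined. Raising here is an
        # assumption of this example, not something the slides specify.
        raise ValueError("no year with positive gross income")
    return alpha * sum(positive) / len(positive)


def naive_capital(gross_income, alpha=ALPHA):
    """Common mistake: zero out the loss year but still divide by three."""
    positive = [Decimal(str(gi)) for gi in gross_income if gi > 0]
    return alpha * sum(positive) / 3


if __name__ == "__main__":
    years = [120, -40, 90]  # constructed figures, in millions
    print("BIA capital:  ", bia_capital(years))    # averages two years
    print("naive result: ", naive_capital(years))  # understates the charge
```

With one loss year in the window, dividing by three instead of two understates the capital requirement by a third.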
Governance, Risk, and Compliance (GRC)
• As the operational risk framework has matured,
the overlaps, duplications, and opportunities for
leveraging have become more and more clear.
• There is strong movement toward integrating all
operational risk–related activities, and this is
often referred to as governance, risk, and
compliance (GRC) or convergence.
– For example, integration of operational risk with
business continuity planning, information security,
compliance desk reviews, legal event tracking, audit
reports, and Sarbanes-Oxley assessments.
Assessment Convergence
• Avoids assessment fatigue and duplication.
• Mapping existing assessment activity.
A Nonconverged Approach to Risk Assessment
Using RCSA to Leverage Underlying Assessments
Simplified Communication Model with Expanded RCSA
Converged Assessment Data
• Leveraging and sharing of assessment data can happen only if the data can
be shared among the assessments.
• “Golden Source”:
– Central repository for data that can be used by all parties.
• Assessment taxonomies:
– Common source or Rosetta Stone approach.
– Assistance can be found in the form of straw man taxonomies for each area.
– Risk, control, process, hierarchy taxonomies.
– Mapping can produce additional benefits:
• For example, map expected risks in a process.
• For example, map expected controls for a risk.
– Supports completeness of RCSA:
• Which part of the organization hierarchy is being assessed?
• Which processes exist in this area?
• Which risks are associated with those processes?
• What are the expected controls for those risks?
• Have any underlying assessments already assessed those risks and controls?
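The completeness questions above can be answered mechanically once the taxonomies are mapped. The following is an added example, not part of the original slides: it walks hierarchy, process, risk and expected control, and separates what an underlying assessment has already covered from what the RCSA still has to assess. All unit, process, risk, control and assessment names are constructed for illustration.

```python
# Constructed sample taxonomies; every name below is hypothetical.
PROCESSES_BY_UNIT = {
    "Retail Payments": ["funds transfer", "card issuance", "cash handling"],
}
RISKS_BY_PROCESS = {  # "cash handling" is deliberately left unmapped
    "funds transfer": ["external fraud", "execution error"],
    "card issuance": ["external fraud"],
}
EXPECTED_CONTROLS = {
    "external fraud": ["transaction monitoring", "dual authorisation"],
    "execution error": ["reconciliation"],
}
# Underlying assessments already performed: (source, process, risk, control)
UNDERLYING = [
    ("internal audit", "funds transfer", "external fraud", "dual authorisation"),
    ("SOX assessment", "funds transfer", "execution error", "reconciliation"),
    ("information security review", "card issuance", "external fraud",
     "transaction monitoring"),
]


def rcsa_worklist(unit):
    """Return (reuse, assess, unmapped) for one part of the hierarchy."""
    covered = {}
    for source, process, risk, control in UNDERLYING:
        covered.setdefault((process, risk, control), []).append(source)

    reuse, assess, unmapped = [], [], []
    for process in PROCESSES_BY_UNIT.get(unit, []):
        risks = RISKS_BY_PROCESS.get(process, [])
        if not risks:
            unmapped.append(process)  # taxonomy gap: no risks mapped
        for risk in risks:
            controls = EXPECTED_CONTROLS.get(risk, [])
            if not controls:
                unmapped.append(f"{process} / {risk}")  # no expected controls
            for control in controls:
                key = (process, risk, control)
                if key in covered:
                    reuse.append((key, covered[key]))  # leverage prior work
                else:
                    assess.append(key)  # RCSA must assess this itself
    return reuse, assess, unmapped


if __name__ == "__main__":
    reuse, assess, unmapped = rcsa_worklist("Retail Payments")
    print("reuse:", reuse)
    print("assess:", assess)
    print("unmapped:", unmapped)
```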
Converged Assessment Tools
Convergence of Metrics
• There are many advantages to such a centralized metrics data approach:
– Consistent data quality standards can be applied.
– Consistent metrics reporting is ensured.
– “Golden sources” of data can be identified.
– Duplicate sources of data can be eliminated.
– Only one connection or “pipe” is needed to each source of data.
– Efficiency savings.
– Best practices are leveraged.
Converged or GRC Reporting
• In addition to having assessment and metrics data
mapped to standard taxonomies and held in
centralized data repositories, many firms are now
looking at taking the same approach to their event data
and their action tracking processes.
• For example:
– All operational risk loss events, all audit items, and all
regulatory exam results could be housed in one database.
– By housing all of these items in one location, mapped
against standard taxonomies, it is now possible to also
house all related action tracking in one location.
– This fully integrated approach is referred to as a
governance, risk, and compliance (GRC) approach.
GRC Tools
• Software firms offer off-the-shelf and configurable tools
that promise to do some or all of the following:
– Provide workflow for many different assessments.
– Manage the capture and storage of loss event data.
– Manage the capture and storage of audit items.
– Manage the capture and storage of compliance items.
– Manage SOX processes and sign-off.
– Warehouse metrics for all operational risk–related functions.
– Provide taxonomy warehouses for process, risk, control,
organizational hierarchies, and products.
– Support matrixed relationships between taxonomies.
– Provide all underlying data in dashboard and hard-copy
reporting.
Key Points
• Convergence or governance, risk, and compliance (GRC) are terms
used to describe an integrated approach to managing operational
risk activities and related activities across the firm.
• Assessment integration can lessen the assessment burden on a
firm.
• Metrics convergence can result in higher-quality data practices and
lessen the data request burdens on the firm.
• GRC reporting allows for powerful operational risk management
reporting, including dashboard and management information
systems that facilitate proactive operational risk management
questions.
• Successful convergence requires the development and
implementation of standard taxonomies for process, risk, control,
and organizational hierarchy. Product taxonomies are also
important in many cases.