What is Operational Risk?

Transcription

1 Operational Risk Management DeMP Workshop with E St. Kitts & Nevis March 18-20, 2009 What is Operational Risk? Traditional View Market Risk IR & FX redit Risk Operational Risk Everything Else asel II Definition: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. 1

2 Sources of Operational Risk Processes People Sytems Internal Fraudulent ctivities Operational Risk in Execution Policies and Guidelines External Natural Disasters/ Terrorist ttacks Laws and Regulations utomated vs Manual Processes utomated Processes PROS Reduce opportunities for human error Fast Less need for staff (Free staff to do other things) ONS Fewer opportunities for detective controls Heavy reliance on having right systems/system security Greater Systemic Risk OMPUTER LETS YOU MKE MORE MISTKE FSTER THN NY INVENTION IN HUMN HISTORY - Mitch Ratliffe 2

3 Systems dequate and well functioning systems are at the core of a good control environment High level of dependence on spreadsheets outside of core systems introduces high level of risk Inability to trace and track the history of changes Restricting access to spreadsheets Selecting a Debt System: Develop in-house or purchase one off-the-shelf? Systems apacity Planning Hardware and software selection should be considered during growth projections Over/under utilization Scalability 3

4 People - Staffing Related Risks Staff person is unusually bad. Mitigated by: Existence of clear written procedures Two-person sign-offs for important functions Mentoring and regular training Staff person is unusually good Key Person Risk: dependence and repository of institutional memory Mitigated by: Encouraging key people to record processes/past experiences in writing in accessible form Working in teams People - Internal Fraud Internal Fraud Generally for direct financial gain (embezzlement) or to cover losses Nick Leeson arings ank ase Other reasons Royal ank of Scotland ase: GP 21 million fraud at Royal ank of Scotland in 2006 employee created 1,400 false accounts to be named business manager of the year. Defenses gainst Internal Fraud Restricting access to information and systems to need to know staff Segregation of duties Requiring two-person sign-offs Proper audit trail Required 2 week leave policies (NSD, JSD) Establish culture where staff feel comfortable reporting errors 4

5 External Fraud External Fraud ccess of systems/corruption of system by external parties: robbery, computer hacking ollusion of staff with external parties: bribery Fraud by dealers or other market intermediaries Defenses gainst External Fraud uild adequate security and controls in the financial systems that interfaces with external vendors or counterparties uild awareness among staff of the importance of safeguarding the institutions' systems (no downloading of programs on external sites) External Events Damage to Physical ssets Terrorism, Vandalism, Earthquakes, Fires, Hurricanes, Floods, etc Systems Failures Hardware and Software Failures, Telecommunication Problems May be Low Probability but Very High Severity Events Need usiness ontinuity Plans lternative Work Sites ack-up Systems Ensure that Key Market ounterparties also have such plans in place 5

6 World ank HQ Position Legal & Regulatory Environment pproval by Local Securities Regulator ( Registration ) On-going disclosure Requirements nti-fraud Provisions 6

7 nti-fraud Provisions Liability (penal/civil) for materially false statements or omissions Meaning: information that would influence a reasonable investor s decision to purchase or sell the security. INTERNL PROEDURES RE KEY The DeMP scoring methodology emphasizes Debt administration and data security (DPI 12) Segregation of duties, staff capacity, and business continuity (DPI 13) 14 7

8 Debt dministration and Data Security Dim1 Procedures manual for processing debt service Updated every 2 Years Electronic Payment Orders STP Payment Systems DeM Entity Procedures manual for debt recording and validation Independent confirmation of data conducted annually External reditors Major Investors Dim2 Updated every 2 years 15 Debt dministration and Data Security Dim3 Procedures for accessing debt and payment systems Updated when staff changes occur udit Trails of System ccess DeM Entity Daily data back-ups Monthly data back-ups Dim4 Secure Fireproof Location Weekly data back-ups 16 8

9 Segregation of Duties, Staff apacity, and usiness ontinuity Dedicated compliance monitoring staff Risk Monitoring and ompliance Unit Dim1 Payments ccounting reditors Market One compliance monitoring staff Payment and ccounting Staff Debt Recordin g System Negotiating and ontracting Staff DeM Entity Data Entry and hecking Staff 17 Segregation of Duties, Staff apacity, and usiness ontinuity Dim2 ode-of-conduct and conflict-ofinterest guidelines Job descriptions DeM Entity Training and development plans, plus yearly performance assessments DR/ plan Dim3 Tested in past 3 years Recovery Site nnual testing Operational risk management procedures 18 9

10 Thank you! World ank 19 10