Crisis Management and Operational Risk Management, Christoph Stute, Guatemala, 28-29 March 2012
Crisis Management, Christoph Stute, Guatemala, 28-29 March 2012
Definition: the Bundesbank's methodology of ORM, crisis management and BCM

ERM / Operational Risk Management
- ERM is the overall process for early identification, handling and monitoring of risks
- ERM includes business risks and OR
- ERM gives an overview of all risks and helps to decide which risks are acceptable and which are not (risk tolerance / risk appetite)
- ERM/ORM has a preventive character
- Focus: risks emerging from conducting the business

Crisis Management
- CM is the ability of an organisation to respond to any crisis situation in a predefined way
- CM includes a tool box with organisational and technical utilities to support management (BCP is one of the tools)
- CM has a mainly reactive character

Business Continuity Management
- BCM identifies potential threats to an organisation and the impacts on its most critical functions
- BCM includes BCPs that put an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way
- BCM has a mainly reactive character
- Focus: risks that endanger the object of a company
crisis management 3
Differentiation: crisis management vs. risk management
- Risk management: supervision and prevention in day-to-day business
- Crisis and business continuity management: managing crises and keeping the operational business running in exceptional circumstances; quick decisions and reaction under pressure
Crisis definition at the Bundesbank
The term "crisis" is understood to mean any unusual incident which has a significant (potential or acute) negative impact on
- the health and safety of the Bundesbank staff and its guests,
- the execution of the Bundesbank's tasks,
- its material assets,
- its integrity and/or reputation.
Every crisis is unique; its cause and course are unpredictable, and consequently specific plans cannot be made. An individual, flexible and rapid response is required.
(Potential) causes of a crisis
- long-term breakdown of information technology
- long-term electrical power outage
- fire
- epidemic (e.g. avian flu, swine flu, seasonal flu)
- natural disaster (e.g. flooding)
- armed robbery (with hostage-taking and/or harm to persons)
- media crisis
- terrorist attack
CM folder (illustration)
The Bundesbank's CM concept

Crisis prevention
- Early recognition of crises: incident register, situation report
- Basis for rapid and systematic response: contingency planning, BCP, trained staff

Crisis management
- Safeguarding the Bundesbank's decision-making function through a central crisis management team at top management level
- Overcoming the crisis incident through (immediate) operational measures by the contingency team, BCP team, police, ...

Crisis review
- Gathering experience from the crisis and making use of it through systematic documentation of the crisis management, crisis follow-up and review of the existing plans (as required)
Roles and responsibilities
- Declaration of crisis: Executive Board or (if not capable of acting) the Executive Board member for controlling & organisation
- Suspension of crisis: Board
- Head of CMT: Board member for controlling & organisation
- CMT: senior managers (core team: controlling & organisation, IT, administration, communication, head of CM secretariat)
Crisis management team

Core CMT
- Head of the CMT (President or Executive Board member for controlling)
- CMT coordinator
- Head of Controlling
- Head of IT
- Head of Administration and Premises
- Head of Crisis Communication
- Head of Crisis Management Secretariat

Extended CMT (as required)
- Head of Personnel
- Head of Legal Department
- Heads of Cash, Markets, Payment Systems

The CMT decides on all measures necessary to overcome crises; the operational-technical level prepares the decisions. At least 5 substitutes per function.
Support teams
- Crisis management secretariat: assists the CMT (file managers, telecommunications services, minute keepers, secretarial staff)
- Contingency/BCP teams: implement the CMT's and the BCP's resolutions as well as emergency measures (Vb, IT, H, C, M, Z); urgent measures
- Crisis communication team (Communication Department): operational implementation of crisis communication
- Local contacts: implement the CMT's resolutions as well as emergency measures throughout Germany
Crisis management in practice

Crisis management concept, with detailed concepts for:
a. organisational structure
b. procedures
c. location planning
d. telecommunication
e. crisis communication
f. documentation
g. training
h. CM regional head offices
i. CM branches

CM folder (guidance for CM, held by every CMT member): contact data, diagrams & location plans, checklists and templates
Procedures in case of a crisis
- Identification of an incident (staff, sensor, security team etc.)
- Information of the security team
- Information of the head of the crisis secretariat
- Information of the head of the CMT
- Alerting: urgent/emergency measures (police, fire brigade, ambulance); information of the business areas (BCP teams, Administration, IT)
- Alerting the CMT and the secretariat
Tasks of the crisis secretariat
- Collect information from media, phone calls, email, fax etc.
- Assess this information regarding priority and responsibility
- Compile a current situation report for the CMT
- Write minutes of the CMT meetings
- Provide the CMT with information for decision making, food and drink etc.
Tasks of the CMT
- Working phase of the CMT: explore proposals; ensure the decisions are carried out
- CMT meetings: presentation; decision making on the proposals by the head of the CMT
Procedure: the crisis management team process (diagram; text recovered from the German original)

Lanes: decision level (at the staff meeting), operational-technical level, communication steering, crisis staff secretariat. Timeline: working phases (ca. 45-60 min) alternate with staff meetings (ca. 10-15 min).
- Working phase (operational-technical level): first time: drawing up the situation picture and, if necessary, initiating immediate measures; drawing up proposals for measures and communication proposals; extension of the crisis staff / emergency teams?; checking the measures carried out; initiating/implementing the resolutions of the staff meeting.
- Staff meeting (decision level): first time: presentation of the situation picture; presentation of draft resolutions and communication drafts (and, if necessary, extension of the crisis staff); decision on the above points by the decision level; agreement on the further procedure and the date of the next staff meeting.
- Crisis staff secretariat (throughout): creating and updating the situation picture, (secretarial) tasks, documentation, control of reporting, minute keeping, ensuring communication; preparation/approval/dispatch of the minutes of the staff meeting.
Basic conditions for the CMT
- One decision maker: the head of the CMT
- Five representatives for every CMT role
- Alerting system
- Arranged rooms for working and meetings
- Crisis hotlines
- Functional email addresses
Locations of the CMT
- Head office: primary premise of the head office (main building) or the situation room under the guest house
- Regional head office Frankfurt: second site, if the head office is no longer available or is endangered
- HV Mainz or, depending on the situation, HV Berlin: third and fourth site, if the Frankfurt region is no longer available or is endangered
Locations of the CMT II
- In all locations a meeting room, a working room, a secretary room and, if needed, more rooms are prepared
- The rooms are used in daily business, so computers and equipment are up to date
- All locations are provided with the same means (posters, forms, USB sticks, mobile phones etc.)
Alerting system
- Definition of: who alarms, who is to be alarmed, what is to be told/asked during the alarming call
- First the secretariat is alarmed, then the CMT
- If the first representative of a CMT function is not available or cannot reach the CM rooms within one hour, the next of the 5 substitutes for that function is called
- Representatives of a function that are currently not in the CMT can replace their colleagues if the crisis lasts longer than 6 or 8 hours
Crisis communication I
- The Bundesbank communicates with the media, staff and their related parties in a crisis
- The aims of crisis communication are: satisfying the general public's right to information; strengthening credibility, confidence and acceptance; preventing damaging rumours and speculation
- Crisis communication concept by the PR department
Crisis communication II
- Crisis communication should be proactive, to positively influence public opinion and to avoid being forced onto the defensive
- Speak with one voice; avoid dissent
- The head of the CMT is responsible for crisis communication, but one representative of the communication department sits in the CMT
Exercises / incidents in the past I
- Sept 07, exercise: bomb explosion in Bundesbank buildings
- Nov 07, exercise: LÜKEX, worldwide influenza pandemic
- Oct 08, incident: financial crisis
- Oct 08, incident: coin contamination (ill staff)
- Mar 09, exercise: alert exercise
- May 09, exercise: Mainz, coffee contamination (death of staff)
- Aug 09, incident: pandemic
- Oct 09, exercise: Hannover, hostage taking in a branch
- Jan 10, exercise: LÜKEX, worldwide threat by Islamic terrorism
- May 10, exercise: München, mass demonstration with conflicts
- May 10, incident: short power outage in a branch
Exercises / incidents in the past II
- Sept 10, incident: one-day IT breakdown
- Oct 10, exercise: Düsseldorf, flood water and accident of a BBK cash transport
- March 11, incident: earthquake in Japan, representation closed
- April 11, exercise: Berlin, offices for another ministry, leak of personal data
- Sept 11, exercise: Frankfurt, air-conditioning system fell onto the building
- Aug 11, incident: hurricane warning NY
- Sept 11, incident: DDoS attack on the Bundesbank website
Reasons for regular exercises
- Apply the existing CM structures and procedures
- Train CM team work by using the available means
- Train the alert system
- Check the crisis communications
- Sensitise the CM team members
- Recognise weaknesses of the CM concept
Operational Risk Management, Christoph Stute, Guatemala, 28-29 March 2012
Definition: the Bundesbank's methodology of ORM, crisis management and BCM

Operational Risk Management
- ORM is the overall process for early identification, handling and monitoring of risks
- ORM includes business risks and OR
- ORM gives an overview of all risks and helps to decide which risks are acceptable and which are not (risk tolerance / risk appetite)
- ORM has a preventive character
- Focus: risks emerging from conducting the business

Crisis Management
- CM is the ability of an organisation to respond to any crisis situation in a predefined way
- CM includes a tool box with organisational and technical utilities to support management (BCP is one of these tools)
- CM has a mainly reactive character

Business Continuity Management
- BCM identifies potential threats to an organisation and the impacts on its most critical functions
- BCM puts an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way
- BCM has a mainly reactive character
- Focus: risks that endanger the object of a company
Definition: risk management
Risk management is a logical and systematic method of identifying, analysing, treating and monitoring risks.

Risk management system:
- Early identification of risks
- Handling of risks
- Monitoring of risks
- Identification of risks
- Evaluation of risks
- Communication of risks
- Controls
- Internal audit
Definitions
- Risk = adverse variance from a reference figure
- Operational risk = the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events
- Transversal risk = risk which can occur cross-functionally and affect several business areas
Definitions: transversal risks, some examples
- risks related to corruption
- risks related to compliance
- risks related to data protection
- risks related to general/physical security
- risks related to money laundering
- risks related to IT
- risks related to employees
- risks related to media/public relations
Definitions
- Inherent risk = risk situation without taking any treatment measures into consideration
- Residual risk = risk situation considering the implemented treatment measures
Factors of influence (for example, reasons to review the RM set-up)
- financial impact
- reputational impact
- damage to persons
- crisis 2004
- recommendations of internal & external auditors
- legal background
The framework
- Implementation after approval by the Board in March 2006; published to the staff via the intranet

Contents:
- Aims and structure of the framework
- Legal background
- Definitions
- Aims and functions of risk management
- Risk culture
- Expertise and responsibilities
- Risk structure
- Risk management process: early identification of risks, identification of risks, risk evaluation, communication of risks, handling of risks, monitoring of risks
Governance structure of the Bundesbank (overview)
- Internal Audit
- IT Department
- ERM Office; Security and Crisis Management
- Office for Risk Control
Governance structure of the Bundesbank: responsibilities
The Executive Board
- has the overall responsibility for the management of risks
- is basically responsible for decision making
- approves a risk tolerance policy and residual risks in a specific risk zone
- is the receiver of aggregated risk reports
Governance structure of the Bundesbank: business areas
- The business areas are responsible, according to their tasks, across the whole Bundesbank (decentralisation).
- The heads of departments are responsible for the identification, assessment and mitigation of their own risks. They have an informal relationship with the risk management office.
- In some areas, such as the risk management of foreign reserves and other portfolios, IT security and general security, related tasks are performed by central work units.
Governance structure of the Bundesbank: Office for Risk Control (Area V, Department Financial Stability)
This unit deals with market risks such as currency risks, interest rate risks, counterparty risks and liquidity risks. It is responsible for the risk management of foreign reserves and other portfolios.
Governance structure of the Bundesbank: IT Security Management (Area VI, Department Information Technology)
IT Security Management supports the Board and the business areas in questions concerning IT security and is responsible for the design and maintenance of firewalls, the evaluation of information from the proxy server, and the maintenance and enhancement of IT security concepts.
Governance structure of the Bundesbank: Division Organisation (Area III)
The Division Organisation is part of the Department Controlling, Accounting and Organisation. It comprises the ERM Office and Security and Crisis Management.
Governance structure of the Bundesbank: Division Organisation, ERM Office
In the context of risk management, the ERM Office is responsible for the maintenance and enhancement of the risk management framework, the methodology, documentation and coordination. In that context the reports of the business areas are summarised, the results of risk assessments are checked, analyses are conducted and an annual report is drawn up.
Governance structure of the Bundesbank: Division Organisation, C 35 Security and Crisis Management
- Topic centre for questions concerning general security
- Design and maintenance of the security framework
- Business continuity planning, crisis management
Governance structure of the Bundesbank: Internal Audit (Area II, Department Audit)
Internal Audit reports directly to one of the Board members of the Deutsche Bundesbank. As an independent entity it is not involved in the working processes.
Risk structure

Loss categories: reputational loss, financial loss, damage to persons

Business risks
- Currency risks
- Interest rate risks
- Counterparty risks
- Liquidity risks
- Gold price risks

Operational risks
- Employee risks: human failures, incorrect conduct, misallocation of staff, inadequate qualification of staff
- Technical risks: IT risks, critical infrastructure, primary maintenance risks
- External risks: dependencies on third parties, negative press coverage, legal risks, natural risks, general security risks
Risk management process, 1. Identification of risks
- Task of the business areas
- Identification should be output-oriented with regard to the underlying task
- Root causes also have to be identified and documented
- Helpful information can be gathered from: audit reports (internal as well as external), test reports (IT systems), incident databases
Risk management process, 2. Risk assessment
As a basic principle, a risk at the Deutsche Bundesbank can result in the following three categories of losses:
- Financial loss
- Damage to persons
- Reputational loss
Each of these categories is evaluated for each risk, partly in a qualitative and partly in a quantitative way.

Risk (event) = Probability of loss occurring (event) x Impact (event)
Risk assessment grading scales: risk likelihood grading scale

Likelihood level      Frequency of loss events
5 - Almost certain    Every year or more
4 - Likely            Once every 1-2 years
3 - Possible          Once every 2-5 years
2 - Unlikely          Once every 5-10 years
1 - Rare              Less than once every 10 years

If there are no observable events, qualitative criteria (fraud- and attack-oriented) are used, each graded between the endpoints shown:
- Motivation: personal gain ... attracting attention ("making a point")
- Skills & knowledge: basic skills sufficient, knowledge not necessary ...
- Collaboration
- Traceability
- Time and cost: < 1 day, < EUR 100 ... > 1 year, > EUR 100 000
Risk assessment grading scales: impact (financial impact and personal injuries)

Level        Financial impact (EUR)         Personal injuries
Very high    10,000,001 - 25,000,000 *      Numerous deaths
High         1,000,001 - 10,000,000         Individual deaths
Medium       100,001 - 1,000,000            Life-threatening injuries
Low          10,001 - 100,000               Major injuries
Negligible   1 - 10,000                     Minor injuries
Risk assessment grading scales: reputational impact

Level        Definition
Very high    The occurrence of an event can endanger the Bank's security for a lengthy period or cause critical damage to its interests. Examples: criminal proceedings against individual members of the Bundesbank's governing bodies
High         The occurrence of an event can endanger the Bank's security or cause major damage to its interests. Examples: (not recovered)
Medium / low / negligible   Only one definition is recovered for the lower levels: the occurrence of an event can be of disadvantage to the Bank's interests. Examples: (not recovered)
Risk tolerance policy (matrix)
- Rows, likelihood of loss occurring: rare, unlikely, possible, likely, almost certain
- Columns, impact on overall loss: negligible, low, medium, high, very high
(The cells of the matrix are not reproduced in the text of this slide.)
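A worked scoring of the assessment method on these slides (likelihood level times impact level on the grading scales above, and inherent versus residual risk), written here as an added Python example and not a Bundesbank tool. Two things are assumptions: a risk's impact is the highest of its three loss categories, and the risk-zone thresholds in tolerance() are constructed placeholders, since the slides show the matrix axes but not its cells.

```python
# Worked risk scoring on the grading scales above (added example, not a Bundesbank tool).
# Assumptions: a risk's impact is the highest of its three loss categories, and the
# risk zones in tolerance() are constructed placeholders (the slides show only the axes).
from dataclasses import dataclass, replace
# Likelihood scale: (max mean interval between loss events in years, level);
# 5 = every year or more ... 1 = less than once every 10 years.
LIKELIHOOD_BANDS = [(1.0, 5), (2.0, 4), (5.0, 3), (10.0, 2)]
# Financial impact bands in EUR: (inclusive upper bound, level).
FINANCIAL_BANDS = [(10_000, 1), (100_000, 2), (1_000_000, 3),
                   (10_000_000, 4), (25_000_000, 5)]
# Personal-injury column of the same impact table; "none" is our addition.
INJURY_LEVELS = {"none": 0, "minor injuries": 1, "major injuries": 2,
                 "life-threatening injuries": 3, "individual deaths": 4,
                 "numerous deaths": 5}

def likelihood_level(interval_years: float) -> int:
    """Map the mean interval between loss events (years) to a level 1..5."""
    if interval_years <= 0:
        raise ValueError("interval must be positive")
    for max_interval, level in LIKELIHOOD_BANDS:
        if interval_years <= max_interval:
            return level
    return 1  # rarer than once in 10 years

def financial_level(loss_eur: float) -> int:
    """Map the expected loss per event in EUR to an impact level 0..5."""
    if loss_eur <= 0:
        return 0
    for upper, level in FINANCIAL_BANDS:
        if loss_eur <= upper:
            return level
    return 5  # above the top band, which the slide only marks with an asterisk

@dataclass(frozen=True)
class Risk:
    name: str
    interval_years: float  # mean time between loss events
    loss_eur: float        # financial loss per event
    injury: str            # key of INJURY_LEVELS
    reputational: int      # 0..5, graded qualitatively on the reputational scale
    def impact_level(self) -> int:
        return max(financial_level(self.loss_eur),
                   INJURY_LEVELS[self.injury], self.reputational)

    def score(self) -> int:  # Risk = likelihood level x impact level, 0..25
        return likelihood_level(self.interval_years) * self.impact_level()

def tolerance(score: int) -> str:
    """Constructed risk zones; the Board approves residual risks in the top zone."""
    if score >= 15:
        return "board approval required"
    return "treat" if score >= 8 else "accept"

def residual(risk: Risk, interval_factor: float = 1.0, loss_factor: float = 1.0) -> Risk:
    """Residual risk: treatment measures stretch the event interval and/or cut the loss."""
    return replace(risk, interval_years=risk.interval_years * interval_factor,
                   loss_eur=risk.loss_eur * loss_factor)

if __name__ == "__main__":
    # Constructed sample: long-term IT breakdown, about once in 3 years, EUR 2m per event.
    inherent = Risk("long-term IT breakdown", 3, 2_000_000, "none", 3)
    after = residual(inherent, interval_factor=4, loss_factor=0.05)  # e.g. second site + BCP
    for r in (inherent, after):
        print(f"{r.name}: L={likelihood_level(r.interval_years)} I={r.impact_level()} "
              f"score={r.score()} -> {tolerance(r.score())}")
```

The sample risk scores 12 (likelihood 3, impact 4) before treatment and 3 afterwards, which is the inherent/residual distinction from the definitions slide expressed in numbers.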
Risk management process, 3. Risk treatment
- Policy of risk avoidance and risk limitation while implementing preventive measures
- Principles, e.g.: principle of hierarchy; editorial principle (use a second pair of eyes); principle of separation of functions; principle that tasks, competences and responsibilities should be located within the same entity
Risk treatment flow (diagram)
- Risk and threat analysis
- Actual risk position
- Risk avoidance
- Concept of measures (preventive measures); insurance is only used in law-driven issues; usually there is no risk transfer
- Approval of the Executive Board
- Residual risk
Risk management process, 4. Communication of risks

Risk reporting within the business areas:
- Report within the business area (hierarchy)
- Periodical reports (e.g. daily report of market risks)
- Ad-hoc reporting if necessary

Centralised risk reporting:
- Notification of loss
- Security-relevant matters
- Compliance, money laundering, corruption
- Major projects ...
- Centralised annual risk report
Centralised annual risk report
- Annual risk report according to our risk management framework
- The business areas have to examine their risk assessment. The results are aggregated by the ERM Office.
- Report to the Board and feedback to the business areas
- The Board has to decide whether additional mitigation measures should be taken or not.
RMS at the Bundesbank: structure of the ORM template (illustration)
Risk management process, 5. Monitoring of risks
- Monitoring is part of the internal supervision by the head of each unit
- Responsibility of the business areas
- No formal KRI in place
- No centralised monitoring
Thank you for your attention!