Smart About Risk  
Operational Risk

Operational Risk

Operational risk can be explained simply as a risk of loss caused by operational deficiencies and errors, should be addressed by each company. The purpose is to ensure operational efficiency, to lower costs, to increase competitiveness, to increase the efficiency of insurance policy and in case of financial institutions also the necessity to comply with regulatory requirements (Basel II for banks and Solvency II for insurance companies).

The consultancy firm Advanced Risk Management, s.r.o. would like to offer you its consultancy services in the area of operational risk. Our services in the area of operational risk are classified into the following areas for financial and non-financial institutions. 

 

The company also offers seminars in the area of operational risk in the form of open and in-house seminars.
The company offers developing the software for measurement and management of operational risk.

 

Offer for Financial Institutions 

 

Catalogue of operational risks

  • Creation of a catalogue of operational risks that may jeopardize a company including the description of those risks, allocation of the risk owner and identification of departments and processes affected by the risk.
  • Validation of the structure and contents of the current risk catalogue and suggestion of amendments.

Collection of operational risk events

  • Assessment of current (or development of a new) system of event collection and suggestion of possible adjustments with an emphasis placed on the following areas:
    • does the system monitor all relevant information about operational risk events?
    • is the system user friendly and understandable?
    • does the system comply with requirements for the management and measurement of operational risk (e.g. can information be filtered, exported?)
  • Assessment of whether users are sufficiently acquainted with the system.
  • Set up of a motivation program for the users of the system so that they are more willing to enter information about operational risk events.
  • Analysis of the error rate of information entered and user training in areas with the highest number of errors or a draft of an electronic manual guiding the user through the process of entering a risk event.
  • Control of the database of operational risk events, mainly the control of correctness:
    • classification of events into Loss Event Type and/or Business Line,
    • sufficient description of the event,
    • data reconciliation with book keeping.
  • Analysis of the method of processing information about operational risk events:
    • with what delays is information about operational risk events entered into the system and analysis of the reasons leading to such delay,
    • how long does it take until an operational risk event is processed by the relevant department,
    • which event types are immediately reported to senior management.
  • Analysis of the database of operational risk events with the purpose to identify those parts of a bank/company that have a higher exposure to operational risk, including the analysis of the reasons of such higher exposure.
  • Draft or delivery of a system for the collection of operational risk events in case a company does not have such system.

 

Analysis and audit of an operational risk management system

  • Analysis of the use of information obtained from the system collecting operational risk events.
  • Draft of the composition, competencies and responsibilities of an operational risk committee and setting of event parameters (e.g. amount of damage) that should be discussed by that committee.
  • Control of system of internal regulations:
    • which areas of operational risk are covered by internal regulations?
    • are internal regulations correct, clear and logically structured?
    • are internal regulations updated on a regular basis?
    • what is the accessibility level of internal regulations to employees?
    • do employees know the contents of those internal regulations?
  • Testing the knowledge of regulations onsite and, based on its results, suggestion of amendments in the system of updating and disclosure of regulations.
  • Control of compliance of procedures when an operational risk event occurs, control of whether the officers in charge and employees know how to act accordingly in a given situation.
  • Preparation of a training or e-learning course for officers in charge about the risk management system and their duties.
  • Analysis of the efficiency of communication between individual departments and operational risk departments.
  • Draft or delivery of an administration system for internal regulations.

 

Insurance from the point of view of operational risks

  • Analysis of the administration system of insurance policies relating to operational risk with a primary focus on the following areas:
    • are all departments in a bank with a high exposure to operational risk insured?
    • are parameters of insurance policies set up correctly in light of operational risk events which occurred and which were insured (e.g. what percentage of insurance coverage is rejected by the insurance company and for what reasons and whether the conditions of the insurance policy should not be amended)?
    • what is the efficiency of insurance (analysis of premium paid compared to received insurance coverage and threatening losses)?
  • Draft or delivery of a system for the administration of insurance policies and their linkage to operational risk events. 

Business Continuity Management (BCM)

  • Analysis of processes within the company with the objective to find critical processes and operations.
  • Assistance with the development or updating of BCM plans.
  • Control of existence and functionality of the system of updating and practicing of BCM plans.
  • Control of the level of familiarity with BCM plans by officers in charge and possible suggestions of improvements in the training system.
  • Draft or delivery of a system for efficient administration of BCM plans.

Operational risk scenarios 

  • Assistance with the development of operational risk scenarios:
    • for which risks the company should have stress scenarios,
    • suggestion of the method for the assessment of impact and frequency of a stress scenario.
  • Draft of a method how to include stress scenarios into the system of operational risk measurement..
  • Draft or delivery of a system for the administration and updating of scenarios.

 

Self Assessment of operational risk 

  • Assistance with the development of questionnaires for self assessment of the degree of operational risks by the employees of the bank (Risk and Control Self Assessment).
  • Draft of the method of risk assessment (frequency × impact, and/or another approach) and suggestion of scales for selected parameters.
  • Assistance with filling out questionnaires – oral communication with responsible departments, explanation of principles of self assessment, correction of unrealistic or clearly imprecise estimates. 
  • Draft or delivery of a system for regular self assessment of operational risk.   

 

Key Risk Indicators (KRI) 

  • Assistance with identification of key indicators of the degree of operational risk.
  • Assistance with the setting of limit values of KRI while the excess of such value indicates an increased level of the relevant type of operational risk.
  • Draft or delivery of a system for the definition and regular monitoring of indicators of operational risk.  

 

Measurement of operational risks and reporting 

  • Assistance with drafting a method for measuring individual operational risks – i.e. whether they will be measured through an expert estimate, on the basis of historical data with the use of an appropriate statistical model or whether they are immeasurable or whether measuring is meaningless.
  • Draft of the method for measuring the efficiency of preventive and corrective procedures.
  • Draft of a suitable reporting format (ie what will be the input data, how often reporting will be effected, what will be the structure and to whom reporting is delivered) which should contribute better information about operational risk within the company and also provide relevant data for informed decisions.  

Operational risk according to Basel II and Solvency II 

  • Assessment of compliance of current operational risk management process with Basel II or Solvency II, respectively, and proposed remedies.
  • Validation of the model for calculation of capital/solvency requirement for operational risk both from the point of view of methodological correctness as well as the technical side of the calculation.
  • Assistance with programming of the application for the calculation of capital requirement according to AMA approach or delivery of own software application OpRisk Calc.  

Fraud Management

  • Designing/revision of concept/methodology for fraud risk management.
  • Designing preventive measures.
  • Setting up efficient monitoring.

Fraud risk can also impact credit risk.

Offer for Non-Financial Institutions 

Identifying Types of Operational Risk

  • To analyze the processes of a company/business in order to identify the critical processes and activities.
  • To create an operational risk catalogue relating to the operational risks that may threaten the company, including a description of these risks, assigning an owner to each risk and identification of the departments and processes threatened by these risks.
  • To validate the structure and content of the existing operational risk catalogue.  

Operational Risk Measurement 

  • To design a procedure for measuring operational risk (e.g. expert assessment of the self-assessment process, an estimate based on historical data and carried out using an appropriate statistical model and scenario analysis).
  • To propose a way to evaluate the frequency and severity of the risks identified within the self-assessment process – operational risk assessment with predefined parameters (frequency × impact, or a different approach); to design a scale for the following parameters:
    • To assist in creating questionnaires for operational risk self-assessment by the employees of the company/business (i.e. people in contact with operational risks);
    • To assist with completing questionnaires (communication with employees, explaining the principles of self-assessment, correction of unrealistic or obviously inaccurate estimates).
  • To design a statistical model for estimation of operational risk based on historical data, and, subsequently, to assist in the technical implementation of the proposed model.
  • To assist in the development of operational risk scenarios (including a selection of risks for which it would be appropriate to carry out scenario analysis).

Measurement of Operational Risk Losses 

  • To design a method for measuring operational risk losses (e.g. with an estimate based on historical data and carried out using an appropriate statistical model).
  • To design an appropriate way of reporting (the frequency and structure of reporting as well as people to be reported). 

Action Plans and Business Continuity Management 

  • To check if the system of creating, updating and practicing Business Continuity Management (‘BCM’) plans have been established and are operational.
  • To assess the effectiveness of action plans (i.e. the preemptive and corrective measures).
  • To assist in creating or updating:
    • Action plans to mitigate the impact of operational risks; and
    • BCM plans to maintain the operation of the company/business when an operational risk event occurs.
  • To check the level of knowledge of the BCM plans by the responsible employees, and, if necessary, to propose changes in the training system.

Operational Risk Management 

  • To analyze the operational risk management system, in particular through analysis of existing processes. To assess the accuracy and completeness of and compliance with the internal procedures and guidelines relating to operational risk management by the company/business.
  • To assist in identification of Key Risk Indicators (‘KRI’) relating to operational risk.
  • To assist in setting the limit values of KRI using historical data and our know-how (exceeding the limit values indicates an increased level of a certain type of operational risk).
  • To check the accuracy and relevance of the limits set for KRI in connection with the amount of the loss realized from operational risk.
  • To analyze the system of policies relating to operational risk (to assess the parameters of policies with respect to the history, and to analyze their effectiveness with regard to the premiums paid, claims paid, or impending losses).
  • To design or provide a system for policy administration and linking policies with operational risk events.