23Mar2018 - Operational Risk · Rule 1 = 10 Rule 2 = 10 Rule 3 = 0 Control Assessments = 0 Rule 4 =...

Risk Aggregation23Mar2018

www.riskspotlight.com!

Schools of Thought on Risk Aggregation

Risk information can never be aggregated into any meaningful and useful way due to the complex and multi-dimensional

nature of risks.

S1 S2Some risk information

can be aggregated but accept that all the

information about a risk cannot be aggregated into one number. Also

accept that all aggregation methods

will have pros and cons.

S3All risk information can

be aggregated into meaningful and useful way. Aggregation can

also be automated without requiring any manual intervention.

Why aggregate?

Business Divisions

Business Units

Departments

Teams / !Projects

Risks exist at multiple levels within an organisation structure!

Why aggregate?

Organisation Structure Legal Entity Structure Geographical Structure

Process Structure Product Structure Risk Categories

Risks also exist at different levels of other hierarchies (some highlighted below). !

Why aggregate?

Organisation Structure Geographical Structure

Process Structure Risk Categories

Risks typically exist at intersection of multiple hierarchies!

Why aggregate?

Stakeholders at each level want to view aggregated level of risk exposure for specific risks or categories e.g. External Fraud, Improper Conduct etc. This can be useful for monitoring changes in risk profile over time.!

Why aggregate?

Stakeholders at each level want to easily identify whether any risks or portfolio of risks are approaching risk appetite limits or have already breached the risk appetite limits.!

Why aggregate?

Risk Exposure vs. Risk Appetite Misalignment!

Which risks need escalation/attention?!

BU 1 Risks BU 2 Risks BU 3 Risks

Business Division Risk Profile

Summary At Each Level in a hierarchy

Challenges

Challenge 1

Criticality threshold for each levels are typically different e.g. a £1mln exposure at the business unit level may be High but at the group level may be Low. Considering this across intersection of different hierarchies makes the challenge further complicated.!

There may be multiple thresholds e.g. financial, reputational etc.!

Challenge 2

Combining qualitative & quantitative information. !!Majority information is qualitative.!!Time horizon for information is typically different.!

Statistical functions (e.g. SUM, AVERAGE) cannot be used for most quantitative information!

Aggregation Approaches

Aggregation Path

Credit Cards Personal Banking!

Retail Bank

Information available for each risk

Aggregation Path

Risk Assessments

Perform risk assessments to aggregate all information available about each risk.

•  Likelihood!•  Financial Impacts!•  Non-Financial

Impacts!

•  Completeness of present controls!

•  Percentage of Preventative vs. Detective vs. Responsive controls!

•  Design and operating effectiveness of controls!

•  Independent testing of controls!

•  Open Issues!•  Open Action Plans!

•  Alignment with Risk Appetite (e.g. Within appetite or outside appetite)!

•  Risk indicators!•  Control indicators!

•  Changes in internal business environment!

•  Changes in external business environment!

•  Internal incidents!•  External incidents!

Risk Assessments

Card fraudBriberyIT FailureCyber attack

Risk assessments will provide an aggregated view of risk exposure at an individual risk level.

Risk Assessments

Switch to spreadsheet.

Real-life Aggregation Examples

Weather Forecasts

Credit Score

Corporate Credit Ratings

Country GDP

Stock Market Index

•  Large amounts of detailed information is aggregated!•  A distinct measure is defined for aggregated information, which can be different to

the measurement units of detailed information!•  Some aggregated measures typically update in real-time (e.g. stock index)

Risk Index Approach

Step 1 – Convert different types of risk information into a single measure which can be aggregated (e.g. SUM, AVG)

Step 2– Aggregate the measures for each type of information into a single aggregated measure

Step 3 – Aggregate the measures into a single risk measure

Incidents RCSA KRIs Issues

Risk Index Approach

State of risk management is deficient. Immediate responses required.

Minor concerns

State of risk management is deteriorating. Preventative actions should be considered.

Early signs of problems. Review and respond appropriately.

Define Aggregated Measurement Scale!

Risk Index Approach

Develop rules to convert risk related information into aggregated measures

Rule Example 1: - !

•  If a risk is mapped to one or more high priority open issues, score = 100!

•  If a risk is mapped one or more medium priority open issues, score = 70!

•  If a risk is not mapped to any open issues, score = 0!

Rule Example 2: - !

•  If 81% or more controls mapped to a risk are not effective, score = 100!

•  If 41% to 80% of controls mapped to a risk are not effective, score = 75!

•  If 1% to 40% of controls mapped to a risk are not effective, score = 45!

•  If all controls mapped to a risk are effective, score = 0!

Risk Index Approach

Risk = Identity fraud

Risk AssessmentsRule 1 = 10

Rule 2 = 75Rule 3 = 40

Control Assessments

Rule 4 = 80

Rule 5 = 90

Issues & Action Plans

Rule 6 = 0

Rule 7 = 10

Risk = Online banking fraud

Risk AssessmentsRule 1 = 10

Rule 2 = 10Rule 3 = 0

Control Assessments

Rule 4 = 0

Rule 5 = 0

Issues & Action Plans

Rule 6 = 80

Rule 7 = 0

Score at each rule level

Risk Index Approach

Risk Assessments = 125Rule 1 = 10

Rule 2 = 75Rule 3 = 40

Control Assessments = 170

Rule 4 = 80

Rule 5 = 90

Issues & Action Plans = 10

Rule 6 = 0

Rule 7 = 10

Rule 2 = 10Rule 3 = 0

Rule 4 = 0

Rule 5 = 0

Rule 6 = 80

Rule 7 = 0

Score at each rule category level

Risk = Identity fraud Risk = Online banking fraud

Risk Index Approach

Rule 2 = 75Rule 3 = 40

Rule 4 = 80

Rule 5 = 90

Rule 6 = 0

Rule 7 = 10

Rule 2 = 10Rule 3 = 0

Rule 4 = 0

Rule 5 = 0

Rule 6 = 80

Rule 7 = 0

Score at risk level

305 90Risk = Identity fraud Risk = Online banking fraud

Risk Index Approach

Credit Card Personal Banking

Retail Bank

Risk = Identity fraud 305

Risk = Online banking fraud 90

Risk = Identity fraud 30

Risk = Online banking fraud 10

395 40

Score at each level of hierarchy

Risk Index Approach

Similar to stock prices or stock market index, aggregated scores can be tracked overtime to identify changes in the strength of the risk and control environment.

Credit Card Personal Banking

Time Time

ScoreScoreEscalation Level Escalation Level

Risk Index Approach

l  Overtime as the usage of this approach matures, escalation limits can be defined for the aggregated score at multiple levels.!

l  Implementing this approach in software can provide a real-time or near real-time update of scores. This can support continuous monitoring of risk and control environment between the qualitative aggregation assessments.

www.riskspotlight.com!www.riskspotlight.com!

Thank you.Manoj.kulwal@riskspotlight.com

23Mar2018 - Operational Risk · Rule 1 = 10 Rule 2 = 10 Rule 3 = 0 Control Assessments = 0 Rule 4 =...

Documents

Transcript of 23Mar2018 - Operational Risk · Rule 1 = 10 Rule 2 = 10 Rule 3 = 0 Control Assessments = 0 Rule 4 =...

The 80/20 Rule- The Lost Rule To Greatness

z-Dftt2 471(140/0) 271(80/0) 331(100/0) 121(80/0) (A Eyÿk3 ... · z-Dftt2 471(140/0) 271(80/0) 331(100/0) 121(80/0) (A Eyÿk3.5m) http:/_/_ 2014.7

BASIC DETAILS OAISIS DATA...CLASS TOTAL NUMBER OF SECTIONS TOTAL NUMBER OF INTAKE TOTAL NUMBER OF STUDENTS 1 0 0 0 2 0 0 0 3 0 0 0 4 0 0 0 5 0 0 0 6 2 80 0 7 2 80 79 8 2 80 70 9 2

Major Gift Fundraising - CHARITY SCIENCE FOUNDATION · 2019. 1. 21. · Major Gift Fundraising! The 80-20 Rule! The 80-20 rule (the Pareto Principle) states that often about 80% of

80% Breaker Derating Rule

IAY 0 80 0 Digitaalsüsteemide disain

80/20 Rule… Embrace Your Journey - Unapologetically.

Rule 80%20%

the intentional networker · Start with the 80:20 Rule. Also known as the Pareto Principle, the 80:20 Rule states that typi-cally 80% of most results come from 20% of the causes.

The 80/20 Rule for Desktop KPI's: Less is More!

Reynolds [Re im kompatibility]Permission-based marketing 80/20 Rule 80% of posts should be informative or entertaining. ... 80/20 rule! Sharing is key. Creativity is essential! New

Special Proceedings Powerpoint Reviewer Presentation Rule 75 to 80

0, 112, 192 146, 208, 80...192, 80, 77 Investor Presentation February 2016 0, 112, 192 Current Scenario 146, 208, 80 112, 48, 160 255, 192, 0 102, 51, 0 192, 80, 77 2 Contents Journey

Three Overlooked Attributes of a Successful PMO...A –90%* B –80%* C –70%* Opportunity to improve 0% 0% 0% 0% 0% 20% 40% 60% 80% 100% A –90%* B –80%* C –70%* Opportunity

The Effective Time Management - CHARLTON …7 Effective Time Management The 80/20 Rule The 80/20 rule, also known as Pareto’s Principle Rule states that 80% of your results come

Zipﬁanfrequencydistributionsfacilitateword ...langcog.stanford.edu/papers/KMF-underreview.pdf · 80 120 0 40 80 120 0 40 80 120 0 40 80 120 6 types 0 40 80 120 12 types 0 40 80

80-20 rule

Content marketing- The Power Of The 80/20 Rule

Remedial Law 2 (Rule 72 to 80)

RULE 80 [abrogated 1-09] · 2015-07-01 · RULE 80. DIVORCE AND ANNULMENT [Rule 80 is abrogated, effective January 1, 2009, to be replaced by Chapter XIII of these Rules. The text