Operational Risk Management - CEMLA - Bundesbank’s methodology of ORM, crisis management and BCM...

Crisis Management and Operational Risk Management Christoph Stute Guatemala 28 – 29 March 2012

Transcript of Operational Risk Management - CEMLA - Bundesbank’s methodology of ORM, crisis management and BCM...

Page 1: Operational Risk Management - CEMLA - Bundesbank’s methodology of ORM, crisis management and BCM ERM/Operational Risk Management • ERM is the overall process for early identification,


Page 2: Crisis Management

Page 3: Definition - Bundesbank’s methodology of ORM, crisis management and BCM

ERM/Operational Risk Management

• ERM is the overall process for early identification, handling and monitoring of risks

• ERM includes business risks and OR

• ERM gives an overview of all risks and helps to decide which risks are acceptable and which are not (risk tolerance / risk appetite)

• ERM/ORM has a preventive character

• Focus: risks emerging from conducting the business

Crisis Management

• CM is the ability of an organisation to respond to any crisis situation in a predefined way

• CM includes a “tool box” of organisational and technical utilities to support management (BCP is one of the “tools”)

• CM has a mainly reactive character

Business Continuity Management

• BCM identifies potential threats to an organisation and their impacts on its most critical functions

• BCM includes BCPs that put an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way.

• BCM has a mainly reactive character; focus: risks that endanger the object of a company

Page 4: Differentiation crisis management – risk management

❙ Risk management: supervision and prevention in day-to-day business

❙ Crisis and business continuity management: managing crises and keeping the operational business running in exceptional circumstances → quick decisions and reaction under pressure

Page 5: Crisis definition at Bundesbank

The term crisis is understood to mean any unusual incident which has a significant (potential or acute) negative impact on the health and safety of the Bundesbank staff and its guests, the execution of the Bundesbank’s tasks, its material assets, its integrity and/or reputation.

Every crisis is unique; its cause and course are unpredictable and consequently specific plans cannot be made

➲ individual, flexible and rapid response required

Page 6: (Potential) causes for a crisis

❙ long-term breakdown of information technology

❙ long-term electrical power outage

❙ fire

❙ epidemic (e.g. avian flu, swine flu, seasonal flu)

❙ natural disaster (e.g. flooding, …)

❙ armed robbery (with hostage-taking and / or damage to persons)

❙ “media crisis”

❙ terrorist attack

Page 7: CM folder

Page 8: The Bundesbank’s CM concept

CRISIS PREVENTION

Early recognition of crises

• Incident register

• Situation report

Basis for rapid and systematic response

• Contingency planning

• BCP

• Trained staff

CRISIS MANAGEMENT

Safeguarding the Bundesbank’s decision-making function through

• a central crisis management team at top management level

• Situation report

Overcoming the crisis incident through

• (immediate) operational measures by the contingency team, BCP team, police ....

CRISIS REVIEW

Gathering experience from the crisis and making use of it through

• systematic documentation of the crisis management

• crisis follow-up and review of the existing plans (as required)

Page 9: Roles and responsibilities

❙ Declaration of crisis → Executive Board or (if not capable of acting) Executive Board member for controlling & organisation

❙ Suspension of crisis → Board

❙ Head of CMT → Board member for controlling & organisation

❙ CMT → senior managers (Core team: controlling & organisation, IT, administration, communication, head of CM secretariat)

Page 10: Core crisis management team

• Decides on all measures necessary to overcome crises

• Decision-making preparation at operational-technical level

• At least 5 substitutes per function

Head of the CMT (President or Executive Board member for controlling)

CMT coordinator

Operational-technical level (core CMT): Head of Crisis Communication, Head of Administration and Premises, Head of IT, Head of Controlling

Operational-technical level (extended CMT, as required): Head of Crisis Management Secretariat, Head of Legal Department, Heads of Cash, Markets, Payment Systems, Head of Personnel

Page 11: Support teams

❙ Contingency/BCP teams implement the CMT’s and the BCP’s resolutions as well as emergency measures (Vb, IT, H, C, M, Z) → urgent measures

❙ Crisis management secretariat assists the CMT (file managers, telecommunications services, minute keepers, secretarial staff)

❙ Crisis communication team (Communication Department): operational implementation of crisis communication

❙ Local contacts implement the CMT’s resolutions as well as emergency measures throughout Germany

Page 12: Crisis management in practice

CM folder - Guidance for CM (every CMT member)

Crisis management concept

Detailed concepts:

a. Organisational structure

b. Procedures

c. Location planning

d. Telecommunication

e. Crisis communication

f. Documentation

g. Training

h. CM regional head offices

i. CM branches

• Contact data

• Diagrams & location plans

• Checklists and templates

Page 13: Procedures in case of a crisis

Identification of an incident (staff, sensor, security team etc.)

→ Information of the security team

→ Urgent / emergency measures; alerting of • police • fire brigade • ambulance

→ Information of the business areas (BCP teams, Administration, IT)

→ Information of the head of the crisis secretariat

→ Information of the head of the CMT

→ Alerting of the CMT and secretariat

Page 14: Tasks of the crisis secretariat

❙ Collect information from media, phone calls, email, fax etc.

❙ Assess this information for priority and responsibility

❙ Compile a current situation report for the CMT

❙ Write minutes of the CMT meetings

❙ Provide the CMT with information for decision making, food and drink etc.

Page 15: Tasks of the CMT

Working phase of the CMT

❙ explore proposals

❙ ensure the decisions are carried out

CMT meetings

❙ Presentation

❙ Decision making on the proposals by the head of the CMT

Page 16: Procedure (the crisis management team process)

The process alternates between working phases (staff work) and CMT meetings (staff meetings): working phase → CMT meeting → working phase → CMT meeting …; the time axis of the diagram shows alternating blocks of approx. 10-15 min. and approx. 45-60 min.

Levels shown: • decision-making level (at the CMT meeting) • crisis management team secretariat • operational-technical level • communication control

Crisis management team secretariat, throughout: compiling and updating the situation picture, (secretariat) tasks, documentation, control of reporting, minute-keeping, ensuring communication

First working phase:

• compiling the situation picture

• initiating immediate measures if necessary

• drawing up proposals for measures and for communication

• extension of the CMT / contingency teams?

• review of the measures carried out

First CMT meeting:

• presentation of the situation picture

• presentation of proposed resolutions and communication drafts (and, if necessary, extension of the CMT)

• decision on the above points by the decision-making level

• agreement on the further procedure and the date of the next CMT meeting

Subsequent working phases:

• initiating / implementing the resolutions of the CMT meeting

• compiling the situation picture

• drawing up proposals for measures and for communication

• review of the measures carried out

• preparing / approving / distributing the minutes of the CMT meeting

Subsequent CMT meetings:

• presentation of the situation picture

• presentation of proposed resolutions and communication drafts

• decision on the above points by the decision-making level

• agreement on the further procedure and the date of the next CMT meeting

Page 17: Basic conditions for CMT

❙ One decision maker → head of CMT

❙ Five representatives for every CMT role

❙ Alerting system

❙ Arranged rooms for working and meetings

❙ Crisis hotlines

❙ Functional email addresses

Page 18: Locations of the CMT

Head office: primary premises in the head office main building or the situation room under the guest house

Regional head office Frankfurt: second site, if the head office is no longer available or is endangered

HV Mainz or, depending on the situation, HV Berlin: third and fourth sites, if the Frankfurt region is no longer available or is endangered

Page 19: Locations of the CMT II

❙ In all locations the following are prepared:

❙ Meeting room

❙ Working room

❙ Secretary room

❙ If needed, more rooms

❙ The rooms are used in daily business, so computers and equipment are up to date

❙ All locations are provided with the same means (posters, forms, USB sticks, mobile phones etc.)

Page 20: Alerting system

❙ Definition of

❙ who alerts

❙ who is to be alerted

❙ what to tell / ask during the alerting call

❙ First the secretariat is alerted, then the CMT

❙ If the first representative of a CMT function is not available or cannot reach the CM rooms within one hour, the next of the 5 substitutes for the function is called

❙ Representatives of a function who are currently not in the CMT can replace their colleagues if the crisis lasts longer than 6 or 8 hours
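The substitute rule on this slide (secretariat first, then the CMT; the next of the 5 substitutes is called if a representative is not reachable or cannot reach the CM rooms within one hour; relief of colleagues after 6 or 8 hours) can be exercised as a small call-list procedure. The following Python is an added example and not material from the Bundesbank presentation; the names, travel times, the choice of 8 hours as the relief threshold and the staffing check against the "at least 5 substitutes per function" rule from slide 10 are assumptions of the example.

```python
"""Call-list walk for alerting a CMT function (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_MINUTES_TO_CM_ROOMS = 60   # "within one hour" (slide 20)
MIN_SUBSTITUTES = 5            # "at least 5 substitutes per function" (slide 10)
RELIEF_AFTER_HOURS = 8         # slide says 6 or 8 hours; 8 h is assumed here


@dataclass
class Representative:
    name: str
    reachable: bool              # answered the alerting call
    minutes_to_cm_rooms: int     # estimated travel time to the CM rooms


@dataclass
class CmtFunction:
    name: str
    # Ordered call list: first representative, then the substitutes.
    representatives: List[Representative]

    def check_staffing(self) -> bool:
        """True when the function has the required number of substitutes."""
        return len(self.representatives) - 1 >= MIN_SUBSTITUTES


def select_representative(function: CmtFunction, log: List[str]) -> Optional[Representative]:
    """Walk the call list until someone is reachable and close enough."""
    for rank, rep in enumerate(function.representatives, start=1):
        log.append(f"{function.name}: calling #{rank} {rep.name}")
        if not rep.reachable:
            log.append(f"{function.name}: {rep.name} not reachable, next substitute")
            continue
        if rep.minutes_to_cm_rooms > MAX_MINUTES_TO_CM_ROOMS:
            log.append(f"{function.name}: {rep.name} needs {rep.minutes_to_cm_rooms} min, next substitute")
            continue
        log.append(f"{function.name}: {rep.name} confirmed")
        return rep
    log.append(f"{function.name}: no representative could be confirmed")
    return None


def alert_order(secretariat: CmtFunction, cmt: List[CmtFunction]) -> List[str]:
    """Secretariat first, then the CMT functions (slide 20)."""
    return [secretariat.name] + [f.name for f in cmt]


def run_alerting(secretariat: CmtFunction, cmt: List[CmtFunction]) -> Tuple[Dict[str, Optional[str]], List[str]]:
    """Alert every function in order; return who was confirmed and the call log."""
    log: List[str] = []
    confirmed: Dict[str, Optional[str]] = {}
    for function in [secretariat] + cmt:
        rep = select_representative(function, log)
        confirmed[function.name] = rep.name if rep else None
    return confirmed, log


def relief_candidates(function: CmtFunction, on_duty: str, hours_in_crisis: float) -> List[str]:
    """Colleagues who may relieve the person on duty once the crisis has lasted long enough."""
    if hours_in_crisis < RELIEF_AFTER_HOURS:
        return []
    return [r.name for r in function.representatives
            if r.name != on_duty and r.reachable
            and r.minutes_to_cm_rooms <= MAX_MINUTES_TO_CM_ROOMS]


# Constructed sample data: names and travel times are invented for this example.
SECRETARIAT = CmtFunction("Crisis management secretariat", [
    Representative("S1", True, 20), Representative("S2", True, 30),
    Representative("S3", False, 15), Representative("S4", True, 45),
    Representative("S5", True, 25), Representative("S6", True, 40)])

HEAD_OF_IT = CmtFunction("Head of IT", [
    Representative("IT1", False, 10),   # does not answer the call
    Representative("IT2", True, 90),    # reachable but more than one hour away
    Representative("IT3", True, 35),    # first usable substitute
    Representative("IT4", True, 50), Representative("IT5", True, 55),
    Representative("IT6", True, 20)])


if __name__ == "__main__":
    confirmed, log = run_alerting(SECRETARIAT, [HEAD_OF_IT])
    print("\n".join(log))
    print(confirmed)
    print("relief for IT3 after 9 h:", relief_candidates(HEAD_OF_IT, "IT3", 9))
```

Running the block prints the call log, the confirmed representative per function and the relief candidates after nine hours; the log is what an alerting exercise (slide 25) would compare against the alerting times actually achieved.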

Page 21: Crisis communication I

❙ In a crisis the Bundesbank communicates with the media, staff and their related parties

❙ The aims of crisis communication are

→ satisfaction of the general public’s right to information

→ strengthening credibility, confidence and acceptance

→ preventing damaging rumours and speculation

→ Crisis communication concept by the PR department

Page 22: Crisis communication II

❙ Crisis communication should be proactive, to positively influence public opinion and to avoid being forced onto the defensive.

❙ Speak with “one voice” → avoid dissent

❙ The head of the CMT is responsible for crisis communication, but one representative of the communication department sits in the CMT

Page 23: Exercises / Incidents in the past I

❙ Sept 07 Exercise: bomb explosion in Bundesbank buildings

❙ Nov 07 Exercise LÜKEX – worldwide influenza pandemic

❙ Oct 08 Incident: financial crisis

❙ Oct 08 Incident: coin contamination (ill staff)

❙ Mar 09 Exercise: alert exercise

❙ May 09 Exercise Mainz – coffee contamination (death of staff)

❙ Aug 09 Incident: pandemic

❙ Oct 09 Exercise Hannover – hostage taking in a branch

❙ Jan 10 Exercise LÜKEX – worldwide threat by Islamic terrorism

❙ May 10 Exercise München – mass demonstration with conflicts

❙ May 10 Incident: short power outage in branch

Page 24: Exercises / Incidents in the past II

❙ Sept 10 Incident: one-day IT breakdown

❙ Oct 10 Exercise Düsseldorf - flood water and accident of a BBK cash transport

❙ March 11 Incident: earthquake in Japan – representation closed

❙ April 11 Exercise Berlin – offices for other Ministry, leak of personal data

❙ Sept 11 Exercise Frankfurt - air-conditioning system fell on building

❙ Aug 11 Incident: hurricane warning NY

❙ Sept 11 Incident: DDoS attack on Bundesbank website

Page 25: Reasons for regular exercises

✔ Apply the existing CM structures and procedures

✔ Train CM team work using the available means

✔ Train the alert system

✔ Check the crisis communications

✔ Sensitise the CM team members

✔ Recognise weaknesses of the CM concept

Page 26: Operational Risk Management

Page 27: Definition - Bundesbank’s methodology of ORM, crisis management and BCM

Operational Risk Management

• ORM is the overall process for early identification, handling and monitoring of risks

• ORM includes business risks and OR

• ORM gives an overview of all risks and helps to decide which risks are acceptable and which are not (risk tolerance / risk appetite)

• ORM has a preventive character

• Focus: risks emerging from conducting the business

Crisis Management

• CM is the ability of an organisation to respond to any crisis situation in a predefined way

• CM includes a “tool box” of organisational and technical utilities to support management (BCP is one of these “tools”)

• CM has a mainly reactive character

Business Continuity Management

• BCM identifies potential threats to an organisation and their impacts on its most critical functions

• BCM puts an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way.

• BCM has a mainly reactive character; focus: risks that endanger the object of a company

Page 28: Definition – Risk Management

❙ Risk management is a logical and systematic method of identifying, analysing, treating and monitoring risks.

Risk management system: Early identification of risks → Identification of risks → Evaluation of risks → Communication of risks → Handling of risks → Monitoring of risks; supported by controls and internal audit

Page 29: Definitions

Risk = adverse variance from a reference figure

Operational Risk = the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events

Transversal Risk = risk which can occur cross-functionally and affect several business areas

Page 30: Definitions

❙ Transversal Risks – some examples:

❙ risks related to corruption

❙ risks related to compliance

❙ risks related to data protection

❙ risks related to general/ physical security

❙ risks related to money laundering

❙ risks related to IT

❙ risks related to employees

❙ risks related to media/ public relations

❙ …

Page 31: Definitions

Inherent Risk = risk situation without taking any treatment measures into consideration

Residual Risk = risk situation considering implemented treatment measures

Page 32: Factors of influence to review the RM set-up

• financial impact, reputational impact, damage to persons

• legal background

• crisis 2004 (by example)

• recommendations of internal & external auditors

Page 33: The Framework

Contents: Aims and structure of the framework; Legal background; Definitions; Aims and functions of risk management; Risk culture; Expertise and responsibilities; Risk structure; Risk management process (Early identification of risks, Identification of risks, Risk evaluation, Communication of risks, Handling of risks, Monitoring of risks)

• Implementation after approval by the board in March 2006

• Published to the staff via intranet

Page 34: Governance structure of the Bundesbank

Units shown: Internal audit; IT Department; ERM Office; Security and Crisis Management; Office for Risk Control

Page 35: Governance structure of the Bundesbank – Responsibilities

❙ The Executive Board

❙ has the overall responsibility for the management of risks

❙ is basically responsible for decision making

❙ approves a risk tolerance policy and residual risks in a specific risk zone

❙ is the receiver of aggregated risk reports

Page 36: Governance structure of the Bundesbank – Responsibilities

❙ Business areas

❙ are responsible for operational risk management according to their tasks across the whole Bundesbank (decentralisation)

❙ The heads of departments are responsible for the identification, assessment and mitigation of their own risks.

❙ They have an informal relationship with the risk management office.

❙ In some areas, such as the risk management of foreign reserves and other portfolios, IT security and general security, related tasks are performed by central work units.

Page 37: Governance structure of the Bundesbank – Office for Risk Control (Area V, Department Financial Stability)

❙ This unit deals with market risks such as currency risks, interest rate risks, counterparty risks and liquidity risks. It is responsible for the risk management of foreign reserves and other portfolios.

Page 38: Governance structure of the Bundesbank – IT Security Management (Area VI, Department Information Technology)

❙ Supports the board and the business areas in questions concerning IT security and is responsible for the design and maintenance of firewalls, the evaluation of information from the proxy server, and the maintenance and enhancement of IT security concepts.

Page 39: Governance structure of the Bundesbank – Division Organisation (Area III, Department Controlling, Accounting and Organisation)

❙ The Division Organisation is part of the Department Controlling, Accounting and Organisation. The diagram places Security and Crisis Management and the ERM Office within the Division Organisation.

Page 40: Governance structure of the Bundesbank – ERM Office (Division Organisation)

❙ In the context of risk management, the ERM Office is responsible for the maintenance and enhancement of the risk management framework, the methodology, documentation and coordination.

In that context

❙ reports of the business areas are summarised,

❙ results of risk assessments are checked and

❙ analyses conducted as well as

❙ an annual report drawn up.

Page 41: Governance structure of the Bundesbank – C 35: Security and Crisis Management (Division Organisation)

❙ Topic centre for questions concerning general security

❙ Design and maintenance of the security framework

❙ Business continuity planning, crisis management

Page 42: Governance structure of the Bundesbank – Internal Audit (Area II, Department Audit)

❙ The Internal Audit is directly responsible to one of the board members of the Deutsche Bundesbank. It is an independent entity – not involved in the working processes.

Page 43: Risk structure

Loss categories: Reputational loss, Financial loss, Damage to persons

Business Risks: Currency Risks, Interest Rate Risks, Liquidity Risks, Counterparty Risks, Gold price Risks

Operational Risks: Employee Risks, Technical Risks, External Risks

Risks shown under the operational risk branches: Primary Main-IT Risks, Critical Infrastructure, Maintenance Risks, IT Risks, Human Failures, Incorrect Conduct, Misallocation of Staff, Inadequate Qualification of Staff, Natural Risks, Negative Press Coverage, Dependencies on Third Parties, Legal Risks, General Security Risks

Page 44: Risk Management Process 1. Identification of risks

❙ Task of business areas

❙ Identification should be output-oriented with regard to the underlying task

❙ Root causes also have to be identified and documented

❙ Helpful information could be gathered from:

❙ Audit reports (internal as well as external)

❙ Test reports (IT systems)

❙ Incident databases

❙ …

Page 45: Risk Management Process 2. Risk Assessment

❙ As a basic principle, a risk at the Deutsche Bundesbank can result in the following three categories of losses: financial loss, damage to persons, reputational loss

❙ Each of these categories is evaluated for each risk, partly in a qualitative and partly in a quantitative way

Risk(Event) = Probability of loss occurring(Event) × Impact(Event)

Page 46: Risk assessment – grading scales

Risk likelihood grading scale (likelihood level – criteria: frequency of loss events)

5 - Almost certain: every year or more …

4 - Likely: once every 1-2 years

3 - Possible: once every 2-5 years

2 - Unlikely: once every 5-10 years

1 - Rare: less than once every 10 years …

If no observable events: qualitative criteria (fraud- and attack-oriented), graded from level 5 to level 1:

Motivation: personal gain … … … attracting attention (“making a point”)

Skills & knowledge: basic skills sufficient, knowledge not necessary … … … …

Collaboration: … … … … …

Traceability: … … … … …

Time and cost: < 1 day, < EUR 100 … … … > 1 year, > EUR 100 000

Page 47: Risk assessment – grading scales (impact)

Financial impact (level – definition):

Very high: 10.000.001 - 25.000.000 €*

high: 1.000.001 € - 10.000.000 €

medium: 100.001 € - 1.000.000 €

low: 10.001 € - 100.000 €

negligible: 1 - 10.000 €

Personal injuries (level – definition):

Very high: Numerous deaths

high: Individual deaths

medium: Life-threatening injuries

low: Major injuries

negligible: Minor injuries

Page 48: Operational Risk Management - CEMLA - Bundesbank’s methodology of ORM, crisis management and BCM ERM/Operational Risk Management • ERM is the overall process for early identification,

Risk assessment – grading scales

Impact – reputational impact

Level | Definition
Very high | The occurrence of an event can endanger the Bank's security for a lengthy period or cause critical damage to its interests. Examples: ❙ Criminal proceedings against individual members of the Bundesbank's governing bodies ❙ …
high | The occurrence of an event can endanger the Bank's security or cause major damage to its interests. Examples: …
medium |
low |
negligible | The occurrence of an event can be of disadvantage to the Bank's interests. Examples: …


Risk tolerance policy (risk matrix)

Rows – Likelihood of loss occurring: almost certain, likely, possible, unlikely, rare

Columns – Impact on overall loss: negligible, low, medium, high, very high
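As an added worked example (not code from the slides or from the Bundesbank), the likelihood and impact grading above applied to one risk in Python. The 5-step scales and their thresholds are the slides' own; the LossEvent record, the sample events, combining financial and personal-injury impact by taking the maximum, and the middle grade of the time-and-cost criterion are assumptions made here.

```python
# Added illustration, not code from the Bundesbank slides: scoring one risk as
# Risk = likelihood x impact on the 5-step scales shown on pages 46-47.
# Scale thresholds are the slides' own; the loss events are constructed here.
from dataclasses import dataclass

LIKELIHOOD = {1: "Rare", 2: "Unlikely", 3: "Possible", 4: "Likely", 5: "Almost certain"}
IMPACT = {1: "negligible", 2: "low", 3: "medium", 4: "high", 5: "very high"}
INJURY = {"minor injuries": 1, "major injuries": 2, "life-threatening injuries": 3,
          "individual deaths": 4, "numerous deaths": 5}   # personal-injury scale


@dataclass
class LossEvent:          # constructed record, not the Bundesbank ORM template
    loss_eur: float
    injury: str = "minor injuries"   # worst injury category in this event


def likelihood_from_frequency(events_per_year: float) -> int:
    """Frequency of loss events -> likelihood level (lower bound of each band)."""
    if events_per_year >= 1.0: return 5   # every year or more
    if events_per_year >= 0.5: return 4   # once every 1-2 years
    if events_per_year >= 0.2: return 3   # once every 2-5 years
    if events_per_year >= 0.1: return 2   # once every 5-10 years
    return 1                              # less than once every 10 years


def likelihood_from_effort(days: float, cost_eur: float) -> int:
    """No observable events: the slide's qualitative 'time and cost' criterion.
    Only the ends are fixed on the slide (< 1 day / < EUR 100 -> 5, > 1 year /
    > EUR 100 000 -> 1); grading everything between as 3 is this example's assumption."""
    if days < 1 and cost_eur < 100: return 5
    if days > 365 and cost_eur > 100_000: return 1
    return 3


def financial_impact(loss_eur: float) -> int:
    """Financial scale: 1-10.000 negligible ... 10.000.001-25.000.000 very high."""
    if loss_eur > 10_000_000: return 5
    if loss_eur > 1_000_000: return 4
    if loss_eur > 100_000: return 3
    if loss_eur > 10_000: return 2
    return 1


def assess(events: list, years_observed: int, effort=(30.0, 5_000.0)) -> dict:
    """Likelihood x impact for one risk. Impact is the worst of the financial and
    personal-injury scales; combining the two by maximum is an assumption here."""
    lik = (likelihood_from_frequency(len(events) / max(years_observed, 1)) if events
           else likelihood_from_effort(*effort))
    imp = max([financial_impact(e.loss_eur) for e in events]
              + [INJURY.get(e.injury.lower(), 1) for e in events] + [1])
    return {"likelihood": LIKELIHOOD[lik], "impact": IMPACT[imp], "score": lik * imp}
```

The score is the cell of the 5 × 5 matrix above; which cells are tolerated is set by the risk tolerance policy, which the slide does not spell out.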


Risk Management Process – 3. Risk Treatment

❙ Policy of risk avoidance and risk limitation while implementing preventive measures

❙ Principles, e.g.:

❙ Principle of hierarchy

❙ Editorial principle (to use a second set of eyes)

❙ Principle of separation of functions

❙ Principle that tasks, competences and responsibilities should be located within the same entity

❙ …


Risk treatment (diagram elements): actual risk position; risk and threat analysis; concept of measures (risk avoidance, preventive measures); residual risk; approval of the Executive Board

❙ Usually, there is no risk transfer

❙ Insurances are only used in law-driven issues


Risk Management Process – 4. Communication of risks

Risk reporting within the business areas

❙ Report within business area (hierarchy)

❙ Notification of loss

❙ Security relevant matters

❙ Compliance, money laundering, corruption

❙ Major projects

❙ ...

Centralised risk reporting

❙ Centralised annual risk report

❙ Periodical reports (e.g. daily report of market risks)

❙ Ad-hoc reporting if necessary


Centralised annual risk report

❙ Annual risk report according to our risk management framework

❙ The business areas have to examine their risk assessment.

❙ The results are aggregated by the ERM Office.

❙ Report to the board and feedback to the business areas

❙ The board has to decide whether additional mitigation measures should be taken or not.


RMS at the Bundesbank

Structure of the ORM template


Risk Management Process – 5. Monitoring of risks

❙ Monitoring is part of the internal supervision by the head of each unit

❙ Responsibility of business areas

❙ No formal KRI in place

❙ No centralised monitoring


Thank you for your attention!