OPERATIONAL RISK MANAGEMENT FRAMEWORK PRESENTATION

www.natbank.co.mw The Bank of the Nation National Bank of Malawi Operational Risk Management Framework Presentation


Structure of Risk Management Policy

Risk Management Policy

• Credit Risk Management Framework
• Operational Risk Management Framework
  - Operational Risk Policy
  - Operational Risk Loss Event Reporting Guidelines
  - Credit Operational Risk Boundary Events Guidelines
  - Operational Risk Incident Management Guidelines
  - Business Line Mapping Guidelines
  - Procedures for Filling Operational Risk Loss Event Reporting Template
• Market Risk Management Framework
• Liquidity Risk Management Framework

Operational Risk Management Policy

• Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
• Lays the framework for formal operational risk management architecture
• Establishes responsibility for OpRisk identification and analysis, planning for risk mitigation, management and oversight
• Purpose of the Policy: ensuring OpRisks to NBM are identified, analyzed, and managed to maintain them at an acceptable level

Roles and Responsibilities

• Board Risk Committee (BRC)
• Enterprise Risk Committee (ERCO)
• Senior Management
• Risk Division
• Internal Audit

Board Risk Committee

• Approves broad business strategies and policies that govern Operational Risk
• Provide guidance on the level of tolerance for Operational Risk
• Establish an appropriate structure and lines of authority for managing Operational Risk
• Monitor the Bank’s performance and the overall Operational Risk Profile
• Ensure the Bank takes necessary steps to identify, measure, monitor and control OpRisk

Enterprise Risk Committee (ERCO)

• Approve the operational risk governance and management structures of the Bank’s units
• Oversee limit breaches and their resolution
• Monitor Financial Performance against OpRisk Capital
• Review the framework regularly to ensure the Bank is managing OpRisk associated with New Products, activities and/or systems

Senior Management

• Implement OpRisk management framework
• Develop policies, processes, and procedures for managing OpRisk in all material products, activities, processes and systems
• Assign authority, responsibility, and reporting relationships to maintain accountability
• Clear communication of OpRisk policies to staff at all levels in the Bank’s units that incur material operational risks
• Enforce operational risk policies
• Policies, processes and procedures well-documented

Senior Management cont’d

• Implement strategies in a manner that limits operational risks associated with each strategy and ensures compliance with Laws and Regulations
• Maintain adequate systems and standards for measuring OpRisk
• Maintain a comprehensive OpRisk reporting and management review process
• Maintain effective internal controls and ethical standards
• Ensure prudent risk taking against the Bank’s OpRisk Capacity and Appetite + where appropriate initiating risk transfer to mitigate against imprudent levels

Risk Division

• Develop OpRisk policies, philosophies and methodologies
• Develop + oversee implementation of ORMF and risk control
• Develop + implement an OpRisk limit + capital allocation framework for OpRisk
• Monitor OpRisk utilization against hard limits and management action triggers on a regular basis
• If breaches occur, assess appropriateness + timeliness of corrective actions
• Submit reports to senior management + BRC
• Instances of non-compliance raised to Senior Management + BRC

Internal Audit

Periodically assess:
• Compliance with Banking Act and associated regulations
• The validity, reliability and integrity of operational risk information
• The valuation process, including the model validation process
• The safeguarding of assets in so far as operational risk control is concerned

Operational Risk Management Approach

1. Tolerance and Appetite

The bank has a low appetite and tolerance for the material operational risk it is exposed to. Currently, the operational risk loss and tolerance appetite is less than 0.1% of the Core Capital and the tolerance for breaches and fines is 0%.

2. Principles for Identifying, Assessing, Monitoring and Controlling/Mitigating OpRisk

A. Identification & Assessment
i. Risk and Control Self Assessments
ii. Risk Maps and Process Flows
iii. Risk assessment of new products, processes and systems

B. Monitoring
Monitoring techniques shall include:
• Risk and Control Self Assessments
• Key Risk Registers
• Key Risk Indicators

C. Control
• Escalation triggers
• Breach Logs and Near Misses
• Operational Risk Internal Loss data template

Basel II Operational Risk Categories

The categories include the following:
• Handling of internal and external frauds
• Employment practices + workplace safety
• Clients, Products + Business Practices
• Prevention of Damage to Physical Assets
• Ensure efficient + secure execution, delivery + process management

Other OpRisk Management Approach

• Appropriate segregation of duties, including independent authorization of transactions
• Reconciliation + monitoring of transactions
• Compliance with regulatory + legal requirements
• Documentation of controls + procedures
• Reporting of Operational losses + remedial actions
• Training + professional development
• Ethical + business standards

Measurement of OpRisk Capital Charge

The bank has adopted The Basic Indicator Approach (BIA) to measure the amount of capital charge that should be put aside to absorb expected operational losses and to protect the institution against unexpected losses that may be encountered in the normal course of business.

Business Continuity Planning

The Bank shall have a comprehensive business continuity planning (BCP) framework to prepare for disasters and ensure that it will ultimately continue with its business operations of providing services to customers. Disasters in various forms, including fire outbreaks, flooding, civil disturbances and equipment failure, can render our bank unit premises (together with their contents) not available for use.

BCP Continued

The BCP process shall include the following:
• Business impact analysis (BIA)
• Classification of operations and criticality analysis
• Development of a BCP and Disaster Recovery Procedures (DRP)
• Training and awareness program
• Testing and implementation of plan; and
• Monitoring.

SESSION 2

OPERATIONAL RISK INCIDENT MANAGEMENT GUIDELINES

OpRisk Incident Management Guidelines

Purpose

• Ensure operational risk incident management process is fit for the purpose, but also enables compliance with regulatory requirements including the qualifying criteria for the Advanced Measurement Approach;
• Ensure incident data collected is sound in terms of validity, completeness, accuracy and timeliness to ensure that it may be used to manage incidents, assist management in decision-making and be used in scenario analysis, risk and control self-assessments, key risk indicators and capital modeling;

Purpose Continued

• Aligns relevant definitions, including the basis for reporting gross and net losses, and ensures that they are used consistently across business units in the bank
• The current capital charge under the BIA, which is 15% of Gross Revenue, is high compared to Advanced Approaches if we adopt these good data collection methods

Roles and Responsibilities

1. ERCO
• Set the tone from the top to promote a transparent culture where all staff are encouraged to report incidents while promoting a culture of accountability to avoid a blame culture
• Assess the adequacy of actions being taken to address material incidents or trends of incidents
• Ensure that the criteria being used to assess the materiality of each incident type are consistent with their operational risk appetite/tolerance

Roles and Responsibilities Continued

2. Business Units shall:
• Ensure that all their staff members are aware of this policy and adhere to its minimum requirements
• Ensure that OpRisk incidents are identified and recorded as soon as the incident is recognised to have occurred
• Define action plans for those incidents (individually or in aggregate) that highlight risk exposures or control weaknesses beyond an acceptable level
• Promote a culture of transparency where staff are encouraged to report incidents

Roles and Responsibilities Continued

3. Risk Division shall:
• Develop and maintain the incident management methodology that ensures that incident data is adequate to meet both internal management/business needs as well as the qualifying criteria for the Advanced Measurement Approach
• Maintain a central database of all incidents captured across the bank
• Oversee the compliance with the policy and methodology by all units
• Develop a bank-level materiality matrix comprising thresholds for the escalation of OpRisk incidents based on materiality and significance

Minimum Requirements

A. Identification of a Reportable Incident
• Incidents must include financial and non-financial impacts, and also incidents which could potentially lead to such impacts
• All incidents which result in financial impact in excess of a minimum amount must be treated as reportable incidents
• All financial crime incidents, irrespective of value, must be recorded to facilitate consideration for investigation by the Investigations Manager.
• For incidents which do not result in a direct financial impact, an incident shall be treated as reportable if it reflects a failure of a key control, or an inadequacy of the control framework or operating model, which raises lessons to be learnt. As this remains a judgemental area, if there is any doubt over whether an incident is reportable, Operational Risk shall provide case by case guidance on how to treat each incident.


Minimum Requirements Cont’d

B. Reporting an Incident
• All staff members are required to report operational incidents except for fraud, forgeries and losses to Risk Division (RD), as soon as possible and at least within 48 hours after the incident is recognised.
• Anyone who identifies a reportable incident should use the incident reporting form to report the incident to RD.
• In the event that the incident reporting form cannot be completed within the 48 hour deadline, then an e-mail notification of the incident should be sent to RD and the form completed as soon as possible thereafter.


Incident Capture and Classification

• All reported incidents shall be maintained within a central incident database administered by RD
• Operational Risk shall ensure classification of each incident in accordance with the data requirements prescribed within the central database. This will include classification against each of the prescribed taxonomies.

Measurement of Impact

The impact of an incident must be measured in a consistent manner by all BUs, based on the loss measurement methodology provided by RD. This will include the following key elements:
• Gross loss: The loss incurred before mitigation or recoveries. Gross Loss amount is a key input into the capital model as well as a regulatory requirement. The gross loss amount of an incident must be recorded
• Net loss: The loss incurred after taking into account recoveries from clients, insurance or other sources

Data Quality + Completeness

• Each unit is responsible for the completeness and accuracy of incident data reported to the central database. Business line management must review and sign off all incidents reported.
• A validation between the incidents reported to the central database and the general ledger will be performed.


Losses that materialize over time

In some cases, an incident can span several reporting periods. Additional recoveries or losses relating to the incident must be linked to the original incident, and the date of capture to the general ledger is a key requirement. A typical example is legal cases.


SESSION 3

OPERATIONAL LOSS EVENT REPORTING GUIDELINES

Operational Loss Event Reporting Guidelines

Purpose:
• Formalize and document NBM’s Operational Loss Event Reporting
• Ensure effective and comprehensive reporting and classification of loss events that can be attributed to operational risk in line with Basel II regulatory requirements, governance requirements, risk management principles, policies and international best practice
• Fulfill the Bank’s legal and statutory obligations

Roles and Responsibilities

1. Enterprise Risk Committee (ERCO)
• Ensuring that systems, processes and procedures are in place for the recording, monitoring, reporting and reviewing of operational loss events, as defined by regulatory or group requirements; and
• Monitoring and analyzing operational risk trends

Roles and Responsibilities continued

2. Risk Division (RD)
• Creating awareness of the requirements of this policy
• Monitoring implementation of this policy and supportive procedures by management
• Regular reporting of operational loss events, as defined by regulatory or business requirements
• Liaising with Finance Division officers to validate direct losses (per loss database) associated with operational loss events in the general ledger.

Roles and Responsibilities continued

• Record-keeping of operational loss events
• Validating the correctness of regulatory classifications of loss events

3. Heads of Division/Service Centre Mgrs
• Reporting, escalating and signing off operational loss events, as defined by regulatory or business requirements
• Creating awareness of the requirements of this policy within their area of responsibility

Roles and Responsibilities continued

• Implementing or adjusting business processes to meet the requirements of this policy
• Implementing appropriate action plans or controls to address systemic control failures

Operational loss event reporting principles

1. Open Risk Culture

The Bank promotes an open, positive and non-punitive approach towards operational loss event reporting and has therefore adopted an open practice policy to encourage staff to report on operational loss events. The Bank is aiming to ensure that employees feel comfortable in reporting operational loss events in the knowledge that the information provided will be treated constructively and shared only as appropriate.

No disciplinary action will be taken against an employee reporting a loss, unless there has been a breach of law, dishonesty or willful negligence.

Reporting Requirements

It is the policy of the Bank to report any operational loss event that meets the criteria for being an operational risk direct/indirect loss or a near miss


SESSION 4

CREDIT OPERATIONAL RISK BOUNDARY EVENTS GUIDELINES

CREDIT OPRISK BOUNDARY EVENTS GUIDELINES

Purpose:
• Is intended to complement and give effect to the principles outlined in the Operational Risk Incident Management Policy in respect of all boundary events
• Establishes a set of core principles to drive the identification, monitoring, and reporting of credit risk boundary events within the bank, ensuring alignment to regulatory requirements and industry best practice

CREDIT RISK

Credit risk is the risk of loss due to counterparty default. It is understood that, for capital purposes, any write-down value due to loss of recourse may be considered credit loss.

Credit Risk Boundary Event

Operational risk incidents and losses which occur within the credit risk regime (process) and which may on occasion be commingled with credit risk losses.

Control Failure

For management information purposes all Operational Risk / Credit Risk boundary events are to be classified as one of the following:
• Opening account document problems
• Input into Credit scoring system incorrect / manipulated
• Non-compliance with policy
• Non-compliance with processes
• Non-compliance with legislation
• Non-Compliance with conditions of Grant
• Security lost/not enforceable
• Facility letter incorrect
• Facility captured incorrectly
• Faulty valuation methodology used
• Mandate exceeded

Operational Risk

Operational Risk is the risk of loss suffered as a result of inadequacy of, or a failure in, internal processes, people and systems or from external events. This includes information risk and legal risk, but excludes reputational risk and strategic risk.

Roles and Responsibilities

1. Business Unit Management
• Ensure that Credit Risk boundary events, i.e. Type 1 and 2, are reported through to the relevant Business Unit and Risk Division immediately upon identification;
• Ensure that a detailed explanation of the loss is prepared
• Ensure that the root causes are understood and appropriate remedial actions are taken in response to lessons learnt

Roles and Responsibilities Cont’d

2. Risk Division
• Facilitate a discussion around the underlying causes of the reported credit risk boundary event;
• Undertake a review of Business Unit data in order to ensure that all data regarding credit risk boundary events have been duly reported

Roles and Responsibilities Cont’d

• Establish whether the reported credit risk boundary event was correctly categorised by Business Unit Management;
• Quantify the portion of the credit risk boundary event attributable to the operational risk incident:
  - The rationale used for the attribution must be clearly documented; and
  - Such attribution must be approved by the Heads of Risk and Credit;

Roles and Responsibilities Cont’d

• Ensure that the credit risk boundary event is properly captured on the Operational Risk Loss Data Reporting template; and
• Ensure that the Business Unit is taking the relevant action to address the root causes of the incidents

Roles and Responsibilities Cont’d

3. Enterprise Risk Committee (ERCO)
• Consider items raised to it and advise on the relevant classification between the event types defined in this policy;
• Consider losses referred to it by the Business Units and decide on the appropriate attribution of the loss amount

Roles and Responsibilities Cont’d

• Ensure such decisions are consistent with the treatment of any similar items;
• Ensure that the rationale and assumptions pertaining to such an attribution are clearly documented and available for independent scrutiny
• Monitor and report non-compliance with the policy to the Board Risk Committee
• Undertake an annual review of these guidelines and underlying methodology to ensure they remain fit for purpose and practical to implement

Minimum Requirements

• Each Business Unit must institute a process in order to identify, monitor and report all material operational risk incidents which are related to credit risk
• The Business Unit management, in conjunction with Risk Division, must ensure that the incident is captured onto the Operational Risk Loss Data Reporting template and “flagged” as a Boundary Event. The incident report should also comply with the requirements for any operational risk incident set out in the Operational Risk Incident Management Policy.

Minimum Requirements

• Where there is a material loss arising from the operational risk component of a credit related incident, this amount must be separately identified in accordance with this policy and separately recorded as an operational risk loss in the operational risk loss data reporting template
• However, this loss must be excluded from the operational risk loss data set which is used for operational risk capital modeling purposes

Identification + Classification

Type 1 – Operational Credit Risk Boundary Event
Where there has been an operational risk incident related to a credit process resulting in a loss but where the loss is not related to the credit worthiness of the counterparty, the event is to be treated as an operational credit risk boundary event;

Type 2 – Operational Risk / Credit Risk Boundary Event
In the case of a loss that arises due to the credit worthiness of a counterparty but where an operational risk incident has contributed to the severity of the loss, the event is to be treated as an operational risk / credit risk boundary event;

Identification + Classification

Type 3 – Credit Risk Event
In a case of a loss wholly related to the credit worthiness of the counterparty, it is to be treated as a credit risk event with no further implications for operational risk reporting; and

Type 4 – Operational Risk Event
Where there has been an operational risk incident not related to a credit process and not resulting in a credit default, the event is to be treated as a pure operational risk event. The total amount of loss is to be classified as operational risk loss. The incident is to be captured as an operational risk loss.