Title in Arial regular 36 pt.
Operational Risk Risk Appetite & Operational Excellence Catherine van Doorslaer Operational Risk Manager at ING Belgium Catherine van Doorslaer – Short Bio • 1990-1996: – University degrees (Namur, Leuven, Louvain-laNeuve) in Economics and International Politics • 1997- 2000: Banca Monte Paschi Belgio • 2000-2003: ING Credit Risk Analyst • 2003-2014: ING Operational Risk Manager – – – – Set up of ORM framework within ING Belgium Team Manager for ORMers (Business Advisory) Scenario Analysis and Risk Assessment Entreprise Risk Management 2 Agenda • ING Belgium in 2 slides • Operational Risk – A young discipline with a lot of dilemmas – Risk Cartography : Risk & Event dilemma – Completeness : The pixel dilemma – Risk Appetite • Operational Risk vs Operational Excellence • Operational Risk – Sharing some trends – Image & Social media – Controls & Communication – Cybercrime • Need for some “industry approach” – Physical security – The next challenge? 3 Online channels made easier Home’Bank: new accounts overview Tablet: launch of ‘Smart Banking’ Home’Bank Plus: sign a business credit online Mobile: ordering ING Visa Classic with ‘MyING.be’ 5 ORM – a young discipline Risks of a bank Credit Risk Credit Risk Market Risk « Operational risks » Basel 1 (1988) Credit Risk Market Risk Basel 1 (1995) Credit Risk Market Risk Operat. Risk Basel 2 (2004) Residual risk 6 Basel II • Context – The increased competitive environment has pushed the various industries to venture into new markets and new products which has increased the complexity of their operations and consequently their risk profile. A deeper analysis of all risks is a necessity. Adequate management and supervision of operational risks is one of the big challenge within the banking industry. – 9/11 has put increased focus on Financial Economic Crime (FEC) a.o. terrorism financing (Compliance) – Financial crisis has put the focus on operational risks with an increased attention to fraud related risks • Definition of Operational Risk – The Basel Committee defined operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events”. The definition includes legal risk but excludes strategic and reputational risk. The nevertheless, the latest is often included by banks (case of ING). 7 Basel II • Basel II – Capital Measurement – Basic approach • 15 % of income – Standardised approach • capital = * gross income per business line, with between 12% and 18% depending on business line (Corporate Finance, Trading, Retail,…) – Advanced Measurement Approach • Need for compliance with quantitative & qualitative standards, such as incident reporting history of 5 years, independent ORM function, implication of Senior Management, written policies and procedures and active day-to-day ORM – 4 quantitative building elements – – – – 8 Internal Loss data External Loss data Scenario Analysis Business Environment & Internal Control Factors Operation al & Complian ce Risk Basel II – Next to this definition, the Basel Committee defined (7) operational risk events that are commonly considered as having the potential to result in substantial losses and that help to refine the definition of Operational Risk: • • • • • • • Internal Fraud External Fraud Employment practices and Work place safety Clients, products and Business Practices Damage to physical assets Business disruption of system failures Execution, delivery and process management – Institutions can adapt these categories to build their own model. 9 ORM – Risk & Event Dilemma • Literature – All guides related to Operational Risk advises you to start by establishing your « risk cartography » based on existing processes – Identify the possible events (impact/likelihood) to prioritize your risk mitigation/management activities Whatever the root cause… you’ve lost your building! That’s the risk… 10 ORM – Risk & Event Dilemma • Each event can be placed on a impact/likelihood matrix • At the end how will you evaluate the overall risk independently from the cause… Our approach: • • • • Be sufficiently alert in defining the most probable event. Agree on impact. Define an « average » likelihood in order to have something realistic vs experience and expectations Yearly expected loss as a 2nd check 11 ORM – Completeness – The pixel dilemma • All organizations are more and more complex • After the bank crisis, all parties (regulators, external auditors, … board of directors, …) want to have a complete view on all risks at a very granular level • Two dilemmas to handle : 12 ORM – Completeness – The pixel dilemma – Keep the overview despite an increasing number of risk points 13 ORM – Completeness – The pixel dilemma – Avoid to make a risk appear (absurdly) bigger than it is 14 ORM – Completeness – The pixel dilemma 15 ORM – Completeness – The pixel dilemma Risk Management vs Risk Measurement 16 ORM – Completeness – The pixel dilemma Our approach: • • Standard Risk Library Detailed issue & action tracking but aggregated measurement and test results (e.g at value chain level) 17 Risk appetite • Where do you place your call for action? – Keep business aligned – Risk Profile / max Hit / 1 in 10 / Scenario – Integrate the Pixel dilemma in the picture Our approach: • • • • • Relates to gross income at entity level Based mainly on risk profile but other concepts are now being integrated Attention given to scenario but in separate view Split between risk area still to be fine-tuned Some recurring discussions • Discussion on profile vs incidents • Losses vs behaviour • How to quantify (& measure) the reputational risk… 18 Operational Risk & Operational Excellence • Still seen as two separate (and parallel) journeys… and often perceived as the best enemies • Operational Excellence focuses mainly on Processing ensuring an acceptable “Processing Risk” often without looking at the other risk (Lean, 6S, ...) Our approach : • 10 Risk areas • Compliance, Control, Personal & Physical Security, Internal Fraud, External Fraud, Unauthorized Activity, Employment Practice Risk, Processing Risk, Business Continuity Risk, IT Risk • Bringing both together is a key factor for success and long term savings 19 Operational Risk & Operational Excellence • As reducing one risk will increase another one… you best have to find the right balance as from the beginning and regularly re-challenge this balance as environment is also changing – Need an holistic view on the risks… – Many saving programs lead to serious investments once the holistic view is taken Example: • • Payment Name & Address Check Following the law can not be enough… • Solution? ERM • Identify and manage risk across the End-to-End Process 20 Operational Risk & Operational Excellence • Imagine that you improve the following process with the fuel consumption as only focus… 21 Operational Risk – Sharing some trends & feelings • Image & Social Media – Incidents are known by the whole community – Social media is used to complain with exponential exposure – Image/Reputational impact is huge Our approach: • • • Proactive follow-up of discussions about our company Dedicated team to ensure proper communication Pro-active media scripts part of incident management 22 Operational Risk – Sharing some trends & feelings • Controls & Communication Case: In 2010, ING Belgium has been targeted by fraudster due to a higher default limit on their debit card (weekly limit vs day limit). Analysis of the incidents has shown that people above 60 were also specifically targeted. As temporary solution, it has been decided to reduce the default limit of this group of clients. Wrong communication lead to strong reactions in the media and complaints related to discrimination. Control was right but was not sustainable due to wrong communication… In the meantime default daily limit (applicable for all customers) has been implemented without any reaction. 23 Operational Risk – Sharing some trends & feelings • Cybercrime – Global risks requiring an industry broad approach (e.g. awareness) Case study: • Awareness campaign built with Febelfin (Association of Belgian Banks) 24 Operational Risk – Sharing some trends & feelings 25 Operational Risk – Sharing some trends & feelings • Physical security challenge – Staff & Clients – Human become more and more the easiest “point of failure” – Reduction of cash has lead to soften the physical protection… is this right? 26 Thanks for your attention