Operational risk - the risk of loss resulting from inadequate or failed internal processes, people and
systems, or from external events - can be subdivided into a number of elements, each of which can be further divided
into key risk factors:
| Elements of operational risk management | Key risk factors | Examples |
|---|---|---|
| 1. Organisation risk | Corporate governance Required organisational set-up<br>Clear tasks and responsibilities | Authority, adequate information flow, clear reporting lines, overview.<br>Segregation of functions, dual control, audit, risk control.<br>Guidelines and procedures, documented, achievable, accountability. |
| 2. Information Technology risk | Technology investment risk<br>Development and implementation<br>Project risk<br>Reliability<br>Continuity<br>Recoverability<br>Availability<br>Performance<br>Confidentiality<br>Controllability / auditability<br>Capacity<br>Infrastructure | Cost / time overruns, definition of business requirements.<br>Availability and usage of standards, documentation, user acceptance.<br>Manageability, effectiveness, efficiency.<br>Correctness, completeness, timeliness.<br>Fall back, contingency.<br>Criticality.<br>User satisfaction, capacity, integration with systems / processes.<br>Logical and physical access controls, privacy, encryption.<br>Logging of activities.<br>Ability to perform tasks.<br>Compatibility, transparency, upgrading possible. |
| 3. Human Resources risk | Quality of management<br>Integrity Recruitment<br>Development<br>Competence Retention<br>Appraisal<br>Release<br>Capacity<br>Key personnel | Leadership skills, integrity, risk awareness.<br>New hires, years of experience, competence.<br>Availability and usage of HR strategy and policy, training, code of conduct, understanding of product.<br>Availability and usage of HR strategy and policy, training, code of conduct, understanding of product.<br>Clear objectives, uniform.<br>Wrongful termination.<br>Ability to perform tasks.<br>Potential loss of clients or business. |
| 4. Processing | Procedures<br>Efficiency<br>Effectiveness<br>Working methods<br>Checks and balances<br>Input error<br>Model risk<br>Recording<br>Privacy and confidentiality<br>Internal reporting<br>External reporting | Documented, up to date, ownership, in line with standards.<br>Cost vs. budget.<br>Realisation of objectives, satisfaction.<br>Authorised, limit adherence, according to prescribed procedures.<br>Timely reconciliations, independent valuations.<br>Wrong data, incorrect input, incorrect marked-to-market.<br>Inappropriate parameters, incorrect programming, invalid assumptions, mathematical errors.<br>Logging.<br>Clean desk, Chinese walls.<br>Present, relevant, error free, actively used by management.<br>Regulatory, financial, tax reporting. |
| 5. External event risk | Natural disasters<br>Civil disasters<br>Outsourcing / supplier risk<br>Political risk<br>Changed legal / political environment<br>Liability risk<br>Business disruption risk | Accidents, fire, flood, storm, earthquake.<br>Terrorist acts, revolt.<br>Level of dependency, monopoly with providers, misuse of confidential data, breach of service level agreement.<br>War, expropriation of assets, business blocked, financial market disturbances.<br>Changes of regime (e.g. by tax or regulatory authorities).<br>Lawsuits (from e.g. customers, suppliers, government).<br>Energy failure, external telecommunications failure, failure of transports. |
| 6. Criminal risk | Internal / external fraud<br>Money laundering<br>Corruption<br>Theft / robberies<br>Personal safety<br>Terrorism / vandalism<br>Intentional breaching of bank standards and values | Theft, embezzlement, misappropriation, forgery.<br>Clients with questionable dealings / reputation.<br>Bribes (gifts or money).<br>Loss of assets, casualties, physical security.<br>Hostage taking, kidnapping and extortion.<br>Arson, bomb.<br>Front running, insider trading, rogue trading, sexual harassment, market manipulation, immoral behaviour. |