End-to-end for effective operational risk management ...¸„ุณกมลรัตน์-1...Group of Operational Risk Framework and oversight all In her last role, she was the

An End-to-End Process Approach for effective Operational Risk Management

12 November, 201712 November, 2017

BioKamonrat joined Kiatnakin Bank in February 2011, as Senior Vice President - Department Head of Operational Risk Management. As such, she is responsible for implementation of KiatnakinGroup of Operational Risk Framework and oversight all

In her last role, she was the head

of operational risk management;

responsible for implementing of

KGroup operational risk

management framework.

For Education Backgroud, she Framework and oversight all credit ,non-credit ,and investment products related operational risk exposure. This includes IT and Cyber Risk.

Prior to Kiatnakin Bank, she worked at KBank for five years

KamonratKharawamit

SVP, Head of Operational Rsik

For Education Backgroud, she

graduated from Chulalongkorn

University, Accountancy Faculty.

In 2003, she was granted a full

Thai Government Scholarship to

study in USA and graduated

from Cornell University ; Master

Professional Studies in Applied

Statistics in May 2004.

Agenda

• Definition of Operational Risk and Loss Event

• 2017 COSO ERM Updated Framework and Key Changes

• Key Success Factor in Operational Risk Management

• End-to-End Process Approach

Credit Risk is the risk of default on a debt that may arise from a borrower failing to make required payments. In the first resort, the risk is that of the lender and includes lost principal and interest, disruption to cash flows, and increased collection cost.

Market Risk is the risk of losses in positions arising from movements in market prices

Operational Risk is the risk of loss resulting from inadequate or failed

Types of Risk

increased collection cost.

Liquidity Risk is the risk that a company or bank may be unable to meet short term financial demands. This usually occurs due to the inability to convert a security or hard asset to cash without a loss of capital and/or income in the process

resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition includes legal risk, but excludes reputational risk

Strategic Risk is a possible source of loss that might arise from the pursuit of an unsuccessful business plan. Making poor business decisions, from the substandard execution of decisions, from inadequate resource allocation, or from a failure to respond well to changes in the business environment

What is operational risk?

“ Operational Risk is the risk of loss resulting from inadequate or failed internal “ Operational Risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This definition includes legal risk, but excludes reputational risk”

Types of Operational Risk

Process

Operational Risk Categories (BIS)

Cause

1. Internal Fraud2. External Fraud

ImpactImpact

People

System

External Factor

2. External Fraud3. Employment Practice and

Workplace Safety4. Client,Product, Business

Practice5. Damage to physical Asset6. Business Disruption &

System Failure7. Execution, Delivery, Process

Management

Operational Loss

Cyber AttackBangladesh Bank

Soc Gen, KervielInternal Fraud

Clients, Products, & Business Practice

Damage to Physical Assets

Business Disruption & Systems Failures

911 Attacks �� 2547��

�� 2554

��!""#��

Bangladesh Central Bank: US$ 81 Million Cyber-Attack

The Federal Reserve Bank of New York

• Took place in February 2016, when instructions to steal US$951 million from Bangladesh Bank, the central bank of Bangladesh

• Be issued via the SWIFT network

• Five transactions issued by hackers, worth $101 million and withdrawn from a Bangladesh Bank account at the Federal Reserve Bank of New York, succeeded, with $20 million traced to Sri Lanka (since recovered) and $81 million to the Philippines (about $18 million recovered)

• The New York Fed blocked the remaining 30 transactions, amounting to $850 million, at the request of Bangladesh Bank

• It was identified later that Dridex malware was used for the attack

Atiur Rahman, Governor of Bangladesh Bank who resigned from his post in response to the case

Unauthorized Cross-Selling and The Creation of Fake Accounts

John Stumpf, former CEO of Wells Fargo

• Employees were encouraged to order credit cards for

pre-approved customers without their consent, Employees also created fraudulent checking and savings accounts

• It has found a total of 3.5 million potentially fake bank and credit card accounts, the review found 528,000 potentially unauthorized online bill pay enrollments

• Bank was fined $185 million to settle three government

lawsuits over the bank’s creation of sham accounts

• The bank fired approximately 5,300 employees between 2011 and 2016 as a result of fraudulent sales

CEO of Wells Fargo

Who is Jerome Kerviel

Rogue Trading: SOC GEN Societe Generale

• Jerome Kerviel was a junior level derivatives

trader at Societe Generale, one of Europe’s largest banks

• Kerviel had been trading profitably in • Kerviel had been trading profitably in

anticipation of falling market prices; however, they have accused him of exceeding his authority to engage in unauthorized trades totaling as much as €4.9 billion (US$7.2 billion)

• Thousands of trades were hidden behind offsetting faked hedge trades

World Trade Center Attack, Collapse 9/11

These are losses incurred by damages caused to physical assets due to natural disasters or other events like terrorism and vandalism. Rapid and unexpected changes in climatic conditions have been a constant cause of concern in the business world for more than a decade in recent history..

Internal Fraud: $�� %�� 499 #��"��

�� 499,272,777.95 �� 2552

Background:• ��& 33 �• ()�*+��-�+��/0��1&23 ��4-)�3�� xx 6�7�� xx• �)��/03�� xx 3��8/�1 ��1:� 9 � (�;�*( �.�. 2542 <=� �.7. 2552

7&>3?��(:• ��1�:��8/�8 2 �@� A?�7�?/��41�(��&-�(• ��1�:��8/�8 2 �@� A?�7�?/��41�(��&-�(• �1�:�7B>+��:� 7 +:��A828��/0A?(��C�7�D0��78�:�

��:4��/�8:• 3��7��C-��4� ��EC/8��/;�-��F��4-)� ��3�� A *:43��B -)�1 419 �� 1? 499.27 :�� *:43��F��EC/��(�� +�D�IB�/0��/0�1��-)�1�8/�1�� 4+1��1��/0 20 �.�. 2551 <=� 20 �?.�. 2552• ��<B�2�� ATM -��EC/8��/;�-��F��4-)� �� 3�� A *:43��B A��EC/��(�� +�D�IB�/0��/0�1��+:��6�7��3��?3*71� 1�:4 30 �� :4 30,000 �� 1?��1�:4 700,000 - 900,000 �� &�1� ��1:� 1 �7�=0� 28��O��1:�+:��:�� C1��/0�4��A?�8 �0��)��&-�(�/0�7�D0��7�?�1�(��(28�A??/�7�3�3��

�4�4�1:�:• �4�4�1:��/0�)��&-�( 1 � 5 �8D�

Damage to Physical Assets: �� 2554

�� 2554 �� !�"��#�� $ ��%&�'�� (��" ��)��!" ��#�* ��"�+��!"�� "��(��"�� 7 �� -��!� &�'� �.�#��/�� 5 �� '��"/��# 2 �� "#$��!"��'"�0 840 $�� "3� � !�"��#��!" 237,410 ��7��

Damage to Physical Assets: ��'�� #()��*#��'� � 2547

• �+(&��>7:/03/�?�/0��8�=;��4��OA�� 2547 3�I:��4��&*��(�D;�/0 �7�( 6 -��+1�8 7D� B��R( �� 4�/0 �4�� 3(B: *:4(�� +�� 6��?C�(7��;��0��+E @=0�A?�7��S?��4��OA�� 71�?3BE�3/��+E+:1�8��:�1 *?�� -4-)��8��B�T��4��1>C��F��4�:�� 6 -��+1�8 �7�(��; *(?+�( ��7��;�/;�RA83�I:��4��4��D�(��O�WX�-A��28��1?��B��?��81�

• �31��6�7��/0��B��(�D;�/08��:�1 I:��4��;�)��+6�7��(��4��O�8�)��3��D;�/0 �1?��;�(B ATM *:4�B6*:��:/0��(��(��4��O�3/�+�� 71�?�3/�+��;��3�I:(�:B�7�3�CD0��6�7��81�

Damage to Physical Assets: ��

1��/0 7 �.�. ��8�+(&��:�A+?6�7�� 3)��+E 28�-&8(��:��B�/0��1>C�; 10 ��7�� A @=0��+��R��3�� -��71�?�3/�+��/0��8�=;�)��+3)��(�;�*( C�; 9-11 ��871�?�3/�+�� 7�871�?�3/�+��4?�> 100 :��

1/2

Damage to Physical Assets: ��

*I��+��71�?�3/0��-��+(&��>AZA+??�(��(�?*I3)��T&��T��+��)��: /�� * �9��+��:;��&:;��7��3 ��0#&��.= ��+��#;* ��7��'�7 ��-� �(�#�"�>��#;�)��: �)��7&��"��>�?�7�(��* ��(��:;��*"(� +� ��-�8��R��?B:*:4��3��3)�7�E: /�� "#��-� (��.3��+�"3��'��)� �� $ �"#��)��)��'��A7��(�'�>��#; $ ��(�'�>��#;"#��."#��*"(;)�!� 20 �$��"(��)��'��: /�� * �)��'�� !�"��#;��&��-)��!��'�� 10,510 �7.

2/2

Operational Loss : Banking Industry• In banking industry, Operational Loss had occurred up to 23,061MB over three consecutive years while average

per year was 7,687 MB. Large Bank tends to have 3 year average significant OpLoss than others; 5,662MB.

OpLoss 3 Year Total

Industry = 23,061 MB

OpLoss 3 Year Average

Industry = 7,687 MBL

M

L

M

• Comparing to OpRisk capital; which calculation is mainly based on GROSS INCOME factor, % OpLoss/OpRisk capital was about 13%. The number tends to have higher proportion in bank with small sizes.

Unit: MB

%OpLoss to Capital

Industry = 13%

Unit: MB

L

M

S

M

S S

• OpLoss control in term of Risk management, have an influence on OpLoss decrease and gap expansion between profit and loss

4,643

*

Impact of Risk Management to Organization’s performance

* Estimate 12-Month Net Profit & OpLoss

*

No. of Event (#)

Net Profit (MB)

OpLoss (MB)

586

620536

413267

220 **

** Estimate 12-Month OpLoss Event

Agenda





2017 COSO : Enterprise Risk Management –Integrating with strategy and Performance

�The Original Framework is widely accepted and used to enhance and organization’s ability to manage uncertainty and to consider how much risk to accept as they strive to increase stakeholder value”

Why update the 2004 Enterprise Risk Management – Integrated Framework

“Since 2004, the complexity of risk has changed, significant new risks have emerged and boards have enhanced their awareness and oversight of risk management; therefore, updating to framework provides greater insight into strategy and the role of enterprise risk management in the setting and execution of strategy, enhance the alignment between organizational performance and enterprise risk management”

Explore how ERM practices support identification and assessment of risk that may impact performance

No longer focused on preventive the erosion of value and minimizing risk. It is viewed as integral to strategy setting and the identification of opportunities to create value

2017 COSO ERM : Key Changes

Alignment between

performance and ERM

Emphasizes relationship between risk

and value

Expand three concept1. The possibility of strategy and

business objective not aligning with mission, vision, and value

2. The implication from selected strategy

3. Risk to executing the strategy

Risk is not positioned as a separate activity. It is presented through the lens of supporting an organization’s operations, managing performance

and ERM and value

Focus on the integration of

ERM

Elevates discussion of strategy

The role of risk in strategy selection

• Risk is a consideration in many strategy-setting processes. But risk is often evaluated primarily in relation to its potential effect on an already-determined strategy.

• 2017 COSO will emphasize more on these concepts

• The possibility of the strategy not aligning with an organization’s mission, vision, and core values

• The implication from the strategy chosenThe implication from the strategy chosen

• Risk to executing strategy

A Focused Framework

Benefits of Effective Enterprise Risk Management

Increasing the range of opportunities

Identifying and managing risk entity-wide

Both positive and negative aspects of risk management can identify new opportunities and unique challenges

A risk can originate in one part of the entity but impact different part. Management identifies and manages entity-wide risk to improve performance

Benefit of Effective ERM

Increasing positive outcomes and advantage while reducing negative surprise

Reducing performance variability

Improving resource deployment

ERM helps improve ability to identify risk establish appropriated response, reducing surprises cost & loss

ERM allows organization to anticipate risk that would affect performance and enable them to put proper action

Obtaining robust information of risk allows management assess, overall resource needs, prioritize and enhance resource allocation

Agenda





Key Success Factors for Effective Operational Risk Management

1. Good Governance

Structure

2. Effective ORM Tools

3. End to end risk Management & Integrated Tools

4. Embedding ORM to Day to Day Operation

& Activity

Effective

ORM

Operational Risk Owner Under Three Lines of Defense

Manage day to day Operational RiskORM Framework and

Policy setting

Independent challenge and review of control

effectiveness

Business Unit Supporting UnitRisk ManagementCompliance Unit

Internal Audit

1st line of defense 2nd line of defense 3rd line of defense

• Risk Owner• Identify, Assess, Monitor and Report their own risk

• Establish risk policy and framework• Facilitate and monitor implementation of effective risk management practice

• Independent review of control effectiveness

Effective Operational Risk – Reporting Line

Example : Operational Risk – Reporting Line

RMCManagement Committee

Board of Director

New Product & Process Change Committee

�� RMC �� !"��#��

�� $��#%�&'(/�� *�+� ��!��*!��+�� % ��,� � ��!-�.!� �� # ��/0,(��,� � �*�+�� 0�� +�� *�+% ��++�� 0��1 ��

ORC

Committee


1. Good Governance

Structure


3. End to end risk Management & Integrated Tools

4. Embedding ORM to Day to Day Operation

& Activity

Effective

ORM

Standard Operational Risk Tools

Operational Loss Data Key Risk IndicatorsRisk & Control Self Assessment

• ��'�"��(��$ ��9 1. ��'�7��0+��&�� 2. ��+�"3�-�� 3. !�"��#��#;�� +D�� #(4. ��(��0�#;�� +D�� (��"��>

�� !�"��#��*!* • +�"3��#;��'�"�� * � ��(� ��(��0 !�"��#�� & $�� '��-� ��

• �� Indicator �&:;�(� (�"/ !7 �"/ � !�"��#��)� ��#;* -� LD & RCSA • �9�� Early Warning ��' �7��!�� & ��

• ��-� �A7+�"3� Loss/Near Miss• ��$ � ORM Co +��!��

Operational Risk Loss Reporting

BU/SU ��

Action Plan ��*��*

2� �� !"��#�� #3/!�+��(�� 34��+�� /�� *�+� �#/�� 0��

$�� 3�1 �� action plan 0�� +�� $� ��+�� *�+#��# �� !"��#�� =

��+,-� *�� Loss /Near Miss 4� ORM Co

BU/SU

Action Plan ��*��*

RMC / Management :��+;��*

��*��- ��<=� ��

>��:��-� *��=?�@��A��B Capital

33

!�+A��(�� B �� C� Operational Loss Data�-� *��*��D�� <��+,@*�E�?��<� �� FG?�-� *�� A�@�� *��D leverage A��*��-I=@��,�� *��B��*��@ J��*� exposure �� M �<

Risk and Control Self Assessment

BU/SU :�� Op Risk Profile

P� �!�+�� #�� A�� J4��#3/!�+��(�� +�� *�+� � �3�1 �� action

plan ��!K�� # *�+� � �3��/��+�� L��+��0��.� $� ��+�� +�/ !�+��

*�+!�+��0,�% �� /�=

BU/SU

BU/SU :�� Op Risk Profile�� -��@ ��*��- �>J�� F��>�;��,�J*

RMC / Management :��+;��*��*��- ��<=� ��

��:��-� *��*��*��*@��A��BCapital

34

Key Risk Indicator (KRI)

BU/SU

BU/SU E��E�* KRI S��@��T�� *�E��FU ��<�*��

KRI DI��<,��A��

2#��M�� !-�� #��# �� 0�M��!-� Early Warning Indicator �� BU/SU � � �3� �� &(

�#/� �&(�� # *�+�� #�� !K�� #/� �&(�� =

35

��+,-� *�� KRI 4� ORM Co - ��J��S��

BU/SU KRI DI��<,��A��

RMC / Management:��<,�� KRI

��-� *��=?�� F�<,F�J��S� Capital @��*��*ES

��*��

�*��EJ: �JB�*,<E�- � KRI �� E� ��*��D�<��FGE<��-:�� *��


1. Good Governance

Structure

4. Embedding


3. End to end risk

Management & Integrated

Tools

4. Embedding ORM to Day

to Day Operation &

Activity

Effective

ORM

Having standard operational risk tools, many organizations also still fails with risk identification.

Why???

37

Silo Based – Risk Assessment Approach

• Risk is traditionally assessed via Silo /Department Based

• Business Unit focuses on their own risk profile to manage their own performance , not organization performance

Without considering other

Dept. X

Silo/Department Based

Dept.1

Dept.2

Risk Profile

• Without considering other inter-related functions, risk can not be seen, identified, and properly managed entity-wide

• Resource deployment is for their own dept, not for entity-wide. This result in redundant and not efficiency throughout organization

Dept. 1

Dept. 2Dept. 3

Dept.3

Dept.X

End-to-End Process – Risk Assessment Approach

• In new Era, Risk Assessment evolve in End-to-End Process Based Approach

• Risk Owner identifies and manages risk profile by considering inter-related functions/process. With

Dept. 1

Dept. 2

Dept.1

Dept.2

ProductA

ProductB

ProductC

ProductX

Risk Profile

functions/process. With this way, not only entity performance is focused but also dept and process-wise

• Resource deployment is efficiently used for entity-wide.

Dept. 3

Dept. X

Dept.3

Dept.X

AB CXRisk Profile


1. Good Governance

Structure

4. Embedding


3. End to end risk

Management & Integrated

Tools

4. Embedding ORM to Day

to Day Operation &

Activity

Effective

ORM

Embedding Operational Risk into Day to Day Management

1. Product Development /

Change 4. Product

Review

1. Product Development /

Change 5. Product

Review

Product & Process Change Life Cycle

Old Life Cycle New Life Cycle

Change Management

2. Development &

Implementation

3. Product

Launch

Review Change Management

2. Risk

Assessment

3. Development & Implementation

4. Product

Launch

Review

Benefit & Cost Trade - off

Benefit

Cost Risk

Trade - off

New Product and Process Risk Process

New Product Process and Change in Process Verification after Product Launch

Path Identification

Product/ProcessPerformance Review

Risk AssessmentProduct/service/process Design

Development

Minor ChangeRisk Assessment &Mitigation plan

Fast track

Sign : BU/SU Head

Product/Service Development and Readiness Verification

ReadinessVerification

-Establish Project Team-Feasibility Study &

Business Plan & Budget Approved

Final : MC (in Case that Feasibility study has not approved)

Sign : BU/SU Head/Risk Final : RMC in Case of High Risk Level

Sign : BU/SU HeadFinal: NPPRC Comm**

Path Identification

Development

Review

ReadinessVerification

Auditing

Acceptance Certificate

Product/Process Change Proposal Template e.g- Change Summary - E2E Process Change - Impact - Cost Benefit Analysis

Sign : BU/SU Head

Major Change ( Involve NPPRC )

TOOLS

within 1 year after Launch

Risk Assessment & Mitigation plan

Sign : BU/SU HeadRisk Standard Verification : Risk Division

-Mutual Agreement if any, escalate to NPRC - Definition / Criteria

AUTHORIZER

-Feasibility Study & Business Proposition

-Process Verification: BA-Sign : BU/SU Head* Adhoc during the year, business plan & budgeting must be approved according to delegation of authority first

Agenda





Product-wise Risk Profile Methodology

2) Enhancing of E2E Business Process

4) Prioritizing Risk Profile• In-depth risk analysis on high level risk

- Root cause analysis- Mitigation plan proposal

1) Understanding Business Concept• Business model• Product coverage• Operating model

3) Enhancing Product Risk Profile• Dept-wise RCSA change to E2E product wise• Mapping Loss to process• E2E risk and control assessment

Floor Plan Product: Business Model

Motor/+,� -��!�,#

��

� ��

��

“ Without knowing Business Model, Risk Manager can not be able to deeply understand underlining risk”

Dealer

Retail CustomerOther Bank

KK Bank

��

� ��

� ��

��

!"�� #�$%��

� ��

45

Product Coverage

Product Sub Product Product Manager #Customer

FloorplanLending

- Floorplan

- Term loan- OD/PN/LG

Mr.XXXX 4000

Floor Plan : Operating Model

Overview Front office Supporting Office

Main Processing and Operation

� &�b��(�0c� (� (��3 �� "�� 7�-��7��3� (�!-��7-)��!��>� ��79)��'��3

Relate department �d��9:;�/��-f��&��

� !�� '��'��"�(�g� ��'�"��'�� -� �)�� (��"-)��

� 7��D+�"3�!�� -� �A7�� (�!-��7��:;��*+��7�� 7�-��3� � 7��9#/!��

� d��!�� '�� (�3 �/��- � d��&�/#��9:;�Relate department �d��9:;�/��-f��&��+��d��/��'7��9:;�/��-

Key Main System FP offering sheet, �7�-� )��, Warning System, Work Flow, FMS, FP Lending, SKS, Cash allocation, G-able, LOA-REG, LOA, FCR, KK teller, ABR

� d��!�� '�� (�3 �/��-� d��'�"�� &�� d��9:;��'�9�t:�� d��(��"

� d��&�/#��9:;�� d��?�7�(��'��g� d��?�7�(��9:;�� d��?�7�(��9)��'�� d��7��9#







Floor Plan : High level E2E business process

P2 (� (��3 �

P17 ��7��$ ��#� (�0# ��9)��')

P1 &�b��(�0c

P4 !�� '��'��"�(�g

P5 -� �)��

P3 ��'�"��'��

d��/��9:;�g d��'�"�� g

d��!�� '�� (g

d��g

*P16 (��7��>��'"3� KK*�0#�7��3-��'"3�.3�� KK d��9:;�/��-f��&��-'��3(��7�

d��9:;�/��-f��&��

(�0# ��9)��')

P6 ��"��

P10 ��7�-�(��7��3

P13 (�!-��7-)��!��>

P14 ��79)��'��3

P7 ��(��"-)��

P8 7��D+�"3�!�� P9 -� �A7��

P11 (�!-��7��:;��*+P12 �7�-��3

P15 � 7��9#/!��

P9

�'7!��"�(�

��+� d��(��"

d��?�7�(��9:;�g d��?�7�(��'��g

d��&�/#��gP16

P17(�0# ��9)��')

(�0#9)��' �7>!�)







Dept wise to E2E process wise

Non-Process RelatedOnly Department Assessment

Integrated E2E Process Risk & Loss Analysis

Mapping risk & Loss by process

Floor Plan : Mapping Loss by process (E2E)

P2 (� (��3 �L (-) NM (-) Non (-)

P17 ��7��$ ��#� (�0# ��9)��')

L (-) NM (-) Non (9)

P1 &�b��(�0cL (-) NM (-) Non (-)

P4 !�� '��'��"�(�gL (-) NM (-) Non (10)

P5 -� �)��L (1) NM (-) Non (2)

P3 ��'�"��'��L (-) NM (-) Non (3)

d��/��9:;�g d��'�"�� g

d��!�� '�� (g

d��g

Top Loss Amount1) $Mitsu999 =133M (Mitigated) (P12)2) $��7 (Double Finance)= 11.7M (Mitigated) (P14)

L

Top Frequently 1) #Non �)��(�!-�> = 67 (P13)

F

*P16 (��7��>��'"3� KKL (-) NM (-) Non (-)

d��9:;�/��-f��&��

Mapping Loss Amount and Frequency

F

18 �� 59%&$��%�� %� ��' � 03/2559

P6 ��"��L (-) NM (-) Non (-)

P10 ��7�-�(��7��3L (-) NM (-) Non (1)

P13 (�!-��7-)��!��>L (-) NM (-) Non (68)

P14 ��79)��'��3L (14) NM (48) Non (17)

P7 ��(��"-)��L (1) NM (-) Non (-)

P8 7��D+�"3�!��L (3) NM (-) Non (3)

P9 -� �A7��L (-) NM (-) Non (2)

P11 (�!-��7��:;��*+L (-) NM (-) Non (7)

P12 �7�-��3L (7) NM (3) Non (5)

P15 � 7��9#/!��L (-) NM (-) Non (1)

P9

�'7!��"�(�

��+� d��(��"

d��?�7�(��9:;�g d��?�7�(��'��g

d��&�/#��g

L

1) #Non �)��(�!-�> = 67 (P13)2) $NM ��7 (Double Finance)= 48

(Mitigated) (P14)3) #Non � �"7��. *"��= 7 (P17)

P15

P16(�0# ��9)��')

(�0#9)��' �7>!�)*�0#�7��3-��'"3�.3�� KK d��9:;�/��-f��&��-'��3(��7�

L

F

F

52

Mapping previous RCSA and Loss by process

2. Mapping risk & Loss for accuracy risk level

1. Mapping risk & Loss for unidentified risk

Mapping Loss frequency & impact for accuracy assessment

!�"��#;��#;*"�� 7��(��0 !�"��#��

No Process Risk Risk EventType

RiskLevel

Current Control #Events in 2015

Total GrossLoss in

2015

ProposedRisk Level

1 P14 � ��$��./

� ��0�� Floorplan (Double

Finance)

ET7 M 1. ��2 �� 3��3�/' ��4� #�$%��%5��!6�� 7��3�/�!8��7�9��

2. �$��7��/��.�� :��;�7��:�� '$�� 7 ��

3. ��'� Reconcile �/��.��' �0�� $�� Floor Plan #�$

18 1.7M H

�� $�� Floor Plan #�$ HP & � �5��4�

Product / Dept/ Process Risk Assessment Perspective

FP01 <��A�@,- J*<E��T�� (CA)

de��T�� >J�� f� ��

FP02 ��E��*��*��D��

de��E de�Fh�,<E��T�� >J��

de��F�I�i��j�*��<kk�

(CA)

FP03 J*<E��T�� FP04 <�E<=�� E�* CA E�*��:��<, J*<E�

FP05 �S��<kk�E�*�� :- CA

FP06 ��*@�<kk�







Product Wise – Product Risk Profile

R7 (1) A?8)��+��:�:�+/; (Double Finance)

• *" )��7�7��#��7�9�t:�� tD;��)��"#�� :�� -� �9�t:��7/�� :��7 Dealer

R7 (2) Z��A?��1�7��)�+8��7;)��4�� 3�.

• *"* (�!-��7�� 7)�� )��'�� 7��. +��3��#��)��#��/��:;� �)��'��

�' �7 !�"��#;��

H

Key Risk (RCSA)Key Risk (RCSA)

Res

idual

Risk

Map

M

H

VH

71�?</0

R7(1)R7(3)

H

R7(2)

��/��:;� �)��'��

R7 (3) ��A?)�3��(�1-�<(�?��/0�)�+8

• *"�?�7�(�(�"�'7!��?�7�(�� )��/�� *""#+�"3��(�!-��7(�"��:;��*+��7�� tD;��>��--'>3�)�*��9��:�+��

R7 (4) ��?B:��D0�A��/0�C��1��4?B:A?<B�(��

• ��:;��*+�#;�9(�!-��7�3 �*">3(�� #;�3 �*"��"��>�9!��'"3��>*

Res

idual

Risk

Map

VL M HL VH

VL

L

M

71�?�&*��

MR7(4)

M

��+��:�:�+/; Hire Purchase �� FloorPlan��+��:�:�+/; Hire Purchase �� FloorPlan

3�&��:4��/�8��+(&��>

/�� *"* )��7�7��#��>!�� Floorplan �#;-� �9�t:��7/�� 3��#�7��=�� A tD;�� *��=0' Double Finance ��3��#� -)��!� 56 �� "3� � !�"��#�� 35.1 �7.

1�-�6&��-

A?+��:�:�+/;�<1�� FloorPlan �/0-�8�C�@D;��6�7��

Mitsu Motor

TJ�� A��S�3 4

Dealer Mitsu

999

#,��

KK��%"��* %��.��!��/0

��

��#"#"��/0

Dealer ��7��I:��4��/0(�??�

- 9� �-��3�#; Floorplan - Dealer *"* �)��"�� 9)��' �)��*"��"��>�)�9� �-�-)��*�- �'�7#��7�3 � HP * - ��"�'�7#��A*"* >3$��"��"��/��+��/��

HP S�� Dealer

1

2

�E+��1�7��4+��4�8R71�?�3/0��*�� Silo

Dealer

KK �&?�(1��3�CD0�Floorplan

Motor

��3�CD0�

@D;��<��D0�)�A��

-��+�� Motor

KK F��S��(��3�CD0�6&��-

��'�"�� !�"��#;�� #;��!��"��'� A�+��#;��+��(�� (Silo) -'*"��A� !�"��#;��#;�#;�!��:;�� >�"� 3��=0' End to End -'��A��'� A��#;�� 9�t:��#;(��-�� Dealer *" !�(��-�� :�$ �(�� (��)�"��7�7��#��7/��

KK �&?�(1��3�CD0��C�@D;��<�(

#,��

Dealer

KK F��S��(��3�CD0��

-��+�� Dealer@D;��<��D0�

)�A��C��

��3�CD0�-�(�!��-'��A�!� Dealer "#��#��7/�� +��9:;� Floorplan �&:;�t:��>"�+�� (�":;� Dealer +��>�#;3!�� Floorplan �7/�� * $ ��3 �"�+��9:;��9�t:��7/�� /�� !��#;-'�)��#;�3 �"�-� �9�t:��7�7��#��7 ��9:;� Floorplan +��Dealer *" !�-�� :��7 Dealer

Recovery

Net Loss

No. of Event420.2

Role of Risk Management to Bank Performance

“ Risk Management is the process of identifying, analyzing and responding to risk factors throughout the life of a project and in the best interests of its objectives. Proper risk management implies control of possible future events and is proactive rather than reactive.”

Decreasing Trend of Operational Loss over 6 years

2,247

KK OpLoss vs. Capital

Gross Loss

23.1

252.4

15.2 8.6

44.5 9.1

586 620

536

413

267 194

Y2012 Y2013 Y2014 Y2015 Y2016 Y2017

No. of Event

49.6

420.2

95.4

20.4 34.5 9.9 49.6

420.2

20.4 34.5 95.4 9.9

Y2012 Y2013 Y2014 Y2015 Y2016 Y2017

1,0551,186

1,6171,748

2,1422,247

4.7%35.4%

1.3% 2.0% 4.5% 0.4%

Capital

OpLossNet Loss

Net Profit

Role of Risk Management to Bank Performance

Unit: MB

* Estimate 12-Month Net Profit & OpLoss

Net Profitvs.OpLoss

Gap

Net Profitvs.OpLoss

Gap

Gap

Appendix

Cyber Attack: 12� %��3��"��4/��.�5 ��%��"�'��!4�4�

• 7��)��/(8(�@D;�37�-��IB�3/�+�� 28��:��/0��EC/ *:4+��(��4-)�(�1��4C�C

1. 7��:�?3)��(��4C�C 28��C16/�� “��+�7��” 31?��:�A� *:1<��3)��(��4C�C��3��=;?��+? 28��:��4-)�(�1��4C�C 13 +:��IB�3/�+��*:4)�A��@?��8�+?��8?

2. 7��2��O��A��:/0��+�3I��)�6&��?��A: -3�?��<<��A�A8��/03&8

• 7��O��C��1��(�1-3��?B:��;�IB�+��2��O��*:4��6�7�� @?�+? *:4��:/0��+�3I� -�)��+3�?��<2��-��EC/A8��;�+?8

��71�?�3/�+��

�&77:��01A�:71��4?�8�41��8�I��?B:3)��(��4C�C+�D��?B:31(�1�D0� �C �/0��B 1��8D��8 �D0��-��-<B��C��31?��2?��?B:+�D��2?��-��EC/A8

IB�+��:IB�+��2��O��?D�<D�*:4IB�+��6�7��A:71�(��?/?�(��(�1-3��/0��8�&?�=;��D0��A?�+��871�?�3/�+��:��W>4/;�/��7(

Royal Bank of Scotland: IT Failures

• In June 2012, a failed software error left some customers unable to access their accounts for days, and cost RBS Group £175 million in compensation. A software update was applied on 19th June 2012 to RBS's batch software which controls its payment processing system. It later emerged that the update was corrupted by RBS technical staff. Customers' wages, payments and other transactions were disrupted. Some customers were unable to withdraw cash using ATMs or to see bank account details. Others faced fines for late payment of bills because the RBS system could not process direct debits.

System Error: ��!""#��

• /�� -'"#�'77��#;-� ��:;��$��-��>��d��'�!��7��9#�#;��#�!� Core Banking ��'"#�'77��(�'�!��9� �'77��+� �'77��#��A" �'77/�� *�� '77/�� ":�>:� tD;�"��9:;�"(��&:;��+�"3��+�"�� core banking �#�#��D;� ��'77�� D;� �9� ATM �9��*"* �!��'77�� :� Core Banking A��9��* ��3• ��0#�#��":;��'77 Core Banking �" -D��'77��" �9��*"* tD;��(��$��+�"/�� "�-�/�� :;� !� �":;� )��;��)�/��"+��3 �/�� :;� ��3��'77 ��'77*��#+��/�� :;�$�� 9�� >D��"�'77*"�"(�"*� !��(A��-�'�7(��9��+��3 �� !�"��A! ��(�7��/��"��37��• ��(�+��'77/�� " � !�� -� !�"(��)�/��"�#;�&�;"+D��3�"� $ ��%&�'9!�� :��-��'77��7*"*�! ��#;�'77/�� "9!�� :�� (��0�#;�� (� (�� :��'*"* �� 7/�� &#�� #�! /�� :;�� A�� =0'�#�"��!�9��

Documents

End-to-end for effective operational risk management ...¸„ุณกมลรัตน์-1...Group of Operational Risk Framework and oversight all In her last role, she was the