KM164 Operational Risk 26.01.05 V4.0 © Copyright HBOS plc all rights reserved Operational Risk A Storm is Coming Andrew Smith 16 th August 2005 Draft

KM164 Operational Risk 26.01.05 V4.0

© Copyright HBOS plc all rights reserved

Operational RiskA Storm is

Coming

Andrew Smith

16th August 2005

Draft 4.0

ISDAISDA Seminar

KM164


KM164


KM164


KM164


KM164


Agenda

• Charting the rise of Operational Risk• But …• Operational Risk: RIP

KM164


“The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events” (BIS)

“Operational risk is not a new risk….However the idea that operational risk management is a discipline with its own management structure, tools and processes….is new” (BBA)

Operational Risk

KM164


OR emerged as a result of focus on controls and governance

• Treadway Commission (1987)• Federal Deposit Insurance Corporation Act (1991)• COSO Report (1992)• Cadbury Commission (1992/93)• Public Oversight Board (1993)• COCO (1994/95)• Quality movement (Baldridge/EQA)• General trend towards empowered, self managed

work teams and flatter organisations.

Examples

KM164


External loss history

Internal loss history and KRI

Internal risk profile

OR Infrastructure at HBOS

1

External Loss data

Consortium

Public Loss Database

Search agency

Algo OpData

Key Risk Indicators

Template & Business Specific

Bayesian Analysis tool

Events

Losses

Near Misses

AspectsOR

Risk Register

Risk/Control assessment

Categorisation

Action tracker

@Risk

Aggregation Model

Economic Capital

HORN

2 31

2

3

KM164


Capital Calculator

Project Risk Assessment

Risk BasedSelf Assessment

External LossDatabase

Bayesian &ScenarioModelling

Integrated Reporting

Key RiskIndicators

Issues

Losses &Near Misses

Control Based

Self Assessment

Integrated Reporting at HBOS

KM164


Agenda


KM164


The Problem

…HBOS has been working hard on operational risk since 1996. Last year we won several industry awards for the quality of our operational risk management environment…

But…

…the better we got at the “traditional model” the more it became obvious that it doesn’t work!

KM164


The Problem

…HBOS has been working hard on operational risk since 1996. Last year we won several industry awards for the quality of our operational risk management environment…

But…

…the better we got at the “traditional model” the more it became obvious that it doesn’t work!

KM164


Audience participation…

Is the fundamental problem the commitment and competence of senior management…or…is it the operational risk concept?

Q1: Does senior management in your organisation care passionately about the quality of your business?

Q2: Does senior management take operational risk management seriously - taking part appropriately and using it as a key tool for effective business management?

KM164


Audience participation (2)…

Real need for a clear concept for risk management customised to your organisation.

Q: Is your organisation clear as to what “operational risk management” really means and what it should be achieving?

KM164


Agenda


KM164


KM164


KM164


KM164


KM164


“The essence of risk management lies in maximising the areas where we have some control over the outcome, while minimising the areas where we have absolutely no control over the outcome and the linkage between cause and effect is hidden from us”

Peter Bernstein (Against the Gods)

KM164


Risk Management is

A set of actions used to

contribute towards

the likelihood of achieving and surpassing

planned objectives

over a defined timeframe

. . . . .

KM164


The set of actions used to

contribute towards

the likelihood of achieving and surpassing

planned objectives

over a defined timeframe

Only things that happen make a

difference

RM is part of a business, all must

work together

If there is no uncertainty, RM has no meaning

Stability

Plans are not always realistic but the scope of

ambition drives the nature of the actions required

Because risk = uncertainty in timescale

concept is essential

Without clarity here action is ultimately

meaningless

Outperformance

Risk Management is . . . . .

KM164


Risk Management Culture?

Do what is important to them.

Do things which demonstrably and measurably add value.

Take seriously regulatory initiatives that they don’t believe in.

Keep doing things unless the value arising is evident.

People/Organisations

Will Won’t

can only achieve a risk management culture when there is alignment between the goals of risk management and the goals of the organisation.

KM164



alignment







Will Won’t

KM164


alignment







Will Won’t


alignment

KM164


5 Success Factors

Measure/Report on value arising from risk management.

…only 4 items…

• Operate a Total Risk programme, capturing risks exactly once.

• Align management of risk to the way in which a (good) organisation actually works and the objectives it wishes to achieve.- includes categorisation- includes clarity on where different types of risk are reported and reviewed.

• Distinguish between - Analysis/Reports/Oversight - “Lets do the right things”

- Action/Management - “doing it”- Assurance/Compliance - “did we do what we said we would?”

KM164


Most Critical Element

• Recognise that operational risk is a regulatory construct.

• It doesn’t really exist!!

Operational Risk: RIP

KM164


Operational Risk = Sum of Component Risk Areas

• Financial Risk [Not OR]- ALM/Liquidity/Market Risk- Credit Risk- Insurance Risk- Investment Risk

• Tax and Accounting Risk [Not OR]

• Regulatory Risk [OR]- Interpretation/change- Conduct of business (new)- Public policy (new)?- Contagion Risk

• IT Risk [OR]- Stability- Application Quality- Infrastructure Quality- Hardware- Security

• Business & Strategic [Not OR]- Management Risk [OR?]

• Operations Risk [OR]- HR- Legal- Fraud- Environmental Risk- Physical Security- Procurement- Health and Safety- Controls design (new)- Information Risk- Property- Project Risk- Other

• CEO Advisory Areas [Not OR]

[OR] = BISII definition

E X A M P L E

KM164


What about the regulator?

Sum of specialist risk areas

• Effective risk measurement

• Effective reporting

• Demonstrable RM process

• Co-ordinated coverage of all risk areas relevant to business

KM164


Sum of specialist risk areas

• Effective risk measurement

• Effective reporting

• Demonstrable RM process

• Co-ordinated coverage of all risk areas relevant to business

What about the regulator?

KM164 Operational Risk 26.01.05 V4.0


Effective Risk ManagementA New Concept:

The Three Lines of Attack Model

Virtual Case Study

Andrew Smith

KM164


Documents

KM164 Operational Risk 26.01.05 V4.0 © Copyright HBOS plc all rights reserved Operational Risk A Storm is Coming Andrew Smith 16 th August 2005 Draft