SAP FORUM İSTANBUL: Reimagine Business for the Digital Economy. SAP Operational Risk Management. Speaker: Burcu Kutlu. Company: SAP Türkiye

SAP FORUM İSTANBUL 2016 - OPERATIONAL RISK MANAGEMENT AND AUDIT IN DIGITAL TRANSFORMATION


© 2016 SAP AG or an SAP affiliate company. All rights reserved. 2

Agenda

Business Context and Challenges

SAP and Risk Management for Banking

SAP ORM Solution Overview

Customer Benefits

Early Customer Experiences


Agenda

Business context and challenges

SAP and Risk Management

Building Blocks

Benefits

Early customer experiences


Why Operational Risk Management?

• Sep 2011: UBS announced a 1.4 bn GBP loss as a result of unauthorized trading performed by Kweku Adoboli
• Credit Suisse loss of EUR 1.9 bn in 2008 due to CDO price changes by Higgs and Siddiqui
• 4.9 bn EUR loss at SocGen induced by Jerome Kerviel in Jan 2008
• Collapse of Barings Bank caused by Nick Leeson in Feb 1995

In the last 20 years, operational risks have been the root cause of major losses in banks


Operational Risk Categories show expansion and complexity

• Internal Fraud: Credit Suisse loss of EUR 1.9 bn in 2008 due to CDO price changes by Higgs and Siddiqui.
• External Fraud: In 2002, three men who ran a precious metals trading firm deceived a group of banks, causing an $800M loss.
• Clients, Products, & Business Practices: In 2000, Providian Financial paid $405M in settlements relating to aggressive sales and billing practices.
• Employment Practices & Workplace Safety: In 1999, Merrill Lynch paid $250M to settle a gender discrimination lawsuit.
• Damage to Physical Assets: In 1982, a fire gutted Norwest Bank's headquarters, causing $100M in damage.
• Business Disruption and System Failures: Bank of New York estimated the impact of the 9/11 disaster to be $242M pretax.
• Execution, Delivery, and Process Management: In 1998, UBS announced 650M SFr in losses due to a calculation error in an option pricing model.


Increasing Number, Complexity and Costs of Regulations

[Figure: regulations charted by complexity / degree of regulation, with a time axis starting at 1995: MAP, IAS, Regulatory Capital, Country regulations, US GAAP, Basel II, SOX, Patriot Act/AML, Dodd Frank, Credit Card Act, AML III, Basel III, REG NMS, MIFID, IFRS 9, Solvency II]

• Overwhelming amount of data to sort and organize
• More granular information required
• Deeper level of enquiry


Operational Risk Management: Today's reality?

The bank examiners arrive in 10 minutes… And they are NOT happy!


What are the Challenges?

• Lack of visibility on top risks and exposures
• Fragmented processes / excessive workload
• Lack of integration (incl. with other business systems)
• Inability to proactively mitigate / prevent risks


SAP Financial and Operational Risk Management: A Complete Coverage for the Financial Sector

• Credit Risk: Concentration risk, Counterparty risk, Securitization risk
• Market Risk: Interest rate risk, Currency risk, Equity risk, Commodity risk
• Liquidity Risk: Funding Liquidity Risk
• Operational Risk: Organizational risk, Bus. process risk, Technology risk, People-related risk, External events risk

Requirements of the Financial Services Industry: comprehensive coverage with the SAP and SAP BusinessObjects product portfolio

[Figure: products and functions shown against the risk types: SAP Basel III Solution, SAP Credit Portfolio Management, SAP Enterprise Risk Reporting 2.0, SAP GRC Risk Management, Basis: Cash-Flow Engine, Liquidity Risk Managmt@HANA, SAP Regulatory Reporting (Partner), Asset Liability Management, NPV analysis, Gap analysis, Manipulation: Cashflow splitting, Due date scenarios, Capital Definition]


Scope of SAP Operational Risk Management

Operational Risk Framework

• Static Data Mgmt
• Loss Event Mgmt
• Key Risk Indicators
• Risk Control Self Assessment
• Issues, Action Plans, Workflows
• Scenario Analysis
• Risk Engine
• Reporting

AMA Approach covered by a SAP NetWeaver certified Partner QRR


Static Data Management: Organization Structures

Consistent organization structuring to support all components and processes of a complete operational risk management

• Operational risks breakdown into risk categories
• Multiple breakdowns for the Bank:
  o Organizational Units and/or
  o Processes (one hierarchy for the whole bank) and/or
  o Products (different hierarchies for different business lines needed)
• Other possible breakdowns:
  o By Projects
  o By Causes ...

Extensive Organizational Modelling Possibilities

[Figure: example hierarchy trees for Bank Group (Corp. & Markets, Banking), Bank Group (Bank inc, Subsidiary), Processes (Finance, Funds Transfer), Products (Fixed Income, Credit Cards) and Basel II Categ. (Internal Fraud, Exec.)]


Static Data Management: Structure Mapping

Central maintenance of master structures; data is pushed to dependent structures:
• Organisation units
• Risk categories
• Processes / products

Complete structure mapping:
• Management structure
• Basel II structure

Automatic reassignments of data when re-structuring:
• Losses
• Risks
• KRIs

Easier Maintenance and Flexibility – Structure Mapping and Inheritance

[Figure: example of mapped risk category structures (Fraud, Internal Fraud, Banking, Bus. Practice, Exec., Damage)]


Loss Event Management: Internal Loss Events

• Transparency in terms of:
  o loss event detection and processing
  o impacted banking processes and systems
• Comprehensive process for collection of loss data to allow:
  o proper quantification of levels of operational risk
  o better communication and awareness on operational risk losses amongst employees
  o migration capability to incorporate past losses information
• Configurable workflow:
  o initial recording of loss event / notification to relevant personnel
  o complete documentation of details, impacts etc.
  o review by managers / approval(s)

Optimize loss event information for risk visibility and improvement


Loss Event Management: External Loss Events

• Use of external loss data as benchmark for internal loss information or for validation
• Leverage external loss data (i.e. operational loss data of other financial institutions) collected via different data consortia (for instance ORX, Operational Risk Exchange Association)

Leverage External Loss Event Data Enhancing Operational Risk Management


Risk Monitoring: Key Risk Indicators

• Early warning system to reflect internal operational risk levels of the bank
• Business Rules can be defined to generate alerts when KRI is above thresholds.
• Fully configurable rules for calculations and for aggregations
• Data feed automation / can integrate to source data from external systems.

Proactively prevent risk from occurring


Risk Assessment: RCSAs

Business Context Based Assessments – a Dynamic Process

Preparation
In the preparation phase, questions are combined into surveys to be used in plans:
• Question Library
• Survey Library
Surveys are generated from chosen questions.

Planning
Plan definition:
• Plan Name (ex. RCSA Survey)
• Plan Activity (ex. Perform Risk Survey)
• Survey Name
• Start Date
• Due Date

Execution / Monitoring
Tracking of recipients status, response and overall statistics

Aggregation of results
Across organisation units, risk categories – various calculation rules


Issue Management: Ad hoc Issues and Action Plans

Manage Issue at all levels and effectively track action items

• Global and comprehensive management of issues arising from risks, loss events, KRI's, RCSA's, Controls:
  o Detection of issues, documentation and ownership assignment
  o Tracking of action items, escalations...

Issue Management - Process Overview

[Figure: issue management process flow: Report Issue; Remediation required (Yes/No); Nature of remediation (Simple, CAPA); Corrective Actions; Preventive Actions; Action Items for Owner 1 to Owner N; Issue Completed]


Scenario Analysis and Risk Engine: Scenario Analysis

Clearer, Integrated View of Risk Potentials in Multiple Dimensions

• Evaluate the exposure to high-severity events and derive the need of internal process enhancements
• Tightly linked with Risk Control Self-Assessments and Key Risk Indicators for more in-depth scenario analysis
• Scenario losses can be generated from within Loss Event Management or from the Risk
• Loss distribution approach can be performed by risk type and business line


Scenario Analysis and Risk Engine: Risk Engine - Advanced Measurement Approach (AMA)

• Develop empirical models through calibration of loss frequency and loss severity distribution
• Various distributions, tests and estimators as well as the most important Loss Distribution Approach (LDA) are supported.
• Allows to simulate future capital requirements

[Figure: risk engine inputs and outputs: Internal Losses, External Losses, RCSA, Key Risk Indicator, Insurances, Business Experts, Operational Systems; Monte Carlo; Pre-Adjustments, Post-Adjustments; Pre-EC, Post-EC]

AMA supported with SAP NetWeaver certified partner solution OpVision from QRR (www.qrr.es)

Supporting Advanced Measurement Approach


Risk Reporting and Analytics (Enterprise-wide and Specific)

• Monitor the operational risk management program with a comprehensive set of reports and analytics
• Reports provide loss event historical views with categorization, trends, business metrics, and identification of hot spots
• Analytics provide aggregated views with drill down capabilities
• Examples of reports and analytics include:
  o Loss Event Matrix Analysis
  o Loss Event Overview
  o Loss Event Structure
  o Top Loss Events
  o Gross Loss Amount by Organizational Unit
  o Loss Events by Organizational Unit
  o Loss Events by Risk Category
  o Insurance Payments by Organizational Unit
  o Loss Effect Allocations by Organizational Unit
  o KRI Aggregation Report
  o RCSA Aggregation Report

Extensive Range of Reports & Dashboards Available for Different Management Levels


Getting visual – the Bow Tie builder …


Integration with Access Control and Process Control

Mitigating the risks

SAP GRC Access Control:
• Integration in terms of organisation unit hierarchies
• Implement specific bank rules to segregate users via role definition (Help avoid cases like Leeson and Kerviel – mitigate access risks)

SAP GRC Process Control:
• Integration in terms of organisation unit and risk hierarchies
• Risk mitigation with responses and controls tracked in Process Control (Define and monitor controls; i.e. opening a customer account: steps / documents required)


Solution Benefits

Ensure ORM compliance (Basel II /III)

Fulfillment of audit requirements

Basel II requirements covered and new Principles supported

Loss reduction

Detailed Loss Data Model (e.g. effects, loss allocation, ...)

Generate risk from loss supports prevention of recurring losses

Deeper risk mitigation: SAP Operational Risk solution integrated with other GRC components: GRC Access Control, GRC Process Control, GRC Risk Management

ORM process optimization

Reduction of regulatory capital

Scenario Analysis supported with Scenario Losses generated from Risks

AMA banks have lower risk capital to gross income ratio (10.8%) than BIA (15%) or STA (12-18%)

Profit increase

Increased rating agency confidence

Integration of AC, PC and RM and forward looking in terms of KRI and RCSA could convince rating agencies of having a modern integrated approach


SAP GRC ORM for Banking: Value proposition

Reduction of Loss & Regulatory Capital
Detailed and flexible loss data model, generating risk from loss to protect against recurrence of loss & lower risk capital with Advanced Measurement Approach
• -15%: Reduction in risk and loss events
• -3% of Gross Incomes: Reduction in risk capital with AMA

Compliance
Satisfy regulatory requirements, such as compliance with Basel II, Basel III, ORX 2011 regulations and the Sarbanes-Oxley Act.
• -39%: Fewer compliance and risk management staff in companies

Performance Optimization
Deeper risk mitigation through integration with SAP Access Control and SAP Process Control applications & Optimize operational risk management to handle huge numbers of losses
• -25%: Reduction of insurance premiums by implementing ORM

• Profit increase
• Fulfillment of audit requirements
• Increased rating agency confidence


Operational Risk Management for Financial Institutions: Customer Success Story – Banque Cantonale de Fribourg, Switzerland

Licensed Solutions
• SAP BusinessObjects GRC Risk Management 10.0
• SAP BusinessObjects GRC Process Control 10.0

Customer Pain Points
Combine internal control system with operational risk management:
  o Ability to map and manage Basel II/III requirements
  o Mapping risks to bank specific processes, mitigate risks by controls and ad hoc actions
  o Upload and manage existing loss database
  o Risk management for all employees
  o Specific reporting capabilities

Why SAP?
• Holistic GRC approach – internal control system with operational risk management
• Usability – Adobe interactive forms, Bow-tie builder, Dashboards, and Role-based access
• Banking specific functionality – loss event management, static data management, KRI's, and simulations
• Banking specific content
• Using SAP FI/CO/HR with good experiences
• Interested in SAP Analytical Banking portfolio

Implementation Roadmap
• Kick off: January 18th, 2012
• Technical installation and basic configuration: March 2012
• Blue Print: June 2012
• Go Live: Sept 2012

QUICK FACTS
• Banque Cantonale de Fribourg (www.bcf.ch)
• Location: Fribourg, Switzerland
• Industry: Banking
• Member of the Association of Swiss Cantonal Banks
• Products/Services: Address financial needs for companies and individuals. Secure investments for saving deposits and capital
• Total Balance Sheet: CHF 11'540 Mio
• Credit Volume: CHF 10'064 Mio
• Deposits: CHF 8'367 Mio
• Employees: 436


Operational Risk Management for Financial Institutions: Customer Success Story – BNDES – Brazilian Development Bank

Licensed Solutions
• SAP GRC Risk Management 10.0
• SAP GRC Process Control 10.0

Customer Pain Points
Combine internal control system with operational risk management:
  o Mapping risks to bank specific processes, mitigate risks by controls and ad hoc actions
  o Upload and manage existing loss database
  o Risk management for critical processes in scope
  o Lack of integrated platform to compile and consolidate operational risks for reporting
  o Lack of survey capability to help to automate and escalate risk management practices

Why SAP?
• Banking specific functionality – loss event management, KRI's, surveys, and simulations
• Holistic GRC approach – internal control system with operational risk management
• Usability – Adobe interactive forms, Bow-tie builder, Dashboards, and Role-based access

Implementation Roadmap
• Implementation Partner: Indra

QUICK FACTS
• Bank
• Brazil
• Industry: Financial Services
• Products/Services: Provides financing for long-term investment projects, especially in industry and infrastructure, and credit for acquiring machinery and equipment.
• Disbursements: > BRL 120 Mio
• Total Balance Sheet: > BRL 600 Mio
• Credit Volume: > BRL 400 Mio
• Employees: > 2.500


Operational Risk Management for Financial Institutions: Customer Success Story – CaixaBank

Licensed Solutions
• SAP GRC Process Control
• SAP GRC Risk Management
• SAP GRC Operational Risk Management for Banking
• SAP GRC Audit Management
• SAP HANA
• SAP Single Sign On (SSO)

Customer Pain Points
• Manual processes, fragmented approaches, inefficiencies, high risk in compliance, lack of overall visibility, increase of costs, have been the pain in the areas of control such as Internal Audit Department, Compliance Department, Internal Control Department, Operational Risk Department, IT Security, among others.
• CaixaBank defined as its strategic goal to go to the Advanced Measurement Approach (AMA) in Operational Risk Management according to the Basel III regulation, which would allow them to reduce their capital reserves in several tens of millions in the balance sheet

Why SAP?
• SAP has been the only provider capable of delivering such a holistic, integrated, automated approach.
• They have fully understood the holistic SAP GRC approach and believe it's what they need.
• They believe we have full coverage of all present and future requirements.
• They have seen the banking specific content as a clear bet of SAP toward the banking sector.

Partners Involved:
• Deloitte, as a very good services provider
• QRR with the integrated NetWeaver certified ORM calculation engine, with the best expertise in AMA for Basel III.

QUICK FACTS
• Bank
• Barcelona, Spain
• Industry: Financial Services
• Annual Revenue (2013): Euro 91,249 million
• Employees and Branches (March 2014): More than 31,500 serving 13.6 million clients through 5,716 branches
• Ranked as the third bank in Spain
• Website: http://www.CaixaBank.com/index_en.html


Key Differentiators

• Static Data Management: Support Structures/Changes, e.g. Different Organisational Hierarchies, Mappings, Reassignments
• Loss Event Management: Support Loss Data specifics (e.g. Effect Types, Allocations), External Data, Generate Risk from Loss
• Key Risk Indicators: Integration with operative systems, Workflow, Dynamic Aggregation (Scores and/or Weightings)
• Risk Control Self Assessment: Workflow, Dynamic Aggregation (Scores and/or Weightings), Result Analysis
• Issue Management: Support global and centralized management of issues
• Scenario Analysis and Risk Engine: Scenario Losses (e.g. based on Losses, Risks), Approaches BIA, STA supported, Export data for AMA
• Reporting, system-specific and enterprise-wide: Analytical Reports and Integration with Quantitative Part and other Risk Categories (Market, Credit)
• Access Control and Process Control: Integration with Access Control and Process Control regarding Organisational Hierarchy and Risk Mitigation

Questions?

© 2014 SAP AG or an SAP affiliate company. All rights reserved.

Thank You!

Burcu Kutlu Solution Manager Financial Services

Phone +49 (0) 6227 7-45559, Mobile +49 (0) 170 8555364

http://www.sap.com