1 / 21

Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program

Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program. ACSDA Seminar - October 26 - 28, 2005 Punta del Este, Uruguay. Agenda. Enterprise Risk Management Framework Governance of Operational Risk Self-Assessments Key Risk Indicators Reporting Internal Controls

Download Presentation

Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Existing Methodologies for Operational Risk Mitigation - CDS’s ERM Program ACSDA Seminar - October 26 - 28, 2005 Punta del Este, Uruguay

  2. Agenda • Enterprise Risk Management Framework • Governance of Operational Risk • Self-Assessments • Key Risk Indicators • Reporting • Internal Controls • Risk Financing Program • Lessons Learned • Conclusions

  3. Enterprise Risk Management Framework • A process for CDS to manage enterprise-wide risks (including operational risk) in an integrated fashion in order to optimize returns from risk-taking activities. • Mission of ERM: • Identify and understand risks inherent in CDS’s business activities and processes • Enable management to make better decisions through balanced focus on risk and returns of decisions and ongoing education of personnel.

  4. Enterprise Risk Management Framework • Objectives of ERM Framework: • Promote shared vision of risk management to facilitate integrated reviews of risks and provide managers with better understanding of risk/reward trade-offs • Apply leading practice methodologies to identify, assess, measure, manage, monitor and report risks • Assign appropriate attention/resources to key risks • Find appropriate balance between costs and risk controls • More accurately factor risk into decisions, products and projects • Satisfy regulatory requirements.

  5. Enterprise Risk Management Framework • Guiding principles: • Clearly define responsibilities for management of risks: • Each business unit responsible for managing their risks • Overall responsibility for ERM should be independent from business units: Risk Management at CDS • Risk management  risk avoidance • Risk management should be proactive not reactive • Timely, accurate and consistent management, monitoring and measurement of risk • Reporting structure that includes senior management, board of directors, auditors and regulators.

  6. Governance of Operational Risk Board of Directors Board Committees Audit Committee Executive Committee Finance Committee Management Committees Strategy Group Executive Steering Committee Risk Committee Operations Committee Risk Management Functions Information Security and Control Finance Internal Audit Risk Management Human Resources Legal Business Line Management

  7. Self-Assessments • Risk identification and definition using common categories: • Strategic risks • Operational risks (essentially same as Basle II) • People • Processes • Business • Projects • Technology • Legal and regulatory • External • Financial risks.

  8. Self-Assessments • Risk assessment and measurement to rank risks and prioritize action. • Risk exposure determined by the probability and impact of a given event. • Probability ranked on scale of 1 (<25% probability) - 4 (>75%) for a five-year period. • Impact ranked by potential loss of staff, service capability, capital, assets, customer base, reputation or some combination.

  9. Self-Assessments • Multiples of probability x impact yield rankings for prioritizing risks: • Green (1 - 4) • Yellow (4 - 8) • Red (9 - 16). • Risks are grouped by categories to profile areas of higher risks and to produce an average overall risk profile for the company. • Risk profile allows tracking of changes of risk by category and at enterprise level.

  10. Self-Assessments • Risk monitoring reports include: • description of risk • probability x impact ranking, with explanation • risk mitigants • action plans for reducing risk • target dates for implementation.

  11. Key Risk Indicators • Early warning indicators of risks requiring attention. • Suitable for activities that are trackable on a regular basis for trend analysis, such as: • Staff turnover • Financial performance against plan • System interruptions • Participant claims. • Business unit proposes suitable threshold for Risk Committee approval. If threshold is breached, action may be required.

  12. Key Risk Indicators

  13. Reporting • Each meeting, Risk Committee receives a summary risk monitoring report showing: • New and materially-updated self-assessments • Updated risk profile • Updated key risk indicators. • Internal Audit uses risk assessments at year-end to help develop areas of focus for coming year’s audit plan.

  14. Risk Profile Report

  15. Reporting • Audit Committee receives a summary key risks report showing: • Current risk profile • Red risks and other material changes in higher risks • Key risk indicators that have breached their thresholds with actions for mitigation. • Exception is annual risk report presented to Audit Committee after fiscal year-end, which reviews risk profile of last year and risks requiring attention in coming year.

  16. Internal Controls • Intended to provide reasonable assurance regarding: • effectiveness and efficiency of operations • reliability of financial reporting • compliance with applicable laws and regulations. • Adequacy audited under Canadian Auditing Standard 5900 for service organizations and reported in Report on Internal Controls and Safeguards (RICS). • New audit standard 5970, comparable to SAS 70, to be applied in 2006.

  17. Internal Controls • Moving from checklist approach to more thorough COSO-based framework. • Framework based on key processes required to conduct business: • Objectives and risks identified and assessed • Process flowcharted to identify areas requiring control • Existing controls identified, with support documentation and management assurance process • Gaps in controls require remediation within an acceptable time period. • Signed by supervisor upon completion and basis for future testing by audit.

  18. Internal Controls • Internal controls for key processes supporting financial reporting to be completed by 10/31/06. • Will allow CEO/CFO certification of financial reporting by fiscal year-end 2007. • Key reliance will be on internal control structure and attestation by division heads of compliance. • Tone at the top reinforces importance of internal controls. • Structure acceptable to regulators and external auditor.

  19. Risk Financing Program • Insurance (e.g. FIB, D&O, E&O, general liability) to cover catastrophic losses. • Retain significant levels of risk backed by reserves. • Ongoing education of underwriters of unique nature and coverage needs of CDS. • Differentiation from financial institutions to obtain suitable wording. • Ongoing disclosure and rigour of risk management essential.

  20. Lessons Learned • Start with simple concepts to get buy in, then phase in enhancements. • Use common definitions/criteria. • Initial education and reiteration of objectives and benefits of ERM. • Business units take responsibility for their risks. • Regular review of risk tolerances. • Ensure follow up on improved risk mitigants. • Support from the top is essential.

  21. Conclusions • ERM has enhanced risk management culture. • Improves decision-making in evaluating potential returns • Comparable approach used for assessing project risks. • Effective internal controls structure serves multiple purposes. • Ongoing education and monitoring process that must be supported from the top.

More Related