
GARP Webcast

Integrating Operational Risk Management into an Enterprise Risk Framework

Presented by:

Brenda Boultwood
SVP, Industry Solutions
MetricStream

Mike Finlay
Chief Executive
RiskBusiness International Limited

August 27, 2015
On24 Tech Tips

- Make sure your speakers are on
- Hit F5 any time your console freezes
- For a LIVE event you should be hearing music now
- Use the Ask a Question feature to report issues
- Webcast starts at the top of the hour

Mike Finlay, Chief Executive, RiskBusiness International Limited


Mike has over 30 years' experience in banking and finance, having started out pricing equity derivatives on the Johannesburg Stock Exchange. The majority of his career has focused on risk, specifically in the middle- and back-office environment. He has been responsible for establishing new business departments in the derivatives area, restructuring international payments businesses, developing regulatory banking law and implementing risk management frameworks in both international banking firms and in large corporates. He developed the initial risk management framework for the Bond Market Exchange of South Africa and led the integration of all trading and financial risk management activities across a leading mining and industrial conglomerate, while on the insurance side, Mike worked with insurance companies in developing an operational risk methodology to support the requirements of Solvency II. Mike led the development of the KRI Framework underlying the KRIeX.org KRI Library, the development of the KRI Library itself, and has worked on the development of loss data consortium requirements for several national and regional banking associations and consortia. Mike led a large multi-million Euro project in the area of risk and control self-assessment, has led scenario-based ICAAP assessments, assisted firms in achieving AMA accreditation and recently assisted a leading Western European regulator in conducting their periodic AMA accreditation review programme.

Part of the focus on risk has included technology, risk assessment and training. Mike is a frequent lecturer on operational risk for banking supervisors at the Bank for International Settlements, as well as at industry conferences and seminars. Mike is a regular guest lecturer on risk management at Judge Business School, Cambridge University, as well as at the University of South Africa (UNISA). He has worked with the World Bank/IFC in the Russian Federation and across Eastern Europe, as well as with the Financial Services Volunteer Corps and the BIS Financial Stability Institute in ongoing risk management education and knowledge transfer in Europe and Africa.

Mike obtained a Bachelor of Commerce degree from the University of the Witwatersrand, Johannesburg and read for an MBA from Henley Management School/Brunel University through the Graduate Institute of Management and Technology in South Africa. He is a Fellow of the South African Institute of Bankers, a Director, Vice Chair and Fellow of the Institute of Operational Risk, a member of the Association of Certified Fraud Examiners and a Charter Member of Risk Who's Who. Mike was recognized in January 2009 by OpRisk & Compliance magazine as one of the Top 50 Faces of Operational Risk and was responsible for RiskBusiness being awarded one of ten Ten Years of Operational Risk Achievement Awards for its work on risk content and taxonomies.

Brenda Boultwood, MetricStream


Brenda Boultwood is Senior Vice President of Industry Solutions at MetricStream. Before joining MetricStream, Brenda was Senior Vice President and Chief Risk Officer for Constellation Energy, where she led risk management activities for Constellation Energy and its businesses, including defining and assessing enterprise-wide business risks and facilitating proactive decision-making to effectively manage the risks associated with each business line.

Prior to joining Constellation Energy, Brenda served in a number of roles at JPMorganChase, including serving as head of risk management for their Treasury Services business. Prior to that, Brenda served as head of market risk, counterparty credit risk and operational risk management at Bank One Corporation. Brenda also worked with PricewaterhouseCoopers as a senior manager in its Financial Risk Management Consulting Practice and was employed with Chemical Bank Corporation as a financial engineering associate. In addition, she spent six years teaching in the University of Maryland's Master of Business Administration program.

Brenda was a member of the CFTC Technology Advisory Committee, and serves on the Board of the Committee of Chief Risk Officers (CCRO). She previously served as a Board Member of the Global Association of Risk Professionals (GARP). She earned a Ph.D. in economics.

Enterprise Risk Management (ERM)

COSO definition: enterprise risk management is a process, effected by an entity's board of directors, management and other personnel, applied in strategy setting and across the enterprise, designed to identify potential events that may affect the entity, and manage risk to be within its risk appetite, to provide reasonable assurance regarding the achievement of entity objectives.

Covers all eight recognized risk types:
- Strategic Risk
- Business Risk
- Credit Risk
- Market Risk
- Operational Risk
- Liquidity Risk
- Insurance (Perils, Underwriting) Risk
- Environmental Risk

Operational Risk Management (ORM)

Basel II definition: the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.

Business definition: any actual or potential adverse or unexpected impact upon a business arising from any aspect of its business other than from pure market risk, credit risk or liquidity risk.

Issues:
- Boundaries with other risk types: operational risk is embedded in all other risk types
- No direct correlation to volumes, market volatility, economic cycles or other easily quantifiable factors
- Direct link to the human factor
- The business intuitively accepts it as part of business as usual and has difficulty understanding the regulatory rationale for elevating it to a distinct risk type

Proliferation of forms of Operational Risk

ORM is accepted as including errors, system issues, legal issues, process failures, natural disasters and fraud; other forms are often considered separate risk types:
- Compliance: actually the risk of non-compliance, which is either a people or a process issue
- Reputation: actually measures the impact or consequences of other risk types, mainly of operational risk manifestation
- Information Security: the risk of loss of data (error, process failure or theft), missing data (process failure) or corruption of data (error, process failure or system issue)
- Conduct: the risk that staff misbehave, fail to follow procedures or that the firm adopts inappropriate business practices (people or process failures); also referred to as People risk
- Culture: the risk that the firm has an inappropriate culture (people, process failure, management)
- Business continuity: the risk that a natural disaster causes business disruption (systems issues, external factors)

Cross-over between risk types

Consider the 2012 Fukushima Daiichi disaster in Japan:
- Overt cause: an earthquake triggered a tsunami, which caused structural damage to the nuclear plant, power outages which affected cooling, and contamination of water supplies, preventing cooling, all leading to a nuclear incident
- Overt classification: operational risk

But:
- During the original construction phase, engineers were aware that the sea defence walls were not high enough to counter known probable sea levels, but they were left as built due to cost implications
- Primary control failure: inadequate sea defence walls

So:
- Actual risk type: business risk

Cross-over between risk types

Consider the 2010 BP Deepwater Horizon oil spill in the Gulf of Mexico:
- Overt cause: pressure in the well caused the safety collar to rupture, leading to a spill measured at around 1,000 barrels per day, with massive environmental damage
- Overt classification: operational risk

But:
- In all other fields, BP employed multiple safety collars
- Multiple engineer reports reflected concern about the strength of the steel used, the cement mixture used, and the number of collars and centralizers, all reduced to save costs and time

So:
- Actual risk type: business risk

An ethical dilemma

Three lines of defense

The three lines of defense model is actually not a risk model; it is a governance model.
- It focuses on the governance structure of the firm: who is accountable for what, and how accountability is delegated across the firm's structure
- As a consequence of appropriate delegations and limits on delegations, risk is managed at the appropriate point within risk appetite tolerances
- A sound three lines of defense model is risk agnostic and supports ERM:
  - Line 1 is the business and its immediate support functions
  - Line 2 provides direction, oversight and challenge (#OCD)
  - Line 3 is responsible for independent assurance
- A core function of the three lines of defense model is the establishment and functioning of accountable governance forums, which in turn report back to the delegant of authority.

Unite Multiple Perspectives on Risk Assessment

[Figure: an Accounts Payable process flow with risk perspectives associated at each process step: Third Party Risk, Reputational Risk, Geo-political Risk, Human Capital Risk, BCM Risk, Process Related Risk, Technology Risk, Legal Risk]

- Visualize the process and associate risks at each process step
- Visualizations of various risk perspectives aligned with the business process
- Business process modeling capability inherent in a federated GRC platform

Integrated Enterprise Risk Framework

- Risk and control assessment of end-to-end business processes:
  - Business unit owned
  - Incorporates integrated functional input in the identification and quantification of risks
- Standard libraries of risks and controls ensure a consistent methodology and facilitate aggregation by common attributes:
  - Risk identification
  - Risk severity and importance ratings
  - Control effectiveness ratings
- Improved risk identification and control monitoring:
  - Facilitates risk aggregation across business units, functions and the enterprise
  - Controls are evaluated once and leveraged by other linked functions and processes
  - Highlights interdependencies between risks and controls spanning numerous processes and functions

Implementing an Effective Risk Management Approach


A technology solution serves as the foundation for the company's enterprise-wide risk and control activities.

Centralised, integrated risk framework:
- Same vocabulary, same rating scales, a single risk taxonomy ensuring consistency
- Streamlined process for assessment, analysis, mitigation
- Access to structured risk information & risk intelligence

Better understanding of risk profiles:
- Integrate risk management into decision making and strategic planning
- Centralized view of risks aligned to corporate strategy & objectives
- Real-time information for the decision making process
- A robust board level reporting and review process
- Streamlined framework and an integrated GRC system approach
- Build a strong risk culture: alignment among different units and processes
- Enterprise-wide visibility and control

Risk Data Model: Universal and Consistent

[Figure: entity diagram of the risk data model. Common Data Objects: Organization, Financial Account, Question / Procedure, Function, Product, Objectives, Regulatory Body, Area of Compliance, Asset, Risk, Standard, Asset Class, Control, Requirement, Process. Metrics: Metric, Perspective, Metric Data. Risk Assessments: Assessment Factor, Risk Assessment Plan, Risk Assessment. Compliance Testing: Certification, Test, Self-Assessment / Test Plan, Self-Assessment, Evidence, Exception, Reference. Regulatory Alerts: Regulatory Review, Regulatory Alert. Scenario Analysis: Scenario Workshop, Scenario Response, Scenario. Loss Events: External Loss, Internal Loss. Issues: Issue, Action. Incidents: Incident, Investigation.]

Risk Intelligence for Business Performance

[Figure: risk intelligence stack. Reporting & Analytics: Report & Dashboarding, Plug n Play Analytics, Advanced Data Visualizations, Heat Maps (axes: Severity, Frequency). Risk Metrics, KRIs / KPIs & Business Objectives: KRIs, KPIs, Business Objectives. GRC Processes: Risk Assessments, Control Tests, Self Assessments, Audits, Policy Management, Surveys, Monitoring, Issue Management. Internal & External Data: Organizational Data, Loss Data, Threats & Vulnerabilities (Servers/Computers/Mobile/Cloud Assets), External Feeds Content (Regulatory Updates, Social Monitoring, etc.).]

Communication of Top Risks, Emerging Risks and Strategic Risks

To build and maintain an effective risk management framework, a company must continuously evaluate the risk landscape.
- Top risks are highlighted to ensure that executive management is focusing on the priority risks to the company
- Emerging risks are identified based upon new systemic, political and market factors, as well as other current events
- Strategic risks assess underlying emerging and systematic risks incorporated in the strategic plan that could derail the strategy and business plan

By understanding the enterprise risk factors, a company can develop strategies to optimize controls, improve performance and reduce the negative impacts to the business.

Adopt an Integrated Approach to ERM

A centralized risk framework to ensure consistent risk information is maintained across the organization:
- Common risk, control & process libraries
- Classify & categorize risks, assign owners
- A single risk taxonomy across the organization
- Identification, sharing and mapping of cross-organizational risks
- Linking of priority risks to strategic plans

An integrated risk framework to identify, assess and mitigate risk data elements:
- Risk register to document all risks and related events
- Assess and analyze risks based on various factors
- Calculate risk metrics and KRIs
- Set risk appetite and thresholds
- Correlate, analyze and visualize risks
- Integrated issues tracking & mitigation

Technology IS the differentiator

[Figure: four quadrants (Enhance Risk Strategy, Embed Risk Management, Improve Controls and Processes, Optimize Risk Management Functions) along a cycle labelled Extend and Sustain]

- Build two-way communication
- Program manage an enterprise-wide risk and compliance program
- Generate risk intelligence for top management
- Define risk appetite at multiple levels of the organization
- Implement a common risk framework
- Stress testing to validate risk tolerance
- Coordinating risk reporting cycles
- KRI tracking by business lines
- Automation of planned self-assessments
- Control design and implementation effectiveness
- Continuous updating of risk and control metrics
- Integrated risk management training and awareness
- Standardized reporting and monitoring
- Reducing redundancy while increasing coverage
- Communicate risks across the business

Solution Architecture

[Figure: solution architecture. Solutions: Regulatory Compliance, Anti-Bribery Program, Managing Sanctions and Agreements, Corporate Ethics, Supplier Governance, IT Governance. Products: Risk Mgmt, Compliance Mgmt, Audit Mgmt, Issue Mgmt, Other Products, with capability groups: Issue Tracking, Assessing Severity, Monitor Remediation; Assessment, Mitigation, KRIs, Heat Maps; Self Assessments, Control Testing, Surveys, Certifications; Annual Planning, Audit Planning, Audit Execution, Audit Reporting; Policy Management, Loss Management, Vendor Management, Credit Asset Review. Leverage: Compliance Online, Application Studio, AppExchange (Forms, Data, Process Standards/Templates, Content, Community, Alerts and Feeds). Establish: Technology Platform; Core Foundation (Risks, Controls, Processes, Assets, Organizations, Regulations); Components (Dashboards/Analytics, Integration Engine, Offline Briefcase, Documents); Content (Infrastructure Security Alerts).]

Enable Informed Decision Making Process

Advanced analytics for decision-making:
- Better understanding of risk profiles
- Effective monitoring and communication
- Integrate risk assessment into management decision-making
- Leverage risk assessment results to enhance controls or the risk acceptance
- Enabling decision makers to quickly determine the potential impact of risk and develop action plans

Powerful dashboards, charts and heat maps provide real-time information and strengthen transparency into risk and control management:
- Monitor risk values vs. threshold values
- Perform trend analysis
- Conduct what-if & scenario analysis
- Aggregate and monitor exposures across counterparties, lines of business, etc.
- Graphical dashboards and board level scorecards

Operational Risk Management: Key Strengths

- Flexible and adaptable risk and control framework
- Quantitative and qualitative risk assessments, scenario modeling
- Advanced risk modeling capabilities
- Visualization, mitigation strategies, risk relationships & scoring
- Internal and external loss event management
- Event recognition, investigations and remediation
- Key Risk Indicators (KRIs) for tracking risk metrics and thresholds
- Based on industry standards such as ISO, COSO, COBIT, etc.
- Automated notification when thresholds are breached
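Two capabilities in this deck lend themselves to a concrete illustration: the aggregation of risk and control assessments by common attributes that a shared taxonomy and shared rating scales make possible (the Integrated Enterprise Risk Framework slide), and KRI tracking against thresholds with automated notification when a threshold is breached (this slide). The Python below is an added example written for this page; it is not code from MetricStream, RiskBusiness or GARP. The 1-5 severity and likelihood scales, the residual-score formula (inherent score reduced in proportion to rated control effectiveness), the register entries, the KRIs and their readings are all constructed assumptions.

```python
# Added example (not from the webcast): risk register roll-up and KRI threshold monitoring.
# Rating scales, the residual-score formula and all sample data are constructed assumptions.
from collections import defaultdict
from dataclasses import dataclass

# One set of rating scales shared by every business unit ("same vocabulary, same rating scales").
SEVERITY = {"low": 1, "moderate": 2, "high": 3, "severe": 4, "critical": 5}
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
CONTROL_EFFECTIVENESS = {"ineffective": 0.0, "partially effective": 0.4, "effective": 0.7, "strong": 0.9}


@dataclass(frozen=True)
class RiskAssessment:
    """One risk and control assessment record, owned by a business unit."""
    business_unit: str
    process: str
    risk_category: str  # a name from the shared risk taxonomy
    severity: str
    likelihood: str
    control_effectiveness: str

    def inherent_score(self) -> int:
        # Severity x likelihood on the common 1-5 scales, giving 1..25.
        return SEVERITY[self.severity] * LIKELIHOOD[self.likelihood]

    def residual_score(self) -> float:
        # Assumed formula: controls reduce the inherent score in proportion to their rated effectiveness.
        return round(self.inherent_score() * (1 - CONTROL_EFFECTIVENESS[self.control_effectiveness]), 2)


def aggregate_by_category(assessments):
    """Roll residual scores up per taxonomy category across business units.

    Every unit rates against the same scales and category names, so the roll-up is a
    plain grouping with no translation between unit-specific vocabularies.
    """
    rollup = defaultdict(lambda: {"count": 0, "max_residual": 0.0, "business_units": set()})
    for a in assessments:
        entry = rollup[a.risk_category]
        entry["count"] += 1
        entry["max_residual"] = max(entry["max_residual"], a.residual_score())
        entry["business_units"].add(a.business_unit)
    return {cat: {**e, "business_units": sorted(e["business_units"])} for cat, e in rollup.items()}


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with amber and red thresholds derived from risk appetite."""
    name: str
    business_unit: str
    amber: float
    red: float
    higher_is_worse: bool = True  # False where a low reading is the breach


def kri_status(kri: KRI, value: float) -> str:
    """Classify a reading as green, amber or red against the KRI's thresholds."""
    if kri.higher_is_worse:
        if value >= kri.red:
            return "red"
        return "amber" if value >= kri.amber else "green"
    if value <= kri.red:
        return "red"
    return "amber" if value <= kri.amber else "green"


def threshold_notifications(kris, readings):
    """Return one notification line per KRI whose latest reading is not green."""
    notes = []
    for kri in kris:
        value = readings[kri.name]
        status = kri_status(kri, value)
        if status != "green":
            notes.append(f"{status.upper()}: {kri.name} [{kri.business_unit}] = {value} "
                         f"(amber {kri.amber}, red {kri.red})")
    return notes


# Constructed sample register: four assessments from three business units.
ASSESSMENTS = [
    RiskAssessment("Payments", "Accounts payable", "Information security", "high", "possible", "partially effective"),
    RiskAssessment("Treasury", "Settlement", "Information security", "severe", "unlikely", "effective"),
    RiskAssessment("Payments", "Accounts payable", "Conduct", "moderate", "likely", "effective"),
    RiskAssessment("Retail", "Branch operations", "Business continuity", "critical", "rare", "strong"),
]
# Constructed KRIs and a constructed set of latest readings.
KRIS = [
    KRI("Payments unreconciled for more than 5 days", "Payments", amber=20, red=50),
    KRI("Failed privileged logins per day", "IT", amber=100, red=250),
    KRI("Staff current on conduct policy training (%)", "Retail", amber=90, red=75, higher_is_worse=False),
]
READINGS = {kri.name: value for kri, value in zip(KRIS, [34, 260, 94])}

if __name__ == "__main__":
    for category, summary in aggregate_by_category(ASSESSMENTS).items():
        print(f"{category}: {summary}")
    print("\n".join(threshold_notifications(KRIS, READINGS)))
```

The roll-up only works because both business units describe the same exposure with the same category name and the same scales; with unit-specific vocabularies the grouping step would need a mapping layer first, which is the consistency argument the deck makes. The `higher_is_worse` flag covers indicators such as training coverage, where the breach is a reading falling below the threshold rather than rising above it.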


Creating a culture of risk awareness
Stress Testing Best Practices

Global Association of
Risk Professionals
111 Town Square Place
14th Floor
Jersey City, New Jersey 07310
U.S.A.
+ 1 201.719.7210
2nd Floor
Bengal Wing
9A Devonshire Square
London, EC2M 4YN
U.K.
+ 44 (0) 20 7397 9630
www.garp.org

About GARP | The Global Association of Risk Professionals (GARP) is a not-for-profit global membership organization dedicated to preparing professionals and
organizations to make better informed risk decisions. Membership represents over 150,000 risk management practitioners and researchers from banks, investment
management firms, government agencies, academic institutions, and corporations from more than 195 countries and territories. GARP administers the Financial Risk
Manager (FRM) and the Energy Risk Professional (ERP) exams; certifications recognized by risk professionals worldwide. GARP also helps advance the role of
risk management via comprehensive professional education and training for professionals of all levels. www.garp.org

© 2015 Global Association of Risk Professionals. All rights reserved.
