Key RiskTitle

Indicators
September
Date 2022

Lifetime Learning… Building Success… Towards

Globalization
 Vijit Singh Malik
TRAINER PROFILE
• 30 year career commercial banker.
• Has worked with both interna onal
banks (ANZ, ABN Amro, American
Express, Credit Suisse) as well as local
UAE banks (United Arab Bank &
Mashreq).
• 23 years in the UAE.
• Previously was Head Corporate &
Ins tu onal Banking at United Arab
Bank and prior to that was responsible
for the Large Corporate Business (4
years) and Emerging Corporate
Business (2 years) at Mashreq.
3
ti
ti
ti
 Introductions and Objectives

• Ali - Barclays 10 years - branch operation - more knowledge on KRIs

• Danish - RM Ajman Bank - large Corporate 8 years - enhance knowledge - Key Risk Indicators
• Feryal - Regional Manager Compliance - HSBC - identify assess and control risks
• Irfan -
• Oleg - Al Masraf - IT 15 years - 1st year in banking - more info in risk management
• Khalid - Credit Agricole - Chief of Staff of Chairman - learn about operational risk
• Maria - 18 years of experience trade finance, cust. experience HSBC and ENBD - now with ADIB Writing SOPs - ticking
the box
• Mohammed Elamawy - 20 years - prior with ADCB recently joined Afaq Islamic - update knowledge on operational risk
• Mohammed (BOS) - 9 years internal audit - risk related reviews - objective setting of KRIs which will help in reviews
• Mukesh - Credit Risk Officer BOB - 14 years experience - learn more about Operational risk
• Naveed - 20+ years in IT - ADIB 9 years - IT security operations - new role IT risk related - refresh fundamentals in
operational risk
• Noureen - 10+ years in corporate banking - Ajman bk. - more knowledge on KRIs
• Ola - Arab African 17 years mostly in corporate banking - now moved to risk management - fill in knowledge gaps in risk
management
• Racha - DIB compliance - 6 years - enhance knowledge in operational risk
• Rahul - BOB 11 years experience in banking sector - recently in risk management - knowledge in risk management and KRIs
- how to establish KRIs
• Sajan - SRM CB in Ajman Bank - 18 years experience - global factors impacting the market
• Sara - 4 years experience - previously with CBD - now with HSBC - business ad risk control manager - assess and control
risk in a better way
• Waseem - DIB - credit administration - basics of KRIs - purpose, usefulness of KRIs
Introductions and Objectives
Introductions and Objectives
 What is Operational Risk?

• Different categories - systems, human errors

• Process - gap in process, breakdown etc.
• External events - floods, earthquakes, fires
• Fraud
What is Operational Risk?

what is operational risk?

• related to staff or system errors in processing
• losses or potential losses - systems, processes or people
• Risks are increasing
• Covid 19 - digital processing, errors and fraud
• higher level of complexity, maturity leading to increase
• external factors, frauds increasing
• spreading resources thin
why are we quantifying
impacting business so we want to mitigate
Risk based approach - correct deployment of resources
staff
systems
processes
adequate controls, per bank’s risk appetite
data analytics
What is Operational Risk?

• Risk of loss resulting from inadequate or failed

internal processes, people and systems or from
external events.
• Causes of Operational Risk
❑ People
❑ Systems
❑ Processes
❑ External Events
Operational Risk are growing more complex

• greater use of more highly automated

technology transforms risks from manual
processing errors to system failure risks
• Growth of e-commerce brings with it
potential risks (e.g., internal and external
fraud and system security issues) that are
not yet fully understood;
Operational Risk are growing more complex

• Large-scale acquisitions, mergers, de-mergers and consolidations

test the viability of new or newly integrated systems;
• The emergence of banks acting as large-volume service providers
creates the need for continual maintenance of high-grade internal
controls and back-up systems;
Operational Risk are growing more complex

• Banks may engage in risk mitigation techniques (e.g., collateral, credit

derivatives, netting arrangements and asset securitizations) to optimize
their exposure to market risk and credit risk, but which in turn may produce
other forms of risk (e.g. legal risk);
Operational Risk are growing more complex

• Growing use of outsourcing arrangements and the

participation in clearing and settlement systems can mitigate
some risks but can also present significant other risks to banks
Operational risk event types

• Internal fraud
❑ intentional misreporting of positions
❑ employee theft,
❑ insider trading on an employee’s own account.
Operational risk event types

• External fraud
❑ Robbery
❑ forgery,
❑ cheque kiting, and
❑ damage from computer hacking
Operational risk event types

• Employment practices and workplace safety.

❑workers compensation claims
❑violation of employee health and safety
rules
❑ organized labor activities
❑discrimination claims, and general liability.
Operational risk event types

• Clients, products and business practices.

❑ fiduciary breaches
❑ misuse of confidential customer information
❑ improper trading activities on the bank’s account
❑ money laundering
❑ sale of unauthorized products.
Operational risk event types

• Damage to physical assets.

❑ Terrorism
❑ Vandalism
❑ earthquakes
❑ fires
❑ floods.
Operational risk event types

• Business disruption and system failures

❑ hardware and software failures
❑ telecommunication problems and
❑ utility outages.
Operational risk event types

• Execution, delivery and process management.

❑ data entry errors,
❑ collateral management failures
❑ incomplete legal documentation
❑ unapproved access given to client accounts
❑ non-client counterparty misperformance, and
❑ vendor disputes.
What is the problem with Operational Risk?

• not directly taken in return for an expected reward, but exists in the natural course of
corporate activity
• Operational risk is a consequence of other risks
• Exposure is undefined and un-dimensioned
•
What is the problem with Operational Risk?

• Losses are not capped; there are no limits

• Observed loss amounts are not simply related to firm size
• Risks often only recognized ‘ after the fact’
• Often significant lags between cause and effect
•
Basel Operational Risk Management

• Identification
• Assessment
❑ Measurement
❑ Risk Appetite
• Monitoring
• Risk Response
Tools to Identify and assess Operational Risk

• Internal & External Loss Data

• Risk and Control Self Assessment (RCSA)
• Key Risk Indicators
• Scenario Analysis
• Minimum Capital Requirement
How to measure Operational Risk?

• Operational Risk is also measured in terms of Operational Risk weighted assets

• Capital Charge= α x Average Gross Income
• α= alpha= 15%
• Gross Income= Interest on Loans Plus Fees Minus interest paid on deposits
• Average Gross Income= three years average
• OPRWA=Capital Charge/0.12
How to measure Operational Risk?

• Summarizing
• Capital Charge for Operational Risk
• = 15% of Average Gross Income
• But
• Capital Charge= 12% of RWA( as per Basel 2 CAR)
• RWA= Capital Charge/0.12
Risk Monitoring-BASEL Guidelines

• Banks should implement a process to regularly monitor operational risk profiles and material exposures
to losses.
• Effective monitoring process essential for adequately managing operational risk
• Regular monitoring activities can quickly detect and correct deficiencies in the policies, processes and
procedures for managing operational risk.
Risk Monitoring-BASEL Guidelines

• Promptly detecting and addressing these

deficiencies can substantially reduce the potential
frequency and/or severity of a loss event.
• Banks should also identify appropriate indicators
that provide early warning of an increased risk of
future losses.
Risk Monitoring-BASEL Guidelines

• Such indicators (often referred to as key risk

indicators or early warning indicators) should be
forward-looking and could reflect potential sources
of operational risk such
• as rapid growth
• the introduction of new products
• employee turnover
• transaction breaks
• system downtime
Risk Monitoring-BASEL Guidelines

• When thresholds are directly linked to these

indicators an effective monitoring process can
help identify key material risks in a transparent
manner and enable the bank to act upon these
risks appropriately.
Key Risk Indicators

• Risk indicators are an important tool within

operational risk management
• They facilitate
❑ Risk identification
❑ Risk Assessment
❑ Risk Monitoring
• Despite their usefulness relatively little guidance
exists on how to use risk indicators in an effective
manner.
Definitions

• Indicators are metrics used to monitor identified risk exposures over time.
• Therefore any piece of data that can perform this function may be considered a
risk indicator.
• The indicator becomes ‘key’ when it tracks an especially important risk exposure (a
key risk), or it does so especially well (a key indicator), or ideally both.
•
KRI, KCI, KPI

• A metric may be considered to be a

risk indicator when it can be used to
measure:
• The quantum (amount) of exposure
to a given risk or set of risks. ( KRI)
• The effectiveness of any controls that
have been implemented to reduce or
mitigate a given risk exposure. ( KCI)
• How well we are managing our risk
exposures (the performance of our
risk management framework).(KPI)
KRI

• Key risk indicator or KRI is a

metric that provides
information on the level of
exposure to a given
operational risk
• which the organization has
at a particular point in time.
KRI

• The risk indicator has to have an explicit relationship to

the specific risk whose exposure it represents.
• Example
• Customer Complaints related Process errors
• Staff Turnover are related Frauds, Staff shortages and
Process errors
• Virus or phishing attacks (IT systems failure).
Control Effectiveness Indicators

• Control effectiveness indicators,

usually referred to as key control
indicators or KCIs,
• are metrics that provide information
on the extent to which a given control
is meeting its intended objectives (in
terms of loss prevention, reduction,
etc.).
•
 Control Effectiveness Indicators

• The control effectiveness indicator has to have an

explicit relationship to both the specific control and
to the specific
• risk against which the control has been
implemented.
• Examples
• The number of cases of customer identity
misrepresentation detected (which may indicate
deficiencies in KYC processes)
Control Effectiveness Indicators

• The number of network user access rights

not reviewed within a specific
• period (indicating weaknesses in user
access security controls) or
• The number of business continuity plans
not tested/updated within the specified
review period (indicating weaknesses in
continuity planning controls).
Performance Indicators

• Performance indicators, usually referred to as key performance indicators or KPIs, are metrics that measure
performance or the achievement of targets.
• More relevant for finance, accounting and general business management
• Applicable to Operational Risk with respect to exposure reduction, minimisation or mitigation.
Performance Indicators

• Examples
• cumulative hours of IT system outage
• the percentage of products/transactions containing faults/errors or
• the percentage of automated processes requiring manual intervention.
•
Differentiation between KRI, KCI & KPI

• Difference is largely
conceptual
• The reality is that the same
piece of data may indicate
different things to different
users of that data.
Differentiation between KRI, KCI & KPI

• In a financial services trading and sales operation

❑ Front office executes transactions
❑ Mid Office re-confirms details of the transactions with the counter-party
❑ Settlements function settles the resultant obligations.
Differentiation between KRI, KCI & KPI

• If we have a metric:
• the number of transactions that have not yet
been confirmed
• it is interesting to note how it changes in nature,
depending on who is using the indicator
Differentiation between KRI, KCI & KPI

• Front Office- KPI, measuring the number of errors caused during the
dealing process which are subsequently identified by the confirmation
function.
• Mid-office-KCI-represents the number of transactions which have failed to
be confirmed and thus require further work
• Settlements function-KRI-unconfirmed transactions which enter the
settlements process are more likely to result in settlement failures or
default.
Indicators and Risk Monitoring

• Indicators can be used by organizations as a means of control to

track changes in their exposure to operational risk.
Indicators and Risk Monitoring

• If selected appropriately indicators can provide a means for identifying:

• Emerging risk trends and issues on the horizon that may need to be addressed (via ‘leading’ indicators);
• Current exposure levels; and
• Events that may have materialized in the past and which could occur again (via ‘lagging’ indicators)
•
Using Indicators to Support Operational Risk
Assessments
• Indicators can be used to support risk assessments and
also provide a way to track an organization's risk
exposures
• Trends in indicators should provide an indication of
whether an organization's exposure to a particular risk is
increasing or decreasing.
Using Indicators to Support Operational Risk
Assessments
• Indicators that breach pre-assigned thresholds, limits or
escalation triggers may signal a significant change in risk
that requires prompt action
• Use of risk indicators should not be seen as a substitute
for a proper risk and control assessment programme
• Indicators may not always provide a full picture of an
organization's exposure to particular risks.
Using Indicators to Support Operational Risk
Assessments
• Often a number of indicators may need to be monitored to gain insight into changes in exposure
• Data not always available to measure all the indicators .
• One solution is to identify those areas of exposure deemed to be significant
• Select indicators relevant to each of those areas.
•
KRIs & Risk Appetite

• KRIs can indicate whether Risk appetite is

within prescribed levels
• KRIs are linked to actual risk levels and help
us arrive at possible comparison with risk
appetite in the form of Capital Charge or
RWA
KRIs and Governance

• KRIs support governance

• Provide a transparent, repeatable and consistent means
for tracking both risk exposures and management
activity
• Escalation triggers help management to specify
appropriate response, at the appropriate level
• Staff Turnover 10% No action
• Staff Turnover over 10% to 15%- HR Action
• Staff Turnover over 15-20%- Top management action
• Staff Turnover over 20%- Board action
Risk is to be managed not KRI

• Management should not focus on managing the

indicator
• The Risk is to be acted upon
The Desirable Characteristics of Risk
Indicators
• Relevance
• Measurable
• Predictive
• Easy to Monitor
• Auditable
• Comparable
Relevance

• Risk Indicators must have relevance to what is

being monitored.
• Risk indicators should be linked to an
organisation’s operational risk exposures and
provide management with both
❑ a quantum as to current levels of exposure and
❑ the degree to which such exposures are changing
over time
Relevance

• Relevance can change over time

• KRIs must:
• Identify exposures
• Measure exposures
• Monitor exposures
• Manage exposures
Measurable

• KRIs must be capable of being measured with low

errors and on a repeatable basis
• KRIs should be numerical values or counts or
percentages, ratios or deviation from predefined
values
• Indicator values must be comparable over time
Predictive

• KRIs may be
❑ Leading indicators- Predicts the expected level of
exposure
❑ Lagging indicators-change in exposure has
happened sometime back
❑ Current exposures
Predictive

• Leading or preventive indicators help predict problems

to prevent or eliminate them or at least mitigate the
damage.
• Current indicators help reduce exposures
• Lagging indicators tell us about Risks that are hidden
• Customer complaints is a lagging indicator for breaches
that have happened but a leading indicator of future
law suits and current indicator of customer
dissatisfaction
 Key Takeaways

Ali - KRI, KCI, KPI depend on each other

Feryal - focus on managing the risk rather than the KRI
Oleg - difference between KRI, KPI, KCI
Khalid - bunch of tools, variable and flexible that come together to manage risk. Relevance
of Risk management framework.
Maria - Relevant, measurable, manageable. Performance failure based, frequency of
monitoring
Mohamed - Risk matrix -frequency and impact
Mohammad - RCSAs
Mukesh - Cannot ignore the importance of op risk
Naveed - focus on risk rather than just documenting it. Leading and lagging indicators
Noureen - analyse risk factors to run a profitable enterprise. KRIs are key
Ola - OP risk different from other risks. Not directly linked to returns. Don’t rely on KRIs
alone
Racha - importance of ops risk and how to assess it. KRI, KPI, KCI. How to measure ops
risk.
Rahul - KRI is not only main tool. Should focus on other indicators, aspects tools as well.
KCIs and KPIs
Sajan - technological advancement is increasing ops risk. Importance for any org. Going
forward
Sara - Assessing and mitigating ops risk. Focus on managing the risk not the KRI
Waseem - reducing losses by identifying and mitigating relevant risks. Selecting appropriate
indicators
Easy to Monitor

• In terms of ease of monitoring, indicators need to

reflect two characteristics:
❑ The data should be simple and relatively cost
effective to collect and distribute and be
qualitative
❑ The data should be relatively easy to interpret,
understand and monitor.
Auditable

• Data used in KRIs must be easy to verify

• Indicators must be validated by Internal audit
Comparability

• KRIs can only be useful if they can be compared

to benchmarks or thresholds
Thresholds, Limits and Escalation Triggers

• The Risk Indicators approach must have

guidelines on
❑ How to interpret the data
❑ What actions are required
• Threshold values need to be established
• When the threshold is breached, the required
actions must be indicated
• These are needed for an effective ORM
framework
Thresholds, Limits and Escalation Triggers

• Thresholds must be set after great deliberation

of at least one year’s data set
• Data must be assessed and trends studied.
• One can use publicly available data too
Thresholds and Limits

• Threshold and limits establish boundaries, which

when breached alerts managers on the
increased risk exposure
• Limits must also come with escalation
methodologies
• Whenever a limit is breached an appropriate
level of management is alerted.
Thresholds and Limits

• Intervals must be broad enough for appropriate

management/ business unit to be able to act.
• Intervals need to be sufficiently responsive to
further escalation if that level of management
did not act, within the required time frame
Now’s your chance to ask (a few more)
questions