T4 - KRIs - Focusing On The Right Risks in Today - S Environment - RiskBusiness Americas (K. Gantt) Experis Finance (T. Diminich) 10-25-11 PDF
and were done well by the financial institutions that made out OK (relatively speaking):
IDENTIFIED RISK APPETITE & CONNECTED WITH RISK MITIGATION STRATEGY: The balance that each firm's senior management in general achieved between its desire to do business and its appetite for risk, as reflected in the tone set for developing or enforcing controls on the resulting risks;
IDENTIFIED RISK AND TOOK ACTION: The role that senior management in particular played in identifying and understanding material risks and acting on that understanding to mitigate excessive risks;
A Key Risk Indicator, also known as a KRI, is a measure used in management to indicate how risky an activity is and to give an early warning of potential events that may harm the continuity of the activity/project.
A KRI differs from a Key Performance Indicator (KPI) in that a KPI is a measure of how well something is being done.
Identify Factors Affecting Exposure Tolerance
Management Level: Line of Business Limits / Risk Tolerance & Thresholds; Divisional Policies; Risk Assessment & Response Decisioning; Approval Level Setting; Organizational Design
Supervisory Level: Scenario Level Risk & Control Activities Review; Key Risk Indicators; Data Validation
Surveillance Level: Quantitative Analysis (VaR, LGD, OpVar); Imbedded Testing; Rules-Based or Artificial Intelligence Monitoring
Business & Tactical Strategy Execution
Monitor, Aggregate, Analyze, Report & Determine Mitigating Action
Risk Tolerance / Appetite
Corporate & BU Strategic Objectives
Define the KRI, Develop Measurement Policy & Specify the Threshold
Determine Company's Risk Tolerance
Within tolerance, how much Risk Appetite, both qualitative & quantitative
Translate Tolerance / Appetite into LOB Strategic Business objectives
($) Risk
$ Oppty
Access to Capital
Risk Appetite
Internal / External Loss (Potential Liability) Analysis
Bottom-up Inherent / Residual Risk Map pointing to Processes, Risks, & Control Assessment (Using a Common language big advantage to tie to #1)
KRI Measurements borne from intersection of 1 & 2
2010-2011 RiskBusiness Americas LLC
TIPS:
Determine related processes, risks & controls (and their owners) where breakdown expected to occur AND motivational drivers.
[Diagram labels: Management; HR; Clouds; Sales / Revenue Targets; Resourcing Levels; Workload; Individual Capability; HR Practices; Aggressive Sales; Misunderstanding; Miscommunication; Team Function; LoB; Goofs; Task Difficulty; Product Complexity; Process Complexity; Seismic Vulnerability; Seismic Event; Lord; Risk Events; Oversight; Training; Mgmt; Triggers; External / Seismic; KRIs; Execution Errors]
Determine Providers & Consumers of Metrics
Determine Tools / Resource Requirements for Aggregation & Analytics
Execute Data Analytics Implementation
Test Results, Usefulness & Actions
Definition
KRI Name
Specifications
Organizational Unit
Geographic Location
Product Type(s)
Other
Post Implementation Use Test Validation
Operationalize KRI Measurement & Monitoring
Deliverables
Before starting, these are key To Dos:
Define Organizational Topography: Lines of Business, Business Units, Cross-Functional Units
Establish C-Level Buy-In
Pre-Plan Communication Structures (i.e., not used for compensation, discussed through Risk Management)
Determine Appropriate Level of Resources are Available to Implement a Reliable KRI Development Process
Develop an Implementation Plan, e.g., Targeting a Pilot Area with Biggest Expected Return for Time Spent
Operationalize KRI Measurement & Monitoring
Deliverables
Evaluate existing technology for monitoring workflow capabilities & determine platform;
Determine providers (inputs) and consumers (outputs) of individual KRI metrics;
Configure platform with KRI policies based on organizational hierarchy link to risk taxonomy;
Design data input mechanisms (e.g., Manual, API);
Determine and configure reporting parameters; and
Test the process (inputs, function, outputs) vs. goals
Post Implementation Use Test Validation
Deliverables
Review the program objectives are working as intended through objective review;
Validate results of KRI information to management actions
Track management actions are managed through appropriate prioritization & budget allocation
Use Test
to KRI feedback loop;
Accompanying firm-wide policies & procedures function
At the end of the day, KRIs should:
Prompt Timely Management Risk Response (Documented)
Be Relevant: Ties to risk tolerance / appetite
Be Transparent: Easily understood in common business language
Practical Examples
Identify Factors Affecting Exposure Tolerance
Monitor the KRI Threshold
TOLERANCE to KRI:
LOSS EVENT TYPES:
Employment Practice & Workplace Safety
Clients, Products and Business Practices
Business Disruption & Failure
Damage to Physical Assets
Execution, Delivery & Process Mgmt.
Internal Fraud
External Fraud
Strategy
n/a
n/a
Loss of Key People w/o Succession Planning
Product Design Tied to Inadequate Market Liquidity
Selection of Business location prone to damage
Aggregate Trading Limits Are Exceeded / Trade Partner Selection Risky
Management Abuse of Signing Authority
n/a
Under-Documented Termination Process
Poor Oversight Over Application of Compliance Rules
Not Providing Employees with BCP Training
n/a
Trade or Margin Fees not Collected or Accounted for / Gross Positions not Monitored
Conduct
Employee Cover-up Poor Performance or Error
n/a
Sexual Harassment / Comp Plan Encourages Risky Conduct
Trade relationship established w an inappropriate counterparty not in interest of the firm
Unintentional lack of knowledge to carry out BCP
Intentional destruction or theft of company property
Negligence in Employee Performance in Carrying Out Duties
Processes
Conflicting Duties s/u in Organization
Fraudulent Trade Partner Documents
n/a
Customer Identification / KYC Not properly performed
Procedures for BCP not Clearly / Accurately Communicated
n/a
Trade Policies/Procedures Unclear / Confirms not Received
Technology
Logical Access Security Breach
Firewall Security Lax
n/a
Corporate Credit Application Under-Functions
Data is Corrupted
System to System transmission error
External Factors
n/a
Damaging Viruses being Introduced in Cyber Attacks
n/a
Massive Defaults in Corporate Credits in US
Outsource Vendors Fail in the event of a Disaster
Fire, Flood
Clearing Firm Parties Defer Settlement
LOSS EVENT TYPES:
Internal Fraud
External Fraud
n/a
n/a
Employment Practice & Workplace Safety
Clients, Products and Business Practices
Business Disruption & Failure
Damage to Physical Assets
Loss of Key People w/o Succession Planning
Product Design Tied to Inadequate Market Liquidity
Selection of Business location prone to damage
Management Abuse of Signing Authority
n/a
Under-Documented Termination Process
Poor Oversight Over Application of Compliance Rules
Conduct
Employee Cover-up Poor Performance or Error
n/a
Sexual Harassment / Comp Plan Encourages Risky Conduct
Bad IB deal made not in interest of the firm
Process
Conflicting Duties s/u in Organization
Fraudulent Trade Partner Documents
n/a
n/a
Customer Identification / KYC Not properly performed
Corporate Credit Application Under-Functions
Massive Defaults in Corporate Credits in US
Technology
Logical Access Security Breach
Firewall Security Lax
External Factors
n/a
Damaging Viruses being Introduced in Cyber Attacks
n/a
Not Providing Employees with BCP Training
n/a
Unintentional lack of knowledge to carry out BCP
Intentional destruction or theft of company property
Procedures for BCP not Clearly / Accurately Communicated
n/a
Systems will not Recover within Required Time
Data is Corrupted
Outsource Vendors Fail in the event of a Disaster
Fire, Flood
Execution, Delivery & Process Mgmt.
Aggregate Trading Limits Are Exceeded / Trade Partner Selection Risky
Trade or Margin Fees not Collected or Accounted for / Gross Positions not Monitored
Negligence in Employee Performance in Carrying Out Duties
Trade Policies/Procedures Unclear / Confirms not Received by Trade Partner
System to System transmission error
Clearing Firm Parties Deferred Settlement
KRI Measurement: # Disabled UserIDs / password resets; Periodic (daily?); Information Security Officer
Measurement: # Gross Trades Exceeding Set Threshold; Daily; Trade Supervisor / Risk Mgr
KRI Measurement: # / $ Open 3pty OTC Confirms w no Cash Flow; Weekly; Report to Desk Risk Mgr
Aggregating KRIs
If you're looking for the Top 10 Best Firm-Wide KRIs, Save Your Energy!
Risk / exposures change continually.
What may be best are risk scores (Customer Satisfaction/Technology Service/Employee Satisfaction)
may be correlation to other KRIs.
Once implemented, KRIs work immediately so loss history collected may not be robust enough to
Think about joining KRI Exchange or other Consortium.
Ensuring KRIs tie directly to Risk Event / Loss Categories: Focus on the pivot table concept that all roads lead back to measuring / monitoring against defined loss categories.
Thank You!
Contact:
Tom Diminich
Director, IT Risk Advisory Services
Experis Finance
Direct: (212) 823-8559
Tom.diminich@experis.com
RiskBusiness Americas
(a Madison-Davis & RiskBusiness International Company)