RSK4801: OPERATIONAL RISK MANAGEMENT

WINTER STUDY SCHOOL

Prof A. Mutezo
 Overview

• Introduction and welcome

• Risk identification
• Risk assessment
• Why case studies
• Feedback on assignment 01
• Case study – Eskom
 Introduction & Welcome

“For those organisations that choose to weather this economic storm with the aid of
ERM, the benefits of their efforts today will likely remain long thereafter”
Grant Thornton
 Risk
“Risk is the effect of uncertainty on objectives.”

The effect may be positive, negative or a

deviation from the expected. Risk is often
described by an event, a change in
circumstances or a consequence. (ISO
31000)
NB: Definition of Operational Risk Management
What are the operational risk factors?
 Governance
• Good governance is the starting point for good
ORM
• Framework
• Policy document
• Terms of reference and a timeline for tracking
and reviewing the development of OR
processes in the organisation
• Three lines of defence – depends on culture
and structure of the organisation
 Operational Risk Management Framework

• ORM governance (establishes the 3 lines of

defence) and structure
• ORM strategy and policy
• Based on Fig 3.2 in the prescribed book, but
frameworks can take many forms including
frameworks A, B and C on pages 49-50
• Operational risk policy – what should it
contain?
 Operational risk appetite
• The amount and type of risk that a firm is
willing to take to achieve its strategic
objectives [over a specified time and given
level of confidence].
• Distinguish between risk appetite and
tolerance.
• What are the different ways of expressing risk
appetite?
Risk and control assessments

Cause
Event
Cause
Consequence
Cause
Event
Cause
 Risk assessment
• Many organisations use tables to determine the
impact or severity and the likelihood of the risks
• Should also incorporate the risk appetite of the
organisation
• A value (1–5 in our example) is allocated to a risk
based on the monetary value if available, or
another appropriate factor to indicate the impact
of the risk
• The same process is followed to allocate a value
for the likelihood
Looking at impact
Looking at likelihood
 Risk profile

• The result of the risk assessment is

graphically illustrated in a risk profile –
preparing a separate graph can make it easier
to discuss with executive management as they
can observe all the risks.
• The control strategy for a risk should be
appropriate for the impact and likelihood of the
risk.
Risk profile
Risk treatment
Loss distribution curve
 Why case studies?

• An effective way for students to demonstrate

their learning
• Assists in preparing students for professional
work
• Develop critical thinking skills
• Extraction of valuable information from a
‘noisy’ environment
 What is a case study?

• A case study is a scenario in which students

are guided by specific questions to analyse
and respond to the scenario
• The scenario or case study involves a number
of issues or problems that must be dealt with
in the workplace
 Suggested approach to case studies

• Know the theory

• Read wider than only the text book and study
guide
• Watch the news and read magazines and
newspapers
• Read annual reports
 Suggested approach
• Holistic approach (big picture)
 Suggested approach
• Ask yourself the following questions when
reading the articles/watching news. If I were the
operational risk manager ...
• Is the problem properly defined?
• What happened?
• Why did it happen?
• Who are involved
• Where did it happen?
• When did it happen?
• Will the suggested solutions fix it?
How will you be assessed?
 Approach to answering questions
• Identify the events and causes for the
operational risk of XXX Ltd
• Identify the events and causes and classify
the risks of XXX Ltd

• What is the difference between the two

questions? How would that change your
answer?
• Assess the risks and indicate the top three
operational risks
 Approach to answering questions

• Argue the controls that you will recommend for

the top three operational risks
• What would the impact be on your marks if
you discussed the controls for risks other than
operational risks in the question – especially if
we were testing the learning outcome
regarding the definition and description of
operational risk?
 Tips for assignments

• Scan the case study

• Read the questions
• Analyse the questions
• Read the case study
 Follow the story line
 Tables and other information are given on
purpose
 Look out for red herrings
 Case Study: Eskom
Background
• ESKOM CASE STUDY.pdf
• Power outages caused by incidents.
• Loss of income & human life, dented
reputation as a reliable electricity supplier.
• Questions risk management culture??
• Downgrading of credit rating.
• Management lack of awareness of problems.
 Case Study: Eskom cont...
Process
 Case Study: Eskom cont...
Duvha Power Station

Turbine explosion
(Unit 4) February’11

Image placeholder Boiler overheats

(Unit 3) March’ 14
 Case Study: Eskom cont...
Duvha Power Station Incidents
Feb’11

Feb’11
 Case Study: Eskom cont...
Duvha Power Station Incidents
March’14

Feb’11
 Case study Eskom application
Establish the context
• Electricity supplier to the national power grid.
• Recording losses for the last three years.
• Management created perception that they stumble
from crises to crisis.
• No credible answers on the way ahead or how to
turn company around
• Credit downgrading: difficult to obtain credit
• Concerns on Boards commitment on good
governance
 Case study Eskom application

Risks identified
- People may be injured/killed in an accident
- Equipment can be damaged or destroyed
- Insufficient production
- Damage to roads
- Unavailability of computer systems & data
- Bad weather conditions – flood damage
- Legal claims by the community
 Case study Eskom application
Example of a risk register
Risk/Event Cause Control
1. Supervisors do not have the Supervisors with the right experience and
People required experience and skills must be appointed. Supervisors must be
injured/ skills to supervise workers. trained to refresh or develop the skills.
killed in an
accident Workers are negligent and Workers must be trained in the correct
take unapproved short cuts processes and must be disciplined where the
to feed the boilers. negligence was intentional.

People do not wear safety All dangerous areas must be designated and
equipment (hard hats, safety people who do not adhere to the
glasses, overalls and boots) requirements must leave the designated
in dangerous areas. areas. Repeat offenders must be disciplined.
 Case study Eskom application
Example of a risk register
Risk/Event Cause Control
2. Lack of maintenance. A register of maintenance planned and
Equipment completed must be kept. The maintenance
damage & activities must also be reported to EXCO.
destruction
Below standard coal. Quality inspection at the delivery point and
reporting to EXCO if coal is below standard.
Shift crews must also be trained to identify coal
of inferior standard.

3. Insufficient delivery of coal Review the transport mechanism for capacity

Insufficient
production Inferior quality of coal Monitor volumes daily
Inspect quality
 Case study Eskom application
Example of a risk register
Risk/Event Cause Control
4. Transport by trucks Review appropriateness of the transport method in
Damage to line of the expected lifetime of the power station.
roads
Overloading of Arrange with traffic authorities for periodic load
trucks inspection.

5. Virus attacks Load patches received from head office.

Unavailability Backup servers and systems to enable minimum
of computer disruption in case the main system is unavailable.
systems &
data Data corruption Backup data regularly to ensure that data can be
restored in case it gets corrupted.
 Case study Eskom application
Example of a risk register
Risk/Event Cause Control
6. Damage to Inspect the holding bays (stockpile, staithes, boiler
Weather infrastructure at the bunkers) and other infrastructure for the adequacy of
conditions – power station drainage systems. Improve if necessary.
flood damage Inspect internal roads for drainage and improve
due to heavy where necessary.
rains
Damage to coal Insure against damage

7. Noise pollution Review appropriateness of the transport method.

Legal claims Upgrade road surfaces to decrease noise levels
by the
community Damage to roads Develop alternative roads

Accidents Insure against claims

 Case Study Eskom application
Micro risks
• Operational risk (Senior management & reputation)
• Financial risk (credit risk: downgrading credit rating)
• Project risk (Medupi, delay of ±2yrs, budget cost
doubled, strikes)
• IT risk (EGMS system updates & backups & virus
attack)
• Health & Safety (Explosions & not wearing
protective gear)
 Case Study Eskom application

Macro risks
• Environmental risks (impact of environment on
power stations)
• Social risks (community claims & noise pollution)
• Political risks (Minister of Energy)
Best wishes with your studies