
OPERATIONAL RISK MANAGEMENT
DORO TRAINING
PROGRAM OUTLINE

• Introduction to Risk Management

• Duties and Responsibilities

• Risk Management Process

o ORM Framework

o ORM Procedures Manual

• Risk Management Tools

WHAT IS RISK?

• Risk measures the uncertainty that an investor is willing to take to realize a gain from an investment.
Is the existence of risk a cause of concern?

According to BSP…
Not necessarily so, as long as banks demonstrate the ability to effectively manage and price for that level of risk.
Could we use a crystal ball in risk management?
“A company should not wait for a difficult situation to happen before it puts in the efforts that will enable it to survive.”
- Helen Yuchengco Dee (RCBC Chairperson)
On Q&A with Josiah Go
WHAT IS RISK MANAGEMENT?

Establishment of controls to minimize the possibility of risk
WHY IS RISK MANAGEMENT RELEVANT TODAY?

01 Increase in transactional volumes
02 Complexity of financial markets
03 Technology advances
04 Expansion into new business & geographic markets
05 Regulatory trends
06 Dynamic customer preferences
07 Change in product nature or delivery

Because of these market and industry changes and developments, banks are more exposed to risks (upsurge of operational losses).
WITHOUT PROPER RISK MANAGEMENT…
EXAMPLES OF OPERATIONAL RISK FAILURES

BARINGS BANK (1995)

• One of the world’s oldest banks, banker to the British royal family
• Nick Leeson, a Singapore-based trader for the bank, made a series of bad trades.
• He incurred substantial losses ($1.3 billion) which the bank could no longer cover and which eventually led to its collapse.
• Barings Bank was bought by ING, a Dutch financial institution, for £1.

© Investopedia.com by James Chen


EXAMPLES OF OPERATIONAL RISK FAILURES

SUBPRIME CRISIS (2007)

• The collapse in the credit markets in the US driven by the loan crisis has led to major losses for banks worldwide.

© Bloomberg
EXAMPLES OF OPERATIONAL RISK FAILURES

FAT-FINGER INCIDENT
• Accidentally deposited 2.8B shares worth 111.8T won ($104.8B) into employee accounts, more than 30x the company’s existing issued shares.
• 16 staff members sold a collective 5M shares worth about $186.9M minutes after receiving them.
• Intended to pay dividends in “shares” but input as won (KRW)
• 10% drop in Market Securities shares

© The Wall Street Journal by Eun-Young Jeong


EXAMPLES OF OPERATIONAL RISK FAILURES

CUSTOMER FRAUD CASE

• Wells Fargo will pay $190 million to settle customer fraud case/inappropriate sales practices.
• Pushed customers into costly financial products that they did not need or even request
• Paid $185 million in penalties
• Paid $5 million to customers
• Fired 5,300 employees

© CNN Philippines and Business Inquirer


EXAMPLES OF OPERATIONAL RISK FAILURES

QUALIFIED THEFT (2015)

• Former Citibank executive Bryan Ang charged with qualified theft for supposedly stealing around P138 million from his clients.
• Offered higher interest rates
• Offered higher referral fees
• Forged clients’ signatures

© CNN Philippines and Business Inquirer


EXAMPLES OF OPERATIONAL RISK FAILURES

INTERNAL FRAUD BY VP
• Maria Victoria Lopez, a VP at Metrobank, reportedly falsified an MC to an individual to defraud a total of P1.75M.
• Lopez was charged with qualified theft, falsification, and violation of the General Banking Law of 2000.
• BSP sanctioned Metrobank, ranging from reprimand to suspension of directors and officers who failed to perform adequate oversight and/or have been complacent or remiss in their duties and responsibilities.

© CNN Philippines and Business Inquirer


BANK FOR INTERNATIONAL SETTLEMENTS

• World’s oldest international financial organization (1930) – Basel, Switzerland
• Association of central banks worldwide (BSP)
• Fosters cooperation among central banks and other agencies in pursuit of monetary and financial stability
• Carries out its work through Committees – BCBS (Basel Committee on Banking Supervision)
BASEL ACCORDS
• Basel I (1988), Basel II (2004) and Basel III (2009) issued by BCBS.
• Refers to global regulatory and economic capital standard for Financial Institutions.
  Higher Risk = Higher Capital Allocation
• Implemented in the Phils. by BSP via:
  BSP Circular 510 & 538 (2006)
  BSP Circular 900 (2016)
TYPES OF RISKS

OPERATIONAL (at the center of the diagram)
INFORMATION SECURITY – Risks associated with the use of IT
MARKET – Losses from performance of financial markets
LIQUIDITY – Inability to meet short term financial demands
CAPITAL – Potential of loss of part or all of an investment
REPUTATIONAL – Losses from damage of reputation
CREDIT – Risk from default on a debt
OPERATIONAL RISK: DEFINITION

Risk of loss from inadequate or failed internal processes, people, and systems or from the impact of external events, including legal risks.

• Differs from other risks, as it is usually not willingly incurred:
  • Not easily quantifiable
  • Inherent across the Bank
  • Cannot be fully eliminated
OPERATIONAL RISK: BASEL CATEGORY

7 BASEL EVENT TYPES
• Internal Fraud
• External Fraud
• Employment Practices and Workplace Safety
• Clients, Products and Business Practices
• Damage to Physical Assets
• Business Disruption and System Failure
• Execution, Delivery and Process Management
DUTIES AND RESPONSIBILITIES
OPERATIONAL RISK: STRUCTURE
3 LINES OF DEFENSE

1st Line – BUSINESS UNITS
• Involved in day-to-day risk management
• Assess, Control, Monitor and Risk Report
• Risk Incident Management
• Build a strong risk culture
• Identify and report key material risks

2nd Line – RISK, RAG, LEGAL
• Challenge the 1st Line
• Define and maintain policies, limits, standards, etc.

3rd Line – AUDIT
• Independent of the 1st and 2nd Line
• Provide independent assurance
Board of Directors (BOD)
Risk Oversight Committee (ROC) · Audit Committee

1st Line of Defense – RISK TAKER
• Business / Support Owners
• Line Management

2nd Line of Defense – MONITOR, REPORT, CONTROL (Operational Risk Control)
• Operational Risk Mgt
• Regulatory Affairs
• Deputy Operational Risk Officer (DORO)
• Legal

3rd Line of Defense – INDEPENDENT ASSURANCE
• Audit

Note: Depicts working relationship, not reporting lines


2nd LINE RISK CONTROL AREAS

RISK AREA – PROCESS – OWNER
• COMPLIANCE RISK – Regulatory Compliance – Regulatory Affairs Group
• ML/TF RISK – ML/TF Processes – Regulatory Affairs Group
• REGULATORY RISK – Regulatory Breaches – Regulatory Affairs Group
• LEGAL RISK – Legal Processes – Legal Affairs Group
• IT RISK – Information Technology Management – IT Support Services Group
• FRAUD RISK – Internal/External Crime Management – RMG
• INFORMATION SECURITY RISK – Information Security Management – RMG
• BUSINESS CONTINUITY RISK – Disaster Recovery Management – RMG
• MODEL RISK – Model – RMG
• PROCESS RISK – Business Process Management – RMG
WHO’S RESPONSIBLE FOR MANAGING RISKS?

RMD (the Navigator)
- Guides the driver
- Provides the tools and strategies for effective risk management.
- Monitors, measures and reports the risk

All Business/Support Units (the Driver)
- Units drive the car
- Has the best knowledge of risk exposures and processes
- Responsible & Accountable for managing their own risks
ROLES AND RESPONSIBILITIES
RISK OVERSIGHT COMMITTEE (ROC)

DEFINES
• Overall risk appetite and tolerances

REVIEWS
• ORM principles, strategies, policies, process and control frameworks recommended by CRO
• ORM Policy to ensure that it remains aligned with the overall RM objectives

OVERSEES
• Overall effectiveness of the ORM Policy
• Observance with the risk appetite and tolerances and directs immediate corrective action to management if breached

APPROVES
• ORM principles, strategies, policies, process and control framework and endorses to BOD
• Risk acceptance and control decisions for material ops risks

*ROC meets regularly to discuss trends and risk materiality and endorse to BOD for necessary actions.
RESPONSIBILITIES OF A DORO

• Act as a liaison of RMG-ORMD activities and ROC.
• Consistently implement unit level policies & procedures.
• Exercise authority in approving relevant risk requirements.
• Perform regular RCSAs within your scope/unit.
• Continuous monitoring & timely submission of KRIs.
• Promote culture and awareness.
• Report risk events in a timely manner.
• Establish, maintain & update your unit’s risk register in a timely manner.
• Perform regular CSTs.
• Track, monitor progress & ensure timely implementation of action items.
• Disclose & endorse risk acceptance.
HOW THEN CAN WE MANAGE RISK?
WHY DO WE NEED ORM FRAMEWORK?
 Promote the adoption of effective risk management systems
 Assist management in meeting its responsibility to understand and manage operational risk exposures.
 Ensure the development and consistent implementation of operational risk policies, processes, and procedures throughout the bank.
 Allows us to look across the Bank in a holistic manner.

Source: BSP Circular 900 Guidelines on Operational Risk Management
RISK MATERIALITY

Bank’s Risk Appetite: MEDIUM
Material and Key Risks – Residual risk rating of ‘High’ and ‘Very High’
RISK MANAGEMENT PROCESS: IDENTIFY
IDENTIFY RISKS
What can happen? How can it happen? What if..?

NOTE:
• Include qualitative & quantitative
• Qualitative data sometimes is more important than quantitative, particularly when there are recent changes.
PROCESS IDENTIFICATION & OWNERSHIP

SUPPLIER (WHO?) – Providers of the required resources for the process
INPUT (WHAT?) – Resources required by the process
PROCESS (HOW?) – Description of steps in the process (main steps only & does not include exceptions or decisions)
OUTPUT (WHAT?) – Deliverables from the process
CUSTOMER (WHO?) – Anyone who receives a deliverable from the process
ACTIVITY – Let’s Identify
1. Determine one of your Department’s goals
2. Identify the processes/activities necessary to achieve your goal
3. For each process, identify what could possibly go wrong
RCSA ACTIVITY
(Diagram: the GOAL at the center, surrounded by PROCESS 1 to PROCESS 6, each with its own identified RISKs.)
RISK MANAGEMENT PROCESS: IDENTIFY → MEASURE
OPERATIONAL RISK ASSESSMENT MATRIX
(cell = Likelihood rating × Impact rating)

LIKELIHOOD             OPERATIONAL RISK IMPACT
                       1 LEAST   2 SLIGHTLY   3 FAIRLY   4 SEVERE   5 VERY
                       SEVERE    SEVERE       SEVERE                SEVERE
5 ALMOST CERTAIN          5         10           15          20        25
4 LIKELY                  4          8           12          16        20
3 MODERATE                3          6            9          12        15
2 UNLIKELY                2          4            6           8        10
1 LEAST LIKELY            1          2            3           4         5
LIKELIHOOD SCALE

LIKELIHOOD – DESCRIPTION – THRESHOLD
1 – LEAST LIKELY: No known history for past year or less; activities performed 1% of the time
2 – UNLIKELY: Previous history for the past 6 months or more; activities performed 1% of the time
3 – MODERATE: Previous history for the past 3 months; activities performed less than 50% of the time
4 – LIKELY: Risk event occurs monthly; activities performed close to 50% of the time
5 – ALMOST CERTAIN: Risk event occurs weekly; activities performed more than 50% of the time
OPERATIONAL RISK IMPACT SCALE

1 – LEAST SEVERE
  Financial Loss: Up to P150,000
  Reputational: No adverse national media coverage
  Compliance/Regulatory: No regulatory written notice
  Impact on Future Earnings: Isolated customer complaints
  Stakeholders: No negative feedback from stakeholders

2 – SLIGHTLY SEVERE
  Financial Loss: P150,001 to P500,000
  Reputational: Isolated adverse national media coverage
  Compliance/Regulatory: Written notice from Regulators
  Impact on Future Earnings: Increasing complaints with mitigation plans
  Stakeholders: Negative verbal feedback from stakeholders

3 – FAIRLY SEVERE
  Financial Loss: P500,001 to P1,000,000
  Reputational: Contained adverse national media coverage
  Compliance/Regulatory: Regulatory actions taken by authorities
  Impact on Future Earnings: Short term increase in customer attrition
  Stakeholders: Negative written feedback from stakeholders

4 – SEVERE
  Financial Loss: P1,000,001 to P5,000,000
  Reputational: Sustained adverse national media coverage
  Compliance/Regulatory: Significant regulatory actions taken by authorities
  Impact on Future Earnings: Significant increase in customer attrition
  Stakeholders: Stakeholder complaints that are publicized in PH media
  Legal: Criminal or civil investigation against the Bank or its Director

5 – VERY SEVERE
  Financial Loss: More than P5,000,000
  Reputational: Negative media coverage over extended period
  Compliance/Regulatory: Blacklisting by regulatory authorities
  Impact on Future Earnings: Very material increase in customer attrition w/ lasting damage to the brand
  Legal: Material criminal or civil investigation against the Bank or its Directors
RISK MANAGEMENT PROCESS: IDENTIFY → MEASURE → MITIGATE
ORM FRAMEWORK: CONTROLS

Action, system, process or practice that acts to minimize the likelihood and / or impact of a risk occurring, which should have the following characteristics:

• Addresses the risk in question
• Mandatory/regulatory
• Currently in operation
PRINCIPLES OF A GOOD CONTROL DESIGN

MINIMUM
• CONTEXT AND RELEVANCE – Should be linked to potential event, relevant regulatory/internal policy guidelines
• MEASURABLE – Should be quantifiable
• VERIFIABLE – Should be certifiable via a KRI review and CST
• EMBEDDED – Should be a permanent part of the process

BETTER
• PREVENTIVE – Where possible, should aim to prevent instances of errors or fraud
• AUTOMATED – Where possible, should be automated where automation cost doesn’t exceed potential benefit
• EFFICIENT – Should not duplicate other controls or create an inefficient business process.
TYPES OF CONTROLS

DIRECTIVE – Aims to ensure that all processes and controls are properly documented and communicated to all employees involved in the execution. (e.g. Policies, Procedures, Manuals, Memos)
PREVENTIVE – Aims to align and is designed to reduce the probability of risk event. (e.g. Training, Maker/Checker, Dual Input, Segregation of Duties)
DETECTIVE – Designed to reduce impact through detection of errors soon after occurrence and prevent escalation. (e.g. Reconciliations, Quality Assurance)
RECOVERY – Aims to reduce the impact of a risk event that has already occurred. (e.g. Management Reviews, Contingency Plans, Insurance)
CONTROLS BY PROCESS TYPE

Manual – Performed by individuals (e.g. Maker/Checker, Dual Input, Segregation of Duties)
Automated – Integrated into the application systems (e.g. Workflow tools, STP)
CONTROL & RESIDUAL RISK ASSESSMENT GUIDE

CONFIDENCE LEVEL BY CONTROL TYPE
                PREVENTIVE   DETECTIVE   RECOVERY   DIRECTIVE
AUTOMATED          90%          75%         50%         0%
MANUAL             75%          50%         25%         0%

Residual Risk = Gross Risk − (Gross Risk × Confidence Level)

Gross Risk = 25
Control Type = Automated and Preventive
Residual Risk = 25 − (25 × 0.90)
Residual Risk = 25 − 23 (rounded off to the nearest whole number)
Residual Risk = 2 (Least Likely and Slightly Severe based on the Ops Risk Assessment Matrix)

From a gross risk rating of 25 and with the highest form of control type, the residual risk rating of the process/event has been reduced to ‘Slightly Severe’ (2). This means that the control is effective in bringing down the risk to acceptable levels.
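To make the guide's arithmetic reproducible, here is an added Python example (not part of the training deck or of the bank's ORMS) that encodes the confidence-level table and the residual risk formula above. The control names, percentages and the rounding step come from the guide; the function names and the comparison table are illustrative.

```python
"""Residual risk calculator for the Control & Residual Risk Assessment Guide above.

Added worked example, not the bank's own tool. It encodes the 5x5 Operational Risk
Assessment Matrix (gross score = likelihood x impact) and the confidence-level table
(automated/manual x preventive/detective/recovery/directive), then applies

    Residual Risk = Gross Risk - (Gross Risk x Confidence Level)

rounding the mitigated amount half-up, which is the step that turns 25 x 0.90 = 22.5
into 23 and gives the guide's residual score of 2.
"""
from decimal import Decimal, ROUND_HALF_UP

# Confidence level earned by a control, keyed by (how performed, control type).
# Values are the guide's table; directive controls earn no credit either way.
CONFIDENCE = {
    ("automated", "preventive"): Decimal("0.90"),
    ("automated", "detective"):  Decimal("0.75"),
    ("automated", "recovery"):   Decimal("0.50"),
    ("automated", "directive"):  Decimal("0.00"),
    ("manual", "preventive"):    Decimal("0.75"),
    ("manual", "detective"):     Decimal("0.50"),
    ("manual", "recovery"):      Decimal("0.25"),
    ("manual", "directive"):     Decimal("0.00"),
}

LIKELIHOOD = {1: "Least Likely", 2: "Unlikely", 3: "Moderate",
              4: "Likely", 5: "Almost Certain"}
IMPACT = {1: "Least Severe", 2: "Slightly Severe", 3: "Fairly Severe",
          4: "Severe", 5: "Very Severe"}


def gross_risk(likelihood, impact):
    """Matrix score for a likelihood rating and an impact rating, each 1..5."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError("likelihood and impact must be integers from 1 to 5")
    return likelihood * impact


def round_half_up(value):
    """Round to the nearest whole number with halves going up: 22.5 -> 23.
    Python's built-in round() uses banker's rounding (22.5 -> 22), which would
    not reproduce the guide's worked example."""
    return int(Decimal(value).quantize(Decimal("1"), rounding=ROUND_HALF_UP))


def residual_risk(gross, performed, control_type):
    """Residual Risk = Gross Risk - round(Gross Risk x Confidence Level)."""
    key = (performed.lower(), control_type.lower())
    if key not in CONFIDENCE:
        raise ValueError("unknown control: %r" % (key,))
    mitigated = round_half_up(Decimal(gross) * CONFIDENCE[key])
    return gross - mitigated


def residual_by_control(gross):
    """Residual score for every control kind in the guide, most effective first.
    Useful when deciding which control is worth building for a given gross risk."""
    table = {key: residual_risk(gross, key[0], key[1]) for key in CONFIDENCE}
    return sorted(table.items(), key=lambda item: (item[1], item[0]))


if __name__ == "__main__":
    # The guide's own walkthrough: gross 25, automated preventive control.
    g = gross_risk(5, 5)
    print("gross", g, "-> residual", residual_risk(g, "automated", "preventive"))
    for (performed, ctype), score in residual_by_control(g):
        print("%-9s %-10s residual %2d" % (performed, ctype, score))
```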
RISK MANAGEMENT PROCESS: IDENTIFY → MEASURE → MITIGATE → MONITOR
WHY MONITOR?

Running a business w/o indicators is the same as driving a car w/o a fuel gauge, speedometer or engine/oil and temperature gauges.
ORM FRAMEWORK - TOOLS

• Interviews
• Process – Activities – Risk Controls
• Risk Mapping
RISK AND CONTROL SELF-ASSESSMENT
Tool used for identification of risks, gross and residual risk assessment and risk and control monitoring.

01 Document control environment
02 Identify & evaluate risks
03 Identify specific controls
04 Assess and rate controls
05 Action Planning
06 Monitor RCSA results
07 Control Testing
RISK & CONTROL SELF-ASSESSMENT
ACTIVITY 01 – PROCESS & RISK IDENTIFICATION, OWNERSHIP AND INHERENT RISK ASSESSMENT

• Identification of the business/function’s key objectives and activities.
• Determination of the end-to-end processes and sub-processes.
• Assigning ownership of processes.
• Defining SIPOC activities, processes & controls for risk mitigation.
• Identification of risk events or failure modes.
• Categorization of failure modes based on Basel Event Types levels 1-3.
• Assessment based on Likelihood Matrix and Operational Risk Impact Scale.
• All material Gross Risks are assessed for Residual Risk.
RISK & CONTROL SELF-ASSESSMENT
ACTIVITY 02 – CONTROL IDENTIFICATION AND ASSESSMENT

• Map controls to processes identified that address the gross risks
• Assess the control design using the Bank’s Control Design and Effectiveness Assessment

ACTIVITY 03 – RESIDUAL RISK ASSESSMENT

• Assess the net risk after offsetting the effects of the controls – Residual Risk Assessment
RISK & CONTROL SELF-ASSESSMENT
ACTIVITY 04 – RISK ACCEPTANCE

Identified material residual risks shall require Risk Acceptance. Only for critical processes with High and Very High Residual Risks.

ACTIVITY 05 – INSTALLING TOOLS FOR MONITORING AND REPORTING RISKS

The following activities are to be performed as part of the RCSA exercise.
• Key Risk Indicator
• Control Sample Testing

*Email confirmation/sign-off from the DORO and Group Head must be provided.
RISK & CONTROL SELF-ASSESSMENT
RCSA REQUIREMENTS

• The designated DORO/delegate shall ensure timely completion of the RCSA.
• All RCSA results (reviewed and approved by the DORO/delegate) must be submitted to ORD (Operational Risk Department).
• The DORO/Delegate and Group Head must confirm their sign-off via email and confirm that the completed RCSA has been approved on their end. Otherwise, the RCSA shall not be accepted.
• The completed RCSA with email approval from DORO and Group Head must be submitted to ORD not later than the set due date. Insufficient information, approvals or delay in RCSA submission shall be considered as non-submission/reporting.
ORM FRAMEWORK - TOOLS

• Interviews
• Process – Activities – Risk Controls
• Risk Mapping

• Risk Monitoring
• Trend Analysis
• Early Warning
KEY RISK INDICATOR
• Risk Monitoring / Early Warning Signal
• Trend Analysis
• Monitoring KRIs will provide management opportunity to respond before a process fails.

DIMENSIONS – INDICATOR TYPES
• Severity – Volume of risk events; Average risk events
• Frequency – Number of risk events
• Impact – Total amount of risk losses; Cost of mitigation
KEY RISK INDICATOR
ESTABLISHING KRI
RESPONSIBLE: DORO

• Establish and assign KRIs for critical processes
• KRI ref ID must be recorded in the RCSA register. KRI details must be captured in the KRI Plan Register Template
• KRI register must be submitted to ORMD along with RCSA results. Email confirmation/sign-off from the Group Head/DORO must be provided.
• The KRI metrics, thresholds, frequency of reporting, data collection and responsible person/unit must be defined.
KEY RISK INDICATOR
MONITORING & REPORTING KRI
RESPONSIBLE: DORO

• Conduct trend analysis and apply local trigger points to the KRIs. Analyze breaches of thresholds and adverse trends.
• Develop action plans to mitigate underlying risks. Ensure actions are followed up.
• Report KRI breaches in ORMS and submit to ORMD.
• KRIs must be tracked and reviewed on a regular basis.
• Collation and review of KRI results may be completed within a full month from end of the reference cover period and results must be submitted to ORMD (with Group Head/DORO sign-off/confirmation via email) through the business/function unit’s KRI report template on or before the 5th banking day from end of the review month.
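The "5th banking day" deadline recurs in this deck for KRI, CST and loss reporting. As an added example (not the bank's own tool), the following Python computes it from a reference period end and a caller-supplied holiday list; the two-step reading of the KRI rule (a review month, then the 5th banking day of the month after it) and the definition of a banking day are my assumptions, since the slide does not spell them out.

```python
"""Submission-deadline calculator for the "5th banking day" rules in this deck.

Added example, not the bank's own tool. It reads the KRI rule as: the reference
period ends, results are collated during the following (review) month, and the
KRI report is due on or before the 5th banking day of the month after the review
month. The CST and loss-report rules elsewhere in the deck are simpler: due on
the 5th banking day of the month following the reference period.
Assumption (not defined on the slide): a banking day is a Monday to Friday that
is not in the caller-supplied holiday list.
"""
from datetime import date, timedelta


def month_end(d):
    """Last calendar day of d's month."""
    first_of_next = date(d.year + (d.month == 12), d.month % 12 + 1, 1)
    return first_of_next - timedelta(days=1)


def is_banking_day(d, holidays=frozenset()):
    """Monday..Friday (weekday() < 5) and not a listed holiday."""
    return d.weekday() < 5 and d not in holidays


def nth_banking_day(year, month, n, holidays=frozenset()):
    """The n-th banking day (1-based) of the given month."""
    if n < 1:
        raise ValueError("n must be at least 1")
    d = date(year, month, 1)
    seen = 0
    while d.month == month:
        if is_banking_day(d, holidays):
            seen += 1
            if seen == n:
                return d
        d += timedelta(days=1)
    raise ValueError("month has fewer than %d banking days" % n)


def cst_submission_deadline(reference_period_end, holidays=frozenset()):
    """CST results and loss reports: 5th banking day of the next month."""
    following = month_end(reference_period_end) + timedelta(days=1)
    return nth_banking_day(following.year, following.month, 5, holidays)


def kri_submission_deadline(reference_period_end, holidays=frozenset()):
    """KRI results: one full review month to collate, then the 5th banking day
    of the month after the review month."""
    review_month_start = month_end(reference_period_end) + timedelta(days=1)
    return cst_submission_deadline(month_end(review_month_start), holidays)


# Sample holiday list for the example (2021 Holy Week dates and 9 April);
# use the bank's official calendar in practice.
SAMPLE_HOLIDAYS_2021 = frozenset({date(2021, 4, 1), date(2021, 4, 2), date(2021, 4, 9)})

if __name__ == "__main__":
    q1_end = date(2021, 3, 31)
    print("CST due:", cst_submission_deadline(q1_end, SAMPLE_HOLIDAYS_2021))
    print("KRI due:", kri_submission_deadline(q1_end, SAMPLE_HOLIDAYS_2021))
```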
KEY RISK INDICATOR
COLLECT & REPORT KRI RESULTS
RESPONSIBLE: ORMD

• Collect and consolidate KRI results
• Report the aggregate results in the relevant risk committee forums
ORM FRAMEWORK - TOOLS

• Interviews
• Process – Activities – Risk Controls
• Risk Mapping

• Risk Monitoring
• Trend Analysis
• Early Warning

• Centralized Storage
• Analysis

• Objective testing of controls, implementation & execution
CONTROL SAMPLE TEST

(Diagram: PROCESS FAILURE → CONTROL → RISK → CONTROL → RISK EVENT → CONTROL → IMPACT (losses))

Evidence of effective control implementation and execution is informed through monitoring and performance of Control Sample Testing (CST).
CONTROL SAMPLE TEST
• Provides objective evidence that controls are working effectively
• Performed by an independent party
• Frequency & sample size will depend on criticality of underlying inherent risk

GROSS RISK – CONTROL TESTING FREQUENCY
Medium – Annual
High – Semi-Annual
Very High – Quarterly
CONTROL SAMPLE TEST
CONTROL SAMPLE TESTING SAMPLING TECHNIQUES AND TEST PERIODS
• Sample size should be 10% of the population, minimum of 5, maximum of 30.
• Test periods selected should depend on the test frequency, i.e. if quarterly, the test period would be the past 3 months; if annual, the test period would be the past year; etc.

IMPORTANT ITEMS TO NOTE:
• Control Sample Test Exceptions
• Control Sample Testing Results Review
• Control Sample Testing Evidence
• Control Sample Testing Execution – performed by individual/s who are not directly involved
CONTROL SAMPLE TEST
CONTROL SAMPLE TESTING PLAN
RESPONSIBLE: DORO

• Provide a control testing plan for the assurance review of controls identified to mitigate
• The Control Testing ref ID must be recorded in the RCSA register for reference while the Control Sample Test details must be captured in the prescribed Control Sample Test Plan Register
• The completed Control Sample Test Plans must be submitted to ORMD along with RCSA results. Email confirmation/sign-off from the Group Head/DORO must be provided.
CONTROL SAMPLE TEST
PERFORMANCE OF CONTROL SAMPLE TEST
RESPONSIBLE: DORO

• Perform and complete the control testing exercise per the risk-based frequency.
• The individual/s assigned to perform the control testing must not be directly involved in the execution of the control/process for testing.
• Results must be recorded and maintained, for example in a working file, for future reference.
• Sampling evidence (e.g. transactions, documents) and the ref IDs of the transactions tested must also be reflected. These must be available for future assurance reviews or internal/external audit.
CONTROL SAMPLE TEST
CST EXCEPTION RESULTS
RESPONSIBLE: ORMD

• Breaches to exception thresholds must be captured in the loss/event database in ORMS.
• Provide action plan to resolve the exception and address the issue
• All control test results must be captured in the control test report of the individual business/function unit
CONTROL SAMPLE TEST
SUBMISSION OF CST RESULTS
RESPONSIBLE: DORO

• Results of Control Sample Tests must be submitted to ORMD on the 5th banking day of the month from end of the reference review period, i.e. May 5, 2021.

CST RESULTS REVIEW & ANALYSIS
RESPONSIBLE: DORO

• Business/function units must initiate trend analysis on control test results to determine systemic failures that merit further review and proper remediation.
• Breaches to exception thresholds, including the observed trends, must be reported in the Loss/Event Database in ORMS and must be tracked to completion/resolution.
CONTROL SAMPLE TEST
COLLECT & REPORT CST RESULTS
RESPONSIBLE: ORMD

• Collect and consolidate Control Sample Testing Results.
• Assess and report the results in the relevant risk committee forums.
ORM FRAMEWORK - TOOLS

• Interviews
• Process – Activities – Risk Controls
• Risk Mapping

• Risk Monitoring
• Trend Analysis
• Early Warning

• Centralized Storage
• Standard Register (ORMS)
• Analysis
• Quantitative and Qualitative Assessment

• Objective testing of controls, implementation & execution
INCIDENT & LOSS REPORTING

• Above the minimum threshold (>Php1,000)
• Potential or actual losses, near misses and related insights due to an event/issue
• Risks & gaps identified from the changes in the external business or regulatory environment
• Emerging operational risks which may cause potential losses
• Lapses or non-compliance to regulations, policies and procedures
• System changes / process changes
• Introducing new products or services
• Occupational health and safety events
WHY DO WE NEED TO REPORT?

01 Control Lapses “Root Cause” detection
(Diagram: a PROBLEM with several contributing Causes branching from it.)
WHY DO WE NEED TO REPORT?

01 Control Lapses “Root Cause” detection
02 Process enhancement
03 Building of risk register for lessons learned
04 Can act as bottom-up feedback mechanism
INCIDENT & LOSS REPORTING
01 RESPONSIBLE: ALL EMPLOYEES

Process failures, risk events / losses identified must be reported and escalated upon discovery to the designated DORO or delegate of the Business / Operating Unit

02 RESPONSIBLE: Deputy Operational Risk Officer (DORO) / Delegate

Assess and record the risk events identified in the LR report in ORMS or email the LR template to ORMD (only for units with no ORMS access).

Investigation and analysis

Initial report can be made in case complete details are not yet available. Amend the report later once additional information becomes available.

Submit every 5th banking day from end of reference.
INCIDENT & LOSS REPORTING
03 RESPONSIBLE: Operational Risk Management Department (ORMD)

Upload Manual LR templates submitted by units with no ORMS access.

Track reporting of incidents in ORMS.

Collate, review and assess risk issues and highlight material risks in the risk reports presented to ROC.
INCIDENT & LOSS REPORTING
• Reporting of Loss Events will be through the system, ORMS under Loss Event module: https://creole/ORMS_Prod.
INCIDENT & LOSS REPORTING
The Business Units shall ensure:
• Report within 24 hours of first being identified and/or known;
• Follow the correct format of reporting in ORMS

DORO shall ensure:
• Reported within 24 hours of first being identified and/or known;
• ALL losses and incidents are reported

IMPORTANT! ORMS will send an email notification alert i.e. “Op Risk Nil Loss Notification” to respective DORO/s of each Group every month-end.

Module 3: Risk Management Process


INCIDENT & LOSS REPORTING
Loss Title
• Concise
• If reported to Crimes and Losses under Regulatory Affairs (RAG), include the RCL reference no. as applicable

Loss Incident / Description
• Client involved
• Important Dates
• Financial Impact – Near Miss, Actual Loss, Potential Loss
• Status/Updates
• Brief Description
• Identified by
• Root Cause Analysis


INCIDENT & LOSS REPORTING

EXAMPLE:
Damaged Branch Kiosk RCL000XXX-XXXX-07XX

Last June 30, 2021, a branch kiosk was damaged due to flood.

Potential Loss: Php 40,000

Root Cause Analysis: Typhoon and Improper location of the kiosk

Corrective Action: Coordinate with property manager for the replacement and relocation of the kiosk.

Status/Update: Procurement of kiosk ongoing. New branch floor plan has been approved.

Target Date for Closure: September 30, 2021


INCIDENT & LOSS REPORTING
Damaged Branch Kiosk RCL000XXX-XXXX-07XX

Last June 30, 2021, the Branch Service Manager discovered that the branch kiosk was damaged due to flood. Total amount of damage is P40,000.
Root Cause Analysis: Typhoon and Improper location of the kiosk
Corrective Action: Coordinate with property manager for the replacement and relocation of the kiosk.
Target Date for Closure: September 30, 2021

18 Feb 2021 – Tin Nipid, Branch Service Manager
Status/Update: Procurement of kiosk ongoing. New branch floor plan has been approved.


ORM FRAMEWORK

• REPORTING
• RISK APPETITE & TOLERANCE
• GOVERNANCE
• MEASUREMENT & ACCEPTANCE: RCSA, KRI, CST, INCIDENT & LOSS DATABASE, SCENARIO ANALYSIS
• POLICIES & PROCEDURES
• CULTURE & AWARENESS
ORM FRAMEWORK: PRINCIPLES
1. All potential failure points must be identified through a systematic review of the end-to-end processes and define clear ownership of processes, risk and controls.
2. Gross risks must be identified and rated by risk ratings defined in the Bank’s Operational Risk Assessment Matrix in order to determine materiality (Key Risks).
3. Controls are properly designed and ensure that detected failures are rectified within an appropriate timeline.
ORM FRAMEWORK: PRINCIPLES
4. Identified material gross (inherent) risks are assessed for residual risk (taking into account the control design and effectiveness).
5. KRIs must be established based on the materiality of risk exposure and the confidence in the controls that mitigate the risk.
6. Control Sample Test must be designed to assess the effectiveness of the controls.
ORM FRAMEWORK: PRINCIPLES
7. Risk incidents must be reported timely and accurately to appropriate mitigation.
8. Accurate and timely completion of RCSA to support Bank’s Operational RM approach in identifying, assessing, mitigating and accepting risks.
9. Data collected through risk reporting, RCSA and other tools provide quantified view of incurred risks and can be used for analysis and recognition of certain trends useful to tie the Bank’s processes and enhancement of controls.
Q&A