DORO Training - 072121
MANAGEMENT
DORO TRAINING

PROGRAM OUTLINE
o ORM Framework
WHAT IS RISK?
Is the existence of risk a cause of concern?
According to BSP… not necessarily so, as long as banks demonstrate the ability to effectively manage and price for that level of risk.
Could we use a crystal ball in risk management?
“A company should not wait for a difficult situation to happen before it puts in the efforts that will enable it to survive.”
- Helen Yuchengco Dee (RCBC Chairperson), on Q&A with Josiah Go
WHAT IS RISK MANAGEMENT?
Establishment of controls to minimize the possibility of risk
WHY IS RISK MANAGEMENT RELEVANT TODAY?
01 Increase in transactional volumes
02 Complexity of financial markets
03 Technology advances
04 Expansion into new business & geographic markets
05 Change in product nature or delivery
06 Dynamic customer preferences
07 Regulatory trends
Because of these market and industry changes and developments, banks are more exposed to risks (upsurge of operational losses).
WITHOUT PROPER RISK MANAGEMENT…
EXAMPLES OF OPERATIONAL RISK FAILURES
• One of the world’s oldest banks, banker to the British royal family.
• Nick Leeson, a Singapore-based trader for the bank, made a series of bad trades.
• He incurred substantial losses ($1.3 billion) which the bank could no longer cover, which eventually led to its collapse.
• Barings Bank was bought by ING, a Dutch financial institution, for £1.
EXAMPLES OF OPERATIONAL RISK FAILURES
FAT-FINGER INCIDENT
• Accidentally deposited 2.8B shares worth 111.8T won ($104.8B) into employee accounts, more than 30x the company’s existing issued shares.
• 16 staff members sold a collective 5M shares worth about $186.9M minutes after receiving them.
• Intended to pay dividends in “shares” but inputted as (KRW)
• 10% drop in Market Securities shares
INTERNAL FRAUD BY VP
• Maria Victoria Lopez, a VP at Metrobank, reportedly falsified an MC to an individual, to defraud a total of P1.75M.
• Lopez was charged with qualified theft, falsification, and violation of the General Banking Law of 2000.
• BSP sanctioned Metrobank with penalties ranging from reprimand to suspension of directors and officers who failed to perform adequate oversight and/or have been complacent/remiss in their duties and responsibilities.
BASEL ACCORDS
• Basel I (1988), Basel II (2004) and Basel III (2009) issued by BCBS.
TYPES OF RISKS
OPERATIONAL (centre of the diagram)
INFORMATION SECURITY - Risks associated with the use of IT
MARKET - Losses from performance of financial markets
LIQUIDITY - Inability to meet short term financial demands
CAPITAL - Potential of loss of part or all of an investment
REPUTATIONAL - Losses from damage of reputation
CREDIT - Risk from default on a debt
OPERATIONAL RISK: DEFINITION
Risk of loss from inadequate or failed internal processes, people, and systems or
from the impact of external events, including legal risks.
OPERATIONAL RISK: BASEL CATEGORY
7 BASEL EVENT TYPES
• Internal Fraud
• External Fraud
• Employment Practices and Workplace Safety
• Clients, Products and Business Practices
• Damage to Physical Assets
• Business Disruption and System Failure
• Execution, Delivery and Process Management
DUTIES AND RESPONSIBILITIES
OPERATIONAL RISK: STRUCTURE
3 LINES OF DEFENSE
BUSINESS UNITS
• Involved in day-to-day risk management
• Assess, Control, Monitor and Risk Report
• Risk Incident Management
• Build a strong risk culture
Board of Directors (BOD)
WHO’S RESPONSIBLE FOR MANAGING RISKS?
RMD (the Navigator)
- Guides the driver
- Provides the tools and strategies for effective risk management.
- Monitors, measures and reports the risk
Units (the Driver)
- Units drive the car
- Has the best knowledge of risk exposures and processes
- Responsible & Accountable for managing their own risks
ROLES AND RESPONSIBILITIES
RISK OVERSIGHT COMMITTEE (ROC)
• Overall risk appetite and tolerances
• ORM Policy to ensure that it remains aligned with the overall RM objectives
• ORM principles, strategies, policies, process and control frameworks recommended by CRO
• Overall effectiveness of the ORM Policy
• Observance with the risk appetite and tolerances and directs immediate corrective action to management if breached
• ORM principles, strategies, policies, process and control framework and endorses to BOD
• Risk acceptance and control decisions for material ops risks
*ROC meets regularly to discuss trends and risk materiality and endorse to BOD for necessary actions.
RESPONSIBILITIES OF A DORO
• Act as a liaison of RMG-ORMD and ROC.
• Consistently implement unit level policies & procedures.
• Exercise authority in approving relevant risk requirements.
• Perform regular RCSAs within your scope/unit.
• Continuous monitoring & timely submission of KRIs.
• Promote culture and awareness.
• Report risk events in a timely manner.
• Establish, maintain & update in a timely manner your unit’s risk register.
• Perform regular CSTs.
• Track, monitor progress & ensure timely implementation of action items.
• Disclose & endorse risk acceptance.
HOW THEN CAN WE MANAGE RISK?
WHY DO WE NEED ORM FRAMEWORK?
Promote the adoption of effective risk management systems
RISK MATERIALITY
BANK’S RISK APPETITE
MEDIUM
Material and Key Risks - Residual risk rating of ‘High’ and ‘Very High’
RISK MANAGEMENT PROCESS
IDENTIFY
IDENTIFY RISKS
What can happen? How can it happen? What if..?
NOTE:
• Include qualitative & quantitative
• Qualitative data sometimes is more important than quantitative, particularly when there are recent changes.
PROCESS IDENTIFICATION & OWNERSHIP
ACTIVITY – Let’s Identify
1. Determine one of your Department’s GOAL
RCSA ACTIVITY
(diagram: a GOAL at the centre, surrounded by PROCESS 1 to PROCESS 6, each with its associated RISKs)
RISK MANAGEMENT PROCESS
IDENTIFY - MEASURE
OPERATIONAL RISK ASSESSMENT MATRIX
Rows: LIKELIHOOD (score in brackets). Columns: SEVERITY. Each cell is the likelihood score multiplied by the severity score.

LIKELIHOOD          | 1 LEAST SEVERE | 2 SLIGHTLY SEVERE | 3 FAIRLY SEVERE | 4 SEVERE | 5 VERY SEVERE
LEAST LIKELY (5)    |  5 | 10 | 15 | 20 | 25
UNLIKELY (4)        |  4 |  8 | 12 | 16 | 20
MODERATE (3)        |  3 |  6 |  9 | 12 | 15
LIKELY (2)          |  2 |  4 |  6 |  8 | 10
ALMOST CERTAIN (1)  |  1 |  2 |  3 |  4 |  5
OPERATIONAL RISK IMPACT SCALE
Dimensions: FINANCIAL LOSS | REPUTATIONAL/ | COMPLIANCE/ | IMPACT ON FUTURE EARNINGS
1 – LEAST SEVERE: Up to P150,000 | No adverse national media coverage | No regulatory written notice | Isolated customer complaints | No negative feedback from stakeholders
RISK MANAGEMENT PROCESS
IDENTIFY - MEASURE - MITIGATE
ORM FRAMEWORK: CONTROLS
Action, system, process or practice that acts to minimize the likelihood and/or impact of a risk occurring, which should have the following characteristics:
• Mandatory/regulatory
• Currently in operation
PRINCIPLES OF A GOOD CONTROL DESIGN
MINIMUM  BETTER
CONTEXT AND RELEVANCE - Should be linked to potential event, relevant regulatory/internal policy guidelines
PREVENTIVE - Where possible, should aim to prevent instances of errors or fraud
TYPES OF CONTROLS
• DIRECTIVE - Aims to ensure that all processes and controls are properly documented and communicated to all employees involved in the execution. (e.g. Policies, Procedures, Manuals, Memos)
• PREVENTIVE - Aims to align and is designed to reduce the probability of risk event. (e.g. Training, Maker/Checker, Dual Input, Segregation of Duties)
• DETECTIVE - Designed to reduce impact through detection of errors soon after occurrence and prevent escalation. (e.g. Reconciliations, Quality Assurance)
• RECOVERY - Aims to reduce the impact of a risk event that has already occurred. (e.g. Management Reviews, Contingency Plans, Insurance)
CONTROLS BY PROCESS TYPE
Manual - Performed by individuals
Automated - Integrated into the application systems
CONTROL & RESIDUAL RISK ASSESSMENT GUIDE
CONTROL TYPE: PREVENTIVE | DETECTIVE | RECOVERY | DIRECTIVE
RISK MANAGEMENT PROCESS
IDENTIFY - MEASURE - MITIGATE - MONITOR
WHY MONITOR?
ORM FRAMEWORK - TOOLS
ORM FRAMEWORK - TOOLS
Interviews
Process – Activities – Risk – Controls
Risk Mapping
RISK AND CONTROL SELF-ASSESSMENT
Tool used for identification of risks, gross and residual risk assessment and risk and control monitoring.
01 Document control environment
02 Identify & evaluate risks
03 Identify specific controls
04 Assess and rate controls
05 Control Testing
06 Monitor RCSA results
07 Action Planning
RISK & CONTROL SELF-ASSESSMENT
ACTIVITY 01 PROCESS & RISK IDENTIFICATION, OWNERSHIP AND INHERENT RISK ASSESSMENT
ACTIVITY: Assess the control design using the Bank’s Control Design and Effectiveness Assessment
ACTIVITY: Assess the net risk after offsetting the effects of the controls – Residual Risk Assessment
RISK & CONTROL SELF-ASSESSMENT
ACTIVITY 04 RISK ACCEPTANCE
Identified material residual risks shall require Risk Acceptance. Only for critical processes with High and Very High Residual Risks.
ACTIVITY
*Email confirmation/sign-off from the DORO and Group Head must be provided.
RISK & CONTROL SELF-ASSESSMENT
RCSA REQUIREMENTS
• All RCSA results (reviewed and approved by the DORO/delegate) must be submitted to ORD (Operational Risk Department).
• The DORO/Delegate and Group Head must confirm via email his/her sign-off and confirm that the completed RCSA has been approved on their end. Otherwise, the RCSA shall not be accepted.
• The completed RCSA with email approval from DORO and Group Head must be submitted to ORD not later than the set due date. Insufficient information, approvals or delay in RCSA submission shall be considered as non-submission/reporting.
ORM FRAMEWORK - TOOLS
Interviews
Process – Activities – Risk – Controls
Risk Mapping
Risk Monitoring
Trend Analysis
Early Warning
KEY RISK INDICATOR
• Risk Monitoring / Early Warning Signal
• Trend Analysis
• Monitoring KRIs will provide management opportunity to
respond before a process fails.
KEY RISK INDICATOR
ESTABLISHING KRI
RESPONSIBLE: DORO
KEY RISK INDICATOR
MONITORING & REPORTING KRI
RESPONSIBLE: DORO
• Conduct trend analysis and apply local trigger points to the KRIs. Analyze breaches of thresholds and
adverse trends.
• Develop action plans to mitigate underlying risks. Ensure actions are followed up.
• Collation and review of KRI results may be completed within a full month from end of the reference
cover period and results must be submitted to ORMD (with Group Head/DORO sign-off/confirmation
via email) through the business/function unit’s KRI report template on or before 5th banking day
from end of the review month.
KEY RISK INDICATOR
COLLECT & REPORT KRI RESULTS
RESPONSIBLE: ORMD
KEY RISK INDICATOR
ORM FRAMEWORK - TOOLS
Interviews
Process – Activities – Risk – Controls
Risk Mapping
Risk Monitoring
Trend Analysis
Early Warning
Centralized Storage Analysis
Objective testing of controls, implementation & execution
CONTROL SAMPLE TEST
CONTROL SAMPLE TEST
• Provides objective evidence that controls are working effectively
• Performed by an independent party
• Frequency & sample size will depend on criticality of underlying inherent risk
GROSS RISK | CONTROL TESTING FREQUENCY
Medium | Annual
CONTROL SAMPLE TEST
CONTROL SAMPLE TESTING: SAMPLING TECHNIQUES AND TEST PERIODS
• Sample size should be 10% of the population, minimum of 5, maximum of 30.
• Test periods selected should be dependent on the test frequency, i.e. if quarterly, the test period would be the past 3 months; if annually, the test period would be the past year, etc.
CONTROL SAMPLE TEST
CONTROL SAMPLE TESTING PLAN
RESPONSIBLE: DORO
• Provide a control testing plan for the assurance review of controls identified to mitigate
• The Control Testing ref ID must be recorded in the RCSA register for reference while the
Control Sample Test details must be captured in the prescribed Control Sample Test Plan
Register
• The completed Control Sample Test Plans must be submitted to ORMD along with RCSA
results. Email confirmation/sign-off from the Group Head/DORO must be provided.
CONTROL SAMPLE TEST
PERFORMANCE OF CONTROL SAMPLE TEST
RESPONSIBLE: DORO
• Perform and complete the control testing exercise per the risk based frequency.
• The individual/s assigned to perform the control testing must not be directly involved in the
execution of the control/process for testing.
• Results must be recorded and maintained, for example in a working file, for future
reference.
• Sampling evidence e.g. transaction, documents and recording the ref ID of the transactions
tested, must also be reflected. These must be available for future assurance reviews or
internal/external audit.
CONTROL SAMPLE TEST
CST EXCEPTION RESULTS
RESPONSIBLE: ORMD
CONTROL SAMPLE TEST
SUBMISSION OF CST RESULTS
RESPONSIBLE: DORO
• Results of Control Sample Tests must be submitted to ORMD on the 5th banking day of the month from end of the reference review period, i.e. May 5, 2021.
• Business/function units must initiate trend analysis on control test results to determine systemic failures that merit further review and proper remediation.
• Breaches to exception thresholds, including the observed trends, must be reported in the Loss/Event Database in ORMS and must be tracked to completion/resolution.
CONTROL SAMPLE TEST
COLLECT & REPORT CST RESULTS
RESPONSIBLE: ORMD
CONTROL SAMPLE TEST
ORM FRAMEWORK - TOOLS
Interviews
Process – Activities – Risk – Controls
Risk Mapping
Risk Monitoring
Trend Analysis
Early Warning
Centralized Storage Analysis
Objective testing of controls, implementation & execution
Standard Register (ORMS)
Quantitative and Qualitative Assessment
INCIDENT & LOSS REPORTING
• Above the minimum threshold (>Php1,000)
• Potential or actual losses, near misses and related insights due to an event/issue
• Risks & gaps identified from the changes in the external business or regulatory environment
• Emerging operational risks which may cause potential losses
• Lapses or non-compliance to regulations, policies and procedures
• System changes / process changes
WHY DO WE NEED TO REPORT?
(cause-and-effect diagram: several Causes leading to a PROBLEM)
WHY DO WE NEED TO REPORT?
02 Process enhancement
INCIDENT & LOSS REPORTING
01 RESPONSIBLE: ALL EMPLOYEES
Process failures, risk events / losses identified must be reported and escalated upon discovery to the designated DORO or delegate of the Business / Operating Unit.
Assess and record the risk events identified in the LR report in ORMS or email the LR template to ORMD (only for units with no ORMS access).
An initial report can be made in case complete details are not yet available. Amend the report later once additional information becomes available.
Collate, review and assess risk issues and highlight material risks in the risk reports presented to ROC.
INCIDENT & LOSS REPORTING
• Reporting of Loss Events will be through the system, ORMS under Loss Event module.
https://creole/ORMS_Prod.
INCIDENT & LOSS REPORTING
The Business Units shall ensure
• Report within 24 hours of first being identified and/or known;
• Follow the correct format of reporting in ORMS
DORO shall ensure
• Reported within 24 hours of first being identified and/or known;
• ALL losses and incidents are reported
IMPORTANT!
ORMS will send an email notification alert i.e. “Op Risk Nil Loss Notification” to respective DORO/s of each Group every month-end.
EXAMPLE:
Damaged Branch Kiosk RCL000XXX-XXXX-07XX
Last June 30, 2021, a branch kiosk was damaged due to flood.
Corrective Action: Coordinate with property manager for the replacement and relocation of the kiosk.
Status/Update: Procurement of kiosk ongoing. New branch floor plan has been approved.

Last June 30, 2021, the Branch Service Manager discovered that the branch kiosk was damaged due to flood. Total amount of damage is P40,000.
Root Cause Analysis: Typhoon and Improper location of the kiosk
Corrective Action: Coordinate with property manager for the replacement and relocation of the kiosk.
Target Date for Closure: September 30, 2021
Status/Update: Procurement of kiosk ongoing. New branch floor plan has been approved.
(ORM framework diagram: RCSA, KRI, CST, INCIDENT & LOSS DATABASE, SCENARIO ANALYSIS)
ORM FRAMEWORK: PRINCIPLES
KRIs must be established based on
the materiality of risk exposure and
ORM FRAMEWORK: PRINCIPLES
7 - Accurate and timely completion of RCSA to support Bank’s Operational RM approach in identifying, assessing, mitigating and accepting risks.
8 - Risk incidents must be reported timely and accurately to appropriate mitigation.
9 - Data collected through risk reporting, RCSA and other tools provide quantified view of incurred risks and can be used for analysis and recognition of certain trends useful to tie the Bank’s processes and enhancement of controls.
Q&A