Operational Risk

Operational risk, which can be simply understood as the risk of loss caused by operational deficiencies and errors, should be addressed by every company. The purpose is to ensure operational efficiency, lower costs, increase competitiveness, increase the efficiency of insurance policies and, in the case of financial institutions, comply with regulatory requirements (Basel II/III for banks and Solvency II for insurance companies). By managing operational risks, a company reduces the frequency and/or impact of operational risk events – and if a major operational risk event does occur, its impact is relatively smaller, and the company is better prepared to respond.

Advanced Risk Management, s.r.o. offers its services in the area of operational risk management to both financial and non-financial institutions.

In the area of operational risk, we also offer specialized training, both as open courses and in-house seminars.
For the measurement and management of operational risk, you can use a system designed for operational risk measurement and management.
 

Offer for Financial Institutions 

Creation of a Catalogue of Operational Risks 

  • Creation of a catalogue of operational risks that may potentially threaten the company; in addition to a description of each risk, the risk catalogue includes information on the assignment of a risk owner and a list of departments and processes that may be affected by the risk
  • Validation of the structure and contents of the current risk catalogue and suggestion of amendments
 

Operational Risk Event Collection Process

  • Design/implementation of a motivation program encouraging users to record information about operational risk events that have occurred in the system
  • Design of an electronic guide to assist users throughout the process of entering information into the operational risk event collection system, including user training focused on the most common input errors
  • Design/assessment of the operational risk event collection system, including the development of a methodology and analysis of data processing methods
    • When assessing the operational risk event collection system, we focus primarily on the following key aspects:
      • Are all relevant details about operational risk events tracked in the system?
      • Is the system user-friendly and easy to understand?
      • Does the system meet the requirements for operational risk management and measurement (e.g., is it possible to filter, export, and otherwise process the information)?
      • Are users sufficiently familiar with the system?
      • What is the error rate in the entered data?
      • With what delay are operational risk event details entered into the system, and what are the causes of such delays?
      • How long does it take the operational risk department to process a reported event?
      • Which types of events are immediately reported to senior management?
  • Review of the operational risk event database, focused primarily on verifying:
    • correct classification of events in the event type register (Loss Event Type) and in the organizational structure (Business Line)
    • sufficiency of event descriptions
    • reconciliation of data with accounting records
  • Analysis of the operational risk event database aimed at:
    • identifying departments that are more exposed to operational risk
    • determining the causes of higher exposure
 

Analysis and Audit of an Operational Risk Management System

  • Analysis of the use of information obtained from the operational risk event collection system
  • Assessment of / proposal for the use of an external database of operational risk events for management purposes
  • Proposal for organizational structure, roles, and responsibilities
  • Review of the internal regulation system:
    • Which areas of operational risk are covered by internal regulations?
    • Are internal regulations correct, clear and logically structured?
    • Are internal regulations updated on a regular basis?
    • What is the accessibility level of internal regulations to employees?
    • Do employees know the contents of those internal regulations?
  • On-site testing of knowledge of regulations and, based on the results, proposal of amendments to the system for updating and disclosing regulations
  • Verification of compliance with procedures in case of an operational risk event and assessment of whether responsible employees know how to proceed in such situations
  • Preparation of training or e-learning courses on the risk management system and related employee responsibilities
  • Analysis of the efficiency of communication between other departments and the operational risk department
  • Draft/delivery of a system for managing internal regulations
 

Analysis and Audit of the Insurance Contract Management System

  • Analysis of the system for managing insurance contracts related to operational risk, aimed at verifying whether:
    • all departments in the company with a high exposure to operational risk are insured
    • the parameters of insurance policies are set up correctly in light of the insured operational risk events that have occurred (e.g. what percentage of insurance claims are rejected by the insurer and for what reasons; whether the terms of the current insurance contracts are suitable from the perspective of risk management and loss minimization)
    • the insurance coverage is effective (analysis of premiums paid compared to insurance coverage received and potential losses)
  • Draft or delivery of a system for the administration of insurance policies and their linkage to operational risk events. 
 

Business Continuity Management (BCM)

  • Analysis of processes within the company with the objective of finding critical processes and operations
  • Development, update, or assessment of Business Continuity Management (BCM) plans
  • Verification of the existence and functionality of the system for updating and practicing BCM plans
  • Assessment of BCM awareness among responsible personnel and proposal of improvements to the training system
  • Draft or delivery of a system for efficient administration of BCM plans
 

Operational Risk Scenarios

  • Assistance in the development/update of operational risk scenarios, including:
    • identification of risks for which stress scenarios should be developed
    • suggestion of the method for the assessment of impact and frequency of a stress scenario
    • design/delivery of a system for managing and updating scenarios
  • Draft of a methodology for incorporating stress scenarios into the operational risk measurement system
 

Self-Assessment of Operational Risk (RCSA)

  • Design/delivery of a system for regular self-assessment of operational risks
  • Proposal of a methodology for measuring and evaluating operational risks
  • Workshop: facilitation of the self-assessment of operational risk exposure by employees of the financial institution (Risk and Control Self-Assessment)
 

Key Risk Indicators (KRI) 

  • Design of Key Risk Indicators (KRI) for measuring the level of operational risk and setting their threshold values
  • Design/delivery of a system for defining and regularly monitoring operational risk indicators
 

Measurement of Operational Risks and Reporting

  • Design of methodologies for measuring individual operational risks:
    • Are the risks measurable, or does measuring them not make sense?
    • Is an expert judgment approach or a statistical model based on historical data more appropriate?
  • Draft of the method for measuring the efficiency of preventive and corrective procedures
  • Design of an appropriate reporting framework specifying, for example:
    • input data
    • reporting structure and frequency
    • reporting recipients — with the objectives of:
      • providing relevant data for informed decision-making
      • increasing overall awareness of operational risk within the organization
 

Compliance with Banking Regulation and Calculation of the Capital Requirement

  • Assessment of compliance of current operational risk management with the requirements of Basel II/III or Solvency II, and proposal of corrective measures
  • Validation of the model used for the calculation of the (solvency) capital requirement for operational risk, both from the methodological accuracy and technical implementation perspectives
  • Support in developing an application for calculating the capital requirement under the AMA approach, or delivery of ARM’s software solution OpRisk Calc
 

Offer for Non-Financial Institutions 

Identifying Types of Operational Risk

  • Identification of critical processes and activities that may potentially threaten the company; in addition to a description of each risk, the risk catalogue includes information on the assigned risk owner and a list of departments and processes that may be affected by the given risk
  • Validation of the structure and content of the existing operational risk catalogue and proposal of relevant modifications
 

Operational Risk Measurement

  • Design of a methodology for measuring operational risk, for example:
    • expert assessment as part of the self-assessment process
    • estimation based on historical data using an appropriate statistical model
    • scenario analysis
  • Proposal of a way to evaluate the frequency and severity of the risks identified within the self-assessment process – operational risk assessment with predefined parameters (frequency vs. impact, or a different approach) and proposal of rating scales for these parameters:
    • Workshop: Operational Risk Self-Assessment (for staff exposed to operational risks), including:
      • preparation of questionnaires for operational risk self-assessment
      • explanation of self-assessment principles
      • adjustment of unrealistic or clearly inaccurate estimates
  • Design of a statistical model for estimation of operational risk based on historical data, and, subsequently, assistance in the technical implementation of the proposed model
  • Design of operational risk scenarios (including a selection of risks for which it would be appropriate to carry out scenario analysis)
 

Measurement of Operational Risk Losses

  • Proposal of a method for measuring operational risk losses (e.g. with an estimate based on historical data and carried out using an appropriate statistical model)
  • Proposal of an appropriate form of reporting (how often reporting will be conducted, in what structure, to whom the reports will be provided, etc.)
 

Action Plans and Business Continuity Management (BCM)

  • Verification of the functionality of the system for creating and updating BCM plans and implementing their training programs
  • Assessment of the effectiveness of action plans (i.e., preventive and corrective measures)
  • Assistance in the preparation/update of:
    • action plans mitigating the impact of operational risks
    • BCM plans maintaining the operation of the company/business when an operational risk event occurs
  • Verification of the level of awareness of BCM plans among responsible employees and, where necessary, proposal of changes to the training system
 

Operational Risk Management

  • Analysis of the operational risk management system focused primarily on:
    • the analysis of existing processes
    • the assessment of the accuracy and completeness of internal procedures and policies for operational risk management, and verification of their compliance
  • Identification of Key Risk Indicators (KRI) relating to operational risk
  • Setting threshold values for KRIs (exceeding a KRI threshold indicates an increased level of a specific type of operational risk) using historical data and ARM’s know-how
  • Verification of the accuracy and relevance of the limits set for KRIs in connection with the amount of the loss realized from operational risk
  • Analysis of the insurance policy system related to operational risk (assessment of policy parameters in light of historical data and analysis of their effectiveness relative to premiums paid, actual insurance compensation, or potential losses)
  • Design/delivery of a system for policy administration and linking policies with operational risk events