Operational Risk Management & Compliance Officers Where are we now? Where are we going?

Risk Management Framework (example) Governance Key indicators Risk & Control Assessment Losses Identify risk and control indicators Specify risk appetite Identify risk and owner Assess likelihood and impact Identify control and owner Assess design and performance Identify and capture internal and external losses Analyse loss causes Action plans Action plans Action plans Modelling Reporting

Risk Management Framework (example) Governance Key indicators Risk & Control Assessment Losses Identify risk and control indicators Specify risk appetite Identify risk and owner Assess likelihood and impact Identify control and owner Assess design and performance Identify and capture internal and external losses Analyse loss causes Action plans Action plans Action plans Modelling Reporting

Operational risk governance A policy: to have or not to have? Who approves it? How do you disseminate it? Committees: Separate RM or ORM? What role does internal audit play? And the other control functions? And the business units?

Risk and Control Assessment What are the main contents of a RCA? Gross risk (likelihood and impact) Owners of risks and controls Controls (design and performance) Action plans to enhance/add controls

RCA (client example) Risk Factor Control Factor

KRI Dashboard The dashboard shows key risk indicators you define. The example shows Key performance indicators and key risk indicators (previously set up) and every month you would use this tool to enter the latest figures for these indicators by the chosen business model, our example shows by business line We have designed our dashboard to have three tabs Year to date, CLICK month and CLICK key risk indicators You can see immediately the traffic light and trend arrows to alert you to potential problem areas. THE Projects Failing Checkpoints is still green even though the trend is upwards. Because of the threshold settings being used. CLICK The dashboard tool allows charts in various forms to be viewed/printed to identify the trends The dashboard can also take aggregate figures from your other systems that manage the other risks to your organisation, e.g. market risk, credit risk so the dashboard tool gives an overview of the total risk picture.

Risk Performance (client example) Current Level Performance Appetite Overall Risk Event Impact Prob. Actual KRI Trend Target KRI Better / (Worse) Actions / Summary Rating* Major Technology Infrastructure Failure H L No. of weeks free from severity 1 Failure = 7 +3 10 free weeks during year No action required Breach of confidentiality M Complaints received from Customers re alleged breach = 0 Zero material breaches of VIP customers’ / major corporate customers’ confidentiality High potential for risk occurrence due to customer / client base Employee processing error Error reporting: 5 events £4,000 loss + 2 +1000 No more than 10 errors per quarter. No single event > £10,000 +5 (8000) . Internal Fraud No. of frauds over £10,000 Detected: 7 No. of these frauds committed: 4 Potential Loss: $300,000 Actual Loss: £65,000 +2 +50000 Not more than 1 a month £10,000 acceptable (6) Action required, retrain staff, redesign processes *Chair of the Committee decides on overall rating for each risk event

Risk Management Framework (example) Governance Key indicators Risk & Control Assessment Losses Identify risk and control indicators Specify risk appetite Identify risk and owner Assess likelihood and impact Identify control and owner Assess design and performance Identify and capture internal and external losses Analyse loss causes Action plans Action plans Action plans Modelling Reporting

Contact details Tony Blunden, Director, Head of Consulting Tel: +44 (0) 207 017 3086 Fax: +44 (0) 207 253 2516 Mob: +44 (0) 770 325 7480 E-mail: tony.blunden@chasecooper.com www.chasecooper.com