OPERATIONAL RISK

RISK ASSESSMENT
1
 OVERVIEW

• Inherent Risk
• Risk Management
• Composite or
Net Residual Risk
• Trend

2
 INHERENT RISK

ƒ Definition
ƒ Sources
ƒ Identification
ƒ Quantification

3
 Definition

OPERATIONAL RISK DEFINED

“The risk of direct or indirect loss due to

inadequate or failed internal processes,
people, and systems, or from external
events.” – Basel, “Sound Practices for the Management &
Supervision of Operational Risk”

Translation: Everything that’s not credit and

market risk.
4
 Risk Sources

SOURCES OF RISK
ƒ People
ƒ Fraud
ƒ Breach of authorized limits
ƒ Human error
ƒ Processes
ƒ Execution failure
ƒ Product failure
ƒ Systems
ƒ Systems disruption or failure
ƒ Vendor/service provider failure
ƒ External events
ƒ Natural disaster
ƒ Political events
5
 Risk Sources

UNDERSTANDING THE
OPERATIONAL AREA
People
ƒ Organization chart and reporting lines
ƒ What is department’s position within
organization? What is department’s
organization structure? Clear, direct, and
sufficiently high reporting lines?
ƒ Interfaces with other departments
ƒ What data, reports, or risk management
responsibilities flow across departmental
boundaries?
ƒ Role definitions or job descriptions
ƒ Are departmental activities—and
management’s roles—clearly defined?
ƒ Staff and management qualifications
ƒ What is the experience level and expertise 6
of management and key staff?
 Risk Sources

UNDERSTANDING THE
OPERATIONAL AREA
Processes
ƒ Workflow diagrams
ƒ Work process documents from business line or
internal audit; Management interviews
ƒ Dependencies and interfaces
ƒ With other internal departments; With external
service providers.
ƒ Products
ƒ Transaction volumes and dollar amounts
ƒ Risk & control assessments
ƒ Procedures
ƒ Monitoring reports
ƒ Obtain a complete list of MIS; Identify distribution
and frequency. 7
ƒ Strategy and major projects
 Risk Sources

UNDERSTANDING THE
OPERATIONAL AREA
Systems
ƒ Major systems and components
ƒ Architecture; Hardware and software
inventories
ƒ System interfaces
ƒ IT topologies; Data flow diagrams
ƒ Outsourcing vendors
ƒ Security
ƒ GLBA security report for board
ƒ Contingency plans
ƒ Corporate contingency plan; business 8
line and support area continuity plans
 Risk Indicators

PERFORMANCE VERSUS RISK

ƒ Performance Indicators
ƒ Shorter term orientation
ƒ Profit & loss or income statement derived
ƒ Used by business or functional unit managers
ƒ Larger number of metrics useful to more people
ƒ Risk Indicators
ƒ Longer term orientation
ƒ Balance sheet and capital
ƒ Used by executive management and the board
ƒ Fewer number of metrics useful to fewer people
9
INHERENT VERSUS RESIDUAL RISK

ƒ Inherent – Risks intrinsic to the activity

ƒ Residual – Risks remaining after
consideration of the control environment or
mitigants
ƒ Indicators may be of either or both types,
but the differences—and purposes—must
be understood.
10
 Risk Indicators

CATEGORIES FOR RISK INDICATORS

Basel Categories for Operational Loss: Categories for Operational Risk:

ƒ Fraud: Internal & External ƒ People

ƒ Employment Practices &
Workplace Safety
ƒ Execution, Delivery, & ƒ Process
Process Management
ƒ Business Disruption and ƒ Systems
Systems Failures
ƒ Clients, Products, and
Business Practices
ƒ Damage to Physical ƒ Events
Assets

11
 Risk Indicators

PEOPLE RISK INDICATORS

-- QUANTITATIVE MEASURES --
Inherent Residual

ƒ Turnover rates ƒ Misuse of systems

ƒ Vacancy rates ƒ Misuse of confidential
ƒ Tenure of business or information
functional area and senior ƒ Position vacancies and
management time vacant
ƒ Organizational changes ƒ Internal fraud rates
ƒ Staff size in relation to ƒ False expense claims
activity volumes ƒ FTE to budget
ƒ Reliance on key staff and
management succession 12
 Risk Indicators

PROCESS RISK INDICATORS

-- QUANTITATIVE MEASURES --
Inherent Residual

ƒ Complexity ƒ # deposit return items

ƒ Activity volumes – Monetary ƒ ACH rejects
value per transaction & in ƒ Customer and internal help desk
aggregate call abandon rate
ƒ Structural changes or growth ƒ Statement cycle errors
rates: merger, consolidation, ƒ % account balancing completed
integration, outsourcing by deadline
ƒ New or changing product or ƒ % new loans processed by
process internal goal
ƒ Fraud and operational losses ƒ Error rates in new products or
ƒ Policy breaches, exceptions, processes
and overrides
ƒ Customer satisfaction
ƒ Remoteness of operations
13
 Risk Indicators

SYSTEMS RISK INDICATORS

-- QUANTITATIVE MEASURES --
Inherent Residual

ƒ Clarity of IT strategy ƒ Vendor performance to SLAs

ƒ Vendor dependence ƒ $-weighted or criticality-weighted
ƒ Mature vs. emerging technology project status
ƒ Degree & complexity of projects ƒ Mainframe and network
ƒ Processing performance availability
ƒ Availability and stability ƒ Capacity utilization: processing,
storage, and data communication
ƒ Capacity and scalability ƒ Disaster recovery response time
ƒ Level of integration vs. goal
ƒ Contingency planning & ƒ Volume, severity, and duration of
resiliency system outages
ƒ Access control and security ƒ Volume, severity, and type of
security incidents
ƒ System response time
14
 Risk Indicators

EXTERNAL RISK INDICATORS

-- QUANTITATIVE MEASURES --

Inherent Residual

ƒ Economy ƒ Time required to reposition

ƒ Competitive environment balance sheet or modify
ƒ Regulatory business activity
ƒ Laws and regulations ƒ Insurance coverage and
ƒ Nationalization deductible amounts
ƒ Social unrest ƒ Business continuity
recovery time versus goal
ƒ External/criminal threats
ƒ Natural disasters
15
 Risk Indicators

OTHER RISK INDICATORS

-- QUALITATIVE MEASURES --
General Measures: Unique Measures:

ƒ Organization culture ACH

ƒ Organization structure ƒ Number and type of correspondents
ƒ Compensation structures and used for processing or settlements
incentives ƒ Type of transactions (WEB, TEL,
ƒ Systems RCK, ARC)
ƒ Complexity and maturity Accounting/Financial Reporting
ƒ External connectivity ƒ Attestation / certification processes
ƒ Centralized versus distributed Human Resources
ƒ Level of automation and integration ƒ Hiring practices
ƒ Existence of quality assurance ƒ Training practices
programs and metrics
Other
ƒ Internal and external
ƒ Existence of comprehensive ƒ Examination ratings by other
regulatory bodies (nonbanking
compliance risk management activities)
ƒ Geographic footprint
16
 Risk Identification

RISK IDENTIFICATION
-- INFORMATION SOURCES --

General Information Sources:

Financial statements Management reports

Websites Organization charts
Interviews Audit reports (internal and external)
Media publications Examination reports
Brochures Competitors and market share

Specialized Information Sources:

Information technology schematics Economic studies

Regulatory publications Industry studies
17
 Risk Quantity

INFORMATION SOURCES
-- GENERAL --

ƒ Accounts: number by type, growth rates

ƒ Transaction: volumes by account type, individual and
aggregate size,
ƒ Fraud losses: stratified by account type and cause
ƒ Litigation: stratified by type, exposure, and cause
ƒ Error rates: granular by account type and cause
ƒ Quality of performance rates and error resolution times
ƒ Policy and limit breaches
ƒ Geographic footprint

18
 Risk Quantity

INFORMATION SOURCES
-- SPECIALIZED --
ƒ Human Resources
ƒ Management succession plan
ƒ Training costs and penetration
ƒ Technology
ƒ Topology and data flow diagrams
ƒ Loan Operations
ƒ Payment processing exceptions
ƒ Document handling measurements
ƒ Overrides & limit exceptions
ƒ Suspense account resolution
ƒ Deposit Operations
ƒ Deposit processing exceptions
ƒ Encoding error rates
ƒ Research request response time
ƒ Statement mailing measurements 19

ƒ Suspense account resolution

 Risk Quantity

QUANTITY OF RISK

ƒ Volume
ƒ Measurement
ƒ Information sources

For some operational risks,

measures are necessarily
qualitative rather than
quantitative!
20
 Risk Quantity

QUANTITY OF RISK

ƒ Frequency and severity

ƒ High frequency / Low impact
ƒ Low frequency / High impact
ƒ Probability

21
 Risk Quantity

QUANTITY OF RISK - HIGH

People:
ƒ Staff performing operational duties demonstrate
unfamiliarity with job requirements or are not adequately
trained.
ƒ Turnover is at a level where difficulty filling open positions
impacts the business process and /or the number of
assets per employee significantly exceeds peer.
ƒ Critical activities are heavily dependant on a small
number of staff / management (e.g., their loss will
significantly impact operations).
ƒ Staff size small in relation to peer, or the volume and
complexity of activities conducted. Workloads such that
staff frequently works overtime.
22
 Risk Quantity

QUANTITY OF RISK - HIGH

Process:
ƒ Activities consists of multiple control points, several
interrelationships with other activities, and / or requires a high
level of staff proficiency.
ƒ Activities where transaction volume is high relative to
infrastructure capacity, and / or significantly exceeds peer
transaction volumes.
ƒ Activities with individual transactions of above-average
monetary value, or where core activities pose a high dollar
exposure.
ƒ Business process requires extensive manual processing.
ƒ The organization: is undergoing significant changes (mergers,
consolidations, or system conversions); maintains branch
offices, operations centers, and personnel over several states
or countries; and / or has a significantly greater number of
facilities per asset size than peer. 23
 Risk Quantity

QUANTITY OF RISK - HIGH

Systems:
ƒ The organization’s business operations are highly dependent
on an extensive, complex network infrastructure.
ƒ Performance upgrades and capacity planning hampered by
serious system constraints, and / or substantial system
downtime.
ƒ Existing / legacy systems unstable. Obsolete or not supported
effectively by outside vendor or in-house staff.
ƒ Excessive access granted to internal / external parties for
critical applications / data.
ƒ Significant amount of complex systems development and
acquisition projects in light of the entity’s size and complexity.
Projects affect critical business processes.
ƒ The rate of adoption of technological change and the
aggressive implementation of emerging technologies may 24
impact the organization’s ability to operate its internal systems.
 Risk Quantity

QUANTITY OF RISK - HIGH

External Events:
ƒ The organization operates in areas highly susceptible to natural
disasters, or infrastructure dislocations (e.g., water quality,
telecommunications, and electrical power).
ƒ The organization operates in areas highly susceptible to acts of
war or terrorist activity.
ƒ The organization engages in businesses with highly complex
laws and regulations (e.g., cross-border issues, securities law).
ƒ Significant reliance on outsourcing arrangements / outside
vendors for critical services or systems.
ƒ Market is highly competitive and several other financial
institutions are creating pressure for changes in product or
technology.
ƒ Activities that are highly susceptible to major-market
fluctuations, (e.g., capital markets, labor markets, stock 25
markets, etc.).
 Risk Quantity

QUANTITY OF RISK - MODERATE

People:
ƒ Staff possesses basic skills to perform job
responsibilities. Some staff may require additional
expertise and guidance.
ƒ Turnover precludes the business from retaining optimal
staffing levels; however, basic business functions
satisfactorily.
ƒ Critical activities are supported by a reasonable number
of key staff / management.
ƒ Staff size adequate in relation to peer, or the volume &
complexity of activities conducted; overtime is
insignificant.
26
 Risk Quantity

QUANTITY OF RISK - MODERATE

Process:
ƒ An activity that consists of traditional well-established products
and services, and requires some experience as a prerequisite
(e.g., retail services, trade finance, commercial lending).
ƒ Infrastructure on par with volume.
ƒ An activity with individual transactions of average monetary
value.
ƒ The organization is moving toward straight-through processing
and currently has limited manual intervention.
ƒ The organization is implementing insignificant mergers,
consolidations, or conversions.
ƒ The organization maintains branch offices, operations centers,
and personnel within a regional geographic area. 27
 Risk Quantity

QUANTITY OF RISK - MODERATE

Systems:
ƒ The organization’s business operations utilize industry standard
networks.
ƒ Systems are flexible enough to upgrade performance levels
and increase capacity within reasonable time frames.
ƒ Existing / legacy systems relatively stable and supported
adequately by outside vendor or in-house staff, but significant
enhancements may be necessary to support all or parts of
critical business processes.
ƒ Restricted access granted to internal / external parties.
ƒ Manageable amount of systems development and acquisition
projects given the entity’s size and complexity.
ƒ The organization retains a reasonable level of technological
innovation, and selectively implements emerging technologies 28
that are consistent with its business plan.
 Risk Quantity

QUANTITY OF RISK - MODERATE

External Events:
ƒ The organization operates in areas with limited potential for, or
some prior history of natural disasters and / or has access to
relatively stable infrastructure with some providers available.
ƒ The organization operates in areas with limited potential for
acts of war or terrorist activity.
ƒ The organization engages in businesses which have a
generally stable legal framework, however, it may engage in
activities with some exposure to legal and regulatory issues.
ƒ Moderate reliance on outsourcing arrangements/outside
vendors for standard, noncomplex services.
ƒ The market is moderately competitive and only a few
competitors exist, with modest pressure for changes in products
or technology.
ƒ Activities with average susceptibility to market fluctuations. 29
 Risk Quantity

QUANTITY OF RISK - LOW

People:
ƒ Staff is knowledgeable and proficient in performing job
responsibilities.
ƒ Turnover is low and / or the number of assets per
employee is significantly less than peer.
ƒ Critical activities are supported by a considerable number
of staff / management (e.g., the loss of individual staff
members has little impact on operations).
ƒ Staff size generous in relation to peer, or the volume and
complexity of activities conducted. Staff rarely works
overtime.
30
 Risk Quantity

QUANTITY OF RISK - LOW

Process:
ƒ Activity consists of few control points; simple, easy to
understand activities and a relatively non-specialized
knowledge base (e.g., teller operations, check processing).
ƒ Volume well below infrastructure capacity and / or is far less
than peer transaction volumes.
ƒ An activity with individual transactions of below-average
monetary value (e.g., items processing).
ƒ Extensive use of straight-through processing with little or no
manual intervention.
ƒ The organization is relatively stable with no major mergers,
consolidations, or system conversions.
ƒ branches, operations center, and personnel operate within a
local geographic area, and / or the firm has a significantly 31
smaller number of facilities per asset size than peer.
 Risk Quantity

QUANTITY OF RISK - LOW

Systems:
ƒ The organization uses simple networks of proven network
components with minimal reliance on new technologies (e.g.,
land based voice networks).
ƒ Minimal resources required upgrading performance levels and
increasing system capacity as warranted.
ƒ Existing / legacy systems stable and receive effective vendor /
in-house support. Systems support business strategies.
ƒ Logical / physical access is appropriate for the size and
complexity of operations.
ƒ Level of systems development and acquisition projects
appropriate for entity’s size and complexity.
ƒ The organization adopts technological change only after it has
been proven effective with minimal reliance on emerging
technologies and a robust systems development life cycle 32
process.
 Risk Quantity

QUANTITY OF RISK - LOW

External Events:
ƒ The organization operates in areas not known to be susceptible
to natural disasters and/or operates in geographic areas with
varied and robust access to infrastructure facilities.
ƒ The organization operates in areas not known to be susceptible
to acts of war or terrorist activity.
ƒ The organization operates in an environment with a relatively
stable and thoroughly tested laws and regulations (e.g.,
consumer compliance regulations).
ƒ Reliance on outsourcing arrangement / outside vendors is
minimal.
ƒ Competition in the market is slight and there is little or no
pressure for changes in products or technology.
ƒ Market fluctuations have little effect on the institution’s business
lines. 33
 INHERENT RISK:
Overall

High Moderate Low

People X
Processes X
Systems X
Events X
Overall ? ? ?
34
 Risk Management

QUALITY OF RISK
MANAGEMENT

ƒ Board and Senior Management Oversight

ƒ Policies, Procedures, and Limits
ƒ Measurement, Monitoring, and MIS
ƒ Internal Controls and Internal Audit

35
 Risk Management

BOARD & SENIOR

MANAGEMENT OVERSIGHT
What to look for
ƒ Operations & technology
oversight
ƒ Board diversity; management
experience
Information sources
ƒ Organization charts
ƒ Committee minutes
ƒ Board & committee packages
36
 Risk Management

POLICIES, PROCEDURES,
AND LIMITS
What to look for
ƒ Policies, procedures & limits for
major operational areas
ƒ Policy compliance testing and
enforcement
Information sources
ƒ Policy, procedures, & limits
documentation
ƒ Compliance mechanisms;
exception reports 37
 Risk Management

MEASUREMENT, MONITORING,
AND MIS
What to look for
ƒ Comprehensive & appropriate
board, committee, and
management reporting
ƒ Reporting validation
Information sources
ƒ Board and committee packages;
management reports
ƒ Internal audit reports
38
 Risk Management

INTERNAL CONTROLS AND

AUDIT
What to look for
ƒ Effective control environment
ƒ Audit staff knowledgeable of
operations and technology risks
Information sources
ƒ Internal audit risk assessments and
audit plan
ƒ Internal audit reports
ƒ External auditor management letters
39
 Risk Management

RISK MANAGEMENT - STRONG

ƒ Management clearly understands and actively manages operational risks.
Risk management practices are appropriately adjusted to reflect industry
and regulatory developments.
ƒ A comprehensive written operational risk management framework place,
including an appropriate definition, tolerance levels, and effective
processes for identification, assessment, response, monitoring, and
controls. The framework is consistent with the institution’s size,
complexity, and risk profile. Policies clearly delineate accountability and
lines of authority across the institution’s activities. Policies provide for the
review of new activities before they are initiated.
ƒ Monitoring and MIS reports address all material risks. Assumptions, data
sources, and procedures used for monitoring are appropriate, adequately
documented, and tested for reliability. Operational risk is systematically
identified and assessed at least annually. Indicators have been
developed for the most important risks. Comprehensive reporting is
included in regular board and executive packages.
40
 Risk Management

RISK MANAGEMENT - STRONG

ƒ The audit function exceeds expectations. Risk-assessment processes
comprehensively identify and routinely monitors risk. The board actively
oversees internal and external audit functions. Audit staff is qualified,
sufficient, and independent. Risk-assessment allows audit managers to
quickly adapt to changing conditions. Audit plans and scope are well
defined and provide full coverage within the audit cycle. Work programs
are appropriate. Audit reports are actionable, and there is immediate
corrective action to resolve audit and regulatory concerns.
ƒ No internal control weaknesses exist in high-risk areas, and weaknesses
in low-risk areas are minor. Identified control weaknesses are addressed
timely. Material assets are safeguarded against unauthorized access.
Segregation and rotation of duties are in place and enforced. Potential
conflicts of interest are identified, minimized, monitored, and reviewed.
Authority and risk limits are documented and enforced. Staffing is
appropriate and employees are well-trained and competent.
Performance and exception reports are reviewed, variances investigated,
and appropriate action taken. Reconciliations, verifications, and controls
testing are timely and effective in all material areas. Timely self-
assessments have identified no—or minimal—exceptions, and audit has
verified the findings. 41
 Risk Management

RISK MANAGEMENT - ACCEPTABLE

ƒ The board and senior management have a good understanding of

operational risks and provide adequate oversight, although practices may
be lacking in some modest degree.
ƒ A written framework is in place for managing operational risk, covering all
major business areas. Any deficiencies or gaps are minor in nature and in
the process of being addressed. Policies provide for the review of new
activities before activities are initiated.
ƒ Monitoring and MIS reports for operational risk cover major risks and
business areas. The institution is beginning to comprehensively identify
and assess operational risk, but some risks are inadequately covered or
documented. Some indicators have been developed, but some key risks
are omitted, or monitoring needs improvement. Some reporting of
operational risks is done, but the quality is uneven and not on a par with
credit and market risk.
42
 Risk Management

RISK MANAGEMENT - ACCEPTABLE

ƒ Only minor internal control weaknesses are found in higher-risk processes.
More significant concerns may be noted in low-risk business lines, but no
weakness significantly impacts safety and soundness. All weaknesses are
correctable in the normal course of business. Segregation of duties is in
place in all high-risk processes, and inability to segregate duties in lower-risk
areas is mitigated. Conflicts are appropriately identified and monitored, but
additional action may be needed to minimize them. Authority and risk limits
are in place, but compliance monitoring may need improvement. Employees
responsible for high-risk functions or critical control processes have
appropriate expertise. Lower-risk processes may be lacking in proper self-
assessments. Audit has identified only minor exceptions to self-assessment
findings.
ƒ The internal audit function is adequate. Staffing is adequate, and auditors
are independent. Risk-assessment processes adequately identify and
periodically monitor risk. Annual risk assessments and audit plans are
defined but may require clarification, better coordination, or improved
communication. Audit management anticipates but fails to respond quickly to
changes in market, business, and technology. Work programs include
appropriate general steps but may not be sufficiently detailed. Audit reports
include all findings and management normally takes appropriate action;
however too much reliance is placed on audit and regulatory intervention 43
to
identify and resolve concerns.
 Risk Management

RISK MANAGEMENT - WEAK

ƒ Management may not be adequately informed about key aspects of
operational risk and may not be able to provide timely corrective actions for
deficiencies identified. Deficiencies involve a wide range of activities or are
material to a major business line or activity and include lack of knowledge,
insufficient oversight of risk management, under-utilized management
reporting, or inability to respond to industry or regulatory developments.
ƒ A written framework for managing operational risk may be lacking or may not
adequately identify, assess, monitor, or control key operational risks. These
deficiencies involve a wide range of activities or are material to a major
business line or activity. Policies may not be consistent with the institution’s
size, complexity, and risk profile. Policies may not provide for adequate due
diligence before engaging in new activities or products.
ƒ There may no comprehensive identification or assessment of operational
risk, or risk identification may be impaired by inappropriate assumptions,
inaccurate data, poor documentation, or lack of testing. Deficiencies involve
a wide range of activities or are material to a major business line or activity.
Operational risk may not be monitored or reported as a separate discipline.
MIS reports may not be distributed to the appropriate decision-makers,
adequately monitor significant risks, or properly identify adverse trends and
the level of risk faced by the institution. 44
 Risk Management

RISK MANAGEMENT - WEAK

ƒ There are serious chronic weaknesses that require substantial improvement in
internal controls. Conditions may result in unreliable financial records or managerial
reports, or in operating losses affecting safety and soundness. Management has
been unresponsive or slow to correct control weaknesses. Material assets are not
appropriately safeguarded. Job duties in high-risk processes are not appropriately
segregated. Conflicts are not disclosed or are not monitored to restrict inappropriate
transactions. Authority and risk limits are either absent or not enforced in material
functions or processes. Employees in high-risk areas or responsible for critical
control points lack expertise. Performance and exception reports are not generated,
or variances are not investigated. Reconciliations and verifications are not timely.
Self-assessments are not completed or audit has found them ineffective.
ƒ The audit function is inadequate. The board provides little or no oversight. Audit
staff may lack the expertise or independence to perform its duties. Risk
assessments do not effectively identify risks and may not be appropriate for the size,
complexity, or risk profile of the organization. Annual audit plans do not provide
adequate audit coverage for the audit cycle or may not provide adequate audit
programs for auditable units. Management has difficulty responding to changes in
business, market, and technology. Work programs do not address all controls to be
tested. Audit reports do not include all findings or may not be rated. Management
is generally reactive to audit or regulatory exceptions. Repeat concerns may exist,
indicating that management lacks the ability or willingness to resolve concerns.
45
 Trend

RISK ASSESSMENT:
Determine Trend

ƒ The probable change in the risk

profile over the next 12 months.
The risk trend is characterized
as decreasing, stable, or
increasing.
ƒ The direction of risk often
influences the supervisory
strategy, including how much
validation is needed.
46
 Hypothesis

RISK ASSESSMENT:
Develop Hypothesis
High Quantity High Exposure High Quantity
Weak RM Process Strong RM Process

Weak RM Strong RM
Process Process

Low Quantity Low Quantity

Weak RM Process Low Exposure Strong RM Process

47
 Exam Strategy

RISK ASSESSMENT:
Examination Scope Based on Hypothesis
High Qty. - Weak Mgmt. High Qty. - Strong Mgmt.
ƒ Confirm risk assessment ƒ Confirm risk assessment
ƒ Low reliance internal ƒ Rely on internal measures
measures ƒ Modified on-site procedures
ƒ Full on-site procedures targeting specific areas
Low Qty. - Weak Mgmt. Low Qty. - Strong Mgmt.
ƒ Confirm risk assessment ƒ Confirm risk assessment
ƒ Low reliance internal ƒ Rely on internal measures
measures ƒ Minimal on-site procedures
ƒ Target “Management”
section of on-site 48

procedures
 Risk Relationship

Risks Are Interactive

Market

Operational Legal

Reputational

Credit Liquidity
49
OPERATIONAL RISK
RISK ASSESSMENT

50
 RESOURCES
ƒ “Sound Practices for the Management and
Supervision of Operational Risk,” Basel
Committee on Banking Supervision, February
2003
ƒ “Operational Risk Data Collection Exercise -
2002,” Basel Committee on Banking
Supervision, June 2002
ƒ “Framework for Internal Control Systems in
Banking Organisations,” Basel Committee on
Banking Supervision, September 1998
ƒ “Internal Control – Integrated Framework,”
Committee of Sponsoring Organizations (COSO)
51