Next Gen Operational Risk Management

MENA CRO Forum


December 8, 2014

CONFIDENTIAL AND PROPRIETARY


Any use of this material without specific permission of McKinsey & Company is strictly prohibited
Why does operational risk matter?

Chart: overall cumulative average abnormal returns¹ (percent, y-axis from 0.5 down to -2.5) plotted against time to event in working days (x-axis from -40 to 120, event date at day 0). Annotations mark the decline in market capitalization at 7x actual loss, then 10x actual loss, reaching 12x actual loss after 120 days, where the actual loss equals 0.16% of market capitalization.

1 Based on sample of more than 350 operational loss events, normalized for industry performance

SOURCE: Fitch, Datastream McKinsey & Company | 1


Our discussions indicate that most banks currently focus on a number of key operational risk challenges

Examples of key challenges faced by banks, each followed by the commonly observed gaps:

1 Meeting heightened regulatory expectations for AMA elements, including ensuring that the core elements of AMA are well integrated and “talk” to each other
  ▪ Scenario analysis process is not sufficiently formalized and is not seen as value adding
  ▪ Loss data not “put to work”
  ▪ Lack of integration of different risk identification and monitoring tools

2 Need for a heightened level of ownership of operational risk within the 1st line and better clarification of roles and responsibilities across the three lines of defense
  ▪ Operational risk management too concentrated in the second line of defense
  ▪ Senior business managers not sufficiently involved in core ops risk processes (e.g., BEICF, scenario analysis)

3 Operational risk appetite statement needs to have both quantitative and qualitative elements and needs to be cascaded down to business groups and processes
  ▪ Operational risk appetite statement not defined, or very high level and lacking quantitative elements
  ▪ Consequently, banks struggle to determine whether they are within their operational risk appetite

4 De-risking high-risk business processes, including focusing on prioritized risks and controls that truly matter
  ▪ Lack of alignment on key risks and their owners
  ▪ Insufficient remediation plans given the changing nature and higher levels of inherent risk in areas such as cyber security and AML

5 Developing a well-prioritized set of top-of-the-house KRIs and reports reflecting the overall risk profile of the bank, with assigned thresholds based on risk appetite
  ▪ Too many KRIs without clear identification of which ones are critical
  ▪ Lack of forward-looking KRIs
  ▪ Operational risk reporting not integrated and not reflecting the overall risk profile


A “strong” operational risk framework includes 12 core elements

Core elements of the Ops Risk framework, each with a description of “strong” that will meet regulatory expectations:

1 Operational Risk Strategy, Policy and Appetite
  Granular risk appetite that cascades across businesses and ultimately to the business process level

2 Org and Gov (including Staffing, Skills and Escalation)
  Sufficient staffing and skills, strong business and risk representation in committees, strong oversight and challenge across the Lines of Defense

Core Ops Risk processes – Risk Identification

3 Internal Loss Data
  Loss and near miss data collection is comprehensive and of good quality and is used for effective challenge, supporting mitigation

4 External Loss Data
  External data used to inform modeling and scenario analysis and as an input into ongoing monitoring and reporting

5 BEICF (RCSA)
  RCSAs are conducted at the right level of granularity, have strong first line ownership to identify residual risks and include strong data driven challenge

6 Scenario Analysis
  Scenario analysis is used to identify material tail risks and strengthen controls. SA is business-led and has sufficient challenge and bias control

Core Ops Risk processes – Monitoring

7 KRIs
  Top of the house and business process level KRIs are well prioritized, reflect the true risk profile, are predictive in nature, are directly tied to business risk metrics and drive actions

8 Reporting
  Op Risk reports draw feeds from key elements of the framework, are actionable, and are used to inform business judgment and drive executive and business-level decisions

Core Ops Risk processes – Mitigation

9 Remediation
  Risk mitigation is owned by the first line, driven by risk areas and control weaknesses and supported by strong and regular control testing activities

Core Ops Risk processes – Modeling

10 Op Risk model
  Frequency and severity are modeled separately, involve careful selection of distributions, and are enhanced by other data sources

11 Culture mindsets and behaviors
  The Bank has the right culture mindsets and behaviors with respect to risk ownership, responsiveness, co-operation and challenge

12 Ops Risk Technology and systems
  Necessary functionality to support each element of the framework, drive automation and support data driven challenge/backtesting


2 There needs to be decentralized ownership of operational risk with business involvement and accountability

1st line – Decentralized ownership with business management accountability
▪ Business: Owns its risks, including its operational risk, and is responsible for its management
▪ In-business management: Identify and report operational risks as they emerge and communicate these risks to independent risk management and control functions
▪ Functional specialists (for example O&T): Advise on, contribute to, execute, and/or oversee key controls in support of efficient and effective management of operational risk

2nd line – Oversight by independent risk management and control functions
▪ Independent risk management: Triangulates on risk through product, business and regional/legal entity dimensions; triangulates on controls through subject matter experts, regional and legal dimensions and foundational elements, which include operational risk management and the fraud surveillance unit
▪ Control functions: Which include compliance, finance, human resources
Risk and control functions partner with business to manage operational risk by designing, implementing and assessing the effectiveness of controls

3rd line – Independent assessment by internal audit
▪ Internal audit: Recommends enhancements on an ongoing basis and provides independent assessment and evaluation


3 – 6 Regulatory expectations extend beyond the individual data elements to ensure strong linkages between the elements

Diagram: under an umbrella of governance and reporting, four data elements (external loss database, internal loss database, scenario analysis, BEICFs) feed operational risk management and operational risk capital measurement. External loss data are inputs to support scenario brainstorming and are used for validation of assessment; BEICFs provide the qualitative adjustment for the model; the internal loss database provides direct inputs to capital measurement; unanticipated losses may lead to identifying new risks/updating thresholds.

SOURCE: Interagency guidance on the advanced measurement approaches for operational risk, June 2011
6 Example of estimating severity for rogue trader scenario
Legend: core focus for this scenario / relevant to this scenario / not impactful to this scenario

Key drivers of scenario severity (total severity is the sum of the branches below):
▪ Mismarking losses: position built up over time; degree of mismarking
▪ Losses from market moves
  – Trading losses during event (pre detection): volume traded per unit of time; market move during event
  – Losses incurred while unwinding position (post detection): exposure per trade; market move during unwind
▪ Remediation costs
  – Cost of clean-up of IT: duration of event
  – Customer service related costs
  – Forensic cost
  – Regulatory fines
  – Legal costs
  – Lawsuits
▪ Recovery
  – Amount recovered
  – Client liability

Note: Opportunity cost excluded from the operational risk estimation but may be relevant for business


8 Operational Risk reporting – best practice examples   ILLUSTRATIVE

Report elements: 1 Operational Risk Summary; 2 Operational risk heat map; 3 Business and risk-level KRIs; 4 Detailed risk analysis; 5 Internal loss, near miss data, and KRIs; 6 Notable external loss events; 7 Emerging risks; 8 Control review results; 9 Scenario Analysis Results

Scenario analysis results template (element – description):

Quantitative outputs
▪ Severity:
▪ Likelihood:
▪ Severity:
▪ Likelihood:

Refresh triggers for scenario under discussion
▪ Refresh triggers, e.g.:
▪ Similar external loss event at a peer institution:
▪ Similar near miss at the bank or similar institution:
▪ Significant change in the bank’s control environment (i.e. existing control fails):
▪ Substantial expansion of business relevant to the scenarios under discussion:

Management actions (if any)
▪ TBD

Spill-over/regional implications (if any)
▪ TBD


11 Elements of “Strong” Risk Culture include timely information sharing, rapid elevation of risks and willingness to challenge practices

Definition: The norms of behavior within an organization that determine collective risk-taking and the ability to identify, understand, and act on the organization's current and future risks

Elements on the risk culture wheel: Challenge, Speed of response, Openness, Acknowledgement, Responsiveness, Level of care, Confidence, Communication, Transparency, Cooperation, Respect, Tolerance, Adherence to rules, Level of insight

Descriptions of a “strong” culture:
▪ A culture where individuals challenge each other’s attitudes, ideas and actions
▪ A culture where the organization perceives external changes and reacts quickly and/or embraces innovation or the impact of change
▪ A culture where management and employees feel empowered about passing on bad news or learning from mistakes
▪ A culture which instills a responsibility to react to situations or to care about the outcome of actions and decisions
▪ A culture where people do not believe their organization is immune/insulated from risk as a result of its superior position or people, that it doesn’t have an “edge”
▪ A culture where warning signs of both internal and external risks are shared
▪ A culture where groups do not take risks or embrace projects which benefit them to the detriment of the wider organization, or are not in line with the broader organization’s risk appetite
▪ A culture where leadership has communicated a clear risk appetite or has presented a coherent approach or strategy
▪ A culture where people’s risk appetites are aligned with the organization’s, reducing the probability of fraud or an operational/reputational event
▪ A culture where the organization understands the risks it is running


Why we need a new paradigm for operational risk management:
The challenges in traditional approaches to managing operational risk

Banks’ historical approach to managing operational risks has a number of shortcomings:
▪ Focus on input (“do we have controls”) rather than the output (“how are the risks performing”), implying that critical risks may be missed
▪ Inventory of risks often not formally defined or prioritized, and risk identification is largely a subjective exercise executed inconsistently
▪ Measures of residual risks are not integrated in systems of record, creating a lack of management transparency into the objective performance of critical risks, with KRIs often being backward looking
▪ Risk appetite statement for operational risk is based on aggregate loss levels and is not tied to risk identification and monitoring
▪ Primary responsibility sits with the second line of defense, with minimal coordination across various functions and overlap between the responsibilities of Compliance and Operational Risk as well as of the 1st and 2nd line of defense


Focus on residual risks in critical process breakpoints leads to greater effectiveness of risk identification

Diagram (legend: significant residual risk / insignificant residual risk): core business processes (process step 1, process step 2) → process defects → controls on breakpoints (C1, C2, C3, C4 … C10, C11, C12, C13, C14 … C25) → controls testing (T1, T2, T3, T4 … T10, T11, T12, T13, T14 … T25) → residual risk (residual risk 1, 2, 3, 4) → key risk indicators (key risk indicator 1; key risk indicators 2 and 3; key risk indicator 4)

▪ Identifying critical process breakpoints helps focus on the critical processes
▪ Monitoring relatively limited key risk indicators for residual risks versus testing the far more numerous controls results in efficiencies for QA/QC (4 KRIs vs. 25 control tests in this example)
▪ Not all residual risks are significant enough to be monitored
▪ Aligning operational risk and compliance against the critical breakpoints and residual risks leads to improved effectiveness


Integrated Operational Risk and Compliance Risk Taxonomy   CASE EXAMPLE

1 Fraud: 1.1 Internal; 1.2 External
2 Operations: 2.1 Improper business practice; 2.2 Product/process design failure; 2.3 Payment settlement error; 2.4 Trade capture error; 2.5 Process execution error; 2.6 Monitoring execution error; 2.7 Reporting error; 2.8 Improper account management
3 People: 3.1 Employment practices; 3.2 Workplace safety; 3.3 Resource management
4 Security of Physical Assets: 4.1 Accidental damage; 4.2 Physical criminal action; 4.3 Natural disasters; 4.4 Political risk
5 Third Party: 5.1 Third party performance issue; 5.2 Compromise of third party financial position; 5.3 Inadequate third party oversight
6 Business Disruption: 6.1 System continuity and recovery; 6.2 Core process continuity and recovery
7 Systems: 7.1 Internal systems infrastructure flaw; 7.2 IT process management error; 7.3 IT platform support error; 7.4 Data accuracy and integrity
8 Information Security: 8.1 Data loss; 8.2 Disruptive cyber-security attack
9 Legal: 9.1 Contractual; 9.2 Litigation; 9.3 Legislation; 9.4 Statutory/regulatory
10 Compliance: 11.1 AML/BSA/OFAC; 11.2 Fair & Responsible banking; 11.3 Residential mortgage; 11.4 Other lending; 11.5 Deposits; 11.6 Fiduciary; 11.6 Securities compliance; 11.7 International compliance; 11.8 Safety, soundness and other


Enterprise-wide taxonomies cascade down to the business line and structure the identification of critical risks by tier across businesses

Level 1 (top of the house): Compliance risks; Other operational risks

Level 2 under Compliance risks: Fair lending & responsible banking; UDAAP; Fiduciary …; Securities …; Advice & financial planning; AML/BSA/OFAC; Mortgage & lending compliance …; KYC …; Deposits & banking operations …; Sanctions (OFAC); International compliance …; Patriot Act …; Regulatory change management …

Level 2 under Other operational risks: Fraud; Technology, information & cyber security; Third Party …; Business change; Business resiliency …; People …

Level 3 examples with criticality tier by business line:

Level 3 (UDAAP)                             Mortgage   Cards    Deposits   …
Product disclosure & marketing practices    Tier 1     Tier 1   Tier 2     …
Third party risk management                 …          …        …          …
Product design, suitability, usage          Tier 2     Tier 3   Tier 1     …
Product approval decisions                  Tier 2     Tier 2   Tier 2     …
Customer communications & servicing         Tier 1     Tier 1   Tier 3     …

Level 3 (AML/BSA)                           Mortgage   Cards    Deposits   …
Money laundering monitoring                 Tier 2     Tier 3   Tier 1     …
Terrorist financing                         Tier 3     Tier 3   Tier 2     …
Funds gained from illegal activity          Tier 3     Tier 3   Tier 1     …
Monitoring of intl. correspondents          Tier 3     Tier 3   Tier 2     …


BREAKPOINT ANALYSIS
Breakpoint analysis: middle office settlement process example

Process map (front office → middle office → back office), by function:
▪ Operations – Booking: Capture trade; Verify/amend/cancel trade as needed; Maintain trade
▪ Operations – Settlement: Generate trade confirms (internal and external); Match trade details with client; Identify settlement obligations; Deal with post-trade settlement issues; Reconcile trade with exchange
▪ Operations – Cash mgmt: Calculate margin requirements; Manage collateral
▪ Operations – Administrative: Manage broker fees and memberships
▪ Finance – PnL: Calculate PnL and reconcile with trading desk; Month/quarter end PnL checks
▪ Finance – Hedging: Verify inventory and manage hedging instruments
▪ Finance – Funding Mgmt: Ensure that legal entities are correct for bookings; Prepare capital and attribution analyses; Month/quarter end cash and liquidity securities management

Breakpoints marked on the map:
1 Failure to match trade details exactly with CCP/client
2 Failure to match trade with client, exchange, and trader
3 Breaks in PnL between trading desks and Finance
4 Lack of reconciliations of trade with exchange
5 Lack of oversight of trade booking, processing, and maintenance (e.g., asset servicing)
6 Trades assigned to incorrect legal entities


BREAKPOINT ANALYSIS
Breakpoint analysis: AML example

Sample new customer onboarding & KYC process – Current state (legend: manual intervention required / fully automated). Turnaround time 5-6 days¹.

Process flow:
▪ Customer completes application online
▪ Review application completeness (per product requirements). App complete? If no: follow up with customer regarding missing info, then re-check completeness
▪ High risk accounts per risk policy (e.g., SMEs; organizational investment accounts) go to a Relationship Manager, who clears the account
▪ All other accounts: ID validation checks (LexisNexis, D&B, Equifax). Red flag? If no: sanctions screening, then clear account
▪ If red flag: CIP review; CDD as necessary. Issues? If no: clear account. If yes: restrict account and contact customer regarding the restriction
▪ Issues resolved? If yes: open account, generate account #. If no: disposition the incomplete app and close the account
▪ File reports (internal & regulatory)

Breakpoints marked on the flow:
1 KYC requirements are not embedded into the application process
2 Lots of red flags generated down the line due to missing ID info that could have been requested / validated upfront at the time of application submission
3 Lack of effective risk scoring upfront complicates CDD – trade-off between resources and compliance
4 CIP, EDD and sanctions screening processes are manual; ‘swivel chair’ between various vendor apps
5 Unclear responsibilities between AML staff and relationship managers, as well as the unexpected restriction of the account that the customer thought was open / fully functional, creates confusion and detriments for the customer experience
6 No system triggers to support customer outreach, info and doc assembly
7 Reporting process is manual and policy-based

1 For the ‘unhappy path’ when additional DD / investigation is required


BREAKPOINT ANALYSIS
Regulatory requirements can be mapped to business process breakpoints with clearly identified KPIs and required controls

Approach
▪ Create log of regulatory requirements and bank policy
▪ Map to key business processes (e.g. transaction reporting, client money segregation, registration process)
▪ Assign owner to each action/process
▪ Create indicator of completion of action/process (status: action/process completed, or error in action/process)
▪ Provide ongoing updates as new regulation arises

Example: trade capture and reporting

Regulation                                          Bank policy                          Process                       Process owner        MIS KPI
A trade report shall be submitted to the exchange   All required trades to be            FO trade capture              Front office         % of trades input correctly
in respect of every on exchange trade to which a    submitted to exchange
member firm is a party in accordance with the
trade reporting responsibility
…                                                   …                                    T+1 P&L production            Trade capture team   % of trades with duplication errors
…                                                   …                                    Daily consolidated reporting  Financial control    Balance sheet reconciliation


BREAKPOINT ANALYSIS   ILLUSTRATIVE
Example report for monitoring trading breakpoints

Residual risk report generated by each accountable process owner. Residual risk vs. limit is color-coded as inside tolerance, outside tolerance, or materially outside tolerance; the report shows monthly values for May through Oct, a trend, the limit, the actual, and escalation as needed.

Policy and risk limits                           Limit   Actual
Trade processing errors
 1. FO trade entry errors                        5%      2%
 2. Structured trade reviews with errors         100     90
 3. Trades booked after T+0                      1%      5%
Conflicts of interest
 1. Employees without training certification     2%      1%
 2. Reviews with issues                          100     90
 3. Conflict of interest incidents               20      30
Suitability
 1. Trades with unapproved counterparties        2%      1%
 2. Clients without signed disclosures           20      10
 3. Number of trades outside tolerance           50      80
P&L / Valuation
 1. Valid client complaints                      50      40
 2. P&L red flags outstanding                    40      30
 3. P&L not available T+0 review                 3%      6%
Regulatory risk
 …

In addition to policy and risk limits, qualitative commentary will be included on the priority risk issues


ILLUSTRATIVE
Residual risk can be measured directly using a combination of objective KRIs, qualitative risk markers, audit and regulatory findings, etc.

Rating scale: Very high, High, Moderate, Low, Minimal

Example: Assessment of residual risk for TILA CCRs in Mortgage Underwriting

Columns: Residual risk | Objective KRIs (independent / 2nd line testing) | Risk markers: Qualitative risk marker; Other testing (1st line testing, …); Audit findings; Reg findings; Litigation/fin. loss

Residual risk     Objective KRIs                                          Qualitative risk marker
Re-disclosures    % inaccurate re-disclosures 1%; % untimely re-disclosures 3%   NA
Fees              % APR & finance charges outside of tolerance 2%         NA
Incentives        NA                                                      MLO comp tied to TILA compliance

▪ Quantitative KRIs are the indicators with which we lead the assessment
▪ Overall rating is driven first by objective KRIs and then adjusted as needed based on MRAs, audit findings etc.
▪ Qualitative risk markers can be used to assess risks for which quantitative assessments are difficult


Residual risk map pinpoints ‘hot spots’ and directs management attention to the right set of actions for remediation   ILLUSTRATIVE

Example for BU 1 assessment point (rating scale: Very high, High, Moderate, Low)

Columns: OpRisk | Inherent risk (inputs: KRIs, audit findings, reg findings, financial loss, testing finding, op losses) | Control effectiveness | Residual risk | Insights in controls design | Management action

Row – Reporting error (CRA):
▪ Insights in controls design: Controls are largely automated and all are preventive
▪ Management action: Provide feedback to business line to do a quick diagnostic and assess remediation options – balancing remediation requirements (e.g., automation of all CRA controls) against the materiality of exposure may lead to tactical actions only (e.g., additional training of the frontline)

Notes:
▪ Rating driven by control effectiveness factors
▪ High inherent risk is mitigated by satisfactory controls in place, thus the residual risk is moderate and there is no immediate call to management action
▪ Residual risk mapping leads to specific management action; one of the main objectives of the RCSA


Suite of reports aggregates individual risks in a way that effectively escalates critical issues in a timely manner   ILLUSTRATIVE

Legend: Very high, High, Moderate, Low

Example residual risk rating – Systems

Systems enterprise-wide               Q1     Q2     Q3     Q4     Details for Q4
Internal systems infrastructure flaw  XX%    XX%    XX%    XX%
IT process management error           XX%    XX%    XX%    XX%
IT platform support error             XX%    XX%    XX%    XX%
Data accuracy and integrity           XX%    XX%    XX%    XX%
Overall Systems                       XX%    XX%    XX%    XX%

▪ Residual risk scores based on assessment points
▪ Point scoring system, based on very high (5), high (3), moderate (2) or low (1) residual risk rating, increasing prominence of very high risks
▪ Details on distribution of underlying assessments of residual risk provide additional transparency
▪ Ability to “double click” on very high risks to facilitate management action


Based on risk materiality assessment, control activities can be rationalized, increasing the overall operational effectiveness

Inventory of operating and regulatory risk breakpoints (rows): A Mortgage sales; B Fulfillment; C Performing servicing; D Collections; E Loss mitigation; F Foreclosure & bankruptcy; G 3rd party oversight; H REO; I Cross-cutting

Roles by line of defense (columns):
▪ 1st line – Business: Establishes controls, policies and procedures, QC and MIS; identifies emerging risks; owns escalation and remediation
▪ 1st line – BU-level risk: Reviews risk levels and effectiveness of controls, collaborates with operations on control enhancements; runs independent QA testing
▪ 2nd line – Corporate Risk: Provides independent risk monitoring; oversees QA testing
▪ 2nd line – Compliance: Conducts independent oversight and control testing for compliance risks
▪ 3rd line – Audit: Conducts regular independent audits of operations; audits Risk and Compliance

Operating risk breakpoint example: affidavit factual errors or improper execution
▪ Business – Controls: FC and BK team verifies accuracy; management review prior to handoff to execution; enhanced affidavit (e.g. auditable trail) and in-line QC with a defined schedule; auditable trail; notary logs. Attorney oversight: attorney quality monitoring; attorney management. In-line QC: 100% in-line QC monitoring and measurement. Remediation: control performance and remediation actions. Accountability for regulatory changes
▪ BU-level risk – Responsibilities: Collaborates with business to ensure effectiveness of processes, controls and training; conducts regular risk assessments; monitors MIS and overall risk level; runs monthly detective QA process. Escalation: QC defects exceed X%; QA defects > Y%
▪ Corporate Risk – Responsibilities: Runs independent testing of the results of the controls; completes independent monitoring of QA testing (e.g. sampling, test design); establishes overall defect tolerances; in collaboration with compliance, runs spot-check file testing
▪ Compliance: Conducts independent testing to ensure filings comply with state-level requirements; independent monitoring of controls for compliance with state-level requirements; monitoring of compliance training
▪ Audit: Regular independent audit of the process and monitoring program for its effectiveness


Trend towards integration of Operational Risk and Compliance?   RECENT EXAMPLES

Three organizational models, each with the year of the example shown in the original:
▪ Legal-led organization: Compliance as part of Legal (2013)
▪ Risk-led organization: Compliance as part of Risk (2012)
▪ Stand-alone Compliance and Operational Risk functions (2013)
