key risk indicators shareslide

THE KEY RISK INDICATORS: A WORKING EXAMPLE Dr. Zakaria Salah 2015

Upload: dr-zakaria-salah

Post on 16-Apr-2017

TRANSCRIPT

Page 1: Key risk indicators shareslide

THE KEY RISK INDICATORS: A WORKING EXAMPLE

Dr. Zakaria Salah

2015

Page 2: Key risk indicators shareslide

Operational Risk Management

OPERATIONAL RISK

Operational risk is defined as “the risk of losses resulting from operational failures due to processes, people and systems or from external events”.

Examples: human errors, IT failure, fraud, flood, etc.

The main sources of operational risk are People, Systems, Processes and External Events.

The main objectives of managing OpRisk:

• Changing the risk culture in the institution.
• Avoiding or minimizing operational risk losses.
• Providing early warning signals.
• Improving work-flow quality.

Page 3: Key risk indicators shareslide

OPERATIONAL RISK LOSSES

• John Rusnak and Allied Irish Bank – fraud
• Bank of Credit and Commerce International – major fraud
• Nick Leeson and Barings Bank – bank collapse
• Soc Gen and Jerome Kerviel – Euro 7.2 bn major fraud


Page 4: Key risk indicators shareslide

OPERATIONAL RISK GOVERNANCE AND STRUCTURE


Page 5: Key risk indicators shareslide

WHAT IS THE APPLE & WHAT ARE THE FORKS AND HOW MANY FORKS?

Page 6: Key risk indicators shareslide

KEY INDICATORS

• Key Risk Indicators (KRIs): metrics that provide information on the level of exposure to a given operational risk which the organization has at a particular point in time.
• Key Control Effectiveness Indicators (KCIs): metrics that provide information on the extent to which a given control is meeting its intended objectives (in terms of loss prevention, reduction, etc.).
• Key Performance Indicators (KPIs): metrics that measure performance or the achievement of targets.

Page 7: Key risk indicators shareslide

KEY RISK INDICATORS (KRIS)

• KRIs, as the name suggests, are indicators of the key risks to which the organization is exposed.
• They are identifiable pieces of information that can act as a proxy or indicator of the current or potential level of that key risk.
• Since the rogue trading incidents at Société Générale in 2008 and UBS in 2011, many banks have developed the monitoring of specific KRIs for rogue trading.
• Risk indicators are an important tool within operational risk management, facilitating the monitoring and control of risk.
• A KRI is a metric that provides information on the level of exposure to a given risk which the organization has at a particular point in time.

Page 8: Key risk indicators shareslide

KEY RISK INDICATORS (KRIS)

Developing KRIs is a prerequisite for effective risk management. Useful risk indicators help identify rises in the probability of occurrence of incidents early enough to prevent them.

Credit analysts know which financial ratios, management behaviors and economic conditions will trigger a rise in credit risk.

In Paris, taxi meters are limited to eleven hours per day, preventing cab drivers from overworking, since tiredness is a well-documented contributor to car accidents. The same applies to our staff: overtime leads to human errors and severe operational risk.

Page 9: Key risk indicators shareslide

KEY RISK INDICATORS

The risk indicator has to have an explicit relationship to the specific risk whose exposure it represents.

For example, take the number of customer complaints, which is likely to be linked to the risk of process errors: as customer complaints increase, the probability that there are some underlying and potentially systemic mistakes and errors of judgment being made is likely to rise.

Further examples of risk indicators include staff turnover (which may be linked to risks such as fraud, staff shortages and process errors), the number of data capture errors (process errors) and the number of virus or phishing attacks (IT systems failure). Other examples of KRIs: number of limit breaches, number of outstanding items on the bank reconciliation, etc.

Page 10: Key risk indicators shareslide

KEY RISK INDICATORS

KRIs are focused primarily on identifying and tracking current risk.

Objectives of KRIs:

• Monitor the current level of operational risk.
• Detect problems as part of an early warning system.
• Report risk levels in as timely a manner as possible.
• Implement an effective risk appetite.
• Promote the awareness of risk issues across the staff.

Page 11: Key risk indicators shareslide

05/03/2023 11

PROCESS TO IDENTIFY KRIS

• Identify and analyse a business process (process flow analysis).
• Perform a risk and control self-assessment of the business process to identify the inherent risk, control measures and residual risks of the business process.
• Prioritise the residual risks in terms of high, medium and low risks.
• Identify the indicators according to the characteristics of a KRI: the risk must be a high priority (high risk); the KRI must be quantifiable; and the data must be available.
• All stakeholders agree to a threshold for the KRIs.
• Register the indicator as a KRI.
• Determine the roles and responsibilities in managing the KRIs.
• Determine the reporting frequency and method, including escalation process.

Page 12: Key risk indicators shareslide

KEY RISK INDICATORS

• KRIs primarily track components of a risk story that has already commenced. The occurrence of risk causes and risk events will in most instances produce evidence (risk red flag).
• KRIs are designed to identify that evidence, interpret it and relay it back to management in a meaningful and timely fashion so that action can be taken.

[Diagram labels: Cause (×3), Risk Event, Effect (×3), Key Risk Indicators, Detective Controls, Expected loss events]

Page 13: Key risk indicators shareslide

HOW DO YOU IDENTIFY KRIS

Define Risk category

• People risk

Develop Causes Map

• Inability to recruit
• Inability to retain
• Inadequate skills and education
• Low staff morale
• Low job satisfaction
• Poaching by competitors
• Poor performance of staff

Establish KRIs

• Staff turnover ratios
• Average time to fill
• No. of applicants per vacancy
• % of job offers accepted

Page 14: Key risk indicators shareslide

SETTING THRESHOLDS FOR THE KRI

A key risk indicator for monitoring and responding to “loss of staff” risk is staff turnover levels. Key risk indicators of this type require:

• Tolerance thresholds in order to give a meaningful representation of the risk;
• The resultant ratings, which could be used to create “heatmap” reporting on indicators.

So the KRI thresholds can be set as follows:

• Below 5% – Acceptable risk. The organization is comfortable with the level of staff turnover.
• From 5% to 10% – Potential risk. The risk is a concern and HR would be expected to monitor actively and establish causes and actions. Escalation is required to raise awareness.
• Above 10% – Significant risk. Action and escalation with an explanatory report are required.

When given thresholds are breached there will be a requirement to escalate to an appropriate level of management:

| KRI | Acceptable | Early warning | Worst Case |
|---|---|---|---|
| Staff Turn Over | Below 5% | 5%-10% | >10% |

Page 15: Key risk indicators shareslide

INFORMATION THAT CAN HELP TO IDENTIFY SIGNIFICANT RISKS

• Historical internal & external loss events;
• Risk and control self assessment results;
• Internal / external audit findings;
• Workshops / discussions with business functions, e.g. Human Resources (including staff turnover statistics).
• Client complaint cases
• Integrity Unit findings
• Compliance failure
• Improvement Implementation failure

Page 16: Key risk indicators shareslide

CONSIDERATION IN THE SELECTION OF KRIS/CHARACTERISTICS

• Ideally determined for many of the significant risks identified in the risk and control self assessment (self assessment) process;
• Can provide “early warning” signals to trigger actions that reduce potential risk exposures;
• Some indicators are meaningless on their own and need to be combined with other KRIs. In many cases, it is a group of KRIs that will provide the best management information for a meaningful assessment;
• Can indicate past, current and projected levels of risk and can be used as criteria to monitor, escalate and manage risk and related actions; and
• KRIs' relevance and change in importance over time.
• The appropriate frequency of reporting and monitoring of each identified indicator is also an important consideration.
• Other characteristics are: measurable, easy to monitor, auditable, comparable.

Page 17: Key risk indicators shareslide

ROLES AND RESPONSIBILITIES

Business Unit/Dep.

• Identification of indicators

• Setting of thresholds

• Monitor position against targets and limits

• Escalate breaches to operational risk management

Risk Management Dep

• Provide guidance and challenge the selection of KRIs and thresholds

• Monthly reporting on KRI Breaches

• Ad-hoc escalation reporting to Board

• Identify trends across the business

Internal Audit Dep.

• Provide validation / independent assurance around the KRI process

• Incorporate outputs into audit plan

Page 18: Key risk indicators shareslide

KEY RISK INDICATOR WORKFLOW DIAGRAM

[Workflow diagram; roles shown: KRI Reporter, KRI Owner. Step labels:]

• Set up KRI Definitions
• Define/assign Thresholds
• Set up submissions
• Submit to KRI owner
• Capture Data
• KRI owner review and approved
• Submit data to KRI coordinator
• KRI Owner Review

Page 19: Key risk indicators shareslide

KRI DATABASE AND REPORTING

The KRI Database should include the following:

• The name of the KRI
• Description of the KRI
• Objective of the KRI
• What is the KRI tracking
• The linkage of the KRI to the risk cause
• The linkage of the KRI to the risk event
• The linkage of the KRI to the risk effect
• The linkage of the KRI to control(s)

Page 20: Key risk indicators shareslide

KRIS COLLECTION PROCESS

• Sending notification and follow-up to those responsible for input of the KRI information by the due date. A software-based collection system can assist and facilitate the process.
• Input of KRI data either via a system interface or manually.
• Quality assurance of KRI data to ensure accuracy of data prior to processing.
• Reporting of the KRIs with action required:

For green-colored KRIs: No action required.

For amber-colored KRIs: Explanation with suggested corrective actions provided by the business unit within one month. These KRIs are escalated to senior management.

For red-colored KRIs: Explanation with suggested corrective actions provided by the business unit within 10 days. These KRIs are escalated to CRO, Executive management and Board.

KRI: KRI1 X, KRI2 X, KRI3 X

Page 21: Key risk indicators shareslide

MANAGING KRIS

• Collate the data required at the approved times.
• Draft the report according to the approved format.
• Submit the report according to the approved timeframes and to the approved role players.
• Develop and implement control measures if there is a breach in the approved threshold.
• Monitor the various business influences, which could lead to a change in the approved threshold, for example an increase in business, external influences on business processes, etc.
• Submit KRI information to serve as an input for operational risk modelling (to determine a realistic capital for operational risk).
• Submit KRI information as an input to determine the risk profile and the risk appetite of the organisation.
• Submit KRI information to test the risk and control self-assessment results.

Page 22: Key risk indicators shareslide

EXAMPLES OF KRIS FOR CREDIT RISK

Front office – daily indicators

• Number/amount of interest payment delay

• Number/amount of credit limit breach

• Number of loans/days/amount in watch list

Loan attribution – portfolio review

• Number of loans with missing documentation

• Number of loan applications close to the documentation limit

Loan monitoring – credit review

• % nonperforming to total loans

• Breach of liquidity/solvency/leverage limits

Page 23: Key risk indicators shareslide

EXAMPLES OF KRIS FOR FINANCIAL MARKETS ACTIVITIES

Front office – daily indicators

• Number of breaches of trading limits

• Number of abnormal trading patterns:

  • Number of deals amended

  • Number of deals cancelled

  • Number of off-market price transactions

Back-office/accounting – daily indicators

• Number of pending confirmations

• Number of unconfirmed deals

• Number of unreconciled deals

• Number of unsettled deals

• Number of reversals

• Number of pending requests

Front office – environmental KRIs

• Lack of supervision (number of days / weeks without line supervisors)

• Blame culture (metric: number of traders fired for poor short-term performance)

Back-office – environmental KRIs

• Number of staff without financial background

• Number of staff without on-the-job/technical training

• Number of transactions per staff member (monthly % change)

Page 24: Key risk indicators shareslide

DEVELOPING KRIS IN ISDB AND LESSONS LEARNED

• The operational risk team has already done a Risk and Control Self-Assessment (RCSA) for 16 departments. The main outputs are as follows:

  • List of risks
  • List of controls in place
  • Number of KRIs and KCIs
  • Number of actions

• About 100 KRIs and KCIs were developed for these departments during the RCSA exercise.

Lessons learned

• Each department should start using its KRIs in order to track its key risks and report to the operational risk team.
• They can work as early warning indicators.
• If a department feels that the KRIs it has are not enough, it can develop more KRIs.
• Focusing on two or three KRIs is enough to start monitoring your key risks.

Page 25: Key risk indicators shareslide

CASE STUDY

Think of one risk as an example of the risks that your department is exposed to and try to (in 10 minutes):

• Develop one or more KRIs.
• Set thresholds for the suggested KRIs: (acceptable, potential (early warning) and significant (worst case))

Answer

1. Define one objective that your department would like to achieve.
2. Define one risk that may prevent your department from achieving this objective.
3. Define KRI(s) with thresholds that you can use to monitor such risk.

Objective

Risk

KRI

Page 26: Key risk indicators shareslide
