operational risk management - cemla - bundesbank’s methodology of orm, crisis management and bcm...
TRANSCRIPT
Crisis Management and Operational Risk Management
Christoph Stute
Guatemala, 28 – 29 March 2012
Crisis Management
Definition - Bundesbank’s methodology of ORM, crisis management and BCM
ERM/Operational Risk Management
• ERM is the overall process for early identification, handling and monitoring of risks
• ERM includes business risks and OR
• ERM gives an overview of all risks and helps to decide which risks are acceptable and which are not (risk tolerance / risk appetite)
• ERM/ORM has preventive character
• Focus: risks emerging from conducting the business
Crisis Management
• CM is the ability of an organisation to respond to any crisis situation in a predefined way
• CM includes a “tool box” with organisational and technical utilities to support management (BCP is one of the “tools”)
• CM has mainly reactive character
Business Continuity Management
• BCM identifies potential threats to an organisation and the impacts on its most critical functions
• BCM includes BCPs that put an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way.
• BCM has mainly reactive character; Focus: risks that endanger the object of a company
crisis management 3
Differentiation crisis management – risk management
❙ Risk management
supervision and prevention in day-to-day business
❙ Crisis and business continuity management
managing crises and keeping the operational business running in exceptional circumstances
→ quick decisions and reaction under pressure
Crisis definition at Bundesbank
The term crisis is understood to mean any unusual incident which has a significant (potential or acute) negative impact on the health and safety of the Bundesbank staff and its guests, the execution of Bundesbank’s tasks, its material assets, its integrity and/or reputation.
Every crisis is unique; its cause and course are unpredictable and consequently specific plans cannot be made
➲ individual, flexible and rapid response required
(Potential) causes for a crisis
❙ long term breakdown of information technology
❙ long term electrical power outage
❙ fire
❙ epidemic (e.g. avian flu, swine flu, seasonal flu)
❙ natural disaster (e.g. flooding, …)
❙ armed robbery (with hostage-taking and / or damage to persons)
❙ “media crisis”
❙ terrorist attack
CM folder
The Bundesbank’s CM concept
CRISIS PREVENTION
Early recognition of crises through
• Incident register
• Situation report
Basis for rapid and systematic response through
• Contingency planning
• BCP
• Trained staff
CRISIS MANAGEMENT
Safeguarding the Bundesbank’s decision-making function through
• a central crisis management team at top management level
Overcoming the crisis incident through
• (immediate) operational measures by the contingency team, BCP team, police ....
• Situation report
CRISIS REVIEW
Gathering experience from the crisis and making use of it through
• systematic documentation of the crisis management
• crisis follow-up and review of the existing plans (as required)
Roles and responsibilities
❙ Declaration of crisis → Executive Board or (if not capable of acting) Executive Board member for controlling & organisation
❙ Suspension of crisis → Board
❙ Head of CMT → Board member for controlling & organisation
❙ CMT → senior managers (Core team: controlling & organisation, IT, administration, communication, head of CM secretariat)
Core crisis management team (decision-making level)
• Head of the CMT (President or Executive Board member for controlling)
• CMT coordinator
• Head of Crisis Communication
• Head of Administration and Premises
• Head of IT
• Head of Controlling
• Decides on all measures necessary to overcome crises
Extended CMT at operational-technical level (as required)
• Head of Crisis Management Secretariat
• Head of Legal Department
• Heads of Cash, Markets, Payment Systems
• Head of Personnel
• Decision-making preparation at operational-technical level
• At least 5 substitutes per function
Support teams
❙ Contingency/BCP teams implement the CMT’s and the BCP’s resolutions as well as emergency measures (Vb, IT, H, C, M, Z) → urgent measures
❙ Crisis management secretariat assists the CMT (file managers, telecommunications services, minute keepers, secretarial staff)
❙ Crisis communication team (Communication Department): operational implementation of crisis communication
❙ Local contacts implement the CMT’s resolutions as well as emergency measures throughout Germany
Crisis management in practice
❙ Crisis management concept
❙ Detailed concepts
a. Organisational structure
b. Procedures
c. Location planning
d. Telecommunication
e. Crisis communication
f. Documentation
g. Training
h. CM regional head offices
i. CM branches
❙ CM folder - Guidance for CM (every CMT member)
• Contact data
• Diagrams & location plans
• Checklists and templates
Procedures in case of a crisis
Identification of an incident (staff, sensor, security team etc.)
→ Information of the security team
→ urgent / emergency measures; alerting of police, fire brigade, ambulance
→ Information of the business areas (BCP teams, Administration, IT)
→ Information of the head of the crisis secretariat
→ Information of the head of the CMT
→ Alerting CMT and secretariat
Tasks of the crisis secretariat
❙ Collect information from media, phone calls, email, fax etc.
❙ Assess this information for priority and responsibility
❙ Compile a current situation report for the CMT
❙ Write minutes of the CMT meetings
❙ Provide the CMT with information for decision making, food and drink etc.
Tasks of the CMT
Working phase of the CMT
❙ explore proposals
❙ ensure the decisions are carried out
CMT meetings
❙ Presentation
❙ Decision making on the proposals by the head of the CMT
Procedure
The crisis management team process (translated from the German slide)
Working phase → CMT meeting → working phase → CMT meeting → … along the time axis; the timeline gives durations of approx. 10–15 min and approx. 45–60 min for the alternating steps
Participants: decision-making level (at the CMT meeting), crisis management secretariat, operational-technical level, communication control
Continuous tasks: compiling and updating the situation picture, (secretariat) tasks, documentation, management of reporting, minute-taking, ensuring communication
First working phase:
• compile the situation picture
• if necessary, initiate immediate measures
• draw up proposals for measures and for communication
• extend the CMT / contingency teams?
• check the measures carried out
First CMT meeting:
• presentation of the situation picture
• presentation of resolution proposals and communication drafts (and, if necessary, extension of the CMT)
• decision on the above points by the decision-making level
• agreement on the further course of action and the date of the next CMT meeting
Subsequent working phases:
• initiate / implement the resolutions of the CMT meeting
• update the situation picture
• draw up proposals for measures and for communication
• check the measures carried out
• prepare / approve / distribute the minutes of the CMT meeting
Subsequent CMT meetings:
• presentation of the situation picture
• presentation of resolution proposals and communication drafts
• decision on the above points by the decision-making level
• agreement on the further course of action and the date of the next CMT meeting
Basic conditions for the CMT
❙ One decision maker → head of CMT
❙ Five representatives for every CMT role
❙ Alerting system
❙ Arranged rooms for working and meetings
❙ Crisis hotlines
❙ Functional email addresses
Locations of the CMT
❙ Head office: primary premises in the head office main building or the situation room under the guest house
❙ Regional head office Frankfurt: second site, if the head office is no longer available or is endangered
❙ HV Mainz or, depending on the situation, HV Berlin: third and fourth site, if the Frankfurt region is no longer available or is endangered
Locations of the CMT II
❙ In all locations the following are prepared:
❙ Meeting room
❙ Working room
❙ Secretariat room
❙ If needed, more rooms
❙ The rooms are used in daily business, so computers and equipment are up to date
❙ All locations are provided with the same means (posters, forms, USB sticks, mobile phones etc.)
Alerting system
❙ Definition of
❙ who alerts
❙ who is to be alerted
❙ what is to be told / asked during the alerting call
❙ First the secretariat is alerted, then the CMT
❙ If the first representative of a CMT function is not available or cannot reach the CM rooms within one hour, the next of the function’s 5 substitutes is called
❙ Representatives of a function who are currently not in the CMT can replace their colleagues if the crisis lasts longer than 6 or 8 hours
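Added example (not part of the presentation and not Bundesbank code): a small Python model of the alerting rules above. It encodes five substitutes per function, the rule that a substitute only counts if reachable and able to reach the CM rooms within one hour, the order "secretariat first, then the CMT", and relief of a representative once the crisis has lasted longer than the threshold (the slide says 6 or 8 hours; 6 is assumed here). The function names, the roster, its names, reachability flags and travel times are all constructed for the example.

```python
"""Model of the CMT alerting / substitute call-down described on the slides.

Constructed example, not Bundesbank code. Rules taken from the slides:
  - each CMT function has (at least) five substitutes, called in order;
  - a substitute only staffs the function if reachable and able to reach
    the CM rooms within one hour;
  - the secretariat is alerted first, the CMT functions afterwards;
  - representatives not currently in the CMT may relieve their colleagues
    once the crisis has lasted longer than 6 or 8 hours (6 assumed here).
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

MAX_TRAVEL_MINUTES = 60        # must reach the CM rooms within one hour
SUBSTITUTES_PER_FUNCTION = 5   # "at least 5 substitutes per function"
RELIEF_AFTER_HOURS = 6         # slide: "6 or 8 hours"; 6 is an assumption
SECRETARIAT = "Head of Crisis Management Secretariat"


@dataclass(frozen=True)
class Substitute:
    name: str
    reachable: bool        # did the alerting call get through?
    travel_minutes: int    # time needed to reach the CM rooms

    def can_serve(self) -> bool:
        return self.reachable and self.travel_minutes <= MAX_TRAVEL_MINUTES


# Constructed roster: function -> ordered list of substitutes (call-down order).
ROSTER: Dict[str, List[Substitute]] = {
    "Head of CMT": [
        Substitute("Board member A", True, 20),
        Substitute("Board member B", True, 25),
        Substitute("Board member C", False, 10),
        Substitute("Board member D", True, 90),
        Substitute("Board member E", True, 40),
    ],
    SECRETARIAT: [
        Substitute("Secretariat 1", False, 15),   # call does not get through
        Substitute("Secretariat 2", True, 75),    # too far from the CM rooms
        Substitute("Secretariat 3", True, 30),
        Substitute("Secretariat 4", True, 35),
        Substitute("Secretariat 5", True, 50),
    ],
    "Head of IT": [                               # nobody usable: a gap an alert exercise should reveal
        Substitute("IT 1", False, 20),
        Substitute("IT 2", False, 20),
        Substitute("IT 3", True, 120),
        Substitute("IT 4", False, 30),
        Substitute("IT 5", True, 95),
    ],
}


def alert_order(roster: Dict[str, List[Substitute]]) -> List[str]:
    """Secretariat first, then the CMT functions in roster order."""
    return [SECRETARIAT] + [f for f in roster if f != SECRETARIAT]


def check_roster(roster: Dict[str, List[Substitute]]) -> List[str]:
    """Functions that do not carry the required number of substitutes."""
    return [f for f, subs in roster.items() if len(subs) < SUBSTITUTES_PER_FUNCTION]


def call_down(subs: List[Substitute], skip: Iterable[str] = ()) -> Optional[Substitute]:
    """First substitute (in call-down order) who is reachable and within one hour; None if nobody is."""
    skipped = set(skip)
    for sub in subs:
        if sub.name not in skipped and sub.can_serve():
            return sub
    return None


def staff_cmt(roster: Dict[str, List[Substitute]]) -> Dict[str, Optional[str]]:
    """Function -> name of the representative who staffs it (None if unfilled), in alert order."""
    staffing: Dict[str, Optional[str]] = {}
    for function in alert_order(roster):
        sub = call_down(roster[function])
        staffing[function] = sub.name if sub else None
    return staffing


def relief_plan(roster: Dict[str, List[Substitute]], staffing: Dict[str, Optional[str]],
                hours_elapsed: float) -> Dict[str, str]:
    """After the relief threshold, the next usable substitute not currently in the CMT relieves the current one."""
    if hours_elapsed <= RELIEF_AFTER_HOURS:
        return {}
    plan: Dict[str, str] = {}
    for function, current in staffing.items():
        if current is None:
            continue
        relief = call_down(roster[function], skip={current})
        if relief is not None:
            plan[function] = relief.name
    return plan


if __name__ == "__main__":
    staffed = staff_cmt(ROSTER)
    print("alert order:", alert_order(ROSTER))
    print("staffing:", staffed)
    print("unfilled:", [f for f, who in staffed.items() if who is None])
    print("relief after 7 h:", relief_plan(ROSTER, staffed, 7))
```

Running the block lists the alert order, who staffs each function after the call-down, which functions stay unfilled (here "Head of IT", the kind of weakness the regular alert exercises on the later slides are meant to reveal), and who relieves whom once the threshold is passed.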
Crisis communication I
❙ In a crisis the Bundesbank communicates with the media, the staff and their related parties
❙ The aims of crisis communication are
→ satisfaction of the general public’s right to information
→ strengthening credibility, confidence and acceptance
→ preventing damaging rumours and speculation
→ Crisis communication concept by the PR department
Crisis communication II
❙ Crisis communication should be proactive to positively influence public opinion and to avoid being forced onto the defensive.
❙ Speak with “one voice” → avoid dissent
❙ The head of the CMT is responsible for crisis communication, but one representative of the communication department sits in the CMT
Exercises / Incidents in the past I
❙ Sept 07 Exercise: bomb explosion in Bundesbank buildings
❙ Nov 07 Exercise: LÜKEX – worldwide influenza pandemic
❙ Oct 08 Incident: financial crisis
❙ Oct 08 Incident: coin contamination (ill staff)
❙ Mar 09 Exercise: alert exercise
❙ May 09 Exercise: Mainz – coffee contamination (death of staff)
❙ Aug 09 Incident: pandemic
❙ Oct 09 Exercise: Hannover – hostage taking in a branch
❙ Jan 10 Exercise: LÜKEX – worldwide threat by Islamic terrorism
❙ May 10 Exercise: München – mass demonstration with conflicts
❙ May 10 Incident: short power outage in a branch
❙ Sept 10 Incident: one-day IT breakdown
❙ Oct 10 Exercise: Düsseldorf – flood water and accident of a BBK cash transport
❙ March 11 Incident: earthquake in Japan – representation closed
❙ April 11 Exercise: Berlin – offices for another ministry, leak of personal data
Exercises / Incidents in the past II
❙ Sept 11 Exercise: Frankfurt – air conditioning system fell onto the building
❙ Aug 11 Incident: hurricane warning NY
❙ Sept 11 Incident: DDoS attack on the Bundesbank website
Reasons for regular exercises
✔ Apply the existing CM structures and procedures
✔ Train CM team work using the available means
✔ Train the alert system
✔ Check the crisis communications
✔ Sensitise the CM team members
✔ Identify weaknesses of the CM concept
Operational Risk Management
Christoph Stute, Guatemala, 28 – 29 March 2012
Definition - Bundesbank’s methodology of ORM, crisis management and BCM
Operational Risk Management
• ORM is the overall process for early identification, handling and monitoring of risks
• ORM includes business risks and OR
• ORM gives an overview of all risks and helps to decide which risks are acceptable and which are not (risk tolerance / risk appetite)
• ORM has preventive character
• Focus: risks emerging from conducting the business
Crisis Management
• CM is the ability of an organisation to respond to any crisis situation in a predefined way
• CM includes a “tool box” with organisational and technical utilities to support management (BCP is one of these “tools”)
• CM has mainly reactive character
Business Continuity Management
• BCM identifies potential threats to an organisation and the impacts on its most critical functions
• BCM puts an organisation in a position to manage permanent continuity or adequate recovery of critical functions in the event of crisis situations in a predefined way.
• BCM has mainly reactive character; Focus: risks that endanger the object of a company
operational risk management
Definition – Risk Management
❙ Risk management is a logical and systematic method of identifying, analysing, treating and monitoring risks.
Risk management system
Early identification of risks → Identification of risks → Evaluation of risks → Communication of risks → Handling of risks → Monitoring of risks
Supported by: Controls; Internal audit
Definitions
Risk = adverse variance from a reference figure
Operational Risk = the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events
Transversal Risk = risk which can occur cross-functionally and affect several business areas
Definitions
❙ Transversal Risks – some examples:
❙ risks related to corruption
❙ risks related to compliance
❙ risks related to data protection
❙ risks related to general / physical security
❙ risks related to money laundering
❙ risks related to IT
❙ risks related to employees
❙ risks related to media / public relations
❙ …
Definitions
Inherent Risk = risk situation without taking any treatment measures into consideration
Residual Risk = risk situation considering implemented treatment measures
Factors of influence to review the RM set-up
❙ financial impact, reputational impact, damage to persons
❙ legal background
❙ by example: crisis 2004
❙ recommendations of internal & external auditors
The Framework
Contents
❙ Aims and structure of the framework
❙ Legal background
❙ Definitions
❙ Aims and functions of risk management
❙ Risk culture
❙ Expertise and responsibilities
❙ Risk structure
❙ Risk management process: early identification of risks, identification of risks, risk evaluation, communication of risks, handling of risks, monitoring of risks
• Implementation after the approval by the board in March 2006
• Published to the staff via intranet
Governance structure of the Bundesbank
❙ Internal audit
❙ IT Department
❙ ERM Office; Security and Crisis Management
❙ Office for Risk Control
Governance structure of the Bundesbank – Responsibilities
❙ The Executive Board
❙ has the overall responsibility for the management of risks
❙ is basically responsible for decision making
❙ approves a risk tolerance policy and residual risks in a specific risk zone
❙ is the receiver of aggregated risk reports
Governance structure of the Bundesbank
❙ Business areas
❙ are responsible for the operational risk management according to their tasks across the whole Bundesbank (decentralisation)
❙ The heads of departments are responsible for the identification, assessment and mitigation of their own risks.
❙ They have an informal relationship with the risk management office.
❙ In some areas, such as the risk management of foreign reserves and other portfolios, IT security and general security, related tasks are performed by central work units.
Governance structure of the Bundesbank – Office for Risk Control
Area V: Department Financial Stability; Department …; Office for Risk Control
❙ This unit deals with market risks such as currency risks, interest rate risks, counterparty risks and liquidity risks. It is responsible for the risk management of foreign reserves and other portfolios.
Governance structure of the Bundesbank – IT Security Management
Area VI: Department Information Technology; Department …
❙ Supports the board and the business areas in questions concerning IT security and is responsible for the design and maintenance of firewalls, evaluation of information from the proxy server, and the maintenance and enhancement of IT security concepts.
Governance structure of the Bundesbank – Division Organisation
Area III: Department Controlling, Accounting and Organisation; Department …
Division Organisation: ERM Office; Security and Crisis Management
❙ The Division Organisation is part of the Department Controlling, Accounting and Organisation.
Governance structure of the Bundesbank – ERM Office
Division Organisation – ERM Office
❙ In the context of risk management, the ERM Office is responsible for the maintenance and enhancement of the risk management framework, the methodology, documentation and coordination.
In that context
❙ reports of the business areas are summarised,
❙ results of risk assessments are checked and
❙ analyses conducted, as well as
❙ an annual report drawn up.
Governance structure of the Bundesbank – C 35: Security and Crisis Management
Division Organisation – C 35: Security and Crisis Management
❙ Topic centre for questions concerning general security
❙ Design and maintenance of the security framework
❙ Business Continuity Planning, Crisis Management
Governance structure of the Bundesbank – Internal Audit
Area II: Department …; Department Audit
❙ The Internal Audit is directly responsible to one of the board members of the Deutsche Bundesbank. It is an independent entity, not being involved in the working processes.
Risk structure
Loss categories: Financial loss; Reputational loss; Damage to persons
Business Risks: Currency Risks; Interest Rate Risks; Liquidity Risks; Counterparty Risks; Gold price Risks
Operational Risks:
❙ Employee Risks: Human Failures; Incorrect Conduct; Misallocation of Staff; Inadequate Qualification of Staff
❙ Technical Risks: Primary IT Risks; Maintenance Risks; Critical Infrastructure
❙ External Risks: Natural Risks; Negative Press Coverage; Dependencies on Third Parties; Legal Risks; General Security Risks
Risk Management Process 1. Identification of risks
❙ Task of business areas
❙ Identification should be output oriented with regard to the underlying task
❙ Root causes have also to be identified and documented
❙ Helpful information could be gathered from:
❙ Audit reports (internal as well as external)
❙ Test reports (IT systems)
❙ Incident databases
❙ …
Risk Management Process 2. Risk Assessment
❙ As a basic principle, a risk at the Deutsche Bundesbank can result in the following three categories of losses:
• Financial loss
• Damage to persons
• Reputational loss
❙ Each of these categories is evaluated for each risk, partly in a qualitative and partly in a quantitative way
Risk(Event) = Probability of loss occurring(Event) × Impact(Event)
Risk assessment – grading scales
Risk likelihood grading scale (likelihood level – criteria: frequency of loss events)
5 - Almost certain: every year or more
4 - Likely: once every 1-2 years
3 - Possible: once every 2-5 years
2 - Unlikely: once every 5-10 years
1 - Rare: less than once every 10 years
If no observable events: qualitative criteria (fraud and attack oriented), graded from level 5 down to level 1:
Motivation: personal gain … … … attracting attention (“making a point”)
Skills & knowledge: basic skills sufficient, knowledge not necessary … … … …
Collaboration: … … … … …
Traceability: … … … … …
Time and cost: <1 day, < EUR 100 … … … > 1 year, > EUR 100 000
Risk assessment – grading scales
Impact – financial impact (level: definition)
Very high: 10.000.001 € – 25.000.000 €*
high: 1.000.001 € – 10.000.000 €
medium: 100.001 € – 1.000.000 €
low: 10.001 € – 100.000 €
negligible: 1 € – 10.000 €
Impact – personal injuries (level: definition)
Very high: numerous deaths
high: individual deaths
medium: life-threatening injuries
low: major injuries
negligible: minor injuries
Risk assessment – grading scales
Impact – reputational impact (level: definition)
Very high: The occurrence of an event can endanger the Bank's security for a lengthy period or cause critical damage to its interests. Examples: criminal proceedings against individual members of the Bundesbank's governing bodies, …
high: The occurrence of an event can endanger the Bank's security or cause major damage to its interests. Examples: …
medium
low
negligible: The occurrence of an event can be of disadvantage to the Bank's interests. Examples: …
Risk tolerance policy
Matrix of likelihood of loss occurring (rare, unlikely, possible, likely, almost certain) against impact on overall loss (negligible, low, medium, high, very high); the zone assignment is shown only graphically on the slide.
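Added example (not part of the presentation and not Bundesbank code): the assessment Risk(Event) = Probability of loss occurring(Event) × Impact(Event) carried through in Python with the grading scales above. The likelihood levels from the loss-event frequency scale and the financial and personal-injury impact levels are taken from the slides. Everything else is an assumption of this example: the reputational level is passed in directly as 1–5 (the slide gives only textual definitions), the event's impact level is the highest of the three loss categories, the product of the two levels gives a score of 1–25, losses above the 25,000,000 € cap and below 1 € are graded as "very high" and "none" respectively, and the tolerance zones are constructed thresholds because the slide shows the tolerance matrix only graphically.

```python
"""Risk = likelihood x impact with the grading scales from the slides.

Constructed example, not Bundesbank code. Scale boundaries come from the
slides; the aggregation rule (highest category), the 1-25 score and the
tolerance-zone thresholds are assumptions of this example.
"""
from typing import Dict, Optional

LIKELIHOOD_LABEL = {5: "almost certain", 4: "likely", 3: "possible", 2: "unlikely", 1: "rare"}
IMPACT_LABEL = {5: "very high", 4: "high", 3: "medium", 2: "low", 1: "negligible", 0: "none"}

# Financial impact bands (lower bound in EUR -> level), highest first.
# The slide caps "very high" at 25,000,000 EUR*; larger losses are graded 5 here (assumption).
FINANCIAL_BANDS = [(10_000_001, 5), (1_000_001, 4), (100_001, 3), (10_001, 2), (1, 1)]

# Personal injuries scale from the slide.
PERSONAL_INJURY = {
    "numerous deaths": 5, "individual deaths": 4, "life-threatening injuries": 3,
    "major injuries": 2, "minor injuries": 1,
}


def likelihood_level(events_per_year: float) -> int:
    """Frequency-of-loss-events scale: 5 = every year or more ... 1 = less than once every 10 years."""
    if events_per_year <= 0:
        return 1                       # no observed events: graded rare here (assumption)
    if events_per_year >= 1:
        return 5
    interval = 1.0 / events_per_year   # years between loss events
    if interval <= 2:
        return 4
    if interval <= 5:
        return 3
    if interval <= 10:
        return 2
    return 1


def financial_level(loss_eur: float) -> int:
    """Financial impact level from the EUR bands on the slide; 0 if below 1 EUR (assumption)."""
    for lower, level in FINANCIAL_BANDS:
        if loss_eur >= lower:
            return level
    return 0


def injury_level(description: Optional[str]) -> int:
    """Personal-injury impact level; None means nobody was hurt (assumption: level 0)."""
    if description is None:
        return 0
    return PERSONAL_INJURY[description.lower()]


def tolerance_zone(score: int) -> str:
    """Constructed zones over the 1-25 score (the slide shows the matrix only graphically)."""
    if score >= 15:
        return "board decision required"
    if score >= 6:
        return "tolerated with mitigation"
    return "tolerated"


def assess(events_per_year: float, loss_eur: float,
           injuries: Optional[str] = None, reputational: int = 0) -> Dict[str, object]:
    """Grade one risk event: likelihood level x highest impact level over the three loss categories."""
    if not 0 <= reputational <= 5:
        raise ValueError("reputational impact must be a level 0-5")
    likelihood = likelihood_level(events_per_year)
    by_category = {
        "financial": financial_level(loss_eur),
        "personal": injury_level(injuries),
        "reputational": reputational,
    }
    impact = max(by_category.values())     # assumption: worst category drives the event's impact
    score = likelihood * impact
    return {
        "likelihood": likelihood, "likelihood_label": LIKELIHOOD_LABEL[likelihood],
        "impact": impact, "impact_label": IMPACT_LABEL[impact],
        "impact_by_category": by_category, "score": score, "zone": tolerance_zone(score),
    }


if __name__ == "__main__":
    # Constructed event: an IT breakdown roughly every four years, 500 000 EUR loss,
    # nobody hurt, reputational impact graded "medium" (3).
    print(assess(events_per_year=0.25, loss_eur=500_000, injuries=None, reputational=3))
```

The example generalises the single formula on the slide to all three loss categories at once; the returned `impact_by_category` shows which category drove the grade, which is the figure a business area would have to justify in its annual risk report.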
Risk Management Process 3. Risk Treatment
❙ Policy of risk avoidance and risk limitation while implementing preventive measures
❙ Principles, e.g.:
❙ Principle of hierarchy
❙ Editorial principle (use a second set of eyes)
❙ Principle of separation of functions
❙ Principle that tasks, competences and responsibilities should be located within the same entity
❙ …
Risk treatment flow
Actual risk position → Risk and threat analysis → Concept of measures (risk avoidance, preventive measures) → Approval of the Executive Board → Residual risk
• Usually there is no risk transfer
• Insurances are only used in law-driven issues
Risk Management Process 4. Communication of risks
Risk reporting within the business areas
❙ Report within business area (hierarchy)
❙ Notification of loss
❙ Security-relevant matters
❙ Compliance, money laundering, corruption
❙ Major projects
❙ ...
Centralised risk reporting
❙ Centralised annual risk report
❙ Periodical reports (e.g. daily report of market risks)
❙ Ad-hoc reporting if necessary
Centralised annual risk report
❙ Annual risk report according to our risk management framework
❙ The business areas have to examine their risk assessment.
❙ The results are aggregated by the ERM Office.
❙ Report to the board and feedback to the business areas
❙ The board has to decide whether additional mitigation measures should be taken or not.
RMS at the Bundesbank – Structure of the ORM template (screenshot of the template; not reproduced in the transcript)
Risk Management Process 5. Monitoring of risks
❙ Monitoring is part of the internal supervision by the head of each unit
❙ Responsibility of business areas
❙ No formal KRIs in place
❙ No centralised monitoring
Thank you for your attention!