Module four will cover Op risk management frameworks , and governance frameworks. First, we'll look at the development of an Op risk management framework in a typical organization. Op risk management starts with internal audit, and is primarily based on reactive measures to risk events. It focuses on safety, error avoidance, and a general aversion to risk. Once an organization decides to manage Op risk formally, it will create an Op risk unit that will be responsible for recommending proactive controls, and a framework, and a strategy for risk management. The Op risk unit will implement the framework by creating systems of self-assessments, collecting loss data, and organizing that data into a database that can be used by risk management, and business lines. The next stage in the evolution of the risk management framework is to develop key risk indicators, and analyzing business processes, and risks using scenario analysis , and operational reporting. This is also where the risk management function can create formal models that allow for the calculation of an operational value at risk., The final stage of the development of an Op risk framework is the firm-wide integration of the risk management system, and the implementation of risk capital allocation, and budgeting to manage the high-value risks with the highest potential losses. Op risk is then incorporated into a broader program of enterprise risk management. Overall, the goals of Op risk management are to understand the potential impact of operational risks, and the optimal level of control. Finally, risk-management allows enterprises to allocate budgets for risk reduction with a goal of improving business results, reducing risk, and improving product quality. The risk culture of an organization is a vital component of a risk management system. Risk culture includes integrity, and ethical values, management's operating philosophy, organizational structure, delegation of authority, and responsibility, human resource policies and practices, and staff competencies. All of this is driven by the Board of Directors and senior management, HR, and Op risk training, and awareness campaigns. Here's an example of a typical Op risk management framework. Infrastructure, and technology solutions are the foundation of operas management. As it support every part of the framework. The qualitative components of the framework include risk governance policies, risk culture, appetite, strategy, and objectives. Internal and external loss databases along with the risk, and control self-assessments, and scenario analysis, and key risk indicators support quantitative output of risk management, which includes measuring, and modeling operational risk, and reporting them to key stakeholders in the organization. In the past, Op risk was managed by effective techniques such as the four I's principle where no piece of business or process could be the responsibility of a single person. Separation of functions, allocation of responsibility, and limits, and internal controls reviewed by auditors. For Op risk to be successful, it must be fully embedded in the organization. The focus must be on prevention instead of correction of operational losses. The organization also needs to continually question its strategy, structure, systems safety, simplicity, and speed. Make sure that all employees are aware of the risk, and then a risk culture is promoted. Shown here is a chronological framework for the implementation of an Op risk management system. The first step is identification of operational risks, beginning with the creation of infrastructure, and database to collect internal, and external loss data. This allows the organization to describe potential losses, and consider preventive measures for high risk areas. The second step is creating risk assessments, and reporting mechanisms that involve all the business units, and use automated data gathering , and workflow technologies. The third step is risk measurement, which includes developing, and refining the modeling approach, creating Op risk data, and implementing advanced tools such as key risk indicators, scenario analysis, and business process analysis. The last step is the integration of Op risk exposure data into the management process. This includes managing exposures, and investing in automating processes. Here's an example of a complex Op risk management framework that shows the inputs of Op risk management, and Op risk measurement at each stage in the risk management process. There are four steps in the framework. First is identification of the risk. Second is assessment of inherent risks. Third is management of risks, leaving residual risks, and the fourth step is reporting risks. Op risk management starts by identifying the business environment, and internal control factors using our RCSA, and input from internal audit and key risk indicators. These are used to create a risk map and Scorecard before taking risk mitigating actions. After risk mitigating actions have been taken, a new risk map, and scorecard are created, and management must decide to accept the now identified residual or immeasurable risks, and report on the new level of residual risks. The Op risk measurement process begins by using data from internal losses, combined with data on external losses to create scenario analysis, and a database of potential losses. These are used to create loss frequency and severity distributions which are combined in a Monte Carlo simulation into a gross loss distribution. The gross loss distribution is just for loss mitigating actions recommended by the Op risk management to create a net residual loss distribution. This can then be used to calculate the amount of risk capital required. If the required risk capitalist greater than the available risk capital, then risk capital must be allocated to the business units that offer the highest returns on risk capital
