You have joined the Operational Resilience workshop being hosted by RiskSpotlight. The session will start at 1pm UK time.
Co-Founder and CRO @ RiskSpotlight (last 7 years)
• Passionate about utilising risk management as a management tool to define and execute business strategy
• Part of UK delegation for revision of the ISO 31000 standard
• Member of the IOR project team for developing and rolling out Certificate of Operational Risk Management (CORM)
• Designed world’s first forward-looking operational risk content service “RiskSpotlight Portal”. Utilised by over 100 financial services firms for horizon scanning and monitoring emerging operational risk topics.
• Trained 1,000+ operational risk professionals through classroom and online courses
LinkedIn: www.linkedin.com/in/manojkulwal
[Figure: six firms, each subject to stressors, placed along an axis labelled "Level of Resilience" running from Low to High. Panel labels:]
• Firm on track to achieve business strategy
• Firm faces strategic & operational issues and incidents in some areas
• Firm faces significant crisis in key parts of the business
• Firm faces existential crisis
• Firm can quickly recover from the crisis
• Firm requires a long time to recover from the crisis or is unable to recover
[Diagram: Value Creation. Labels: Strategic Objectives; Investments/Capital; Processes/Activities; People; Tangible Assets; Intangible Assets; Targeted Strategic Objectives; Risk Exposures; Compliance Boundaries]
Resilience is an outcome of making right business decisions, successfully executing these and managing risks.
[Diagram: Value Creation. Labels: Strategic Objectives; Investments/Capital; Processes/Activities; People; Tangible Assets; Intangible Assets; Targeted Strategic Objectives; Risk Exposures; Compliance Boundaries]
Value Creation
Measures undertaken to create value that directly contributes to the strategic objectives. Examples include:
• Provide website for customers to purchase financial products
• Provide online banking website for customers to manage their funds
• Operate sales team to sell financial products to clients
Typically considered as similar to accelerators in cars.

Value Protection
Measures undertaken to ensure firm’s ability to create value in the long term is not affected. Examples include:
• Prevent criminals from using financial products for money laundering
• Prevent cyber criminals from gaining access to customer accounts
• Prevent sales team from mis-selling financial products to clients
Typically considered as similar to brakes in cars.

Winning cars require effective accelerators and brakes. Similarly, successful firms require an optimal balance of value creation and value protection. Only firms that can find the optimal balance will be successful in the long run.
Value Creation
Measures undertaken to create value that directly contributes to the strategic objectives. Examples include:
• Provide website for customers to purchase financial products
• Provide online banking website for customers to manage their funds
• Operate sales team to sell financial products to clients
Typically considered as similar to attackers in a football team.

Value Protection
Measures undertaken to ensure firm’s ability to create value in the long term is not affected. Examples include:
• Prevent criminals from using financial products for money laundering
• Prevent cyber criminals from gaining access to customer accounts
• Prevent sales team from mis-selling financial products to clients
Typically considered as similar to defenders & goalkeeper in a football team.

Winning teams require effective attackers and defenders. A team will be defeated even when its attackers score 20 goals if the opposite team scores 21 goals.
[Chart: level of investment in value creation measures versus level of investment in value protection measures, on a scale from 0% to 100%, for four firm types: Large national bank; Large global bank; New fintech firm; New challenger bank]
Inherent dilemma to allocate resources between value creation & value protection.
[Diagram: roles shown: Board; Senior Executives; Sales Team; Marketing Team; Product Team; Technology Team; Group Risk Team; Risk Committees; Audit Committees; Control Performers; Internal Auditors; Compliance Team; Information Security Team; BCM Team. Value Creation band: Strategic Objectives; Investments / Capital; Processes / Activities; People; Tangible Assets; Intangible Assets. Value Protection band: Investments / Capital; Processes / Activities; People; Tangible Assets; Intangible Assets; Compliance Boundaries]
Resilient
• Balanced focus on value creation and value protection
• Robust preventative controls to minimise disruption to key business activities
• Robust detective controls to facilitate early detection of disruption to key business activities
• Robust responsive controls to facilitate rapid recovery of disrupted business activities
• Lessons are learnt from failures in a structured manner and applied to continuously improve the level of resilience
• Periodic stress testing exercises conducted to evaluate resilience level under different extreme & plausible scenarios
• Focus on concentration risks and minimise these where possible
• Recognise that increasing efficiency can reduce the level of resilience
• Recognise that adequate capital/reserves should be allocated for dealing with an extreme crisis
• Recognise that complexity is a key driver of resilience. Complexity is managed in a structured manner.

Not Resilient (Fragile)
• Excessive focus on value creation at the cost of value protection
• Weaker preventative controls resulting in periodic disruption to key business activities
• Weaker detective controls resulting in delayed detection of disruption to key business activities
• Weaker responsive controls resulting in delayed recovery of disrupted business activities
• Lessons are not learnt from failures in a structured manner; same type of failures re-occur
• Stress tests are not conducted or scenarios are not extreme
• Little or no focus on concentration risks
• Excessive focus on increasing efficiency without adequate consideration of resilience
• Believe that allocating emergency capital/reserves is sub-optimal and attempt to minimise these to meet regulatory requirements
• Do not understand the relationship between complexity and resilience. No structured approach to manage complexity.
[Diagram: mapping of one business service to its components]
Products
• Current Account
• International Payments
Service = Make payment from UK account to an international account
Channels
• Channel 1 = Branch
• Channel 2 = Phone Banking
• Channel 3 = Online Banking
• Channel 4 = Mobile Banking
Processes
• Process 1 – Process international payments in branch
• Process 2 – Process international payments through phone banking
• Process 3 – Customer driven international payments processing (self-serve)
People
• Branch staff
• Call centre staff
IT Systems
• Branch computers & software
• Call centre computers & software
External IT System
• Industry Payment Processing System
IT System
• Core Banking System
Software
• SAP Core Banking Software
Server
• IBM Servers
Facility
• IBM Data Center, London
Third-parties
• SAP
• IBM
Third-parties
• Accenture
Business Services
• Customers mainly care about whether the service they require is available or not, irrespective of the issues a firm may be facing with the channels, systems, processes, people. Services provide an outside-in perspective enabling valuable insights on prioritising resource allocation decisions.
• Providing alternatives to services becomes a key driver of resilience. Services with alternatives will be considered more resilient than services without alternatives. Firms may need to create manual alternatives in some cases.
• Mapping services to key business components will highlight constraints / vulnerabilities / bottlenecks / dependencies
Business Services
1. Withdraw cash from account (e.g. non-bank ATM, ATM in bank branches, branch counter)
2. Open new current account (e.g. online banking, new account website, mobile banking, phone banking, bank branch)
3. Get access to bank account statements (e.g. online banking, mobile banking, phone banking, bank branch)
4. Setup standing order (e.g. online banking, mobile banking, phone banking, bank branch)
5. Make payments (e.g. online banking, mobile banking, phone banking, bank branch)
6. Deposit cheques (e.g. cheque deposit machines in branches, branch counter)
7. Report credit card fraud (e.g. dedicated credit card fraud hotline)
8. Apply for new credit cards (e.g. online banking, online new credit card website, phone banking, bank branch)
9. Close saving account (e.g. online banking, mobile banking, phone banking, bank branch)
10. Request new security key (e.g. bank branch)
Business Services
• Account operation services
  • Online banking service
    • Make payments
      • Make payments to international bank accounts
Selected granularity will drive the number of business services that need to be managed as part of operational resilience initiative.
FCA/PRA – “It should be clearly identifiable as a separate service and not a collection of services.”