
What is Operational Risk?


Academic year: 2021


Operational Risk Management

DeMPA Workshop with ECCB

St. Kitts & Nevis March 18-20, 2009

Debt Management Performance Assessment Tool (DeMPA)

What is Operational Risk?

Traditional View

• Market Risk: IR & FX

• Credit Risk

• Operational Risk: Everything Else

Basel II Definition: “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.”


Sources of Operational Risk

[Figure: Operational Risk in Execution, showing internal and external sources. Labels: People; Processes; Systems; Policies and Guidelines; Laws and Regulations; Fraudulent Activities; Natural Disasters/Terrorist Attacks]


Automated vs Manual Processes

• Automated Processes

PROS

– Reduce opportunities for human error

– Fast

– Less need for staff (free staff to do other things)

CONS

– Fewer opportunities for detective controls

– Heavy reliance on having right systems/system security

– Greater systemic risk


Systems

• Adequate and well functioning systems are at the core of a good control environment

• High level of dependence on spreadsheets outside of core systems introduces high level of risk

– Inability to trace and track the history of changes

– Restricting access to spreadsheets

• Selecting a Debt System: Develop in-house or purchase one off-the-shelf?


Systems Capacity Planning

– Hardware and software selection should be considered during growth projections

– Over/under utilization

– Scalability

People - Staffing Related Risks

• Staff person is unusually bad

– Mitigated by:

• Existence of clear written procedures

• Two-person sign-offs for important functions

• Mentoring and regular training

• Staff person is unusually good

– Key Person Risk: dependence and repository of institutional memory

– Mitigated by:

• Encouraging key people to record processes/past experiences in writing in accessible form

• Working in teams


People - Internal Fraud

• Internal Fraud

– Generally for direct financial gain (embezzlement) or to cover losses

• Nick Leeson – Barings Bank Case

– Other reasons – Royal Bank of Scotland Case:

• GBP 21 million fraud at Royal Bank of Scotland in 2006 – employee created 1,400 false accounts to be named “business manager of the year.”

• Defenses Against Internal Fraud

– Restricting access to information and systems to “need to know” staff

– Segregation of duties

– Requiring two-person sign-offs

– Proper audit trail

External Fraud

• External Fraud

– Access of systems/corruption of system by external parties: robbery, computer hacking

– Collusion of staff with external parties: bribery

– Fraud by dealers or other market intermediaries

• Defenses Against External Fraud

– Build adequate security and controls in the financial systems that interface with external vendors or counterparties

– Build awareness among staff of the importance of safeguarding the institutions' systems (no downloading of programs on external sites)


External Events

• Damage to Physical Assets

– Terrorism, Vandalism, Earthquakes, Fires, Hurricanes, Floods, etc

• Systems Failures

– Hardware and Software Failures, Telecommunication Problems

• May be Low Probability but Very High Severity Events

• Need Business Continuity Plans

– Alternative Work Sites

– Back-up Systems

World Bank HQ Position


Legal & Regulatory Environment

• Approval by Local Securities Regulator (“Registration”)

• On-going disclosure Requirements

Anti-Fraud Provisions

• Liability (penal/civil) for materially false statements or omissions

• Meaning: “information that would influence a reasonable investor’s decision to purchase or sell the security.”

• INTERNAL PROCEDURES ARE KEY


• Debt administration and data security (DPI 12)

• Segregation of duties, staff capacity, and business continuity (DPI 13)

Debt Administration and Data Security

[Figure: Dim1 and Dim2, levels C, B, A for the DeM Entity. Labels: Procedures manual for processing debt service; Procedures manual for debt recording and validation; Updated every 2 years; Payment Systems; Electronic Payment Orders; STP; Independent confirmation of data conducted annually; External Creditors; Major Investors]


Debt Administration and Data Security

[Figure: Dim3, levels C, B, A for the DeM Entity. Labels: Procedures for accessing debt and payment systems; Updated when staff changes occur; Audit Trails of System Access; Secure; Fireproof; Monthly data back-ups; Weekly data back-ups; Daily data back-ups]

Segregation of Duties, Staff Capacity, and Business Continuity

[Figure: Dim1, levels C, B, A for the DeM Entity. Labels: Negotiating and Contracting Staff; Data Entry and Checking Staff; Payment and Accounting Staff; Debt Recording System; Payments; Accounting; Creditors; Market; One compliance monitoring staff; Dedicated compliance monitoring staff; Risk Monitoring and Compliance Unit]


Segregation of Duties, Staff Capacity, and Business Continuity

[Figure: Dim2 and Dim3, levels C, B, A for the DeM Entity. Labels: Job descriptions; Training and development plans, plus yearly performance assessments; Code-of-conduct and conflict-of-interest guidelines; DR/BC plan; Recovery Site; Tested in past 3 years; Annual testing; Operational risk management procedures]

Thank you!

http://go.worldbank.org/4VX651FHB0

World Bank

ccc@worldbank.org
