Operational Risk Management
DeMPA Workshop with ECCB, St. Kitts & Nevis, March 18-20, 2009
Debt Management Performance Assessment Tool (DeMPA)
What is Operational Risk?
Traditional View
• Market Risk: IR & FX
• Credit Risk
• Operational Risk: Everything Else
Basel II Definition: “The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.”
Sources of Operational Risk
[Diagram: Operational Risk in Execution. Sources shown, grouped as Internal and External: People; Processes; Systems; Policies and Guidelines; Laws and Regulations; Fraudulent Activities; Natural Disasters/Terrorist Attacks]
Automated vs Manual Processes
• Automated Processes
PROS
– Reduce opportunities for human error
– Fast
– Less need for staff (free staff to do other things)
CONS
– Fewer opportunities for detective controls
– Heavy reliance on having right systems/system security
– Greater systemic risk
Systems
• Adequate and well functioning systems are at the core of a good control environment
• High level of dependence on spreadsheets outside of core systems introduces high level of risk
– Inability to trace and track the history of changes
– Restricting access to spreadsheets
• Selecting a Debt System: Develop in-house or purchase one off-the-shelf?
Systems Capacity Planning
– Hardware and software selection should be considered during growth projections
– Over/under utilization
– Scalability
People - Staffing Related Risks
• Staff person is unusually bad
– Mitigated by:
• Existence of clear written procedures
• Two-person sign-offs for important functions
• Mentoring and regular training
• Staff person is unusually good
– Key Person Risk: dependence and repository of institutional memory
– Mitigated by:
• Encouraging key people to record processes/past experiences in writing in accessible form
• Working in teams
People - Internal Fraud
• Internal Fraud
– Generally for direct financial gain (embezzlement) or to cover losses
• Nick Leeson – Barings Bank Case
– Other reasons – Royal Bank of Scotland Case:
• GBP 21 million fraud at Royal Bank of Scotland in 2006 – employee created 1,400 false accounts to be named “business manager of the year.”
• Defenses Against Internal Fraud
– Restricting access to information and systems to “need to know” staff
– Segregation of duties
– Requiring two-person sign-offs
– Proper audit trail
External Fraud
• External Fraud
– Access of systems/corruption of system by external parties: robbery, computer hacking
– Collusion of staff with external parties: bribery
– Fraud by dealers or other market intermediaries
• Defenses Against External Fraud
– Build adequate security and controls in the financial systems that interface with external vendors or counterparties
– Build awareness among staff of the importance of safeguarding the institution's systems (no downloading of programs on external sites)
External Events
• Damage to Physical Assets
– Terrorism, Vandalism, Earthquakes, Fires, Hurricanes, Floods, etc.
• Systems Failures
– Hardware and Software Failures, Telecommunication Problems
• May be Low Probability but Very High Severity Events
• Need Business Continuity Plans
– Alternative Work Sites
– Back-up Systems
World Bank HQ Position
Legal & Regulatory Environment
• Approval by Local Securities Regulator (“Registration”)
• On-going Disclosure Requirements
Anti-Fraud Provisions
• Liability (penal/civil) for materially false statements or omissions
• Meaning: “information that would influence a reasonable investor’s decision to purchase or sell the security.”
• INTERNAL PROCEDURES ARE KEY
• Debt administration and data security (DPI 12)
• Segregation of duties, staff capacity, and business continuity (DPI 13)
Debt Administration and Data Security
[Diagram: Dim1 and Dim2, scores C, B, A. Labels: DeM Entity; Procedures manual for processing debt service; Procedures manual for debt recording and validation; Updated every 2 years; Payment Systems; Electronic Payment Orders; STP; Independent confirmation of data conducted annually; External Creditors; Major Investors]
Debt Administration and Data Security
[Diagram: Dim3, scores C, B, A. Labels: DeM Entity; Procedures for accessing debt and payment systems; Updated when staff changes occur; Audit Trails of System Access; Monthly data back-ups; Weekly data back-ups; Daily data back-ups; Secure; Fireproof]
Segregation of Duties, Staff Capacity, and Business Continuity
[Diagram: Dim1, scores C, B, A. Labels: DeM Entity; Payment and Accounting Staff; Data Entry and Checking Staff; Negotiating and Contracting Staff; One compliance monitoring staff; Dedicated compliance monitoring staff; Risk Monitoring and Compliance Unit; Debt Recording System; Creditors; Market; Payments; Accounting]
Segregation of Duties, Staff Capacity, and Business Continuity
[Diagram: Dim2 and Dim3, scores C, B, A. Labels: DeM Entity; Job descriptions; Code-of-conduct and conflict-of-interest guidelines; Training and development plans, plus yearly performance assessments; Operational risk management procedures; DR/BC plan; Tested in past 3 years; Annual testing; Recovery Site]
Thank you!
http://go.worldbank.org/4VX651FHB0
World Bank
ccc@worldbank.org