Key Risk Indicators - Operational Risk

8m ago
926.32 KB
41 Pages

Institute of Operational RiskOperational Risk Sound Practice GuidanceKey Risk IndicatorsNovember 2010

Key Risk IndicatorsInstitute of Operational Risk – Sound Practice GuidanceThe Institute of Operational Risk Sound Practice GuidanceThe Institute of Operational Risk (IOR) recognises that there is no one size fits all approach to themanagement of operational risk. However by drawing on the experience of practising riskprofessionals it is possible to identify examples of good practice described in this paper. Equally it ishoped that these guidance papers will facilitate a shared understanding of key operational riskconcepts amongst risk management professionals, regulators and academics, thus contributingtowards the further development of the discipline of operational risk.This is one of a series of Sound Practice Guidance papers being produced by the IOR with thefollowing objectives: Providing information on the practicalities and know-how necessary in order to implementthe techniques that support a robust operational risk management framework; Empowering operational risk professionals to demonstrate the value of operational riskmanagement to senior management in a practical rather than theoretical manner; Capturing the real experience of practising risk professionals, including the challengesinvolved in developing operational risk management frameworks.This paper is available from the Institute’s website at If you have comments orsuggestions on this paper please contact us on [email protected] Institute of Operational RiskThe Institute of Operational Risk was created in January 2004 as a professional body whose aim is toestablish and maintain standards of professional competency in the discipline of Operational RiskManagement. It is an independent, not for profit, professional body designed to support its members.The stated mission of the Institute is to promote the development and discipline of Operational Riskand to foster and maintain investigations and research into the best means and methods of developingand applying the discipline and to encourage, increase, disseminate and promote knowledge,education and training and the exchange of information and ideas.Copyright 2010 Institute of Operational Risk2

Key Risk IndicatorsInstitute of Operational Risk – Sound Practice Guidance1.Introduction . 12.Definitions. Indicators . 12.2.Control Effectiveness Indicators . 22.3.Performance Indicators . 22.4.Indicators generically . 22.5.‘Key’ Indicators . 2Role and Purpose: Using Risk Indicators. 33.1.Indicators and Risk Monitoring . 33.2.Using Indicators to Support Operational Risk Assessments . 33.3.Indicators, Risk Appetite and Governance. 43.4.Performance Management and Strategic Management. 43.5.Regulation and Capital Assessments . 4Selecting Risk Indicators . Desirable Characteristics of Risk Indicators . 54.1.1.Relevance . 54.1.2.Measurable . 64.1.3.Predictive . 64.1.4.Easy to Monitor. 74.1.5.Auditable . 84.1.6.Comparability . 84.2.The Selection Process – Top-Down versus Bottom-Up . 84.3.How Many Indicators are Enough? . 94.4.Composite or Index Indicators . 9Thresholds, Limits and Escalation Triggers. 105.1.Thresholds and Limits. 105.2.Specialised Thresholds. 115.3.Escalation Triggers . 12Managing Risk Indicators . 126.1.Starting Off . 126.2.Adding or Changing Indicators . 126.3.Indicator Dimensions and “Buckets” . 136.4.Changing Thresholds and Limits . 146.5.Data Collection and Management . 146.6.Taking Action to Resolve Unacceptable Indicators . 14Reporting. 147.1.To Whom? Levels of Reporting. 14Copyright 2010 Institute of Operational Risk3

Key Risk Indicators8.Institute of Operational Risk – Sound Practice Guidance7.2.Frequency of Reporting . 167.3.Presenting Risk Indicators . 167.4.Prioritising Risk Indicators . 177.4.1Size . 177.4.2Trends . 187.4.3.Dependencies between Indicators . 18Appendices . 208.1.Common Categories of Risk Indicator for All Major Industry Sectors . 208.2.Specific Sample Indicators for Financial Institutions . 228.2.1.Agency Services. 228.2.2.Asset Management . 238.2.3.Commercial Banking . 248.2.4.Corporate Finance . 248.2.5.Payments and Settlements . 258.2.6.Retail Banking . 258.2.7.Retail Brokerage . 268.2.8.Trading and Sales . 278.2.9.Corporate Services . 288.2.10.Insurance . 298.3.Example Documentation . 308.4.Example Report for Management . 338.5.Example Report for Board . 358.6.Composite Indicators . 368.7.Web Resources. 37Title: Key Risk IndicatorsFile name: IOR KRI Guidance Nov 2010Copyright 2010 Institute of Operational RiskDate issued: 2nd Nov 2010Version: 1Update date: n/a4

Key Risk IndicatorsInstitute of Operational Risk – Sound Practice Guidance1. IntroductionRisk indicators are an important tool within operational risk management, facilitating the monitoringand control of risk. In so doing they may be used to support a range of operational risk managementactivities and processes, including: risk identification; risk and control assessments; and theimplementation of effective risk appetite, risk management and governance frameworks (see IORGuidance on Risk Appetite and Risk Governance).Despite their usefulness relatively little guidance exists on how to use risk indicators in an effectivemanner. Moreover it is an area that has proven to be particularly challenging for many organisations.Hence there is a need for further guidance in this area.What follows is the IOR’s perspective on current sound practices in relation to the use of riskindicators to support the management of operational risk. In so doing, this guidance covers the roleand purpose of risk indicators, the elements of an effective risk indicator framework and someimportant practical considerations relating to the use of such frameworks within an operational riskmanagement context.2. DefinitionsIndicators are metrics used to monitor identified risk exposures over time. Therefore any piece of datathat can perform this function may be considered a risk indicator. The indicator becomes ‘key’ whenit tracks an especially important risk exposure (a key risk), or it does so especially well (a keyindicator), or ideally both.More specifically a metric may be considered to be a risk indicator when it can be used to measure: The quantum (amount) of exposure to a given risk or set of risks.The effectiveness of any controls that have been implemented to reduce or mitigate a givenrisk exposure.How well we are managing our risk exposures (the performance of our risk managementframework).Expressed slightly differently, this implies that an organisation will typically make use of threedifferent types of indicator: risk (exposure) indicators, control effectiveness indicators andperformance indicators.2.1.Risk IndicatorsIn an operational risk context a risk indicator (commonly known as a key risk indicator or KRI) is ametric that provides information on the level of exposure to a given operational risk which theorganisation has at a particular point in time. In order to provide such information the risk indicatorhas to have an explicit relationship to the specific risk whose exposure it represents. For example, takethe number of customer complaints, which is likely to be linked to the risk of process errors – ascustomer complaints increase, the probability that there are some underlying and potentially systemicmistakes and errors of judgement being made is likely to rise. In other words, there is a rationale forthinking that changes in the value of this indicator are likely to be associated with changes inoperational risk exposure or operational loss experience.Further examples of risk indicators include staff turnover (which may be linked to risks such as fraud,staff shortages and process errors), the number of data capture errors (process errors) and the numberof viru