|
Operational Risk Governance
103
Enterprise
risk
Market risk
Credit risk
Operational
risk
Infor
m
ation
security
Legal &
co
m
pliance
Fraud
F I G U R E 9 . 2
Operational risk sets the framework for all non-financial risks
Market risk
Credit risk
Operational
risk
Infor
m
ation
security
Legal &
co
m
pliance
Fraud
Enterprise
risk
F I G U R E 9 . 3
Specialized risk types all equally coordinated by the risk committee
certain tasks or processes. This documentation constitutes the core of a company’s
governance structure, attributing roles and responsibilities to the different parties.
Policies and procedures are important as long as they are lived in the company;
they should apply in daily practices and be meaningful. Policies should reflect business
realities. This is the best way to embed them in a company and they can then evolve
gradually to complement the business, unless new activities or new processes require
a fresh start.
Who likes reading policies? Who likes writing them? Let’s be honest, policies
and procedures are often the poor parent of a risk management framework and are
often painful to write and even more so to read. They do not need to be. Specialist
teams and skilled technical writers can create short, well-crafted and clearly presented
documentation that can serve as a useful guide. It is a sensible investment for firms that
can afford external help. Communicating policies is another challenge. Embedding
a policy does not mean posting it on the intranet; it requires proper communication,
in focus groups, through face-to-face sessions and tests or exercises, and it must be
appropriate for the topic and the specific risk.
Policies, procedures and other guidelines are a form of internal controls, known
as directive controls. The next chapter is dedicated to internal controls.
CHAPTER
10
Risk Mitigation
D E F I N I T I O N S
In the International Organization for Standardization (ISO) vocabulary, risk mitiga-
tion is defined by the four Ts: Tolerate, Treat, Transfer, Terminate. Tolerate means
accepting the risk as it is. Treat refers to internal controls, aimed at reducing either
the likelihood or the impact of a risk (or both); it is the most common form of risk
mitigation. Transfer means to move the consequence – or the causes – of a risk to
another party, typically an insurer or a third-party supplier. Terminate means to remove
risk exposure altogether, when none of the other options is acceptable. This chapter
concentrates on the two most common mitigation solutions: internal controls and risk
transfers.
T Y P E S O F C O N T R O L S
There are many different classifications for controls. Given my background in internal
audit, I tend to adopt the following simple classification used by the Institute of Internal
Auditors (IIA):
1
preventive, detective, corrective and directive controls.
The aim of preventive controls is obviously to reduce the likelihood of an event
happening. The controls are executed before possible events and address their causes.
A car seat belt is an example of a preventive control in everyday life, while the seg-
regation of duties, where different people are in charge of initiating, approving and
settling a transaction, is probably the most common and effective preventive control
for internal fraud.
Detective controls take place during or just after an event and, thanks to early
detection, can reduce the impact. An example is a smoke detector, which will alert
1
For further references, please refer to the note “Control” from the Chartered Institute of Internal
Auditors, 31 August 2017.
105
Operational Risk Management: Best Practices in the Financial Services Industry, First Edition.
Ariane Chapelle.
© 2019 John Wiley & Sons Ltd. Published 2019 by John Wiley & Sons Ltd.
106
RISK MITIGATION
you to a fire. Detective controls can become preventive if they detect a cause of an
event. File reconciliations, for instance, which detect gaps, can be considered either
as a detective control if the error is already made and recorded, or as a preventive
control if it allows the detection and correction of an error before a transaction is
executed.
Corrective controls take place after the incident, to mitigate net impacts. Redun-
dancies, backups, continuity plans and crisis communication strategies are all part of
corrective controls that firms use to mitigate the consequences of unexpected events
and accidents. Backing up data will not prevent a server from crashing, but it will sig-
nificantly reduce the pain should it happen. Similarly, to take an example from everyday
life, a car airbag will not prevent an accident from happening but it will limit the damage
if one occurs.
Lastly, directive controls cover all the required actions and rules to execute a pro-
cess: policies and procedures, training and guidance, governance structure, roles and
responsibilities. Figure 10.1 lists some of the most common examples of the various
control types.
Another important feature of internal controls is key versus non-key or, to use
vocabulary from internal audit, primary controls versus secondary controls. A key
control is sufficient to prevent the risk on its own. In contrast, non-key or secondary
controls are present to reinforce or to complement key controls, but they are unable to
prevent a risk on their own.
Preventive controls
• Segregation of duties
• Access controls (digital or physical)
• Levels of authorization
Detective controls
• Exception reports
• File reconciliations
• S
m
oke detector
• Intrusion detection syste
m
s
Directive controls
• Procedures and guidance
m
anuals
• Induction training
• Tea
m
supervision
Corrective controls
• Co
m
plaints handling process
• Co
mm
unications and co
m
pensations to affected parties
• Backups and syste
m
s redudancies
F I G U R E 1 0 . 1
Types of controls and examples
Do'stlaringiz bilan baham: |
