INFORMATION AND OPERATIONAL RISK IMT 556 UW Winter

INFORMATION AND OPERATIONAL RISK IMT 556 – UW Winter Quarter 2015 University of Washington Week #4 Annie Searle

2 The risk continuum = impact x likelihood

3 Commonest Reasons for Not Mitigating the Risk
• We don’t have the time or money.
• We thought another department was working on it.
• We don’t have an ORM program in place.
• We’re waiting for regulatory guidance.
• The board of directors doesn’t understand the significance.
• Senior management wants to put off mitigation for another year, until after bonuses are paid.
• Are there more reasons?

4 The Role of Governance
• An effective governance structure must be implemented to:
  • Provide oversight of operational risk management and measurement.
  • Ensure an effective route for risk escalation.
  • Reflect the culture of the firm.
  • Be practical in nature.
[Diagram labels: Measurement and Modeling; Internal Loss Data; RCSA; External Loss Data; Scenario Analysis; Policies and Procedures; Culture and Awareness; Key Risk Indicators; Risk Appetite; Governance and Organization; Reporting]

5 Need the Risk Committees for policy
• Escalation and management of operational risk
• Structure
  • Utilize a board-created enterprise-level risk committee for overseeing all risks, to which a management level operational risk committee reports.
• Composition
  • Include a combination of members with expertise in business activities and financial as well as independent risk management.
• Operation
  • Appropriate frequencies with adequate time and resources to permit productive discussion and decision making.
  • Records of committee operations should be adequate to permit review and evaluation of committee effectiveness.
Source: 2011 Sound Practices

6 Using RACI Model for Clarity
• Responsible – those who do the work.
• Accountable – person or entity who approves work.
• Consult – all parties involved in the work.
• Inform – kept up to date or notified of results.
This model can be used on large projects or on the creation of new policies and procedures. It is an essential component of compliance. Auditors will make their own RACI if you do not have one.

7 8.2 Policy documentation hierarchy
• Laws
• Regulations
• Policies
• Standards
• Procedures
• Guidelines

8 OR Policy Sample
• Purpose
• Definition
• Objectives
• Supporting Documents
• Scope
• Governance
• Roles & Responsibilities
  • RACI comes in very handy in constructing this section
• Principles
  • Culture & Awareness
  • Loss Data Collection
  • RCSA
  • Scenario Analysis
  • KRIs
  • Measurement & Modeling
  • Reporting
  • Risk Appetite
• Approval

9 REAL WORLD
• Chapter 12, Wreck of the Edmund Fitzgerald (1975)
• Chapter 13, Mount St. Helens Eruption (1980)
• Chapter 14, South Canyon Fire (1994)

10 Edmund Fitzgerald Lessons: Profit vs safety and soundness (1975)
• Decision to defer minor repairs of hatch covers until the end of the season. Or failure to tighten hatch covers so that water seeped in with iron ore?
• Economic pressure to ship maximum amounts vs safety.
• Vessels only dry docked every five years.
• Poor communication.
• Poor design: short cuts on hull since not “ocean-going.”
• Weather forecasting by NWS.
• Arrogance of the captain?
• Lack of safety equipment.
• NTSB is the regulator. Maritime regulations changed after all 29 members of crew lost here.

11 Mount St. Helens Volcano (1980)
• Eruption reconfigured the region, along with landslides, mud flows and eruption cloud. 57 people dead.
• Scientists knew it was coming, but not its impact.
• Had not been an eruption since 1857, but scientists began to understand volcano could turn active in 1960s.
• 1978: report outlined exact hazards and called for more monitoring and emergency preparedness.
• 5.1 EQ on March 18, 1980 caused north side (“the cork”) to collapse. Spewed out side, but also vertical eruptions put ash into the air 15 miles up. Cut top of mountain by 1300 feet.
• Monitoring increased. This is still a live volcano, folks.

12 South Canyon Fire (1994)
• Initial flawed assessment? Or best possible for a remote and inaccessible location?
• Fire stayed on low priority list (July 2-4) because of other more dangerous fires in the area, but grew overnight on July 4 to 10 times its previous size.
• On July 6, fire intensified and changed direction several times with the help of strong winds, but original plan not really modified. As a result, 14 firefighters died.
• Firefighters lacked current information.
• Poor management structure for smokejumper crews.
• Safety routes and escape routes poorly set, if at all.

13 REAL WORLD TODAY
• Winter Storm Juno
• Chinese Regulations for Foreign Companies

14 Headlines Galore….
• “National Weather Service admits forecast error” (BBC)
• “Leaders in New York and New Jersey Defend Shutdown for a Blizzard That Wasn't” (NYTimes)
• Troubling gaffes:
  • NY Governor Forgets to Advise Mayor He is Shutting Down Subway
  • NYC Mayor: “food delivery bicycles are not emergency vehicles and thus are banned…”
  • NWS failure to emphasize uncertainty in the forecast

15 Chinese Government Requirements
• “The Chinese government has adopted new regulations requiring companies that sell computer equipment to Chinese banks to turn over secret source code, submit to invasive audits and build so-called back doors into hardware and software, according to a copy of the rules obtained by foreign technology companies that do billions of dollars’ worth of business in China.
• The new rules, laid out in a 22-page document approved at the end of last year, are the first in a series of policies expected to be unveiled in the coming months that Beijing says are intended to strengthen cybersecurity in critical Chinese industries. As copies have spread in the past month, the regulations have heightened concern among foreign companies that the authorities are trying to force them out of one of the largest and fastest-growing markets.” (NY Times)

16 QUESTIONS?
asearle@uw.edu
(206) 465-7849
@anniesearle
