Operational Risk Scenario Analysis & Resilience
Madeline Betts & Lloyd Richards
28th June 2018
Introduction September 2021
Operational Risk
[Diagram: Operational Risk: People, Process, Systems, External Events]
Current Approaches to Scenario Analysis
Scenario Analysis
Operational scenario analysis is a tool used by businesses to identify, measure and manage the amount of Operational Risk the business is open to. This involves:
• understanding the scenarios that could lead to a significant loss, or could stop a business achieving its objectives
• reviewing and enhancing the activities a business undertakes to prevent or reduce their impact; and
• ensuring a business holds enough of a financial buffer to protect customers across a broad range of scenarios.
Challenges
• Risk running the process in isolation to the business
• Using the previous year's scenarios for ease rather than re-assessing
• Working back from the capital number already set
• Not using external benchmarking of event data
• Unconscious biases such as anchoring or overconfidence
• Only using internal data rather than using external benchmarking
• Trying to cover all risks rather than focusing on the most important
• Excessive focus on capital as mitigation
• 1/200 estimation impossible
Scenario Analysis at the 1/200 point
Data vs Judgement
[Figure: Reliance on Judgement vs Data. Vertical axis: Proportion (Data, Judgement). Horizontal axis: Estimation Point (Typical year, 1-in-5, 1-in-10, 1-in-20, 1-in-50, 1-in-100, 1-in-200, Worst Case).]
Capital is King
[Figure: Probability plotted against outcome, from LOSS to PROFIT, annotated "Hold Capital at 1/200".]
Refinements to Scenario Analysis
Focus on the choice of operational risks
[Diagram labels: Process, Cyber Attack, Conduct, Systems]
Focusing on the management of operational risks
• A lack of focus on the most material risks to strategic objectives can lead to a failure to see the “wood for the trees” in Operational Risk Management approaches.
• The company strategy should drive a view on where to focus operational risk analysis… to identify and take action on the most material risks to the company objectives.
Identification to Management
• Shifting the focus from Identification to proactive management
Re-engineering the Stress and Scenario Process
• Improved understanding of:
  - Operational risk exposure in areas in which the risk is being assessed
  - Processes and procedures in place to manage risks
  - Accountability of controls
  - Effectiveness of controls
  - Use of management actions
Introduce the control environment
• Improve understanding of the control environment
  – To implement an effective control testing process, concentrating on areas which are directly connected to the achievement of business objectives or identified as particularly critical for business resilience
• Improved understanding of:
  - Effectiveness of controls
  - Link to strategic objectives
  - Critical controls
Having the correct KRIs/KCIs
• Having the correct KRIs & KCIs in place to monitor the ongoing volatility of material risks
• Improved understanding of:
  – Critical KRIs
  – Critical Controls
  – Actions
  – Materiality
  – Management actions
  – Accountability
Operational Risk Resilience
Operational Resilience
• Operational Resilience is defined as ‘the ability to adapt operations to continue functioning, when – not if – circumstances change’
Introduce or improve risk resilience
• Operational Resilience is an outcome or result of other practices, processes and culture working effectively:
  - Understanding end-to-end processes
  - Understanding the business's strengths and weaknesses
  - Operational risk management
• The aim of Operational Resilience is for the Financial Services sector to improve its ability to absorb the impact of an unexpected event while continuing to perform its normal activities
Case Study 1
Example A: NHS, an outbreak which led to the disruption of at least 80 out of 236 hospital trusts in England, as well as 603 primary care and affiliate NHS organisations.
• WannaCry infected systems, leading to thousands of cancelled appointments and the diversion of A&E patients to other hospitals.
• The NHS was unprepared for a cyber-attack of such scale, despite being warned of a threat as far back as 2014.
• £25 million has been earmarked for helping NHS organisations improve their defences
• A collective focus across the NHS on strengthening resilience against cyber-attacks
  – Main focus on improving speed of response, resilience, communication and knowledge in the event of a cyber-attack.
Case Study 2
Example B: Maersk (a large shipping company) picked up an infection that hooked into its global network and shut down the company, forcing it to halt operations at 76 port terminals around the world.
• NotPetya hit the accounting software in place
• 45,000 PCs and 4,000 servers were taken down by the virus
• It took them 10 days to recover
• Good BCP plan, implemented quickly
• No loss of customers or hit on reputation
Questions / Comments
The views expressed in this [publication/presentation] are those of invited contributors and not necessarily those of the IFoA. The IFoA do not endorse any of the views stated, nor any claims or representations made in this [publication/presentation] and accept no responsibility or liability to any person for loss or damage suffered as a consequence of their placing reliance upon any view, claim or representation made in this [publication/presentation]. The information and expressions of opinion contained in this publication are not intended to be a comprehensive study, nor to provide actuarial advice or advice of any nature and should not be treated as a substitute for specific advice concerning individual situations. On no account may any part of this [publication/presentation] be reproduced without the written permission of the IFoA [or authors, in the case of non-IFoA research].
Lloyd Richards, Crowe Risk Consulting, 1 Carey Lane, London EC2V 8AE. Mob: +44 (0) 77 66 66 2523. lloyd.richards@crowe.com
Madeline Betts, Crowe Risk Consulting, 1 Carey Lane, London EC2V 8AE. Mob: +44 (0) 74 03 47 6123. madeline.betts@crowe.com
https://www.crowe.com/uk