
MBA(Sri j) BCOM(spl) CISSP CISA CISM CGEIT CRISC CBCP ITIL ISO27K(LA) FIB]

Thilak Pathirage

AGM - Op Risk & Info. Risk Mgt., Seylan Bank PLC

Definition; Example; Roles and responsibilities for KRIs; Major steps necessary to generate KRIs; Tool; Generic operational risk KRIs

Key risk indicators (KRI) are measurements that are used by management to show how risky an activity is (a project or an investment, for example). They are called key because they warn of the most obvious areas where problems may arise. KRI help to flag up early warnings of a possible adverse impact arising from an activity in the future. Developing operational risk indicators is not easy.

Risk indicators:

highlight current risk levels by providing a measure of the status of an identified risk and the effectiveness of its control. Risk indicators can provide information which gives a useful ongoing view of the underlying behavior of the risk profile;
highlight trends and changes in risk level by monitoring changes in risk between formal risk and control assessments;
provide early warning signals through predictive risk indicators which highlight changes in the risk environment, control effectiveness and potential risk issues before they crystallise and result in loss;
enable actions that prevent or minimise material loss or incident by prompting timely action on early warning signals; and
express escalation criteria for risk management by using thresholds to convert raw indicator data into meaningful risk ratings to aid effective decision making.

Another type of indicator is a key control indicator (KCI), which is a measure of the effectiveness (e.g. design and performance) of a specific control. Deterioration in KCIs can show an increase in residual risk impact or likelihood. KCIs are relevant to a particular control activity(s).

Key risk indicators can be classified into two categories, namely:

specific indicators, which relate to particular processes within a franchisee, such as the number of reconciling items in a given area; and
environmental indicators, which impact the franchisee as a whole, for example, business volume.

KRI can provide early warning of future losses or other problems. They are useful in supporting management decisions and actions. They can be benchmarked both internally and externally.

Mastering KRI has proven difficult to date. The company has to believe in them, even though past history may not fully support their value.


RCSA Exercise: Bottom-up risk; Top-down risk

RCSA Fundamentals: Impact vs. Probability

ORM is the management of the frequency AND severity of operational losses

[Diagram: risk response options: Share; Mitigate & Control; Accept; Control. Frameworks named: COSO Framework, COBIT Framework]

We established norms of Impact and Probability

[Figure: heat map of Impact against Likelihood, Pre Control and Post Control, plotting business function codes (OPS, FIN, PWN, LEG, CFU, SCC, MKT, IMP, EXP, ABC)]

Criteria:

Category          Tolerability    Risk Level
Very Low (VL)     Acceptable      1-2
Low (LO)          Acceptable      3-4
Medium (ME)       Tolerable       5-7
High (HI)         Tolerable       8-14
Very High (VH)    Unacceptable    15 and above

The Most Risky Business Functions


[Chart: Rating Summary by Business Function. Y-axis: Percentage (High / Medium / Low), 0% to 100%. X-axis: Business Functions (PWN, ACT, ABC, SLI, MKT, SCC, OPS, FCC, EXP, LEG, IMP)]

Some of the following resources can be useful in helping create your own KRI list.

Policies and regulations, particularly those that are aimed at regulating the business activities of the company. Such KRI may include risk exposures relating to compliance with regulatory requirements and standards.

Strategies and objectives. Corporate and business strategies, as established by senior management, are a good source.

Previous losses and incidents. Databases containing historical losses and incidents can provide useful input on what processes or events can cause losses.

Do: Make your KRI quantifiable. Base KRI on consistent methodologies and standards. Track them along a timeline against standards or limits. Link KRI to objectives, risk owners, and standard risk categories. Run regular overviews to check that your formulae are still relevant and accurate in assessing risk.

Don't: Don't complicate risk. Don't be too simplistic. Don't put 100% faith in your initial KRI.
