“An Overview of Operational Risk Management” Presented by Fred Vacelet

Zintro Webinar

Presented by Fred Vacelet, MBA, CTM, PRM/FRM, IFQ.

Presenter’s Note:
“In financial institutions, operational risk has been considered as minor compared to credit risk and market risk. Moreover, let us honestly face it, Operational Risk is too difficult to grasp for bankers. Therefore, operational risk management is often considered as a regulatory constraint or as an imprecise practice rather than a science. It is often hijacked by political necessities or can turn into insignificant exercises aimed at predicting small losses or improving efficiency without consideration for high-impact risks or for the relationships between the risks incurred and the potential rewards.
We present in this webinar an overview of the practical techniques coming from best practice that apply and reinforce operations of financial institutions, whatever their size and complexity.”

About Fred Vacelet:
Fred Vacelet is a Financial Risk Management Consultant with an international expertise in Risk Management methodological frameworks. His experience spans some 20 years, advising banks, software houses and others on risk management. Fred holds various degrees, including from London Business School, with post-graduate studies at the Technische (then West)-Berlin and Keio (Japan) universities. He is a published author on risk management and Basel Accords and a regular speaker at conferences. Fred writes and presents training courses and workshops on risk management and Basel II/III.




Enrique Levin:  Hello and welcome. My name is Enrique Levin, co‑founder and VP of Product at Zintro.

Zintro’s a global online marketplace that helps connect companies with highly specialized consultants and other expertise providers, for projects that range from one‑hour phone consults to multi‑month onsite engagements, and even full‑time jobs.

Today’s webinar, “An Overview of Operational Risk Management,” will be presented by Fred Vacelet, MBA, CTM, PRM/FRM, IFQ. Fred is a Financial Risk Management Consultant, with international expertise in Risk Management methodological frameworks.

His experience spans 20 years, advising banks, software houses and others on risk management. He holds various degrees, including one from London Business School, with post‑graduate studies at the Technische (then West)‑Berlin and Keio (Japan) universities.

He is a published author on risk management and Basel Accords, and a regular speaker at conferences. Fred writes and presents training courses and workshops on risk management and Basel II/III.

If you would like to ask Fred any specific questions throughout the webinar, feel free to use the question section of your GoToWebinar console panel. If it’s not open, you can click on the little orange arrow on the top right corner of your screen and you’ll see a section that says, “Questions.”

Feel free to enter any question, Fred will respond to questions after this presentation. We will also provide Fred’s direct contact information in case you want to follow up or ask any other questions or in case you want to engage with Fred.

Without further ado, I’d like to turn it over to our presenter, Fred Vacelet.

Fred Vacelet:  Thank you very much for this introduction. First, to discern, to stop any ambiguity, let me underline once again, we are talking of operation risk in financial institutions.

Quite a lot of the principles in general that work on our industries are applicable as well, but there are certain specificities that specifically misguiding thinking’s and exaggeration of a few things and some of our mistakes that are only typical of financial industry for operation risk.

We’ll come to some details about these ones as we go along. The framework by which the financial community is living right now is provided by the Basel Committee on Banking Supervision.

The Basel Committee has issued a few different accords which have been defining risk management regulations for you. Within the Basel framework, we have three different kinds of risk, which are credit risk, market risk, and operational risk.

But a more generic framework within banking institutions will differentiate about ‑‑ in green in the picture ‑‑ financial risk, which include, after Basel III especially, liquidity risk, ALM, asset liability management risk, which will be a specific case, if you will, of market risks for interest rate risk.

We will, so far, neglect or leave alone some other risks, which are regulatory risk, ‑‑ does it exist, first, at all as a risk Basel? ‑‑ environmental risk, ‑‑ is it a topic for banks or anything? ‑‑ and strategic risk, ‑‑ is it a topic for risk managers or for [inaudible 0:04:33] management?

We will concentrate here on operational risk, which includes all the topics you can see, including fraud especially, terrorism, and some other disasters and so on, project risk as well, and so on.

A list in extension is a little bit difficult to draw, because the limits of such a list would be hard to find. But some categories of risk can be drawn, et cetera. To forget the next risk that will occur. That’s a big problem of a limitative list of risks.

The peculiarities of operational risk compared to the two other typical risks, market and credit risks, that we have. It has been recognized only very recently in history as really a risk per se, an interesting risk. But since banking started in the 16th century.

The security risk harboring cash and gold in the bank was the first thing to be recognized as a risk. Credit risk went a little bit, a few weeks or months later when the first lender couldn’t pay back.

Operational risk is definitely the oldest risk in banking institutions and also the youngest, as it is the youngest being recognized, type of risk. A big issue, it is quite within the DNA of every banker to understand what is credit risk, a risk that…cannot or don’t want to pay back. That’s quite an easy thing.

It’s relatively easy to understand for any banker what is market risk. I take a position in the financial markets. The market goes against me. I lose money. But operational risk for people who in relative terms obviously, lead a very, very stable life.

They don’t like the military, for example, risks their life every time they get into a campaign. Like the nuclear industry, they don’t risk their life, and the life of quite a lot of other people, and their business, their factory, and everything else each time there is an accident within their factory, their nuclear power station.

Bankers are not, by tradition, people designed to manage efficiently operational risk, although they have, obviously, a few routine and so on acquired with centuries that helps them to acquire some idea of operational risk.

We have within operational risk two different subspaces of it. We have the daily risk of a very, very likely risk that happened on a daily basis particularly. But the impact of this is quite limited, a few hundreds are being lost there and there.

The typical example is a payment being just not done in time, a few alerts, a few people being told off because the payment didn’t get in time to the right person and so on, a few penalties being paid. That’s about it for the risk.

But these ones are the typical risks that can happen quite a lot, although, in proportion of the number of demands being made by a bank, in a very, very tiny proportion of it.

But, also, some other risk can be absolutely catastrophic. The original sin of modern operational risk management, according to a few, especially European bankers, is the one of Barings.

In 1995, a rogue trader episode closed down the whole bank, which was sold for one pound, in other words, for nothing. Finally, the name of the bank was disappeared. It was bought by another bank.

We have within operational risks some influence of technology which has been in, let’s say, recent decade increasing quite a lot operational risk. In the very old days, when all processes were paper based, a little mistake didn’t have much of an effect.

Nowadays, entering the wrong data within the system can have a very, very wide‑ranging effect within the full process of the bank everywhere, including especially the knock‑on effect.

Which is generally considered as being the reputational risk of making a mistake, and not being able to hide the mistake from the public, and the reputation of the bank, right or wrong, obviously, being knocked out.

What is new in the Basel II accord, which is, and most people in banking will think, the most important regulation for the banking world in recent times? What was new in Basel II ‑‑ the most interesting thing for us.

Which was initially considered new ‑‑ was the introduction of capital to be put…aside for operation risk events. You are going to ask, “Why put capital against operation risk events?” The obvious answer is if you’ve got capital that’s much better than if you don’t have capital.

If you make a loss, you can pay for it, but the other reason is that within the DNA of bankers there is this assumed wisdom that capital can protect against most things including operation risk. You can have some reservations about [inaudible 0:11:37] but it’s never really far from a banker’s mind.

The Basel Accord as defined as well has provided one definition of operation risk, which was quite a challenge to establish a definition of operational risk, but before being able to talk about it, it was quite necessary to be able to define it.

I read aloud, “The risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.”

Which includes obviously external events which are really far beyond the reach of any banker like worldwide political or economic crisis, natural disasters which will affect the population as well, and other types of catastrophic external events.

But also, failure of IT systems are included. Failure of processes within the bank are also within, and human failure within the bank are also included. Shall I as well insist that we have to consider the risk of loss resulting from.

What is resulting, within definition, is not the risk is not resulting, but the loss resulting. In other words, its definition is the risk of loss resulting from, and failed internal processes for example don’t bring about a risk. They bring about a loss purely.

This definition has often been misunderstood in this sense considering that failed internal process is the bringing of the risk of something. No, the process means a loss…a process failing bringing a loss. I mentioned the Basel Accord. I would like to insist a little bit on these generations of different Basel Accords.

First, we had in 1988 the very simple Basel I Accord, which can be summed up in very simple, simple thing. Banks should have enough capital, eight percent of total balance sheets, and this was a reaction to some historically interesting level of leverage of the banks.

Banks since time immemorial have continued and continued always to increase their leverage to make more operation with the same capital or to have less capital and more capital efficiency as they go along.

So in 1988, Basel Accord was trying to establish some handling of system increase by making sure that the banks had adequate capital to work.

However, as soon as the accord was applied, written, and published banks used quite a lot of big tools to game the system and make sure that the capital was accounted in this way and this way, so that it was more favorable to them. Assets were accounted in different ways and so on.

Then came Basel II as a reaction of obviously the gaming of the system. Proposed in 1999, implemented between 2000…let’s say 2002, officially a bit later. Official implementation was starting according to account in different countries.

In the US, by the way, it came quite late and well after the 2008 disasters. To react to the crisis of 2008, we have now the third accord which is Basel III, which was the reaction to the crisis. To put things a little bit quickly, it added a few considerations of liquidity.

There was nothing being re‑returnable to perish risk management, not that operation risk was well‑managed by every bank, but accord as it stood was well written.

It was in implementation that there was a few big issues, and so we worked on the text of the Basel II, which is officially taken on in the Basel III Accord as well. How can we sum up Basel Accord? National EPIDOS was defined in the Basel II Accord, but it is still valid exactly the same way in the Basel III Accord.

We have three wonderful pillars which are supposed to evocate harmonious architecture of the Greek temple with three front frontal pillars. The three frontal pillars created equal and very nice and solid and very harmonious as well.

First pillar was capital requirements, still the same thing eight percent, but a few refinements on calculations. Definitely quite a lot of refinements.

The second one was supervisory review process. In other words, the regulators or the supervisors had the capacity and even obligation to check that banks’ calculation of capital were done sincere, makes sense, and no gaming of the system.

The third one is this very poetic idea that if banks have got enough transparency. Publish the results. Publish their news about their risk. Publish everything they have to say about risk.

As the public at large not only finds an analyst but you and me and savers and depositors and everybody will have a pretty good idea about how risky is your bank.

Can you trust your bank to [inaudible 0:18:32] your deposits and so on? In terms of what happened, as you can guess from what I have hinted, the pillar number three is a little bit of a joke.

There is no way the public will be able to go against the barrage of communications that the banking industry is displaying at all times about, “Look at my bank, how safe it is.”

This communication is very highly professional, very well done. No casual reading of an inner report by someone who doesn’t know about banking will give you an indication about if your bank is more risky or less risky, and whatever is there.

However, to circumvent these problems, most countries have been establishing deposit insurance systems so that small depositors, at least, get fooled, yes, but in case of failure of their thinking get paid back by the guarantee process. That was all for this very fragile non‑pillar of the pillar three.

As for the weaknesses of the pillar two, the theory was that every regulator on the world will understand very well about what happened in their banking sector all over the place. However, the big weakness is that bank regulators don’t have the energy and the resources to check everything.

They have to rely quite a lot on sincere implementation of the Basel II accord, sincere implementation of risk management processes, and do quite a lot of leap of faith when they check the banks.

They check if the banks really manage well their risk, if they know exactly their extreme risks, especially if they know…and master well their daily risk.

As for capital requirement, it has become and more the obsession of every risk manager when, especially in operational risk, capital requirement is one tool among quite a lot of them to manage risk.

I’ll pass on the rest of the slide very quickly, as this overview it’s just not supposed to be about regulation. It’s supposed to go over the risk. But the world of banking is being what it is, we have to talk about regulation.

What is nature of operational risks? Within the different kinds of operational risks that we have, we can find a few examples as we go through the risk register of every bank. But we will have first, as a category that we can eliminate as absolutely uninteresting immediately, the low‑frequency and low‑impact type of risk.

No example falls in my mind right now. But, anyway, it’s a type of risk in which once in a while you happen to lose a little bit of money, and you don’t care about this money. I have, an example. You have a retail client who, for political reasons or other reasons, must be cared in a special, specific way.

Once in a while, the person rushes into the branch physically, or by email, or phone, and gets very angry for whatever stupid reason, and bother, and trying to argue about whatever. They use some little present and whatever.

The client is quiet down, happy. This is a type of low‑frequency, low‑impact risk that we can happily neglect. Now we have on the right‑hand side, lower‑hand side, low‑frequency and high‑impact risks.

These ones are really the ones that are the most dangerous, the most unknown, and the most misunderstood ones. It’s a type of risks that never happened before or seldom happened before. It’s a type of risk in which we have very, very little experience, very little history.

One big example is 11th of September. It was figuratively impossible that two planes bumped into two towers at the same time. It was statistically close to impossible, even for insurance companies.

For banks, this type of risk was not exactly on the radar until this fateful day of September 2001. These low‑frequency, high‑impact risks are quite interesting to observe.

But the big weakness of the Accord is that we have very, very little total information for managing these ones. As for the high‑frequency, low‑impact risk, that’s generally the cost of doing business. Everybody is more or less involved in handling this type of risks.

This is the risk of going to the bank every morning, having a few things mistyping, and misdoing anything. This happens every day. This can be addressed for sake of efficiency, for sake of quite a lot of things. It’s quite a good practice to try to reduce this high‑frequency and low‑impact risk.

As for the high‑frequency, high‑impact risks, they are supposed not to exist, because it’s enough to have one or two of this type of risks to occur for your bank to be out of business, because your bank cannot afford to have a lot of episodes of high‑impact risk.

Rogue trading, I argue, is this kind of risk. Fortunately, in terms of frequency, it’s not that high. But, nonetheless, it didn’t, this one.

If the controls are missing in a bank, the risk, which are normally very, very limited and occur with very low frequency, will be able to become high‑frequency, high‑impact risk. If you put very good controls in your trading room, you will have rogue trading occurring in a very low frequency.

One day, if you switch off the controls, don’t check what is happening, don’t look at your log of IT systems and so on, the next thing you will know is that there has been several occurrences of rogue trading. This will be a type of high‑frequency, high‑impact risk.

Some people argue that if really these risks have happened several times, you are not worth being a banker or running a bank, anyway.

These risks in fact are phantom risk, being low‑frequency, high‑impact risk disguised in the guise of a high frequency risk because of mistakes being done on a consistent basis. Here it’s quite important then to treat the different kind of risk in this four by four matrix in a different way.

The most important one are the ones on the right‑hand side, lower part of it, the one that needs to be risk managed. When I say managed risk, what do we mean? The Basel frameworks, Basel II and III, mentioned in this concept.

The probability or likelihood of the risk and the monetary or dollar impact of the risk. That’s two basic notions by which the risk must be managed. However, if you are in charge of compliance, you can very well deal with this existing notion, two notions of probability and impact that define it.

If you are an operational risk manager, this comes a little bit short as a notion. I’d like to see, first, the notion of hazard, which can be seen as an environmental aspect of the risk. If you work in a very unstable environment, if you worked, let’s say, in a commodities business.

Or, let’s say, energy trading as a bank, you will have not only a very volatile commodity, which is energy prices, but also very subject to quite a lot of shocks because of, let’s say, a power station is out of service for this period, and so local prices can go up and down quite a lot.

I argue that compared to, let’s say, government bond markets, a trading environment for commodities will be much more hazardous because the volatility of the assets, the quickness, the speed by which you must react to every event is much higher, and so mistakes can be done much easier than this.

Probability or likelihood, that’s not an environmental aspect of where the risk can be, but it’s where the risk will occur. If you have a position which is very close in size to trading limits, your probability of going over limits and your probability of losing more money than allowed by internal rules is quite high.

It’s quite useful to differentiate the hazard or the long‑haul causes as opposed to the near causes of them. To put it in a metaphor, if you’ve got a dark sky, it doesn’t mean it will rain. But if you’ve got clouds coming over your head and now starting to rain, then it’s really going to rain.

The different steps in the occurrence of risk can be seen in this way in separating the notion of hazard and probability. Immediate impact is, obviously, generally relatively easy to calculate. The knock‑on effects are generally much less.

The typical knock‑on effect of an operational risk mistake, of an operational risk occurrence is reputational risk. Tell me what happened when a big bank gets in the front page of the newspapers because of rogue trading, or extremely big losses out of control, and loss had been hidden, or whatever.

The knock‑on effect in terms of reputational risk, but also confidence of the regulator in the bank, plus internal fighting about whose fault was it or whatever, and so on can be quite significant as well. It’s not enough to see the impact. That’s about it.

When we have now understood the risk very well in terms of drivers, causes, and consequences, and very well defined by referencing risk as compared to other risk, labeled the risk for community purposes, obviously.

And categorizing the risk within the Basel categories and your internal categories of risk, and so on, then we can see we have defined the risk. Now, does the risk really exist? Find the story by which this risk has happened or could happen.

Some past events can be a very good guide. But you don’t necessarily need to use past events. You can use your imagination, especially for high‑impact, low‑frequency risk. Sometimes, you have got only this to deal with.

Find some stories, some causal events, some chain of events that can produce these things. This means also understand quite well by what processes the risk can occur and get out of control. Then you can claim, at this stage, that you have established a full definition of the risk.

You know what you are talking about about this risk. You know that the risk is not just a fantasy. It can happen again or can happen for force. Assessing the driver, and so establish, if you can, some probability of the risk to happen. Our figure is really excellent to get on it.

But you can still manage the risk, I argue, without having a good idea or a precise idea of how much is the figure. If you can say risk probability is high, low, medium, that’s maybe in some cases good enough anyway to start something on assessing the risk.

Then that’s a most critical part of the business. Determine for the risk has been defined as both. What can be done to assess the risk? No. Please, Mr. Banker, you don’t need to write a check book here. That’s not useful here. There are quite a lot of things that can be done.

One example, if you think that a market is too difficult or a country is too unstable, and you just don’t want to have the headaches of managing the risk of lending into a territory of a country because of economics, political, or whatever risk, avoid the risk, don’t get into the country.

But, therefore, you don’t get the profit of the risk. You have as well some strategies which are generally preferred, which are prevention, trying to reduce ‑‑ only reduce, not to set to zero phrase ‑‑ the probability of the risk to happen by setting preventative controls.

Monitoring the risk as well gives you, when the risk occurs, a better action time to set up your mitigation strategies. Preparing the mitigation strategies, as well, in advance is quite a good strategy.

But there are quite a lot of different strategies that can be used. The one consisting in putting capital aside for protecting about mistakes or stupidity is not the right not, is not sufficient. It’s not the most efficient one, and it’s very costly.

Why doesn’t it work? You can argue stupidity is unlimited. The amount of capital you can set aside is limited by definition. You will not be able to protect against something. That’s one argument.

This other argument is, “Why should you cure the problem by putting money after the loss has been done?”, or I’m trying to have a better control about the future loss that has been going to make.

There are some risks as well. One of them is environmental risk, which is in general in practice, unfortunately, dealt with by curing the risk. In other words, you need to wait for the seas being dirty.

The river being polluted so that the powers that be decide that this river needs to be cleaned, when, in fact, a prevention strategy will have had much less cost and no effect on the environment, because the river would never have been polluted enough to justify the curing.

Oil tankers, as well, crashing on the coast is a typical type of risk which, ideally, should have been dealt with by prevention. But if you remember Exxon Valdez and a few other ones in fact de facto let’s admit that these cases have been dealt with by cleaning the beaches.

And putting quite a lot of money on the victims, birds and whatever, and the fauna and so on rather than preventing by having better controls of navigation and whatever else.

Then I must as well insist prevention, to me at least, it doesn’t mean elimination of a risk. Prevention, within this context, I take it to mean reduce the probability. But let’s always be aware zero risk does not exist.

If you can set the probability of a risk to zero, ‑‑ not 0.000 whatever, but really pure zero, total zero ‑‑ while is not under a risk first, why has it ever been a risk and so on? Are you mixing up pure zero and a very little number? I’m not sure about it.

When I see or I hear a risk has been purely and simply eliminated, I get into a cynical mood or a skeptical mood, at least. That’s what we can do now with handling the risk. You are going to ask me, “Why handle the risks? Why really does it make sense all the time to set up costly controls and so on?”

“Does it make sense to put a lot of brain power on managing the risk or waiting for the risk to occur?” I say, “Yes, of course it does, because it reduces expected value of the impact.” As a matter of course, it introduces more certainty within the business.

There is another aspect as well, which is generally not very well dealt with and especially when it comes to capital allocation within different departments of the bank. A very volatile department will say, “Oh, we are making a lot of money, and blah blah blah, and so on, and so we need a lot of, of capital.

We need to do more business and so on,” when the more stable department, ‑‑ retail banking, but quite a lot of other departments as well ‑‑ will say, “We have got annual on return, which is very, very stable. We have heavy surprises.”

This does not fully account for the differences in the returns between this volatile department and our department, which begs the question, “How much is too risky? How much is not risky enough?” This is a question of risk preferences, which is too difficult to deal with within this hour.

To compare to two different returns, R1 and R2 within this slide, when one head of department will say, “I’ve got no variation. I’ve got a perfectly well stable business and so on,” it’s quite useful to use the following formula to assess what risk.

Even if you are risk neutral in terms of preference, how much can be compared to whatever. After two days, let’s say, or two months, or two years of trading, $1 invested we’ve produced. For the stable department, the formula is quite simple. Obviously, that’s a component twice to follow.

But the risky department, let’s assume, that one day things go very well, and the next day things go not so well. Instead of earning 1 + R2 ‑R2, this risky department will do 1 + R2 ‑ the standard deviation, which will compensate for the extra win of the day before.

By the way, if you lose money the first day and make money the second one, or if other…it goes other way around, things are exactly the same. We can develop here this formula. This simplifies into (1 + R2)^2 ‑ SD^2.

In other words, the comparison of the different returns will be varied not between R1 and R2, but between R1 and R2 minus this SD^2/2.

Considering a return of a business, of a department, or of an activity as being a return, but not taking into account the risk, is very often a misleading thing which leaves the door open to [inaudible 0:42:54] falcon‑like type of managers to say, “Yes. Let’s get into these risky operations.”

Let’s get your risk‑adjusted return after this standard deviation factor being compared to the other thing. Let’s add as well the discomfort for management having to watch all the time that this return is going up and down, and so on.

Never ever compare two different returns in the same way, not taking into account of the risk of the returns as well. This is a mistake that is quite often being done willfully or not, but to quite a devastating effect on the long run.

Another really extremely important aspect that can help set up some framework for managing operational risk, not yet manage operational risk, is segregation of duties. If or when you have within banks some departments in which really there are no counterpowers.

And the head of department can behave as a local [foreign word] without any counter power, however this head of department can be ethical, honest, disinterested into his [foreign word] or whatever else, sooner or later you will have a few issues exist.

Segregation of duties establishes, as a matter of processes, counter power. As soon as the process is being carried out, there is, of course, another process running in parallel, checking that things have been rightly done.

A process within a retail system in which cash payments are being done must always be monitored as a matter of course by the IT process which accompanies this. Every exit of physical cash must be documented within 90 entry.

The IT entries must be reconciled on real time as much as possible and in the end of day to make sure that the cash differences are always zero. Most of the big problems of internal frauds or lack of controls internally have been occurring because of the lack of segregation of duties.

The typical lack of segregation of duties that have been occurring are between back office/ administration departments and operational department/front offices, client‑facing one. If you’ve got a trading operation, that’s a typical one.

In the vast majority, if not all of the rogue trading episodes in the last 20 years, there was a big problem of front office people either being too much interested in what was happening in the back office or purely doing the work on the back office. There was no separation of duties, no separation of powers.

The people among you who know some things about older government know quite well that, by parallel to this notion of segregation of duties, a government can have some balance and can reach some advanced status of democratic control.

Or whatever good control, or any way to be a stable government is when you’ve got differentiation and the separation of powers between legislative power, executive power, and fiduciary power.

If not, if two of these three powers get too much assimilated or meddling within each other, you get into trouble very quickly, and you cannot achieve a balanced type of government. In banks as well, it’s quite a prerequisite to have a very good separation of different powers.

I’d like to compare the three powers to the administration power on one side, the back office, risk management department/risk control, let’s say, calculation, and quantification, and so on, and the executive power, which is the front office.

Obviously, the top management must definitely have a good influence on it and must always be able to see that there is a balance between the different powers.

What happens in practice is that, most of the time, the front office shouts a little bit louder and gets their way. There is no balance of power within and so. Within this notion of segregation of duties, there is a notion of the four‑eye principles…principle which is quite a critical thing.

You must have two people checking on everything which is done. One person doing the work himself, and one other person checking here. Here we have got a picture with a very beautiful blue‑eyed bloke who does the work. He’s complemented by a very sharp‑eyed person.

I take this opportunity to highlight, as well, the necessity to have some cultural diversity within a bank. Ethnic diversity comes as a premium as well. It helps quite a lot to establish that the diversity of thinking and diversity of control is well set. It prevents the notion of groupthink and cultural one‑sidedness, as well.

The usual tools put into action within banks. Obviously, this is an overview. We’ll have to go very quickly on this one. But risk and data loss register, it’s quite fundamental for banks to learn as operations go along, and progress, and so on.

Every time there is a loss, this loss must be documented and put into some data repository. A few institutions have been setting up some common repository of mistakes, and losses, and their data, which are some of them publicly available, some of them not less available.

But very useful to study ‑‑ especially for exceptional risk, in other words, low‑frequency risk ‑‑ when it will be quite difficult to find in your bank, a lot of comparable examples of such and risk has been happening, because they are, by nature, a low‑frequency risk.

The use of data loss registers is quite useful to guide imaginations and try to assess how can a bank work on scenarios. The systems and controls, this is quite a fundamental thing. Most people who will have worked in an audit department will be able to sing a song about it.

This is quite a prerequisite to have a good set of systems and controls. When I say “audit‑inspired,” I say using, generally, the methods used by an audit. But audit, by nature, I say tends to be accounting oriented, and so very much past oriented.

When the systems and controls needed for a proactive risk management system needs to be more future oriented, that’s a positive way, or bathe upon the future and not the facts, so it’s part of the past, which gives it its strengths before it.

For the future, it’s useful, but with no data for the future yet because [inaudible 0:52:07], which gives us an inherent weakness to risk management compared to the typical type of risk limitation provided by the audit department.

Another typical tool is process mapping. Understand as much as you can, and you have got time to spend on it, every process within your bank to see really where can processes go wrong, what is this process, what is this, the controls affected to the process, how does it work? and so on.

This is, generally, quite a huge type of work which can be done on the back of some process study dealt for improving the efficiency of processes. But process mapping a process for the sake of doing the risk, generally that’s quite hard work for nothing of reward.

Another tool is risk and controls assessments, when instead of having a central department, a risk management department, determining what are the risks of each department, you ask every department, and ask for signing as well.

Each department commits to some decision of, “What are the risks affecting my department?” As soon as every department can be sincere about the risk, and the department cannot be content to say, “I am wonderful, I don’t have any reason or problem to complicate you.”

This is an extremely critical type of tool, which can have very much tool to scribes the wisdom of the risk management to share around the clock, and it’s quite critical for every head of department to understand that its risk.

We…into the future have already been declared within the self assessment being described and so on and nobody can be accused of being naive. If the department doesn’t face the game and say, “Oh, I don’t have any risk.”

When the next day happens, it will be quite difficult to say, “Oh, that was quite a surprise,” but you didn’t know that this risk could happen ever and so when good communication can be established between the risk management operation of departments and the different department that’s quite a new thing.

The next one is key risk indicators, which consist in setting numeric indicators to any kind of risk and to put them into four [inaudible 0:55:09] is quite a good risk indicator. Guess what happens if engine goes too hot, we run the risk of a few one.

Problems is there and so for accounting for the speed of a cars and heat of engines. The heat of a car is not an indicator of performance.

It’s an indicator of risk so it’s quite useful when you talked of a car and how quickly is it going, what power is it deploying. If anything, keep the performance indicator and this has been done since performance what you need to do with the game.

But it’s quite useful to add some risk indicators like volatility of some profit for example, which can be a good risk indicator as well. The use of this thing together can be too obviously have a better understanding over the different ways in it and the least.

But also early warning system as well and that’s quite useful. However, it’s a big problem is that at least you can really figure out every kind of waste indicator and the consequence and the correlation and so on and put a figure on everything.

It probably means you have understood your risk so well that when did to have this things, couldn’t you really set up a system and control that we prevent the least and get it and in some case it’s quite half to refrain into set up some tremendous indicators of the risk can be avoided or in the first place.

Next very useful type of tool is the scenario manages. This is quite important for especially low frequency high impact type of risk, when you cannot really deal with any other tool because this doesn’t happen and so on. This is really most fundamental tool that can be used.

Capital requirements are mentioned as well and the risk factor as well, which is quite useful notion, but a very subjective notion when it’s quite difficult to get us hand on what exactly is the and it takes really years and years and dictates and forever in one day and more to set up some culture within among.

I will have to open a flow of questions now.

Enrique:  Thank you very much. Thank you for your presentation Fred. It was really insightful. We have a couple of questions from users from these. We have one question from Felix.

Felix asks, he works in a security consulting firm and he asks what’s the one thing we can do right away to secure operations in our business. I assumed the question is a generalized one. What are the low hanging fruits of professional security consulting firm can do to secure operations?

Fred:  I don’t think there is really one big apples from where to hang in there, at the height of my mouth. Generally the first thing I would do in this case is have a look at risk register of the bank. How much security losses have we had in the past known history.

If there is no one step to this, take a generic data opposite a refund, all the banks comparable to this, and try to assess a security risk. I know we tried to differentiate between internal fold and external fold as well that’s when you use a fast thing.

For internal fold, yes, if there is a low hanging, the contact will be the segregation of duties, which is supposed to become embraced, but every time we have a big public loss being getting to the public place. The segregation of duties was not enough, or a second vendetta.

There was no independence between the two people for us, and thing that exist, and so Felix, to hump up on your question, if there is a low hanging default. Yes, there is a segregation of duties, but I don’t think it’s that easy.

Enrique:  Thank you very much Fred. We have a couple more questions. By the way, everyone, feel free to reach out to Fred, if you want to follow up, or engage with him.

His email is on the screen. Let’s follow up with the next question. Tyrone asks, “Would like to ask if you have any great books, or recommendations to read up more on risk management?”

Fred:  I will start with the…It’s a guide to reframe from [inaudible 1:01:02]. You are not obliged to pass the exam, which is quite a heavy type of thing, obviously.

These two institutions have set up some handbook for the [inaudible 1:01:21] exam, which can be quite good of a view of the current thinking in accounting risk management.

I can send you some bibliography, in more precise terms if you so wish. If you send me an email, I can send you some list of books that make some sense. Generally it’s quite sane as well to read not only books about banking risk obviously, but also generic industrial risk and a few things.

Contrary to what…to believe, they don’t live in a vacuum. They are one industry like another, and they have quite a lot of interest in ways in risk industries like military, many car industry as well. Accident and Emergency have got very stringent passage use about how to manage the risk.

Well nuclear industries as well, are quite extreme type of risk industries, but it’s quite useful to have a view which comes from outside the banking world as well.

Enrique:  Thank you very much Fred. We are running out of time, but we have a couple more questions I would like to squeeze in, so bear with me.

We have one question by Rob. Rob asks, well he says, “Far too much checking relies on documented evidence, but behavioral issues create big risks. How are these being assessed for the key risk they create?”

Fred:  Sometimes there is not very much, not for many at least. What most banks tend to have is a screening process when hiring people, but it will give really good effects only after a big case indication. Let’s say some informal way of checking the peers and so on.

Setting up a culture within the banks, so that people who already have got a risk generating behavior, or risk generating attitude can be spotted, and to evict a quicker…than you think, but there is no history very much of a mouse or as a black sheep and what we need time to do some photo.

And what event will be spotted. I don’t believe you can spoke to them this kind of thing to buy anything else in coincidence. I don’t think you can spot any behavior as well.

One of the reasons is that sometimes I had on really spotless something and one thing is ever personal lives, personal event or they reconsider what are the things in their life and they get a fantasy in becoming a psychopath or whatever.

This can happen as well to the surprise of everybody and so this human behavior types, well maybe I’m not good enough and expect that technology are good enough of psychology, but I don’t really believe that this can bring them most adjusted documented evidence and so on.

It can bring quite a lot of the at forward looking preventive measures. Yes. Definitely, that’s a [inaudible 1:05:15], but with a lot of mistakes and put insured [foreign word] and so if you’re good in any success in such time legacies. I would be very keen to be [inaudible 1:05:27], but I doubt that can be a documented evidence.

Enrique:  Thank you very much Fred. We have one here for one last question and then we’re going to end this presentation. The question is by Steve.

How would you go about evaluating risk in an automated distribution center, where there are conveyors, where software technologies are upgraded, et cetera?

Fred:  I would apply the same thing as well to a very automated retail unit of Internet banking for example, in which quite a lot of the processes are automated.

I will take it but check nonetheless that within the automated courses as we go along, as of day to day process everything has been checked, released, assessed and so on.

My big worry will be what happens if the system faces a massive failure and the next thing big event will check with some ware, which obviously never did happened and so everybody working with the automated system returnee never happened, it cannot happen, blah blah and so on.

Then, I will study this very unlikely case it’s where, we lease as machine explodes or whatever this kind of extremities, but will be confident that today release have been very much advice by automatization of the systems.

Enrique:  Thank you very much for the insights Fred. To members still free to contact Fred directly with information provided or by going to center profile. Fred, on behalf of Zintro and our over 170,000 members, thank you so much for sharing your insights.

Everyone, this closes today’s presentation. We will be sharing the recording of the presentation next week so stay tuned to our newsletter. I wish you all a very nice stay. Thank you very much.