Co-Founder and CRO @ RiskSpotlight (last 7 years) Passionate about - - PowerPoint PPT Presentation



SLIDE 1

SLIDE 2

  • Co-Founder and CRO @ RiskSpotlight (last 7 years)
  • Passionate about utilising risk management as a management tool to define and execute business strategy
  • Part of UK delegation for revision of the ISO 31000 standard
  • Member of the IOR project team for developing and rolling out Certificate of Operational Risk Management (CORM)
  • Designed world’s first forward-looking operational risk content service “RiskSpotlight Portal”. Utilised by over 100 financial services firms for horizon scanning and monitoring emerging operational risk topics.
  • Trained 1,000+ operational risk professionals through classroom and online courses

LinkedIn: www.linkedin.com/in/manojkulwal

SLIDE 3

[Figure: stressors acting on a firm, shown along an axis labelled "Level of Resilience" running from High to Low. Panel captions:]

  • Firm on track to achieve business strategy
  • Firm faces strategic & operational issues and incidents in some areas
  • Firm faces significant crisis in key parts of the business
  • Firm faces existential crisis
  • Firm can quickly recover from the crisis
  • Firm requires a long time to recover from the crisis or is unable to recover

SLIDE 4

[Diagram labels: Strategic Objectives; Investments/Capital; Processes/Activities; People; Tangible Assets; Intangible Assets; Value Creation; Targeted Strategic Objectives; Risk Exposures; Compliance Boundaries]

SLIDE 5

[Same diagram as slide 4.]

Resilience is an outcome of making the right business decisions, successfully executing these and managing risks

SLIDE 6

Value Creation

Measures undertaken to create value that directly contributes to strategic objectives. Examples include:

  • Provide website for customers to purchase financial products
  • Provide online banking website for customers to manage their funds
  • Operate sales team to sell financial products to clients

Typically considered as similar to accelerators in cars.

Value Protection

Measures undertaken to ensure the firm’s ability to create value in the long term is not affected. Examples include:

  • Prevent criminals from using financial products for money laundering
  • Prevent cyber criminals from gaining access to customer accounts
  • Prevent sales team from mis-selling financial products to clients

Typically considered as similar to brakes in cars.

Winning cars require effective accelerators and brakes. Similarly, successful firms require an optimal balance of value creation and value protection. Only firms that can find the optimal balance will be successful in the long run.

SLIDE 7

Value Creation (definition and examples as on slide 6)

Typically considered as similar to attackers in a football team.

Value Protection (definition and examples as on slide 6)

Typically considered as similar to defenders & goalkeeper in a football team.

Winning teams require effective attackers and defenders. A team will be defeated even if its attackers score 20 goals, if the opposing team scores 21 goals.

SLIDE 8

[Chart: level of investment in value creation measures versus level of investment in value protection measures, on a scale from 0% to 100%. Firms shown: New challenger bank; Large national bank; New fintech firm; Large global bank]

SLIDE 9

[Diagram: Strategic Objectives, within Compliance Boundaries, served by two groups of resources:]

  • Value Creation: Investments / Capital; Processes / Activities; People; Tangible Assets; Intangible Assets
  • Value Protection: Investments / Capital; Processes / Activities; People; Tangible Assets; Intangible Assets

Inherent dilemma to allocate resources between value creation & value protection

[Functions shown: Board; Senior Executives; Sales Team; Marketing Team; Product Team; Technology Team; Group Risk Team; Risk Committees; Audit Committees; Control Performers; Internal Auditors; Compliance Team; Information Security Team; BCM Team]

SLIDE 10

Resilient versus Not Resilient (Fragile)

  • Resilient: Robust preventative controls to minimise disruption to key business activities
    Not resilient: Weaker preventative controls resulting in periodic disruption to key business activities

  • Resilient: Robust detective controls to facilitate early detection of disruption to key business activities
    Not resilient: Weaker detective controls resulting in delayed detection of disruption to key business activities

  • Resilient: Robust responsive controls to facilitate rapid recovery of disrupted business activities
    Not resilient: Weaker responsive controls resulting in delayed recovery of disrupted business activities

  • Resilient: Lessons are learnt from failures in a structured manner and applied to continuously improve the level of resilience
    Not resilient: Lessons are not learnt from failures in a structured manner – same type of failures re-occur

  • Resilient: Periodic stress testing exercises conducted to evaluate resilience level under different extreme & plausible scenarios
    Not resilient: Stress tests are not conducted or scenarios are not extreme

  • Resilient: Focus on concentration risks and minimise these where possible
    Not resilient: Little or no focus on concentration risks

  • Resilient: Recognise that increasing efficiency can reduce the level of resilience
    Not resilient: Excessive focus on increasing efficiency without adequate consideration of resilience

  • Resilient: Recognise that adequate capital/reserves should be allocated for dealing with an extreme crisis
    Not resilient: Believe that allocating emergency capital/reserves is sub-optimal and attempt to minimise these to meet regulatory requirements

  • Resilient: Balanced focus on value creation and value protection
    Not resilient: Excessive focus on value creation at the cost of value protection

  • Resilient: Recognise complexity as a key driver of resilience. Complexity is managed in a structured manner.
    Not resilient: Do not understand the relationship between complexity and resilience. No structured approach to manage complexity.

SLIDE 11

www.riskspotlight.com

SLIDE 12

[Diagram: mapping of one business service to its business components]

Service = Make payment from UK account to an international account

Products

  • Current Account
  • International Payments

Channels

  • Channel 1 = Branch
  • Channel 2 = Phone Banking
  • Channel 3 = Online Banking
  • Channel 4 = Mobile Banking

Processes

  • Process 1 – Process international payments in branch
      People – Branch staff
      IT System – Branch computers & software
  • Process 2 – Process international payments through phone banking
      People – Call centre staff
      IT Systems – Call centre computers & software
  • Process 3 – Customer driven international payments processing (self-serve)

IT System

  • Core Banking System

Software

  • SAP Core Banking Software

Server

  • IBM Servers

Third-parties

  • IBM

Third-parties

  • SAP
  • Accenture

Facility

  • IBM Data Center, London

External IT System

  • Industry Payment Processing System

SLIDE 13

Business Services

  • Customers mainly care about whether the service they require is available or not, irrespective of the issues a firm may be facing with the channels, systems, processes, people. Services provide an outside-in perspective enabling valuable insights on prioritising resource allocation decisions.
  • Providing alternatives to services becomes a key driver of resilience. Services with alternatives will be considered more resilient than services without alternatives. Firms may need to create manual alternatives in some cases.
  • Mapping services to key business components will highlight constraints / vulnerabilities / bottlenecks / dependencies
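
The mapping described above, as an added example that is not part of the original slides: it encodes the slide 12 international-payment service as a dependency graph and reports which components every channel shares, and which channels remain as alternatives when a component fails. Component names come from slide 12; the edges between them (which channel uses which process, and that every process relies on the core banking stack) are assumptions made for illustration.

```python
# Added example: component names come from slide 12; the edges are assumptions.
DEPENDS_ON = {
    # channel -> process (assumed pairing)
    "Branch": ["Process 1"],
    "Phone Banking": ["Process 2"],
    "Online Banking": ["Process 3"],
    "Mobile Banking": ["Process 3"],
    # process -> people and systems (core banking dependency is assumed)
    "Process 1": ["Branch staff", "Branch computers & software", "Core Banking System"],
    "Process 2": ["Call centre staff", "Call centre computers & software", "Core Banking System"],
    "Process 3": ["Core Banking System"],
    # core stack (assumed layering of software, servers, third parties, facility)
    "Core Banking System": ["SAP Core Banking Software", "IBM Servers",
                            "Industry Payment Processing System"],
    "SAP Core Banking Software": ["SAP", "Accenture"],
    "IBM Servers": ["IBM", "IBM Data Center, London"],
}
CHANNELS = ["Branch", "Phone Banking", "Online Banking", "Mobile Banking"]


def closure(node, graph=DEPENDS_ON):
    """Return every component that `node` depends on, directly or indirectly."""
    seen, stack = set(), [node]
    while stack:
        for dep in graph.get(stack.pop(), []):
            if dep not in seen:
                seen.add(dep)
                stack.append(dep)
    return seen


def surviving_channels(failed, channels=CHANNELS, graph=DEPENDS_ON):
    """Channels still able to deliver the service when `failed` components are down."""
    failed = set(failed)
    return [c for c in channels if c not in failed and not closure(c, graph) & failed]


def single_points_of_failure(channels=CHANNELS, graph=DEPENDS_ON):
    """Components shared by every channel: losing one removes all alternatives."""
    return sorted(set.intersection(*(closure(c, graph) for c in channels)))


if __name__ == "__main__":
    print("Shared by all channels:", single_points_of_failure())
    print("Process 3 down, still available via:", surviving_channels({"Process 3"}))
    print("IBM Data Center down, still available via:",
          surviving_channels({"IBM Data Center, London"}))
```

Under these assumed edges the four channels are alternatives only at the front end: anything in the shared core stack is a concentration point, which is where a manual alternative would have to be considered.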

SLIDE 14

Business Services

1. Withdraw cash from account (e.g. non-bank ATM, ATM in bank branches, branch counter)
2. Open new current account (e.g. online banking, new account website, mobile banking, phone banking, bank branch)
3. Get access to bank account statements (e.g. online banking, mobile banking, phone banking, bank branch)
4. Setup standing order (e.g. online banking, mobile banking, phone banking, bank branch)
5. Make payments (e.g. online banking, mobile banking, phone banking, bank branch)
6. Deposit cheques (e.g. cheque deposit machines in branches, branch counter)
7. Report credit card fraud (e.g. dedicated credit card fraud hotline)
8. Apply for new credit cards (e.g. online banking, online new credit card website, phone banking, bank branch)
9. Close saving account (e.g. online banking, mobile banking, phone banking, bank branch)
10. Request new security key (e.g. bank branch)

SLIDE 15

Business Services

  • Account operation services
      • Online banking service
          • Make payments
              • Make payments to international bank accounts

Selected granularity will drive the number of business services that need to be managed as part of an operational resilience initiative.

FCA/PRA – “It should be clearly identifiable as a separate service and not a collection of services.”

SLIDE 16

Business Services

1. Services that allow customers to transfer funds between accounts
2. Customers claiming on an insurance contract/policy
3. Making loan repayments
4. Checking account balances
5. Accessing deposits and savings
6. Renewing a general insurance contract
7. Obtaining life insurance
8. Receiving mortgage advance
9. Processing direct debit payments

SLIDE 17

Business Services

Priority 1

  • Services associated with primary revenue source for the firm (e.g. apply for new mortgages)
  • Services that are frequently used by customers (e.g. checking account balance, making payments)
  • Services that can cause financial harm to customers (e.g. customers unable to receive salary payments into their bank accounts)
  • Services that can impact a large number of customers if disrupted in peak time (e.g. online banking website down between 12pm and 2pm on weekdays)
  • Services that can impact other firms who rely on the service (e.g. Tesco Bank relying on Travelex services for providing foreign exchange services)
  • Services that can impact the wider financial system of a nation or region (e.g. VISA or Mastercard unable to provide credit card processing service)
  • Services meeting above criteria and where no alternative services are available

Priority 2

  • Services associated with secondary revenue source for the firm (e.g. revenues from providing financial advice)
  • Services that are infrequently used by customers (e.g. pay electricity bills in bank branches)
  • Services that are not considered time sensitive by customers (e.g. getting access to bank account statements)

Priority 3

  • All other services not covered above

SLIDE 18

Business Services

Initial Setup

1. Identify and document key business services
2. Map business services to business components such as processes, assets, products etc.
3. Define the methodology to assess resilience (e.g. setting impact tolerances, scenarios)
4. Embed resilience methodology into existing risk management processes (e.g. operational risk, business continuity management)
5. Define impact tolerances for business services
6. Review and update service disruption communication strategy for external stakeholders (e.g. customers, regulators)
7. Review and update resilience reporting processes at the business unit and group level
8. Review and update processes to analyse service disruptions and implement the lessons learnt

On-going

1. Periodically update the business services to reflect changes to the business components
2. Periodically assess services to identify whether the defined impact tolerances can be met
3. Periodically review and update impact tolerances
4. Evaluate services as part of any business decision making (e.g. launching new products) or change management initiatives (e.g. outsourcing a critical IT system)
5. Evaluate services when material changes occur within the internal or external business environment

SLIDE 19

Practical Example

SLIDE 20

Business Services: Working Group

  • Create an industry standard library of business services in collaboration with RiskSpotlight and other financial services firms
  • Working group participants will get free access to the business services library
  • Send email to manoj.kulwal@riskspotlight.com if you want to join the working group

SLIDE 21