Leveraging Operational Risk Management (ORM) in Operational Risk - - PowerPoint PPT Presentation



SLIDE 1

Operational Risk Management Congress CeFPro - October 2018

Leveraging Operational Risk Management (ORM) in Third Party Risk Management (TPRM)

Kimberly Fix, Director Operational Risk Management AIG Enterprise Risk Management 212.770.6752 kimberly.fix@aig.com 175 Water St., NY, NY

SLIDE 2

Agenda

  • Our Journey
  • A TPRM Operating Model Overview
  • TPRM’s Second Line / Controls
  • TPRM Process Overview
  • Leveraging Operational Risk
  • Lessons Learned
  • Q & A

SLIDE 3

TPRM - An Operating Model Overview

Corporate Level Governance

  • Defines third party regulatory obligations via policy & standards, including stewardship of the third party risk assessment process and associated toolset. Partners with required control groups

  • Interface for regulatory reviews and examinations
  • Risk aggregation and escalation including risk analysis and metrics
  • TPRM related training (i.e., TPRM requirements, rollout of tools and related processes, etc.)

First Line:

Businesses are accountable for owning and managing the risks that exist in their respective areas per the defined third party risk management framework (e.g. TPRM Policy and Standards).

Second Line:

Business third party governance and procurement teams support, and are accountable for, overseeing and challenging the first line in the effective management of their risks and driving convergence of TPRM requirements. Control Groups are responsible for providing guidelines for assessing and managing exposure for their specific risk area. They partner with TPRM to define and tailor risk assessment questions based on changes to the regulatory landscape.

  • Business Third Party Governance and Procurement
  • Third Party Category Owners: Vendors, MGAs/PAs/DUAs, TPAs (Claims & Non-Claims), Affinity Sponsors, and Brokers/Independent Agents/Travel Agents
  • Control Groups: Compliance, Privacy, and Legal, Information Security, Business Continuity, Global Security and Financial Viability

SLIDE 4

TPRM’s – Second Line / Controls

Due Diligence control areas:

  • Legal and Compliance
  • Data Privacy and Cyber Security
  • Financial Viability
  • Information Security and Software System
  • Business Continuity
  • Global Security
  • AML, Anti-corruption, Background Checks, OFAC

SLIDE 5

TPRM Process Overview

Risk Assessment, Due Diligence, Ongoing Due Diligence, Exit Strategy, and Risk Acceptance

Business-Driven Pre-Risk Assessment Onboarding Activities

Risk Assessment: determine sub-exposure inherent risks and identify which due diligence activities must be performed; notify/instruct the user and appropriate control groups as necessary.

Due Diligence, including Ongoing Due Diligence (determined by risk):

  • Sanctions Screening
  • Financial Viability Assessment
  • Information Security Assessment
  • Business Continuity Assessment
  • Software Security Assessment
  • Background Checks
  • Licensing Validation
  • Anti-Money Laundering
  • Anti-Corruption
  • Third Party Code of Conduct

Exit Strategy (High-Elevated Risk)

Risk Acceptance (where applicable)

Minimum Requirements:

  • Contract Related: engagement of Legal to review and approve the contract
  • Third Party Inventory: designed to support business needs
  • Oversight: applies to the High & Elevated risk population, conducted by the business
  • Independent Reviews: conducted for the High and Elevated risk population; can leverage internal audit and/or other control functions

SLIDE 6

Leveraging ORM in TPRM

ORM framework components: Reporting & Analysis, Training and Awareness, Technology, Risk Identification, Risk Monitoring, Risk Measurement, Risk Assessments, Committees, Policies & Procedures, Standard Taxonomy, External Risk Events, Risk Appetite (Tolerance & Limits), Common Organizational Hierarchy, Capital Modeling & Allocation, Key Risk Indicators (KRI), Quality Assurance, Risk & Control Self Assessments (RCSA), Issues & Mitigating Actions (Audit, SOX, ORM, etc.), Scenario Analysis, Emerging Risks, Top Down Risk Assessment, Internal Risk Events, Risk Profile, Operational Risk Governance.

Leveraging ORM to Support Third Party Risk Management (ORM Review and Challenge, escalation when needed):

  • Business RCSAs include Third Parties
  • Control Gaps included in Issue Tracking & Reporting
  • Risk Acceptance (vendor level, exclusions, other)
  • Business Unit Top Risks
  • TP Risk Event Tracking and Reporting

  • Increased transparency of operational risks; aligns with industry standards; designed to meet regulatory expectations
  • Through related programs, deployment of the framework identifies, assesses, monitors, and measures operational risks

SLIDE 7

Lessons Learned

  • Partner with the business to establish requirements and standards
  • Leverage existing business processes and owners
  • Standardization of the third party risk assessment approach is critical to data collection and analytics (Key Risk Indicators)
  • Establish well-defined roles & responsibilities and charters for stakeholder engagement and ongoing accountability
  • Automation is not a silver bullet
  • Simplification is critical when defining the “Regulatory Ask” in order for the business to better understand “How” to address the requirements
  • “Row in behind” other business initiatives whenever possible (e.g. existing standards, definition of “critical”, ORM Review & Challenge)

SLIDE 8

Appendix

SLIDE 9

Refresher - What is Operational Risk?

Operational Risk is the risk of loss, or other adverse consequences, resulting from inadequate or failed internal processes, people, and systems or from external events. Operational Risk includes legal, regulatory, technology, compliance, third party and business continuity risks, but excludes business and strategy risks. Business Units have primary accountability and responsibility for managing operational risk within their respective units.

PEOPLE

People may contribute to the realization of operational risk, for example:

  • Staff turnover
  • Untrained personnel
  • Overreliance on key personnel
  • Lack of management oversight and controls
  • Inappropriate employee conduct
  • Human error

PROCESS

Processes that are incorrectly executed can cause operational risks. Examples of processes include:

  • Payroll Processing
  • Claims Processing
  • Accounts Payable

SYSTEMS

Systems may cause operational risk when systems and/or tools are:

  • Deficient
  • Unstable
  • Overly Complex
  • New Technology deployed without adequate testing

EXTERNAL EVENTS

External events outside the organization’s control may negatively impact the organization. These include both man-made and natural events, for example:

  • Flood
  • Fire
  • Earthquake
  • Social unrest
  • New Regulations

Proprietary and Confidential
