Kimberly Fix, Director Leveraging Operational Risk Management (ORM) in Operational Risk Management AIG Enterprise Risk Management Third Party Risk Management (TPRM) 212.770.6752 kimberly.fix@aig.com 175 Water St., NY, NY Operational Risk Management Congress CeFPro - October 2018
Agenda Our Journey § A TPRM Operating Model Overview § TPRM’s Second Line / Controls § TPRM Process Overview § Leveraging Operational Risk § Lessons Learned § Q & A § 2
TPRM - An Operating Model Overview Corporate Level Governance • Defines third party regulatory obligations via policy & standards including stewardship of the third party risk assessment process and associated toolset. Partners with required control groups • Interface for regulatory reviews and examinations • Risk aggregation and escalation including risk analysis and metrics • TPRM related training (i.e., TPRM requirements, rollout of tools and related processes, etc.) > > Second Line: Business’ third party governance and procurement teams, support and are accountable for overseeing and challenging the first line in the effective management of their risks and driving convergence of TPRM requirements. First Line: Control Groups are responsible for providing guidelines for assessing and Businesses are accountable for managing exposure for their specific risk area. They partner with TPRM to define owning and managing the risks and tailor risk assessment questions based on changes to regulatory landscape. that exist in their respective areas > per defined third party risk management framework (e.g. TPRM Policy and Standards) • Business Third Party Governance and Procurement • Third Party Category Owners • Vendors, MGAs/PAs/DUAs, TPAs (Claims & Non-Claims), Affinity Sponsors, and Brokers/Independent Agents/Travel Agents • Control Groups • Compliance, Privacy, and Legal, Information Security, Business Continuity, Global Security and Financial Viability 3
TPRM’s – Second Line / Controls Legal and Compliance AML, Anti- Data corruption Global Privacy and Security Cyber Security Background Checks, OFAC Due Diligence Financial Business Viability Continuity Information Security and Software System 4
TPRM Process Overview Business-Driven Pre-Risk Assessment Onboarding Activities Determine sub-exposure inherent risks and identify which due diligence activities must Risk Assessment be performed; notify/instruct the user and appropriate control groups as necessary Due Diligence including Ongoing (determined by risk) Sanctions Screening • Financial Viability Assessment Minimum Requirements • Due Diligence, Ongoing Information Security Assessment • Business Continuity Assessment • Due Diligence, Exit Software Security Assessment • Strategy, and Risk Background Checks • Licensing Validation • Acceptance Anti-Money Laundering • Anti-Corruption • Third Party Code of Conduct • Exit Strategy (High-Elevated Risk) Risk Acceptance (where applicable) Contract Related Engagement of Legal to review and approve contract Third Party Inventory Designed to support business needs Applies to High & Elevated risk population, conducted by business Oversight Conducted for High and Elevated risk population; can leverage Independent Reviews internal audit and/or other control functions 5
Leveraging ORM in TPRM Increased transparency of operational risks, aligns with industry standards, designed to meet regulatory expectations § Through related programs, deployment of the framework identifies, assesses, monitors, and measures operational risks § Operational Risk Governance Risk Appetite Committees Policies & Procedures (Tolerance & Limits) Risk Assessments Risk Monitoring Risk Measurement Risk Identification Common Organizational Capital Modeling & S tandard Taxonomy Key Risk Indicators (KRI) Risk Profile Top Down Risk Assessment Allocation Hierarchy Emerging Risks Quality Assurance Internal Risk Events Scenario Analysis Issues & Mitigating Actions Risk & Control Self External Risk Events (Audit, SOX, ORM, etc.) Assessments (RCSA) Reporting & Analysis Training and Awareness Technology Leveraging ORM to Support Third Party Risk Management Business RCSAs Control Gaps included Risk Acceptance Business Unit TP Risk Event Tracking include Third Parties in Issue Tracking & Vendor level, Top Risks and Reporting Reporting exclusions, other ORM Review and Challenge, Escalation when needed 6
Lessons Learned Partner with the business to establish requirements and § standards Leverage existing business processes and owners § Standardization of the third party risk assessment § approach is critical to data collection and analytics (Key Risk indicators) Establish well defined roles & responsibilities and charters § for stakeholder engagement and ongoing accountability Automation is not a silver bullet § Simplification is critical when defining the “Regulatory § Ask” in order for the business to better understand “How” to address the requirements “Row in behind” other business initiatives § whenever possible (ex. Existing standards, Definition of “critical”, ORM Review & Challenge) 7
Appendix 8
Refresher - What is Operational Risk? Operational Risk is the risk of loss, or other adverse consequences, resulting from inadequate or failed internal processes, people, and systems or from external events. Operational Risk includes legal, regulatory, technology, compliance, third party and business continuity risks, but excludes business and strategy risks. Business Units have primary accountability and responsibility for managing operational risk within their respective units. PEOPLE PROCESS SYSTEMS EXTERNAL EVENTS People may contribute to Processes that are Systems may cause External events outside the the realization of incorrectly executed operational risk when organization’s control, may operational risk, for can cause operational systems and/or tools negatively impact the organization. example: risks. are: These include both man-made and • Staff turnover Examples of • Deficient natural events, for example: • Untrained personnel processes include: • Unstable • Flood • Overreliance on key • Payroll Processing • Overly Complex • Fire personnel • Claims Processing • New Technology • Earthquake • Lack of management • Accounts Payable deployed without • Social unrest oversight and controls adequate testing • New Regulations • Inappropriate employee conduct • Human error Proprietary and Confidential 9
Recommend
More recommend
