how to develop KRIs for operational risk management by Dr. Zakaria Salah

1. THE KEY RISK INDICATORS: A
WORKING EXAMPLE
Dr. Zakaria Salah
2015

2. OperationalRiskManagement OPERATIONAL RISK
 Operational risk is defined as “the risk of losses
resulting from operational failures due to processes,
people and systems or from external events”.
 Examples: human errors, IT failure, fraud, flood..etc.
 Main sources of operational risk are People, Systems,
Processes and External Events
 The main objectives of managing OpRisk:
 Changing the risk culture in the institution.
 Avoiding or minimizing operational risk losses.
 Providing early warning signals.
 Improving work-flow quality.

3. OperationalRiskManagement OPERATIONAL RISK LOSSES
 John Rusnak and Allied Irish Bank – fraud
 Bank of Credit and Commerce International – major fraud
 Nick Leeson and Barings Bank – bank collapse
 Soc Gen and Jerome Kerviel – Euro 7.2 bn major fraud
3

4. OperationalRiskManagement OPERATIONAL RISK GOVERNANCE AND
STRUCTURE
2 13

5. OperationalRiskManagement WHAT ARE THE APPLE & WHAT IS THE FORKS AND
HOW MANY FORKS?

6. OperationalRiskManagement KEY INDICATORS
Key Indicators
Key Control Effectiveness
Indicators
KCIs
Key
Performance
indicators
KPIs
Key Risk Indicators
KRIs
Is a metric that
provides
information on
the level of
exposure to a
given operational
risk which the
organization has
at a particular
point in time.
Are metrics that provide
information on the
extent to which a given
control is meeting its
intended objectives (in
terms of loss
prevention, reduction,
etc.).
Are metrics
that measure
performance
or the
achievement
of targets.
6

7. OperationalRiskManagement KEY RISK INDICATORS (KRIS)
 KRIs, as the name suggests, are indicators over the key
risks to which the organization is exposed to.
They are identifiable pieces of information that can act as
a proy or indicator of the current, or potential level of that
key risk.
Since the rogue trading incidents at Société Générale in
2008 and UBS in 2011, many banks have developed the
monitoring of specific KRIs for rogue trading.
Risk Indicators are an important tool within operational
risk management, facilitating the monitoring and control
of risk.
KRI is a metric that provides information on the level of
exposure to a given risk which the organization has at a

8. OperationalRiskManagement KEY RISK INDICATOR (KRIS)
 Developing KRIs is a prerequisite for effective risk
management.
 Useful risk indicators help identify rises in probabilities
of occurrence of incidents early enough to prevent them.
Credit analysts know which financial ratios,
management behaviors and economic conditions will
trigger a rise in credit risk.
In Paris, Taxi meters are limited to eleven hours per
day, preventing cab drivers overworking, since
tiredness is a well- documented contributor to car
accidents.
Same for our staff, overtime leads to human errors
and severe operational risk
8

9. OperationalRiskManagement KEY RISK INDICATORS
 The risk indicator has to have an explicit relationship to the
specific risk whose exposure it represents.
 For example,
Further examples of risk indicators include staff turnover (which
may be linked to risks such as fraud, staff shortages and process
errors), the number of data capture errors (process errors) and the
number of virus or phishing attacks (IT systems failure). another
examples of KRIs: number of limit breaches, number of
outstanding items on the bank reconciliation..etc.
Take the number of customer complaints, which is likely to
be linked to the risk of process errors – as customer
complaints increase, the probability that there are some
underlying and potentially systemic mistakes and errors of
judgment being made is likely to rise.

10. OperationalRiskManagement KEY RISK INDICATORS
KRIs are focused primarily on identifying and tracking
current risk.
Objectives of KRIs:
 Monitor current level of operational risk.
 Detect problems as part of an early warning system.
 Report risk levels in as timely manner as possible.
 Implement an effective risk appetite.
 Promote the awareness of risk issues across the staff.

11. OperationalRiskManagement PROCESS TO IDENTIFY KRIS
Identify and analyse a business process (process flow analysis).
Perform a risk and control self-assessment of the business process to
identify the inherent risk, control measures and residual risks of the
business process.
Prioritise the residual risks in terms of high, medium and low risks.
Identify the indicators according to the characteristics of a KRI:
 the risk must be a high priority (high risk);
 the KRI must be quantifiable; and
 the data must be available.
All stakeholders agree to a threshold for the KRIs.
Register the indicator as a KRI.
Determine the roles and responsibilities in managing the KRIs.
Determine the reporting frequency and method, including escalation
process.11/24/2015 11

12. OperationalRiskManagement
• KRIs primarily track components of a risk story that has
already commenced. The occurrence of risk causes and
risk events will in most instances produce evidence (risk
red flag).
• KRIs are designed to identify that evidence, interpret it
and rely it back to management in a meaningful and timely
fashion to take actions.
Cause
Cause
Cause
Risk Event
Effect
Effect
Effect
Key Risk
Indicators
Detective
Controls
Expected
loss events
KEY RISK INDICATORS

13. OperationalRiskManagement HOW DO YOU IDENTIFY KRIS
People risk
Define Risk category
Inability to
recruit
Inability to
retain
Inadequate
skills and
education
Develop
Causes Map
Low staff
morale
Low job
satisfaction
Establish
KRIs
Staff
turnover
ratios
Average time
to fill
No. of
applicant per
vacancy
% of job
offers
accepted
Poaching by
competitors
Poor
performance
of staff

14. OperationalRiskManagement SETTING THRESHOLDS FOR THE KRI
 A key risk indicator for monitoring and responding to “loss of staff” risk is
staff turnover levels.
 Key risk indicators of this type require;
 Tolerance thresholds in order to give a meaningful representation of the
risk;
 The resultant ratings which could be used to create “heatmap” reporting on
indicators.
So the KRI Thresholds can be set as follows
Below 5% – acceptable risk. The organization is comfortable with the level of
staff turnover.
from 5% to 10% – Potential risk. The risk is a concern and HR would be
expected to monitor actively and establish causes and actions. Escalation
required raising awareness.
Above 10% – Significant risk. Action and escalation with explanatory report
required
When given thresholds are breached there will be a requirement to escalate to
KRI Acceptab
le
Early
warning
Worst
Case
Staff Turn
Over
Below 5% 5%-10% >10%

15. OperationalRiskManagement INFORMATION THAT CAN HELP TO IDENTIFY
SIGNIFICANT RISKS
 Historical internal & external loss events;
 Risk and control self assessment results;
 Internal / external audit findings;
 Workshops / discussions with business functions e.g.
Human resources (including staff turnover statistics).
 Clients complaint cases
 Integrity Unit findings
 Compliance failure
 Improvement Implementation failure

16. OperationalRiskManagement CONSIDERATION IN THE SELECTION OF
KRIS/CHARACTERISTICS
 Ideally determined for many of the significant risks
identified in the risk and control self assessment (self
assessment) process;
 Can provide “early warning” signals to trigger actions that
reduce potential risk exposures;
 Some indicators are meaningless on their own and need to
be combined with other KRIs. In many cases, it is a group of
KRIs that will provide the best management information for a
meaningful assessment;
 Can indicate past, current and projected level of risks and
can be used as a criteria to monitor, escalate and manage
risk and related actions; and
 KRIs relevance and change in importance over time.
The appropriate frequency of reporting and monitoring of
each identified indicator is also an important consideration.
Other characteristics are: measureable, easy to monitor,
auditable, comparability

17. OperationalRiskManagement ROLES AND RESPONSIBILITIES
Business Unit/
Dep.
• Identification
of indicators
• Setting of
thresholds
• Monitor
position
against targets
and limits
• Escalate
breaches to
operational risk
management
Risk Management
Dep
• Provide guidance
and challenge the
selection of KRIs
and thresholds
• Monthly reporting
on KRI Breaches
• Ad-hoc escalation
reporting to Board
• Identify trends
across the business
Internal Audit Dep.
• Provide
validation /
independent
assurance
around the KRI
process
• Incorporate
outputs into
audit plan

18. OperationalRiskManagement KEY RISK INDICATOR WORKFLOW DIAGRAM
Set up KRI
Definitions
Define/assi
gn
Thresholds
Set up
submissio
ns
Submit to
KRI owner
Capture
Data
KRI owner
review and
approved
Submit
data to KRI
coordinato
r
KRI Owner
Review
KRI Reporter
KRI Owner

19. OperationalRiskManagement KRI DATABASE AND REPORTING
 The KRI Database should include the following
 The name of the KRI
 Description of the KRI
 Objective of the KRI
 What is the KRI tracking
 The linkage of the KRI to the risk cause
 The linkage of the KRI to the risk event
 The linkage of the KRI to the risk effect
 The linkage of the KRI to control(s)

20. OperationalRiskManagement KRIS COLLECTION PROCESS
 Sending notification and follow up to those responsible for
input of the KRIs information by the due date.
 Software based collection system can assist and facilitate the
process.
 Input of KRIs data either via a system interface or manually.
 Quality assurance off KRI data to ensure
accuracy of data prior to the processing.
 Reporting of the KRIs with action required:
 No action required. For green - colored KRIs
 Explanation with suggested corrective actions provided by the
business unit within one month. These KRIs are escalated to senior
management. For Amber – Colored KRIs
 Explanation with suggested corrective actions provided by the
business unit within 10 days. These KRIs are escalated to CRO,
KRI
KRI1 X
KRI2 X
KRI3 X

21. OperationalRiskManagement MANAGING KRIS
Collate the data required at the approved times.
Draft the report according to the approved format.
Submit the report according to the approved timeframes and to the
approved role players.
Develop and implement control measures if there is a breach in the
approved threshold.
Monitor the various business influences, which could lead to a change in
the approved threshold, for example an increase in business, external
influences on business processes, etc.
Submit KRI information to serve as an input for operational risk
modelling (to determine a realistic capital for operational risk).
Submit KRI information as an input to determine the risk profile and the
risk appetite of the organisation.
Submit KRI information to test the risk and control self-assessment
results.11/24/2015 21

22. OperationalRiskManagement EXAMPLES OF KRIS FOR CREDIT RISK
Front office – daily indicators
• Number/amount of interest
payment delay
• Number/amount of credit limit
breach
• Number of loans/days/amount
in watch list
Loan attribution – portfolio
review
• Number of loans with
missing documentation
• Number of loan
applications close to the
documentation limit
Loan monitoring – credit review
• % nonperforming to total loans
• Breach of
liquidity/solvency/leverage
limits

23. OperationalRiskManagement EXAMPLES OF KRIS FOR FINANCIAL MARKETS
ACTIVITIES
Front office – daily indicators
• Number of Breaches of trading
limits
• Number of Abnormal trading
patterns:
• Number of deals amended
• Number of deals cancelled
• Number of off-market price
transactions
Back-office/accounting – daily
indicators
• Number of pending confirmations
• Number of unconfirmed deals
• Number of unreconciled deals
• Number of unsettled deals
• Number of reversals
• Number of pending requests
Front office – environmental KRIs
• Lack of supervision (number of days
/ weeks without line supervisors)
• Blame culture (metric: number of
traders fired for poor short-term
performance)
Back-office – environmental KRIs
• Number of staff without financial
background
• Number of staff without on-the-
job/technical training
• Number of transactions per staff
member (monthly % change)

24. OperationalRiskManagement DEVELOPING KRIS IN ISDB AND LESSONS
LEARNED
• Operational risk team has already done Risk and Control
self-Assessment (RCSA) to 16 departments the main output
are as follows:
•List of risks
•List of Control in place
•Number of KRIs and KCIs
•Number of Actions
• About 100 of KRIs and KCIs were developed for these
departments during the RCSA exercise.
Lessons learned
•Each department should start use their KRIs in order to track
the key risks them and report to operational risk team.
•They can work as an early warning indicators.
•If the department feels that the KRIs that they have are not
enough they can develop more KRIs.
•Focusing on two or three KRIs is enough to start monitoring
your key risks.

25. OperationalRiskManagement CASE STUDY
Think of one risk as an example of the risks that your
department is exposed to and try to (in10 minutes):
Develop one or more KRIS.
Set thresholds for the suggested KRIs:
(acceptable, potential (early warning) and
significant (worst case))
Answer
1. Define one objective that your department
would like to achieve.
2. Define on risk that may prevent your
department from achieving this objective
3. Define KRI(s) with thresholds that you can
use it/them to monitor such risk.
Objective
Risk
KRI

26. OperationalRiskManagement