RSK 4801 ASSIGNMENT 01 Topics 1 -3 Due date: 25 June 2013 Unique number: 772936 Student number: 46433597 Name

and last name: Byron Jason

Topic 1. Comparing the roles and responsibilities of the board of Benchmark Bank Ltd with the requirements stipulated in King 3 Report for risk management and internal audit and corrective action that should be implemented that will ensure compliance with the King 3 requirements 2. Analyses of the reported losses and corrected information to reflect the losses more accurately for the annual report. 3. Brief to EXCO introducing an operational risk function at Broken Wing. 4. Distinguishing between risk indicators, control effectiveness, and performance indicators

Page Number 2

5 8

11

5. References

13

1|Page

1. Comparing the roles and responsibilities of the board of Benchmark Bank Ltd with the requirements stipulated in King 3 Report for risk management and internal audit and corrective action that should be implemented that will ensure compliance with the King 3 requirements. Benchmark Main Board The risk appetite of the board was set in September 2009 and then adjusted in 2012 King 3 Requirement Corrective Action

King 3 states that the Therefore, Benchmark board should set the levels bank is not complying with of tolerance once a year the code; to correct this, the board needs to set the levels of risk tolerance once a year and monitor that the risks taken are within the tolerance and appetite level.

The board should review its risk management plan regularly, but at least once a year. The board should ensure that the implementation of the risk management plan is monitored continually The interaction of the King 2 states that the audit board with internal and committee which external audit was limited. represents the board should meet at least once a year with the internal and external auditors. Various limits were King 3 states that a increased without board change in risk appetite approval requires the approval of the board and disclosed in the integrated report There was no effective risk The board should be committee responsible for the governance of risk The board should ensure Internal audit does not that there is an effective meet with the audit risk based internal audit committee, it does not filter information that is of concern Issues which came up The board should ensure were not addressed the integrity of the therefore not included in companys integrated the integrated report reporting
2|Page

The audit committee should schedule meetings with internal and external audit without management being present The board needs to approve various limits and it should be disclosed

The board should ensure that the internal audit activity is properly trained and that they can enforce the board to address disturbing issues The board needs to ensure that all matters of concern are addressed and included in the

The audit committee did not understand governance and risk weakness issues

The board should ensure that the company has an effective and independent audit committee

intergrated report The audit committee members need to be replace with members who do understand.

Board Audit Committee Concerns regarding traded market risk came to the attention of the BAC, and were not escalated to the board.

King 3 states that The audit committee must receive and deal appropriately with any concerns or complaints, relating either to the accounting practices and internal audit of the company or to the content or auditing of its financial statements, the financial controls of the company or to any related matter. King 3 states that the board must review the charter of the audit committee Board needs to review and approve the revised charter.

The BAC operated on a charter that was approved in May 2010. The BAC operated on a revised charter from September 2011 onwards.

The BAC was ineffective King 3 states that the risk in reporting weaknesses in committee should evaluate controls to the board the risks of the organisation The audit committee did not allocate sufficient time to risk management issues The audit committee did not filter information to the board and they did not enforce corrective action The audit committee did not correct audit findings that were reported by the regulators, they had a relaxed approach and did not address matters brought to their attention The audit committee King 3 states that there
3|Page

There was no risk committee at the time. The board needs to appoint a risk committee that will be able to discharge its duties

The board needs to put

members did not understand governance and risk weakness issues

should be a basic level of qualification and experience for members on the audit committee which includes understanding of risk management and governance processes The risk committee should convene regularly but at least twice a year

members on the audit committee which have an understanding of risk management and governance.

Board Risk Committee The last BRC meeting was held in November 2011, there has not been another to date. Internal Audit Audit issues were not disclosed to the audit committee.

The BRC should schedule at least two meetings for the year. Maybe every 6 months.

King 3 states that internal audit needs to discuss and disclose all issues of concern with the audit committee

Internal audit needs to have a better relationship with the audit committee and should discuss issues of concerns The regulators need to ensure that the board addresses their concerns. The board should ensure that there is transparency within the organisation

The Regulators The regulators brought up issues to the board which were not addressed. Culture There is a culture of secrecy Filtering of information by the audit committee to the board was dismal The CIBs attitude towards the findings of the regulators were non chalant The CIB had a negative attitude towards internal audit

4|Page

2. Analyses of the reported losses and corrected information to reflect the losses more accurately for the annual report.
Date Description Trader on the FX desk 06/01/2012 processed incorrectly AML function wrong directional view on interest rates. Loss on 11/01/2012 swap curve Bond options trader captured 18/01/2012 expiry date wrong SAFEX penalty for late margin calls. Clearing House official did 23/01/2012 not contact broker for payment JSE penalty for late bond 30/01/2012 settlements. Customer claim for bad 04/02/2012 derivatives investment advice Interest on late Citi bank collateral calls. Incorrect 11/02/2012 calculation by clerk Duplicate payment to Lloyds 16/02/2012 bank Payment to Sumitomo into wrong act loss Y156312 due to 23/02/2012 change in currency Payment fraud by triade 28/02/2012 syndicate JSE penalty for late settlements. Recon outstanding for cleared 06/03/2012 funds Goodwill payment to Big Shot Ltd because business online was 11/03/2012 down over month end Fraud due to sharing of 18/03/2012 passwords by payment staff 23/03/2012 Teller Difference 30/03/2012 Teller Difference 04/04/2012 Teller Difference 11/04/2012 Teller Difference-New Teller 16/04/2012 Staff fraud 23/04/2012 Staff fraud Fraudulent payment by staff 28/04/2012 member 05/05/2012 Armed robbery 5|Page Amount Risk Type Risk Subcategory People Rand Value 151976

21351 Operational Risk

1573035 Market Risk 52314 Operational Risk

Market Risk People

1573035 604980

100000 Operational Risk 150000 Operational Risk 150000 Operational Risk

People Process People

100000 150000 150000

35000 Operational Risk 20000 Operational Risk

People People

249129 231288

156312 Operational Risk 6500000 Operational Risk

People External events

14553 6500000

450000 Operational Risk

Process

450000

600000 Operational Risk 300000 15687 5962 1114 214509 100250 56000 Operational Risk Operational Risk Operational Risk Operational Risk Operational Risk Operational Risk Operational Risk

Systems People People People People People People People People External events

600000 300000 15687 5962 1114 214509 100250 56000 30000 15600000

30000 Operational Risk 15600000 Operational Risk

10/05/2012 17/05/2012 22/05/2012

BA800 submitted incorrectly Teller Difference Teller Difference

5000 Operational Risk 32418 Operational Risk 35167 Operational Risk 10000 Operational Risk 235145 342190 500000 10000 Operational Risk Operational Risk Operational Risk Operational Risk

People People People External events People People Process People People Credit Risk Credit Risk People People People People People People People People

5000 32418 35167 10000 235145 342190 500000 10000 753451 2567000 654789 5000 5000 5000 105678 10300 53800 23749 43761

Stolen cheque book Bob 29/05/2012 Mugabe Loaded incorrect atm fee 03/06/2012 increased for July 10/06/2012 Staff fraud 15/06/2012 Lost guarantee P Pompies 22/06/2012 BA800 submitted incorrectly Irrecoverable losses due to not 27/06/2012 follow up of excess reports Bad debts written off: JMM 04/07/2012 construction Bad debts written off: JBC 09/07/2012 construction supplies Access payment for motor car 16/07/2012 accident claim Access payment for motor car 21/07/2012 accident claim Access payment for motor car 28/07/2012 accident claim Late registration of bonds due 02/08/2012 to strike 09/08/2012 Staff fraud 14/08/2012 Staff fraud 14/08/2012 Teller difference 26/08/2012 Teller difference Interest claim by client because of bad service (customer not informed of interest rate 02/09/2012 changes) Commodities trader captured 07/09/2012 incorrect amount Write off due to incorrect 14/09/2012 model parameters. 19/09/2012 26/09/2012 Embossing fraud - card cloned Charge back recon differences

753451 Operational Risk 2567000 Credit Risk 654789 Credit Risk 5000 Operational Risk 5000 Operational Risk 5000 Operational Risk 105678 10300 53800 23749 43671 Operational Risk Operational Risk Operational Risk Operational Risk Operational Risk

73421 Operational Risk 44576 Operational Risk 150000 Operational Risk 15000 Operational Risk 256896 Operational Risk 15352 Operational Risk 1100 Operational Risk 7000000 Operational Risk 11890650 Operational Risk

People People Process External events Process People People External events External events

73421 317291 150000 15000 256896 15352 7830 7000000 11890650

Interest claim due to late swift 01/10/2012 transfer Processing official used 08/10/2012 incorrect rate Damage to premises due to 31/12/2012 ATM bombings 31/12/2012 26 ATM bombings

6|Page

15/01/2013

Branch teller differences

165631 Operational Risk

People

165631

Consolidation of total value per risk and event occurrences

Risk Credit Risk External events Market Risk People Process Systems Grand Total Amount (R.) Event Occurrence 3221789 41015650 1573035 4470632 1506896 600000 52388002

2 6 1 35 5 1 50

Rand value of risk

45000000 40000000 35000000 30000000 25000000 20000000 15000000 10000000 5000000 0 Credit Risk External events Market Risk People Process Systems 3221789 4470632 1573035 1506896 600000 41015650

Number of event occurrences per risk

40 35 30 25 20 15 10 5 0 Credit Risk External events Market Risk People Process Systems 2 6 1 5 1 35

7|Page

3. Brief to EXCO introducing an operational risk function at Broken Wing. Definition of Operational Risk Operational risk can be defined as the risk of loss resulting from inadequate or failed processes, people, systems, or external events. (Blunden & Thirlwell, 2010:8 sourced from Operational Risk: The next frontier, RMA/PricewaterhouseCoopers, 2009) Basel II defines operational risk as The risk of loss resulting from inadequate or failed internal processes, people, or systems or from external events Including legal risk, and excludes strategic and reputational risk. Benefits of Operational Risk Management The benefits of operational risk management could be an increase in the value of the business, by managing risk practises it will enhance the shareholders value by been able to minimise the likelihood and impact of risk occurrences that could decrease shareholder value and exploit opportunities to create value when they arise. Successful operational risk management reduces risk and improves business effectiveness Benefits of operational risk management 1. Business continuity By managing operational risk Broken Wing can identify its vulnerabilities, by doing this Broken Wing can get back to business quickly, should an event occur. 2. Insurance By managing operational risk Broken Wing can know the appropriate cost of transferring the risk and whether a particular insurance is appropriate 3. Outsourcing By managing operational risk Broken Wing can outsource certain activities that can be performed more efficiently. Outsourcing should enable Broken Wing to have higher transaction levels, improved speed, and a higher quality of customer service and improved financial controls. 4. People Risk By managing operational risk and creating a good people environment where people are open to change and are able to respond to flexibly and quickly to business opportunities as well as threats to the business, people will become Broken Wings greatest asset. 5. Reputation Risk- By managing operational risk correctly, Broken Wing can prevent a risk occurring, there will be no operational risk to deal with. If Broken Wing can avoid the risk, whereas competitors are unable to, the reputation of Broken Wing will be enhanced. Broken Wing will also benefit by: 1. Been able to make informed decisions (Governance) 2. Been able to understand the operational risk context of decisions
8|Page

3. Distinguishing and differentiating between operational risks 4. Been able to evaluate and assess past problems 5. Knowing where the organisation is now and where the organisation is heading 6. Allocating capital on an operational risk basis 7. Getting the right information on past events, the present state of the operational risk environment and its possible future state

Operational risk framework that should be introduced at Broken Wing

Governance: This is the process where the board of directors define key goals for the bank and overseas the progression towards achieving the goals. It defines overall operational risk culture at the organisation, as well as setting the tone as to how the bank should go about implementing the operational risk framework. The successful risk strategy should be firmly embedded in the vision, strategies, tools and tactics of the bank. Governance sets the precedence for strategy, structure, and execution. Strategy: Benchmark Bank strategy for operation risk drives the other components within the management framework. It provides clear guidance on risk appetite, policies, and process for day to day risk management.

9|Page

Appetite and policy: The risk management process should ensure that the bank behaviour is driven by its risk appetite. The bank should adopt an operational risk strategy that is aligned to the risk appetite that is set, this will lead to informed business decisions. Clear definition and communication of policy: The banks senior management should identify, assess, decide, implement, audit, and supervise their strategic risks. There should be a strategic policy at the board level that focusses on managing risks at all levels. The policies should be communicated at all levels of the bank. Evaluations based on internal and external changes: The risk management process should improve risk performance. The operational risk management goals should be evaluated periodically taking into consideration internal and external factors. Structure: The design of the operational risk management structure should have taken the overall risk scenario of the bank as a guideline. It should include a hierarchy structure that balances current risk processes, developing risk measurement models that assess regulatory and economic capital, and allocating economic capital against the actual risk confronted. Execution: Once the operational risk management framework has been established by the bank, adequate procedures should be designed and implemented to ensure execution of the policies.

10 | P a g e

4. Distinguishing between risk indicators, control effectiveness, and performance indicators Risk Indicators: This is a metric that provides information at the level of exposure to a given risk which the organisation has at a particular point in time. Risk indicators tell us about changes in the likelihood or impact of a key risk and can be linked to a risk and control assessment. Control Effectiveness: This is a metric that provides information on the extent to which a given control is meeting its intended objectives. A control effectiveness indicator tells us about the change in the design or performance of controls and is linked to a risk or control assessment. Control effectiveness indicators fall into two categories namely, indicators of controls which mitigate an individual risk and, indicators of controls which mitigate a number of risks. Performance Indicators: This is a metric that measures performance or the achievement of targets. Performance indicators are commonly used in business to assess the current level of performance. They are linked to the business objectives e.g. total costs, staff costs, sales, revenues, profitability. Argue the characteristics that you will consider to develop risk indicators Relevance: Risk indicators should be relevant and linked to the organisations operational risk exposure and it should provide management with the quantum regarding the levels of exposure and degree to which such exposures are changing over time. Risk indicators should be reviewed periodically for relevance, as it can change over time from the perspective of the users of the indicator. There are three indicators to determine relevance: 1. Specific focus, which is focuses on a single exposure area 2. General focus, which covers a specific area of activity and provide a general impression of current exposure levels or activity. 3. Common or generic, which can be used anywhere in the organisation, usually adding specific context. Measurable: Risk indicators must be able to be measured repeatedly and with certainty. To be measurable, the risk indicator should meet the following criteria: 1. 2. 3. 4. Must be quantifiable as an amount, percentage, ratio, number, or count. Must have values which are reasonably precise and a definite quantity. Must be comparable over time. Must be reported with primary values and be meaningful without interpretation or some subjective measure.

11 | P a g e

Predictive: Indicators can provide a leading, lagging, or current perspective of the operational risk exposure. Leading indicators are the most difficult to develop a simple projection of the future based on historical events thus sacrificing accuracy and reliability. Lagging indicators provides useful information regarding the historical causes of loss or exposure. It can also be useful where losses are initially hidden or where changes in historical trends may reflect changes in circumstances that may have some predictive qualities. Current indicators provide a current view of operational risk exposures and may identify a situation that requires attention to reduce an exposure or minimise a loss. Easy to monitor: In order for the organisation to the source data which can be used for risk indicators: 1. The data should be simple and relatively cost effective to collect, quality assured and distributed. 2. The data should be relatively easy to interpret, understand, and monitor. Auditable: It is important that risk indicators are accurate, complete, and timely because management will place significant reliance on them. The operational risk management department should be satisfied with the quality and as a governance measure, the internal audit function should include it as part of their audit coverage. Comparability: The indicator identification and selection process of an organisation should assess the level of comparability with the benchmarks in and across the industry to ensure that the users for the indicators have a better understanding of the exposure levels that the indicator relates to.

12 | P a g e

5. References All answers derive from the prescribed textbook and study guide unless otherwise stated. 1. Blunden, T. & Thirlwell, J.2010. Mastering Operational Risk. 1st Edition. Great Britain. Prentice Hall. 2. Frost, C. & Allen, D.2000. Operational Risk and Resilience.1st Edition. United States of America. Buttersworth 3. Question 3 adapted from Author Unknown. 2008. Operational Risk Management (ORM) Framework in Banks and Financial Institutions [online].Available from http://www.metricstream.com/solution_briefs/ORM.htm [15 June 2013]

13 | P a g e