Leading the risk profession

Operational Risk & Business Continuity

Management - An Effective And Integrated
Approach
Chris Lintern
Co-operative Financial Services
Introduction & Approach
Chris Lintern
• Background in all aspects of Business Continuity Management within
Financial Services
• Part of central Operational Risk Management Team
Co-operative Financial Services
• Includes Co-operative Bank, Co-operative Insurance, Co-operative
Investments
• Merged last year with Britannia Building Society
• Our vision is to be the UK’s most admired financial services business
Approach to this session
• Active participation
• All views welcome and appreciated
Purpose
• To share thoughts on the benefits of integrating Operational
Risk & Business Continuity
• Consider some of the key stakeholders, and the aims, and
components for Operational Risk and Business Continuity
frameworks
• Conclusions
What is Operational Risk Management?
Managing the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events
(Basel Committee of the Bank of International Settlements)

What is Business Continuity?

A holistic management process that identifies potential threats to an
organisation and the impacts to business operations that those
threats, if realised, might cause and which provides a framework for
building organisational resilience with the capability for an effective
response that safeguards the interests of its key stakeholders
reputation, brand and value creating activities (BS25999 – British
Standard for BCM)
Back to Basics

Preventing nasty surprises wherever practical, and

having the confidence that your organisation can
respond to and mitigate them - if and when they occur

Key
Health
Suppliers / System Property &
&
Outsource failures Facilities
Safety
Partners

Key person
External threats
dependencies
Historic Positioning of Op Risk & BCM
• Focus on “traditional” business continuity – denial of
access to premises, or loss of systems
• BCM and Operational Risk seen as separate entities

Operational
BCM
Risk
Synergies between the two
Stakeholders Framework Intended
Components Outcome
Board Policy & Understanding
Procedures of appetite
Executive & Senior Supporting Proactive
Management documents assessment
Operational Plans & Training Understanding
Management of impact

Other Considerations
Impact on Capital Impact on Change Insurance
 Operational Risk – Integrated Approach

Busi
Contro Operat
ness Insu
Operational l Self- ional
Cont ranc
Risk Asses Risk
inuit e
sment Capital
y
 Operational Risk – Integrated Approach

Busi
Contro Operat
ness Insu
Operational l Self- ional
Cont ranc
Risk Asses Risk
inuit e
sment Capital
y

Proactive identification of risks

• Assessment and evaluation
• Scenario analysis
 Operational Risk – Integrated Approach

Busi
Contro Operat
ness Insu
Operational l Self- ional
Cont ranc
Risk Asses Risk
inuit e
sment Capital
y

Assess controls
• CSA process
• Review control weaknesses
• Track actions
• Link control evidence to risks
• Review incidents as evidence of control failures
 Operational Risk – Integrated Approach

Busi
Contro Operat
ness Insu
Operational l Self- ional
Cont ranc
Risk Asses Risk
inuit e
sment Capital
y

Mitigation of operational risks

• Crisis Management Team & Plan
• Incident Management Teams
• Crisis Management Centre
• Work-Area Recovery
• Disaster Recovery strategy
 Operational Risk – Integrated Approach

Busi
Contro Operat
ness Insu
Operational l Self- ional
Cont ranc
Risk Asses Risk
inuit e
sment Capital
y

Risk transfer
• Placement
• Claims Handling
• Specific perils e.g. Buildings/Contents, Business
Interruption Insurance
• Advice & Guidance
 Operational Risk – Integrated Approach

Busi
Contro Operat
ness Insu
Operational l Self- ional
Cont ranc
Risk Asses Risk
inuit e
sment Capital
y

Capital against unexpected losses

• Calculation
• Planning
Operational Risk Components

Purpose 3 Year Strategic External Events Operational

Strategy e.g. Weather, Risk Appetite
Vision Plan Terrorism
Operational
Risk Capital

Change agenda
Scenarios

Suppliers &
Core Critical Reporting
Colleagues Facilities Outsource
Processes Systems
Partners

Control Self- Operational Risk Business Continuity Insurance

Assessment Programme
Top-down Resilience
Operational Risk Incident & Policies
Key Controls Profile Work-Area
Crisis
Recovery
Bottom-up Management Claims
End-to-end Operational Risk Disaster
Process view Profile Recovery
Incident & Near-
Miss Reporting

Operational Risk strategy and plan

Operational Risk Components

Purpose 3 Year Strategic External Events Operational

Strategy e.g. Weather, Risk Appetite
Vision Plan Terrorism
Operational
Risk Capital

Change agenda
Scenarios

Suppliers &
Core Critical Reporting
Colleagues Facilities Outsource
Processes Systems
Partners

Control Self- Operational Risk Business Continuity Insurance

Assessment Programme
Top-down Resilience
Operational Risk Incident & Policies
Key Controls Profile Work-Area
Crisis
Recovery
Bottom-up Management Claims
End-to-end Operational Risk Disaster
Process view Profile Recovery
Incident & Near-
Miss Reporting

Operational Risk strategy and plan

Embedding the Culture
• Business buy-in of paramount importance
• Incident Management framework known and utilised –
importance of exercising
• Risk Division seen as involved – not sat in Ivory Towers
• Part of the solution, not part of the problem - BC & Op Risk
representatives heavily involved in Incident Management
• Keep things simple – common language
• Linked to the CFS customer promise
Incident Framework

Crisis
Management
Team

Escalate Cascade
up Incident Management down
Teams

Operational Risk IS Service

(incl. BCM) Continuity

Business units / areas

BC plan owners and Plan co-ordinators
Incident Management Team - Structure
People
Co-ordinator

Business
Operations IS
Co-ordinator Co-ordinator

Incident
Management
Team Leader

Comms
Information
Co-ordinator
Co-ordinator

Site Facilities
& Security
Integrated Approach

Key risks mitigated

Issues raised as
risks
Stress scenarios

Operational
BCM
Risk
Incident
Risk Management
Assessments Capability

Tangible exercising
Conclusions
• An effective, and consistent framework
• Can be used to define overall risk appetite at Board level
• Practical considerations – both areas need policies &
procedures
• Simple for the business
• Aligned to business processes
• Crucial that it’s accepted from a cultural perspective within the
newly merged organisation
• Potential to drive efficiencies and cost-savings
 Thank You

Any Further Questions –

Chris.Lintern@cfs.coop