BearingPoint Bank of Shanghai Consulting: Sime Bank Operational Risk Report.doc
SIME BANK BERHAD
OPERATIONAL RISK REVIEW
(Excluding Human Resources and Information Technology)
November 1997

CONTENTS

I INTRODUCTION
II FINDINGS AND RECOMMENDATIONS
2.1 Overview
2.2 Operational Risk Management Framework
2.3 Customer Service
2.4 Policies and Procedures
2.5 Regulatory Compliance
2.6 New Project Co-ordination and Control
2.7 Corporate Image
2.8 Physical Security
2.9 Fraud

Appendix Contents
A - RISK PROFILE MAPS
B - RISK REGISTERS
C - OPERATIONAL RISK CATEGORIES AND DEFINITIONS
D - GUIDE VALUES/LOSS PARAMETERS

I INTRODUCTION

1.1 Overview

The purpose of this report is to summarise our draft findings and recommendations from the operational risk review carried out within Sime Bank Berhad (“Bank”). This excludes our findings and recommendations on human resources and information technology which have been incorporated in separate reports given their importance to the Bank.

Our approach to conducting the operational risk review has involved holding a series of workshops and interviews with senior management, business managers and branch managers in order to:
· identify the operational risks facing the Bank;
· evaluate the causes and consequences of the risks identified;
· assess the quality of controls to manage these risks in order to determine the overall severity of the risks; and
· develop action plans to address the major risks.

The findings from the workshops and interviews have been aggregated for the purposes of this report. Detailed findings from our workshops and interviews are set out in the Appendix to this report.

1.2 Approach

A summary of the project approach is set out in the diagram below:

Diagnostic Review
· Understand processes and activities of the Bank

Risk Identification
· Conduct workshops in order to identify risks

Controls Assessment
· Identify key controls
· Establish residual risks based on effectiveness of controls

Develop Action Plans
· Develop action plans for key residual risks

1.3 Operational risk profile

The findings from our review indicate that the Bank is exposed to a number of major operational risks. The risk profile map below reflects the severity of these risks after taking into account the effectiveness of existing controls.

[Risk profile map. Axes: INHERENT RISK (LOW, MEDIUM, CATASTROPHIC/HIGH) and CONTROL EFFECTIVENESS (Weak, Some Weaknesses, Satisfactory). Risks plotted: Organisation; Customer Service; Operational Error; Policy & Procedures; Regulatory Compliance; Physical Security - Guards; New Project Co-ordination and Control; Fraud; Corporate Image.]

In summary, the major operational risks facing the Bank are as follows:
· Organisation: Responsibilities for managing operational risks are unclear.
· A lack of a “sales orientated” culture within the branches is hindering the delivery of customer service. In addition, manual processes which are extensive in the branches are affecting the efficiency of customer service.
· Branch policies and procedures appear to be cumbersome and not user friendly. There appears to be a lack of clarity in written communication of policies and procedures which can result in inconsistencies throughout the branches.
· There is currently no centralised unit to facilitate regulatory (internal and external) compliance or communicate regulatory guidelines.
· No formalised procedures exist to introduce/co-ordinate projects and authorise the introduction of new products.
· The design, layout and location of certain branches are hampering business growth opportunities and adversely affecting the image of the Bank.
· The quality of existing security services provided by external parties is of a poor standard. This may result in financial loss, destruction of property and physical harm to staff and customers.
· There appears to be no strategy for pro-actively managing fraud.

Although organisation was not identified as a major risk by the workshops, we have included this in the report because we believe that the Bank requires an operational risk management infrastructure to continue the process of managing operational risk.

1.4 Structure of report

The remainder of this report is structured to discuss these risks in more detail and outlines action plans to address these risks.
Section II of this report sets out these risks under the following sub-sections:
· Operational Risk Management Framework
· Customer Service
· Policies and Procedures
· Regulatory Compliance
· New Project Co-ordination and Control
· Corporate Image
· Physical Security
· Fraud

The final section (Section III) summarises our recommendations and outlines an overall implementation plan for addressing these risks.

II FINDINGS AND RECOMMENDATIONS

2.1 Overview

A summary of the findings and recommendations arising from the operational risk review is set out below:

Operational Risk Management Framework

Risk:
· Responsibilities for managing operational risk are unclear.
Recommendation:
· An operational risk committee should be set up to sponsor the management of operational risk
· Internal Audit (IAD) should expand its existing role to facilitate the management of operational risk
· A process based approach to evaluating operational risk and designing appropriate controls should be implemented
(Further details are set out in Section 2.2)
Benefit:
· Ongoing responsibilities for managing operational risk will be clarified
· A comprehensive method of evaluating risks and designing control systems will exist to support expected ongoing change to internal processes
· Management can take greater assurance that all operational risks are being addressed

Customer Service

Risk:
· A lack of a sales orientated culture is hindering the delivery of customer service
Recommendation:
· Top management should promote a sales culture within the organisation
· Key performance indicators (KPIs) should be introduced to measure customer service levels
· Relationship Banking should be introduced for all customers at branches
· Branches and business units should be involved in developing their own business and financial plans
Risk:
· Manual processes which are extensive in the branches are affecting the efficiency of customer service
Recommendation:
· The retail banking systems should be upgraded to include all products and facilitate reporting to regulators
(Further details are set out in Section 2.3)
Benefit:
· Creates ability to monitor and respond to customer satisfaction as a minimum requirement for keeping pace with competitors
· Improves staff morale and promotes responsibility
· Reduces manual effort and increases time for customer service

Policies and Procedures

Risk:
· Policies and procedures manuals are cumbersome and not user friendly
· There appears to be a lack of clarity in the written communication of policies and procedures which can result in inconsistent application
Recommendation:
· A compliance officer should be appointed with responsibility for:
  - directing the upgrade of internal and external policies and procedures (“P&P”)
  - interpreting and communicating policies and procedures
  - supervising distribution and implementation of P&P within branches
(Further details are set out in Section 2.4)
Benefit:
· Clear and up to date policies & procedures
· Skilled expert responsible for advising on implementation
· Promotes effective communication of policies & procedures

Regulatory Compliance

Risk:
· There is currently no central unit to facilitate regulatory compliance or communicate regulatory guidelines
Recommendation:
· A compliance department should be established with expert resources to:
  - facilitate dissemination and implementation of new regulatory requirements
  - improve effectiveness and accuracy of regulatory reporting
(Further details are set out in Section 2.5)
Benefit:
· A compliance department will improve interpretation of regulatory requirements and ensure consistency of application

New Project Co-ordination and Control

Risk:
· No formalised procedures exist to evaluate, approve, track and review the success of major initiatives or projects, including the introduction of new products and the opening of new offices.
Recommendation:
· A robust process for evaluating, approving, tracking and reviewing major projects (including new product development) should be developed. We suggest that this process is co-ordinated by Group Finance
(Further details are set out in Section 2.6)
Benefit:
· Proper planning and risk assessment of major initiatives takes place
· Clear accountabilities for delivering results for investment made are established
· Organisation's capability to manage change in a disciplined way is improved

Corporate Image

Risk:
· The design, layout and location of certain branches are hampering business growth opportunities and adversely affecting the image of the Bank
Recommendation:
· A consistent professional corporate image needs to be introduced to support the Bank's commitment to customer service excellence
(Further details are set out in Section 2.7)
Benefit:
· Appearance of branches will be consistent and of a minimum standard
· Customer perception of the Bank will improve

Physical Security

Risk:
· The quality of current security services provided by external parties is of a poor standard. This may result in financial loss, destruction of property and physical harm to staff and customers
Recommendation:
· A review of all security standards and service providers should be carried out. Minimum standards should be implemented to guide and control the quality of service
(Further details are set out in Section 2.8)
Benefit:
· Protects the Bank from access by unauthorised personnel with criminal intentions
· Enhances the public image of the Bank
· Provides reassurance to staff and customers

Fraud

Risk:
· There is currently no strategy for proactively managing fraud
Recommendation:
· A strategy should be developed to facilitate proactive fraud management
(Further details are set out in Section 2.9)
Benefit:
· A well-publicised fraud strategy with a clear framework or action plan should reduce the Bank's losses from fraud

These findings and recommendations are discussed in more detail in the remainder of this section.
The risk registers set out in the Appendix of this report also provide further information on the exposures identified in the course of this phase of the engagement.

2.1.1 WAY FORWARD

Figure 22 below provides a summary of our recommendations and prioritises these in order of importance to provide the Bank with a suggested implementation plan for the next twelve months.

Figure 22: OVERALL IMPLEMENTATION PLAN, OPERATIONAL RISK
Column headings: Start in next 3 months; Start in next 6 months; Start in next 12 months
Actions listed:
· Develop a compliance function
· Commence upgrading design and layout of branches
· Review physical security services
· Develop strategy for pro-actively managing fraud
· Develop an operational risk management infrastructure
· Introduce procedures for co-ordinating projects and authorising new products
· Undertake customer service initiatives
· Upgrade policies and procedures
· Appoint a compliance officer

2.2 Operational Risk Management Framework

Clear responsibilities and methodologies should be defined for managing operational risk

2.2.1 Rationale

· At present, there is no one responsible for managing operational risk on a regular basis within the Bank. This is particularly important since operational risk does not remain static and the Bank is currently undergoing major changes in business processes and information technology.
· The area of operational risk is vast in scope (see Appendix for operational risk categories) and affects all areas of the Bank. Without clear responsibilities and a structured process for planning, assessing and monitoring operational risk, the Bank will suffer unexpected losses, especially following the implementation of any process redesign. Process redesign is an increasing requirement of financial institutions in Malaysia as competition intensifies further in an industry which already has “excess capacity”.

2.2.2 Key Actions Required

The basic steps that we believe are necessary to address these issues are summarised below:

Key steps (timeline in months: 3, 6, 9, 12)
1. Establish an operational risk management structure: 3 months
2. Adopt a risk based minimum control standards approach (RBMCS) to managing operational risk: 2 months
3. Develop implementation plan for rollout of RBMCS: 1 month
4. Communicate operational risk responsibilities to business units: 1 month
5. Train management in the use of RBMCS: 2 months

These steps are elaborated in further detail below.

1. Establish an operational risk management structure

The Bank should establish an operational risk management structure with the following responsibilities:

(a) An operational risk committee should be set up with responsibility for sponsoring and directing the management of operational risk. A summary of the roles and responsibilities for the operational risk committee is set out in Figure 1.

Figure 1: OPERATIONAL RISK COMMITTEE ROLES AND RESPONSIBILITIES

Participants (Operational Risk Committee):
· Executive Director
· Head of Internal Audit
· Head of IT
· Head of Finance
· Head of Business Divisions
· Head of Compliance*

Responsibilities:
· Initiate the development of minimum control standards to manage operational risk
· Approve operational risk performance indicator (eg limit breaches, systems downtime)
· Assess operational risk exposures involved in new products
· Report major operational risks to the CEO and the board every six months
· Evaluate control weaknesses and agree on appropriate action plans
· Assign responsibility for implementing action plans
· Monitor progress of major projects to address operational risk

*To be considered

(b) Although the business units should be ultimately responsible for operational risk, internal audit should facilitate the management of operational risk. Specifically, it should have responsibility for planning, assessing and reporting/monitoring operational risk to management. Figure 2 below sets out the detailed responsibilities of internal audit for facilitating the management of operational risk.

OPERATIONAL RISK MANAGEMENT STR