1、1,Operational Risk Management Trainingfor China Construction Bank (CCB)中国建设银行(CCB)操作风险管理培训,January 4th, 2005,August 2009,2,In this training program, you will learn about: 在这次培训中,各位将了解以下内容:Risk Management Importance & Approach at Bank of America 风险管理的重要性和美国银行的风险管理方针Corporate Governance at Bank of Ame
2、rica 美国银行的公司内部监控Detailed Definition and Subcategories of Operational Risk 操作风险的详细定义和子类别BASEL Requirements for Operational Risk 巴塞尔协议对操作风险的要求Industry Operational Risk Management Practices 操作风险管理的行业做法Operational Risk Management at Bank of America 美国银行的操作风险管理制度Examples of Policies, Tools & Reports 政策、工
3、具及报告范例Loss Data Policy 损失数据政策Line of Business Self Assessment (LOBSA) Tool 业务线自我评估(LOBSA)工具Operational Risk Review (ORR) Report 操作风险审查(ORR)报告,Training Goal: 培训目标:Provide an understanding of operational risk as well as our operational risk management program and how it fits into the overall corporate
4、 risk management governance structure at Bank of America. 理解操作风险的涵义,理解美国银行的操作风险管理制度以及美国银行的操作风险管理制度如何与美国银行集团总体风险管理结构相衔接。,Operational Risk Management Training 操作风险管理培训,3,January 4th, 2005,Risk Management Importance & Approach at Bank of America操作风险管理的重要性和美国银行的操作风险管理方针,4,Risk Management Importance & Ap
5、proach操作风险管理的重要性及方针,In order to realize our vision of becoming the worlds most admired company, Bank of America must build managing risk and reward to a competitive advantage. Risk management is a critical component of our strategy for growth.为了实现我们成为世界最受钦佩公司的目标,美国银行必须建立具有竞争优势的风险回报管理。在我们的发展战略中,风险管理是
6、一个关键的组成部分。The foundation of our approach to managing risk is individual accountability. The job of managing risk resides with every individual associate at Bank of America.个人问责是我们风险管理方针的基石。美国银行的每个员工都有管理风险的职责。We take a comprehensive approach to managing risk and reward.我们采取全面的风险回报管理方针。We have integra
7、ted risk management with strategic, financial, customer, and associate planning processes so that goals and responsibilities are aligned across the company.我们采取综合性的风险管理模式,通过战略、财务、客户和员工规划流程保证全公司上下目标和责任的统一。We use a holistic approach by:我们采用整体性方针:Managing risk and reward within individual business unit
8、s, products, services and transactions, and在具体的业务单位、产品、服务和交易的内部进行风险和回报的管理Managing risk and reward across the enterprise.集团作为整体进行风险和回报的管理,5,January 4th, 2005,Corporate Governance 公司内部监控,6,Corporate Governance - Risk Governance公司内部监控 风险的内部监控,Risk governance is about managing risk and reward to grow.风险
9、的内部监控就是着眼于发展,对风险和回报进行管理。Risk governance includes both cultural and structural elements.风险的内部监控包括文化和结构层面的元素。Bank of America categorizes risks into four categories: credit, market, operational, and strategic risk.美国银行将风险分为四类:信用、市场、操作和战略风险。Compliance is core to all aspects of risk management.合规是所有风险管理工
10、作的核心。,These risks will often overlap with each other creating situations that involve more than one type of risk这些风险往往彼此重叠,造成涉及一种风险类型以上的局面,战略风险,信用风险,合规,操作风险,市场风险,影响,信誉客户、员工及股东,7,Corporate Governance - Risk Definitions公司内部监空 风险的定义,Bank of America uses the following definitions for the various risks i
11、ncurred during the normal course of business: 美国银行按以下方式定义正常经营过程中发生的各种风险:,Credit Risk The risk related to the inability of a customer, client or other party to meet its repayment or delivery obligations under previously agreed upon terms and conditions. Credit risk can also arise from operational fai
12、lures that result in an advance, commitment or investment of funds.信用风险因顾客、客户或其他方无法按约定的条款和条件履行还款或履约义务的风险。造成资金预付、承诺或投资的操作失败也可能导致信用风险。Market Risk The risk that values of assets and liabilities or revenues will be adversely affected by changes in market conditions, such as market movements. These risks
13、 arise from positions taken for customers or for corporate purposes, such as liquidity management.市场风险资产、负债或营业收入的价值因市场行情变化而受到负面影响的风险,例如市场波动。这些风险来自于为客户持有或公司自行持有的目的,例如公司为了进行流动性管理而持有的目的。Strategic Risk The risk that adverse business decisions, ineffective or inappropriate business plans or failure to re
14、spond to changes in the competitive environment, business cycles, customer preferences, product obsolescence, execution and/or other intrinsic risks of business will impact the companys ability to meet its objectives.战略风险因为不利的业务决定、无效或不恰当的业务计划或因未能适应竞争环境的变化、商业周期、客户喜好、产品过时、执行和(或)业务的其他内在风险而使公司实现目标的能力受到影
15、响。,8,Corporate Governance - Risk Definitions (cont.)公司内部监控风险的定义(续),Operational Risk The risk of loss resulting from inadequate or failed internal processes, people, systems or external events. Operational risk also encompasses the failure to implement strategic objectives and initiatives in a succes
16、sful, timely and cost-effective manner.操作风险因内部流程不充分或失灵、人员、系统或外部事件而造成损失的风险。操作风险包括未能以成功、及时、具有成本效益的方式实施战略目标和行动计划。Operational risks are inherent to every business, product, service, and function within the Bank and, as such, every line of business and every associate is accountable for managing operatio
17、nal risk in day-to-day responsibilities.操作风险是银行内部每项业务、产品、服务和职能都固有的风险,因此每个业务线和每个员工的日常职责中都包括操作风险的管理。Examples of operational risks include: 操作风险范例: Processing errors / defects 业务处理中出现错误/瑕疵 Check kiting 空头支票 Natural disasters hurricanes, flooding 自然灾害飓风、洪水 Information breaches 信息安全事故 Customer product su
18、itability 客户的产品适合性 Money laundering 洗钱 Discrimination 歧视 Vendor relationships 供应商关系,9,January 4th, 2005,Operational Risk Detailed Definition操作风险详细定义,10,Operational Risk - Four Subcategories操作风险四个子类别,Operational risk is further defined by the following subcategories of risk:操作风险可进一步定义为以下风险子类别:Process
19、 Risk 流程风险People Risk 人员风险Systems Risk 系统风险External Risk 外部风险These operational risk subcategories include all aspects of execution in our business plans and processes.这些操作风险子类别包括业务计划及流程执行的所有方面。Regulatory and legal issues can be associated with any or all of the risk subcategories.监管及法律问题可归入任何或所有这些风险
20、子类别。,11,Operational Risk - Process Risk Detail操作风险流程风险的细节,Process Risk The risk arising from products and services or changes not being documented, processed or executed effectively or efficiently. Process risk also includes the risk associated with the failure to record and report financial and man
21、agement information in a complete, accurate, and timely manner.流程风险因为对产品、服务或变化没有切实有效地制作文档记录、处理或执行所造成的风险。流程风险还包括与未能以完整、准确和及时的方式记录和报告财务及管理信息有关的风险。Examples of process risk include: 流程风险范例:A step in check processing is inadvertently omitted and results in a customer statement error. 意外遗漏支票处理流程的一个步骤,造成客户
22、对账单出现错误。Inadequate Anti-Money Laundering (AML) controls make us vulnerable to money laundering schemes. 反洗钱(AML)控制措施不充分,造成我们的反洗钱机制出现漏洞。A lien is not perfected, thus providing us with no rights to the collateral upon default of the credit. 留置权没有得到完善,造成信贷违约后我们无权处置抵押品。,12,Operational Risk - People Risk
23、 Detail操作风险人员风险的细节,People Risk The risk that business needs may not be met due to management failure, deficiencies in organizational structure, inadequate human resources or other human resources failures, including unexpected turnover, untrained personnel, or internal and external fraud.人员风险因管理上的不足
24、、组织结构的缺陷、人力资源不充足或人力资源方面的其他不足造成业务需求无法得到满足的风险。Examples of people risk include: 人员风险范例:Excessive associate turnover that results in a loss of institutional knowledge. 员工流失率过高,造成机构的知识损失。Associate morale issues that seriously impact business capability. 严重影响业务能力的员工士气问题。Associate circumventing check ident
25、ification procedures to commit a fraud. 员工绕开支票查验程序,进行欺诈活动。,13,Operational Risk - Systems Risk Detail操作风险系统风险的细节,Systems Risk The risk arising from deficiencies, complexities and instability of systems or technology that support business activities. System initiatives can also involve both technology
26、 and processing risk. This is an example of the overlapping relationships between types of operational risks.系统风险因业务活动支撑系统或技术的缺陷、复杂性和不稳定而造成的风险。系统行动计划也可能同时涉及技术及处理风险。这是不同类型操作风险彼此重叠的一个范例。Examples of systems risk include: 系统风险范例:Insufficient testing of new technology that results in a system failure, pr
27、ogram inadequacies, or other errors such as Automated Teller Machines (ATMs) declining customer transactions, incorrect balances being displayed on Online Banking, etc. 对新技术测试不足,造成系统故障、软件程序缺陷或其他错误,例如自动提款机(ATM)拒绝客户的交易、网上银行显示的余额不正确等。Inadequate information security controls allow inappropriate access t
28、o customer information (e.g., a file transmitted outside of the bank is not encrypted and is intercepted or “hacking”).信息安全控制措施不充分,导致客户信息泄露(例如,向银行以外传送的文件没有加密,因而遭截获或“攻击”)。An associate decides to install a non-bank-approved device to their computer, or downloads software that is corrupted, causing a v
29、irus that disables their computer or network server.一名员工决定私自在电脑上安装银行没有批准的设备或下载包含病毒的软件,引入造成电脑或网络服务器瘫痪的病毒。,14,Operational Risk - External Events Risk Detail操作风险外部事件风险的细节,External Events Risk The risk arising from factors outside the companys direct control, including risks associated with vendors, all
30、iances and service providers, as well as political, social, cultural, environmental factors.外部事件风险因公司直接控制以外的因素造成的风险,包括与供应商、联盟伙伴和服务提供商有关的风险,以及政治、社会、文化、环境因素。Examples of external events risk include: 外部事件风险范例:A key supplier goes out of business and we can no longer obtain a critical product. 一个关键供应商破产停
31、业,造成我们无法再获得一种关键的产品。Natural disasters temporarily shut down our banking centers. 自然灾害造成银行业务中心暂时关闭。Changes in laws and regulations that require us to change our processes or place additional burden on our existing processes. 因为法律和法规的变化,我们必须修改流程或额外增加现有流程的负担。,15,January 4th, 2005,BASEL Requirements for
32、Operational Risk巴塞尔协议对操作风险的要求,16,Operational Risk - BASEL Requirements操作风险巴塞尔协议的要求,POLICY: 政策Implement policies and procedures that describe the major elements of the operational risk function including identifying, measuring, monitoring and controlling operational risk.制定实施描述操作风险职能主要元素的政策和规程,包括操作风险
33、的识别、测量、监督和控制。REPORTING: 报告Report risk exposures and loss data to the board of directors and senior management. 向董事会和高级管理层报告风险暴露和损失数据。Reporting must be at line of business (LOB) and enterprise level covering risk exposures, loss data, business environment and internal control assessments, and be prod
34、uced at least quarterly.报告必须在业务线(LOB)和集团级别上进行,覆盖风险暴露、损失数据、业务环境和内控措施评估,至少每季度报告一次。Report relevant enterprise level risk information to the board of directors and senior management.向董事会和高级管理层报告相关的集团级风险信息。,17,OPERATIONAL LOSS DATA COLLECTION: 操作损失数据的搜集:Demonstrate collection of internal loss event data,
35、 relevant external loss event data, internal and environmental risk control factors and scenario analysis results, to support the analytical framework.建立搜集内部损失事件数据、相关的外部损失事件数据、内部及环境风险控制因素和情境分析结果的体系,为分析框架提供支持。Document standards for the collection and modification of the elements of the analytical fra
36、mework.制定分析框架各元素的数据收集和修改标准文件。Map internal risk losses to the Basel seven loss event types.巴塞尔协议规定七类损失事件类型对内部风险损失进行分类。Set enterprise threshold for classifying operational losses as loss events. 设定集团将操作风险损失划分为损失事件的下限值。Treat risks consistently enterprise-wide. Treat credit risk related losses as credit
37、 risk for regulatory capital purposes. 集团执行统一的风险处理方式。计算监管资本时,与信用风险有关的损失作为信用风险处理。Capture at least 5 years of internal loss data across all business lines, events, products and geographic locations. 至少搜集各业务线、事件、产品和地点5年的内部损失数据。,Operational Risk - BASEL Requirements (cont.)操作风险巴塞尔协议的要求(续),18,Operational
38、 Risk - BASEL Requirements (cont.)操作风险巴塞尔协议的要求(续),RISK ASSESSMENT: 风险评估:Document policies and procedures that provide for use of external loss data in the operational risk framework. 制定关于在操作风险框架内使用外部损失数据的政策和规程文件。Management must review external data to ensure understanding of industry experience.管理层必
39、须审核外部数据以确保理解行业经验。Implement process to identify and assess business environment and internal control factors.实施鉴别和评价业务环境和内控因素的流程。Compare results of risk assessments against actual operational losses.对照实际的操作损失,比较风险评估的结果。Use advanced data management practices to qualify for Advance Measurement Approach
40、 (AMA) treatment. 采用先进的数据管理做法,使数据具备采用高级测量法(AMA)进行处理的条件。SCENARIO ANALYSIS: 情境分析:Establish policy and procedures determining how scenario analysis will be incorporated in the operational risk framework. 制定关于确定如何将情境分析纳入操作风险框架的政策和规程。Use a combination of internal loss data, relevant external data, risk a
41、ssessments and scenario analysis in the operational risk framework. 在操作风险框架中组合使用内部损失数据、相关的外部数据、风险评估和情境分析。TESTING AND VALIDATION: 测试和验证:Test the accuracy and appropriateness of the operational risk framework and results.测试操作风险框架和结果的准确性和适当性。Test and verify results independently of the operational risk
42、 management function and the lines of business. 结果的测试和验证要独立于操作风险管理职能部门和业务线。,19,Operational Risk - BASEL Requirements (cont.)操作风险巴塞尔协议的要求(续),ANALYTICAL FRAMEWORK: 分析框架:Document the appropriateness of explicit and embedded dependence assumptions. 以书面文件的方式记述明显及隐含的依赖性假设的恰当性。Document standards for the co
43、llection and modification of the elements of the analytical framework. 制定分析框架各元素的数据收集和修正标准文件。Establish appropriate operational risk data thresholds. 建立适当的操作风险数据下限。Implement a comprehensive operational risk analytical framework that provides an estimate of the institutions operational risk exposure.
44、实施估算机构操作风险暴露的全面的操作风险分析框架。Document rationale for all assumptions underpinning the analytical framework and any subsequent changes to these assumptions. 以书面文件的方式记录分析框架所有基础假设的依据以及对假设的任何后续修改的依据。Capital requirement for operational risk will be the sum of expected and unexpected losses unless the institut
45、ion can demonstrate, consistent with supervisory standards, the expected loss offset. 操作风险的资本金要求是预期和非预期损失之和,除非金融机构能根据监管标准证明预期损失可以得到抵消。Operational risk exposure results may be reduced by no more than 20% to reflect the impact of risk mitigants. 为了反映风险减少因素的影响,可缩减操作风险暴露的估算结果,但最高不超过20% 。,20,Operational
46、Risk - BASEL Requirements (cont.)操作风险巴塞尔协议的要求(续),GOVERNANCE: 内部监控:Include an independent enterprise operational risk function, line of business oversight and independent testing and verification as part of the operational risk framework.作为操作风险框架的一部分,建立独立的集团操作风险职能部门、业务线监督机制和独立的测试及验证机制。Board of direct
47、ors must oversee the operational risk framework. Management roles and responsibilities must be clearly established. 董事会必须监督操作风险框架。必须清楚地确定管理角色和责任。The board of directors and management are responsible to ensure appropriate resources are allocated to support the operational risk framework. 董事会和管理层负责确保分
48、配适当的资源以支持操作风险框架。Establish an independent operational risk management function that oversees the enterprise operational risk framework. 建立独立的操作风险管理职能部门,负责集团的操作风险框架。Line of business management are responsible for day to day management of operational risk within each business unit. 业务线管理层负责各业务单位内部操作风险的
49、日常管理。Line of business management must ensure that internal controls and practices within their business are consistent with enterprise policies and procedures. 业务线管理层必须本业务线内部的确保内部控制措施和做法符合集团的政策和规程。The internal control structure must meet or exceed minimum regulatory standards established by the regulatory agencies. 内控结构必须达到或超过监管机构制定的最低监管标准。The operational risk framework must use the regulatory definition of operational risk. 操作风险框架必须采用监管机构对操作风险的定义。,
