Operational Risk Management at IDFC

2011-06-30T04:17:00.000-07:00

Background

Risk management is an increasingly important business driver and stakeholders today are much more concerned about risk. Risk today can be a driver of strategic decisions, or a cause of uncertainty in the organization or it may simply be embedded in the activities of the organization. An enterprise-wide approach to risk management enables an organization to consider the potential impact risks on all processes, activities, stakeholders, products and services. Implementing a comprehensive approach results in an organization benefiting from what is often referred to as the ‘upside of risk’.
The global financial crisis in 2008 demonstrated the importance of risk management. Since then, businesses globally have become more sensitive to effective risk management and are increasingly embracing initiatives to manage the risk at enterprise level.
Operational Risk Management (ORM) is defined as the process of planning, organizing, leading and controlling the activities of an organization in order to minimize the effects of risk on its capital and earnings.
ORM is a new approach to risk management which differs from traditional ones in terms of focus, objective, scope, emphasis and application. Under the new approach, the uncertainties that can affect both tangible and intangible assets of the organization are taken into account. Hence, ORM helps aligning organization’s strategies, people, processes, technology and knowledge, so that the company is well equipped to handle risk.
A successful Operational Risk Management (ORM) initiative can have positive impact on the likelihood and consequences of risks that may materialize during the period. It can also result in making better informed strategic decisions, successful delivery of change, reduced operational losses and increased operational efficiency.
By addressing the need for internal control measures, ORM helps your organization anticipate and manage uncertainties better. It also enhances the enterprise’s value in following ways.

Creates sustainable competitive advantage.
Optimizes risk management cost.
Improves business performance.

Implementation Methodology
We have started implementation of ORM at Infrastructure Development Finance Company Ltd (IDFC) considering that ORM is a journey, not a destination. It represents a sea change in organizational attitude and behavior. Adoption of ORM is a process of creating better awareness, creating risk management framework, institutionalize risk management system and ultimately driving ownership throughout the organization. What makes it challenging is that the individual perspectives on risk differ, hence need for creating a common language of risk across the organization.
Operational Risk in IDFC is defined through its Group Operational Risk policy. The Group Operational Risk Policy articulates management’s expectations on how Operational Risk should be managed within the Group.
The scope of Operational Risk Management covers all exposures and events relating to failures be it people, processes, systems and impact of external events. The risks are managed within a comprehensive framework that ensures effective management of events and exposures, regardless of cause and enables consistent deployment across all businesses and functions.
IDFC has defined Operational Risk Management and Assurance Framework (ORMAF) which articulates a consistent approach to Operational Risk Management and its assurance across the Group. This framework defines the way in which risks are managed, Operational Risk policies and controls are assured, effective governance is exercised as well as the key role required to manage the underlying processes.
ORMAF comprises the following 6 components:

Scope: The scope of ORMAF is executed at 3 levels: Group, Business / Function and unit. Each level comprises of risk domains. The risk domain owners are responsible for the effective execution of ORMAF in their respective risk domains.
Governance: Operational Risk governance ensures consistent oversight across all levels regarding the execution and effectiveness of ORMAF.
Risk Management: Operational Risk Management refers to the end-to-end process i.e. identification to resolution, that ensures Operational risks are effectively managed from the time they are identified to the time the risks are mitigated down to the residual levels, within the established Operational Risk tolerance limits of the Group.
Assurance: Operational Risk assurance provides stakeholders with the assurance that regulations, policies and controls are complied with and that risks are effectively mitigated and controlled under ORMAF.
System: "Legatrix" technology platform that facilitates Operational Risk Management:
Currently Legatrix platform which:
- Allows real-time tracking and monitoring of all types of risks.
- Provides precise information on activities, risks and controls to all.
- Has the capability to track, understand and manage information across the organization.
- Generates risk heat maps at all levels of the business.
- Shows the list of open issues at any point of time.
- Enables setting up central repository for all policy and procedures.
- Enables standardizing of all group policies and procedures.
- Provides trend analysis on risk history to take proactive measures.

Automation of ORM Framework
Operational risks are identified and assessed at the business/function level, where controls and mitigation plans are put in place and the mitigation progress is monitored. Each risk is graded into different categories (High, Medium or Low) by the business unit. Business Head along with key process owners validate and ensure that the risk grades assessed by its members are appropriate, ownership of the mitigation actions is assigned and progress of actions is monitored to closure.
The action/mitigation plan can be assigned to different departments and functions for implementation and in case of conflicts; it is resolved at business head level.
Automation can play a big part in monitoring the risks at regular intervals.
Risks, which are graded High or Medium, are visible on the dashboard of Group level operational risk committee. A dynamic heat map is generated to show the risks on BORC dashboard.
At Group level operational risk Committee risks escalated by Business untis are assessed and their mitigation plans are tracked. This committee ensures that appropriate ownership is assigned to the controls and mitigation plans, and provides progress updates to the Management.
Overall, we have adopted following approach for implementation of Operational Risk Management at IDFC:

Laid down clear objectives bearing in mind our company’s capabilities and culture.
Developed an ORM plan and set priorities for implementation. Discussed the plan with our team members and sought their opinion.
Studied the desired framework that would be satisfy the business requirements for managing risks in conducting business at IDFC.
Evaluated relevant risk management frameworks and systems that adhere to the framework.
Some of the key considerations during this evaluation process were flexibility, scalability and coverage.
Selected ORM platform and customized it as per our requirements.
Delegated responsibilities for the role of designing, building and monitoring the implementation process.
Integrated risk management process with our business plan.
Factored future goals and capabilities for managing critical risks.

As described above, the automation is of great value in consistent monitoring of risks and tracks the movement towards criticality. We were looking for a solution that would

Be flexible to institutionalize complex organization structure of IDFC.
Be able to provide Alerts as part of the risk escalation.
Enable a user friendly entry and maintenance of risk registers.
Have role based access to different users.
Provide Comprehensive risk reporting.
Generate Dynamic heat map.

We evaluated different options which offer either part of full functionality. We zeroed in on ‘Legatrix’ developed by Legasis Services Pvt Ltd, a Pune based Legal Support Services Company and successfully rolled out Legatrix within IDFC. The manual risk registers have been converted into Legatrix.
ORM is a journey and we in IDFC will keep on making ORM stronger and stronger using ORM automation tools like Legatrix.

DEBASHIS ROY

Infrastructure Development Finance Company Ltd

Blog

Operational Risk Management at IDFC