  • 4. Risk Management Evaluation Questionnaire

    This Operational Risk Management Evaluation Questionnaire is designed to provide a tool to assist banks within the Kingdom in assessing and quantifying the adequacy of their programs for managing and financing operational risk. It is not a detailed questionnaire, but covers the main areas of importance in the implementation and management of an effective operational risk management program within the bank.

    For this assessment to be both accurate and objective, the questions should be completed by staff who have an appreciation of overall operational risk management and of the implications of the questions for the bank's operations and financial planning, but who do not have day-to-day responsibility for either major operational areas or for the institution's insurance program. Involvement of Internal Audit personnel may provide technical assistance in assessing operational risk and controls as well as help to ensure objectivity in the survey process.

    There is no "pass" or "fail" score for this Questionnaire. Primary questions are designed to elicit a "yes" or "no" answer. A written response or comment may be given to any question where the institution uses a different approach from the one stated to address the issue, or where it is felt that there are other considerations which should be brought to management's attention. The questionnaire is divided into four sections:

    • (1)    Management oversight

    • (2)    Risk Assessment

    • (3)    Operational Risk Reduction and Control

    • (4)    Insurance Options

    The scope of all answers should include both domestic and foreign operations, i.e. inside and outside Saudi Arabia.

    • 1. Management Oversight

      (YES / NO / COMMENTS)

      1. Has the Bank developed an Operational Risk Management Plan outlining objectives, policies, and standards?

      1.1 If yes to 1, has this plan been:

      *   Formally approved in writing by the Board of Directors?
      *   Disseminated in writing by senior management?
      *   Reviewed on at least an annual basis?

      2. Have annual Operational Risk Management Program Goals been established in terms of measurable organizational objectives where possible (e.g., a 50% reduction in branch fraud, a 15% reduction in credit card losses, etc.)?

      2.1 Is the Plan formally evaluated against these Goals on at least an annual basis by the Board of Directors?

      3. Has an Operational Risk Manager been appointed to address overall operational risk management and financing issues within the bank?

      3.1 If yes to 3, is this a full-time position?

      3.2 If yes to 3, does this individual:

      *   Have clear and specific responsibility for operational risk assessment, risk management, and risk financing activities within the bank?
      *   Have a written position description?

      4. Has an Operational Risk Management Committee been formed to assist the Operational Risk Manager in assessing, planning, and managing operational risk management activities?

      4.1 If yes to 4, are all major operational and staff areas of the bank represented on the committee? Specify the areas represented, e.g. Internal Audit, Treasury Operations, Credit Card / ATMs, etc.

      4.2 If yes to 4, does the Committee meet on at least a quarterly basis?

      4.3 If yes to 4, does the Committee report to the Chief Operating Officer?

      4.4 If yes to 4, does the operational scope of the Committee include consideration of:

      *   Fraud, forgery, and other criminal risks?
      *   Professional and client-related liability exposures?
      *   Risks associated with legal and regulatory non-compliance?
      *   Political risk?

    • 2. Risk Assessment

      (YES / NO / COMMENTS)

      1. Is there an inventory of the institution's tangible and intangible resources which may be subject to operational risks? These may include:

      *   Physical Assets (e.g. physical plant, systems, real estate, etc.)
      *   Financial Assets (e.g. cash, securities, negotiable instruments, etc.)
      *   Human Assets (e.g. employees, officers, directors, customers, shareholders, vendors and contractors, etc.)
      *   Intangible Assets (e.g. reputation, goodwill, etc.)

      2. Have the operational risks arising from new acquisitions, divestitures, expansions, or downsizing been identified? These may include:

      *   Physical Assets (e.g. physical plant, systems, real estate, etc.)
      *   Financial Assets (e.g. cash, securities, negotiable instruments, etc.)
      *   Human Assets (e.g. employees, officers, customers, shareholders, vendors and contractors, etc.)
      *   Intangible Assets (e.g. reputation, goodwill, etc.)

      3. Can the bank identify actual and potential loss exposures and risk events for all products and services currently being offered or proposed for implementation? Such risks may include:

      *   Criminal acts including fraud, forgery, robbery, burglary and counterfeiting?
      *   Direct loss from injury to or sickness of personnel?
      *   Loss or compromise of information / data?
      *   Direct loss of or damage to physical property?
      *   Consequential loss and/or loss of use?
      *   Customer contractual liability?
      *   Tort and product liability?
      *   Statutory and regulatory liability (legal and regulatory compliance)?
      *   Political risk and regulatory instability?

      4. On at least an annual basis, are formal qualitative and quantitative analyses conducted to measure the level of current operational risk? Do these analyses include:

      *   Judgmental risk estimates by senior staff and operational managers based on the probable and maximum severity costs of a single occurrence and/or aggregate losses in a single year?
      *   Assessment of risk event probabilities by senior managers and operational personnel?
      *   Review of available loss data from other banks and institutions, both within the Kingdom and internationally?
      *   Maintenance of a database of incident reports and of exposure and loss history for both insured and uninsured losses?
      *   Comparison of past losses and loss ratios to the premium and exposure bases?
      *   Analysis of trends, reporting, and payment patterns for past losses?
      *   Decision and event tree analysis?
      *   Scenario development (including "worst case" analyses)?
      *   Frequency and severity analyses and projections?
      *   Preventive measures in place?
    • 3. Operational Risk Reduction and Control

      (YES / NO / COMMENTS)

      1. Have formal written programs of operational risk and loss control, including risk assessment and control matrices, been developed for all operational and staff areas?

      If yes to 1, do these programs include:

      *   Proprietary and confidential data?
      *   Physical security of the bank's premises?
      *   Branch fraud prevention and awareness?
      *   Credit card, ATM, trading, and payment systems fraud?
      *   Software piracy and patent / copyright infringement?
      *   Information Systems Security?
      *   Product and service quality assurance?
      *   Adherence to customer contractual obligations?
      *   Compliance with regulatory and statutory requirements within Saudi Arabia?
      *   Others as applicable?

      2. Does the Operational Risk Management function provide central direction and coordination for operational risk management, loss control and risk financing programs within the institution? Does its scope include:

      *   Timely reporting of losses to senior management, SAMA, insurance carriers, and law enforcement (when appropriate)?
      *   Complete investigation of losses in conjunction with internal audit, the bank's security department, insurance carriers and law enforcement (when appropriate)?
      *   Written claims handling procedures for line and staff personnel as well as for both in-house claims personnel and external claims handling services?
      *   Review of claims files and investigative procedures?
      *   Coordination of claims and follow-up on all open claims?
      *   Periodic qualitative evaluation of the overall claims handling process?

      3. Has the institution developed penalty/reward systems? Do these systems include:

      *   Regularly scheduled comparative evaluation of the loss records of the various units?
      *   Monetary and non-monetary incentives?

      4. Has a formal program of operational risk control training been established which emphasizes responsibility and accountability for the control of operational losses?
         
    • 4. Insurance Options

      (YES / NO / COMMENTS)

      1. Is there a written corporate risk financing policy which defines the methods to be used by the bank for insuring itself, considering all the methods available, e.g. conventional insurance, loss retention guidelines, parent captive, risk retention group, finite insurance, etc.?

      1.1 Has this policy been approved by the Board of Directors?

      1.2 Does this policy address loss retention guidelines by considering the following:

      *   Effect of risk financing options on earnings, budgets and balance sheet?
      *   Risk aversion (loss tolerance) of management and the Board of Directors?
      *   Relative cost of risk funding options in the existing market?
      *   Projection of expected operational losses and possible variance from expected levels?
      *   Statutory, regulatory, or contractual limitations on risk retention?

      2. Are all corporate risk financing policies and guidelines formally reviewed by the Board of Directors on at least an annual basis?

      3. Are internal risk financing options (self-insurance) used which are commensurate with the financial resources of the institution, the dispersion (or aggregation) of risk, and established policy? Do these options include:

      *   Contractual transfer of risk?
      *   Unfunded retention:
          -   Straight deductibles?
          -   Aggregate deductibles?
          -   Allocation of small / high-frequency losses directly to the responsible units?
          -   Absorption of large and/or random losses at the corporate level?
      *   Funded retention?
      *   Single parent captives?

      4. Are conventional insurance options analysed? Do these options include:

      *   Conventional insurance:
          -   Banker's Blanket Bond?
          -   Electronic and Computer Crime coverage?
          -   Directors and Officers (D&O) Liability coverage?
          -   Professional Indemnity coverage?
          -   Environmental Liability?
      *   Risk retention groups, group captives and risk sharing pools?
      *   Agency captives?
      *   Rent-a-captive?
      *   Finite risk financing?

      5. Do formal policies and procedures exist to coordinate conventional insurance, group captives, risk pooling, finite risk, etc. with internal financing options, e.g. deductibles, losses and deductible sharing within the groups, etc.?

      6. On at least an annual basis, is a formal market review of conventional insurance done? Does this review include:

      *   Market capacity?
      *   Terms, conditions, and flexibility of coverage?
      *   Cost?

      7. Are the results of this review formally reported to the Operational Risk Management Committee and the Board of Directors?

      8. On at least an annual basis, is a formal review of the insurance program conducted to evaluate the performance of both Underwriters and Brokers? If yes, does this review include:

      Underwriters:
      *   Financial stability?
      *   Claims payment record?
      *   Responsiveness to the institution's coverage needs?
      *   Premium structure and pricing?
      *   Quality of program administration?

      Brokers:
      *   Professional competence and value added?
      *   Fee for service / negotiated commission?
      *   Performance parameters established by written agreement?
      *   Annual review of performance against contractual obligations?
      *   Quarterly progress reports / review sessions?
      *   Claims handling records?
      *   Quality of program administration?

      9. Does the bank maintain a direct relationship with its Underwriters (both primary insurers and reinsurers)?

      10. On at least an annual basis, does the bank review its exposure to catastrophic risk (i.e. "long tail" risks which exceed existing risk financing measures and cause significant impact to the balance sheet and/or share price)?

      10.1 Are these findings reviewed by both senior management and the Board of Directors?

      11. Are appropriate measures taken to secure protection for catastrophic losses? Do these measures include:

      *   Use of highly qualified and specific indemnities (e.g. customer contractual, governmental, etc.)?
      *   Use of global insurance markets to secure specific catastrophe coverage in excess of primary limits?
      *   A plan for post-funding potential losses in excess of purchased protection?
      *   Pre-loss reserving and finite insurance programs?