Day One: Setting the Framework and Appetite

Session 1: Operational Risk Framework

Operational Risk Definition and Characteristics
Some risk frameworks: ISO, COSO, large banks and insurance companies
Three lines of defence and three levels of Operational Risk Management: Strategic, Tactical, Dynamic
SMA and regulatroy changes in Operational Risks
The ORM pyramid: which level are you at?

Group work: the ORM pyramid: define and discuss the maturity level of your ORM

Session 2: Risk Identification

Tools and techniques for risk identification
Exposures and Vulnerabilities
The Risk Wheel
Value drivers and reverse stress testing
Risk register: a list
Risk connectivity: network of risks

Class Exercise: identify your top risks and class feedback

Session 3: Actionable Risk Appetite
Industry guidance on Risk Appetite
Template for actionable Risk Appetite
Risk Appetite Statements: Features and Examples
Cascading Risk Appetite: RCSA & Indicators

Class discussion and exercises: Formulate  risk appetite & tolerance statements for two of your top risks

Session 4: Risk and Control Self Assessments

Definition and rules for RCSAs
Tool: Impact / probability matrix: shapes and forms, definitions
Usage and choice when defining RCSAs: extreme cases or median cases, distribution or single points, inherent or residual risk, likelihood or frequencies
Risk rating: when and how.
Scenario analysis: RCSA on steroids

Exercise: Highlight and assess your top risks before and after controls

Day Two: Key Risks Indicators & Reporting

Session 1: Features and types of leading KRIs

Features of leading KRIs
KRI, KPI, KCI: definitions and uses.
A typology of Key Risks indicators
KRIs: metrics of risks drivers
Root cause analysis & identification of risk drivers

Case study: examples of KRIs and risk drivers per activity
Class Exercise: root cause analysis for KRI identification: the bow tie

Session 2: Root causes analysis and Control Design

Slips and mistakes: Typology and causes of human errors
Understand and treat the causes of human error
Effective vs. Illusory controls
Root cause analysis: method and benefits
Tracking the common failures and systematic patterns
Prevention by Design

Exercise: apply the bow-tie to one of your incident; share the lesssons learnt

Session 3:  Design & Governance KRIs

KRI design: frequency,  thresholds,  reporting and discipline
Selective Preventive KRIs step by step
Building on previous results
Revisiting existing metrics
Upgrade your KRIs
Reporting on KRIs: aggregating colors?
KRI Governance

Group work: identify and design your own KRIs

Session 4: Incident data collection and risk reporting

Modern issues on loss data: the regulator’s view
Data features: core losses and tail risks
Golden rules of reporting
Management information: the “reporting cake”

Highlights of best practice, Group discussion and sharing of experience

Day three: Emerging Risks, Scenario Analysis and Risk Culture

Session 1: Operational Risk Drivers and Emerging Risks

Characteristics of Operational Risk
Drivers of Operational Risks
Emerging Risks
that we all know
that we don’t know
that we should know

Session 2: Scenario Analysis and Planning

Steps and governance of scenario analysis
Tackling behavioral biases in scenario assessment
Industry practices and lists of scenarios
Assessing probabilities of rare events
Acting on Scenario Analysis

Industry examples and sharing of experience

Session 3: Implementing the Desired Risk Culture: a method

Defining Risk Culture
Acting on behaviours: the Influencer
Necessary conditions: willingness and ability
Risk Culture: DESIRE steps: Define – Inspire – Support – Enable – Reinforce - Evaluate
Assessing the risk culture

Group work: Plan your own culture change

Session 4: Conclusion & Wrap-up

What have you learnt?
What will you remember?
What will you apply?

Day 1: Embedding positive risk management

Session 1: What is positive risk management?

Risk management is as much about avoiding danger than achieving objectives
Risk management as a competitive advantage
Get buy-in with positive language

Case studies

Session 2: Embedding good risk practice – Top Tips

Use test of risk management
Key behaviours to influence
The power of effective reporting
Top tips in risk management

Sharing of experience

Session 3: Compliance and regulatory expectations

What do regulators expects?
Framerwork consistency and effectiveness
Relevant reporting
Handling regulatory interactions
Upcoming reforms

Session 4: Culture and Conduct: a method

Defining Risk Culture
Acting on behaviours: the Influencer
Necessary conditions: willingness and ability
Risk Culture: DESIRE steps: Define – Inspire – Support – Enable – Reinforce - Evaluate
Assessing the risk culture

Group work: Plan your own culture change

Day 2: Key Risks Indicators & Scenario Analysis

Session 1: Identifying and reporting leading KRIs

Features of leading KRIs
KRI, KPI, KCI: definitions and uses.
A typology of Key Risks indicators
KRIs: metrics of risks drivers
Designing and reporting on KRIs

Session 2: Root causes analysis and lessons learnt for KRIs and controls

Slips and mistakes: Typology and causes of human errors
Effective vs. Illusory controls
Root cause analysis: method and benefits
Tracking the common failures and systematic patterns
Prevention by Design

Class workshop: identify and design your own KRIs

Session 3: Scenario Analysis and Planning

Steps and governance of scenario analysis
Tackling behavioral biases in scenario assessment
Industry practices and lists of scenarios
Assessing probabilities of rare events
Acting on Scenario Analysis

Industry examples and sharing of experience

Session 4: Emerging Risks

Emerging Risks
that we all know
that we don’t know
that we should know

Conclusion & Wrap-up

What have you learnt?
What will you remember?
What will you apply?

Day One: Emerging risks and the invisible framework

Session 1: Risk identification tools and emerging risks

Tools and techniques for risk identification
Exposures and Vulnerabilities
The Risk Wheel
Value drivers and reverse stress testing
Risk register: a list
Risk connectivity: network of risks
World economic forum: risk map
Emerging risks

Class Exercise: identify the network of your top risks and class feedback

Session 2: Reorganisation risk and project management

Risk due to changes and reorganisations
The trap of cost-cutting
Invisible opportunity costs
Essentials of project risk management

Class debate and sharing of best practice

Session 3: Root causes analysis – the bow-tie

Root cause analysis: tool and method
Benefits of root cause analysis: tracking the common failures and systematic patterns
Treating causes over symptoms
Bow-tie: a most effective tool to define
Preventive and corrective controls
Leading KRIs
Risk likelihood and expected impact

Exercise: apply the bow-tie to one of your incident; share the lesssons learnt

Session 4: Implementing ORM: the invisible framework

Governance of Operational Risk
1^st line and 2d line: The partnership model
Use and reuse: The Invisible Framework
Business value of ORM

Workshop: build a business case for risk management  

Day 2: Behaviours and Controls

Session 1: Internal Controls: Human Error and Control Design

Slips and mistakes: Typology and causes of human errors (J. Reason)
HRA: Human Reliability Analysis and other methods
Understand and treat the causes of human error
Effective or Illusory controls
Prevention by Design

Group work: best and worst controls in the business: sharing of experience

Session 2: Cyber threats and information security

Cyber threat landscape
An old emerging risks
Key controls in cyber security
Physical and behavioural measures
Priorities in prevention
Lessons learnt from some incidents

Class debate and exchange

Session 3: Risk reporting and Conduct reporting

Modern issues on events and risk reporting: the regulator’s view
Analysing operational risk data: get insight, tell a story
Management information: the “reporting cake”
Aggregate and escalate risk information: your options
Conduct reporting: themes and details

Highlights of best practice, Group discussion and sharing of experience

Session 4: Implementing the Desired Risk Culture: a method

Defining Risk Culture
Acting on behaviours: the Influencer
Necessary conditions: willingness and ability
Risk Culture: DESIRE steps: Define – Inspire – Support – Enable – Reinforce - Evaluate
Assessing the risk culture

Group work: Plan your own culture change

Wrap-up

What have you learnt?
What will you remember?
What will you apply?

Day One

Session 1: Operational Risk Scope and Framework

First session to discuss the scope of the operational risk function, the framework used in the company to manage risks, what has been achieved and what is left to be done.
Discussions over a maturity model to specify where the company is and what are the objectives ahead in terms of risk management.

Scope of Operational Risk
Losses, near misses, impacts
Benchmark of operational losses to gross income
Attributes of effective risk management
Examples of Operational Risk Frameworks in Banking and Insurance
The ORM pyramid: which level are you at?

Group discussion and sharing of experience around a maturity model of ORM

Session 2: Regulation and Governance of the Risk Function

Regulatory context and regulatory expecations regarding operational risk is there to give a context.
More importantly, the session highlights the do’s and don’ts for managing the relationship with the business and running a value-adding risk function. Based on personal experience and real case studies.

Basel II and III for operational risk: regulatory expectations
Revisions of the Standardized approach
Governance: Three lines of defence
The Invisible Framework
1^st line and 2d line of defense: a partnership model (Bupa Global)
Risk management to create value

Case studies

Session 3:  Risk Identification: tools and techniques

A hands-on, practical session giving tools and techniques to risk managers to run effective risk identification workshops with the business.
Risk identification workshops are sometimes neglected, moving straight to risk assessement. The session corrects this damaging short-cut.

Tools and techniques for risk identification: how to run a risk identification workshop with the business
Risk identification using a business language
Exposures and Vulnerabilities
The Risk Wheel
Value Drivers
Reverse stress testing
Risk register and connections between risks

Group work: identify top risks and class feedback, share practices and challenges

Session 4: Effective Risk and Control Self Assessments / ORSA

RCSA in Banking, ORSA in Insurance, they constitute an essential buidling block of the operational risk framework.
Simple in apparence, succesful execution of risk assesment workshop requires method and a common understanding by all parties to produce comparable, useful results.
This session, based on more than a decade in running risk assessments workshops, teaches the essential requirements to risk professionals.

RCSA,  ORSA (Operational Risk Self Assessment)
Definition and rules for ORSAs
Impact / probability matrix, ratings, colours and risk appetite
Methodollogical choices and governance
Definitions and comparability
Running a workshop

Class exercise: running a RCSA

Day Two

Session 1: Preventive Key Risk Indicators

Key Risk indicators are my biggest area of expertise, both in training and consulting.
This session gives an overview of the essential features of preventive KRIs to avoir confusion with a tally of events. It focuses the reflection on the understanding of what causes operational risk events, to improve the preventative nature of KRIs.

Essential features of preventive KRIs
KPI, KRI, KCI? concepts and examples per activity
KRI must address risks, not events: know your risk drivers
Typology of KRIs: Environmental, Stress, Causal and Failure
KRI Design: Frequency - Trigger levels - Escalation criteria – Ownership - Data accuracy
KRI reporting and risk reporting

Class discussion:: current internal practice and existing KRIs

Session 2: Root Cause Analysis for better controls and better KRIs

Root cause analysis is possibly the most powerful tool in risk management. When pushed to its limits, it produces a comprehensive diagnosis of the failures that have led to an incident, opening the way for better controls and preventatives KRIs. It also produces effective lessons to be learnt across the organisation. The “bow-tie” is a well-known tool in the non financial industry for root cause analysis. It proves to be very popular when applied to the financial services. Participants will have a chance to apply it and evaluate its benefits. The session is supplemented by a summary of scientific research on the types and causes of human error, for a better risk mitigation response.

Root Cause Analysis: the bow tie: benefits and applications
Why do we make mistakes?
Typology and causes of human errors
Understand and treat the cause of human error
Prevention by design

Group work: perform a root cause analysis, feedback to the class

Session 3: Risk Appetite Definition, Statement and Communication

One of the roles of the risk function is to assist the Board in the definition of his risk appetite.
Every risk management should be at ease with the concept and know the basic elements of actionable risk appetite and the way to identify them.

Industry guidance on Risk Appetite
Making Risk Apptite actionable
Risk Appetite Statements: Features and Examples
Risk Appetite structure and templates
Definition and Governance: Communicating Risk Appetite
Links with the other parts of the framework

Case Studies & Structured exampels of risk appetite statements, plus class exercise: formulate risk appetite and tolerance statements for one key risk.

Session 4: Influencing Risk Culture

A soft topic for last, as an inspiration for more. Based on a personal adaptation for the Financial Services of The Influencer methodology by Patterson at al. this session highlights the drivers of motivation (personal, social, structural) combined with the necessary condition for action (willingness and ability) to develop key steps influencing organisations towards a better risk culture.

Defining Risk Culture
Acting on behaviours: the Influencer
Necessary conditions: willingness and ability
Risk Culture: DESIRE steps: Define – Inspire – Support – Enable – Reinforce - Evaluate
Assessing risk culture

Case studies and Group work: Plan your own culture change

Conclusion: learning points, takeaways and action plans
What have you learnt?
What will you remember?
What will you apply?

1.       Operational Risk Management: scope and essentials

Scope of Operational Risk
Losses, near misses, impacts
Benchmark of operational losses to gross income
Four actions of Risk Management
Attributes of effective risk management

2.        Risk Identification made simple: tools and techniques

Tools and techniques for risk identification
Exposures and Vulnerabilities
The Risk Wheel
Value Drivers

Group work: identify your top risks + class feedback

3.      Root Cause Analysis

Root Cause Analysis: the bow tie
Benefits and applications of root cause analysis
Why do we make mistakes? Typology of human errors
Effective or optmistic controls
Prevention by Design

Group work: analyse the root causes of one past incidents, the control failure and lessons learnt + class feedback

4.    Preventive Key Risk Indicators

Essential features of preventive KRIs
KPI, KRI, KCI? Concepts and examples per activity
KRI must address risks, not events: know your risk drivers
Classifying KRIs: Environmental, Stress, Causal and Failure
KRI Design: Frequency - Trigger levels - Ownership - Data accuracy

Group work: discuss your own indicators, define others if relevant + class feedback

5.      Conclusion
What have we learnt? What will we remember? What will we apply?

1.       Regulatory Context and Risk Governance

Regulatory expecations for operational risk and conduct
Risk Governance: effective and evidenced
Tone from the top
Making risk committees effective
Promoting risk culture

2.      Risk Appetite Definition, Statement and Communication

Industry guidance on Risk Appetite
Definition and Governance: Communicating Risk Appetite
Making Risk Apptite actionable: Appetite – Tolerance – Limits - Controls
Risk Appetite Statements: Features and Examples

3.      Risk Reporting and Risk Diagnosis

Essentials of Effective reporting
Risk reporting: filtering information
Escalation vs. Aggregation
Aggegrating colours
Operational risk diagnosis

1- Rappel du cadre réglementaire
Pour les activités bancaires
Pour les activités de services d’investissement
Risque de non-conformité dans la banque

2- Les principaux risques de manquement (mise en avant à l’aide d’exemples)
Corruption
Abus de marché
Délit d’initié
Conflits d’intérêts
Devoir de conseil
Réputation
Confidentialité
Connaissance du client
Abus de faiblesse
Intégrité
Usage des moyens professionnels à des fins privées

3- Rappels des points clés à respecter
Gouvernance et prise de décision
Chinese wall
Enregistrements
Devoir d’alerte

4- Mission du déontologue

5- Points divers & questions-réponses

⇒ La démarche pédagogique inclut un QCM en fin de session.

1- Introduction et définitions

2- Rappel du cadre réglementaire
Activités bancaires et de services d’investissement
Périmètre de risque de non-conformité dans la banque

3- Mesures spécifiques communes
Conflit d’intérêt et « chinese wall »
Politique de cadeaux
Politique de rémunération
Enregistrements
Droit et devoir d’alerte
Limites et délégations
Formation et sensibilisation

4- Spécificités de la lutte contre la corruption et loi Sapin II
Fraude et corruption en tant qu’infractions
Environnement de la lutte contre la corruption
Points clés de la loi Sapin II

5- Quel dispositif de contrôle interne cible pour encadrer les aspects comportementaux ?
Dispositif préventif et corpus procédural indispensable
Dispositif de contrôle et correctif
Outils informatiques et nouvelles technologies

6- Illustrations et cas pratiques
Cas pratiques : exercices + cas exposés par les participants
Présentations d‘exemples de documents type

⇒ La démarche pédagogique inclut un QCM en fin de session.

Contexte et enjeux de la conformité
Positionner la norme ISO 19600 dans le contexte normatif (ISO 9001, 31000…)
Le champ de la norme ISO 19600
La finalité d’un système de gestion de la conformité

Les concepts fondamentaux de la conformité
Risques, bonne gouvernance, parties prenantes,  politique, processus, objectifs, etc…
Mise en activité : que retenez-vous au regard du contexte de votre entreprise ?

Concevoir un système de management de la conformité avec la norme ISO 19600
•    L’environnement externe, les objectifs de l’entreprise, les prérequis, l’environnement décisionnel et la culture de l’entreprise
•    Comprendre les impacts du dispositif sur
•    la stratégie et la gouvernance de l’entreprise, 
•    l’organisation et les processus, 
•    le capital humain et le dispositif de droit social, 
•    le système d’information
•    Les rôles et responsabilités, le « leadership » de qui, pour qui ?

Mise en activité : La dynamique d’une organisation, sous l’angle de la compliance
•    Qu’est-ce qu’une culture d’entreprise ? Les éléments essentiels au bon fonctionnement d’un système de conformité
•    Définir une politique de conformité adaptée aux spécificités de l’entreprise
•    Organiser la remontée d’alerte : quels types d’alerte, quels seuils ou quelle matérialité ? Les exigences CNIL concernant l’alerte professionnelle

Mise en activité : Comment organiser la remonté d’alerte dans son entreprise ?
•    Comment s’organiser pour assurer sa veille légale et réglementaire ?
•    Quelques bases pour identifier les risques de non-compliance

Intégrer le facteur humain dans le système ISO 19600
•    Savoir conseiller et former les acteurs du dispositif
•    Maitriser sa relation avec les managers
•    Gérer la communication interne et externe
•    Gérer la documentation, la notion de preuve
•    Maitriser les activités externalisées

Les points clés pour évaluer votre dispositif et mettre en place son amélioration continue avec ISO 19600

Retour d’expériences vécues et cas de jurisprudence de mise en cause des responsables de conformité

Les "Due Diligences" sont devenues une obligation incontournable. Le niveau de jeu s'élève. L'entreprise doit maintenant s'assurer de leur pertinence et maitriser ses budgets. La formations vous permettra de comprendre les attentes des régulateurs, le processus de "Due Diligence", le marché et ses acteurs, les outils. In fine vous pourrez d'optimiser la réalisation des "Due Diligences" et mieux protéger votre entreprise, et ses dirigeants.

Module 1: Contexte et enjeux
Etat des lieux et tendances
Chiffres clés

Module 2: Panorama légal et réglementaire
Normes internationales
Normes régionales (Europe, Amériques, Asie)
Normes nationales (USA, France, Royaume-Unis, Brésil)
Enseignements de la jurisprudence

Module 3: Le processus de" Due Diligence"
Les différents modèles de due Diligence et leurs étapes
La mise en oeuvre de la due diligence dans l'entreprise
Choisir l'intensité de la due diligence en fonction du risque
Externaliser la due diligence

Module 4: Faire face à la réalité

⇒ Exercices pratiques de mise en oeuvre d'une due diligence

⇒ La démarche pédagogique inclut un QCM en fin de session.