
Content provided in partnership with
Thomson / Gale

Operational risk at Zions Bancorporation

The RMA Journal, Nov 2002, by David Stone


Each step of the methodology is briefly described below:

1. Objectives. To enter/edit risk data, a user clicks on the Risk Data tab and selects the desired business unit. Then, on the Objectives screen, the user can select a previously entered business objective or create a new one. Objectives receive a name, category description, and a performance measure that indicates when they are achieved. Measures include both a current state and a goal. A measurement file can be attached or a link established to provide dynamic updates on goal performance.

2. Risks. On the Risk tab, a user enters the threats to business objectives. The Risks screen enables the user to name, categorize, and describe the risks, and to indicate risk ratings (severity, frequency, and direction) based on previously set business rules. These ratings result in an automatically calculated risk score used for reporting and analysis. Users are also encouraged to enter rationales and key risk indicators (KRIs) for severity, frequency, and direction. Workflow alerts can then be established to trigger automatic notifications when KRI thresholds are breached. The Risks screen also includes a section for recording loss data, allowing the enterprise to build its own loss database. Loss data can be entered manually, or automatically uploaded/fed from other systems.

3. Controls. Moving to the Controls screen, the user rates the effectiveness of controls in mitigating risk. Key controls for People, Systems & Processes, Vendors, and Other are listed and assessed. An Overall Control score and Residual Risk score are then calculated. As with the Risk tab, KRIs for control effectiveness can be entered with either internally driven or externally benchmarkable triggers. Based on the severity of control gaps, a business unit is encouraged to, or must, take action to close the gap. For example, if the gap is not large, a business/department might decide to forgo taking action at that time. The Controls tab also contains an interface to Corporate Insurance so that Insurance receives an alert with complete risk information whenever a new risk is entered into the system or when residual risk ratings change.

4. Actions. On the Actions screen, a user enters actions to mitigate risk, the individual with ownership for the action, and the date for completion. Action status and reason codes are also entered and tracked. Actions can even be assigned to those who do not use the system. For example, nonsystem users would receive an e-mail alert with appropriate risk detail and contact information.

The system's tabbed design makes it easy to gather information quickly. Fields are arranged in a logical order so users can define their business objectives, identify and rate the risks to those objectives, assess controls, and track actions necessary to mitigate risks. Data is entered once and is easily recalled when needed.

Scoring. As noted above, users rate risks and controls from a defined list of drop-down ratings. The methodology is intuitive: risk - controls = residual (net) risk. Behind the scenes, over 400 residual risk score options are possible, making it easy to derive the top 10 risks at a corporate level or by business line, product, process, or risk category.