09:10 - 10:30 Session 1: Risk Identification Tools and Emerging Risks
10:30 - 10:45 Coffee break
10:45 - 12:30 Session 2: Root Causes Analysis - The Bow-tie
- Root cause analysis: tools and methods
- Benefits of root cause analysis: tracking the common failures and systematic patterns
- Treating causes over symptoms
- Bow-tie: a most effective tool to define preventive and corrective controls and leading KRIs
- Risk likelihood and expected impact
- Class exercise: Apply the bow-tie to one of your incidents; share the lessons learnt
12:30 - 13:30 Lunch
13:30 - 14:45 Session 3: Implementing ORM: The Invisible Framework
- Governance of operational risk
- 1st line and 2nd line: The partnership model
- Use and reuse: The invisible framework
- Leverage existing practices for better risk management
- Use the language of the business
- Make ORM practicable and valuable
- Business value of ORM
- Workshop: Build a business case for risk management
14:45 - 15:00 Coffee break
15:00 - 17:00 Session 4: Information Security Assessment and Essentials of Cyber Protection
Cyber risk has been voted the top risk for the financial industry for three years in a row. This session explains how the same risk management framework can be applied to cyber risk and, more generally, to information security risk assessment. Based on real case studies, it presents a taxonomy for information security risk, the essentials of assessment and the key elements of mitigating cyber and information risk:
- Information security risk management framework
- Typology of information security risk
- Information assets inventory
- Risk assessments
- Control layering and key controls for information security risks
- Scenarios and quantification
Wednesday, June 12
09:00 - 10:30 Session 5: Internal Controls: Human Error and Control Design
10:30 - 10:45 Coffee break
10:45 - 12:30 Session 6: Risk Reporting
- Modern issues on events and risk reporting: the regulator's view
- Analysing operational risk data: Get insight, tell a story
- Management information: The "reporting cake"
- Aggregate and escalate risk information: Your options
- Conduct reporting: Themes and details
Highlights of best practice, group discussion and sharing of experience
12:30 - 13:30 Lunch
13:30 - 15:00 Session 7: Operational Risk Management for Projects
Projects and changes are commonplace in the financial industry. It is only recently that project risk has been explicitly included in the operational risk management scope. Yet the coordination between the risk function and the project management teams is not always straightforward. Based on practical successful experiences, this session suggests a framework and policy rules to assess and address operational risk on corporate projects.
- ORM policy for project management
- Project rating criteria
- Causes of project failure
- Essentials of project risk management
- Collaborations and benefits
15:00 - 15:15 Coffee break
15:15 - 16:30 Session 8: Implementing the Desired Risk Culture: a method
16:30 - 17:00 Wrap-up
- What have you learnt?
- What will you remember?
- What will you apply?