This is a high level end-to-end overview of the OR2Q system. The diagram below shows a deconstructed view of the system and its constituent components, each of which is briefly described below.

In the diagram, the upper red level is used to represent the Organisation Methodology as it pertains to both the context within which the organisation manages Risks and the approach adopted to measure and monitor these Risks. In OR2Q Application terms, the upper red level is called the Specification Shell, and is considered central to OR2Q management. Via this shell, client organisations are able to tailor OR2Q to fi t their methodology at installation and reflect updates at any time thereafter. This allows for a gradual expansion of new functionality and management concepts as and when the organisation is ready to deploy them.
It is envisaged that during the implementation phase, Amelia staff will spend several days with the organisation’s senior Risk Managers to define the client’s Risk Methodology and then configure this within the OR2Q risk assessment framework by selecting the domains that are activated, determining the permissible links between them and defining classifications to be used within each of the user domains.

“Amelia supports the Basel II proposals”

The specification shell will be flexible enough to support diverse methodologies anywhere on the qualitative: quantitative spectrum. In addition to existing measurement methodologies put forward by national banking regulators, Amelia supports constructs defined within the Basel II proposals.
The Diagram shows seven individual User Domains, which comprise the base data components of the OR2Q system. The system will enable organisations to build a complete model of their Entity Structure and Workflow via Entity and Process Flowcharts (Workflows). The system supports the use of Risks, Indicators, Controls, Action Plans, Risk Events and Review Notes that can be individually defined and linked to various other domains or into the Entity Structure. Additional domains envisioned for future releases include Policies, Human Resources, Dependencies and Opportunities. A brief description of each of these user domains is provided below.

An Entity could describe a defined unit within the organisation that may have Risks, Controls and other domains directly or indirectly associated with it. OR2Q allows organisations to develop a hierarchical model of their Entities and associated workflows. These Entities may take the form of business lines (as proposed by Basel II), business objectives, geographical areas, products or any other decomposition by which the organisation chooses to manage Risk. At any time during this process it is possible to create detailed Process Workflows illustrating the nature of the activities carried out within a given Entity. Risks, Controls and other components can then be attached to individual processes giving users the ability to model the organisation structure and workflow to an unprecedented level of detail.

Risks are used to describe the consequence and likelihood of potential exposures related to a given Entity. Risk Officers will be able to build up a repository of unique Risk templates within the organisation via a Central Risk Register (CRR). Instances of each Risk can then be created from these templates within the Local Risk Register (LRR) and linked to the Entities to which they relate. The CRR will assist the organisation in collating consistent Risks, by category across the business units. With appropriate assigned privileges, certain users will be able to identify and include new Risks on their LRR that may later facilitate their inclusion in the CRR.

Risk Events are used to record actual loss events and near misses within the organisation. Collation of such data will assist reviewers in determining the presence and severity of Risks as well as the effectiveness of associated Controls. In addition, Risk Events will provide the organisation with a rich source of data that can be fed into the analytical models that are built or imported into the system.

Indicators are proxy measures of Risks that cannot be measured directly. They may also be applied to Controls and other domains thus facilitating classification by association (e.g. Risk Indicators, Controls Indicators, etc.) The system is capable of recording and tracking multiple Indicators for each Risk, the assessments for which may be qualitative, quantitative or a composite of the two approaches. Trend analysis can also be performed to track movement in Indicators over time against user defined calibrated scales. By attaching rules defined in the system Rules Editor to Indicators, OR2Q will be able to manage data automatically and even alert users to potential developing problems.

“By attaching rules... OR2Q will be able to manage data automatically and even alert users to potential developing problems”

Controls are procedures or practices that may take the form of policy directives, Operational Risk insurance, business continuity plans, etc. that have been developed to mitigate a given Risk. Once the nature of a Control is defined, details specific to that type of Control can be captured. Controls can then be attached to Entities or inserted as steps within process workflows.

Action Plans are used to further mitigate Risks should Controls not be considered adequate or effective to reduce Risks to an acceptable level. When Controlled Risk levels exceed predefined limits, defined action plans can be automatically assigned to Risks. Owners of these Action Plans are notified of their responsibility ensuring corrective action is taken in a timely manner.
Action Plans can also be entered manually, providing users with a means of recording audit findings.

Review Notes enable reviewers to log any comments they may have concerning any of the domain entries and so provides Operational Risk staff and especially internal auditors with a useful tool to record their comments and queries in relation to domain values. In the functional diagram, the boxes displayed within the lower blue section represent both systems support services and external components which can interface with the OR2Q system. A brief description of each of these components is provided below.

The Analytical Engine of the system will provide a powerful Function Editor with which mathematical models can be constructed. This editor, with the assistance of optional plug-ins will be capable of supporting Bayesian Networks (for causal modelling), EVT (developing models for large losses) and a variety of other techniques that are at the forefront of assisting in quantifying Operational Risk.

A Rules Editor is provided to create logic based business rules that are used to define actions taken in response to data is provided to create logic based business rules that are used to define actions taken in response to data values within the system domains. Both rules and functions can be fed data or embedded within specific areas of the application. These expressions will then work in the background, performing validations and computations as and when required. The combination of these technologies means that OR2Q can fully support the basic, standard and advanced measurement approaches being defi ned for Operational Risk management.

OR2Q supports industry standard connectivity with internal and external systems and via external data feeds. A client’s existing third party applications which address specialist areas of Operational Risk such as transaction monitors, could potentially interface with the system via custom built API’s. We intend to have a high level of interactivity between other Risk related applications, data warehouses and industry database initiatives and will take full advantage of XML to achieve our data transfer goals.

“We intend to have a high level of interactivity between other Risk related applications... and will take full advantage of XML to achieve our data transfer goals”.

A Report Writer allows those users responsible for reporting to create both template based and custom reports, incorporating allows those users responsible for reporting to create both template based and custom reports, incorporating analysis from system data in the form of text and a wide variety of graphical output including charts, tables and matrices. Once produced, reports can be distributed via a report scheduler in a number of formats for dissemination by end users.

The Administration & Security Shell allows IT administrators to work in conjunction with senior Risk Officers to create a user group hierarchy within which user roles are defined. Departments or specific individuals are then assigned to roles that determine their access levels to the system functions and data.