Risk Governance

After completing this reading, you should be able to:

  • Explain Basel regulatory expectations for an operational risk management framework’s governance.
  • Describe and compare the roles of different committees and the board of directors in operational risk governance.
  • Describe the “three lines of defense” model for operational risk governance and compare roles and responsibilities for each line of defense.
  • Explain the best practices and regulatory expectations for developing a risk appetite for operational risk and strong risk culture.

The Basel Regulatory Expectations for the Governance of an Operational Risk Management Framework

In June 2004, the Basel Committee on Banking Supervision (BCBS) published Basel II, the first accord to impose a regulatory capital charge for operational risk. It introduced three regulatory pillars, broadening the scope of prudential supervision beyond minimum capital requirements.

Pillar 1: Regulatory Capital

This pillar sets the minimum capital banks must hold to cover unexpected losses from credit, market, and operational risk (minimum liquidity ratios were added later, under Basel III).

Pillar 2: Supervisory Review Process

Under Pillar 2, supervisors review a bank's risk profile and can impose additional capital requirements ("add-ons") where Pillar 1 capital does not adequately cover it.

Pillar 3: Market Discipline

Pillar 3 requires financial institutions to publicly disclose financial and risk information, quarterly or yearly, so that market participants can assess their risk profile.

Recognizing that regulatory capital alone could not prevent operational losses, the Basel Committee published principles for the management and supervision of operational risk in 2003. These were revised in 2011 to incorporate lessons from the 2007-2009 financial crisis. A further revision, published in March 2021, increased the number of principles from 11 to 12.

Table 1.1.: BCBS Revisions to the Principles for the Sound Management of Operational Risk
  1. Culture led by the board of directors and implemented by senior management.
  2. Maintenance of a sound and proportionate operational risk management framework (ORMF).
  3. Board review and approval of ORMF.
  4. Board-approved risk appetite and tolerance statement for operational risk, periodically reviewed by the board.
  5. Senior management role in ORM policies and systems development and implementation.
  6. Comprehensive identification and assessment of operational risk in material activities.
  7. Change management process adequately resourced and articulated.
  8. Regular monitoring of operational risk profile and exposures.
  9. Strong control environment: Internal controls, mitigation, training, and risk-transfer strategies.
  10. Robust information and communication technology (ICT) management program, in line with ORMF.
  11. Business continuity plans in place and linked to ORMF.
  12. Public disclosures on approach to ORM and risk exposures.

After the 2007-2009 financial crisis, Basel II was partially reformed, but the operational risk capital rules were left unchanged at first. The Basel Committee initiated a reform of operational risk capital in 2015, and the December 2017 finalization of Basel III discontinued the three-tier regime (Basic Indicator, Standardized, and Advanced Measurement Approaches). They are replaced by a single method, the Standardized Measurement Approach (SMA), later renamed the Standardized Approach (SA), whose implementation date was set to 1 January 2023 after a one-year deferral because of the COVID-19 pandemic.

The BCBS strongly influences major regulatory bodies worldwide. Regulated institutions should regularly consult the publications of their local regulators, both to meet their regulatory requirements and to obtain guidance on operational risk management.

Supervisors expect a bank's risk management to involve:

  • Assessing the risk profile in a forward-looking manner.
  • Developing robust governance policies and processes that support a sound risk management framework.
  • Identifying and managing all material risks per the firm’s risk appetite and ensuring an effective control environment.

Supervisors are expected to assess banks' ORM frameworks regularly by examining their policies, processes, and systems for operational risk.

Where the assessment reveals weaknesses, supervisors should take the measures needed to ensure that banks address them.

Supervisors should also support banks' efforts by monitoring, benchmarking, and evaluating their performance.

Regulators expect ORM to be more than a paperwork compliance exercise: it should be practical and an integral part of all activities. In other words, risk management is fundamental to every business decision, and staff at all levels should be involved in it.

Regulators and auditors should ask banks to show how they reach their decisions and examine whether such decisions are made with risk in mind. 

To examine whether an ORM framework is being implemented in a firm, the following questions should be asked:

  • Is there evidence that all material events are captured in event reports? Do reports provide lessons and root-cause analysis? Does this include near misses?
  • Is the basis for risk and control assessments robust and consistent? Are the right people involved? Are the assessments challenged and peer-reviewed to ensure consistency across the organization?
  • Does the value of each risk indicator come from an independent source? Do line managers (the risk owners) agree that the chosen indicators are the most relevant? How often are they refreshed?
  • Scenarios: Are there enough of them? Are they sufficiently extreme yet still realistic? Is the assessment objective, documented, and repeatable?
  • Coverage: Do the reports sufficiently cover the ORM scope?
  • Risk reporting: Are the presented data sufficient for decision-making? Does the information pertain to the level of management it is intended for?

Firms are expected to document and report all ORM activities as evidence that the framework is in use; in other words, a firm should be able to prove that the practice takes place. All committees and management bodies should therefore keep records of their discussions, decisions, and open issues.

To avoid regulatory fines, firms should read and understand all consultation papers and policy documents to ensure that they meet regulatory expectations. Staff should also have sufficient knowledge of the material documents relevant to their role and should be asked to confirm each year that they fully understand them.

Whenever a new regulatory expectation is issued, a firm should have a team that reviews it and presents it to staff at their next meeting.

The Roles of Different Committees and the Board of Directors in Operational Risk Governance

According to the Bank for International Settlements (BIS), operational risk governance should be fully integrated into a bank's overall risk management governance structure. Effective risk governance requires strong internal controls and clearly designated roles and responsibilities.

A firm's operational risk is managed through several committees, which make collegial decisions based on information drawn from different levels of the decision-making hierarchy. The number of committees depends on the size and complexity of the firm.

The lowest tier of the operational risk committee structure is organized by business line (e.g., corporate banking, investment banking, or support services) or by geography (e.g., country or region). Each committee at this level oversees operational risk in its own area and escalates information upward so that an accurate overview of the firm's overall operational risk profile can be assembled. Issues that exceed predetermined thresholds are reported to a firmwide risk committee or to the second line of defense for further examination.

Each committee has a distinct purpose and works within a specific set of constraints. The corporate banking committee evaluates risks arising from corporate banking activities, while the investment banking committee assesses the investment-related risks of its own domain. Similarly, a country-level committee gauges risks from operations within a single nation, whereas a regional committee considers risks originating from several countries in one region.

The operational risk committee oversees, manages, and monitors operational risk. It presents a comprehensive, consolidated view of all operational risks to the executive risk management committee and the board risk committee. The committee identifies and analyzes potential operational risk issues or threats, devises strategies to control and mitigate them, and implements plans to monitor the relevant risk indicators. It may also develop procedures to ensure that operational activities comply with applicable regulations and internal policies. It reports regularly to the executive risk management committee, including an assessment of current risk levels and the effectiveness of existing controls.

The enterprise-level risk committee created by the board (the board risk committee) oversees all operational risks. It ensures that potential risks are identified and managed appropriately through ongoing assessment of the organization's operations, so that risks or deficiencies are caught before they grow into larger issues. The committee works closely with senior executives across departments to strengthen the organization's overall control environment, helping to ensure that operations are conducted safely and efficiently while limiting financial losses from emerging risks.

The board risk committee makes recommendations to the full board with regard to risk-based decisions, risk exposure, and risk management.

The Roles of the Board of Directors

The board of directors is mandated to approve and periodically review the operational risk management framework. The board should oversee senior management to ensure that policies, processes, and systems are implemented effectively at all decision levels.

With respect to Principle 3, the board of directors should:

  • Establish a culture and processes that help everyone – including board members, managers, and employees – understand the nature and scope of operational risks.
  • Regularly review the ORM framework to ensure that it considers emerging/evolving risks.
  • Review and approve operational risk management policies senior management develops.
  • Ensure that the bank has identified and is managing operational risks arising from external market changes and other environmental factors, by regularly reviewing, evaluating, and approving the ORM framework.
  • Ensure that the ORM framework is subject to independent review by sufficiently skilled personnel.
  • Ensure that management keeps abreast of evolving best practices and adopts them where appropriate.

The Three “Lines of Defense” Model for Operational Risk Governance

The Basel Committee defines operational risk as "the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events." The definition includes legal risk but excludes strategic and reputational risk. Because operational risk is inherent in all banking products, systems, activities, and processes, bank risk management programs treat its effective management as a fundamental element. Sound operational risk management therefore reflects how effectively the board and senior management administer the bank's portfolio of products, activities, processes, and systems.

Firms typically use three lines of defense to control operational risk:

First Line of Defense: Business Unit Management

Modern banks are organized into several business lines that operate with some independence while working toward a common set of institution-wide goals. Each business line faces its own operational risks and is responsible and accountable for identifying, assessing, controlling, and mitigating them.

Front-line risk management involves all commercial and front-office operational functions or, simply, business functions.

An effective first line of defense consists of the following responsibilities:

  • Evaluating and identifying operational risks inherent in a business.
  • Developing appropriate controls.
  • Evaluating the effectiveness and design of these controls.
  • Keeping track of the operational risk profiles of business units and reporting them.

Roles and Responsibilities of the Risk Champions and “Line 1.5”

ORM is decentralized by nature: everyone can take part in managing operational risk. However, not everyone in a firm has the capacity to develop a deep understanding of risk management. Firms therefore appoint "risk specialists" or "risk champions" within each business unit, sometimes referred to as line "1.5" or "1.b". Within the first line of defense, risk specialists are responsible for:

  • Serving as the principal point of contact for risk management issues.
  • Keeping track of risk events and losses by gathering and recording data.
  • Identifying risks and controls in accordance with group definitions (where applicable).
  • Following up on the implementation of control rules, risk management action plans, and audit tracking.

Second Line of Defense: An Independent Corporate Operational Risk Management Function

The second line is a functionally independent corporate operational risk function (CORF) that sets policy and provides assurance over first-line activities. The CORF complements, rather than replaces, the operational risk management activities of the individual business lines.

Responsibilities of the CORF may include:

  • Developing and maintaining operational risk management and measurement policies, standards, and guidelines, as well as designing and delivering operational risk training to promote awareness and competency concerning operational risk.
  • Establishing an independent view of the business units’ risk management activity, including the identification of material operational risks, the design and effectiveness of key controls, and the respect of risk appetites and tolerances.
  • Assessing the relevance and consistency of the business units' implementation of operational risk management tools, measurement activities, and reporting systems, and providing evidence that the approach is effective.
  • Reviewing and taking part in the monitoring and reporting of the operational risk profile.

Although the CORF is independent to some degree in every bank, the actual degree of independence varies. In small banks, the CORF often achieves independence through segregation of duties and independent review of processes and functions. In larger banks, the CORF has a reporting line that is independent of the risk-generating business lines. The CORF is mandated to design, maintain, and continually develop the bank's operational risk framework.

A key function of the CORF is to challenge the business lines' risk management activities so that all decisions and actions align with the bank's risk measurement and reporting framework. To be effective, the CORF must have enough skilled personnel to manage operational risk.

Third Line of Defense: Independent Assurance

The third line of defense is the bank's audit function, which provides independent oversight of the first two lines. No one involved in an audit may be a participant in the process under review; the review may also be performed by an external party. The independent review team usually reports directly to the Audit Committee (a committee of the board of directors) on internal control, compliance, and governance.

According to the Institute of Internal Auditors (IIA, 2017), the internal audit should interact with the risk management, compliance, and finance functions in the following ways:

  • Corporate governance structures must include effective risk management, compliance, and finance functions. These functions should not be the responsibility of, or part of, internal audit.
  • Internal audit should assess the effectiveness and adequacy of the risk management, compliance, and finance functions. It should never rely exclusively on these functions to evaluate the effectiveness of internal controls and should always itself assess a sample of the activities under review.
  • As part of its risk assessment, internal audit should make informed decisions about whether to incorporate relevant work performed by others, such as risk management, compliance, or finance.

Best Practices and Regulatory Expectations for the Development of a Risk Appetite for Operational Risk and Strong Risk Culture

Regulatory Guidance on Risk Appetite for Operational Risk

The board is responsible for determining the nature and extent of the firm's risk appetite and its internal control systems.

Defining a risk appetite involves assessing the firm's key risks, setting limits within which those risks are acceptable, and establishing the controls required to keep risks within those limits. Board directors should ensure that risk appetite and risk tolerance are defined consistently, since they drive the priorities of the entire control environment.

Under Principle 4, the board must identify the types and levels of operational risk the bank is willing to assume and must approve risk appetite and risk tolerance statements. These statements should:

  1. Be easy to communicate and understand.
  2. Provide the assumptions and information a bank uses to prepare its business plan.
  3. Provide reasons for taking or avoiding certain operational risks.
  4. Ensure risk limits align with the bank-wide risk appetite statement.
  5. Be forward-looking and subject to scenario and stress testing.

With respect to Principle 4, the board of directors should:

  • Consider all risks when approving a bank’s risk appetite and tolerance statements, which provide details on risk limits and thresholds. In addition, the board should consider a bank’s strategic direction.
  • Regularly review the appropriateness of the bank's risk appetite and tolerance statements. Factors to consider include changes in the external environment, changes in business or activity volumes, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume, or nature of limit breaches.

Regulatory guidance requires that risk appetite and risk tolerance statements be in line with the organization’s operations.

The board of directors is responsible for owning and validating the risk limits. The board usually delegates this responsibility to its risk committee.

Risk Appetite Structure and Monitoring

According to the Basel Committee on Banking Supervision (BCBS), a risk appetite statement should give the reasons for taking or avoiding particular types of risk. A firm must take risks to meet its objectives, but avoiding risk also has a cost, so the risk-return tradeoff must be addressed in the risk appetite statement. The risk appetite should be consistent with the firm's objectives and its risk management strategy; a well-articulated risk appetite aligned with strategy can then guide important business decisions.

To express their appetite and tolerance for disruption, firms set maximum impact tolerances for critical business services. For risk appetite and tolerance statements to be credible and actionable, they must also refer to a consistent set of key controls and systems of control.

Risk Appetite Governance

Good practice is to assign an owner to each risk type. Risk owners are the managers who manage, maintain, and monitor the risk within the defined appetite and tolerance limits. Control owners design, implement, and evaluate the controls that keep the risk within those limits. Metric owners collect, report, and monitor the metrics used to measure the organization's position against its risk appetite.

Risk Culture

Under Principle 1, a bank should maintain a strong risk management culture, led by its board of directors and senior management, in which everyone understands the need to manage risk and operational resilience is a shared goal.

The board of directors and senior management play a central role in any operational risk management framework. With respect to Principle 1, they should:

  • Provide a sound foundation for a strong risk management culture within the bank. With a strong risk culture and ethical business practices, a bank is less likely to experience damaging operational risk events and is better placed to deal with the outcome if one occurs.
  • Establish a code of conduct (or ethics policy) for all employees that sets out expectations for ethical behavior, identifying acceptable business practices and prohibited conflicts of interest.
  • Provide risk training at all levels of the bank, tailored to the seniority, roles, and responsibilities of the trainees.

Banks with a strong risk culture are less likely to be affected by damaging operational risk events. In fact, they are better positioned to deal with such events when they occur.

The board of directors must push senior management to implement the risk culture. Directors and senior management promote it through their own conduct and by spelling out expectations and consequences for employee conduct; employees emulate what they see far more readily than what they are told.

An effective risk appetite framework is easy to implement where a strong risk culture already exists; without one, success on the risk appetite journey is extremely difficult.

To promote a strong risk culture, a firm must have well-documented policies and codes that apply to everyone in the firm. Creating awareness and alerting people of a firm’s policies and rules contributes towards a strong risk culture.

Firms should also structure training and compensation to reinforce the codes of conduct and thereby promote a strong risk culture. Educating everyone about the operational risks embedded in activities and processes is another critical component of a sound risk culture.

Practice Question

Which of the following is the correct order and description of the roles and responsibilities for each line of defense in the “three lines of defense” model for operational risk governance?

A. First line: Risk and compliance functions setting policies. Second line: Internal and external auditors reviewing processes. Third line: Business unit managers handling day-to-day risk.

B. First line: Business unit managers and process owners handling day-to-day risk. Second line: Risk and compliance functions providing oversight. Third line: Internal and external auditors reviewing processes and controls.

C. First line: Internal and external auditors reviewing processes. Second line: Business unit managers handling day-to-day risk. Third line: Risk and compliance functions setting policies.

D. First line: Business unit managers handling day-to-day risk. Second line: Risk and compliance functions setting policies. Third line: Internal and external auditors providing oversight.
The correct answer is B.

The “three lines of defense” model for operational risk governance is typically structured as follows:

  • First line: Business unit managers and process owners are responsible for handling the day-to-day management of operational risk. They are the front-line operators who are closest to the business operations and are in the best position to identify, assess, and manage risks as they arise.
  • Second line: The risk and compliance functions play an oversight role. They set the policies and provide guidance to the first line on how to manage risks effectively. They do not directly manage the risk but instead support and oversee the risk management activities of the first line.
  • Third line: Internal and external auditors review the processes and controls. They provide independent assurance that the risk management processes and controls put in place by the first and second lines of defense are effective.

A is incorrect because it incorrectly places the risk and compliance functions in the first line, auditors in the second line, and the business unit managers in the third line. This is not consistent with the standard “three lines of defense” model.

C is incorrect as it begins with internal and external auditors, which belong to the third line of defense. It also incorrectly places the risk and compliance functions in the third line, rather than the second.

D is incorrect because while it correctly identifies the business unit managers as the first line, it switches the roles of the risk and compliance functions with the internal and external auditors. Auditors should be in the third line, providing independent assurance, rather than oversight.

Things to Remember

  • The “three lines of defense” model ensures a layered approach to risk management. Each line serves as a checkpoint, making it harder for risks to go unnoticed or unmanaged.
  • By positioning business unit managers in the first line, the model leverages their proximity to daily operations, ensuring immediate risk identification and management.
  • The second line’s oversight role is crucial as it bridges the gap between operational management and independent assurance, ensuring that risk policies are not only in place but are also adhered to.
  • The third line offers an independent perspective, providing unbiased assurance on the effectiveness of the preceding lines and thereby adding credibility to the risk management process.
  • One primary benefit of this model is its clear delineation of roles, which reduces ambiguities in responsibilities and ensures accountability.
  • Another advantage is the model’s comprehensive approach, which combines hands-on risk management, oversight, and independent review, thereby strengthening an organization’s resilience against operational risks.