Credit Scoring and Retail Credit Risk ...
After completing this reading, you should be able to: Analyze the credit risks... Read More
After completing this reading you should be able to:
The Basel Committee defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It includes legal risk but excludes strategic and reputational risk.
Many programs that manage risks in banks take effective management of operational risk as a fundamental element that is inherent in all banking products, systems, activities, and processes. Therefore, sound operational risk management reflects the effectiveness of the board and senior management in the administration of portfolio products, activities, processes, and systems.
Firms often employ 3 lines of defense to be able to control operational risks:
In modern banking, banks have established several business lines that work with some level of independence, but they all work towards the attainment of a set of institution-wide goals. Each business line is faced with its own set of operational risks and is responsible and accountable for assessing, controlling, and mitigating these risks.
This is a functionally independent corporate operational risk function (CORF) involved in policy setting and provides assurance over first-line activities. The CORF generally complements the operational risk management activities of individual business lines.
Responsibilities of the CORF may include:
Although the CORF enjoys some level of independence in all banks, the actual degree of independence differs among banks. The CORF function in small banks achieves independence often through the separation of duties and independent review of processes and functions. For larger banks, the CORF enjoys a reporting structure that’s independent of the risk generating business lines. The CORF has the mandate to design, maintain, and continually develop the operational risk framework within the bank. A key function of the CORF is to challenge the business lines’ risk management activities so as to ensure that all decisions and actions taken align with the bank’s risk measurement and reporting framework. To ensure that the CORF is effective in its work, it should have a sufficient number of personnel skilled in the management of operational risk.
The third line of defense consists of the bank’s audit function, which performs independent oversight of the first two lines. Everyone involved in the auditing process must not be a participant in the process under review.
The review can also be conducted by an external party. The independent review team usually reports directly to the Audit Committee (a committee made up of members of the board of directors) on matters of internal control, compliance, and governance.
The Basel Committee requires banks to have a proactive operational risk management framework where the Board of Directors, senior managers, business line managers, and employees all play a role. The committee has suggested 11 fundamental principles that should form the bedrock of operational risk management across banks:
Principle 1 – The bank should maintain a strong risk management culture spearheaded by the bank’s board of directors and senior managers. The bank should strive to propagate a culture of operational risk resilience where every individual understands the need to manage risk.
The board of directors and senior management plays a starring role in any operational risk management framework.
With respect to Principle 1, the board of directors and/or senior management should:
Principle 2 – The operational risk framework must be developed and fully integrated into the overall risk management processes of the bank.
With respect to Principle 2, the board of directors and/or senior management should:
Principle 3 – The board of directors has the mandate to establish, approve, and periodically review the operational risk management framework. The board should oversee senior management to ensure that the policies, processes, and systems are implemented effectively at all decision levels
With respect to Principle 3, the board of directors and/or senior management should:
Principle 4 – The board must identify the types and levels of operational risks the bank is willing to assume as well as approve risk appetite and risk tolerance statements. These statements should be worded in a clear manner to ensure fast and efficient implementation
With respect to Principle 4, the board of directors and/or senior management should:
Principle 5 – Consistent with the bank’s risk appetite and risk tolerance, senior management must develop a well-defined governance structure within the bank. The governance structure is subject to approval by the board of directors.
With respect to Principle 5, the board of directors and/or senior management should:
Principle 6 – Senior management must understand the risks inherent in the bank’s business lines and processes. They must also understand the incentives associated with those risks so as to be able to put in place effective countermeasures
With respect to Principle 6, the board of directors and/or senior management should consider both internal and external factors to identify and assess operational risk
Examples of tools that may be used for identifying and assessing operational risk include:
Principle 7 – New lines of business, products, processes, and systems should require an approval process that assesses the potential operational risks
With respect to Principle 7, the board of directors and/or senior management should:
Principle 8 – A process for monitoring operational risks and material exposures to losses should be put in place by senior management with support from the board of directors and business line employees
With respect to Principle 8, the board of directors and/or senior management should:
Operational risk reports should lay down:
Principle 9 – The bank must come up with strong internal controls, risk mitigation, and risk transfer strategies in place to manage operational risks.
With respect to Principle 9, the board of directors and/or senior management should:
Principle 10 – The bank must have plans that guarantee survival and continuity in the event of a major business disruption. All business operations must be resilient.
Banks are exposed to disruptive events, some of which may be severe and result in an inability to fulfill some or all of their business obligations. With respect to Principle 10, the board of directors and/or senior management should:
Principle 11 – The bank should make disclosures that are clear enough to ensure that all stakeholders can conduct their own assessment of the bank’s approach to operational risk management.
Public disclosure of relevant operational risk management information instills confidence and ensures transparency and the development of a better industry. With respect to Principle 11, the board of directors and/or senior management should:
An effective operational risk management system excels in risk identification and assessment. The former considers both internal factors and external factors. Sound risk assessment, on the other hand, allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.
Tools that may be used to identify and assess operational risk include:
Audit findings primarily focus on control weaknesses and vulnerabilities and can also provide insight into inherent risk due to internal or external factors.
In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. Closely related are Risk Control Self Assessments (RCSA), which typically evaluate inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered).
Analysis of internal operational loss data can provide meaningful information for assessing a bank’s exposure to operational risk. In particular, the analysis can provide insight into the triggers of large losses. Banks can also monitor the contribution of operational risk to credit and market risk-related losses. That way, a more complete view of their operational risk exposure is obtained.
A bank may be able to gather external loss data related to operational risks. That includes causal information, gross operational loss amounts, dates, and recoveries. By comparing external loss data with internal loss data, the bank can be able to assess whether its risk management policies are effective. External data can also help explore possible weaknesses in the control environment or being to the fore previously unidentified risk exposures.
Risk and performance indicators are risk metrics that provide insight into a bank’s risk exposure.
Risk indicators, often referred to as Key Risk Indicators (KRIs), specify the main drivers of key risks.
Key Performance Indicators (KPIs), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss.
Business process mappings identify the key steps in business processes, activities, and organizational functions and the risks associated with each of the activities. Detailed process maps can reveal individual risks, risk interdependencies, and risk management weaknesses.
This involves the use of outputs of risk assessment tools as inputs for operational risk exposure models. The results can then be used to allocate economic capital to various business units based on return and risk.
In operational risk management, scenario analysis entails seeking the opinion of business line and risk managers about all potential operational risk events and what each event would lead to. However, the process is highly subjective, and a robust governance framework is needed to ensure that integrity and consistency are upheld.
The comparative analysis consists of comparing the results of different assessment tools to provide a more comprehensive picture of the bank’s operational risk profile. For example, the bank can combine the frequency and severity of internal data with RCSAs and then be able to gauge the functioning of self-assessment processes.
Control environment refers to is the foundation on which an effective system of internal control is built and operated in a bank that intends to:
The Board of Directors and senior management have an obligation to instill into other employees the importance of internal control, including expected standards of conduct
There are five key components of internal control:
All banks should ensure that traditional internal controls are in place as appropriate to address operational risk. These controls include:
Modern banking is heavily invested in tech, with products, activities, processes and delivery channels all reliant on one or more forms of digital technology. The use of technology, however, leaves banks vulnerable to strategic, operational, and reputational risks. Technology risks also raise the specter of material financial loss that can have a devastating effect even on well-established banks. Consequently, it is important for banks to have an integrated approach that identifies, measures, monitors, and manages technology risks.
Sound technology risk management uses the same precepts as operational risk management and includes:
Outsourcing can be defined as a process in which a bank delegates some of its in-house operations/processes to a third party. Instead of dedicating internal resources from their Legal and Risk functions, for example, smaller US operations of global European commercial banks often turn to external providers to help them comply with local anti-Money laundering laws and KYC (Know Your Customer) requirements.
On one hand, outsourcing helps banks manage costs, provide expertise, expand product offerings, and improve services. On the other hand, it introduces risks that should not be ignored by management.
The Board and senior management must understand the operational risks associated with outsourcing arrangements and ensure that effective risk management policies and practices are developed. Outsourcing policies and risk management activities should encompass:
Practice Question
A new bank is to be established in New York City. According to the Basel Committee, three of the following are principles that should be considered in the operation of the new bank. Which one is does NOT fit with Basel’s principles?
A. The board of directors should establish, approve, and periodically review the framework
B. The board of directors should take a strong lead in establishing a powerful risk management culture
C. The bank should develop, implement and maintain a framework that is fully integrated into the bank’s overall risks management processes
D. The bank should establish the optimal number of customer loans that best fits its risk profile
The correct answer is D.
The Basel Committee highlighted three principles which are necessary during the operation of an organization, and it does not include the number of customer loans the organization is supposed to handle as different organizations have different numbers of customers and yet they follow the same principles.