Principles for the Sound Management of Operational Risk

After completing this reading you should be able to:

• Describe the three “lines of defense” in the Basel model for operational risk governance.
• Summarize the fundamental principles of operational risk management as suggested by the Basel Committee.
• Explain guidelines for strong governance of operational risk and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework.
• Describe tools and processes that can be used to identify and assess operational risk.
• Describe features of an effective control environment and identify specific controls that should be in place to address operational risk.
• Explain the Basel Committee’s suggestions for managing technology risk and outsourcing risk.

The three “Lines of Defense” in the Basel Model for Operational Risk Governance

The Basel Committee defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” It includes legal risk but excludes strategic and reputational risk.

Many programs that manage risks in banks take effective management of operational risk as a fundamental element that is inherent in all banking products, systems, activities, and processes. Therefore, sound operational risk management reflects the effectiveness of the board and senior management in the administration of portfolio products, activities, processes, and systems.

Firms often employ 3 lines of defense to be able to control operational risks:

First Line of Defense: Business Line Management

In modern banking, banks have established several business lines that work with some level of independence, but they all work towards the attainment of a set of institution-wide goals. Each business line is faced with its own set of operational risks and is responsible and accountable for assessing, controlling, and mitigating these risks.  

Second Line of Defense: An Independent Corporate Operational Risk Management Function

This is a functionally independent corporate operational risk function (CORF) involved in policy setting and provides assurance over first-line activities. The CORF generally complements the operational risk management activities of individual business lines.

Responsibilities of the CORF may include:

• Measuring the operational risks;
• Establishing the reporting processes for operational risks;
• Establishing the risk committees to measure and monitor operational risks; and
• Reporting operational risk issues to the Board of Directors.

Although the CORF enjoys some level of independence in all banks, the actual degree of independence differs among banks. The CORF function in small banks achieves independence often through the separation of duties and independent review of processes and functions. For larger banks, the CORF enjoys a reporting structure that’s independent of the risk generating business lines. The CORF has the mandate to design, maintain, and continually develop the operational risk framework within the bank. A key function of the CORF is to challenge the business lines’ risk management activities so as to ensure that all decisions and actions taken align with the bank’s risk measurement and reporting framework. To ensure that the CORF is effective in its work, it should have a sufficient number of personnel skilled in the management of operational risk.

Third Line of Defense: Independent Review/Audit

The third line of defense consists of the bank’s audit function, which performs independent oversight of the first two lines. Everyone involved in the auditing process must not be a participant in the process under review.

The review can also be conducted by an external party. The independent review team usually reports directly to the Audit Committee (a committee made up of members of the board of directors) on matters of internal control, compliance, and governance.

The Fundamental Principles of Operational Risk Management as Suggested by the Basel Committee

The Basel Committee requires banks to have a proactive operational risk management framework where the Board of Directors, senior managers, business line managers, and employees all play a role. The committee has suggested 11 fundamental principles that should form the bedrock of operational risk management across banks:

Principle 1 – The bank should maintain a strong risk management culture spearheaded by the bank’s board of directors and senior managers. The bank should strive to propagate a culture of operational risk resilience where every individual understands the need to manage risk.

The board of directors and senior management plays a starring role in any operational risk management framework.

With respect to Principle 1, the board of directors and/or senior management should:

• Provide a sound foundation for a strong risk management culture within the bank. With a strong culture of risk management and ethical business practices, the bank is less likely to experience potentially damaging operational risk events. If the bank ends up experiencing such an event, it would be better placed to deal effectively with the outcome.
• Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical behavior. The code of conduct should identify acceptable business practices and prohibited conflicts.
• Provide risk training throughout all levels of the bank. Training should take into account the level of seniority, roles, and responsibilities of the trainee.

Principle 2 – The operational risk framework must be developed and fully integrated into the overall risk management processes of the bank.

With respect to Principle 2, the board of directors and/or senior management should:

• Have a thorough understanding of both the nature and complexity of the risks inherent in the products, lines of business, processes, and systems in the bank. Only then can they be able to craft and approve appropriate risk management measures that are effective against the various risks.
• Ensure that the Framework is fully integrated with the bank’s overall risk management plan across all levels of the firm including those at the group and business line levels, as well as into new business initiatives’ products, activities, processes, and systems.

Principle 3 – The board of directors has the mandate to establish, approve, and periodically review the operational risk management framework. The board should oversee senior management to ensure that the policies, processes, and systems are implemented effectively at all decision levels

With respect to Principle 3, the board of directors and/or senior management should:

• Establish a culture and processes that help everyone – including board members, managers, and employees – understand the nature and scope of operational risks.
• Regularly review the Framework to ensure that it takes into account emerging/evolving risks.
• Provide senior management with guidance regarding operational risk management and approve policies developed by senior management aimed at managing operational risk.
• Ensure that the Framework is subject to independent review by sufficiently skilled personnel.
• Ensure that management follows the evolution of best practices and avails themselves to these changes
• Establish strong internal controls marked by a clear designation of roles and responsibilities.

Principle 4 – The board must identify the types and levels of operational risks the bank is willing to assume as well as approve risk appetite and risk tolerance statements. These statements should be worded in a clear manner to ensure fast and efficient implementation

With respect to Principle 4, the board of directors and/or senior management should:

• Ensure that they consider all risks when approving the bank’s risk appetite and tolerance statements which provide details on risk limits and thresholds. They should also consider the bank’s strategic direction.
• Regularly review the bank’s risk appetite and tolerance statements appropriateness. During the review process, some of the factors that should be considered include changes in the external environment, changes in business or activity volumes, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume, or nature of limit breaches.

Principle 5 – Consistent with the bank’s risk appetite and risk tolerance, senior management must develop a well-defined governance structure within the bank. The governance structure is subject to approval by the board of directors.

With respect to Principle 5, the board of directors and/or senior management should:

• Establish and maintain robust challenge mechanisms and effective dispute resolution processes. There should be guidelines that dictate tracking and reporting of issues and when necessary, establish to whom an issue can be escalated to ensure resolution.
• Translate the Framework approved by the board into specific policies and procedures that can be adopted by specific business lines.
• Ensure that there’s proper communication between the operational risk management team and other teams tasked with keeping an eye on other risks such as credit risk and market risks.
• Ensure that managers of the CORF have sufficient stature within the bank commensurate with other risk management functions such as credit, market, and liquidity risk
• Ensure that bank activities are only carried out by members of staff who have the necessary experience and technical skills. Staff tasked with monitoring and evaluating compliance with the established risk policy should have authority independent from the units they oversee.
• Develop a governance structure that’s commensurate with the nature, size, complexity, and risk profile of the bank’s activities.

Principle 6 – Senior management must understand the risks inherent in the bank’s business lines and processes. They must also understand the incentives associated with those risks so as to be able to put in place effective countermeasures

With respect to Principle 6, the board of directors and/or senior management should consider both internal and external factors to identify and assess operational risk

Examples of tools that may be used for identifying and assessing operational risk include:

• Audit findings
• Internal loss data collection and analysis
• External loss of data collection and analysis
• Risk and Performance Indicators
• Scenario Analysis
• Comparative analysis

Principle 7 – New lines of business, products, processes, and systems should require an approval process that assesses the potential operational risks

With respect to Principle 7, the board of directors and/or senior management should:

• Ensure that the risk management framework keeps pace with new products and processes which usually come with increased exposure to operational risk.
• Thoroughly review new activities and product lines. Some of the factors that should be considered during this process include:
• Inherent risks in the new product, service, or activity;
• Changes to the bank’s operational risk profile and appetite and tolerance, including the risk of existing products or activities;
• The necessary controls, risk management processes, and risk mitigation strategies;
• The residual risk;
• Changes to relevant risk thresholds or limits; and
• The procedures and metrics to measure, monitor, and manage the risk of the new product or activity.
• Ensure that appropriate investment has been made for human resources and technology infrastructure before new products are introduced.

Principle 8 – A process for monitoring operational risks and material exposures to losses should be put in place by senior management with support from the board of directors and business line employees

With respect to Principle 8, the board of directors and/or senior management should:

• Continuously improve the quality of operational risk reporting. All of a bank’s reports should be comprehensive, accurate, consistent, and implementable across business lines and products.
• Ensure that operational risk reports are timely and generated during normal as well as stressed market conditions. All reports must be furnished to the board and senior management
• Ensure that all risk reports contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions relevant to decision making.

Operational risk reports should lay down:

• Breaches of the bank’s risk appetite and tolerance statement, thresholds or limits;
• Details of recent significant internal operational risk events and losses; and
• Relevant external events and any potential impact they could have on the bank
• Ensure that data capture and risk reporting processes should be analyzed periodically with a view to continuously enhancing risk management performance

Principle 9 – The bank must come up with strong internal controls, risk mitigation, and risk transfer strategies in place to manage operational risks.

With respect to Principle 9, the board of directors and/or senior management should:

• Establish internal controls that safeguard the bank’s assets, produce reliable financial reports, and provide reasonable assurance that the bank will have efficient and effective operations;
• Ensure that Control processes and procedures always include a system for ensuring compliance with policies;
• Ensure that there’s segregation of duties to avoid a situation where it’s difficult to pinpoint the individual responsible for the concealment of losses, errors, or other inappropriate actions;
• Ensure effective use and sound implementation of technology. Automation, for example, reduces most of the errors associated with manual processes;
• Ensure that they understand the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities; and
• Ensure the bank has a sound technology infrastructure that meets current and long-term business requirements by providing sufficient capacity for normal activity levels as well as peaks during periods.

Principle 10 – The bank must have plans that guarantee survival and continuity in the event of a major business disruption. All business operations must be resilient.

Banks are exposed to disruptive events, some of which may be severe and result in an inability to fulfill some or all of their business obligations. With respect to Principle 10, the board of directors and/or senior management should:

• Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology, damaged facilities, pandemic illnesses that affect personnel, and so on).
• Periodically review continuity plans.

Principle 11 – The bank should make disclosures that are clear enough to ensure that all stakeholders can conduct their own assessment of the bank’s approach to operational risk management.

Public disclosure of relevant operational risk management information instills confidence and ensures transparency and the development of a better industry. With respect to Principle 11, the board of directors and/or senior management should:

• Ensure that amount and type of disclosure is commensurate with the size, risk profile, and complexity of a bank’s operations.
• Ensure that the bank discloses its operational risk management framework in a manner that allows stakeholders to independently determine whether the bank identifies, assesses, monitors, and controls/mitigates operational risk in an effective manner.
• Ensure that disclosures reflect the methodology adopted by the senior management and the board of directors while assessing and managing the operational risk of the bank
• Ensure that there’s a formal, approved disclosure policy that dictates the elements of the bank’s operational risk framework that can be disclosed.

Tools and Processes That Can Be Used To Identify and Assess Operational Risk

An effective operational risk management system excels in risk identification and assessment. The former considers both internal factors and external factors. Sound risk assessment, on the other hand, allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.

Tools that may be used to identify and assess operational risk include:

Audit Findings

Audit findings primarily focus on control weaknesses and vulnerabilities and can also provide insight into inherent risk due to internal or external factors.

Risk Assessments

In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. Closely related are Risk Control Self Assessments (RCSA), which typically evaluate inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered).

Internal Loss Data Collection and Analysis

Analysis of internal operational loss data can provide meaningful information for assessing a bank’s exposure to operational risk. In particular, the analysis can provide insight into the triggers of large losses. Banks can also monitor the contribution of operational risk to credit and market risk-related losses. That way, a more complete view of their operational risk exposure is obtained.

External Data Collection and Analysis

A bank may be able to gather external loss data related to operational risks. That includes causal information, gross operational loss amounts, dates, and recoveries. By comparing external loss data with internal loss data, the bank can be able to assess whether its risk management policies are effective. External data can also help explore possible weaknesses in the control environment or being to the fore previously unidentified risk exposures.

Risk and Performance Indicators

Risk and performance indicators are risk metrics that provide insight into a bank’s risk exposure.

Risk indicators, often referred to as Key Risk Indicators (KRIs), specify the main drivers of key risks.

Key Performance Indicators (KPIs), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss.

Business Process Mapping

Business process mappings identify the key steps in business processes, activities, and organizational functions and the risks associated with each of the activities. Detailed process maps can reveal individual risks, risk interdependencies, and risk management weaknesses.

Measurement

This involves the use of outputs of risk assessment tools as inputs for operational risk exposure models. The results can then be used to allocate economic capital to various business units based on return and risk.

Scenario Analysis

In operational risk management, scenario analysis entails seeking the opinion of business line and risk managers about all potential operational risk events and what each event would lead to. However, the process is highly subjective, and a robust governance framework is needed to ensure that integrity and consistency are upheld.

Comparative Analysis

The comparative analysis consists of comparing the results of different assessment tools to provide a more comprehensive picture of the bank’s operational risk profile. For example, the bank can combine the frequency and severity of internal data with RCSAs and then be able to gauge the functioning of self-assessment processes.

Features of an Effective Control Environment

Control environment refers to is the foundation on which an effective system of internal control is built and operated in a bank that intends to:

• Provide reliable financial reporting to internal and external stakeholders;
• Comply with all applicable laws and regulations;
• Operate its business efficiently and effectively;
• Achieve its strategic objectives; and
• Safeguard its assets.

The Board of Directors and senior management have an obligation to instill into other employees the importance of internal control, including expected standards of conduct

There are five key components of internal control:

1. Control Environment: This refers to a set of standards, structures, and processes that provide the bedrock for performing internal control within the entity.
2. Risk Assessment: Risk assessment is a process used to identify, assess, and manage risks the bank is faced with as it works toward the achievement of its objectives.
3. Control Activities: These are actions taken to mitigate the risks to the achievement of the entity’s objectives. These actions are subject to management approval. The approval process looks at the bank’s policies and procedures.  
4. Information and communication: Information and communication is the distribution of information needed to perform control activities and to understand internal control responsibilities to personnel internal and external to the entity.
5. Monitoring: Monitoring has much to do with continuous evaluations of the implementation and operation of operational risk policies.

A Note on Traditional Internal Controls

All banks should ensure that traditional internal controls are in place as appropriate to address operational risk. These controls include:

• A vacation policy that relieves officers and employees of their duties for a period of not less than two consecutive weeks;
• Appropriate staffing level and training to maintain expertise;
• Clearly established authorities and processes for approval;
• Close monitoring of adherence to pre-established risk thresholds or limits;
• Safeguards for access to, and use of, bank assets;
• Regular verification and reconciliation of transactions and accounts; and
• Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations.

The Basel Committee’s Suggestions for Managing Technology Risk and Outsourcing Risk

Technology Risk

Modern banking is heavily invested in tech, with products, activities, processes and delivery channels all reliant on one or more forms of digital technology. The use of technology, however, leaves banks vulnerable to strategic, operational, and reputational risks. Technology risks also raise the specter of material financial loss that can have a devastating effect even on well-established banks. Consequently, it is important for banks to have an integrated approach that identifies, measures, monitors, and manages technology risks.

Sound technology risk management uses the same precepts as operational risk management and includes:

• Establishment of risk transfer strategies to mitigate technology risks;
• Governance and oversight controls;
• Implementation of a risk control environment;
• Coming up with policies and procedures to identify and assess technology risks;
• Working with a written risk appetite and tolerance statements;
• Monitoring of technology risks and violations of thresholds and risk limits; and
• Create a sound technology infrastructure (i.e., the hardware and software components, data, and operating environments).

Outsourcing Risk

Outsourcing can be defined as a process in which a bank delegates some of its in-house operations/processes to a third party. Instead of dedicating internal resources from their Legal and Risk functions, for example, smaller US operations of global European commercial banks often turn to external providers to help them comply with local anti-Money laundering laws and KYC (Know Your Customer) requirements.

On one hand, outsourcing helps banks manage costs, provide expertise, expand product offerings, and improve services. On the other hand, it introduces risks that should not be ignored by management.

The Board and senior management must understand the operational risks associated with outsourcing arrangements and ensure that effective risk management policies and practices are developed. Outsourcing policies and risk management activities should encompass:

• Establishment of an effective control environment at the bank and the service provider;
• Procedures for determining whether and how activities can be outsourced;
• Sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;
• Mechanisms for managing and monitoring the risks associated with the outsourcing, including the financial condition of the service provider;
• Procedures that emphasize on due diligence in the selection of potential service providers;
• Development of viable contingency plans; and
• Execution of comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.

Practice Question

A new bank is to be established in New York City. According to the Basel Committee, three of the following are principles that should be considered in the operation of the new bank. Which one is does NOT fit with Basel’s principles?

A. The board of directors should establish, approve, and periodically review the framework

B. The board of directors should take a strong lead in establishing a powerful risk management culture

C. The bank should develop, implement and maintain a framework that is fully integrated into the bank’s overall risks management processes

D. The bank should establish the optimal number of customer loans that best fits its risk profile

The correct answer is D.

The Basel Committee highlighted three principles which are necessary during the operation of an organization, and it does not include the number of customer loans the organization is supposed to handle as different organizations have different numbers of customers and yet they follow the same principles.