Principles for the Sound Management of Operational Risk

In this chapter, we look at the three lines of defense in the Basel model for operational risk governance and summarize the fundamental principles of operational risk management proposed by the Basel Committee.

We describe the tools and processes used to identify and assess operational risk. We then explain the guidelines for strong governance of operational risk and evaluate the roles of the board of directors and senior management in implementing effective operational risk structures.

We also examine the characteristics of an effective control environment and the specific controls used for operational risk purposes. Finally, we explain the management of technology and outsourcing risks as suggested by the Basel Committee.

The Role of Supervisors

Supervisors ensure that appropriate mechanisms are in place so that they remain apprised of developments at a bank. They regularly evaluate, directly or indirectly, a bank’s policies, processes, and systems related to operational risk.

Where a bank is part of a financial group, supervisors have the duty to ensure that processes and procedures are in place for the appropriate management of operational risk across the group. A range of supervisory actions may be applied to address deficiencies identified during supervisory review.

Supervisors take an active role in encouraging a bank’s ongoing internal development efforts by monitoring and evaluating the bank’s processes.

Principles for the Management of Operational Risk

Many bank risk management programs treat effective management of operational risk as a fundamental element, since operational risk is inherent in all banking products, activities, processes, and systems. Sound operational risk management therefore reflects the effectiveness of the board and senior management in administering the bank’s portfolio of products, activities, processes, and systems.

Risk management generally encompasses a bank’s processes for identifying risks and measuring its exposure to them. The duties of the risk management teams are, therefore:

  1. Putting in place an effective program to plan and monitor capital;
  2. Ensuring that risk exposure and the corresponding capital needs are monitored on an ongoing basis; and
  3. Making sure steps are taken to mitigate the risk exposure.

The three lines of defense adopted by common practices in the industry for sound operational risk governance are:

  1. Business line management: Sound operational risk governance recognizes that business line management is accountable for identifying and managing the risks inherent in the products, activities, processes, and systems for which it is responsible.
  2. An independent corporate operational risk management function: This is a functionally independent corporate operational risk function (CORF) that generally complements the operational risk management activities of the business lines.
  3. An independent review: In this line of defense, the bank’s operational risk management controls, processes, and systems are independently reviewed and challenged by competent, appropriately trained personnel who did not develop, implement, or operate the framework.

The internal audit team should independently verify that the implemented framework is functioning effectively. Internal audit coverage should include an opinion on the overall appropriateness of the framework and the associated governance processes across the bank.

The policies, processes, and systems of the framework should remain sufficiently robust to keep pace with the evolution of operational risk management and the constant changes in the business environment.

Fundamental Principles of Operational Risk Management

The board of directors should take the lead in establishing a strong risk management culture. This is the first principle: the board should establish a corporate culture guided by strong risk management. That culture should support and provide appropriate standards and incentives for professional and responsible behavior.

Under the second principle, the bank should develop, implement, and maintain a framework that is fully integrated into its overall risk management processes. The framework chosen depends on factors ranging from the nature, size, and sophistication of the bank to its risk profile.


The Board of Directors

Under the third principle, the board of directors should establish, approve, and periodically review the framework. The board should also oversee senior management to ensure that the policies, processes, and systems are implemented adequately at all decision levels.

According to the fourth principle, the board should approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types, and levels of operational risk the bank is willing to assume.

Senior Management

Senior management should develop, for board approval, a clear, effective, and robust governance structure with well-defined, transparent, and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining the policies, processes, and systems for managing operational risk throughout the organization.

Risk Management Environment

Identification and Assessment

Senior management should ensure that the operational risk inherent in all material products, activities, processes, and systems is identified and assessed, so that the inherent risks and incentives are clearly understood. Senior management is also responsible for ensuring that the operational risk of all new products, activities, processes, and systems is fully assessed.

Monitoring and Reporting

Senior management should implement a process to regularly monitor operational risk profiles and material exposure to losses.

Appropriate reporting mechanisms should be in place at the board, senior management, and business line levels to support proactive management of operational risk.

Control and Mitigation

Banks should have a strong control environment that utilizes policies, processes, and systems. These controls include appropriate internal controls and risk transfer strategies.

Business Resiliency, Continuity and the Role of Disclosure

Banks should have business resiliency and continuity plans in place so that they can operate on an ongoing basis and limit losses in the event of severe business disruption.

Furthermore, a bank’s public disclosure should allow stakeholders to assess its approach to operational risk management.

Fundamental Principles of Operational Risk Management

Banks with a strong risk management culture and ethical business practices are less likely to experience potentially damaging operational risk events. The board normally establishes a code of conduct or an ethics policy that sets out the business practices considered acceptable.

The fundamental premise of sound risk management is that the bank’s board of directors understands the nature and sophistication of the risks inherent in the bank’s portfolio of products, services, and activities, and manages them accordingly.

Fully integrating the components of the framework into the bank’s overall risk management processes is crucial to understanding the nature and sophistication of operational risk.

This framework should have documentation that performs the following tasks:

  1. Identifies the governance structures used to manage operational risk;
  2. Describes the risk assessment tools and how they are applied;
  3. Describes the bank’s accepted operational risk appetite and tolerance, the thresholds or limits for inherent and residual risk, and the approved risk mitigation strategies and instruments;
  4. Establishes risk reporting and management information systems;
  5. Describes the bank’s approach to establishing and monitoring thresholds or limits for inherent and residual risk exposures;
  6. Provides a common taxonomy of operational risk terms;
  7. Provides for appropriate independent review; and
  8. Requires the review of policies whenever there is a material change in the bank’s operational risk profile.


Board of Directors

The following are the roles of the board:

  1. Establishes a management culture and supporting processes that are adequate for the nature and scope of the operational risk inherent in the bank’s strategies and activities, and develops comprehensive, dynamic oversight;
  2. Provides senior management with clear guidance and direction on the principles underlying the framework, and approves the corresponding policies developed by senior management;
  3. Regularly reviews the framework to ensure that operational risks arising from external market changes and other environmental factors are identified;
  4. Makes sure that independent audit reviews are carried out by individuals with appropriate training; and
  5. Makes sure that management keeps up to date with advances and evolving best practices.

Strong internal controls are an important aspect of operational risk management, so the board of directors should establish clear lines of management responsibility and accountability.

When approving and reviewing the risk appetite and tolerance statement, the board of directors should ensure that all relevant risks, the bank’s level of risk aversion, its current financial condition, and its strategic direction are considered.

Senior Management

The senior management is responsible for the following:

  1. Establishing and maintaining a robust challenge mechanism and issue-resolution process;
  2. Translating the operational risk management framework into specific policies and procedures that can be implemented and verified within the different business units;
  3. Ensuring effective communication and coordination among the staff responsible for operational risk management; and
  4. Ensuring that the bank’s activities are conducted only by employees with the necessary experience, technical capabilities, and access to appropriate resources.

The following should be considered by the bank when designing an operational risk governance structure:

  1. Committee structure: For larger and more sophisticated firms with a central group function and separate business units, the most important practice is a board-created enterprise-level risk committee that oversees all risks, to which the management-level operational risk committee reports.
  2. Committee composition: The operational risk committee should include a combination of members with expertise in the different business activities and in risk management.
  3. Committee operation: Meetings should be held at appropriate frequencies, with adequate time and resources allocated to them, so that discussions and decision-making are productive.

Risk Management Environment

Identification and Assessment

To effectively manage operational risk, systems should be put in place to identify and assess the risks by considering both internal and external factors. This ensures that there is proper and better risk profile understanding.

The tools that may be used for this purpose are: audit findings, internal loss data collection and analysis, external data collection and analysis, risk assessment, business process mapping, risk and performance indicators, scenario analysis, and measurement and comparative analysis.

Internal pricing and performance measurement mechanisms should appropriately account for operational risk. When a bank engages in new activities, its operational risk exposure increases.

Therefore, a process that reviews and approves new products should be put in place by the bank, with policies and procedures to address the process. The considerations in the review and approval process are:

  1. Inherent risks in new products, services, and activities;
  2. Changes experienced in the operational risk profile, appetite, and tolerance;
  3. Controls, risk management processes, and risk mitigation strategies that are necessary;
  4. The residual risk;
  5. Changes to relevant risk threshold and limits;
  6. The procedures and metrics of measuring, managing, and monitoring the new products or activities.

Monitoring and Reporting

The quality of operational risk reporting should be monitored by the bank to confirm that its reports are comprehensive, accurate, consistent, and actionable across the business line and products.

In both normal and stressed market conditions, the bank should be able to produce reports that are timely. Those should include:

  1. Thresholds, limits, and breaches of the bank’s risk appetite and tolerance;
  2. Details of recent significant internal operational risk events and losses;
  3. External events that are relevant plus any potential impacts on the bank.

Control and Mitigation

Internal controls should provide reasonable assurance that the bank’s controls are applied efficiently and effectively. Internal procedures should include systems that ensure compliance with policies, namely:

  1. Top-level review of progress towards stated objectives;
  2. Verification of compliance with management controls;
  3. Review of the treatment of required approvals and authorizations; and
  4. Tracking reports for approved exceptions to thresholds or limits.

Segregation of duties and dual control should be complemented by other internal controls. These controls include:

  1. Clearly established authorities or processes for approval;
  2. Close monitoring of adherence to assigned risk limits or thresholds;
  3. Safeguards for access to, and use of, bank assets and records;
  4. Appropriate staffing levels to maintain expertise;
  5. Regular verification and reconciliation of transactions and accounts; and
  6. A vacation policy that provides for employees to be absent from their duties for a given period.

Banks should have an integrated approach to identifying, measuring, monitoring, and managing technology risk. Technology risk management applies the same precepts as operational risk management, namely:

  1. Governance and oversight controls that align technology with the bank’s business objectives;
  2. Policies and procedures that facilitate risk identification and assessment;
  3. A risk appetite and tolerance statement, together with performance expectations, that assist in controlling and managing risk;
  4. Implementation of an effective control environment; and
  5. Monitoring processes that test for compliance with policy thresholds or limits.

Business Resiliency and Continuity

Significant financial losses may be incurred as a result of incidents that damage the bank’s facilities, telecommunications networks, and IT systems. These could lead to broader disruptions of the financial systems.

A bank should identify its critical business operational risks, including key internal and external dependencies, and set appropriate resilience levels.

Furthermore, continuity plans should establish contingency strategies and procedures for recovery and resumption, and should communicate plans for informing management, employees, suppliers, and other stakeholders.

Moreover, a bank should periodically review its continuity plans to ensure that contingency practices remain consistent with current operations, risks, threats, resiliency requirements, and recovery priorities.

Role of Disclosure

Public disclosure of relevant operational risk management information can foster transparency and the development of better industry practices through market discipline.

The bank’s operational risk management disclosures should allow stakeholders to determine whether the bank identifies, assesses, monitors, and controls its operational risk effectively.

Furthermore, the bank should have a formal disclosure policy, approved by the board of directors, that addresses its approach to determining which operational risk disclosures to make and the internal controls over the disclosure process.

Practice Questions

1) A new bank is to be established in New York City. According to the Basel Committee, three of the following are principles that should be considered in the operation of the new bank. Which one does NOT fit with the Basel principles?

  A. The board of directors should establish, approve, and periodically review the framework
  B. The board of directors should take a strong lead in establishing a powerful risk management culture
  C. The bank should develop, implement, and maintain a framework that is fully integrated into the bank’s overall risk management processes
  D. The bank should establish the number of customer loans that best fits its risk profile

The correct answer is D.

The Basel Committee highlighted three principles that are necessary in the operation of an organization, and they do not include the number of customer loans the organization is supposed to handle: different organizations have different numbers of customers, yet they follow the same principles.
