What is ERM?
After completing this reading, you should be able to:
In June 2004, the Basel II framework introduced its first rules regulating operational risk. Three regulatory pillars were introduced, broadening the scope of prudential supervision beyond minimum capital requirements.
Pillar 1 involves calculating the minimum level of capital banks require to cover the risk of unexpected losses from credit, market, and operational risks, as well as the minimum ratios required to limit liquidity risks.
Pillar 2 capital requirements can include additional capital requirements (“add-ons”) depending on a regulated entity’s risk profile.
Pillar 3 requires that financial institutions disclose their quarterly or yearly financial and risk information.
In 2003, having learned that regulatory capital was not enough to cover operational losses, Basel introduced mandatory principles for managing operational risk. These were later revised in 2011 to include lessons learned from the financial crisis. In March 2021, a revised version of the principles was published, which saw an increase from 11 to 12 principles.
Principles:
After the 2007-2009 financial crisis, Basel II was partially reformed. However, operational risk rules remained unchanged. The Basel Committee initiated an operational risk capital reform in 2015. As a result, Basel III was updated in December 2017, discontinuing the three-tier regulatory capital regime for operational risk. The Standardized Measurement Approach (SMA), later renamed Standardized Approach (SA), is the new method, effective from January 2023 and shall be in use up to January 2025.
BCBS greatly influences the operations of major regulatory bodies across the globe. Regulated institutions are advised to constantly refer to publications issued locally by regulators. This will enable them to meet their regulatory requirements and gain guidance on operational risk management.
Supervisory risk management involves:
Supervisors are expected to frequently assess the ORM framework of banks by examining their policies, processes, and systems relating to operational risk.
In case the assessment does not go as expected, supervisors should take necessary measures to ensure that banks address the identified weaknesses.
In addition, supervisors should support the bank’s efforts by monitoring, comparing, and evaluating the bank’s performance.
Regulators expect ORM to go beyond a paperwork compliance exercise. It should be a more practical exercise and an integral part of all activities. To put it another way, risk management is fundamental to every business decision, and the staff should be involved at all levels of decision-making.
Regulators and auditors should ask banks to show how they reach their decisions and examine whether such decisions are made considering risk.
To examine whether an ORM framework is being implemented in a firm, the following questions should be asked:
Firms are expected to document and report all the activities as evidence for using an operational risk management framework. In other words, a firm should be able to provide evidence that the practice takes place. Therefore, all firm committees and management should keep a record of their discussions, decisions, and issues.
To avoid suffering regulatory compliance fines, firms should read and understand all consultation papers and policy documents to ensure that they meet the regulatory expectations. The staff should have sufficient knowledge of their material documents and be asked to confirm that they fully understand the material in their possession each year.
Whenever a new regulatory expectation is issued, a firm should have a team that reviews such updates and presents them to the wider firm at its next meeting.
According to the Bank for International Settlements (BIS), banks should integrate their risk governance function into their overall risk management governance structure. To achieve effective risk governance, the firm should establish strong internal controls marked by a clear designation of roles and responsibilities.
A company’s operational risk is managed through several committees. These committees make collegial decisions based on information provided by different levels of the firm’s decision-making hierarchy and information escalated by those committees. The size and complexity of the firm influence the number of committees.
The lowest tier of the operational risk committee setup is typically determined by the type of business operations (i.e., corporate banking, investment banking, or support services) or geographic locations (such as countries or regions). This level of the risk committee oversees operational risk in its respective area and escalates information to help build up an accurate overview of the overall operational risk profile. In addition, any issues that arise above predetermined limits will be reported to a firmwide risk committee or second line of defense group for further examination.
At this lower level, it is important to note that each committee has a distinct purpose and must work within a specific set of constraints. For example, the corporate banking committee will evaluate potential risks arising from activities in its sector. In contrast, the investment banking committee will assess investment-related risks associated with its part of operations. Similarly, a country-level committee must gauge potential risks from operations located within a single nation, whereas regional committees will consider risks originating from multiple countries within one region.
The operational risk committee is entrusted with the important responsibility of overseeing, managing, and monitoring operational risks. It then presents a comprehensive and consolidated view of all operational risks to the executive risk management committee, the management committee, and the board risk committee. The concerned committee can then analyze and identify any potential operational risk issues or threats, create strategies to control and mitigate these risks, and implement plans to monitor relevant risk indicators. It may also be responsible for developing procedures to ensure that all operational activities are conducted in accordance with applicable regulations and internal policies. Furthermore, it must provide regular reports to the executive risk management committee, including an assessment of current risk levels and the effectiveness of existing controls.
The board-created enterprise-level risk committee (board risk committee) oversees all operational risks. The committee is vital in ensuring that all potential risks are identified and managed appropriately. This involves conducting ongoing assessments of the organization’s operations to identify any risks or deficiencies before they manifest into larger issues. Additionally, this committee works in close cooperation with senior executives across various departments to further enhance the organization’s overall control environment. Their efforts help ensure that operations are conducted safely and efficiently while mitigating any financial losses from emerging risks.
The board risk committee makes recommendations to the full board with regard to risk-based decisions, risk exposure, and risk management.
The board of directors is mandated to approve and periodically review the operational risk management framework. The board should oversee senior management to ensure that the policies, processes, and systems are implemented effectively at all decision levels.
With respect to Principle 3, the board of directors should:
The Basel Committee defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” It includes legal risk but excludes strategic and reputational risk. Many programs that manage risks in banks take effective management of operational risk as a fundamental element that is inherent in all banking products, systems, activities, and processes. Therefore, sound operational risk management reflects the board’s and senior management’s effectiveness in the administration of portfolio products, activities, processes, and systems.
Firms often employ three lines of defense to control operational risks:
In modern banking, banks have established several business lines that work with some level of independence, but they all work towards attaining a set of institution-wide goals. Each business line is faced with its own operational risks and is responsible and accountable for assessing, controlling, and mitigating these risks.
Front-line risk management involves all commercial and front-office operational functions or simply business functions.
An effective first line of defense consists of the following responsibilities:
Even though ORM is decentralized by nature, i.e., everyone can take part in managing operational risk, not everyone in a firm has the capacity to have a deeper understanding of risk management. As a result, firms appoint “risk specialists” or “risk champions” within each business unit. Risk specialists are also known as the line “1.5” or “1.b”. The following are the roles of risk specialists within the first line of defense:
The second line of defense is a functionally independent corporate operational risk function (CORF) that is involved in policy setting and provides assurance over first-line activities. The CORF generally complements the operational risk management activities of individual business lines.
Responsibilities of the CORF may include:
Although the CORF enjoys some level of independence in all banks, the actual degree of independence differs among banks. The CORF function in small banks often achieves independence through the separation of duties and independent review of processes and functions. For larger banks, the CORF enjoys a reporting structure that’s independent of the risk-generating business lines. The CORF has the mandate to design, maintain, and continually develop the operational risk framework within the bank.
A key function of the CORF is to challenge the business lines’ risk management activities so as to ensure that all decisions and actions taken align with the bank’s risk measurement and reporting framework. To ensure that the CORF is effective in its work, it should have enough skilled personnel to manage operational risk.
The third line of defense consists of the bank’s audit function, which performs independent oversight of the first two lines. No one involved in the audit may be a participant in the process under review. An external party can also conduct the review. The independent review team usually reports directly to the Audit Committee (a committee of members of the board of directors) on internal control, compliance, and governance.
According to the Institute of Internal Auditors (IIA, 2017), the internal audit should interact with the risk management, compliance, and finance functions in the following ways:
The board is responsible for determining the nature and the extent of its risk appetite and internal control systems.
Defining a risk appetite implies assessing the firm’s key risks, developing limits within which the risks are acceptable, and establishing the required controls for these systems. The board of directors should ensure that risk appetite and risk tolerance are defined consistently to drive the priorities of the entire control environment.
According to the 4th principle of operational risk management, the board must identify the types and levels of operational risks a bank is willing to assume. In addition, the board should approve risk appetite and risk tolerance statements. These statements should be:
With respect to Principle 4, the board of directors should:
Regulatory guidance requires that risk appetite and risk tolerance statements be in line with the organization’s operations.
The board of directors is responsible for owning and validating the risk limits. The board usually delegates this responsibility to its risk committee.
According to the Basel Committee on Banking Supervision (BCBS), risk appetite should include the reasons for taking or avoiding certain types of risks. The firm has to take risks to meet its objective, but avoiding risk can also cost the firm. In this regard, the risk-return tradeoff must be addressed in the risk appetite statements. Risk appetite should be consistent with the firm’s objectives and the firm’s risk management strategy. Such a well-articulated risk appetite that is strategically aligned with the firm’s objectives can be used as guidance for making important business decisions.
To demonstrate their risk appetite and tolerance for disruptions, firms must set maximum impact tolerances for critical business services. Also, in order for risk appetite and tolerance statements to be credible and actionable, they must refer to consistent key controls and systems of control.
Good risk appetite practice assigns a risk owner to each risk type and control owners to design, implement, and evaluate controls. Metrics owners collect, report, and monitor the metrics that measure the organization’s risk appetite. Risk owners are managers who manage, maintain, and monitor risk within defined appetite and tolerance limits.
According to the 1st principle of operational risk management, the bank should maintain a strong risk management culture spearheaded by the bank’s board of directors and senior managers. The bank should strive to propagate a culture of operational risk resilience where everyone understands the need to manage risk.
The board of directors and senior management play a starring role in any operational risk management framework. With respect to Principle 1, the board of directors and/or senior management should:
Banks with a strong risk culture are less likely to be affected by damaging operational risk events and are better positioned to deal with such events when they occur.
The board of directors must push for the implementation of a risk culture by senior management. The directors and senior management promote their organization’s risk culture through their own conduct and by setting expectations and consequences for employee conduct. In fact, employees more readily emulate what they see than what they are told.
It is easy to implement an effective risk appetite framework where there is already a strong risk culture. Success on the risk appetite journey is extremely difficult without a strong risk culture.
To promote a strong risk culture, a firm must have well-documented policies and codes that apply to everyone in the firm. Creating awareness and alerting people of the firm’s policies and rules contributes towards a strong risk culture.
Firms should also organize training and compensation structures to reinforce the codes of conduct and promote a strong risk culture. Educating all participants about the operational risks embedded in activities and processes is another critical component of creating a sound risk culture.
Practice Question
A company’s operational risk is managed through several committees that make collegial decisions based on information provided by different levels of the firm’s decision-making hierarchy and information escalated by those committees.
Which of the following is the correct function of the operational risk committee?
A. Overseeing, managing, and reporting a comprehensive picture to the executive risk committee, management committee, and board risk committee.
B. Supervising the operations of a designated business division or segment and presenting an overview to the respective manager of the designated business unit.
C. Overseeing all operational risks, such as changes in the business environment, market volatility, regulatory compliance, cyber threats, and unforeseen events.
D. A thorough and ongoing assessment of significant incidents through the review and monitoring of investigations.
The correct answer is A.
The operational risk committee is responsible for overseeing, managing, and reporting a comprehensive picture to the executive risk committee, management committee, and board risk committee.
B is incorrect. Overseeing the activities of a specific business line or function is the responsibility of the business line operational risk committee.
C is incorrect. Overseeing all operational risks is the responsibility of the risk committee of the board.
D is incorrect. Reviewing and monitoring the investigation of large incidents is also a responsibility of the board’s risk committee.