Risk Reporting

After completing this reading, you should be able to:

• Identify roles and responsibilities of different organizational committees and explain how risk reports should be developed for each committee or business function.
• Describe components of operational risk reports and explain best practices in operational risk reporting.
• Describe challenges to reporting operational risks, including characteristics of operational loss data, and explain ways to overcome these challenges.
• Explain best practices for reporting risk exposures to regulators and external stakeholders.

The Roles and Responsibilities of Different Organizational Committees

Decision-makers can see a firm’s operational risk profile by monitoring operational risk. It helps them to assess the efficiency of its risk management framework and offers reassurance that the company operates within the parameters of its risk appetite. Decision-makers are alerted through risk reporting if these boundaries are crossed and if losses and incidents are bigger or more frequent than anticipated.

Both external and internal stakeholders use operational risk reporting. Internal audiences include the company’s executive committee, the risk committee of the board of directors, the core operational risk function, and pertinent business lines. The public, the regulatory bodies, and outside parties like clients or suppliers are all considered external stakeholders.

An organization’s operational risk profile contains details about the type and degree of operational risk exposure, prior risk incidents, risk appetite and risk indicators, risk-mitigation strategy, and resilience measures.

The Risk Committee of the Board of Directors

The board risk committee plays a critical role in the management of operational risk within firms. The committee is responsible for setting a firm’s risk appetite and overseeing the firm’s operations to ensure that it operates within the limits set by this appetite. In order to do so, the board risk committee must be provided with key risk indicators associated with the firm’s risk appetite, as well as information on the frequency and severity of risk events occurring in operations. The board risk committee can then use this information to make decisions on how to manage operational risks and ensure that they remain within acceptable levels.

The executive committee will be in charge of carrying out any improvements to better manage the firm’s risk profile in accordance with instructions from the board risk committee.

The Audit Committee

The audit committee provides an additional layer of oversight and assurance in order to protect the organization from any potential losses that may occur as a result of operational risk. They are responsible for ensuring that internal audit activities are performed correctly. This is aside from ensuring that any weaknesses or vulnerabilities uncovered through these audits are communicated to both the executive committee and the audit committee.

In order to properly manage operational risk, the audit committee is tasked with providing input into policies and procedure implementation and monitoring compliance with relevant regulations. In addition, its other responsibilities are overseeing internal control systems, regularly evaluating financial internal controls, and ensuring they meet industry standards. The audit committee should also conduct regular meetings with management to review ORM issues, trends, performance, and results.

Furthermore, the audit committee should review all reports from internal audits on a regular basis to determine if there is any evidence of fraud or non-compliance with regulations. Moreover, it should proactively monitor emerging operational risk trends. It does this by staying informed about changes in regulatory requirements for operational risk management and any developments in technology or general business practices which could lead to increased operational risk exposure.

Board members may hold dual roles while concurrently serving on the risk and audit committees.

The Executive Committee

The executive committee (ExCo) is a board subcommittee comprising top executives and elected board members. It serves as the entire board’s steering committee. Its mandate includes determining the most important issues that should be addressed by the full board and enforcing board policies. The ExCo ensures compliance with governance procedures.

In regards to risk management, the ExCo oversees how the operational risk management (ORM) framework is employed. All information relevant to how this framework is used—or not—is reported to the executive committee. This can include data such as risk events, remediation statuses related to culture and issue issues, and action plans which are implemented in response to these risks.

The Central Operational Risk Function and the Operational Risk Committee

The central operational risk function gathers all pertinent operational risk data, including information on risk events such as risk exposures, controls, indicators, the status of action plans, and changes to the risk profile brought on by new initiatives or developing trends, from the business lines and summarizes it in order to create aggregated, synthesis reports for the operational risk committee and to give the business lines feedback. Information should be evaluated, condensed, and presented in a way that helps different audiences and stakeholder groups make decisions.

The central ORM function’s responsibility is to give an aggregated view of the many risks and event types and their interactions, reflecting the organization’s operational risk profile as comprehensively as possible.

Coordination of the various reporting procedures by risk type and business line to produce a non-duplicative yet comprehensive report is a crucial ORM function in operational risk reporting.

Business-Line Managers and Risk Champions

Information about operational risk is gathered at the business operations levels. It is more carefully monitored by business line managers who keep an eye on the status of their action plans as well as the type and severity of operational risk incidents that their business lines encounter. Additionally, this data is communicated to the central ORM function so that it may be included in the centralized report on the operational risk profile of the organization.

Many businesses struggle to strike the appropriate balance between having too much and insufficient information in their risk reports. The risk of missing critical information and hiding crucial information increases when risk reports contain too much information, while too little information can become meaningless.

Choosing which information to report to whom and in what format is one of the considerations in the design of risk reporting. In most cases, high risks, near misses, and flawed critical controls will be escalated to the next decision level without change, while other information will be summed up in aggregated reports.

Reporting on Non-financial Risk Internally

All reporting is done with the aim of identifying actionable risk mitigation solutions as well as ensuring alignment with the firm’s risk appetite. Reporting offers a window into the business operations to make sure that objectives for risk acceptance, appetite, and mitigation are consistently met. In contrast to other risk categories, operational risk assessment is particularly difficult because this field is still developing.

The Components of Operational Risk Reports and the Best Practices in Operational Risk Reporting

Operational reporting across organizations is not standardized. While some businesses are more forward-looking in their research and focus on risk outlook, key risk indicators, and action plans, some organizations focus a lot of their emphasis on historical risk events, such as the frequency and severity of financial losses. Generally, an organization’s reporting tends to be more futuristic the more mature its ORM approach is.

A comprehensive internal ORM report has at least seven components. Depending on the audience, different levels of depth and specific elements will be included.

1. Top-10 risks and risk outlook.
2. Heatmap and risk register.
3. Risk appetite metrics.
4. Key risk indicators (KRIs) and issue monitoring.
5. Incidents and near misses.
6. Action plans and follow-up.
7. Emerging risks and horizon scan findings.

Top-10 Risks and Risk Outlook

The top-10 list of operational risks is a commonly used reporting tool for company management. It prioritizes risks based on management’s strategic objectives. This prioritization is based on the intensity of the risk within the business environment and any residual exposure that may exist due to an insufficiently effective control environment. For example, during the 2020 coronavirus pandemic, organizations typically ranked risks such as employee well-being and additional hazards associated with extreme business circumstances very highly in their risk assessment.

In general, companies can use this report to keep track of potential threats associated with specific types of operational risks. This list provides company leadership with valuable insight into situations that might require close monitoring or more extensive preventive measures. Furthermore, it can help identify areas where measures could be changed or improved in order to reduce overall risk exposure. Additionally, it serves as a useful reference point for comparison between different time periods or environments should an unexpected event occur.

Creating and regularly updating this top-10 risk document allows for better visibility into potential sources of harm and improved prioritization of resources towards mitigating them effectively. It also encourages staff to discuss existing issues and develop effective solutions to reduce any potential disruption in day-to-day operations. Finally, it allows senior management to make sound data-driven decisions when evaluating possible solutions while remaining conscious of organizational goals and objectives.

Heatmap and Risk Register

When assessing operational risks, it is important to have a comprehensive risk register that lists the different types of risks and their likelihoods and impacts. In order to visualize these elements in a more efficient way, organizations often use heatmaps and risk registers.

Heatmaps are graphical representations of the identified risks and potential associated losses that help an organization better assess, analyze, and manage its operational risks. Heatmaps also help illustrate the overall risk profile of an organization by showing how likely each type of risk is relative to one another.

A risk register is an organized listing of all the different types of risks that an organization has identified, along with their descriptions and associated likelihoods, impacts before and after controls are applied, as well as any controls or mitigation measures implemented or planned to address each risk. The typical format of a risk register often includes columns such as “Risk Description”, “Likelihood”, “Impact (pre-control)”, “Impact (post-control)”, “Controls Implemented/Planned”, etc. As part of its RCSA process, organizations create these documents to allow for better assessment and management of operational risks.

Using both a heatmap and a risk register together allows organizations to gain greater insight into the assessment process when managing operational risks.

Risk Appetite Metrics

A crucial component of operational risk reporting is the tracking of risk appetite and the monitoring metrics that go along with it. It enables the board to assess if the company is functioning within its risk appetite and choose the best course of action. 

Risk appetite measures, often known as “risk appetite KRIs,” are measurements that show how well a company complies with its operational risk appetite’s risk limits. Risk appetite measurements are provided as a single list when submitted to the board and senior management without necessarily segmenting risk appetite into operational risk subcategories.

KRIs and Issue Monitoring

KRIs can offer a detailed analysis of risk exposure in various activities or a thorough examination of the contributing elements to a particular risk. When it comes to data collection, KRI selection, and reporting, many businesses have discovered that repurposing what is already known and collected in the organization into a comprehensive set of indicators is more effective and requires less time and effort than attempting to create another data collection effort. 

Issues are another term for operational or control system problems that may or may not result in incidents. Flags indicating lax controls, delayed action, or delays in a process are a few examples. Issues should be classified by business line or as part of an identified emergent risk in order to make reporting actionable.

Incidents and Near Misses

One of the most important components of ORM reporting is reporting risk occurrences, losses, and near misses. Many companies begin their reporting by outlining what incidents involving operational risk occurred and how much each incident costs the company. Reports on operational risk events should include the size and frequency of incidents, frequency and severity per period, per event type, and business line, a trend analysis, and for larger instances that exceed a particular threshold, a supplementary report.

Near-miss occurrences are included in reporting incidents in organizations with strong risk cultures that emphasize ORM. Organizations assess the significance of close calls based on the potential consequence that was unintentionally avoided.

Action Plans, Controls, and Remediation Strategies

Action plans are risk-reduction strategies created to strengthen the regulatory environment. Corrective risk-mitigation strategies are reactive measures used to address an unexpected operational loss event. The operations incorporate detective controls to anticipate potential issues. Preventive action plans are developed to prevent specific operational risk events above a firm’s risk appetite.

The business-line owner is in charge of implementing controls, tracking action plans, and reporting on the success of the action taken.

Emerging Risks and Horizon Scanning

The process of “horizon scanning” has been adopted by businesses to find new trends and potential risks. The board risk committee receives monthly or quarterly reports on these risks. The majority of horizon scanning frequently concentrates on changes to the compliance and regulatory environment as well as regulatory risks. In accordance with best standards, horizon scanning ought to consider factors that can alter emerging risks and draw attention to volatility changes.

The Challenges of Reporting Operational Risks

Addressing Asymmetry of Operational Risk Event Data

Data on operational losses are especially heavily statistically biased away from the average frequency, i.e., a relatively small number of high-severity loss events frequently account for the majority of operational loss. The largest losses may occur 0.5% of the time but account for 80% of all operational losses. Risk management resources should focus on preventing and resolving major incidents rather than being distracted by minor daily incidents. 

Escalation of Large Risk Events

Large risk occurrences and notable near misses that exceed the organization’s risk threshold are typically discovered very fast by management and the parties involved, and they must be escalated right away to senior management for evaluation and action. Large losses must be identified and published separately to prevent distorting the summary data concerning minor losses.

Large Number of Small Losses

The majority of reported operational risk incidents involve small, frequent losses. A large number of operational events are recorded when the incident reporting threshold is lower. The identification and regular analysis of small and frequent losses should be done to spot any patterns that would indicate a control breach. The average cost of these losses may be added to the price of services and charged to the clientele.

Benchmarking Operational Losses

Reporting operational risk losses in relation to a benchmark can help management’s decision-making process become more targeted. Comparing similar entities across business units is easier when operational losses are reported as a percentage of gross income, total costs, or total budget.

No Averages in Operational Risk

Averages are far less useful and can be deceptive when used in asymmetric distributions, such as operational risk events. The median and the first and third quartiles of the distribution are preferred to averages, and they also have the benefit of being simple to show and comprehend.

A small number of outliers frequently contribute to the bias in operational loss averages. It is preferable in this situation to eliminate these huge tail losses from the dataset used to calculate the average and instead report each of the large tail losses separately if the calculation of an average is required.

From Data to Information: Outliers, Concentration, and Scenarios

Information with regard to risk reporting is valuable when it deviates from the norm. Information’s value is derived from data patterns, concentrated regions of distributions, and separations between observations. Establishing a baseline of “normality” against which deviations can be more easily and accurately discovered can be done via trend analysis over two or more cycles. This would often be used to set KRI levels and other alert criteria.

Investigating the reality underlying the numbers and identifying what is going right and potentially wrong in the business are two things that may be done through risk reporting. Various low, medium, and high-risk scenarios that could change the loss profile are taken into account in a robust analysis of operational loss patterns.

The Challenge of Aggregating Qualitative Risk Data

Unlike financial risk reporting, operational risk reporting encounters the extra difficulty of combining qualitative data. Risk scores, color ratings, and other indications are discrete, qualitative, and totally unsuitable for arithmetic treatment. Two risks rated “3” (moderate) are not always equivalent to one risk rated “5” (severe) and one risk rated “1” (low). Risk ratings stated as numbers are no more quantitative or additive than those expressed as colors despite the fact that they reveal information regarding ordinal ranking. There are three possibilities to think about when combining qualitative data:

• Conversion and addition: Convert qualitative indicators into a single monetary unit that is additive, linear, and can subsequently be arithmetically aggregated. This strategy adds the non-financial effects of operational risks to their financial impacts by translating them into financial terms. The monetization of operational risk’s non-financial effects also has the added benefit of increasing awareness of the significance of this risk type in comparison to credit and market risks.
• Categorization: Report risk indicators and scores by category, classifying them according to color or score. This gives a fair representation of the risk profile and maintains the clarity of the reporting. The red scores are arranged as a “candle” at the top of the graphic to represent the idea that the longer the flame, the greater the danger.   
• Worst-case reporting: A data set’s worst score, such as a combination of major risk indicators, is given as the total value, i.e., if one thing is red, everything is red. It can be suitable if the risk tolerance is low and the data acquired is trustworthy. This strategy has the benefit of being cautious, but it also may be too alarming.

Combined Assurance

The goal of combined assurance is to coordinate the assurance methods used by internal audit and outside assurance providers so that senior management and the audit committee receive accurate information on governance, risk, and control management.

The second line-of-defense functions, which include the ORM function, among others, are the internal assurance providers. Depending on the organization, the legal, risk management, compliance, or quality assurance functions may also be incorporated.

The following roles should be split among the three lines of defense for combined assurance:

• First line: Assessment of risks and controls, testing of controls, and certification that risk management procedures and controls work as intended.
• Second line: Supervision of the risk management tasks carried out in the first line of defense.
• Third line: Periodic assurance actions that include internal audits in accordance with the audit cycle.

Building a practical ORM framework requires the use of quantitative methods, including modeling. Many businesses use scenario analysis to supplement existing operational risk techniques because of the uncertainty of operational risk and the lack of extensive historical data patterns.

The Best Practices for Reporting Risk Exposures to Regulators and External Stakeholders

External Risk Reporting

Pillar 3 of the Basel regulatory framework addresses the public disclosure of risk and financial information.

Reporting to the Regulator: Pillar 3 of the Basel Regulations

Basel mandates that banks compute their operational risk capital using operational risk-related data that make up the standardized approach elements.

Requirements for operational risk disclosure cover three categories of data:

I. Qualitative Information on Operational Risk Management

Presenting the governance and risk management structures that the entity has established to manage, mitigate, or transfer its operational risk is the goal of this section of the reporting. Companies must disclose the structure and organization of their ORM and control function, as well as the policies, procedures, and standards for the management of operational risk. Firms must also describe the risk transfer and mitigation strategies utilized in the management of operational risk.

II. Historical Losses

Regulated entities must provide appropriate details on the total operational losses accumulated during the previous ten years. Each national supervisor has a set and specified reporting structure that offers additional direction on the disclosure. While providing the information in aggregate and excluding any sensitive or proprietary information, banks should also provide any additional relevant information regarding their historical losses or recoveries.

III. Business Indicator and Subcomponents

This entails disclosing the business indicator and its necessary components, which serve as the basis for the computations of operational risk capital. In order to explain any important changes that have occurred during the reporting period and the primary causes of those changes, regulated firms are also required to provide descriptive input to the report.

Absence of Evidence is Evidence of Absence

What is not supported by evidence is regarded as nonexistent by regulators. A risk manager’s verbal declaration won’t be accepted as confirmation by a regulator; there must be proof. Risk reporting and documentation are crucial in demonstrating to regulators and the market that risk controls and adequate risk governance mechanisms exist. You can accomplish this by compiling the minutes from the meetings of the governance committees, such as the board, board risk committee, and executive committee, and by capturing the issues, conversations, and decisions in the minutes approved for the meetings.

Notifications of Incidents to the Regulator

Financial institutions are mandated in the majority of jurisdictions to alert their regulators of any substantial operational risk events or any conduct violations. This is in addition to alerting law enforcers of any fraud, wrongdoing, or terrorist activity both inside and outside an institution. The need to alert regulators could be caused by:

• Materiality criteria: The events’ importance in light of a loss or materiality threshold.
• Reputation criteria: Anything that negatively impacts the company’s reputation.
• Resilience criteria: Any circumstance that might compromise the business’s ability to continue serving its clients.
• Stability criteria: Anything that might have a negative impact on the financial system.

Regulators need openness and honesty from regulated institutions regarding the status of their operational risks.

Reporting to the Market and Investors: Risk Section of the Annual Report

Businesses must also provide comments about how they manage and expose their risks in their annual reports. Operational risk is becoming increasingly important in the annual reports of financial services firms. While avoiding excessively frightening stakeholders about potential issues, businesses must appear open, aware of, and honest about their risk exposure. This leads to them being perceived more positively by stakeholders.

Reporting on Operational Resilience and Satisfying Regulatory Expectations

To meet the demands of the market and some regulators, operational resilience reporting will soon be added to reporting on operational risk. Some regulators will soon demand that businesses conduct testing to ensure that they stay within the established impact tolerances for every significant business service, make the necessary investments to allow these services to operate continuously within the established impact tolerances, and report to the regulator on these elements.

Practice Question

StoneBank International, a global financial institution, is currently undergoing a major internal audit regarding its operational risk management strategies. The audit aims to evaluate the effectiveness and efficiency of the institution’s internal control system. During a board meeting, the Chief Risk Officer presented various reports to different organizational committees. The audit committee was presented with findings about a significant variance between the actual and expected losses from a specific business line. The central operational risk function has observed some inconsistencies in the risk indicators and has recommended a comprehensive review.

After the meeting, you, as a consultant, were approached by the CEO who asks you about the most suitable committee to address the potential concerns raised by the variance between actual and expected losses.

Which committee would be best suited to handle this specific concern?

A. Risk Committee
B. Audit Committee
C. Executive Committee
D. Central Operational Risk Function

Solution

The correct answer is A.

The Risk Committee is primarily charged with monitoring the firm’s risk management framework. They receive reports detailing operational risk exposures, trends, and emerging risks. Key data points such as key risk indicators (KRIs), the frequency and severity of risk events, and large event investigations are paramount to them. A significant variance between actual and expected losses falls directly within the scope of their monitoring responsibilities, making them the most suited to address this concern.

B is incorrect. While the Audit Committee does oversee the third-level oversight of an organization and reviews operational risk, its main focus is to ensure the effectiveness and efficiency of the entity’s internal control system. Their concerns are more toward findings and assurances rather than the granular handling of risk indicators like the variance between actual and expected losses.

C is incorrect. The Executive Committee serves as the steering committee for the overall board, overseeing board policies, facilitating decision-making, and ensuring strong governance. Although they do oversee the effective and proper execution of the operational risk management framework, the specificity of the concern raised is best handled by the Risk Committee that dives deeper into such matters.

D is incorrect. The Central Operational Risk Function acts as the second line of oversight. They collect and aggregate information for reporting to the Risk Committee and business line managers. While they might have identified the inconsistencies, the responsibility to address and manage such a significant variance between actual and expected losses falls under the Risk Committee.

Things to Remember

• The Risk Committee plays a pivotal role in setting the tone and culture of risk management within an institution.
• Its focus goes beyond monitoring, encompassing the development and updating of risk management policies and procedures.
• Membership often comprises senior executives, ensuring that the committee’s decisions align with the broader strategic objectives of the institution.
• Regular communication between the Risk Committee and other organizational committees ensures comprehensive risk oversight and integrated decision-making.
• Its proactive approach allows for early identification of potential risks, enabling firms to navigate challenges with agility and foresight.