Case Study: Financial Crime and Fraud
After completing this reading, you should be able to:
In June 2004, Basel II published its first changes to regulate operational risk. This review introduced three regulatory pillars, broadening the scope of prudential supervision beyond minimum capital requirements.
Pillar 1 involves calculating the minimum level of capital banks require to cover the risk of unexpected losses from credit, market, and operational risks, and the minimum ratios required to limit liquidity risks.
Pillar 2 capital requirements can include additional capital requirements (“add-ons”) depending on a regulated entity’s risk profile.
Pillar 3 requires that financial institutions disclose their quarterly or yearly financial and risk information.
After learning that regulatory capital was insufficient to cover operational losses, Basel introduced mandatory principles for managing operational risk in 2003. In 2011, these principles were revised to include lessons learned from the 2007-2009 financial crisis. In March 2021, a revised version of the principles was published, increasing their number from 11 to 12.
Principles:
After the 2007-2009 financial crisis, Basel II was partially reformed. However, the operational risk rules remained unchanged. The Basel Committee initiated an operational risk capital reform in 2015. As a result, Basel III was updated in December 2017, discontinuing the three-tier regulatory capital regime for operational risk. The Standardized Measurement Approach (SMA), later renamed the Standardized Approach (SA), is the new method, effective from January 2023 and to be in use up to January 2025.
BCBS greatly influences the operations of major regulatory bodies across the globe. Regulated institutions are advised to refer constantly to the publications issued by their local regulators. This will enable them to meet their regulatory requirements and gain guidance on operational risk management.
Supervisory risk management involves:
Supervisors are expected to frequently assess the ORM framework of banks. To do this, supervisors examine banks’ policies, processes, and systems relating to operational risk.
In case the assessment reveals any weaknesses, supervisors should take necessary measures to ensure that banks address the identified weaknesses.
In addition, supervisors should support banks’ efforts by monitoring, comparing, and evaluating their performance.
Regulators expect ORM to go beyond a paperwork compliance exercise. It should be a more practical exercise and an integral part of all activities. To put it another way, risk management is fundamental to every business decision, and the staff should be involved at all levels of decision-making.
Regulators and auditors should ask banks to show how they reach their decisions and examine whether such decisions are made with risk in mind.
To examine whether an ORM framework is being implemented in a firm, the following questions should be asked:
Firms are expected to document and report all the activities as evidence for using an operational risk management framework. In other words, a firm should be able to provide evidence that the practice takes place. Therefore, all firm committees and management should keep a record of their discussions, decisions, and issues.
To avoid regulatory compliance fines, firms should read and understand all consultation papers and policy documents to ensure that they meet regulatory expectations. In addition, staff should have sufficient knowledge of the material documents that apply to them, and they should be asked to confirm each year that they fully understand the material in their possession.
Whenever there is a new regulatory expectation, a firm should have a team that reviews such regulations and presents them to the staff during their next meeting.
According to the Bank for International Settlements (BIS), banks should integrate their risk governance function into their overall risk management governance structure. To achieve effective risk governance, a firm should establish strong internal controls marked by clearly designated roles and responsibilities.
A company’s operational risk is managed through several committees. These committees make collegial decisions based on information from different levels of the firm’s decision-making hierarchy. The size and complexity of a firm influence the number of committees.
The type of business operations (i.e., corporate banking, investment banking, or support services) or geographic locations (such as countries or regions) determine the lowest tier of the operational risk committee setup. This level of the risk committee oversees operational risk in its respective area and escalates information to help build an accurate overview of the overall operational risk profile. In addition, any issues that arise above predetermined limits will be reported to a firmwide risk committee or second line of defense group for further examination.
It is important to note that each committee has a distinct purpose and must work within a specific set of constraints. For example, the corporate banking committee evaluates potential risks arising from activities in its sector, while the investment banking committee assesses investment-related risks within its own domain. Similarly, a country-level committee gauges potential risks from operations within a single nation, whereas regional committees consider risks originating from multiple countries within one region.
The operational risk committee is entrusted with the important responsibility of overseeing, managing, and monitoring operational risks. It presents a comprehensive and consolidated view of all operational risks to the executive risk management and board risk committees. The committee analyzes and identifies potential operational risk issues or threats, creates strategies to control and mitigate these risks, and implements plans to monitor the relevant risk indicators. It may also be responsible for developing procedures to ensure that all operational activities are conducted in accordance with applicable regulations and internal policies. Furthermore, it must provide regular reports to the executive risk management committee. These reports should include an assessment of current risk levels and the effectiveness of existing controls.
The board-created enterprise-level risk committee (board risk committee) oversees all operational risks. The committee is vital in ensuring that all potential risks are identified and managed appropriately. This involves conducting ongoing assessments of an organization’s operations to identify any risks or deficiencies before they morph into larger issues. Additionally, this committee works in close cooperation with senior executives across various departments to further enhance an organization’s overall control environment. Its efforts help ensure that operations are conducted safely and efficiently while mitigating any financial losses from emerging risks.
The board risk committee makes recommendations to the full board with regard to risk-based decisions, risk exposure, and risk management.
The board of directors is mandated to approve and periodically review the operational risk management framework. The board should oversee senior management to ensure that policies, processes, and systems are implemented effectively at all decision levels.
With respect to Principle 3, the board of directors should:
The Basel Committee defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” It includes legal risk but excludes strategic and reputational risk. Many programs that manage risks in banks take effective management of operational risk as a fundamental element that is inherent in all banking products, systems, activities, and processes. Therefore, sound operational risk management reflects the board’s and senior management’s effectiveness in the administration of portfolio products, activities, processes, and systems.
Firms often employ three lines of defense to control operational risks:
In modern banking, banks have established several business lines that work with some level of independence. Furthermore, they all work towards attaining a set of institution-wide goals. Each business line is faced with its own operational risks and is responsible and accountable for assessing, controlling, and mitigating these risks.
Front-line risk management involves all commercial and front-office operational functions or, simply, business functions.
An effective first line of defense consists of the following responsibilities:
ORM is decentralized by nature, i.e., everyone can take part in managing operational risk. Nevertheless, not everyone in a firm has the capacity to have a deeper understanding of risk management. As a result, firms appoint “risk specialists” or “risk champions” within each business unit. Risk specialists are also known as the line “1.5” or “1.b”. The following are the roles of risk specialists within the first line of defense:
This is a functionally independent corporate operational risk function (CORF) involved in policy setting and provision of assurance over first-line activities. The CORF generally complements the operational risk management activities of individual business lines.
Responsibilities of the CORF may include:
Although the CORF enjoys some level of independence in all banks, the actual degree of independence varies among banks. The CORF function in small banks often achieves independence through the separation of duties and independent review of processes and functions. For larger banks, the CORF enjoys a reporting structure that’s independent of the risk-generating business lines. The CORF has the mandate to design, maintain, and continually develop the operational risk framework within a bank.
A key function of the CORF is to challenge a business line’s risk management activities so as to ensure that all decisions and actions taken align with a bank’s risk measurement and reporting framework. To ensure that the CORF is effective in its work, it should have enough skilled personnel to manage operational risk.
The third line of defense consists of a bank’s audit function, which performs independent oversight of the first two lines. Everyone involved in the auditing process must not be a participant in the process under review. An external party can also conduct the review. The independent review team usually reports directly to the Audit Committee (a committee of members of the board of directors) on internal control, compliance, and governance.
According to the Institute of Internal Auditors (IIA, 2017), the internal audit should interact with the risk management, compliance, and finance functions in the following ways:
The board is responsible for determining the nature and extent of its risk appetite and internal control systems.
Defining a risk appetite implies assessing a firm’s key risks, developing limits within which the risks are acceptable, and establishing the required controls for these systems. Board directors should ensure that risk appetite and risk tolerance are defined consistently to drive the priorities of the entire control environment.
According to the 4th principle of operational risk management, the board must identify the types and levels of operational risks a bank is willing to assume. In addition, the board should approve risk appetite and risk tolerance statements. These statements should:
With respect to Principle 4, the board of directors should:
Regulatory guidance requires that risk appetite and risk tolerance statements be in line with the organization’s operations.
The board of directors is responsible for owning and validating the risk limits. The board usually delegates this responsibility to its risk committee.
According to the Basel Committee on Banking Supervision (BCBS), risk appetite should include the reasons for taking or avoiding certain types of risks. The firm has to take risks to meet its objective, but avoiding risk can also cost the firm. In this regard, the risk-return tradeoff must be addressed in the risk appetite statements. Risk appetite should be consistent with a firm’s objectives and the firm’s risk management strategy. Such a well-articulated risk appetite that is strategically aligned with a firm’s objectives can be used as a guideline for making important business decisions.
To demonstrate their risk appetite and tolerance for disruptions, firms must set maximum impact tolerances for critical business services. Also, in order for risk appetite and tolerance statements to be credible and actionable, they must refer to consistent key controls and systems of control.
As a matter of good practice in risk appetite, a risk owner should be assigned to each risk type. Alongside this assignment, control owners design, implement, and evaluate controls; metrics owners collect, report, and monitor the metrics that measure an organization’s risk appetite; and risk owners are the managers who manage, maintain, and monitor risk within the defined appetite and tolerance limits.
According to the 1st principle of operational risk management, a bank should maintain a strong risk management culture spearheaded by the bank’s board of directors and senior managers. A bank should strive to propagate a culture of operational risk resilience where everyone understands the need to manage risk.
The board of directors and senior management play a starring role in any operational risk management framework. With respect to Principle 1, the board of directors and/or senior management should:
Banks with a strong risk culture are less likely to be affected by damaging operational risk events. In fact, they are better positioned to deal with such events when they occur.
The board of directors must push for the implementation of a risk culture by senior management. The directors and senior management promote their organization’s risk culture through their own conduct and by spelling out expectations and consequences for employee conduct. Employees are far more likely to emulate what they see than what they are told.
It is easy to implement an effective risk appetite framework where there is already a strong risk culture. Success on the risk appetite journey is extremely difficult without a strong risk culture.
To promote a strong risk culture, a firm must have well-documented policies and codes that apply to everyone in the firm. Creating awareness and alerting people of a firm’s policies and rules contributes towards a strong risk culture.
Firms should also organize training and compensation structures to reinforce the codes of conduct and, as such, promote a strong risk culture. Educating all participants about operational risks embedded in activities and processes is another critical component of creating a sound risk culture.
Practice Question
Which of the following is the correct order and description of the roles and responsibilities for each line of defense in the “three lines of defense” model for operational risk governance?
A. First line: Risk and compliance functions setting policies. Second line: Internal and external auditors reviewing processes. Third line: Business unit managers handling day-to-day risk.
B. First line: Business unit managers and process owners handling day-to-day risk. Second line: Risk and compliance functions providing oversight. Third line: Internal and external auditors reviewing processes and controls.
C. First line: Internal and external auditors reviewing processes. Second line: Business unit managers handling day-to-day risk. Third line: Risk and compliance functions setting policies.
D. First line: Business unit managers handling day-to-day risk. Second line: Risk and compliance functions setting policies. Third line: Internal and external auditors providing oversight.
Solution
The correct answer is B.
The “three lines of defense” model for operational risk governance is typically structured as follows:
- First line: Business unit managers and process owners are responsible for handling the day-to-day management of operational risk. They are the front-line operators who are closest to the business operations and are in the best position to identify, assess, and manage risks as they arise.
- Second line: The risk and compliance functions play an oversight role. They set the policies and provide guidance to the first line on how to manage risks effectively. They do not directly manage the risk but instead support and oversee the risk management activities of the first line.
- Third line: Internal and external auditors review the processes and controls. They provide independent assurance that the risk management processes and controls put in place by the first and second lines of defense are effective.
A is incorrect because it incorrectly places the risk and compliance functions in the first line, auditors in the second line, and the business unit managers in the third line. This is not consistent with the standard “three lines of defense” model.
C is incorrect as it begins with internal and external auditors, which belong to the third line of defense. It also incorrectly places the risk and compliance functions in the third line, rather than the second.
D is incorrect because while it correctly identifies the business unit managers as the first line, it switches the roles of the risk and compliance functions with the internal and external auditors. Auditors should be in the third line, providing independent assurance, rather than oversight.
Things to Remember
- The “three lines of defense” model ensures a layered approach to risk management. Each line serves as a checkpoint, making it harder for risks to go unnoticed or unmanaged.
- By positioning business unit managers in the first line, the model leverages their proximity to daily operations, ensuring immediate risk identification and management.
- The second line’s oversight role is crucial as it bridges the gap between operational management and independent assurance, ensuring that risk policies are not only in place but are also adhered to.
- The third line offers an external perspective, providing unbiased assurance on the effectiveness of the preceding lines, thereby adding credibility to the risk management process.
- One primary benefit of this model is its clear delineation of roles, which reduces ambiguities in responsibilities and ensures accountability.
- Another advantage is the model’s comprehensive approach, which combines hands-on risk management, oversight, and independent review, thereby strengthening an organization’s resilience against operational risks.