Operational Risk Management

Question 1

What is operational risk?

Answer 1

The Basel Committee on Banking Supervision defines operational risk as: ‘The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’. It consists:

1. Internal fraud: This may take the form of any unauthorised activity such as internal theft or fraud
2. External fraud: Events might relate to theft, fraud and systems security
3. Employee practices and workplace safety: These are losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity or discrimination events
4. Clients, products and business practice: Losses can arise from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements) or from the nature or design of a product
5. Damage to physical assets: These may be losses resulting from natural disasters but also losses from external human cases, such as terrorism, or vandalism
6. Business disruption and system failures: This refers to losses from systems in general and hardware, software, telecommunications, utility outages and systems failures in general
7. Execution, delivery and process management: This describes all losses from failed transaction processing or process management, from relations with trade counterparties and vendors. This includes transaction capture, execution and maintenance whereby a wide range of events would be caught. It would extend further into monitoring and reporting activities where any failed mandatory reporting obligation or inaccurate external reporting event took place and where an incurred loss resulted

Question 2

What are the operational risk business lines defined by the Basel Committee which are applicable to banks?

Answer 2

1. Corporate finance
2. Retail banking
3. Agency services
4. Payments and settlement
5. Commercial banking
6. Asset management
7. Retail brokerage
8. Trading and sales

Question 3

What are the regulatory requirements of operational risk?

Answer 3

UK Regulation

• The Board of a Bank is responsible for setting appropriate policies and to procure the necessary resources such as the appointment of supervisors.
• The PRA and FCA require that individual senior managers take appropriate steps to ensure that the business they are running is properly organised and capable of being controlled.
• The Senior Managers Regime (SMR) for individuals who are subject to regulatory approval requires organisations to allocate a range of responsibilities to these individuals and regularly assess their fitness and propriety.

European regulation

• The European Commission has passed many directives and regulatory initiatives including the Capital Requirements Directive (CRD).
• The Capital Adequacy Directive (CAD 3) contained explicit rulings about operational risk addressing such things as employees, processes, outsourcing and business continuity management.

Question 4

What are the Benefits of Operation Risk Management?

Answer 4

1. A reduction of operating losses
2. Lower compliance/auditing costs
3. The early detection of unlawful activities
4. Reduced exposure to future risks
5. A lower capital charge under the regulatory environment in line with Basel recommendations
6. Better decision making
7. Improved credit ratings, share price and reputation

These benefits lead to greater resilience in the business and a better chance of the business growing and attracting further customers in line with its strategic objectives.

Question 5

How should operational risk policy be implemented?

Answer 5

1. Board responsibility for operational risk policy: Operational risk policy must originate from the top of the organisation and be agreed and sponsored at board level via a process of embedding it into the bank’s culture. The board must comply with good corporate governance standards as laid down by the Financial Reporting council’s Combined Code. Risk committees should be under the chairmanship of a member of the Board and have as a member of its group the Chief Risk Officer (CRO) acting for the bank.
2. Senior management’s role: The Board must ensure that there is a segregation of duties between internal audit and operational risk management. Both disciplines are necessary to support the business and have independent, unfettered access to the Board itself.
3. Development of the framework: The bank should be looking for a standard, holistic way of working which is improved over time and is thoroughly understood by all who take part in it.
4. Operational risk culture: Boards and senior executive groups must set a good example by way of leadership and therefore simulate the culture in a way that not only mitigates risks but also enhances the value of business.
5. Challenge and escalation: People should be encouraged to remain vigilant and contribute to an active risk awareness and mitigation in the manner in which they undertake their own jobs. The benefits of an ongoing commitment to improvement in knowledge and expertise will benefit the organisation by being better able to recruit and retain good quality staff.
6. Better decision making: Corporate governance sits at the top of everything and provides greater assurance to the Board and to shareholders on the effectiveness of internal controls operating and utilised within the bank. This assurance should lead to stronger decision making.

Question 6

What stages are there to an operational risk management framework?

Answer 6

1. Operational risk policy
2. Identification of risks
3. Measurement and assessment of risks
4. Mitigation (the reduction of potential risk impact and likelihood)
5. Monitoring of risks
6. Reporting of risks

Question 7

What are constraints to an operational risk management framework?

Answer 7

1. Practical constraints of implementing an operational risk management framework:
2. Data collection and management constraints: in practice, it is very difficult to build a truly comprehensive data set.
3. Cultural constraints: business heads need to be convinced of the value that operational risk management will bring. If not implemented in a well-structured manner it is often seen as a cost to the business, and even a nuisance, rather than a real asset.
4. Resource and cost constraints: organisations may underestimate time and resources required to implement risk identification and measurement systems
5. Indicator constraints: it can be difficult to deign risk indicators that monitor the full range of risks.

Question 8

What types of operational risk controls are there?

How can a control be measured?

Answer 8

• Directive controls: These typically take the form of policies, processes or manuals.
• Preventative controls: These controls are to prevent the risk or event from happening in the first place.
• Detective controls: These identify immediately that the risk event has occurred and to mitigate it.
• Corrective controls: These act after the event has happened and mitigate the effects of the event though corrective action.

In the same way that risks and performance can be measured by indicators so can controls utilising the concept of key control indicators (KCIs). A KCI will be something which sets in place a scoring mechanism to measure the effectiveness of the control.

Question 9

What is the purpose of audit?

Answer 9

The purpose of audit is to provide independent review.

Question 10

What performs audit in an organisation?

Answer 10

• Internal Audit: Internal audit acts independently of senior management yet its scope and objectives of are decided by the senior management. It should have an unrestricted mandate to access records, checking, challenging and reviewing practices. Internal audit activity reports directly to the board. Its purpose is to report and provide a follow up providing an action plan upon which management can move forward.
• External Audit: External auditors check and comment on financial reporting statements in accordance with statements of standard accounting practice as laid down by the Auditing Practices Board. External audit operates on behalf of members and shareholders of a company. It provides an opinion as to whether the financial statements give a true and fair view of the company.
• The Audit Committee: The Audit Committee of the Board comprises independent non-executive directors drawn from the Board and works in parallel with the internal and external auditors. Most banks have a separate Risk Committee as well as the Audit Committee.

Question 11

What is the three lines of defence model?

Answer 11

Each of the three lines of defence have specific tasks in the internal risk control governance framework.

The first line of defence: This describes the controls that an organisation has in place to deal with the day-to-day business; in effect the line management. The first line of defence informs the audit committee by identifying risks and business improvement actions, implementing controls, and reporting on progress.

The second line of defence: This is the combination of the risk management and compliance functions. Risk management functions facilitate and monitor the implementation of effective risk management practices by operational management.

The third line of defence: This describes the independent assurance provided by the Audit Committee and the internal audit function that reports to that committee.