Operational Risk Management Framework

Framework for Operational Risk

The Operational Risk Management framework is comparable to the frameworks for other risks:



• Risk identification: identify uncontrolled risks
• Risk measurement: measure the likelihood and impact of risks and changes in risk levels
• Risk monitoring: monitor (unacceptable) risk, changes in risk, and the risk management process
• Risk mitigation: mitigate risk to stay within acceptable risk levels

Risk & Control Self-Assessment

Banks' shareholders, boards, regulators and rating agencies require them to consistently and periodically identify, measure and monitor the key operational risks their businesses run in achieving their objectives. One of the required tools is Risk & Control Self-Assessment (R&CSA). It has become an industry best practice in banking, insurance and asset management, but also outside our industry. All major and reputable institutions have developed their R&CSA framework and tools. Regulators, too, are increasingly focussing on R&CSA.


The objective of the R&CSA is to:

1. improve the early detection of unidentified risks
2. better assess the acceptability of the level of identified risks
3. develop (more effective) alternative controls for the unacceptable risks
4. (earlier and better) implement mitigating actions
5. involve the business and functions themselves in this risk assessment, thereby creating higher commitment from management and staff to proactively manage its operational risks

A graphical representation of the R&CSA process is given in the figure below. In the 'Identification' phase the key risks are identified. Presumably a (small) number of risks will not be detected (unidentified risks); by definition these risks are not known, so the identification process must be performed in such a way that the risk of non-detection is mitigated as much as possible. An open-minded process is key. In the 'Assessment' phase, the identified risks are analysed with respect to probability and impact and then split into acceptable and unacceptable risks. Line management is responsible for this assessment and decision-making, based on the bank's own risk appetite. During the 'Mitigation' phase adequate measures are developed (control, transfer or avoid) to mitigate the unacceptable risks.

[Figure: the R&CSA process in three phases: Identification, Assessment, Mitigation]


This generic R&CSA framework allows for the specifics of our businesses, but still creates a certain level of uniformity where possible and desired. The approach will help the business units to perform a Risk & Control Self-Assessment by the business itself. Maximum benefit, in terms of economic capital reduction and implicit process quality improvement, will accrue from an integral business assessment. A high-quality R&CSA process within a business will be separately rewarded through a lower economic capital charge.

The R&CSA framework meets the available regulatory standards (ROC: “Regulation on Organisation & Control”; Basel: “Sound Practices for the Management and Supervision of Operational Risk”). The framework also secures the linkage of the R&CSA process with other risk management processes, such as the development of Key Risk Indicators, operational incident & loss data collection, and audit findings & action tracking.

The risks and existing controls identified in the identification phase of the R&CSA are assessed in detail to determine their level of acceptability, by measuring their probability and impact on a scale from one to five, as depicted in the Impact/Probability matrix below:


From the bottom-left corner to the top-right corner, the impact/probability of the risks gradually increases. The goal of operational risk management is to bring the high-probability/high-impact risks down towards the bottom-left corner as much as possible, by reducing the causes of the risks or by implementing adequate controls.
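The assessment step above can be made concrete as a small risk register. The following is an added example, not code from the original page or from any bank's R&CSA tooling: it scores each risk on the 1-to-5 probability and impact scales the text describes, splits the register into acceptable and unacceptable risks, and models a control moving a risk towards the bottom-left corner of the matrix. The traffic-light thresholds, the sample risks and the control adjustments are constructed assumptions for illustration; where the acceptable/unacceptable boundary actually lies is a risk-appetite decision for line management.

```python
"""Impact/probability assessment for an operational risk register.

Added example (not part of the original page). The 1-to-5 scales follow the
text; the rating thresholds, sample risks and control adjustments are
constructed assumptions for illustration.
"""
from dataclasses import dataclass, replace

SCALE = range(1, 6)  # both axes run from 1 (lowest) to 5 (highest)

# ASSUMPTION: the page does not state where acceptable ends and
# unacceptable begins. These thresholds on probability x impact (1..25)
# are illustrative only.
GREEN_MAX = 6    # acceptable: monitor
AMBER_MAX = 12   # acceptable only with a mitigating action planned
                 # above AMBER_MAX: red, unacceptable


@dataclass(frozen=True)
class Risk:
    name: str
    probability: int  # 1..5
    impact: int       # 1..5

    def __post_init__(self):
        if self.probability not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: probability and impact must be 1..5")

    @property
    def score(self) -> int:
        return self.probability * self.impact


def rating(score: int) -> str:
    """Traffic-light rating for a cell of the matrix."""
    if score <= GREEN_MAX:
        return "green"
    if score <= AMBER_MAX:
        return "amber"
    return "red"


def assess(risks):
    """Split a register into acceptable and unacceptable risks, worst first."""
    ordered = sorted(risks, key=lambda r: (-r.score, r.name))
    return {
        "unacceptable": [r for r in ordered if rating(r.score) == "red"],
        "acceptable": [r for r in ordered if rating(r.score) != "red"],
    }


def apply_control(risk: Risk, probability_reduction: int = 0,
                  impact_reduction: int = 0) -> Risk:
    """Model a mitigating control: reduce the cause (probability) and/or the
    consequence (impact), never below 1, moving the risk towards the
    bottom-left corner of the matrix."""
    return replace(
        risk,
        probability=max(1, risk.probability - probability_reduction),
        impact=max(1, risk.impact - impact_reduction),
    )


def cell_counts(risks):
    """5x5 grid of how many risks sit in each cell; grid[p-1][i-1]."""
    grid = [[0] * 5 for _ in SCALE]
    for r in risks:
        grid[r.probability - 1][r.impact - 1] += 1
    return grid


# Constructed sample register (hypothetical entries, not from the page).
SAMPLE_RISKS = [
    Risk("Manual reconciliation error", probability=4, impact=2),
    Risk("Payment released without dual approval", probability=2, impact=5),
    Risk("Data centre outage", probability=1, impact=5),
    Risk("Privileged access misuse", probability=3, impact=5),
]


if __name__ == "__main__":
    for label, group in assess(SAMPLE_RISKS).items():
        print(label)
        for r in group:
            print(f"  {r.name}: P{r.probability} x I{r.impact} = {r.score} ({rating(r.score)})")
    # Mitigation phase: a control that lowers the likelihood of misuse.
    before = SAMPLE_RISKS[3]
    after = apply_control(before, probability_reduction=2)
    print(f"{before.name}: {rating(before.score)} -> {rating(after.score)}")
    # Heat map: probability 5 at the top, impact 1 at the left, so the
    # top-right cell is the worst corner and the bottom-left the best.
    grid = cell_counts(SAMPLE_RISKS)
    for p in reversed(SCALE):
        print(f"P{p} " + " ".join(f"{c:>2}" for c in grid[p - 1]))
    print("   I1 I2 I3 I4 I5")
```

Only the one red risk ends up in the unacceptable list; cutting its probability by two steps brings it into the green zone without touching its impact, which is the "reduce the causes" route the text names, as opposed to a control that reduces the consequence.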

Risk awareness programmes

Our approach includes a management workshop using pre-set question blocks, in which teams answer multiple-choice questions using silent voting devices. The results are shown on screen and recorded, and we discuss them candidly. The importance of this step cannot be over-stressed, as it works within any culture. Silent voting ensures that we draw out sensitive issues and increases confidence that there is a level playing field and that results are not contaminated by internal pressures. At an early stage in the risk assessment process we are therefore in a strong position to compare results with the dashboards currently in operation as a result of previous risk assessments.

Key Risk Indicators reporting

Based on the R&CSA that we perform we can benchmark against the current reporting and develop an upgraded dashboard for KPI and KRI reporting using the ROAMBI system for data extraction and reporting.

A Key Risk Indicators report should be compiled in such a way that it:

• helps to improve the controllability of the business
• helps to mitigate (operational) risks
• is concise and accessible for senior management
• helps to keep or focus management attention on maintaining operational risks within acceptable, preferably predefined, target, ceiling or quality levels

The above can be achieved if the management summary of the report is only one page long and contains traffic-light indicators (green, amber, red) and the required actions to be taken.

Such a Report should be a standard component of the information-set for an ORC or Management Team or Committee. Further, part of the monitoring process is also to set control standards, which should be met by an activity or function. Without standards the measurement process would become a mere statistics exercise. The risk tolerance or acceptance is dependent on setting standards. This should of course be done in an effective and managerial way (e.g. not by producing an overload of manuals or ineffective bureaucracy).

It is critically important for effective Key Risk Indicator reporting to differentiate between senior management, which monitors and takes management action, and business line and functional department management, which is involved in day-to-day action-taking. To reach both audiences a Key Risk Indicator report contains a specifically designed Top Sheet for senior management and a Fact Sheet with more detailed information for line management. Such a report can provide more management information value than a variety of traditional management reports.

Our ROAMBI approach is critical to the success of:

1. Designing upgraded KPI and KRI reporting ratios.
2. Delivering the opportunity to produce reports more accurately and in a more timely manner.
3. Establishing a more robust yet adaptable reporting dashboard supporting hand-held devices, so that stakeholder- and customer-facing people can effectively share authorised information that shows directional signs of achievement in positively changing culture, improving standards, reducing reputational risk, improving customer confidence, etc.

Based on the Key Risk Indicators reporting systems that we help our clients establish, we believe a radical set of benefits is delivered to the business-winning teams who can demonstrate the headway their firm is making in managing its operational risks and improving standards, whilst developing innovative solutions for the client. We ensure that the Operational Risk Management function becomes a strategic part of the business-winning apparatus and is not just seen as a red/amber/green reporting hub and cost base that never seems to prevent the big losses from happening and customer confidence from eroding.

Incidents reporting

Many financial institutions did not have periodic and comprehensive reporting of operational incidents prior to 2000. The development of new systems of data capture, to create better knowledge of the actual costs of operational risk, has occurred since the implementation of Basel II. Improving our clients' insight into the costs of operational risk helps us in accomplishing the Board's objective of operational excellence: lowering the costs & capital charges and improving risk management while at the same time becoming more competitive in the markets, winning new business by demonstrating new-found confidence.

All Banks already have robust frameworks for operational incident reporting, with at least a complete 3-year history of operational risk incidents, as this is one of the requirements for qualifying for a more favourable operational risk capital charge regime. The advantages include:

• Increase risk awareness

To assist the management of business units in increasing risk awareness and improving their risk management capability by improving their knowledge of the actual current costs of operational risk;

• Better MIS

To periodically measure the value of operational risk incidents, per business line and loss category, giving management better insight to manage and reduce incident costs. “You have to create a measurement-culture because operational risk control starts with measurement and knowledge of the facts”

• Better incident response

To improve the ability of general management and its supporting functions to respond to significant operational and reputational incidents.

Capital allocation

All Banks have developed operational risk capital measurement methodologies which measure how much capital is necessary given the operational risks of a business (unit/line), region, EC or group. This methodology is continuously being upgraded in response to regulatory & industry developments and the increasing importance of economic capital and RAROC within the industry. Banks commonly apply the Risk Adjusted Return on Capital (RAROC) framework in order to measure the economic performance of the banking, asset management and insurance activities on a consistent and risk-adjusted basis. RAROC is calculated by dividing the economic return by the economic capital. The operational risk capital is the ‘executive summary’ of the operational risk level of a business. The current state of the art in operational risk measurement allows a first assessment of the operational risk exposure, including the operational size, complexity and inherent risk of a business. A specific adjustment, based on five scorecards, then reflects the quality of risk control. Each scorecard measures the quality of one risk management process.

Audit findings action tracking

Action Tracking tools monitor the progress on solving outstanding audit, regulatory and own key risk control actions. Especially in the larger and medium-size business units, operating in various locations, such tools prove essential in keeping track of action progress, enabling management to solve risk control problems.

Operational Risk Committee

The risk monitoring responsibility is allocated to line management, which has its Operational Risk Committee to structure and coordinate all required communication and information, i.e. to identify, measure and monitor the operational risks of its business activities and to ensure that appropriate management action is taken by the responsible (business) line managers. Operational Risk Committees are required for all of a Bank's Executive Committees, Regional Management Committees, Business Units and Countries.

Control standards

Risk mitigation is required if risk levels exceed the acceptable risk levels or regulatory standards. This can be achieved in several ways, some of which are listed below:

1. Risk avoidance (by stopping, if possible, the activity that generates the risk).
2. Reduce the probability of occurrence (e.g. by implementing process controls, improving supervision, testing, training)
3. Reduce the impact (e.g. by insurance, extra capital)
4. Transfer the risk to other parties who bear or share (parts of) the same risk
5. Retain the residual risks by financing the possible consequences (e.g. by extra capital)
6. Acknowledge and accept a predefined portion of the risk as ‘inherent’ in the decision of executive management to proceed with the business line.

It is the responsibility of line management to take the appropriate actions. Operational Risk Management, or any of the specialised support functions like Information Security, Compliance, Legal, Finance, Operations Control, etc., assists line management in implementing controls (improving or replacing existing ones, installing new ones, removing ineffective controls) and in setting internal control standards. Important examples of high-level controls are New Product Review/Approval processes, Project Management Governance, etc. Next to controls, risk can be mitigated by risk insurance.

New product review

The new product review process is a joint business and risk management driven process to ensure that new products are introduced in a well-prepared, (management) controlled and timely way. Such processes have been established for some years now, and regulators have focussed on this form of control. An example is the banking regulation ‘Sound Practices for the Management and Supervision of Operational Risk’ from the Basel Committee on Banking Supervision, which required that ‘Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken the operational risk inherent in them is subject to adequate assessment procedures’.

Risk insurance

A Bank’s Operational Risk Management is tasked to determine Insurable Risks and is entrusted with the following mitigating risk insurance activities:

1. Centralising Insurable Risks Management for risks that might influence the continuity of the Bank.
2. Centralised buying of "Global" insurance policies for Comprehensive Crime and Liability covers.
3. Supervising of local insurance policies
4. Informing Directors, Management and Officers of relevant information regarding insurance covering Group companies, but also advising on their personal liabilities.
5. Studying other Risk Transfer possibilities for (local) insurable risks.