Operational Risk Management Framework

Regulatory Requirements for Operational Risk

Regulatory directions in line with the Basel III disciplines continue to focus heavily on the management of operational risk, improved standards, a cultural awareness that embraces ethical conduct, and much tighter buffer capital demands.

The ROC sets four elements, and the correct emphasis on these elements should result in the effective steering and control of business processes. These elements are:

• risk control,
• organisational measures,
• information and communication,
• examination, evaluation and rectification.

• An institution shall ensure that risk analysis is performed systematically with the aim of identifying, measuring and evaluating all risks.
• An institution shall have clearly formulated policies for controlling operational risks. The policies shall be documented and communicated to all the relevant personnel of an institution.
• An institution shall systematically perform an analysis of operational risks. The analysis shall be performed both on an institution-wide basis and at the level of the various business divisions.
• An institution shall translate the policies for controlling operational risks into organisational and administrative procedures and measures and shall integrate these into the systems and the day-to-day activities of all relevant personnel.
• For the larger and more complex institutions it is recommended that a committee be established that is responsible for the oversight of controlling the operational risks of the institution.
• The committee must ensure that the management board remains well informed about the risk profile of the institution and is informed of significant problems and developments.
• An institution shall systematically monitor compliance with the organisational and administrative procedures and measures for controlling operational risks.
• An institution shall have in place an information system that is adequate for the systematic measurement, monitoring and documentation of all operational risks, both at the level of the institution and at the level of the various business divisions.
• The operational risks to which the institution is exposed shall be reported in a timely manner, stating any (impending) disasters and losses that have been identified.

Basel Committee

Work continues under Basel III on the qualifying criteria for using advanced measurement approaches to determine the operational risk minimum regulatory capital requirements. These criteria cover both risk management and risk measurement processes, and apply on a business line basis.

Back in February 2003, the Risk Management Group of the Basel Committee on Banking Supervision published the final version of the Sound Practices document. The 10 main principles still apply and we can assist a client in every one:

1. The board of directors should be aware of the major aspects of the bank’s operational risks as a distinct risk category that should be managed, and it should approve and periodically review the bank’s operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.

2. The board of directors should ensure that the bank’s operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management.

3. Senior management should have responsibility for implementing the operational risk management framework approved by the board of directors. The framework should be consistently implemented throughout the whole banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank’s products, activities, processes and systems.

4. Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

5. Banks should implement a process to regularly monitor operational risk profiles and material exposure to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

6. Banks should have policies, processes and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile using appropriate strategies, in light of their overall risk appetite and profile.

7. Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

8. Banking supervisors should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risks as part of an overall approach to risk management.

9. Supervisors should conduct, directly or indirectly, regular independent evaluation of a bank’s policies, procedures and practices related to operational risks. Supervisors should ensure that there are appropriate mechanisms in place, which allow them to remain apprised of developments at banks.

10. Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.