Chapter 1: Operational Risk Management
The Institute of Risk Management
Summary
Chapter 1 details the foundations of operational risk management, covering the definition of operational risk, common risk types, and the relationship between operational risk and other risk types. It explores the different manifestations of operational risk within a firm and provides an overview of the operational risk framework and governance structures. It also touches on the basic operational risk management process, operational risk governance, risk and control self-assessments, and future developments.
Chapter 1 Back Up Book for Printing
Site: The Institute of Risk Management
Printed by: calvin oyieke
Course: IOR - Certificate in Operational Risk Management
Date: Thursday, 23 May 2024, 6:22 AM
Book: Chapter 1 Back Up Book for Printing
https://www.irmvle.org/mod/book/tool/print/index.php?id=4159

Table of contents
Chapter 1: Fundamentals of Operational Risk

Chapter 1: Fundamentals of Operational Risk

Learning outcomes and assessment criteria
1. Understand the fundamentals of operational risk management.
1.1 Examine the definition of operational risk.
1.2 Identify the common risk types.
1.3 Explain the relationship between operational risk and other risk types.
1.4 Explain the different manifestations of operational risk within a firm.
1.5 Explain the relationship between cause, event and impact.
1.6 Examine the key components of the operational risk framework and governance structures.

Key themes
The key themes of this chapter are as follows:
- The definition of operational risk, including where operational risk fits in relation to other risk types, as well as the resultant boundary issues.
- The key components of an operational risk management framework and supporting governance structures, including an introduction to:
  - The basic operational risk management process.
  - Operational risk governance.
  - Risk and control self-assessments.
  - Key risk indicators.
  - Loss event management and recording.
  - Scenario analysis.
  - Operational risk modelling.
  - Operational risk reporting.
  - Future developments.
Introduction to Chapter 1

Operational risk exists wherever there are operational processes and systems, automated or manual, complicated or simple. Any form of organised human endeavour or activity with intrinsic value may give rise to potential operational risk. However, it is only in the last few decades that operational risk management has been recognised as a discrete risk type, and it remains a very young discipline.

The emergence of the term operational risk as a discrete risk type started with the International Convergence of Capital Measurement and Capital Standards: A Revised Framework, more commonly known as Basel II, in the late 1990s (see Chapter 9, The Regulatory Treatment of Operational Risk). While primarily intended for internationally active banks, the operational risk management concepts set out in Basel II have since been incorporated into equivalent regulatory guidance and rules for the insurance sector and other areas of financial services, including asset management and pension funds. Today, most financial organisations have integrated management of operational risks within their business activities, which may be supported by a centralised operational risk management function.

While operational risk emerged as a discrete risk type within financial services, the concepts of operational risk have been developed and practised extensively within non-financial services firms. For many years non-financial services firms have invested significantly in managing their operational risks in areas such as health and safety practices, disaster management, preventing harm to customers due to product consumption, anti-corruption practices, etc.
Financial services firms are also realising the business benefits of managing operational risks, and commercial drivers for sound operational risk management practices are now as important as regulatory drivers. Today, given these drivers, the discipline of operational risk is maturing rapidly and many different systems, processes and management tools have been developed to support the management of operational risk. Nevertheless, the discipline still relies on some key fundamentals that all professionals involved with the management of operational risk need to know, and it is these fundamentals which are the focus of this chapter.

1.1 Examine the definition of operational risk

One of the commonly used definitions of operational risk within banking was published as part of Basel II, which defines operational risk as the 'risk of loss resulting from inadequate or failed internal processes, people and systems or from external events'. This definition includes legal risk, but excludes strategic and reputation risk. Basel II explicitly frames legal risk as including (but not limited to) exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements. The definition, with slight variations, is now widely adopted across financial services firms, and we use it as our definition in this Workbook.

This definition is causal by nature; that is, it focuses on the risks arising from four primary causal factors: processes, people, systems, and factors or events external to the firm. The table below highlights examples of operational risk for each causal factor covered by the definition.

Causal factor: Processes
Examples:
- New account opening documentation is sent to incorrect addresses of customers due to poorly designed processes.
- Firm issues financial products to criminals/terrorists due to inadequate checks during the sales process.
- Call centre staff provide incorrect advice to customers due to incorrect product documentation provided to them.

Causal factor: People
Examples:
- Employees misuse customer assets for personal gain.
- Discrimination against employees during the hiring process.
- Senior managers commit financial statement fraud.

Causal factor: Systems
Examples:
- Disruption to IT systems due to defects in software.
- Disruption to IT systems due to attack by hackers.
- Incorrect premium payments collected from customers due to an error in a software programme.

Causal factor: External
Examples:
- Damage to physical assets due to a natural disaster.
- Disruption to business operations due to rapid spread of a dangerous epidemic or near-pandemic.
- Damage to physical assets due to a terrorist strike.

Workplace reflection
Find out what definition is used for operational risk within your firm. Check how widely known and understood the definition is and whether any alternative definitions are used in the firm.

To expand this further, the Basel II regulatory framework referred to earlier divided operational risk into seven risk event types:
- Internal Fraud - misappropriation of assets, tax evasion, intentional mismarking of positions, bribery.
- External Fraud - theft of information, hacking damage, third-party theft and forgery.
- Employment Practices and Workplace Safety - discrimination, workers' compensation, employee health and safety.
- Clients, Products, and Business Practice - market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning.
- Damage to Physical Assets - natural disasters, terrorism, vandalism.
- Business Disruption and Systems Failures - utility disruptions, software failures, hardware failures.
- Execution, Delivery, and Process Management - data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets.

One common way to classify operational risk is to consider expected vs. unexpected risks.
Some operational risks may be expected because they are inherently associated with the internal or external environment of the firm and hence may occur frequently. Examples of such risks may include:
- Credit card fraud for a firm offering credit card products.
- Damage due to hurricanes for an asset management firm with offices in a city which experiences a hurricane season every year.
- Disruption to IT systems due to power cuts for an insurance firm with offices in a city where seasonal power cuts are normal.

As these risks are an inherent part of the business environment, their management is integrated within the planning and execution of business activities. Firms may also incorporate the risks within the pricing of their products. If the firm is unable to include the risk within its product pricing, it may raise accounting provisions, include it as part of business budgets or invest in improving the efficiency of business processes.

Some operational risks may be unexpected because they are not an inherent part of the internal or external environment of the firm and hence may occur rarely. Examples of such risks may include:
- Disruption to IT systems due to the escalation of a cyber war between two or more countries.
- Damage to physical assets due to solar storms.
- Disruption to business operations due to the rapid spread of a serious epidemic.

As such risks are not an inherent part of the business environment, their management may involve support from specialist departments (e.g. a Business Continuity Management department to deal with business continuity related risks). Such risks may be managed using capital reserves, insurance or investment in controls.
1.2 Identify the common risk types

1.2.1 Risk types

There are many ways to categorise the risks faced by financial services firms, and the table below highlights one such categorisation.

Strategic risk
Uncertainties that may affect or may be created by an organisation's business strategy and strategic objectives. Examples of strategic risk include:
- Products offered by the organisation may not meet customer needs.
- Over-reliance on a single product for revenue generation.
- Failure to anticipate a new competitor entering the market which intends to be very aggressive about acquiring market share.

Credit risk
The risk of loss due to counterparty default. It is restricted to default or situations where the counterparty can but refuses to make payment when due. Examples of credit risk include:
- A business is unable to repay a loan because of the failure of a major creditor.
- A customer defaults on their mortgage payments as a result of redundancy.
- An insurance company is unable to claim on a reinsurer because the reinsurer is insolvent.

Market risk
The risk of loss due to adverse economic changes in market conditions, rates or prices, or fluctuations in volatility. Market risk includes price risk, volatility risk, interest rate risk and foreign exchange risk, among others. Examples of market risk include:
- Loss of revenue due to changes in exchange rates between sterling (GBP) and euro (EUR).
- Losses in an investment portfolio due to a significant drop in the FTSE 100 index.
- Unexpected increase in debt-related interest payments due to policy changes announced by a central bank.

Liquidity risk
The risk of not having adequate funds available to meet financial commitments as they fall due. This may be caused by local or foreign economic conditions, a reduction in the firm's credit rating, or situations where the firm is interested in trading an asset but cannot do so because nobody in the market wants to trade that asset. Examples of liquidity risk include:
- A significant change to the credit rating of an organisation which may result in material withdrawal of funds by customers.
- A material change to the credit rating of a country which may result in panic withdrawal of funds from all banks in the country, which they cannot meet.
- A significant level of uncertainty in the market which may dry up demand for financial instruments held by the firm.

Insurance risk
Also known as underwriting risk. Insurance risk is the risk of a claim being made on an insurance policy or underwriting. Examples of classes of insurance risk include: business interruption, cyber-crime, directors' and officers' liability, key man, motor risk (individual or fleet), property, professional indemnity, terrorism, unauthorised trading, as well as life and health policies.

Operational risk
The risk of loss, direct or indirect, resulting from inadequate or failed internal processes, people and systems or from external events. Examples of operational risk include:
- Accepting or offering a bribe.
- Theft of customer data from IT systems by hackers.
- Intentional mis-selling of products/services to clients.

1.3 Explain the relationship between operational risk and other risk types

Some firms look to manage their risks in an integrated way, under an umbrella framework sometimes known as Enterprise Risk Management (ERM). This approach is based on the premise that risks are interconnected and need to be managed together in a consistent way, with clear differentiation of the boundaries between them.
The issue of ensuring clear boundaries between different risks is something that operational risk managers face day-to-day. Chapter 4 explores in more detail the need for and benefits of a clear categorisation scheme for risks. Operational risk managers often need to interact with risk managers dealing with other risk types and have to justify why some risks should be considered as part of operational risk management. Even with clearly documented boundary conditions between risk types, from time to time situations arise which are not covered by existing definitions and need resolution with other risk disciplines. Some examples of these boundaries are:
- Credit risk: A credit risk should be considered under operational risk management if the risk may be caused by, for instance, fraud related to lending facilities, procedural failures in the credit process, inadequate collateral, inadequate credit models or inappropriate loan sales practices.
- Market risk: A market risk should be considered under operational risk management if the risk is caused by transactional errors, limit breaches, internal or external fraud or inadequate collateral.
- Liquidity risk: A liquidity risk should be considered under operational risk management if the risk may be caused by non-economic factors (for example forecasting issues, unsuitable or mismatched investment strategies, model issues or timing issues).
- Insurance risk: An insurance risk should be considered under operational risk management if the risk may result from a failure to follow policy or protocols, errors in actuarial modelling or inadequate documentation.
- Strategic risk: A strategic risk should be considered under operational risk management if the risk is caused by errors in strategic business judgement, inappropriate or inadequate corporate governance, incomplete due diligence, inappropriate or incorrect advice, inappropriate management decisions or lack of management oversight.
The examples listed above highlight that the causal factors of other risks can be used to determine whether those risks should also be considered under operational risk management. If the causes of any type of risk relate to people, process, systems or non-economic external factors, then it can also be considered under operational risk management. Two further examples illustrate this.

Boundary examples:

1. A firm has advanced a sum of money to a customer and the customer defaults and fails to repay the loan. What caused the firm to lose the money? If the customer's business failed and, as a result, the customer lost everything and was unable to repay the firm, then the answer is simple: it is a pure credit loss. If, however, the customer failed to repay the firm because the loan agreement contained a technical deficiency which the customer was able to rely upon in court, the cause is the documentation error, which makes the loss an operational loss.

2. At the start of the trading day, a firm submits an order to purchase 1 million shares of an organisation at £1.20 per share, expecting the share price to increase to £1.26 during the trading day so that it can sell the shares at that price point. Due to an error in the trading system, 3 orders of 1 million shares each were submitted, so the firm ended up buying 3 million shares at £1.20 per share. At the end of the day, the price declined to £1.10 and, as the firm only wanted to hold the position for one trading day, it had to sell the position at this price. So the firm sold 3 million shares at a price of £1.10 per share, which resulted in a loss of £300,000. As the firm only wanted to purchase 1 million shares initially, only 1/3 (£100,000) of the trading loss can be attributed as a market risk related loss. As 2 million additional shares were purchased due to the trading system error, 2/3 (£200,000) of the trading loss should be attributed to operational risk.
Instances like this occur frequently in operational risk management, and need both careful analysis and the right questions being asked to ensure they are correctly categorised and reported.

1.4 Explain the different manifestations of operational risk within a firm

This section highlights the common manifestations of operational risk. This is not an exhaustive list but an illustration of the types of risk that firms would typically cover within the scope of their operational risk management initiative.

Business continuity risk: The risk that a firm is either inadequately prepared for a business continuity event (process) or that the business continuity preparations fail to function in the manner intended during a business continuity crisis (people, systems or process). Examples of such risk may include:
- Disruption to customer-facing processes due to a natural disaster.
- Disruption to IT systems due to a successful hacking attempt.
- Damage to physical assets due to a terrorist attack.

Systems or IT risk: The risk that systems fail, process information incorrectly, become obsolete, or cannot support transactional volumes. Examples of such risk may include:
- Disruption to IT systems due to software defects.
- Incorrect fees/charges added to customer accounts due to poor quality input information.
- Disruption to IT systems due to an excessive volume of transactions.

Information security or privacy risk: The risk that confidential information, such as client personal details, client financial information, or the firm's own product, strategic or financial information, is exposed to unauthorised individuals or is deliberately misused or stolen. Examples of such risk may include:
- Theft of customer data by external hackers.
- Misuse of customer data by employees.
- Customer data accidentally shared with external parties.
Process execution risk: The risk that business processes of the firm are disrupted, are not designed adequately, are not executed as designed or produce incorrect results. Examples of such risk may include:
- A marketing campaign with incorrect information is released to the public due to lack of adequate approval processes.
- A firm allows terrorists to open an account due to lack of adequate 'Know Your Customer' due diligence procedures.
- Call centre staff give incorrect advice to customers due to incorrect product information provided to them.

Financial crime risk: A broad form of risk that covers internal and external fraud involving money laundering, sanctions and embargo breaches, processing proceeds of organised crime, bribery, terrorism financing, insurance fraud and credit card fraud. Examples of such risk may include:
- Offering financial products to individuals or organisations covered by international sanctions or embargoes due to inadequate or unused procedures or controls.
- Clients utilising financial products for the purpose of money laundering due to inadequate or poorly designed controls.
- Credit card fraud committed by external parties.

Physical security risk: The risk that the firm suffers some form of loss as the result of inadequate physical security precautions or failures within the physical security infrastructure. Examples of such risk may include:
- Theft of physical assets (e.g. laptops) by external parties due to staff not following internal security procedures.
- Damage to physical assets caused by fire due to failure to maintain fire extinguisher systems.
- Unauthorised external parties are able to visit restricted areas within the office building due to lax security.

Health and safety or personal safety risk: The risk that the health or safety of stakeholders (e.g. employees, customers, vendors) may be impacted due to the working environment of the firm.
Examples of such risk may include:
- Injuries or death of employees due to use of faulty equipment (e.g. a laptop catching fire).
- Injuries or death of employees due to an excessive amount of work pressure.
- Kidnapping of employees during their work-related travel.

Legal or litigation risk: The risk that the firm suffers loss due to unexpected legal judgements or unexpected failure to enforce contracts for legal reasons. Examples of such risk may include:
- Customer contracts drafted inadequately or incorrectly from a legal perspective.
- Vendor contracts drafted inadequately or incorrectly from a legal perspective.
- Employment contracts drafted inadequately or incorrectly from a legal perspective.

Compliance risk: The risk of non-compliance with external laws, regulations and rules. This can include people not doing what they should be doing, or processes or systems not being appropriate or adequate to meet compliance requirements. Examples of such risk may include:
- Submitting incorrect information within regulatory reports to regulators.
- Delay in submitting regulatory reports to regulators.
- Sales staff do not provide mandatory regulatory information to customers.

Third-party risk: The risk that the firm suffers loss due to third parties (e.g. vendors or suppliers) failing to follow Service Level Agreements, or where the third party may breach the expectations or trust of key stakeholders (e.g. customers). Examples of such risk may include:
- A firm has to compensate staff as a result of repeated delays in payroll managed by a third party, in breach of its SLA.
- Vendors get involved in price fixing to inflate their prices.
- Theft of customer information by vendors for the purpose of committing fraud.
The above manifestations of operational risk may appear to be discrete initially, but in reality operational risks may cut across multiple categories. The following examples highlight this key point:
- A new software defect may result in confidential customer data being visible to unauthorised external parties, in a case where the software development is outsourced to an external supplier. This example cuts across Third-party risk, Compliance risk, Information security or privacy risk and Systems or IT risk.
- A disgruntled employee may bring weapons into the office with the intention of killing his team members and causing maximum physical damage to key IT systems. This example cuts across Health and safety or personal safety risk, Physical security risk, Systems or IT risk and Business continuity risk.

Understanding the interdependencies between operational risks will better facilitate how the risks are managed and hence should always be considered.

Due to the wide range of risks covered within operational risk, new categories may emerge from time to time due to changes in how organisations want to combine management of certain operational risks, significant industry events or technological trends. If risks within such new categories may be caused by people, process, systems or external factors, then such new categories should also be considered as part of operational risk management. Two such new categories are as follows:

Conduct risk: Generally accepted as the risk that the firm's behaviours will result in poor outcomes for customers. However, it is arguable whether conduct risk is strictly a 'risk'. Conduct is an essential element of operational risk because it is integral to the fundamental cause of operational risk which is 'people'.
Whilst conduct is generally aimed at customer outcomes, a firm's behaviours will also have a detrimental effect on the markets in which it operates, other key stakeholders such as third parties with which it deals and, importantly, its staff. Examples of poor conduct may include:
- Intentional mis-selling of products/services to clients.
- Intentional discrimination against customers based on their religion, country of origin, appearance or sexual orientation.
- Sales staff not following the designed sales process when dealing with new customer enquiries due to poor understanding of the products offered by the firm.

Cyber risk: The risk that the firm may be unable to protect its digital assets. It typically covers damage to digital assets from external parties (e.g. hackers) but should also cover damage to digital assets by employees. Examples of such risk may include:
- Theft of customer information from IT systems as a result of staff not following cyber security procedures.
- Theft of confidential strategy-related information from IT systems by competitors as a result of lax physical security.
- Disruption to IT systems caused by unexpected volumes of transactions generated by hackers, known as 'denial of service' attacks.

Workplace reflection
How does your firm manage operational risk? Examine which categories listed in this section are covered or not covered as part of operational risk management.

1.5 Explain the relationship between cause, event and impact

The operational risk definition is causal by nature. This means it is important to have a good understanding of a concept commonly referred to as the cause, event and impact chain (impacts are also sometimes referred to as consequences or effects).

1.5.1 The cause, event and impact chain

The bow-tie model is a commonly used, well-recognised model for visualising risk in many industries.
It enables the cause, event and impacts of a risk to be organised as illustrated below. The bow-tie element comes from adding controls between the cause and the event, and between the event and the impact. Adding controls into this framework has the effect of 'compressing' the gaps between the three components, to create a shape like a bow-tie, as shown in the graphic below.

Figure 1.5.1: Bow-tie model graphic

The bow-tie is a very useful model to visualise a risk, covering its key components (causes, event, impacts and controls) in a single graphic. The bow-tie differentiates between preventative controls, those located between cause and event which reduce the likelihood of a risk event occurring, and corrective controls, those located between the event and its impact which reduce the impact of a risk event after it has occurred.

Essentially, this model holds that there are many causal factors which exist in a firm's business environment. On their own these causal factors do no damage, and cause no real business disruption. However, you cannot have an event without a causal factor. Some events have no impacts (sometimes referred to as 'near misses', which are discussed in Chapter 7, Events and Losses, at 7.1.3), some may give rise to unexpected gains, while others have adverse impacts on the firm. And just as you cannot have an event without causal factors, you cannot have any impact without an event. This topic is dealt with more fully in Chapter 4, Operational Risk Tools - Categorisation.

1.5.2 Common operational risk causes and impacts

This section now looks at how a bow-tie model might evolve in practice. The operational risk definition covers four causal drivers: process, systems, people and external factors. Some firms augment these four with the additional drivers of strategy and management.
Other firms adopt different causal categorisation structures, which can run to many lower level causes. In a similar way, some firms have developed extensive impact categorisation schemes. For simplicity, just to illustrate the bow-tie model, we can restrict this to just five types of impact: financial impacts, efficiency impacts, service impacts, lost business opportunities and reputational impacts. The following table highlights an example mapping of common causes and impacts for the seven operational risk categories mentioned in the previous section. Each row gives (1) Cause, (2) Event and (3) Impact, with primary and secondary causes and impacts:

Event: Internal Fraud
  Cause: Primary: People. Secondary: Process.
  Impact: Primary: Financial. Secondary: Reputation.

Event: External Fraud
  Cause: Primary: External Factors. Secondary: Process.
  Impact: Primary: Financial. Secondary: Business Opportunities, Reputation.

Event: Employment Practices and Workplace Safety
  Cause: Primary: People. Secondary: Process, External Factors.
  Impact: Primary: Reputation. Secondary: Service, Financial, Efficiency.

Event: Clients, Products and Business Practices
  Cause: Primary: People. Secondary: Process.
  Impact: Primary: Reputation. Secondary: Financial, Business Opportunities, Efficiency.

Event: Damage to Physical Assets
  Cause: Primary: External Factors. Secondary: Process, Systems.
  Impact: Primary: Financial. Secondary: Service, Business Opportunities, Efficiency.

Event: Business Disruption and System Failures
  Cause: Primary: Systems. Secondary: Process, External Factors.
  Impact: Primary: Service. Secondary: Efficiency, Reputation, Business Opportunities, Financial.

Event: Execution, Delivery and Process Management
  Cause: Primary: Process. Secondary: People, Systems.
  Impact: Primary: Service. Secondary: Financial, Efficiency, Reputation.

More detail on operational risk categorisation is included in Chapter 4, but this summary table illustrates how firms might set about categorising operational risk causes, events and impacts using a bow-tie model.

Learning activity
Select one or two significant operational risks for your firm.
Apply the structure suggested above to each risk and try to identify the specific causes, event and impacts. If information on controls is available, also try to identify whether they would be implemented between cause and event or between event and impact. To what extent do you agree with this 'cause-event-impact' model?

1.6 Examine the key components of the operational risk framework and governance structures

This section provides a brief introduction to the key elements of an effective operational risk management framework. More detailed discussion of many of these elements will follow in subsequent chapters of this Workbook.

1.6.1 The basic risk management process

The operational risk management process should be integrated into key activities of the firm such as decision making, product development, change management or business processes. Additionally, it may also be executed at a pre-defined frequency (e.g. quarterly, yearly). The diagram below highlights the key activities within the operational risk management process.

Figure 1.6.1: Operational risk management process

Trigger
The operational risk management process can be triggered by one or more business needs. Some examples are highlighted below:
- Decision making, e.g. purchasing new IT systems, considering outsourcing options, considering a new relationship with a vendor, opening new business operations in a foreign country, etc.
- Strategic planning, e.g. defining strategic objectives, implementing the strategic plan.
- New product development and launching the product in the market.
- Changes in the internal business environment, e.g. a high level of customer churn, a higher than expected increase in revenue, organisational restructuring.
- Changes in the external business environment, e.g. changes to existing regulations, technology trends, competitor activity.
- Significant incident inside or outside the firm, e.g. a significant cyber theft, a significant terrorist event, a significant failure of IT systems.
- Periodic review of operational risks, e.g. quarterly review of IT risks, semi-annual review of the business continuity plan, yearly review of all operational risks.

The business needs represented by the above triggers will require the firm to understand its exposure to the relevant operational risks, so that it can use that understanding when making key business decisions or when defining and implementing key business activities.

Risk identification

The first activity in the process is to identify the relevant operational risks based on the trigger. So if the firm is considering developing and launching a new insurance product, it should consider all relevant operational risks. If the firm is considering outsourcing its business processes to a third party, it should consider all operational risks relevant to making the outsourcing decision. Most firms identify and document risks in a structured format, often referred to as a “risk register” or “risk library”. Risk identification may involve capturing new risks for the business need represented by the trigger, or verifying that the relevant risks are already present within the risk register.

Risk assessment

In this activity the firm analyses the key aspects of the risk, such as causes, impacts, loss events and existing controls. Based on that analysis, key measures of the risk, such as likelihood, financial impact or reputational impact, are assessed. These measures reveal the level of risk exposure the firm may have to consider and manage.

Risk response

Based on the outcomes of the risk assessment activity, the firm needs to decide how it will respond to each risk.
Most firms have some form of risk appetite framework and will compare the risk exposure against the risk appetite. Details of this process are set out in Chapter 3 of this Workbook. Based on the evaluation of the risk exposure against the risk appetite, the firm may have to consider the following common types of risk response:

- Risk Acceptance: If a risk exposure is within its risk appetite, the firm may elect to do nothing additional about the risk and accept the current level of exposure, or may even consider increasing its risk appetite if it has not been reviewed for some time.
- Risk Reduction: The firm may decide to reduce the likelihood and/or impact of the risk through management actions, changing the underlying business process, changing existing controls or introducing new controls.
- Risk Transfer: The firm may decide to transfer some aspects of the risk exposure to another party, either through the use of insurance or by contractual arrangements. This is also sometimes referred to as sharing the risk. It should be noted that while some aspects of the risk exposure may be transferred to another party, the firm still owns the risk and may remain exposed to some of the financial exposure and all of the reputational exposure of the risk.
- Risk Avoidance: The firm may decide to avoid the risk, which may require it to stop offering certain products, exit certain markets or stop performing certain processes.

Risk Monitoring/Reporting

After risk response decisions have been made on all relevant risks, the outcomes of the previous activities may need to be reported to the appropriate stakeholders, so that they are aware of the identified risks, the level of risk exposure and the risk response decisions. Stakeholders may include Board members, the Chief Executive Officer, the Chief Risk Officer, Heads of Business Units, Internal Audit or Regulators.
The firm may also need to implement actions to monitor changes to certain risks, so that significant changes can be detected proactively and appropriate remediation actions can be undertaken in response. Monitoring may also cover the monitoring of the controls in place to manage the risks. This activity marks the end of the application of the operational risk process. The operational risk process may be applied several times for the same trigger, e.g. if a new product is being developed over 6 months, the operational risk management process can be applied every month during the 6 month development period.

1.6.3 Operational risk governance

Governance of risk is a critical success factor within any firm. In general, the governance structure flows from the governing body (or its equivalent) through a board risk committee to a group operational risk committee or non-financial risk committee. In larger firms this is often supported by divisional risk committees and subsidiary company risk committees.

In terms of management, most firms will have a Chief Risk Officer (CRO), reporting either to the Chief Executive Officer (CEO) or else through the governing body risk committee directly to the governing body itself. The heads of the departments responsible for managing each of the core risk types, specifically credit, market, liquidity and operational risk, normally report to the CRO. Depending on the firm’s size and structure, the firm may have a dedicated operational risk management department under a Chief Operational Risk Officer, or the responsibility for managing operational risks may be assigned to another function such as the Chief Financial Officer or the Chief Operations Officer.

Chapter 2 describes the components of a risk governance framework and how they interact, in particular the so-called ‘three lines of defence’ model.
There are subtleties associated with this model, as explained in section 2.1.1, but the following paragraphs summarise its basic elements.

Under this model the first line of defence is the business, usually including both revenue-generating entities and the support entities to those revenue-generating entities. The first line is the risk owner, and is responsible for the identification, assessment, response, monitoring and reporting of its own risk.

The second line of defence is responsible for independent control of, oversight of and challenge to the business (first line) in how it undertakes its risk management activities. The firm’s central operational risk function (if it exists) sits within the second line.

The third line of defence is usually the firm’s internal audit function, providing independent assurance to the governing body that the firm is managing its risks appropriately, in accordance with laid-down processes and procedures, and that exposure is within risk appetite.

Core to the governance structure is accountability for risk and the delegation of accountability down the organisation structure, accompanied by formal delegated authorities. This is supported by clear escalation structures and reporting lines, so that information on exposures flows back up to the most senior accountable officer in a timely manner.

Workplace reflection

Examine your firm’s risk governance structure. How has the ‘three lines of defence’ model been incorporated into the risk governance structure? Are there clearly defined boundaries between the roles of lines one, two and three? Are accountabilities, delegations of authority and limits on delegated authority clear and documented?

1.6.5 Risk and control self-assessment (RCSA)

The primary technique used by most firms to identify the risks they face and their current exposure to those risks is a risk and control self-assessment (RCSA) process. This technique is covered in detail in Chapter 5 of this Workbook.
Many firms will also undertake specialist forms of risk assessment, such as information security risk assessments, IT security or cyber threat risk assessments, or financial crime risk assessments. Irrespective of the approach adopted and the specific mechanisms employed, the overall objective is to ensure that the firm’s management knows what risks the firm is facing, understands the exposure to those risks and is empowered to manage those risks within the firm’s risk appetite.

1.6.6 Risk and control indicators

This topic is covered in detail in Chapter 6 of this Workbook. It is standard practice to link some form of measure, metric or indicator to the more significant risks identified in the risk and control self-assessment process, and then for management to monitor exposure via these risk indicators (sometimes called “Key Risk Indicators” or KRIs). Similarly, where the exposure to a significant risk has been reduced through the establishment of key controls, indicators can be established to monitor the effectiveness of those controls. These indicators are termed control indicators. Collectively, these indicators form an important component of the firm’s risk reporting structure.

1.6.7 Events, losses, near misses and gains/offsets

From time to time an operational risk exposure will manifest itself as an actual loss event. Loss events may result in financial and non-financial impacts, or may be what are termed ‘near misses’, that is, the adverse impacts of the event are avoided through timely use of controls and no actual loss is suffered. This topic is covered in detail in Chapter 7 of this Workbook, and forms an integral component of the operational risk management framework. Operational risk events can even act as the catalyst for establishing or upgrading the operational risk management function.
Some events can also generate data which can be used to test the accuracy of more forward-looking tools such as RCSA or scenario analysis (covered below).

1.6.8 Scenario analysis

Scenario analysis, which is covered in Chapter 8 of this Workbook, is primarily focused on understanding the severe but plausible exposures which can give rise to more severe losses.

1.6.9 Operational risk modelling

There are different methods available to measure operational risk exposures and impacts, ranging from the subjective opinions of subject matter experts through to sophisticated mathematical and statistical modelling techniques. A common use of operational risk modelling is in estimating regulatory capital requirements, including the Basel II Advanced Measurement Approach (AMA) and the equivalent models-based treatment for insurance firms under Solvency II, as outlined in Chapter 9, The Regulatory Treatment of Operational Risk. Modelling is a large topic in its own right and is not a core component of this course, but it is mentioned here for completeness, given that it continues to be an important part of the operational risk framework for some firms.

1.6.10 Operational risk reporting

Underlying the entire operational risk management framework is the need for high-quality, fit-for-purpose risk reporting. However, firms do encounter challenges in implementing an appropriate reporting structure:

- Lack of integration between operational risk management tools: The various techniques described previously may be managed independently of each other, even using different technology solutions for the different tools in use. This means that data relating to particular operational risks, their associated controls, risk assessments, scenario analyses, actual loss event data and risk indicators cannot easily be combined into a comprehensive composite report for management purposes.
- Lack of common definitions and categorisation: Without a consistent categorisation scheme used across all the tools, it is difficult to combine different views and measures of common exposures into a meaningful measure for management.
- Inappropriate detail: Often management is presented with too much, too little or unimportant data, or it has not been ascertained what level or structure of reporting management actually wants. As a general rule, the more senior the level of management, the more concise the report should be and the more the focus should be on significant exposures. However, details should be available in supporting reports or via drill-down options in online reports.

Workplace reflection

What approach has your firm adopted to operational risk reporting? Have the various target audiences ever been canvassed as to the appropriateness of the current reporting, or asked if there are additional reporting requirements which they may have? How could you improve the quality and timeliness of your risk reporting?

Summary

This chapter started off by providing the key industry definition of operational risk and some definitions of other core risk types. It discussed the boundaries between operational risk and the other core risk types. It touched on some of the ways in which operational risks may manifest within a firm. Extending from the earlier definition of operational risk, the chapter then went on to examine a model for investigating and analysing the causal drivers behind some of the more common forms of operational risk and the resultant impacts. The chapter then examined the key components of an operational risk management framework and introduced the core tools and techniques available to the professionals responsible for the management of operational risks, most of which will be explored in greater detail in the following chapters.
Finally, it took a brief look at some likely areas of future evolution for operational risk.

Key learning

You will be ready to move to the next chapter when you can confidently answer the following questions:

1. What is the definition of operational risk?
2. What are the common risk types?
3. What types of risk are covered within the scope of operational risk?
4. How does operational risk differ from risk within other categories, e.g. strategic risk, credit risk?
5. What are the key causal factors of operational risk?
6. What is the difference between expected and unexpected risk?
7. What are the various operational risk event types covered within Basel II?
8. What are the common manifestations of operational risk?
9. What is a bow-tie model?
10. What is the relationship between cause, event and impact?
11. What types of controls are implemented between cause and event?
12. What types of controls are implemented between event and impact?
13. What are the common types of risk responses?

Chapter 2 Back Up Book for Printing
Site: The Institute of Risk Management
Printed by: calvin oyieke
Course: IOR - Certificate in Operational Risk Management
Date: Friday, 24 May 2024, 10:42 AM
Book: Chapter 2 Back Up Book for Printing
Chapter 2: Management of Operational Risk

Learning outcomes and assessment criteria

2. Understand the nature and role of governance in the management of operational risk.
2.1 Explain how the components of a risk governance framework interact.
2.2 Describe the roles and responsibilities of the operational risk function.
2.3 Describe the accountabilities, roles and responsibilities in the management of operational risk.
2.4 Explain the needs and expectations of external stakeholders in relation to operational risk.

Key themes

The key themes are as follows:

- The governance framework for managing operational risk.
- How operational risk fits in the first, second and third lines of defence model.
- Operational risk policy.
- Risk culture.
- The 'use test'.
- Continuous review and change.
- Roles and responsibilities of the governing body and different committees and functions with regard to operational risk.
- The needs and expectations of regulators, investors and other outside parties with regard to operational risk.

Introduction to Chapter 2

The management of operational risk (its identification, assessment, control and monitoring) can only be successful if it is set in the context of a robust governance framework in which all individuals are clear about their roles and responsibilities, from the members of the governing body down, and where everybody is working in a supportive risk culture. In companies, the governing body is the board, but other legal structures, such as partnerships or trusts, may have a governing body which is not described as a board. For the purposes of this section, reference is made throughout to the governing body.
Further consideration of the role and responsibilities of the governing body is set out below in section 2.3. Operational risk management is not concerned solely with internal people, processes and systems, but also has to recognise the needs and expectations of all the external stakeholders with which the firm interacts, such as regulators, investors, customers and third parties (e.g. suppliers, business partners, agents).

2.1 Explain how the components of a risk governance framework interact

2.1.1 The governance framework for managing operational risk

As shown in Figure 2.1.1 below, the fundamental components of the risk governance framework comprise the governing body, the risk owners, those who fulfil risk oversight functions and those who fulfil risk assurance. The last three elements are widely known as the 'three lines of defence'. They report to and are answerable to the governing body.

Figure 2.1.1: The three lines of defence

Background on the ‘three lines of defence’ model

Before we cover the definitions of the first, second and third lines of defence in more detail, two things are important to clarify. The first is to distinguish between operational risk as a discipline and operational risk as a function, i.e. part of the independent risk management department. Responsibility for operational risk as a discipline falls on every single individual in a firm, as an inherent part of their day-to-day responsibilities. This is irrespective of which line of defence their function is associated with, whether they are in the business line, risk oversight or audit. Hence the common adage “everyone is an operational risk manager”: everyone in a firm is expected to take responsibility for identifying and mitigating the operational risks associated with the tasks they perform.
In this sense operational risk as a discipline cuts right across the three lines of defence, belonging to all of them, even if operational risk as a function is deemed part of the risk oversight function, in the second line of defence.

The second thing to note is that the three lines of defence model is not as clear-cut as it sounds. Some tasks performed by functions located in the second line of defence – such as operational risk oversight – will often look quite like first line of defence tasks. This especially applies to assisting the business in identifying operational risks, and helping the business to optimise around its operational risk exposure. This ambiguity is inevitable – and accepted – given the complex nature of risk management. It applies in other functions too. Back office operations teams are often regarded as first line of defence, since their activities are part of the business line. Yet they also perform some oversight tasks which are more akin to second line of defence tasks.

For both these reasons it should not be surprising if the roles and responsibilities of an operational risk function (set out later, in section 2.2) appear to contain some things which look more like first line of defence than second line. Essentially, operational risk as a function is located in the second line of defence, but a good operational risk manager or function will also be engaged in assisting and supporting the business to optimise its management of operational risk exposure. And in any case, as suggested earlier, operational risk as a discipline cuts across all three lines of defence.

We now cover the first, second and third lines of defence in more detail.

First line - risk owners

The first line of defence, the risk owners, are the business line managers and any other business or front office staff responsible for managing risk, as well as support functions such as IT, HR and Legal.
They are responsible for:

- Integrating the management of operational risks within the decision-making, activities, products and systems of the business, and aligning the risk exposures with the agreed risk appetite.
- Establishing and operating an effective risk and control environment within the business.
- Ensuring there are adequate resources, tools and training within the business to enable them to fulfil their responsibilities for managing operational risks.
- Promoting and maintaining an appropriate risk culture within the business.

Second line - risk oversight

The second line of defence involves those who provide independent risk oversight of business processes and of the proper implementation of the risk management policies and framework. They are responsible for challenging the activities and behaviours of the business lines (i.e. the first line of defence) and for providing direction and guidance through corporate policy. Given the importance of risk management in any firm, the risk management function should have commensurate authority and stature to enable it to fulfil its responsibilities.

In exercising their functions, risk oversight functions do not directly manage risk themselves. Business line executives and managers do that, and are clearly responsible for the risks they accept. The risk management function is not only there to provide oversight and challenge, but also to facilitate effective risk management throughout the firm. Depending on the size and structure of the firm, the second line responsibilities for operational risk management can be fulfilled by a dedicated operational risk function or through the risk management or compliance function.
The core responsibilities of the second line of defence, in respect of operational risk, are to:

- Develop and implement the operational risk framework and operational risk policies.
- Facilitate and ensure a consistent application of operational risk policies throughout the firm.
- Ensure clarity of responsibility for operational risks, and contribute to education, training and awareness of operational risk throughout the firm.
- Develop and implement tools and processes to support the operational risk framework, including scenario analysis, capital-related processes, IT tools and reporting metrics.
- Develop, agree and monitor risk appetite for operational risk.
- Report/escalate to executive management and governance bodies on issues raised by the risk assessment process, and make recommendations on those and other risk matters.
- Challenge the inputs and outputs provided by the first line in risk assessment and reporting.

As the second line provides a control and oversight function, it should be independent of the first line, to prevent any conflicts of interest or undue influence over its decisions and actions. For efficient and effective operational risk policies and processes, it is also important that there should be a central function establishing and maintaining the operational risk framework. This includes its role in setting policies and providing guidance to the business in implementing those policies.

In many larger firms, business line management incorporates front-line risk managers, whose responsibilities are to identify risks, decide how to treat those risks, and implement controls within the business line to mitigate risks and ensure they remain within the firm's agreed risk appetite. These front-line risk managers report to business line management and are not independent of the business. This contrasts with the need for a separate, independent risk management function, as a second line of defence, independent of the business line.
This is especially true of financial services firms where, in the case of financial risks such as credit, market, insurance or liquidity risks, the second line has a delegated authority and control function to ensure that risks are being kept within agreed appetites, and to ensure that this form of oversight, challenge and control is independent of the first line.

A core function of the second line of defence is to aggregate, challenge and report operational risk information. The function responsible for operational risk management in the second line must be independent enough not to be compromised in its duty to report operational risk exposures on a timely basis, and to ensure that they are escalated quickly to the committees or governance bodies where decisions need to be taken.

Third line - risk assurance

The third line, risk assurance, is truly independent of the other two lines. Strictly speaking, it comprises the internal audit function, which provides assurance to the governing body and senior management of the quality and effectiveness of the firm's governance, risk management, internal controls, systems and processes. Internal audit provides independent review and challenge. It is important that independence is maintained by ensuring that those in the ‘third line of defence’ are competent and appropriately trained, and have not been involved in the development, implementation and operation of those aspects of the framework on which they are asked to provide assurance.

However, internal audit should not simply test for compliance with policies and procedures, but should consider whether the operational risk framework is fit for purpose in the context of the firm's current objectives and expectations.
Audit should look for material exposures to operational risk and key changes to the operational risk profile, and should review the key controls mitigating these risks. In relation to operational risk appetite, while it should not set the risk appetite, it should review the robustness of the process, how these limits are set, and why and how they are adjusted in response to changing circumstances. The frequency of its audits will reflect an assessment of the risks which individual business units pose to the overall objectives of the firm.

It is equally important that risk assurance has the necessary status within the firm, so that its recommendations and observations are promptly resolved, and that it is provided with adequate resources to fulfil its function. Failure to deal with identified audit issues promptly is a good indicator that neither risk nor the audit function is being accorded the importance it deserves. As culture and behaviours are a focus of firms' attention, internal audit is increasingly being asked, in its regular audits of business units, to assess whether the firm's stated values and behaviours are being adhered to.

Internal audit may be outsourced in specialist areas such as information security or product valuation, where internal resource experience and skill is lacking. It may also be outsourced completely. Where internal audit or assurance is outsourced, senior management should regularly consider the effectiveness and independence of the underlying arrangements and the appropriateness of relying on an outsourced function as the third line of defence.

External auditors are not strictly part of the third line of defence. Their role is to provide independent assurance to the governing body of the accuracy of the firm's financial statements. In this, they also provide assurance to investors and other stakeholders.

Learning activity

Reflect on some of the advantages and disadvantages of the three lines of defence model.
Use the internet to explore whether there are any alternatives to the three lines of defence model.

2.1.2 Operational risk policy

A clear operational risk policy should communicate how the management of operational risk can enable the firm to achieve its business objectives. It is the primary means by which the governing body and senior management communicate to all staff the firm's approach to operational risk management. The policy should include:

- Purpose and scope of the policy: It is important to articulate the overall risk management objectives of the firm to provide a context for operational risk management.
- Definitions: If not included in the 'purpose and scope' section, this section will include the firm's definition of operational risk and an indication of the risks and scope covered by the definition. This section will also provide guidance on how 'boundary' issues (dealt with earlier in section 1.3, and in more detail in section 4.2 in the chapter on Data Categorisation) are treated as between operational risk and other risk types, such as credit, market or underwriting risks.
- Statement or statements of operational risk appetite aligned to the firm's risk objectives. This subject is fully covered in Chapter 3.
- Roles and responsibilities of personnel and functions related to operational risk management (see sections 2.3 and 2.4 below). As well as dealing with roles and responsibilities, this section will explain the operational risk management structure and the segregation of duties between different functions or individuals.
- Overview of the operational risk management framework and processes, including the reporting of operational risk and how issues are escalated and deviations from policy authorised or dealt with.
- Ethical and behavioural guidelines. The generally accepted definition of operational risk includes 'failures of people'.
This makes operational risk a core part of a firm’s risk culture. This section will articulate core values and the acceptable or unacceptable behaviours involved in the management of risk (see section 2.1.3 for a discussion of risk culture).
- Glossary of terms relating to operational risk. It is important that all staff use a common language when considering operational risk within their day-to-day activities, so that it is managed and reported consistently. Even simple words such as loss, event or control can give rise to confusion if they are not clearly defined and understood.

The policy should be clearly communicated to all relevant staff, including the implications of not following it.

Learning activity

Review the operational risk management policy of your firm. Based on your review, document any changes you would recommend and the reasons for them.

2.1.3 Risk culture

A primary responsibility of the governing body is to establish both an organisational culture and a risk culture. Organisational culture has been defined as:

“A pattern of basic shared assumptions learned by a group as it solved its problems, which has worked well enough to be considered valid and, therefore, taught to new members, as the correct way to perceive, think and feel in relation to those problems.” (Schein, 2010)

The important elements are that culture involves a group of people solving problems and the assumptions about behaviour which they share.
In the context of risk culture, this can be defined as:

"...the values, beliefs, knowledge and understanding about risk, shared by a group of people with a common purpose..." (IRM, 2012)

The 'problem to be solved' when it comes to operational risk management is to "identify, understand, discuss and act on the risks the organisation confronts and the risks it takes" (IIF, 2009), within the overall purpose of the firm's strategic objectives. The organisational culture should be guided by strong risk management and provide appropriate standards and incentives for professional and responsible behaviour.

A culture will be successfully embedded if:

- The leadership of the firm is committed to upholding and acting on the values and behaviours which it expects from everyone in the firm - the 'tone at the top'.
- Those values and behaviours are clearly communicated to, understood and accepted by all staff.
- Everybody is clear about their roles and responsibilities.
- Rewards incentivise good behaviour and deter poor behaviour.
- People are selected and trained in the firm's values and behaviours.

In the case of a risk culture, the values and behaviours will include:

- Confidence in dealing with risk, including appropriate challenge.
- Open communication up and down the firm so that bad news travels quickly to where decisions are required - risk-related information is transparent.
- Competence and training of those who are responsible for managing risk; in the case of operational risk this is effectively all staff.
- Appropriate resources allocated to the management of risk.
- Discouraging behaviours and incentives for employees to "game the system" and encouraging them to play by the rules.

Apart from implementing a code of conduct and ethics policy, and seeing it lived by senior management, it is especially important that rewards, whether financial (e.g. bonus) or non-financial (e.g. promotion and other forms of recognition, such as respect for all employees), are aligned with risk appetite and appropriately balance risk and reward.

The final element which will determine whether a risk culture truly exists is whether management of risk is an integral part of all business decisions.

Learning activity

Review and document some of the factors or behaviours which can help assess whether the risk culture within a firm is strong or weak.

2.1.4 The 'use test'

The 'use test' is a common shorthand term used by some regulators (notably in the UK and Europe). It tests that tools and processes used for governance and regulatory purposes are embedded in the firm's wider risk governance framework, and not developed or operated in a back room purely to satisfy regulatory needs. In other words, they are actually being 'used' by the firm.

The term was first developed in the context of capital model approvals. The aim was to ensure that models used for capital purposes were actually used by the firm in its management of risk. This would help ensure that data and methodologies used for capital purposes also came under close day-to-day scrutiny from businesses and executive management. It follows that if the 'use test' is passed, models are more likely to be accurate and appropriate, and any errors or omissions are more likely to be spotted and rectified.

Nowadays the 'use test' concept is applied widely to any tools or processes, not just capital calculations, that need to be embedded in a firm's day-to-day operations and should not be maintained offline and out of sight of the firm's governance and management processes.

The use test in the context of operational risk is demonstrated by evidence that policies and procedures have not only been written, but are actually being followed.
It should be evidenced in minutes of meetings at every level to demonstrate that decisions are being made with appropriate consideration of operational risk.

As suggested above, to satisfy the 'use test' firms should ensure that operational risk management is fully integrated within the day-to-day business processes. That means that operational risk is considered in all managerial judgements and decision-making and not just occasionally or to meet a regulatory request.

It will help to pass the use test if you can respond positively to questions such as:

- Do all senior management embody the stated and agreed risk culture and values?
- Is risk considered whenever business decisions are being made?
- Do minutes of meetings relating to risk management show evidence that information provided is challenged and challenges are satisfactorily dealt with?
- Are reports properly reviewed or merely tabled and filed?
- Are indicators effective in providing appropriate warnings for the risks to which they relate?
- Are controls regularly assessed for their design and performance?
- Are loss events being fully reported?
- Are comments by internal audit on risk matters dealt with in a timely manner?

It will also be evidenced by the review and use of:

- Event reports - have all material events been captured? Are reports analysed for cause and lessons learned and implemented? Are external event reports used to benchmark likelihood and severity within the firm?
- Risk and control assessments - are they consistently and regularly assessed? Are the assessments challenged and peer reviewed?
- Risk indicators - are the values of indicators independently derived? Are the indicators agreed by business managers as being fit for purpose?
- Scenarios - are they sufficiently extreme? Are the results acted upon by senior management?
- Reports generally - are they challenged both for their content and whether they are fit for purpose?
- Escalation to senior management and governance bodies in the event of problems not being resolved or unsatisfactory responses to challenge.

2.1.5 Continuous review and change

Change management is a fundamental part of risk management. Both the internal and external environments of a firm continually change. The internal environment evolves with changes of strategy, objectives and personnel at all levels, and especially when new products, activities, processes or systems are being considered. But the external environment is equally important. The definition of operational risk, after all, includes 'the risk of loss... from external events'. The external environment changes with elements which can be:

- Political
- Regulatory
- Economic
- Social - including reactions on social media as well as changes in attitudes in society as a whole
- Technological
- Environmental, and
- Legal.

As a result, risks and risk appetites continually change, so it is essential that the identification, assessment, monitoring and management of operational risk are continually performed. How often individual risks are reviewed, monitored and re-assessed will require an assessment of how likely they are to change. Some process risks may require frequent consideration whilst others can be reconsidered on a half-yearly or annual basis.

Overall, it is important that there is clarity about roles and responsibilities for change management and that they are aligned with the three lines of defence.

Learning activity

Document 2-3 examples of where a change within the internal or external environment may introduce new operational risk or change the level of exposure to operational risks.

Workplace reflection

What is your firm's governance structure for the management of operational risk? Check how the 'three lines of defence' are defined and who in your firm is named to be within the lines.
Does your firm define and monitor risk culture? How does the risk culture influence business decision-making in your firm?

2.2 Describe the roles and responsibilities of the operational risk function

Some of these roles and responsibilities have already been mentioned in the section on the second line of defence, but they are restated more comprehensively here. As mentioned in section 3.1.1, depending on the size and structure of the firm, the second line responsibilities for operational risk management can be fulfilled by a dedicated operational risk function or through the risk management or compliance function. So "operational risk function" in this section refers to any function within the second line which has been assigned responsibilities for operational risk management.

The operational risk function is responsible for:

- Developing and implementing the operational risk management framework throughout the firm.
- Ensuring a consistent approach to operational risk management across the firm, especially in:
  - Developing a consistent view of risk levels and risk appetite.
  - Developing quantitative and qualitative metrics for the assessment of operational risk exposure.
  - Codifying policies and procedures concerning operational risk management and controls.
- Assessing exposure to each major operational risk to ensure it is in line with agreed risk appetite.
- Establishing appropriate scenario planning for operational risks to understand their impact on the business and on risk appetites.
- Providing cost-benefit analysis on risk control optimisation.
- Designing and implementing a risk reporting system for operational risk and reporting to senior management, as appropriate, on operational risk events, exposures, assessments and indicators, including escalation of risk exposures exceeding agreed appetites.
- Establishing a process for embedding awareness of operational risk throughout the firm.
- Assessing operational risks and exposures embedded in products, processes and systems managed by the first line.
- Providing oversight and advice to the first line in their identification, assessment and monitoring of operational risk exposures.
- Responsibility for operational risk management systems and for categorisation of operational risk data.

The function should also be involved in providing a due diligence appraisal of the operational risks involved in strategic transactions, new initiatives or new products.

If they are not already part of the operational risk management function's remit, operational risk management will work closely with other functions such as IT and information security, business continuity planning, insurance buying, money laundering and health and safety, amongst others, to ensure these risks and functions are effectively managed.

2.3 Describe the accountabilities, roles and responsibilities in the management of operational risk

2.3.1 Governing body

The governing body is ultimately responsible and accountable for:

- Establishing a clear strategy and risk management objectives for the firm.
- Articulating and communicating a clear risk appetite to support the strategy.
- Establishing and communicating the components of the firm's risk culture.
- Approving policies and key roles and responsibilities for the management of operational risk.
- Overseeing the firm's operational risk management framework.
- Holding executive management to account for:
  - Delivering the strategy.
  - Managing within the agreed risk appetite and policies.
  - Maintaining the agreed risk culture.
- Establishing an incentive and reward structure which supports and develops the management of operational risk throughout the firm.
To be able to fulfil its responsibilities, the governing body needs to understand the nature and scope of operational risk, since it is different from financial risks, which can be reported and controlled quantitatively. The firm, therefore, needs to consider whether training of the governing body is necessary.

2.3.2 Risk committee

The risk committee is a sub-committee of the governing body. It has primary risk oversight responsibility on behalf of the governing body and advises the governing body on risk matters such as risk strategy, risk appetite and risk culture. It should also provide advice on the risk aspects of strategic transactions. While its membership may include executive directors, it should be chaired by an independent non-executive director. The chair of the committee is responsible for safeguarding the independence, and overseeing the performance, of the firm's risk function, including the chief risk officer.

In addition to the risk committee set up by the governing body, a firm may also establish other risk committees such as:

- Risk committees within the first line to perform the oversight role at a business unit/division level.
- Risk committees for each geographic location where it has business operations to perform the oversight role for the assigned geographic location.
- Risk committees on a specific operational risk type (e.g. IT Risk Committee) to perform the oversight role for that operational risk type.

2.3.3 Audit committee

The audit committee is a sub-committee of the governing body. It should be entirely independent of executive management and its membership should only comprise non-executive directors. The audit committee:

- Ensures that financial reporting and controls are appropriate and effective.
- Approves statements relating to operational risk management in any public reports and accounts.
- Appoints external auditors and ensures that the quality of their work is in accordance with the terms of engagement.
- Oversees the work of the internal auditor.

2.3.4 Risk management function

As indicated in section 2.1.1, in the section on the three lines of defence, the independent risk management function itself does not directly manage risk. That is the responsibility of risk owners in the various business lines or support functions. The risk management function provides oversight and challenge of all aspects of the risk management framework and is answerable to the governing body.

The operational risk function is one of the functions under the risk management function. The core responsibilities of the operational risk management function have been set out in detail in section 2.1, so we will not repeat them here. What is important to note here, however, is that to enable it to fulfil its responsibilities, the operational risk function - and indeed the independent risk function more widely - must have appropriate authority and status and have appropriate resources to fulfil its remit. It is the responsibility of executive management and the governing body to provide full and appropriate support to the risk management function.

2.3.5 Chief risk officer

The chief risk officer (CRO), as with the risk management function, must have appropriate authority and stature within the firm to enable her/him to fulfil their responsibilities. In general, the CRO is a member of the governing body. The CRO should be independent of the business lines and so should report to a member of the governing body, either the chair of the risk committee or the chief executive officer (CEO). The Basel Committee, in its consultation paper on corporate governance, makes clear that the CEO or chief financial officer (CFO) should not 'double up' as CRO.
The paper also recommends that:

- The CRO should not be approved or removed without the agreement of the governing body.
- The remuneration of the CRO and risk management staff should be tied to the achievement of their specific objectives and not 'substantially to business line revenue'.

The CRO's primary responsibilities are to:

- Provide risk management leadership, vision and direction.
- Develop and review risk management policies.
- Establish the risk management framework across the firm and ensure that it is being maintained by developing regular assessment and metrics.
- Develop a supporting infrastructure to ensure that risk policies are being followed and that risk exposures are being maintained within agreed risk appetite.

Whilst these are the practical aspects of the role, which is essentially one of oversight of the risk management process, the CRO has a responsibility to challenge risk exposures and decisions and also to act as an adviser to the governing body, business lines and support functions. To be effective, the CRO needs to establish good relations with all aspects of the business to ensure that risk events and information are reported quickly to where they are needed for decisions.

Given the CRO's oversight and challenge role, other oversight functions may report to the CRO, such as compliance, conduct risk, money laundering, IT security, insurance purchase, health and safety or legal.

Ultimate accountability for risk management leadership rests with the governing body, but the CRO is responsible for ensuring its day-to-day implementation.

2.3.6 Examples of some risk support functions

On the premise that "everyone in the firm is an operational risk manager", the operational risk function interacts with a number of different support functions whose activities give rise to operational risk that needs to be mitigated and managed.
Some of the key functions and their areas of responsibility that give rise to operational risk are summarised below:

- Financial Control: Management information, statutory reporting, balance sheet & P&L reconciliation, regulatory capital and reporting, expense management.
- Product Control: Independent valuation, reserves and adjustments.
- Back office/Operations: Payments, settlement, system reconciliations, documentation.
- Compliance: Regulatory compliance, money laundering, sanctions, bribery and corruption, conduct risk, unauthorised and insider trading, treating customers fairly.
- Human Resources: Recruitment, talent management, training, performance appraisal, employment law, remuneration.
- IT and Premises: IT systems, availability and failure, IT policies, cyber-security, business continuity planning, physical security, information security.
- Legal: Litigation, transaction documentation, contracts.

Workplace reflection

Consider the roles and responsibilities in your firm. Do you have the same committees with the same roles as mentioned in this chapter? If deviations exist, discuss with your line manager or other senior risk management staff why this is the case.

2.4 Explain the needs and expectations of external stakeholders in relation to operational risk

2.4.1 Regulators

The regulatory approach to operational risk is discussed in Chapter 9. In the banking sector, the principal regulatory expectations are set out in the Principles for the Sound Management of Operational Risk, updated and published by the Basel Committee for Banking Supervision in 2011 and reviewed by the Committee in 2014. They cover:

1. Operational risk culture.
2. Operational risk management framework.
3. Board of directors/governing body.
4. Operational risk appetite and tolerance.
5. Senior management.
6. Risk identification and assessment.
7. Change management.
8. Monitoring and reporting.
9. Control and mitigation.
10. Business resilience and continuity.
11. The role of disclosure.

In addition, there is the overarching principle of the three lines of defence as set out in section 2.1.1 above.

Similar statements have been made by insurance regulators. In addition, specific international regulators, supported by national legislators, target operational risk with issues such as bribery and corruption and money laundering. At a national level, many regulators are concerned with issues such as health and safety in the workplace, food safety, electrical safety standards and so on, all part of the operational risk scope.

2.4.2 Investors

As with all stakeholders, the key issue with investors is communication and informing them of a firm's risk management approach, appetite and process. For both existing and potential investors this will help to assure them of the safety of their investment.

When Basel II was published, one of its main aims was to provide common key metrics for market participants about banks' risk exposures and regulatory capital assessments. This was intended to reduce information asymmetry and enable market participants to compare banks' risk profiles within and across jurisdictions. A comprehensive set of disclosure requirements was therefore devised and published