Describe the three “lines of defense” in the Basel model for operational risk governance
The Basel Committee on Banking Supervision defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.” The committee states that the definition excludes strategic and reputational risks but includes legal risks. Risks range from those arising from national disasters, such as hurricanes, t_o the risk of fraud_.
The three common “lines of defense” employed by firms to control operational risks are:
- Business line management.
- An independent operational risk management function.
- Independent reviews of operational risks and risk management.
Corporate Operational RiskFunction (CORF)
The corporate operational risk function (CORF), also known as the corporate operational risk management function, is a functionally independent group that complements the business lines’ risk management operations.
Responsibilities of the CORF may include:
- Measurement of operational risks.
- Establishing reporting processes for operational risks.
- Establishing risk committees to measure and monitor operational risks.
- Reporting operational risk issues to the board of directors.
Summarize the fundamental principles of operational risk management as suggested by the Basel committee
The 11 fundamental principles of operational risk management suggested by the Basel Committee are:
- The maintenance of a strong risk management culture led by the bank’s board of directors and senior managers.
- The operational risk framework (referred to as the “Framework” in this topic) must be developed and fully integrated into the overall risk management processes of the bank.
- The board should approve and periodically review the Framework.
- The board must identify the types and levels of operational risks the bank is willing to assume as well as approve risk appetite and risk tolerance statements.
- Consistent with the banks risk appetite and risk tolerance, senior management must develop a well-defined governance structure within the bank.
- Senior management must understand the risks, and the incentives related to those risks, inherent in the bank’s business lines and processes.
- New lines of business, products, processes, and systems should require an approval process that assesses the potential operational risks.
- A process for monitoring operational risks and material exposures to losses should be put in place by senior management and supported by senior management, the board of directors and business line employees.
- Banks must put strong internal controls, risk mitigation, and risk transfer strategies in place to manage operational risks.
- Banks must have plans in place to survive in the event of a major business disruption. Business operations must be resilient.
- Banks should make disclosures that are clear enough that outside stakeholders can assess the bank’s approach to operational risk management.
Explain guidelines for strong governance of operational risk, and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework
With respect to Principle 1, the board of directors and/or senior management should:
- Provide a sound foundation for a strong risk management culture within the bank.
- Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical behavior.
- Provide risk training throughout all levels of the bank.
With respect to Principle 2, the board of directors and/or senior management should:
- Thoroughly understand both the nature and complexity of the risks inherent in the products, lines of business, processes, and systems in the bank.
- Ensure that the Framework is fully integrated in the bank’s overall risk management plan across all levels of the firm (i.e., business lines, new business lines, products, processes, and/or systems).
With respect to Principle 3, the board of directors and/or senior management should:
- Establish a culture and processes that help bank managers and employees understand and manage operational risks.
- Regularly review the Framework.
- Provide senior management with guidance regarding operational risk management and approve policies developed by senior management aimed at managing operational risk.
- Ensure that the Framework is subject to independent review.
- Ensure that management is following best practices in the field with respect to operational risk identification and management.
- Establish clear lines of management responsibility and establish strong internal controls.
With respect to Principle 4, the board of directors and/or senior management should:
- Consider all relevant risks when approving the bank’s risk appetite and tolerance statements.
- Periodically review the risk appetite and tolerance statements.
With respect to Principle 5, the board of directors and/or senior management should:
- Establish systems to report and track operational risks and maintain an effective mechanism for resolving problems.
- Translate the Framework approved by the board into specific policies and procedures used to manage risk.
- Ensure that operational risk managers communicate clearly with personnel responsible for market, credit, liquidity, interest rate, and other risks and with those procuring outside services, such as insurance or outsourcing.
- Ensure that CORF managers should have sufficient stature in the bank, commensurate with market, credit, liquidity, interest rate, and other risk managers.
- Ensure that the staff is well trained in operational risk management.
- Develop a governance structure of the bank that is commensurate with the size and complexity of the firm. Regarding the governance structure, the bank should consider:
- Committee structure: for large, complex banks, a board-created firm level risk committee should oversee all risks. The management-level operational risk committee would report to the enterprise level risk committee.
- Committee composition: committee members should have business experience, financial experience, and independent risk management experience. Independent, non-executive board members may also be included.
- Committee operation: committees should meet frequently enough to be productive and effective. The committee should keep complete records of committee meetings.
With respect to Principle 6, the board of directors and/or senior management should:
- Consider both internal and external factors to identify and assess operational risk.
With respect to Principle 7, the board of directors and/or senior management should:
- Maintain a rigorous approval process for new products and processes.
- Thoroughly review new activities and product lines, reviewing inherent risks, potential changes in the banks risk appetite or risk limits, necessary controls required to mitigate risks, residual risks, and the procedures used to monitor and manage operational risks.
With respect to Principle 8, the board of directors and/or senior management should:
- Continuously improve the operational risk reporting.
- Ensure that operational risk reports are timely
- Ensure that operational risk reports include:
- Breaches of the banks risk appetite and tolerance statement.
- Breaches of the banks thresholds and risk limits.
- Details of recent operational risk events and/or losses.
- External events that may impact the banks operational risk capital.
- Both internal and external factors that may affect operational risk.
With respect to Principle 9, the board of directors and/or senior management should have a sound internal control system. Banks may need to transfer risk (e.g., via insurance contracts) if it cannot be adequately managed within the bank. However, sound risk management controls must be in place and thus risk transfer should be seen as a complement to, rather than a replacement for, risk management controls.
With respect to Principle 10, the board of directors and/or senior management should:
- Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology, damaged facilities, pandemic illnesses that affect personnel, and so on).
- Periodically review continuity plans.
With respect to Principle 11, the board of directors and/or senior management should:
- Write public disclosures such that stakeholders can assess the banks operational risk management strategies.
- Write public disclosures that are consistent with risk management procedures.
Operational Risk Management Framework
The operational risk management framework (i.e., the Framework) must define, describe, and classify operational risk and operational loss exposure. The Framework helps the board and managers understand the nature and complexities of operational risks inherent in the banks products and services.
Framework documentation, which is overseen by the board of directors and senior management, should:
- Describe reporting lines and accountabilities within the governance structure used to manage operational risks.
- Describe risk assessment tools.
- Describe the banks risk appetite and tolerance.
- Describe risk limits.
- Describe the approved risk mitigation strategies (and instruments).
- With respect to inherent and residual risk exposures, describe the banks methods for establishing risk limits and monitoring risk limits.
- Establish risk reporting processes and management information systems.
- Establish a common language or taxonomy of operational risk terms to create consistency of risk identification and management.
- Establish a process for independent review of operational risk.
- Require review of established policies and procedures.
Describe tools and processes that can be used to identify and assess operational risk.
Tools that may be used to identify and assess operational risk include:
- Business process mappings, which do exactly that, map the bank’s business processes. Maps can reveal risks, interdependencies among risks, and weaknesses in risk management systems.
- Risk and performance indicators are measures that help managers understand the banks risk exposure. There are Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs). KRIs are measures of drivers of risk and exposures to risk. KPIs provide insight into operational processes and weaknesses. Escalation triggers are often paired with KRIs and KPIs to warn when risk is approaching or exceeding risk thresholds.
- Scenario analysis is a subjective process where business line managers and risk managers identify potential risk events and then assess potential outcomes of those risks.
- Measurement involves the use of outputs of risk assessment tools as inputs for operational risk exposure models. The bank can then use the models to allocate economic capital to various business units based on return and risk.
- Audit findings identify weaknesses but may also provide insights into inherent operational risks.
- Analysis of internal operational loss data. Analysis can provide insight into the causes of large losses. Data may also reveal if problems are isolated or systemic.
- Analysis of external operational loss data including gross loss amounts, dates, amount of recoveries and losses at other firms.
- Risk assessments, or risk self assessments (RSAs), address potential threats. Assessments consider the banks processes and possible defenses relative to the firm’s threats and vulnerabilities. Risk Control Self-Assessments (RCSA) evaluate risks before risk controls are considered (i.e., inherent risks). Scorecards translate RCSA output into metrics that help the bank better understand the control environment.
- Comparative analysis combines all described risk analysis tools into a comprehensive picture of the bank’s operational risk profile. For example, the bank might combine audit findings with internal operational loss data to better understand the weaknesses of the operational risk framework.
Describe features of an effective control environment and identify specific controls that should be in place to address operational risk
An effective control environment must include the following five components:
- A control environment.
- Risk assessment.
- Control activities.
- Information and communication.
- Monitoring activities.
Explain the Basel Committees suggestions for managing technology risk
Technology risk management tools are similar to those suggested for operational risk management and include:
- Governance and oversight controls.
- Policies and procedures in place to identify and assess technology risks.
- Written risk appetite and tolerance statements.
- Implement a risk control environment.
- Establish risk transfer strategies to mitigate technology risks.
- Monitor technology risks and violations of thresholds and risk limits.
- Create a sound technology infrastructure (i.e., the hardware and software components, data and operating environments).
Explain the Basel Committees suggestions for managing outsourcing risk.
Outsourcing involves the use of third parties to perform activities or functions for the firm. Outsourcing may reduce costs, provide expertise, expand bank offerings, and/or improve bank services. The board of directors and senior management must understand the operational risks that are introduced as a result of outsourcing. Outsourcing policies should include:
- Processes and procedures for determining which activities can be outsourced and how the activities will be outsourced.
- Processes for selecting service providers (e.g., due diligence).
- Structuring the outsourcing agreement to describe termination rights, ownership of data, and confidentiality requirements.
- Monitor risks of the arrangement including the financial health of the service provider.
- Implement a risk control environment and assess the control environment at the service provider.
- Develop contingency plans.
- Clearly define responsibilities of the bank and the service provider.
Define enterprise risk management (ERM) and explain how implementing ERM practices and policies can create shareholder value, both at the macro and the micro level
Enterprise risk management (ERM) is the process of managing all of a corporation’s risks within an integrated framework.
Macro Level
At the macro level, ERM allows management to optimize the firm’s risk/return tradeoff. This optimization assures access to the capital needed to execute the firm’s strategic plan.
The perfect markets view of finance implies that a company’s cost of capital is unrelated to its diversifiable risk. Rather, the cost of capital is determined by the firm’s systematic risk (also referred to as nondiversifiable, market, or beta risk). According to this view, efforts to hedge diversifiable risk provide no benefit to shareholders, who can eliminate this risk by diversifying their portfolios.
Micro Level
In order for ERM to achieve the objective of optimizing the risk/return tradeoff, each project must be evaluated not only for the inherent risk of the project but also for the effect on the overall risk of the firm. Thus, ERM requires that managers throughout the firm be aware of the ERM program. This decentralization of evaluating the risk/return tradeoff has two components:
- Any managers evaluating new projects must consider the risks of the project in the context of how the project will affect the firm’s total risk.
- Business units must be evaluated on how each unit contributes to the total risk of the firm. This gives the individual managers an incentive to monitor the effect of individual projects on overall firm risk.
There are three reasons why decentralizing the risk-return tradeoff in a company is important:
- Transformation o f the risk management culture: A consistent, systematic assessment of risks by all business units ensures that managers consider the impact of all important risks.
- Every risk is owned: Because performance evaluations are based on risk, managers have an incentive to consider important risks in their decision making.
- Risk assessment by those closest to the risk: Managers in the individual business units have the knowledge and expertise needed to assess and manage the risks of the business unit.
Explain how a company can determine its optimal amount of risk through the use of credit rating targets. Describe the development and implementation of an ERM system, as well as challenges to the implementation of an ERM system.
In developing an ERM, management should follow this framework:
- Determine the firms acceptable level of risk.
- Based on the firms target debt rating, estimate the capital (i.e., buffer) required to support the current level of risk in the firms operations.
- Determine the ideal mix of capital and risk that will achieve the appropriate debt rating. At this level of capital, the firm will be indifferent between increasing capital and decreasing risk.
- Decentralize the risk/capital tradeoff by giving individual managers the information and the incentive they need to make decisions appropriate to maintain the risk/capital tradeoff.
The implementation steps of ERM are as follows:
- Step 1: Identify the risks of the firm. Identification of risks should be performed both top-down (by senior management) and bottom-up (by individual managers of business units or other functional areas).
- Step 2: Develop a consistent method to evaluate the firms exposure to the risks identified above. If the methodology is not consistent, the ERM system will fail because capital will be misallocated across business units.
Economic Value vs. Accounting Value
- Credit ratings are typically based on accounting data, combined with some level of subjective assessment by analysts. Economic value, as determined by management, may very well be a more accurate reflection of the true value of the firm.
- In determining whether accounting value or economic value is more relevant, the firm must consider its objective. If the objective is to manage the probability of default, the question of how default is determined becomes important. If default is determined by failure to meet certain accounting measures (e.g., debt ratio, interest coverage), then accounting measures will be a critical component of meeting the objectives.
- If the objective is to manage the present value of future cash flows, then economic measures may be more appropriate than accounting measurements that do not accurately capture economic reality. Management must consider that managing economic value may lead to more volatile accounting earnings, which may ultimately affect economic value as well.
Describe the role of and issues with correlation in risk aggregation, and describe typical properties of a firms market risk, credit risk, and operational risk distributions
- Firms that use value at risk (VaR) to assess potential loss amounts will ultimately have three different VaR measures to manage. Market risk, credit risk, and operational risk will each produce their own VaR measures. The trick to accurately measuring and managing firmwide risk, and in turn firm-wide VaR, is to understand how these VaR measures interact. Market risks will typically follow a normal distribution; however, the distributions for credit risks and operational risks are usually asymmetric in shape, due to the fat-tail nature of these risks.
- Due to diversification effects of aggregating market, credit, and operational risk, firm-wide VaR will be less than the sum of the VaRs from each risk category. This suggests that the correlation among risks is some value less than one.
Distinguish between regulatory and economic capital, and explain the use of economic capital in the corporate decision making process
Regulatory capital requirements may differ significantly from the capital required to achieve or maintain a given credit rating (economic capital). If regulatory requirements are less than economic capital requirements, then the firm will meet the regulatory requirements as part of its ERM objectives, and there will be no effect on the firm’s activities.
However, if regulatory capital requirements are greater than economic capital requirements, then the firm will have excess capital on hand. If competitors are subject to the same requirements, this excess capital will amount to a regulatory tax. If competing firms are not subject to the excess capital requirement, they will have a competitive advantage.
Risks to Retain and Risks to Lay off
The guiding principle in deciding whether to retain or layoff risks is the comparative advantage in risk bearing. A company has a comparative advantage in bearing its strategic and business risks, because it knows more about these risks than outsiders do. Because of this informational advantage, the firm cannot transfer these risks cost effectively. Moreover, the firm is in the business of managing these “core” risks. On the other hand, the firm has no comparative advantage in forecasting market variables such as exchange rates, interest rates, or commodities prices. These “noncore” risks can be laid off. By reducing noncore exposures, the firm reduces the likelihood of disruptions to its ability to fund strategic investments and increases its ability to take on business risks.
Risk appetite framework (RAF)
A risk appetite framework (RAF) is a strategic decision-making tool that represents the firm’s core risk strategy. It sets in place a clear, future-oriented perspective of the firm’s target risk profile in a number of different scenarios and maps out a strategy for achieving that risk profile. It also specifies which types of risk the firm is willing to take and under what conditions as well as which types of risk the firm is unwilling to take.
Risk Appetite Statement
An RAF should start with a risk appetite statement that is essentially a mission statement from a risk perspective. This statement should cover some or all of the following elements:
- Desired business mix and balance sheet composition (i.e., capital structure—trade-off between debt and equity).
- Risk preferences (i.e., how much credit or market risk to take on or hedge)
- Acceptable trade-off between risk and reward.
- Acceptable limits for volatility (based on standard deviation).
- Capital thresholds (i.e., regulatory and economic capital).
- Tolerances for post-stress losses.
- Target credit ratings.
- Optimum liquidity ratios.
Benefits of a well-developed RAF
The benefits of a well-developed RAF are as follows:
- It improves a firm’s strategic planning and tactical decision-making.
- The inherent flexibility allows firms to adapt to market changes, especially if appropriate opportunities arise that require adjustments to the RAF.
- It assists firms in preparing for the unexpected; requires business line strategy reviews and maintains an open dialogue regarding the management of unexpected economic or market events in particular geographies or products.
- It focuses on the future and sets expectations regarding the firm’s consolidated risk profile after performing relevant stress tests and scenario analyses. Thus, it helps the firm set up a plan for risk taking, loss mitigation, and use of contingency measures.
Describe best practices for a firm’s Chief Risk Officer (CRO) in the development and implementation of an effective RAF
Board members involved with risk issues should be able to directly contact the CRO and engage in frequent communication about on-going key risk issues. A best practice could be to create a board risk committee that is directly involved in performance review and compensation decisions regarding the CRO. A strong alliance between the CRO (risk management function) and the CFO (budgetary considerations) is key to spreading the use of the RAF throughout the organization.
Describe best practices for a firm’s Chief Executive Officer (CEO) in the development and implementation of an effective RAF
The CEO should strongly support the RAF and refer/use it to support challenging risk and strategic decisions. The willingness of the CEO to give the CRO the final word on many risk decisions is a best practice since it strengthens the importance of the risk management function. Where any instances of non-compliance with the RAF exist, a best practice would be for the CRO and/or the CEO to advise the board of directors on the corrective measures that will be undertaken.
Describe best practices for a firm’s board of directors in the development and implementation of an effective RAF
- A best practice would be for the board to state its expectations to management in advance so that management can establish appropriate strategic plans.
- When a board challenges management and requires a thorough vetting of the RAF, the end product is more complete and relevant. A best practice is to have the active involvement of the board with senior management in continually revising the RAF until everyone is satisfied.
- Additionally, another best practice is the development of a concrete way of assessing when the RAF needs to be amended to reflect a changing environment.
- With regard to technical knowledge of members, there should be a sufficient balance in board composition to ensure all members have a reasonable and congruent understanding of the firm’s risks and to avoid situations where there are marked divisions between “experts” and “non-experts.” A best practice is to provide detailed technical training to board members on relevant concepts.
- Additionally, requiring cross-membership amongst the major committees helps ensure that those functions have members with a strong technical base. The training and cross-membership practices should serve as supplements to existing expertise.
- As a best practice, reporting to the board should be thorough and broad in scope and not overly simplified.
- Additionally, communication from management should include a business aspect and not be focused on just technical aspects.
- Finally, as another best practice, the board should be willing to push back to management if they feel the information provided is not sufficient for their needs.
- Reputation risk needs to have a significant amount of the board’s attention. As a best practice, the board should set up a reputational risk committee to analyze marketplace changes and approve transactions on the basis of geography or product line.
Explain the role of an RAF in managing the risk of individual business lines within a firm,
- Generally speaking, the RAF helps to ensure that each business line’s strategies are congruent with the firm’s desired risk profile. The various business line managers each submit a medium-term business plan to senior management and/or the board to determine if it is consistent with the RAF.
- Additionally, the RAF considers the integrated nature of the business lines within the firm. For example, the RAF can help determine how much a given business line’s medium-term business plans has to be amended in order to allow another business line’s proposal to be approved.
Describe best practices for monitoring a firm’s risk profile for adherence to the RAF
Examples of metrics that can be monitored as part of an effective RAF are as follows:
- Capital targets (economic capital, tangible common equity, total leverage) or capital-atrisk amounts.
- Liquidity ratios, terms, and survival horizons.
- Net interest income volatility or earnings-at-risk calculations.
- Value at risk (VaR) limits.
- Risk sensitivity limits.
- Risk concentrations by internal and/or external credit ratings.
- Expected loss ratios.
- The firms own credit spreads.
- Asset growth ceilings by business line or exposure type.
- Performance of internal audit ratings.
- Economic value added.
- Post-stress-test targets for capital, liquidity, and earnings.
It is important to ensure that the metrics used to monitor risk are appropriate to the users of the information. Therefore, the risk metrics should be divided into classes, depending on who is receiving the information within the firm.
Explain the benefits to a firm from having a robust risk data infrastructure, and describe key elements of an effective IT risk management policy at a firm.
A benefit of a robust risk data infrastructure is the ability to aggregate timely and accurate data to report on credit, market, liquidity, and operational risks.
Key elements of an effective IT risk management policy at a firm are described as follows:
- Clearly defined standards and internal risk reporting requirements to ensure a proper IT infrastructure and internal reporting.
- Sufficient funding is provided to develop IT systems for the purpose of internal risk reporting; they compete equally with proposals that are revenue generating, for example.
- Assessing IT infrastructure and capacity prior to approving new products.
- Post-implementation reviews of IT systems performed anywhere from 6—18 months afterward as a check that the systems meet the risk personnel’s needs.
- The level of governance for outsourced IT activities is the same as if they were done in-house. There are no impediments to implementation or access to data due to outsourcing.
- The existence of effective project management offices (PMOs) to ensure that timelines and deliverables are met. Specifically, one person is in charge of the PMO, which seems to result in stronger coordination and communication between project staff.
- There is a data administrator as well as a data owner, and the data owner must ensure a sufficiently high level of data accuracy, integrity, and availability. This helps to ensure that IT projects are meeting the users’ needs.
- The board is able to implement relevant internal audit programs to allow for periodic reviews of data maintenance processes and functions. The monitoring could be continuous or specific to a product or business line. This would allow for the quick correction of any weaknesses detected by internal audit.
-
Topics 1-225
-
Topics 3-525
-
Topics 6-928
-
Topics 10-1217
-
Topics 13-1530
-
Topics 16-1823
-
Topics 19-2041
-
Topics 21-2334
-
Topics 24-2626
-
Topics 27-3038
-
Topics 31-3431
-
Topics 35-3621
-
Topics 37-3926
-
Topics 40-4223
-
Topics 43-4527
-
Topics 46-4823
-
Topics 49-5031
-
Topics 51-5434
-
Topics 55-5829
-
Topics 59-6116
-
Topics 62-6425
-
Topics 65-6832
-
Topics 69-7134
-
Topics 72-7939
-
Revision27
