operational risk governance: 5 core regulatory expectations
DESCRIPTION
The concept of heightened expectations was no surprise to banks, even before the publication of the notice of proposed rulemaking (NPR) that appeared in the Federal Register on January 27, 2014 (Volume 79, No. 17, page 4282). The OCC had been raising these issues for years. The NPR however, did provide more detail on OCC expectations.TRANSCRIPT
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
1
JOIN. ENGAGE. LEAD.
OPERATIONAL RISK GOVERNANCE: 5 CORE REGULATORY
EXPECTATIONS
Adapted from Malcolm Griggs’s presentation at the RMA Governance, Compliance, and Operational Risk
Conference
May 7, 2014
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
2
JOIN. ENGAGE. LEAD.
REGULATORY EXPECTATIONS
The notice of proposed rulemaking that appeared in the Federal
Register on January 27, 2014 (Volume 79, No. 17, page 4282)
provides more details on the OCC’s heightened
expectations of banks.
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
3
JOIN. ENGAGE. LEAD.
5 CORE EXPECTATIONS IN THE HEIGHTENED REGULATORY ENVIRONMENT
The bank board must act in the best interests of the bank entity.
Banks must have well defined personnel management programs, including staffing, succession, and compensation programs that do
not reward excessive risk taking.
Banks must articulate their risk appetite tolerance levels, using capital at risk, earnings at risk, and liquidity measures.
Limits should be established and allocated to lines of business.
Banks must have strong audit and risk management programs.
Bank boards must evidence their willingness to challenge and question bank management.
1
4
2
3
5
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
4
JOIN. ENGAGE. LEAD.
HEIGHTENED REGULATORY EXPECTATIONS
• The proposed rule includes details on expectations relating to first, second, and third lines of defense as part of the bank’s risk governance framework.
• Operational risk governance alone will not meet each of these expectations, but it would difficult to comply fully without a solid governance framework.
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
5
JOIN. ENGAGE. LEAD.
GOVERNANCE
In order to meet the expectation that the board will act in the best interests of the bank, (expectation 1), the board, or the board Risk Committee must have accurate and relevant information about: 1. Operational risks. 2. Operational risk limits
established under the comprehensive risk appetite framework.
1
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
6
JOIN. ENGAGE. LEAD.
Trading errors (dollars and
count).
Fraud losses (internal and
external). Legal
settlements. Control gaps.
Regulatory violations.
Severity and frequency of operational
losses.
Vendor errors or vendor
concentration risk.
System outages and recovery
time.
Information security
breaches.
Employee attrition and staffing adequacy
(expectation 2).
Errors in new product
launches.
Failed branch, operations and
business audits.
Measurement of self-identified issues vs. issues identified by
second or third lines of defense.
OPERATIONAL RISK, LIMITS, OR MEASUREMENTS
2
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
7
JOIN. ENGAGE. LEAD.
GOVERNANCE ROUTINES
• Understand what drives operational risk capital or stress testing (impacts EaR and VaR). This is essential for strategic planning, the development of appropriate controls, and the allocation of IT and human resources (expectation 3).
• Discuss operational risks and associated metrics in an operational risk committee meeting or have a standing slot in a comprehensive risk committee meeting, which discusses all types of risks in one forum (preferred).
• Should be established and monitored for breaches or trend lines heading toward a KRI breach.
• A key tool to assess the level of operational risk. (Similar to Risk and Control Self Assessments, but with more testing of controls.) Management
Control Assessments
Key Risk Indicators
Understanding Drivers
OR Information
3
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
8
JOIN. ENGAGE. LEAD.
GOVERNANCE ROUTINES: CHANGE IS A KEY OPERATIONAL RISK
Change can include: • A merger. • A sale or purchase of assets or
liabilities. • A new product launch. • A systems conversion. • Etc.
“Ready–Aim–Fire” is always better than “Fire–Ready– Aim.”
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
9
JOIN. ENGAGE. LEAD.
GOVERNANCE ROUTINES: CHANGE IS A KEY OPERATIONAL RISK (CONT.)
Change Control
Committee
Proposed change to the control
environment is brought for discussion and
decision is a valuable tool to prevent
execution mistakes.
The membership is generally comprised of business leaders, Risk
Management, Technology, Operations
and Compliance
Committee does not decide whether a
proposal is appropriate in theory or whether it
poses a legal or regulatory risk. That
should have been vetted earlier in other forums
Focus is on ensuring that the teams have thought through everything that is needed to ensure an
execution that is consistent with expectations (i.e., no surprises). This includes the results of UAT or FUT,
communications plans, checkpoints with key internal and external partners, and a plan for monitoring the change
post-implementation
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
10
JOIN. ENGAGE. LEAD.
Auditors need same experience.
Business must understand the operational risks it incurs.
Hire/train people who can develop operational risk policies, procedures, and programs in line with the bank’s risk appetite framework.
THE IMPORTANCE OF PERSONNEL AND ROLES/RESPONSIBILITIES
Hire risk managers with actual experience in transaction processing, technology, information security, and fraud detection and prevention (expectation 4).
4
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
11
JOIN. ENGAGE. LEAD.
THE BOARD
From a governance standpoint, the board must be fully informed and fully engaged (expectation 5).
5
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
12
JOIN. ENGAGE. LEAD.
BOARD ENGAGEMENT The board should have a healthy degree of skepticism. They should trust management, but make sure they fully understand a situation. Key questions to ask in the operational risk space might include:
What was the root cause of that loss?
How do you know it won’t happen again?
What sort of testing of controls did you do to ensure that this gap is
closed?
So, you’ve closed this control gap….are there other similar gaps that
need work? How do you know?
How does this rank in terms of priority of risk
focus? Why?
Do you have the human and technology resources
to address this issue?
Who are our largest or key vendors?
How confident are you that our vendor has their end under control? How
do you know?
I read about the problem XYZ Bank had with XXX. Can this happen here? How do you know/what are you doing about it?
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
13
JOIN. ENGAGE. LEAD.
BOARD ENGAGEMENT: EQUALLY IMPORTANT
Not only must your board be engaged… you have to prove it.
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
14
JOIN. ENGAGE. LEAD.
BOARD ENGAGEMENT: EQUALLY IMPORTANT (CONT.)
• Much more detailed minutes than traditionally provided will be required:
Show questions or challenges the board directed to management.
Recap active discussion among the board members.
• Bank examiners can’t sign off on what they can’t see.
Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
15
JOIN. ENGAGE. LEAD.
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional performance and financial stability, and enhance the risk competency of individuals through information, education, peer sharing, and networking.
Become a member today.