uk fsa guidance consultation - enhancing frameworks in the standardized approach (tsa) to...

Upload: marketswiki

Post on 09-Apr-2018


8/8/2019 UK FSA Guidance Consultation - Enhancing Frameworks in the Standardized Approach (TSA) to Operational Risk

1/51

Financial Services Authority

Enhancing frameworks in the standardised approach to operational risk

Guidance Consultation

October 2010


The standardised approach to operational risk: enhancing frameworks

A compendium of papers illustrating some of the approaches TSA firms might employ to help them meet the qualitative requirements.

1. Introduction: The standardised approach: enhancing frameworks

2. Operational risk governance and risk management structures

3. Risk identification, measurement, monitoring and reporting

4. The Use Test


1. The standardised approach: Enhancing frameworks

Introduction

1.1 The Financial Services Authority (FSA) is undertaking an initiative designed to examine, review and assess the implementation of the standardised approach (TSA) for operational risk at firms and to establish if any elements in existing frameworks can be improved on or require clarification.

1.2 This work is called: The standardised approach: Enhancing frameworks. As part of this work we have initiated a series of expert groups designed to bring together the FSA and operational risk practitioners at firms to share ideas on current practice, weaknesses, and possible improvements. As well as stimulating discussions and informing the FSA and fellow participants, we are producing this compendium of papers covering various components of a TSA framework.

1.3 These papers are being drafted for the benefit of supervisors of TSA firms, but will also be made available on our website. The compendium outlines key features of the TSA that are of interest, with observations and suggestions to support existing Handbook guidance and rules. We use Handbook guidance and other supporting materials to supplement the principles and rules where we think it may help firms to decide what procedures they might wish to consider adopting as good practice. Guidance, and the variety of materials we publish to support the rules and Handbook guidance, is not binding on those to whom the FSA rules apply. Such materials are intended to illustrate ways (but not the only ways) in which firms can comply with the relevant rules. Guidance and supporting materials are potentially relevant to an enforcement case. The extent to which we may take them into account when considering a matter will depend on all the circumstances of the case. Firms are referred to Chapter 2 of our Enforcement Guide for further information about the status of Handbook guidance and supporting materials.

1.4 Our findings will also flow into ongoing work at international level, in the EU and Basel, both of which are considering a number of operational risk topics of relevance to TSA firms at present.

1.5 We are grateful to all those firms and their staff who participated in the expert groups formed to consider the various compendium topics. The quality of contribution was exceptional and the openness with which participants embarked on this process is commended. Each section of the compendium will include details of those firms and individuals who provided such valuable assistance in this process.

Context

1.6 All BIPRU firms are required to meet a set of proportionate general risk-management standards (contained in SYSC 4.1.1R to 4.1.2R and SYSC 7.1.16R), irrespective of the operational risk methodology adopted. In addition, there are also specific qualitative standards for TSA and AMA[1] firms and these are proportionate for TSA firms. As a consequence of the SYSC[2] general risk management requirements, there should be no significant difference between the qualitative operational risk standards required of a large and complex TSA firm and those for a similarly large and complex AMA firm.

[1] AMA: Advanced Measurement Approach to operational risk.

1.7 The waiver approval processes for current AMA firms involved two to three years of close and continuous work with the firm by our Prudential Risk Department and were marked by improvements in the qualitative standards developed by these firms. However, TSA firms have not had the benefit of a similar close and continuous process, and this factor, together with the findings of some ARROW and firm visits and some SREP[3] submissions, has raised concerns about the qualitative standards adopted.

1.8 The lack of any guidance on the appropriate components and form of an acceptable TSA/ASA framework has made it difficult for some firms and supervisors to identify weaknesses in the frameworks adopted. The key message is that, as a result of the general risk management standards contained in SYSC, there should be no significant difference between the qualitative standards applied by a large and complex TSA firm and those required from a similar AMA firm. However, experience suggests that some such TSA firms may experience difficulty if they were to seek AMA approval, further supporting the suggestion that not all TSA firms have reached a satisfactory level of qualitative operational risk management.

Completed compendium sections

1.9 To date, we have facilitated three expert groups and this resultant compendium can be found on our website. These papers cover the following:

I. Operational risk governance and risk management structures

1.10 Topics covered include: the role of the board; risk appetite/tolerance; the role of senior management; the operational risk function; three lines of defence; and behaviour, engagement and risk culture.

II. Risk identification, measurement, monitoring and reporting

1.11 Topics covered include: the tools and techniques used by firms to identify and assess the operational risk inherent in all material products, activities, processes and systems; tracking relevant operational risk data, including loss data; procedures for taking appropriate action in response to information contained in management reports; and how risk exposure is managed, monitored, and reported.

III. The Use Test

1.12 Topics covered include: how the Use Test is integrated into the risk management process; how the output of the risk management process can become an integral part of the process of monitoring and controlling the firm's operational risk profile; how firms determine if they meet the Use Test requirements on an ongoing basis; and the Use Test or experience requirement.

[2] SYSC: Senior Management Arrangements, Systems and Controls Sourcebook.

[3] SREP: Supervisory Review and Evaluation Process.


Future compendium sections

1.13 We are proposing to undertake the following expert groups as part of this initiative:

I. Policy and documentation

1.14 We expect the policy topics to include: issues addressed in operational risk policies; how policy is communicated and maintained; risk appetite/tolerance; new product approval process; mapping the relevant indicator for business lines and activities policies (see also quantitative requirements); who approves; how frequently policy is reviewed and updated; the requirements placed on documentation; the issues documented; and how firms satisfy themselves over the quality of documentation and management reporting.

II. Quantitative requirements

1.15 We expect the topics to include: the development of specific criteria for mapping the relevant indicator for business lines and activities; and approaches to business line mapping and relevant indicator mapping.

Summary

1.16 This compendium comprises a series of papers drafted by the FSA to assist firms and supervisors in understanding, assessing and enhancing the adequacy and effectiveness of frameworks introduced to implement the standardised approach to operational risk. The various components of a TSA framework cannot be viewed in isolation and should be reviewed and assessed as a package of closely interwoven elements. Therefore we will focus attention on the outcome generated by the operational risk framework. It is unlikely that a firm with an acceptable operational risk governance and risk management structure, for example, and weaknesses in other TSA elements could be perceived to have an acceptable TSA framework. In addition, weaknesses in one area may well make it impossible for a firm to implement a successful element elsewhere. For example, a firm with poor operational risk reporting and management information is unlikely to be able to demonstrate that the operational risk assessment system is closely integrated into the firm's risk management processes (the use or experience test).

1.17 Implementing operational risk frameworks cannot be viewed as a compliance exercise. Putting the various individual TSA elements in place is only likely to provide an effective framework if the individual elements have been implemented together in a robust, effective and comprehensive manner. The quality of implementation is an important consideration in any assessment of an operational risk framework.

1.18 These papers, and the variety of materials we publish to support the rules and Handbook guidance, are not binding on those to whom our rules apply. Such materials are intended to illustrate some of the ways in which firms can comply with the relevant rules. Irrespective of the techniques and methods adopted, a firm should be able to articulate why they believe the approach they have employed is appropriate.


Challenges

1.19 The process of drafting these papers confirmed the existence of a number of key challenges that cut across the various elements of the TSA methodology. These challenges are being encountered by most TSA firms and resolving these challenges is likely to greatly assist firms in developing more sophisticated operational risk measurement systems and practices. Challenges identified include the following:

i) The importance of tangible, clear and unambiguous board and senior management support and sponsorship for the operational risk management framework and function.

ii) The importance of the board and senior management setting the right cultural tone towards the operational risk framework.

iii) Persuading senior management to invest in improved operational risk frameworks and software. In many instances operational risk functions are required to focus valuable resources on managing operational risk data rather than managing operational risk.

iv) The importance of operational risk training and the challenges of ensuring that training is geared to the appropriate level of participant.

v) Embedding the operational risk framework within and across business units, particularly where these cross countries.

For further information

1.20 If you would like more information, or to discuss the contents of these papers, please email [email protected].

2. Operational risk governance and risk management structures

Introduction

2.1 This paper is one of a series drafted by the FSA to assist firms and supervisors in understanding, assessing and enhancing the adequacy and effectiveness of frameworks introduced to implement the standardised approach to operational risk. While this paper deals with issues related to operational risk governance and risk management structure, it is recognised that the various components of a TSA[1] framework cannot be viewed in isolation and must be reviewed and assessed as a package of closely interwoven elements.

2.2 Therefore, it is unlikely that a firm with an acceptable operational risk governance and risk management structure and weaknesses in other TSA elements could be perceived to have an acceptable TSA framework. In addition, weaknesses in one area may well make it impossible for a firm to implement a successful element elsewhere. For example, a firm with poor reporting and management information is unlikely to have an effective governance structure. In addition, implementing operational risk frameworks cannot be viewed as a compliance exercise. Having the various individual TSA elements in place is only likely to provide an effective framework when the individual elements have been implemented together in a robust, effective and comprehensive manner. The quality of implementation is an important consideration in any assessment of an operational risk framework.

2.3 Increasing emphasis is being placed on the risk governance, oversight and management process adopted by firms. The board and senior management play a central role in this process and it is not clear how a firm's governance, oversight and management process can prove effective without the full support and engagement of these bodies, or how the operational risk framework can succeed.

2.4 We expect firms to strengthen their risk governance in response to several regulatory initiatives, including The Walker Review[2] and this exercise. We also expect supervisors will ask TSA firms to detail the measures they have taken to assess how suitable their governance arrangements are, any remedial action they have taken as a result and how they are satisfied with their governance arrangements.

2.5 This paper has been drafted for the benefit of supervisors of TSA firms but will also be made available on our website. The paper outlines key features of TSA that are of interest, with observations and suggestions to support existing Handbook guidance and rules. We use Handbook guidance and other supporting materials to supplement the principles and rules where we consider it may help firms to decide what procedures to adopt as good practice. Guidance (and the variety of materials we publish to support the rules and Handbook guidance) is not binding on those to whom rules apply. Such materials are intended to illustrate some ways in which firms can comply with the relevant rules.

[1] TSA: The Standardised Approach to operational risk.

[2] A review of corporate governance in UK banks and other financial industry entities, 26 November 2009, www.hm-treasury.gov.uk/d/walker_review_261109.pdf.

Expert group

2.6 As part of the process of collecting the information necessary to draft this paper, we invited representatives from a number of BIA[3] and TSA firms to participate in an expert group on operational risk governance and risk management structures and a complete list of the 15 firms and their representatives appears in Annex A. A number of the expert group participants made presentations to the group. We are extremely grateful for the quality of debate and discussion in the expert group and for the contribution of participants to the work of the group.

Rules and guidance

2.7 The BIPRU[4] rules require firms to have a well-documented assessment and management system, with clear lines of reporting and responsibility that should be subject to a regular independent review. The requirements are subject to the proportionality principle and are therefore dependent on the size, nature, scale and complexity of the firm.

2.8 There is a fair amount of literature from various sources providing guidance on the topics of governance and risk management. Documents published by the Basel Committee for Banking Supervisors reinforce the importance of the role of senior management when implementing operational risk management frameworks. Furthermore, they emphasise that board members should be qualified for their positions while also being aware of the main operational risks their institution faces.

2.9 The CEBS[5] Risk Management Consultation Paper (2009) reinforces the importance of senior management support, as well as the existence of a person responsible for the risk management function across the entire institution (e.g. a Chief Risk Officer (CRO)). This CRO (or equivalent) should be sufficiently senior and independent to be able to challenge the decision-making process of the organisation.

2.10 Annex B of this paper contains details of the various rules and guidance mentioned above. Firms may find it useful to take full account of these rules and guidance when designing, implementing and testing their operational risk frameworks.

Key characteristics and observations

2.11 This section details elements that TSA firms might wish to employ as part of their risk governance and risk management framework. In drafting this section we have taken account of the various governance documents produced by the BCBS[6] and CEBS, and in some instances we have incorporated elements of that guidance directly into our suggestions.

[3] BIA: Basic indicator approach to operational risk.

[4] BIPRU: Prudential sourcebook for banks, building societies and investment firms.

[5] CEBS: Committee of European Banking Supervisors.

[6] BCBS: Basel Committee on Banking Supervision.

2.12 While the involvement of the board or its delegates in the risk governance process is likely to be determined by the overall risk management framework of the firm, it is generally accepted that, when a board delegates responsibility to an appropriate committee (for example, some firms have a Board Risk Committee), it continues to be accountable. Our discussions with the operational risk governance and risk management expert group showed that, for TSA firms with an effective Operational Risk governance and risk management structure, the board's (or its delegates') responsibilities might include:

i) Approving and periodically reviewing the operational risk framework based on an appropriate definition of operational risk. This framework usually covers the firm's appetite and tolerance for operational risk. Reviews assess industry best practice and, where necessary, ensure the framework is revised accordingly. Reviews of the framework usually occur every 24 months and for many firms an annual review is considered appropriate.

ii) Establishing a senior management structure to implement the firm-wide operational risk management framework and assigning clear lines of management responsibility, accountability and reporting.

iii) Having a clear understanding of operational risk and being aware of the major aspects of the firm's operational risks as a distinct risk category that should be managed. As part of this process, regular reviews of key risks often take place at board level.

iv) Ensuring the operational risk-management framework is subject to effective audit and review by an independent audit function.

v) Understanding the impact of strategic initiatives on the operational risk profile and ensuring that the operational risk impacts of strategic initiatives, new products, processes and systems are evaluated, managed and mitigated.

vi) Promoting:

a) a risk-focused culture throughout the organisation, with a clear understanding among all staff of their role in managing operational risk;

b) open communication of the operational risk framework and clear and speedy reporting of operational risk information, including significant operational risk events; and

c) ongoing risk training to ensure that the operational risk framework is fully embedded throughout the organisation. Our experience suggests that TSA firms often fail to require staff to undertake adequate operational risk training and that the embedding of a robust risk culture suffers as a result.

vii) Satisfying themselves that, for the purposes of risk management, the firm collects and maintains data that is accurate and comprehensive, which supports the principles of sound risk management at all levels of the firm. Actions required to satisfy this requirement might include:

a) Maintaining a data policy, approved by the board.

b) Data being sufficiently granular that it supports detailed analysis by risk factor.

c) Data being maintained over a period of time that allows analysis of loss behaviour through the economic and business cycles that are relevant to each risk type (for example, fraud).

d) Data being supported by a data model that allows for aggregation and disaggregation, as required. In particular, firms may wish to avoid their data being constrained by a specific vendor solution, entity identification, product classification, or instrument identification.

e) Data reporting upwards from origination, up to and including the board. Firms are likely to benefit from accurate, timely and clear reporting, aggregated at levels that are relevant to each recipient, and accompanied by value-adding analysis and commentary consistent with the decision-making status of the recipient.

f) Data not being limited to actual losses or incidents, but also including items that allow the firm's management to anticipate potential future problems by using benchmarking and/or trend analysis.

2.13 The board could discuss and approve a risk appetite/tolerance statement that is clear and understood throughout the organisation. We recommend though that firms consider whether their framework should cover the firm's appetite/tolerance for operational risk, as specified through the policies for managing this risk and the firm's prioritisation of operational risk management activities, including the extent of, and manner in which, operational risk is transferred outside the firm.

2.14 The term risk appetite is often taken as a forward-looking view of risk acceptance, while risk tolerance is often considered to be the amount of risk a firm has accepted in the past. In this document the terms are used to capture both aspects to reinforce a general message that firms might include a forward-looking analysis as part of their risk management and capital assessments. A purely historic approach might be perceived as neither sufficient nor interchangeable with a forward-looking view.

2.15 While some TSA firms have developed statements of this type, this is proving a challenging process in many organisations. Nevertheless, firms have usually expressed an appetite for risk in several forms, including loss data thresholds, RCSA[7] remedial action prompts and KRI[8] thresholds. An effective risk appetite will generally require regularly measuring and reporting risk exposure, as well as using clear and measurable triggers and limits to ensure that a firm does not exceed its risk appetite without taking remedial action. Operational risk appetite statements can provide an important management tool for TSA firms and are frequently used as a means of demonstrating that the operational risk framework is embedded. Risk appetite statements may:

i) take all relevant risks into account, including the firm's risk aversion, the current financial situation and the firm's strategic direction;

ii) encapsulate the various risk appetites in a firm and ensure they are consistent; and

iii) detail how the board will monitor management adherence to the risk appetite.

[7] RCSA: Risk control self assessment.

[8] KRI: Key risk indicator.

2.16 Generally, in TSA firms with effective operational risk governance and risk management structures, the senior management are responsible for implementing the framework approved by the board and are delegated, by the board, responsibility for developing policies, processes and procedures for managing operational risk. In undertaking these tasks, the requirements placed on the senior management might include:

i) Translating the board-approved operational risk management framework into specific policies, processes and procedures that can be implemented and verified within the different business units.

ii) Managing risks on a day-to-day basis, under the oversight of the management body.

iii) Implementing the operational risk framework through the organisation.

iv) Developing and obtaining approval for policies, processes and procedures for managing and approving operational risk in all new and material products, processes and systems.

v) Ensuring that:

a) all activities are conducted by staff with necessary experience, technical capability and resources;

b) the operational risk management policy is clearly and appropriately communicated to staff in all units;

c) remuneration policies are consistent with the firm's appetite for risk, as expressed in the risk appetite statement; and

d) operational risk staff communicate effectively with staff responsible for credit risk, market risk, compliance and other risks, insurance purchasers and outsourcing arrangers.

vi) Having a full understanding of the nature of the business and activities of the firm.

vii) Considering our SIF[9]/control function requirements.

2.17 The operational risk management function usually plays a key role in identifying, measuring and assessing the risks faced by the firm. Its responsibilities often include oversight of the framework; analysis of the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products; and an appropriate involvement in exceptional transactions. The new product approval process might consider the adequacy of the tools and expertise of the operational risk management, information technology, business line and internal control functions to identify, manage, monitor and report the resultant operational risk. Operational risk arising from mergers and acquisitions could be assessed in a similar way. This is particularly important given the confidentiality and timeframe within which mergers and acquisitions are negotiated and the complicated nature of the process.

[9] SIF: Significant influence function.

2.18 In undertaking these tasks, the requirements placed on the senior management of the operational risk management function might include being:

i) Appropriately expert for the risk profile. The board and senior management are often responsible for ensuring that the resources allocated to the risk management function are appropriate and consistent with the risk profile, management and business strategies.

ii) In regular contact with the board and its committees, depending on the delegation of authority and the risk management structure of the firm.

iii) Actively involved in the elaboration of the institution's strategy, to assist and benefit the decision-making process.

iv) Independent from the operational units reviewed by the risk management function. Nevertheless, the function could interact with the operational units and have sufficient access to achieve its objectives.

2.19 Successful risk management functions are usually:

i) empowered and supported by the board and senior management; and

ii) not directly responsible for the audit function, given the audit function's role in challenging the operational framework.

2.20 Responsibility for managing operational risk is not limited to the risk management function. All staff and business line management are responsible for managing operational risk and a firm would benefit from making all staff aware of their accountability for this.

2.21 In general, existing guidelines, papers and principles are not prescriptive on the governing structure of financial institutions. Instead they tend to concentrate on the roles and responsibilities of the key players and avoid discussing the structure created by the firm for its governance process. Nevertheless, it is clear from our discussions with the members of the expert group that a number of common elements exist in many TSA firms' operational risk governance structures. When considering the appropriateness of the adopted operational risk governance and risk management structure, the range of issues that should be taken into consideration might include the following:

i) The committee structure. Many organisations with a central group function and separate business units create a Group Operational Risk Committee that reports into a Group Risk Committee, which is a committee established by the board. Depending on the size, nature, scale and complexity of the firm, the Group Risk Committee may receive input from country, business and functional level Operational Risk Committees.

ii) Consideration of the operational risk governance and risk management structure, which could take account of:

a) the composition of any Operational Risk Committees, ensuring that the committee contains a combination of members with either financial experience or risk management, or both;

b) whether the committees are solely dedicated to operational risk, how much time is devoted to this, and what evidence can be provided to testify to the quality of debate and challenge;

c) whether committee members must attend, how many meetings they can miss without censure, whether they can send an alternate and if so whether they require prior agreement of the chair;

d) the frequency of the operational risk governance bodies' meetings (a recent survey of risk governance[10] noted that meetings are not as frequent as had been expected); and

e) whether the meetings of the various committees that form part of the governance structure are timed so issues and events can be escalated in a timely manner.

2.22 Most expert group participants have established senior management Operational Risk Committees to ensure oversight of operational risk. It is interesting to note that some small firms have adopted this approach. In some instances firms have also established Board Risk Committees to oversee the overall risk management process. In some firms, the responsibilities of the board discussed in paragraph 1.15 are carried out by a delegated committee, although the board retains ultimate accountability. Firms adopting the TSA methodology may find it helpful to establish effective Operational Risk Committees and to be able to articulate how they satisfy themselves that the senior committee undertakes an effective role in the operational risk management framework.

2.23 Several expert group participants employ three lines of defence as part of their operational risk governance and risk management structure. A strong risk culture, good communication and understanding, and a strong sense of risk awareness can provide comfort when used in conjunction with this approach. While we have seen different interpretations of its composition, the most common approach is for the three lines to comprise the following:

i) The first line is provided by the business, comprising the business units, support functions and embedded operational risk staff.

ii) The second line is provided by the risk management function, comprising the operational risk management function and the compliance functions. To qualify in this category, the risk management function usually demonstrates the qualities detailed in the operational risk management function section.

iii) The third line is the audit function. A number of TSA firms have outsourced their audit function. The underlying arrangements and effectiveness of an outsourced audit function should be assessed for their suitability.

10 Risk Governance at Large Banks, Moody's Global Banking, July 2009


2.24 While a great many firms can point to their structure as evidence of the three lines of defence, firms could strengthen this by producing specific examples showing how they operate satisfactorily. They might also explain how the board and senior management are satisfied that this approach is implemented and operates in an appropriate and acceptable manner.

2.25 One possibility when seeking to determine the effectiveness of a firm's operational risk governance and risk management structure could be to evaluate its impact on behaviour, engagement and risk culture. Any attempt to do so might focus on a number of important elements:

i) Awareness. Every member of staff has an important role to play in the management and mitigation of operational risk within a firm. Supervisors could investigate whether staff are aware of their responsibilities with regard to identifying, managing, monitoring and reporting operational risks. Firms could elect to raise awareness of operational risk among staff and embed the operational risk framework into the day-to-day risk management process of the firm.

ii) Culture. The expert group considered a strong risk culture, running through the entire organisation, as essential. For example, it may be better to own up to an error than to hide it, where a 'no blame' culture exists. Such cultures are difficult to achieve without the direct, active and demonstrable sponsorship and support of the board and senior management. A favourable culture is also more likely to be achieved if business units are engaged with the governance structure and do not view the arrangements as a constraint.

iii) Challenge. One of the key components of an effective governance structure is challenge throughout the structure, including at board, senior management and committee level. Various mechanisms exist to enable firms to judge the quality and effectiveness of the challenge process, including committee minutes and notes for the record.

2.26 Firms capable of satisfying themselves about the effectiveness of their operational risk governance and risk management structure are also likely to be able to demonstrate to supervisors why they feel that this is the case. In some cases the firm may decide that external observers are best placed to undertake an impartial evaluation of effectiveness; in other cases firms decide that this task is best achieved by internal parties, including the internal audit function. The firm is generally in the best position to determine who is best able to evaluate the effectiveness of the operational risk governance and risk management arrangements.

2.27 Supervisors often use a 'vertical slice' through the governance and risk management structure to help understand the workings of the process and procedures and the behaviour, engagement and risk culture. This may show how risks and events are escalated within the governance structure and involves tracking the reporting, review and response to a significant operational risk event, from its discovery in a business unit up to the board or most senior risk committee in the firm. Examining the vertical slice could extend to considering how any responses, reactions and decisions are communicated back to the original business unit.


2.28 We have observed that firms often benefit from having a clear organisational structure with well defined, transparent and consistent lines of responsibility. This structure works well when it is comprehensive and proportionate to the size, scale and complexity of the firm's activities.

2.29 The operational risk governance and risk management structure is a key component of a firm's assessment and management system for operational risk, and it is a specific BIPRU requirement that the assessment and management system for operational risk must be well-documented.

2.30 Regulators and supervisors regularly publish papers, principles and proposals for improving risk governance and risk management, for example either locally (FSA) or in conjunction with other regulators (CEBS, BCBS, etc). Firms are likely to benefit from ensuring that they remain fully aware of the contents, proposals and recommendations published by regulators and adjust and amend their approaches accordingly.

Challenges

2.31 TSA firms seeking to ensure that their operational risk governance and risk management structures are both appropriate and effective for a firm using the standardised approach, and are also proportionate to their size, scale and complexity, face a number of obstacles. Supervisors could focus attention on how the firm has approached and resolved these issues, which might include:

i) demonstrating the extent of direct and active board and senior management sponsorship and support;

ii) determining the operational risk governance and risk management culture of the firm;

iii) understanding the degree and effectiveness of challenge;

iv) ensuring business engagement with the governance structure; and

v) how the board and senior management have satisfied themselves that the governance structure is effective and appropriate.

Conclusion

2.32 The operational risk governance and risk management structure is a key component of all TSA firms' operational risk frameworks. However, it may not be sufficient for a firm to be able to point to the existence of a risk governance and risk management structure, as much depends on the way in which this process has been implemented. Firm-wide behaviour, engagement and risk culture are key considerations in determining the effectiveness of the risk governance and risk management structure, as are the direct, active and demonstrable sponsorship and support of the board and senior management.

2.33 Firms lacking an appropriate and effective structure are unlikely to meet the requirements laid down in BIPRU 6.4 for TSA firms or the general risk management standards in SYSC 4.1.1R to 4.1.2R and SYSC 7.1.16R.


Expert group members:

Industry
Bank of America: Richard Walsh
Bank of Montreal: Christopher Eyles
Bank of NY Mellon: Anna Nicholl
Brewin Dolphin: Barry Howard
Britannia: Graeme Bell
Ford Financial: Robert Pringle
Gatehouse Bank: Reza Zaidi
HSBC: Neil MacKenzie
IG Group: Andrew Bole, Bjorn Model
Investec: Asim Balouch, Bharat Thakker
Man Group: Clive Wratten
Nomura: Huw Howell
Northern Rock: Barry Pert
Standard Chartered: Rajit Punshi, Mark Willis
Vanquis Bank: Rosemary Hilton, Manish Shah

FSA
Andrew Sheen (Chair): Operational Risk Policy
Christine Brentani: Operational Risk Policy
Giles Ward: Operational Risk Policy
Anna Jernova: Operational Risk Policy
Liz Meneghello: Operational Risk Policy
David Haberfield: Risk Frameworks & Capital Unit (PRD)
Adrian McCarthy: Risk Frameworks & Capital Unit (PRD)
Brian Thornhill: Asset Managers & Advisers Department


Handbook rules and guidance

Source: Prudential Sourcebook for Banks, Building Societies and Investment Firms (BIPRU)

6.4.1R (2): A firm must have a well-documented assessment and management system for operational risk with clear responsibilities for the system assigned within the firm. The system must identify the firm's exposures to operational risk and track relevant operational risk data, including material loss data.

6.4.1R (3): A firm's operational risk assessment and management system must be subject to regular independent review.

6.4.1R (5): A firm must implement a system of management reporting that provides operational risk reports to relevant functions within the firm. A firm must have procedures in place for taking appropriate action in response to the information contained in such reports.

6.4.2R: A firm must comply with the criteria in BIPRU 6.4.1R having regard to the size and scale of its activities and to the principle of proportionality.

Source: Senior Management Arrangements, Systems and Controls Sourcebook (SYSC)

4.1.1R: A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. [Note: article 22(1) of the Banking Consolidation Directive, article 13(5) second paragraph of MiFID]

4.1.2R: For a common platform firm, the arrangements, processes and mechanisms referred to in SYSC 4.1.1R must be comprehensive and proportionate to the nature, scale and complexity of the common platform firm's activities and must take into account the specific technical criteria described in SYSC 4.1.7R, SYSC 5.1.7R and SYSC 7. [Note: article 22(2) of the Banking Consolidation Directive]

BCBS and CEBS guidelines

Source: BIS, Sound Practices for the Management and Supervision of Operational Risk

Principle 1: The board of directors should be aware of the major aspects of the bank's operational risks as a distinct risk category that should be managed, and it should approve and periodically review the bank's operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.

Principle 2: The board of directors should ensure that the bank's operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management.


Principle 3: Senior management should have responsibility for implementing the operational risk management framework approved by the board of directors. The framework should be consistently implemented throughout the whole banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank's material products, activities, processes and systems.

Principle 4: Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

Principle 5: Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

Principle 6: Banks should have policies, processes and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile.

Source: CEBS Guidelines on the implementation, validation and assessment of AMA and IRB approaches

470: Both the management body and senior management should be responsible for approving all material aspects of the overall operational risk framework. They should have a general understanding of the institution's operational risk measurement systems and detailed comprehension of its associated management reports and how operational risk affects the institution. The material aspects of the overall operational risk framework include:
- activities aimed at identifying, assessing and/or measuring, monitoring, controlling, and mitigating operational risk;
- proactive risk management strategies and policies;
- the organisational structure of the control functions; and
- specifying levels of acceptable risk.

472: The management body has to exercise effective oversight. Senior management should therefore notify the management body, or a designated committee thereof, of material changes or exceptions from established policies that will materially impact the institution's operational risk measurement systems and management processes.


473: Both the management body and senior management should be involved, on an ongoing basis, in the oversight of the control procedures and measurement systems adopted by the operational risk management function and Internal Audit, to ensure that they are adequate and that the overall operational risk management and measurement processes and systems remain effective over time.

474: Senior management should ensure that the following tasks are being addressed:
- ensuring the soundness of risk management processes;
- informing the management body or a designated committee thereof of material changes or exceptions from established policies that will materially impact the operations and the operational risk profile of the institution;
- identifying and assessing the main risk drivers, based on information provided by the operational risk management function;
- defining the tasks of the risk management unit and evaluating the adequacy of its professional skills;
- monitoring and managing all sources of potential conflicts of interest;
- establishing effective communication channels to ensure that all staff are aware of relevant policies and procedures;
- defining the content of reporting to the management body or to different delegated bodies thereof (e.g. the Risk Committee);
- examining reports from Internal Audit on operational risk management and measurement processes and systems; and
- adequately assessing operational risk inherent in new areas (products, activities, processes, and systems) before they are introduced, and identifying risks tied to new product development and other significant changes to ensure that the risk profiles of product lines are updated regularly.

475: The operational risk management function designs, develops, implements, and executes risk management and measurement processes and systems.

476: The Internal Audit should provide an assessment of the overall adequacy of the operational risk framework, as well as of the operational risk management function.


Source: CEBS CP 24, High-level principles for risk management

9: A strong institution-wide risk culture is one of the key elements of effective risk management. One of the prerequisites for creating this risk culture is the establishment of a comprehensive and independent risk management function under the direct responsibility of senior management.

10: The management body is responsible for overseeing senior management, and also for establishing sound business practices and strategic planning. It is therefore of the utmost importance that the management body have a full understanding of the nature of the business and its associated risks. At least some members of the management body or, where relevant, the audit committee (or equivalent) should carry out an activity in the area of financial markets or have professional experience directly linked to this type of activity.

11: Every member of the organisation must be constantly aware of their responsibilities relating to the identification and reporting of risks and other roles within the organisation and the associated responsibilities to these roles. The risk culture must extend across all of the organisation's units and business lines. Risk policies must be formulated based on a comprehensive view of all business units, and risks must be evaluated not only from the bottom up, but also across individual business lines.

12: Institutions must implement a consistent risk culture and establish sound risk governance, supported by an appropriate communication policy, all of which must be adapted to the size and complexity of the organisation and the risk profile of the institution or banking group.

19: The institution should appoint a person responsible for the risk management function across the entire organisation, and for coordinating the activities of other units relating to the institution's risk management framework. Normally this person is the Chief Risk Officer (CRO). However, when the institution's characteristics, in particular its size, organisation and the nature of its activity, do not justify entrusting such responsibility to a specially appointed person, the person responsible for internal control can be made responsible for risk management as well.

20: The CRO (or equivalent) should have sufficient independence and seniority to enable them to challenge (and potentially veto) the decision-making process of the institution. Their position within the institution should permit them to communicate directly with the executive body concerning adverse developments that may not be consistent with the institution's risk tolerance and business strategy. When the executive body or the management body considers it necessary, the CRO should also report directly to the management body or, where appropriate, to the audit committee (or equivalent).

21: The CRO should have expertise that matches the institution's risk profile. They should play a key role in making the management body and senior management understand the institution's overall risk profile.


23: The risk management function should be actively involved, at an early stage, in the elaboration of the institution's strategy and decision-making on business activities.

24: Firms should ensure that the risk management function is independent from the operational units whose activities they review. Their position in the organisation should allow them to interact with these units in order to have access to the information necessary for the accomplishment of their mission. However, the risk management function should in all cases be carried out at arm's length from the decision-making function.

25: The management of risks should not be confined to the risk management function. It should be a responsibility of management and staff in all business lines, and they should be aware of their accountability in this respect.

26: The management body and senior management should be responsible for allocating resources to the risk management function in sufficient amounts and quality to allow it to fulfil its missions. These resources should be consistent with the institution's risk management and strategic objectives. They should include adequate personnel (with sufficient expertise and qualifications), data systems and support, and access to internal and external information deemed necessary to the fulfilment of the risk management's missions.

Source: BIS, Enhancing corporate governance for banking organisations

Principle 1: Board members should be qualified for their positions, have a clear understanding of their role in corporate governance and be able to exercise sound judgement about the affairs of the bank.

Principle 2: The board should approve and oversee the bank's strategic objectives and corporate values that are communicated throughout the banking organisation.

Principle 3: The board should set and enforce clear lines of responsibility and accountability throughout the organisation.

Principle 4: The board should ensure that there is appropriate oversight by senior management consistent with board policy.

Principle 5: The board and senior management should effectively utilise the work conducted by the internal audit function, external auditors, and internal control functions.


3. Operational risk identification, measurement, monitoring and reporting

Introduction

3.1 This paper is one of a series drafted by the FSA to assist firms and supervisors in understanding, assessing and enhancing the adequacy and effectiveness of the operational risk frameworks used by firms to implement the Standardised Approach to Operational Risk (TSA). While this paper deals with issues related to risk identification, measurement, monitoring and reporting (IMMR), it is recognised that the various components of a TSA framework cannot be viewed in isolation and should be reviewed and assessed as a package of closely interwoven elements. Therefore, a firm with acceptable IMMR methodologies but with weaknesses in other TSA elements is unlikely to have an acceptable TSA framework. Weaknesses in one area could also make it impossible for a firm to implement a successful element elsewhere. For example, a firm with poor reporting and management information is unlikely to have an effective governance structure. In addition, implementing operational risk frameworks cannot be viewed as a compliance exercise. Having the various individual TSA elements in place is only likely to provide an effective framework when all the individual elements have been implemented in a robust, efficient and comprehensive manner. The quality of implementation is an important consideration in any assessment of an operational risk framework.

3.2 Though we are not prescriptive regarding the approach we ask firms to take, we expect firms to be proportionate in the choices they make for risk identification, measurement, monitoring and reporting.

3.3 The primary aim of this document is to assist supervisors in assessing and challenging some of the methods that firms use to look at their risk exposures. Although this document is aimed at supervisors of firms that use TSA to calculate their operational risk charge, the information provided may be of use to supervisors of other BIPRU1 firms. We address individual risk identification tools and highlight areas that may be considered good practice, which firms may also find useful. Supervisors may choose to ask TSA firms for detailed analyses of the methodologies used to assess risk exposures, along with any documentation and management information employed. This information can be used to determine whether the overall risk governance architecture is working effectively at the firm.

3.4 While this paper has been drafted primarily for the benefit of supervisors of TSA firms, it is also on our website. The paper outlines key features of TSA that are of interest, with observations and guidance to support existing Handbook guidance and rules. We use Handbook guidance and other supporting materials to supplement the principles and rules where we consider it would help firms to decide what action they need to take to meet the necessary standard. Guidance, and the variety of materials we publish to support the rules and Handbook guidance, are not binding on those to whom our rules apply. Such materials are intended to illustrate ways (but not the only ways) in which firms can comply with the relevant rules.

1 BIPRU: Prudential sourcebook for banks, building societies and investment firms.


Expert group

3.5 We invited representatives of a number of BIA2 and TSA firms to participate in an expert group on Operational Risk Identification, Measurement, Monitoring, and Reporting; a complete list of the firms and their representatives appears in Annex A of this paper. We held five meetings between June and October 2009, where a number of participants made presentations of their approaches to risk identification, measurement, monitoring and reporting to the group. The information provided at these expert group meetings forms the basis of this document, though other sources of information have been used as well. We are extremely grateful for the quality of debate and discussion in the expert group and for the contribution of participants to the work of the group.

Rules and guidance

3.6 The BIPRU 6.4 rules for firms using TSA state that a firm must have a well-documented assessment and management system, which identifies the firm's exposures to operational risk and tracks the relevant data. SYSC 4 and SYSC 7 add to these rules by requiring that firms must have effective processes to identify, manage, monitor and report the risks that they are or might be exposed to (including low-frequency, high-severity events). These processes and systems must be proportionate to the nature, scale and complexity of the firm's activities.

3.7 Currently, the main source of guidance for operational risk identification is the Basel Committee on Banking Supervision (BCBS) paper, Sound Practices for the Management and Supervision of Operational Risk (Sound Practices, 2003).3 The Sound Practices paper encourages firms to identify operational risks inherent in all existing products, as well as any new products or services that a firm is planning to undertake. Also, firms' risk profiles should be regularly monitored by relevant staff and reported to senior management. The CEBS4 Compendium5 adds that near misses6 should also be closely monitored and that there should be appropriate procedures to collect such data.

3.8 Annex B of the Operational risk governance and management structures document that forms part of this TSA: Enhancing Frameworks Compendium contains a summary of the rules that incorporate risk identification, measuring and monitoring. Firms should take full account of these rules and the associated guidance in the implementation of all aspects of their operational risk framework. TSA firms should be particularly mindful of the qualitative requirements set out in these rules.

2 BIA: Basic Indicator Approach to operational risk.
3 The full paper can be found at: www.bis.org/publ/bcbs96.htm
4 CEBS: Committee of European Banking Supervisors.
5 The CEBS Compendium of supplementary guidelines on implementation issues of Operational Risk can be found at: www.c-ebs.org/News--Communications/Latest-news/CEBS-Compendium-of-supplementary-guidelines-on-(1).aspx
6 Near misses are Operational Risk-related events that do not necessarily result in an actual loss (or gain) amount.


    Key characteristics and observations

    IMMR as part o the overall ramework

3.9 For all the firms taking part in the expert group, the process of risk identification, measurement, monitoring and reporting (IMMR) was integrated into the overall risk governance framework. It was recognised that it is important that firms can explain how their IMMR procedures fit into their overall risk governance structure and which areas and personnel are responsible for the procedures. Also, where firms employ the three lines of defence model,[7] it was acknowledged that firms should be able to explain how the IMMR process fits in and where responsibilities lie.

3.10 Many risk management frameworks relied on the cultural tone-setting from senior management, which promotes a 'no blame' culture for reporting actual risks and near misses throughout the organisation. Our discussions show that representatives of several expert group firms feel the operational risk function benefits when senior management fully endorse, deploy, review and uphold the IMMR procedures and outcomes at the firm.

3.11 Regarding reporting, many risk managers ensure that information from the IMMR processes goes to the right committees and executive bodies and that any decisions arising from these committees are cascaded down to the areas that collect, control and monitor risk-related information.

3.12 IMMR could be used by the board and senior management to monitor whether the firm is operating within its stated risk appetite. Risk indicators can be set to collect data where risk appetite limits are breached. These could be a valuable tool to ensure compliance with risk appetite and risk tolerance levels.

3.13 Firms could benefit from attempting to align their top-down risk appetite (often focused on financial returns) with their bottom-up approach (more granular business-related risks and controls) where applicable. While this is a difficult concept, risk indicators could be established that promote this. There is broad industry consensus on the different means that a firm can use to consider its risk appetite for operational risk, including capital, losses and key risk indicators.

3.14 A particular challenge for firms, as well as monitoring existing risk, is how to identify forward-looking risks. One method observed was to develop forward-looking risk indicators, which could be monitored either on a short or longer-term basis. These forward-looking risk indicators attempt to identify trends in the next 12 to 24 months that will drive the level of risk, such as external threats, economic/political conditions or business change.

3.15 The risk identification process can lead to enhancing risk control mechanisms. Firms may decide on a risk mitigation or control strategy for each material risk identified. This information can be captured in a comprehensive risk register that:

i) assigns senior responsibility for control of individual risks;

ii) facilitates ongoing and objective assessment of gross risks, performance and effectiveness of associated controls and mitigants; and

iii) provides validation of individual and aggregate (net) exposures relative to the firm's risk appetite (some firms have suggested such validation could be qualitative as well as quantitative).

[7] The three lines of defence model of operational risk control includes line management as the first line of defence, the risk control functions as the second line of defence, and the risk assurance functions such as internal or external audit as the third line of defence. Please see the Operational risk governance and risk management structures paper for further information.

3.16 The process could identify that there are sufficient controls in place already and/or that management are prepared to accept the level of risk.

3.17 The overall aim of the IMMR process is to ensure management are considering whether the appropriate controls are in place and working effectively to mitigate the risk to an acceptable level (reflecting their risk appetite).

3.18 Expert group members often divided their processes into the various components of the risk management life-cycle and provided an analysis of the elements of each of the stages. Below is an example of such a process. The IMMR process identified below is meant to be iterative and firms could have some system in place to ensure that the process is periodically reviewed and refreshed. The components listed below will be discussed in more detail throughout this paper.

[Figure: IMMR cycle] Identify risk -> Assess risk -> Measure and monitor risk -> Control risk -> Report on risks -> (back to) Identify risk

    Risk identification and assessment

3.19 Principle 4 in the 2003 BCBS Sound Practices paper states that firms should identify and assess the operational risks inherent in all material products, activities, processes and systems. This implies that firms should also ensure that, before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

3.20 The paper also stresses that risk identification is paramount for the subsequent development of a viable operational risk monitoring and control system. Effective risk identification is likely to consider both internal factors (such as the institution's structure, the nature of the institution's activities, the quality of the firm's human resources, organisational changes and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the institution's objectives.

3.21 In addition to identifying the most potentially adverse risks, firms will wish to assess their vulnerability to them. Effective risk assessment allows the firm to better understand its risk profile and effectively target risk management resources.


3.22 The first stage of such a process would involve the firm identifying the main risks to which it is or might be exposed and setting up indicators or other monitoring mechanisms. Risks could be looked at in the context of the overall business strategy and might not necessarily be considered in isolation. Some firms may choose to assess the quantitative impact of their material risks. These can also link into (or help inform) the firm's risk appetite. The following tools can be used for this stage:

i) Risk and Control Self-Assessments (RCSA):[8] Most firms conduct some sort of RCSA, which can include: i) different business areas holding workshops to assess where they are exposed to risks; ii) business heads being asked to fill in risk register templates or questionnaires; or iii) a hybrid or combination of these two approaches. Overall, by assessing its operations and activities, a firm is seeking to establish where the main risks in that area lie. The process is internally driven (though it can be led by an external third party) and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Often, the most effective RCSA processes address inherent risks as well as the controls to mitigate them. RCSAs could include the following elements: risk description, risk event type, risk owner, impact and likelihood (probability) for gross (or inherent) risk, control, control owner, impact and likelihood for net (or residual) risk, control effectiveness, and a remedial action plan (if appropriate). The assessment of gross risk pre-controls is often difficult for firms to undertake and some firms may benefit from thinking in terms of how much could be lost if key controls don't work as expected.

It is important for firms using this tool to have a process in place that keeps RCSAs up-to-date and relevant over time.

ii) Business process mapping: With this methodology, firms identify all the steps within specific business processes or procedures (for example, the life-cycle of booking and settling a trade) to determine where areas of weakness might lie. This may result in controls being tightened in these areas. In addition, key risk indicators could be set up to monitor weak points in processes so that actions can be taken before weaknesses turn to breaking points. Firms might take a risk-based approach about which business processes should be mapped in this way and to what detail.

iii) Scenario analysis: Scenario analysis often involves carrying out workshops in different areas of the firm where expert judgement is used to ascertain different risks to which the area might be exposed. The main difference between scenario and RCSA workshops is that the scenario workshops are meant to investigate the unexpected or potentially catastrophic losses to which the firm may be exposed while the RCSA workshops tend to focus on the expected losses. Firms could envisage further-reaching scenarios of potential events beyond their own distress. Firms could use internal data and external data to facilitate the thinking around the scenarios and to inform and verify the quantification of the risks. These can include extreme but plausible events and are often focused on low frequency, high severity events. Scenarios tend to be forward looking.[9] It is generally felt important that enough time is allocated for the running of the workshops to ensure effective outcomes. Firms using the scenario processes are unlikely to be able to demonstrate the integrity of the scenarios if the outputs from the scenario planning workshops are not clearly documented.

Scenario exercises could include: the description of the scenario, including the cause; key controls; use of internal and external data; control failures implicit in the scenario; frequency; and impact, including the worst case loss and impact and any remedial actions. The impact figures of catastrophic events on a firm's financial position are often assessed using scenarios. Scenarios can also be used to generate frequency and impact figures for modelling purposes. It is up to firms to identify the appropriate number of scenarios to use.

It is also important to look out for scenario biases, such as:

Partition dependence: where respondents' knowledge is distorted by the discrete choice of buckets within which their responses have to be represented.

Availability: where participants recall recent events more readily than older ones.

Anchoring: where different starting points yield different estimates.

Motivational: where information is misrepresented because respondents' interests conflict with the goals and consequences of the assessment.

Overconfidence: where small data samples are applied to the whole population.

[8] In actuality, RCSAs span multiple stages of the process, can link into scenario analyses and will cover the risk control assessment.

3.23 To assist in the risk identification process, firms could use the results of internal and external audit reports and other available public data. Firms could also consider any regulatory reports received (e.g. from ARROW and/or SREP assessments and supervisory correspondence) and any other published FSA guidance, statements or notices.

3.24 The risk assessment phase provides a good opportunity for firms to ensure that adequate controls and mitigants are in place to manage the risks, and to consider whether existing controls might require improving.

3.25 Firms demonstrating good practice in their use of the risk identification and assessment exercises/tools tend to employ these tools on an annual basis, and more frequently as required if material changes to business areas occur.

    Risk measurement and monitoring

[9] It is possible for the same risks to appear under both RCSAs and scenarios, once for the expected loss element and, secondly, for the unexpected loss component.

[10] It is important that the definitions and scales utilised within risk capture and risk measurement systems are consistent throughout the firm and can be easily understood by those who are expected to work with or record data into these systems.

3.26 The next stage of the IMMR process involves the firm setting up specific risk indicators and thresholds for measuring the identified risks to which the firm is exposed.[10] To meet the requirements of SYSC 4.1.1R firms should also ensure that they have a risk monitoring procedure in place. Some of the elements of this risk measurement and monitoring phase could include:

i) Key Risk Indicators (KRIs), Key Performance Indicators (KPIs) and/or Key Control Indicators (KCIs)[11]

These are statistics and/or metrics that can provide insight into a firm's risk position. These indicators tend to be reviewed on a periodic basis (generally monthly) to alert firms to changes that are indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates, and the frequency and/or severity of errors and omissions. Firms could establish thresholds per indicator and many usually monitor them on a red/amber/green (RAG) basis. Many firms employing this tool ensure that staff understand the implications, escalation process and actions to be taken when risk indicators go into the amber or red zones. Firms could benefit from having a robust process for changing KRI thresholds, with appropriate gatekeepers having ownership of individual KRIs. KRIs are usually periodically reviewed to assess their relevance.

ii) Early warning indicators/Emerging risk indicators

Firms could identify appropriate indicators that provide early warning of an increased risk of future losses. Such indicators are usually forward-looking and reflect potential sources of operational risk, such as rapid growth, the introduction of new products, employee turnover, transaction breaks, system downtime, etc. With the setting of appropriate thresholds linked to these indicators, an effective monitoring process can enable the firm to act upon these risks appropriately.

iii) Loss data

Firms could maintain a loss database, which captures details of actual operational losses at the firm, as well as near misses. Data collected could include: the cause, the event, the date the event took place, the severity, the amount of the loss, the effect, the risk owner, control failures, the control owner, any recoveries of gross loss amounts, lessons learnt and any remedial actions. Material exposures to losses could also be identified.

iv) Risk monitoring

Firms often implement a process to regularly monitor operational risk profiles and material exposures to losses as an integrated part of the firm's activities. An effective monitoring system can allow for the quick detection and correction of deficiencies in the firm's processes and procedures and can allow for enhancements of the risk-management process. In turn, these actions can substantially reduce the potential frequency and/or severity of a loss event. The frequency of monitoring could reflect the risks involved and the nature of changes to the operating environment. Internal audit and/or the risk management functions could periodically assess compliance with the monitoring activities.

[11] Some firms may also monitor Key Control Indicators (KCIs). Key indicators can be used both to provide insight regarding the level of risks occurring and to monitor what is happening to the risks.


3.27 Many risk measurement and monitoring processes capture both existing and forward-looking risks, with firms proactively setting up and refreshing suitable risk indicators, as well as establishing appropriate time-frames for monitoring the information obtained from the indicators and their effectiveness.

Risk control

3.28 Firms should have effective processes to manage operational risks. These policies could be implicitly and/or explicitly linked with the risk appetite of the institution.

3.29 Risk appetite statements could contain a mix of qualitative and quantitative factors and be capable of being communicated, measured and applied to key risk-generating areas of a firm. The risk-measurement tools above could be used to assist firms in ensuring that quantitative aspects of the firm's risk appetite are not breached.

3.30 In our view, firms may wish to consider periodically reviewing and analysing their risk-control strategies and adjusting their operational risk appetite accordingly, in light of changes to their business models/activities and/or size.

Such analysis could help the institution to identify and distinguish between:

i) which risks[12] it is willing to accept as business as usual and hold capital against or factor into business performance and/or margins;

ii) the risks for which it is willing to invest in controls and mitigants;

iii) which risks could be transferred through insurance;[13] and

iv) which risks it should avoid altogether.

3.31 In many firms, the board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of the institution.

3.32 As mentioned previously, the tools used under the risk identification section, such as RCSA workshops and scenario analysis workshops, often provide good opportunities for firms to assess and ultimately strengthen their controls around risks that have been identified.

3.33 Each cyclical review of the IMMR processes could allow for the review of control effectiveness as well.

    Risk reporting

3.34 The SYSC rules require firms to have effective risk reporting and this process may involve senior management receiving regular reports reflecting the up-to-date status of operational risk issues at the firm. The operational risk reports may contain internal financial, operational, and compliance data, as well as external market information about events and conditions that are relevant to decision-making. Reports are usually distributed to appropriate levels of management and to areas of the firm on which areas of concern may have an impact. Reports that fully reflect any identified problem areas and motivate timely corrective action of outstanding issues are often most effective. To ensure the usefulness and reliability of these reports, management could regularly verify the timeliness, accuracy, and relevance of reporting systems and internal controls in general. Management may also wish to use reports prepared by external sources (external auditors, regulators) to assess the usefulness and reliability of internal reports. Reports could be analysed with a view to improving existing risk management performance, with a focus on the implications of operational risk breaches on the business. The management information (MI) reports can also potentially be used to inform and instigate the development of new risk management policies, procedures, and practices and could be used to monitor compliance with risk appetite levels.

[12] These could include risks that are unmitigated and/or residual risks following mitigation or controls.

[13] Where insurance is used as a mitigant, it is essential that the firm undertakes a robust gap analysis of the insurer and the policy.

3.35 To be of most benefit, the MI is likely to be in a form that the users can readily understand, challenge and act on. It can be useful, for example, to have a high-level summary of the top risks at the firm in the form of a risk dashboard. Some firms also find it useful to provide a heat map summary of their risk ranking in such a way as to show which risks are of higher or lower probability and of higher or lower impact. This type of report can be developed for each business area as well as the firm as a whole and can be supported by underlying reports providing more detail. It can be important for the reports to identify in a clear and easy-to-understand manner any concentration of risks that might pose a threat to the business and reasons for any movements in risk rankings.

3.36 It may also be important to ensure that trend analysis is available for the various KRIs and that KRIs are appropriately aggregated when amassing data upwards from smaller business areas to larger regional areas, for example. In our view it is beneficial that senior management challenge KRI data that never changes, as this may mean that the KRIs are not measuring true areas of risk, thresholds are not set at the correct level or controls may be continually failing. The MI reports may want to highlight any operational risk themes that may be developing.
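The following script is an added illustration for this page of the KRI practices described in 3.26(i) and 3.36; it is not code from the FSA, the expert group or any firm's framework. It classifies monthly indicator values against red/amber/green thresholds, rolls desk-level indicators up to a regional indicator in the two ways a firm might choose, computes the trend behind the current colour, and flags an indicator whose value has not moved for six periods as one for senior management to challenge. The indicator names, owners, thresholds, the escalation flag and the six months of failed-trade counts are all constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Threshold:
    """Amber and red trigger points for one indicator (values are assumptions).

    higher_is_worse=True: the indicator breaches as it rises (failed trades).
    higher_is_worse=False: it breaches as it falls (e.g. % reconciliations on time).
    """
    amber: float
    red: float
    higher_is_worse: bool = True


@dataclass
class KRI:
    name: str
    owner: str                # gatekeeper who owns the indicator and its thresholds
    threshold: Threshold
    history: list = field(default_factory=list)   # periodic observations, oldest first


def rag_status(value, t):
    """Map one observation to RED / AMBER / GREEN against its thresholds."""
    if t.higher_is_worse:
        return "RED" if value >= t.red else "AMBER" if value >= t.amber else "GREEN"
    return "RED" if value <= t.red else "AMBER" if value <= t.amber else "GREEN"


def slope(history):
    """Least-squares slope per period: the trend behind the current RAG colour."""
    n = len(history)
    if n < 2:
        return 0.0
    mx = (n - 1) / 2
    my = sum(history) / n
    sxx = sum((x - mx) ** 2 for x in range(n))
    sxy = sum((x - mx) * (y - my) for x, y in zip(range(n), history))
    return sxy / sxx


def is_flat(history, min_points=6):
    """True when the last min_points observations are identical: a KRI that never
    moves may measure nothing, be mis-thresholded, or sit on a failing control."""
    return len(history) >= min_points and len(set(history[-min_points:])) == 1


def assess(kri):
    """Current status plus the review flags a committee pack would carry."""
    current = kri.history[-1]
    status = rag_status(current, kri.threshold)
    return {
        "name": kri.name,
        "owner": kri.owner,
        "value": current,
        "status": status,
        "slope": slope(kri.history),
        "flat": is_flat(kri.history),
        "escalate": status != "GREEN",   # assumed hook for the firm's escalation path
    }


def aggregate(unit_kris, name, threshold, how="sum"):
    """Roll unit-level histories up to a regional indicator.

    "sum" suits counts, "mean" suits rates, and "worst" carries the worst unit
    value upward so a breach in a small unit is not masked by a large one.
    """
    length = min(len(k.history) for k in unit_kris)
    combined = []
    for i in range(-length, 0):
        vals = [k.history[i] for k in unit_kris]
        if how == "sum":
            combined.append(sum(vals))
        elif how == "mean":
            combined.append(sum(vals) / len(vals))
        elif how == "worst":
            combined.append(max(vals) if threshold.higher_is_worse else min(vals))
        else:
            raise ValueError(f"unknown aggregation: {how}")
    return KRI(name, "regional risk committee", threshold, combined)


# Constructed sample data (not from the paper): six months of failed-trade
# counts for two desks, with assumed desk thresholds of amber 10 / red 20.
DESK_T = Threshold(amber=10, red=20)
EQUITIES = KRI("failed_trades", "head of equities operations", DESK_T,
               [4, 6, 7, 9, 12, 15])
FIXED_INCOME = KRI("failed_trades", "head of fixed income operations", DESK_T,
                   [3, 3, 3, 3, 3, 3])

# Assumed regional threshold for the summed count, and the same desks rolled
# up by worst unit value against the desk thresholds.
REGION_SUM = aggregate([EQUITIES, FIXED_INCOME], "failed_trades",
                       Threshold(amber=20, red=35), how="sum")
REGION_WORST = aggregate([EQUITIES, FIXED_INCOME], "failed_trades", DESK_T, how="worst")


def committee_pack():
    """One row per indicator, as a regional pack would present them."""
    return [assess(k) for k in (EQUITIES, FIXED_INCOME, REGION_SUM, REGION_WORST)]


if __name__ == "__main__":
    for row in committee_pack():
        flags = []
        if row["slope"] > 0:
            flags.append(f"rising {row['slope']:.2f}/month")
        if row["flat"]:
            flags.append("unchanged: challenge indicator")
        print(f"{row['name']:<14}{row['owner']:<32}{row['value']:>6}"
              f"  {row['status']:<6}{'; '.join(flags)}")
```

Run as a script it prints the four rows. The two roll-ups make the 3.36 point concrete: summing the desks gives a regional count of 18 against an amber threshold of 20, so the region shows GREEN while the equities desk is already AMBER and rising; carrying the worst desk value upward keeps that AMBER visible at regional level. The fixed income series is flagged as unchanged for six months, which is exactly the kind of KRI senior management is asked to challenge.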

3.37 Overall, it can be important that the recipients of the reports understand what the operational risk appetite is at the firm and what the governance procedures are for changing the information that is set in the reports. Some members of the expert group argued that it is important to be able to demonstrate effective operational risk challenge within all decision-making processes.

    Other

3.38 Firms could establish a risk identification and control process for new products and services and consider them in the context of their agreed risk appetite and systems and controls capabilities. A new product-approval process could encompass the use of RCSAs, scenarios, and the development of KRIs ahead of any formal sign-off process. Firms could also identify how the risk information related to the new products/services can be captured by any MI.


3.39 Firms could also establish policies for managing the risks associated with outsourcing activities.

3.40 Firms will wish to provide training to staff engaged in the IMMR processes. Training could be geared at the various stages of the IMMR process; for example, certain staff could be trained on how to identify risks that need to be reported. Selected members of staff may also need to be trained on how to record information related to the firm's risk events in the firm's loss database. Training may also need to be tailored for scenario workshop participants. In these circumstances it may prove beneficial for training programmes to be kept up-to-date as new developments occur, and to be reviewed periodically.

    Challenges

3.41 The presentations and discussions by the expert group members highlighted a number of challenges surrounding IMMR. These are listed below:

i) Several participants stressed that a culture supportive of operational risk management at the firm was particularly important for ensuring that risks were adequately identified and reported on a timely basis. Senior management support for operational risk policies and procedures was particularly important where firms were trying to increase the reporting of risk incidents and to move away from a blame culture.

ii) Most participants stressed the importance of operational risk training in IMMR. Some firms mentioned that they sometimes found challenges in ensuring that staff training on operational risk was geared at the right level for the various types of staff at the firm. It is also important for operational risk personnel to understand the various businesses in which they are involved in monitoring risks and setting risk indicators.

    iii) Sometimes the RCSA s