LO 37.1: Describe the three lines of defense in the Basel model for operational risk governance.
The Basel Committee on Banking Supervision defines operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The committee states that the definition excludes strategic and reputational risks but includes legal risks. Operational risk is inherent in banking activities. Risks range from those arising from national disasters, such as hurricanes, to the risk of fraud. The committee intends to improve operational risk management throughout the banking system.
Sound operational risk management practices cover governance, the risk management environment, and the role of disclosure. Operational risk management must be fully integrated into the overall risk management processes of the bank.
The three common lines of defense employed by firms to control operational risks are: 1. Business line management. Business line management is the first line of defense.
Banks now, more than ever, have multiple lines of business, all with varying degrees of operational risk. Risks must be identified and managed within the various products, activities, and processes of the bank.
2018 Kaplan, Inc.
Page 1
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
2. An independent operational risk management function. This is the second line of
defense and is discussed in the next section.
3. Independent reviews of operational risks and risk management. The review may
be conducted internally with personnel independent of the process under review or externally.
C o r po r a t e O pe r a t io n a l Ris k Fu n c t i o n (CORF)
The banks specific business lines monitor, measure, report, and manage operational and other risks. The corporate operational risk function (CORF), also known as the corporate operational risk management function, is a functionally independent group that complements the business lines risk management operations. The CORF is responsible for designing, implementing, and maintaining the banks operational risk framework. Responsibilities of the CORF may include: Measurement of operational risks. Establishing reporting processes for operational risks. Establishing risk committees to measure and monitor operational risks. Reporting operational risk issues to the board of directors. In general, the CORF must assess and challenge each business lines contributions to risk measurement, management, and reporting processes.
Larger, more complex banking institutions will typically have a more formalized approach to the implementation of the lines of defense against operational risks, including the implementation of the CORF. For example, a large bank may have a fully staffed group skilled specifically in operational risk management, while a smaller bank may simply fold operational risk management into the broader risk management function of the bank.
Pr in c ipl e s o f O pe r a t io n a l Ris k Ma n a g e me n t