LO 37.3: Explain guidelines for strong governance of operational risk, and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework.
The attitudes and expectations of the board of directors and senior management are critical to an effective operational risk management program.
With respect to Principle 1, the board of directors and/or senior management should:
Provide a sound foundation for a strong risk management culture within the bank. A strong risk management culture will generally mitigate the likelihood of damaging operational risk events.
2018 Kaplan, Inc.
Page 3
Topic 37 Cross Reference to GARP Assigned Reading – Basel Committee on Banking Supervision
Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical behavior. The board of directors should support senior managers in producing a code of conduct. Risk management activities should reinforce the code of conduct. The code should be reflected in training and compensation as well as in risk management. There should be a balance between risks and rewards. Compensation should be aligned not just with performance, but also with the bank's risk appetite, strategic direction, financial goals, and overall soundness.
Provide risk training throughout all levels of the bank. Senior management should ensure training reflects the responsibilities of the person being trained.
With respect to Principle 2, the board of directors and/or senior management should:
Thoroughly understand both the nature and complexity of the risks inherent in the products, lines of business, processes, and systems of the bank. Operational risks are inherent in all aspects of the bank.
Ensure that the Framework is fully integrated into the bank's overall risk management plan across all levels of the firm (i.e., business lines, new business lines, products, processes, and/or systems). Risk assessment should be a part of the business strategy of the bank.
With respect to Principle 3, the board of directors and/or senior management should:
Establish a culture and processes that help bank managers and employees understand and manage operational risks. The board must develop comprehensive and dynamic oversight and control mechanisms that are integrated into risk management processes across the bank.
Regularly review the Framework.
Provide senior management with guidance regarding operational risk management and approve policies developed by senior management aimed at managing operational risk.
Ensure that the Framework is subject to independent review.
Ensure that management is following best practices in the field with respect to operational risk identification and management.
Establish clear lines of management responsibility and establish strong internal controls.
With respect to Principle 4, the board of directors and/or senior management should:
Consider all relevant risks when approving the bank's risk appetite and tolerance statements. The board must also consider the bank's strategic direction. The board should approve risk limits and thresholds.
Periodically review the risk appetite and tolerance statements. The review should specifically focus on:
Changes in the market and external environment.
Changes in business or activity volume.
Effectiveness of risk management strategies.
The quality of the control environment.
The nature of, frequency of, and volume of breaches to risk limits.
With respect to Principle 5, the board of directors and/or senior management should:
Establish systems to report and track operational risks and maintain an effective mechanism for resolving problems. Banks should demonstrate the effective use of the three lines of defense to manage operational risk, as outlined by the Basel Committee.
Translate the Framework approved by the board into specific policies and procedures used to manage risk. Senior managers should clearly assign areas of responsibility and should ensure a proper management oversight system to monitor risks inherent in the business unit.
Ensure that operational risk managers communicate clearly with personnel responsible for market, credit, liquidity, interest rate, and other risks and with those procuring outside services, such as insurance or outsourcing.
Ensure that managers of the CORF (corporate operational risk function) have sufficient stature in the bank, commensurate with that of market, credit, liquidity, interest rate, and other risk managers.
Ensure that the staff is well trained in operational risk management. Risk managers should have independent authority relative to the operations they oversee.
Develop a governance structure for the bank that is commensurate with the size and complexity of the firm. Regarding the governance structure, the bank should consider:
Committee structure: for large, complex banks, a board-created firm-level risk committee should oversee all risks. The management-level operational risk committee would report to the enterprise-level risk committee.
Committee composition: committee members should have business experience, financial experience, and independent risk management experience. Independent, non-executive board members may also be included.
Committee operation: committees should meet frequently enough to be productive and effective. The committee should keep complete records of committee meetings.
With respect to Principle 6, the board of directors and/or senior management should:
Consider both internal and external factors to identify and assess operational risk.
Examples of tools that may be used to identify and assess risk are described in LO 37.4.
With respect to Principle 7, the board of directors and/or senior management should:
Maintain a rigorous approval process for new products and processes. The bank should make sure that risk management operations are in place from the inception of new activities, because operational risks typically increase when a bank engages in new activities, launches new product lines, enters unfamiliar markets, implements new business processes, puts new technology into operation, and/or engages in activities that are geographically distant from the main office.
Thoroughly review new activities and product lines, covering the inherent risks, potential changes in the bank's risk appetite or risk limits, the controls required to mitigate risks, the residual risks, and the procedures used to monitor and manage operational risks.
With respect to Principle 8, the board of directors and/or senior management should:
Continuously improve operational risk reporting. Reports should be manageable in scope but comprehensive and accurate in nature.
Ensure that operational risk reports are timely. Banks should have sufficient resources to produce reports during both stressed and normal market conditions. Reports should be provided to the board and senior management.
Ensure that operational risk reports include:
Breaches of the bank's risk appetite and tolerance statement.
Breaches of the bank's thresholds and risk limits.
Details of recent operational risk events and/or losses.
External events that may impact the bank's operational risk capital.
Both internal and external factors that may affect operational risk.
With respect to Principle 9, the board of directors and/or senior management should have a sound internal control system, as described in the later discussion of an effective control environment and in LO 37.6 (managing technology and outsourcing risks).
Banks may need to transfer risk (e.g., via insurance contracts) if a risk cannot be adequately managed within the bank. However, sound risk management controls must be in place, and risk transfer should be seen as a complement to, rather than a replacement for, risk management controls. New risks, such as counterparty risk, may be introduced when the bank transfers risk. These additional risks must also be identified and managed.
With respect to Principle 10, the board of directors and/or senior management should:
Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology, damaged facilities, pandemic illnesses that affect personnel, and so on). Plans should include impact analysis and plans for recovery. Continuity plans should identify key facilities, people, and processes necessary for the business to operate. The plan must also identify external dependencies such as utilities, vendors, and other third-party providers.
Periodically review continuity plans. Personnel must be trained to handle emergencies and, where possible, the bank should perform disaster recovery and continuity tests.
With respect to Principle 11, the board of directors and/or senior management should:
Write public disclosures such that stakeholders can assess the bank's operational risk management strategies.
Write public disclosures that are consistent with risk management procedures. The disclosure policy should be established by the board of directors and senior management and approved by the board of directors. The bank should also be able to verify disclosures.
Operational Risk Management Framework
The operational risk management framework (i.e., the Framework) must define, describe, and classify operational risk and operational loss exposure. The Framework helps the board and managers understand the nature and complexities of the operational risks inherent in the bank's products and services. The components of the Framework should be fully integrated into the bank's overall risk management plan. The Framework must be documented in board-approved policies. Framework documentation, which is overseen by the board of directors and senior management, should:
Describe reporting lines and accountabilities within the governance structure used to manage operational risks.
Describe risk assessment tools.
Describe the bank's risk appetite and tolerance.
Describe risk limits.
Describe the approved risk mitigation strategies (and instruments).
With respect to inherent and residual risk exposures, describe the bank's methods for establishing and monitoring risk limits.
Establish risk reporting processes and management information systems.
Establish a common language or taxonomy of operational risk terms to create consistency in risk identification and management.
Establish a process for independent review of operational risk.
Require review of established policies and procedures.
Tools for Identifying and Assessing Operational Risk