Good risk governance is required by the FSA through its Principles for Business (Principle 3). The European Union, through its draft of the Capital Requirements Directive also requires robust governance arrangements in relation to risk management. There are also many other governance requirements either in existence or in draft that will apply to the risk management of a financial services institution. Operational risk governance, in common with other forms of corporate governance, is about enabling senior management to guide and direct operational risk strategy and to review its effectiveness. From a practical perspective, this will encompass a policy document approved by the most senior executive body of the firm; a framework showing the identification, measurement, monitoring and management of operational risk; terms of reference for relevant bodies; and, a timeline for tracking and reviewing the development of operational risk processes within the firm.
Operational Risk Policy
Few now doubt the advantages of having a documented operational risk policy. It allows senior management to communicate to all staff the approach of the firm to operational risk management. As such, the policy should be approved by the Board of Directors. Alternatively, in some firms, the Executive or Management Committee may wish to approve the policy document or at a minimum, review and comment on it prior to Board approval.
The contents of an operational risk policy vary from firm to firm and are dependent on the firm's culture. However, it generally contains:
- A definition of operational risk. This is now typically the Basel II definition, although some firms still include a reference to indirect losses as well as to direct losses. Strategic, business and reputational risks are often explicitly included by firms even though Basel excludes them. However, it is more unusual for the boundaries between operational risk, market risk and credit risk to be clearly identified, although definitions of the other types of risk are often included.
- A statement of risk appetite. This is often a high level initial statement which will be broadened and deepened over time as the firm gains knowledge of the operations of risk management processes and how these are used in the firm.
- An overview of the risk management processes. Although this is necessarily high level, it helps significantly in making clear that the Board and senior management are aware of and have considered how operational risk management will be carried out by the firm. A very short description of each process is common with the links and reinforcements between each process often stated in order to show a considered, holistic approach to operational risk management.
- A statement of the roles and responsibilities of various persons and departments. It is important that the Board recognises and actively manages the potential conflicts of interest that exist between operational risk, internal audit and compliance. This point is particularly applicable to any firms where operational risk management was initially carried out by either internal audit or compliance. Clear roles for these three areas must be documented. In smaller organisations, the three functions overlap and the policy must be consistent with the scale, nature and complexity of the firm.
- Policies also often have references to categories and sub-categories of risk, to the role that central risk plays in the firm (as compared to the risk management units in the businesses) and to the risk reporting flows of information.
Operational Risk Framework
It is rare for two frameworks to look exactly the same. However, many organisations seek to identify, measure, monitor and manage operational risk using the same processes and, therefore, operational risk frameworks are inevitably similar in concept, if not in design detail. An example was given in the previous article in this series and is given again below.
The FSA’s PS142_2 published in July 2003 comments that a framework contains “governance structures and the tools to identify, assess and monitor OR”.
Terms of Reference
Given the broad and subjective nature of operational risk, it is essential that the various governance bodies in a firm understand their duties and authorities with respect to operational risk management. Although the Board of Directors is ultimately responsible for organising and controlling the firm’s affairs, the Board relies on other bodies such as the Risk Committee to assist it in carrying out its responsibilities. The duties and authorities of each body dealing with operational risk should be clearly laid out in the Terms of Reference of that body. Additionally, the level of risk reporting to each body should be clearly identified.
Given the number of interlinking processes in operational risk management, a timeline identifying when each process is expected to be operational is important to the necessarily phased introduction of operational risk management to a firm. In addition, at some stage, the firm will probably want to implement risk management software to capture and handle the data being captured or created. A timeline will assist the firm in deciding when a tool will be useful and when, or if, it will be indispensable. The chart will also enable the efficient management and review of the development of operational risk management. Senior management and the Board will find that they can more easily understand the implications of changing the speed at which operational risk management is developed.
Benefits of Operational Risk Governance
There are a number of benefits for a firm implementing good operational risk governance. These include:
- increased comfort for the Board and senior management that risks which impact the business are being managed effectively
- a structured approach to implementing an effective and consistent risk management framework
- clarified risk ownership reducing duplication and overlap
- assurance that the firm is aligned with the Board’s risk appetite
Whilst it is possible to build a set of processes without adequate governance, the benefits of good governance will bring much greater certainty to the efficient and effective implementation of operational risk management.