Operational Risk (2): Governance

Good risk governance is required by the FSA through its Principles for Businesses (Principle 3). The European Union, through its draft Capital Requirements Directive, also requires robust governance arrangements in relation to risk management, and many other governance requirements, in force or in draft, will apply to the risk management of a financial services institution. Operational risk governance, in common with other forms of corporate governance, is about enabling senior management to guide and direct operational risk strategy and to review its effectiveness. From a practical perspective, this encompasses: a policy document approved by the most senior executive body of the firm; a framework showing how operational risk is identified, measured, monitored and managed; terms of reference for the relevant governance bodies; and a timeline for tracking and reviewing the development of operational risk processes within the firm.

Operational Risk Policy

Few now doubt the advantages of having a documented operational risk policy. It allows senior management to communicate the firm's approach to operational risk management to all staff. As such, the policy should be approved by the Board of Directors. Alternatively, in some firms, the Executive or Management Committee may wish to approve the policy document or, at a minimum, review and comment on it prior to Board approval.

The contents of an operational risk policy vary from firm to firm and are dependent on the firm's culture. However, a policy generally contains:

  • A definition of operational risk. This is now typically the Basel II definition, although some firms still include a reference to indirect losses as well as to direct losses. Strategic, business and reputational risks are often explicitly included by firms even though Basel excludes them. However, it is more unusual for the boundaries between operational risk, market risk and credit risk to be clearly identified, although definitions of the other types of risk are often included.
  • A statement of risk appetite. This is often a high level initial statement which will be broadened and deepened over time as the firm gains knowledge of the operations of risk management processes and how these are used in the firm.
  • An overview of the risk management processes. Although this is necessarily high level, it helps significantly in making clear that the Board and senior management are aware of and have considered how operational risk management will be carried out by the firm. A very short description of each process is common with the links and reinforcements between each process often stated in order to show a considered, holistic approach to operational risk management.
  • A statement of the roles and responsibilities of various persons and departments. It is important that the Board recognises and actively manages the potential conflicts of interest that exist between operational risk, internal audit and compliance. This point is particularly applicable to any firms where operational risk management was initially carried out by either internal audit or compliance. Clear roles for these three areas must be documented. In smaller organisations, the three functions overlap and the policy must be consistent with the scale, nature and complexity of the firm.
  • Policies also often have references to categories and sub-categories of risk, to the role that central risk plays in the firm (as compared to the risk management units in the businesses) and to the risk reporting flows of information.

Operational Risk Framework

It is rare for two frameworks to look exactly the same. However, many organisations seek to identify, measure, monitor and manage operational risk using the same processes and, therefore, operational risk frameworks are inevitably similar in concept, if not in design detail. An example framework diagram was given in the previous article in this series and is reproduced in this article.


The FSA's PS142_2, published in July 2003, comments that a framework contains "governance structures and the tools to identify, assess and monitor OR" (operational risk).

Terms of Reference

Given the broad and subjective nature of operational risk, it is essential that the various governance bodies in a firm understand their duties and authorities with respect to operational risk management. Although the Board of Directors is ultimately responsible for organising and controlling the firm’s affairs, the Board relies on other bodies such as the Risk Committee to assist it in carrying out its responsibilities. The duties and authorities of each body dealing with operational risk should be clearly laid out in the Terms of Reference of that body. Additionally, the level of risk reporting to each body should be clearly identified.

Timeline

Given the number of interlinking processes in operational risk management, a timeline identifying when each process is expected to be operational is important to the necessarily phased introduction of operational risk management to a firm. In addition, at some stage the firm will probably want to implement risk management software to capture and handle the data being gathered or created. A timeline will assist the firm in deciding when such a tool will be useful and when, or if, it will be indispensable. The timeline will also enable efficient management and review of the development of operational risk management, and senior management and the Board will find that they can more easily understand the implications of changing the pace of that development.

Benefits of Operational Risk Governance

There are a number of benefits for a firm implementing good operational risk governance. These include:

  • increased comfort for the Board and senior management that risks which impact the business are being managed effectively
  • a structured approach to implementing an effective and consistent risk management framework
  • clarified risk ownership reducing duplication and overlap
  • assurance that the firm is aligned with the Board’s risk appetite

Whilst it is possible to build a set of processes without adequate governance, good governance brings much greater certainty to the efficient and effective implementation of operational risk management.

Tony Blunden
