The Basel Committee on Banking Supervision has published the final version of Revisions to the principles for the sound management of operational risk, and there is much interesting detail in the document that operational risk managers should consider. Five statements that perhaps require deeper exploration are:
- Recognising the importance of validation. In an important footnote, the Basel Committee writes that “Independent assurance includes verification and validation: … Validation ensures that the quantification systems used by the bank are sufficiently robust and provide assurance of the integrity of inputs, assumptions, methodologies, processes and outputs. Validation is critical for a well-functioning ORMF.” Many operational risk teams do not seem to be aware of these validation requirements, and do not perform them. Given the increasing importance that regulators are putting on data governance as well as model risk management, firms can expect that regulators will be much more interested in understanding the robustness of their approach to their quantification systems going forward. Firms need to provide assurance around the quality of the data and the robustness of the models they use, and be sure that assurance is adequately documented to withstand regulatory scrutiny. Moreover, firms should be using these assurance exercises to explore ways to improve both data and models, with a view to delivering more business value.
- Challenging first line RCSA results. According to the new principles, “the second line of defence (CORF) should challenge the operational risk and control assessments of first line of defence, as well as monitor the implementation of appropriate controls or remediation actions. CORF should cover all phases of this process. In addition, CORF should ensure that all relevant control groups (eg. finance, compliance, legal, business, ICT, risk management) are involved as appropriate.” Involving the relevant control groups – while no doubt best practice – is a significant additional load within the challenge process, and the existing culture in many firms will not make this easy. Boards and senior managers will need to support the second line to enable it to deliver on this regulatory obligation – not just to please the supervisors, but also because bringing together control groups in this way could result in a much richer and more nuanced understanding of issues arising from RCSA challenges.
- Boosting data quality. Data governance is a significant theme in this new version of the sound principles. For example, the Basel Committee says that the “capture and risk reporting processes should be analysed periodically with the goal of enhancing risk management performance as well as advancing risk management policies, procedures and practices.” Regulators will want to see evidence of these reviews, which is essentially the justification of firms’ approach to operational risk data governance. In the new environment, firms should consider this question through the regulators’ eyes, and anticipate what their challenges could be. For many firms, it could make sense to invest in more technology support for the capture, storage, analysis and auditability of operational risk data.
- Increasing the decision-making value of reporting. The regulators say that “reporting should be timely and a bank should be able to produce reports in both normal and stressed market conditions.” This statement supports what supervisors – and increasingly financial services firms themselves – see as the need for more automation of the capture, storage, analysis and reporting of operational risk data. During the Covid-19 pandemic, many firms recognised how challenging it was to manually create operational risk reports in those stressed conditions – resulting in a lack of timely data for decision-makers during incredibly fluid conditions. As a result of lessons learned from the crisis, regulators are going to be focusing with some intensity on data governance within operational risk going forward. For boards and senior managers impacted by new accountability rules such as the Senior Managers & Certification Regime (SMCR), it makes sense to improve reporting so that information flows to decision-makers in an actionable way.
- Reconsidering the value of insurance. The regulators wrote: “Because risk transfer is an imperfect substitute for sound controls and risk management programmes, banks should view risk transfer tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly identify, recognise and rectify distinct operational risk errors – or specific legal risk exposure – can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, transfer the risk to another business sector or area, or create a new risk (eg counterparty risk).” This seems to be a bit of a kick in the teeth for operational risk insurance, but the experience of many companies across all industries during the pandemic bears out regulators’ concerns here. Many insurance companies refused to pay out on business continuity policies for various reasons – creating the counterparty risk the regulators cite above. Also, consider what the regulators have written in light of cyber risk – a pay-out from an insurance policy in the event of a cyberattack is really not mitigating the risk. Firms need to have controls in place to prevent – as much as possible – a cyberattack. And then they need to have an operational resilience programme in place that will enable them to recover quickly. An insurance policy pay-out will not happen at the speed with which the firm needs to respond, meaning that it’s really not a form of risk transfer during the moment of the crisis itself, but more of something that may be handy during the mopping-up phase.
Certainly, statements such as these reflect new lines of interest for regulators to pursue with firms. Regulators want to get under the skin of the decision-making process around operational risk within firms, to better understand how well-informed executives are and how they make the choices that they do. Regulators want to see operational risk data used more, and they also want firms to draw conclusions from that data – much in the same way they have drawn conclusions about the usefulness of operational risk insurance.
To discover more about how your firm can support data and analytics for better operational risk decision-making, contact RiskLogix-Solutions.