CHAPTER 3
The Operational Risk Framework

This chapter introduces the important elements that are recommended for an operational risk framework. These elements include the foundations of governance, risk appetite, culture and awareness, and policy and procedure; the building blocks of data collection including loss data, risk and control self-assessment, scenario analysis, and key risk indicators; and the final capstones of calculation of capital and reporting.

OVERVIEW OF THE OPERATIONAL RISK FRAMEWORK

As discussed in Chapter 1, an operational risk program should ensure that operational risk is identified, assessed, monitored, controlled, and mitigated.

If a fintech or bank can successfully establish and maintain these elements, then it has the opportunity to avoid unnecessary operational risk and its resulting financial and reputational damage.

The Basel Committee on Banking Supervision's 2021 “Revisions to the Principles for the Sound Management of Operational Risk”¹ provides helpful guidelines for best practices for operational risk departments. When meeting these standards, an operational risk framework needs to be developed that will fit with the culture of the bank or fintech and reflect best practice in the industry.

The main data building blocks of an operational risk framework are:

  • Loss data collection.
  • Risk and control self-assessment.
  • Scenario analysis.
  • Key risk indicators.

FIGURE 3.1 Operational Risk Framework

The framework must also address governance, provide policies and procedures, drive culture change, and respond to and inform risk appetite. In addition, the framework should feed data into any capital modeling and should feed data and analysis into risk reporting.

Figure 3.1 illustrates a possible framework that includes all of these elements.

Each element is important, but the timing of implementation and the relative weight of each element in the framework will vary depending on the culture of the firm and its regulatory and business drivers. The following chapters will consider each of these elements, their practical application, the tools that are available, and critical factors for their successful implementation.

THE FOUNDATIONS OF THE FRAMEWORK

Two elements drive the design and acceptance of the operational risk framework as a whole, and it is important to start with these. These two elements are governance and culture and awareness.

Governance

Governance determines the roles and responsibilities of the head of the operational risk function and the team that manages the framework, the committees that oversee and make key decisions about risk management, the operational risk managers in lines of business, and every employee who may encounter operational risk.

In order to develop an operational risk framework that is effective, an appropriate governance structure must be carefully considered at the outset. Governance should also be revisited at least annually, to check whether it is still working as intended. Good governance enables the escalation of risk and ensures that risk transparency is effective through all of the layers of operational risk management that may exist.

Governance holds the whole operational risk framework together. In Chapter 4 we explore the various aspects of governance, including who should own the operational risk function and what the operational risk function should own.

Culture and Awareness

Once governance has been addressed, the next step in developing an operational risk framework is to proactively tackle culture and awareness. While it may be tempting to jump into developing the building blocks of operational risk management, such as loss data collection and risk and control self-assessment, those building blocks will only be successful if sufficient time and energy have been spent on culture and awareness.

The implementation of a successful operational risk framework requires winning over the hearts and minds of the employees of the firm. Spotting operational risks is a developed skill. While the risks exist in all lines of business, it takes the right tone at the top, training, and awareness to identify the risks. Operational risk can arise in any corner of the firm, and it can result in best practice responses, or it may be met with indifference. The response will depend on the work that has been done in the area of culture and awareness. In Chapter 5, we look at various aspects of this essential activity, including training, marketing, and building a brand for the operational risk function.

Policies and Procedures

The next foundational element of the framework is policies and procedures. There was a time, not that long ago, when banks and financial institutions did not take their policy and procedure programs very seriously. Today, that has changed dramatically under the watchful eye of the regulators. Firms are expected to have clear, actionable, and measurable policies and procedures.

Indeed, today all banks pay close attention to writing and actively managing their policies and procedures, and regulators expect a robust policy and procedure framework to be in place. While formal policies and procedures are less well established in fintechs, there is a growing emphasis on these formal documents, and they are often required by investors and third parties during due diligence.

A well-managed policy framework allows lines of business increased flexibility because the rules of the road are clearly articulated and are not ambiguous. Having well-managed policies and procedures gives a financial firm increased autonomy because it is influential in building trust with industry regulators. A good operational risk framework will have well-documented policies and procedures that reflect the requirements of each of the elements.

In Chapter 6, we look at examples of standard policies and procedures and discuss best practices in how to design, implement, maintain, and track these documents.

THE FOUR DATA BUILDING BLOCKS

With governance, culture and awareness, and policy and procedures holding the framework together, we can now turn to the four main pieces of work that are needed in order to have an effective operational risk framework: loss data collection, risk and control self-assessment, scenario analysis, and key risk indicators.

Loss Data Collection

Two types of loss data are key to the framework: internal loss data, which records events that occur within the firm, and external loss data, which records events that occur outside the firm.

Internal Loss Data

Operational risk management and measurement require access to data on events that have already occurred in the firm and in the industry, and loss data collection is the first of four activities that form the heart of an operational risk framework. The firm's own data is referred to as internal loss data, while industry data is referred to as external loss data.

Developing an effective set of internal loss data is often the first major task faced when building out an operational risk framework. Basel III requires a firm to build its capital calculation from its internal loss profile. Therefore, loss data collection needs to be effectively established to ensure that good-quality data is in place.

If loss data collection is started before appropriate governance is established and before culture and awareness have been addressed, then the data collected is likely to be lower quality.

We look into regulatory requirements and best practices in internal loss data collection in Chapter 7.

External Loss Data

Operational risk events that have occurred in the industry (but outside the firm) are very important in understanding the operational risk faced by the firm. Therefore, the collection and analysis of external loss data is a key element in an effective loss data program.

External data help inform risk and control self-assessment and scenario analysis and are often an important component in effective reporting.

We look at sources and uses of external loss data in Chapter 8.

Risk and Control Self-Assessment

The second of the four main building blocks of operational risk management activity is risk and control self-assessment (RCSA). Risks and controls are identified and assessed through RCSA, with a view to controlling and mitigating any unacceptable risks.

While loss data tells us what has already happened, RCSA is designed to help us to understand what additional potential risks we face today. Loss data are backward-looking, but RCSA looks at risk levels now and in the future.

RCSA often becomes the most important part of the framework because it proactively addresses the requirements that we first looked at in Chapter 1. Those requirements are that the operational risk framework should identify, assess, control, and mitigate risk.

While loss data allow us to identify and assess risks that have occurred and to consider how to control and mitigate those risks in the future, RCSA allows us to identify all risks, not just those that have already materialized. Loss data is about hindsight. Risk and control self-assessment is about foresight. In Chapter 10, we look at various methodologies and best practices for RCSA.

Scenario Analysis

The third activity in the framework is scenario analysis. Unlike risk and control self-assessment, scenario analysis is only looking for rare, catastrophic risks. It is focused on identifying plausible risks that are so large as to be potentially fatal or severely destructive to a firm.

Scenario analysis stresses the operational risk framework and pushes participants to think outside their comfort zone. RCSA centers on discussions of the risks that are faced and the controls that are in place, whereas scenario analysis requires participants to consider what could happen if there were to be a serious failure of controls or a previously unassessed combination of risks.

Scenario analysis is a challenging area, and was a key element in the Basel II AMA capital calculation approach. Many firms struggled with meeting the AMA regulatory requirements while retaining business value in the process. The simplification of capital calculation in Basel III removed scenario analysis from the calculation, and it is now used as a risk management tool rather than as a capital input. We look at alternative approaches to scenario analysis and the uses of scenario analysis in operational risk management and measurement in Chapter 11.

Key Risk Indicators

The final building block of operational risk data gathering is key risk indicators. Operational risk practitioners sometimes use the terms key risk indicator and metric interchangeably; however, understanding the difference between a metric and a true key risk indicator is important. Metrics provide an important monitoring function across the framework: they can be attached to loss data and to risks or controls in RCSA and can provide useful input to scenario analysis.

A key risk indicator, in comparison, predicts that a risk is changing and allows for proactive intervention. It is difficult to find metrics that are true key risk indicators or that can be combined to form a key risk indicator, because many metrics are simply counting exceptions or measuring performance, rather than measuring an increase or decrease in risk levels. We consider the challenges of developing key risk indicators in Chapter 9, where we also discuss best practices in metrics.

MEASUREMENT AND MODELING

The calculation of operational risk capital is a critical element in the operational risk framework. Under Basel III the operational risk capital requirement is determined by the product of a business indicator component (BIC) and an internal loss multiplier (ILM). The BIC is dependent on the size and complexity of the bank and the ILM is based on the internal loss experience of the bank. However, the original Basel II capital methods are still in place at the time of this writing, and the various capital calculation approaches are discussed in Chapter 12.

REPORTING

All of the above elements feed into operational risk reporting. Without effective reporting, the operational risk framework is a factory that is busy making data widgets that are not used. Reporting gathers all the information that has been collected and analyzed in the loss data program, the RCSA program, the scenario analysis program, the metrics program, and the capital modeling program and puts it to use.

The quality of reporting is critical to the success of an operational risk framework. Reporting that leaves its audience asking “so what?” is of little value. Reporting that asks its audience to think or say or do something is of great value.

In Chapter 13, we explore ways to provide reporting that is not merely data gathering, but instead provides risk analysis and risk transparency and leads to better business decision making.

RISK APPETITE

Finally, the whole framework is held together by risk appetite. It is difficult, but not impossible, to express a risk appetite for operational risk. It often takes time for an operational risk framework to mature to the stage where risk appetite can be effectively discussed and agreed upon.

While governance is the first pillar or support for the framework, risk appetite is its equal partner. Effective governance requires a clear articulation of risk appetite, and risk appetite can be set only when strong governance is in place. In Chapter 14, we explore ways that a risk appetite can be set and applied for operational risk.

KEY POINTS

The main building blocks of an operational risk framework are:

  • The foundations
    • Governance
    • Culture and awareness
    • Policy and procedure
  • The four data elements
    • Loss data collection, including
      • Internal loss data
      • External loss data
    • Risk and control self-assessment
    • Scenario analysis
    • Key risk indicators
  • The key outputs
    • Measurement and modeling
    • Reporting
  • The framework operates under the firm's stated risk appetite.

REVIEW QUESTIONS

  1. Which of the following is least likely to be part of an operational risk framework?
    1. Loss data collection
    2. Risk and control self-assessment
    3. Counterparty credit assessment
    4. Scenario analysis
  2. Which of the following is the best description of a robust operational risk framework?
    1. It collects all operational risk losses that occur within the firm.
    2. It provides effective tools to identify, assess, control, and mitigate operational risk.
    3. It produces a capital calculation of operational risk.
    4. It is based on a framework that has been successful at another firm.

NOTE

  1. Risk Management Group of the Basel Committee on Banking Supervision, “Revisions to the Principles for the Sound Management of Operational Risk,” March 2021. Retrieved from www.bis.org/bcbs/publ/d515.pdf.