8/8/2019 UK FSA Guidance Consultation - Enhancing Frameworks in the Standardized Approach (TSA) to Operational Risk
Financial Services Authority
Enhancing frameworks in the standardised approach to operational risk
Guidance Consultation
October 2010
The standardised approach to operational risk: enhancing frameworks
A compendium of papers illustrating some of the approaches TSA firms might employ to help them meet the qualitative requirements.
1. Introduction: The standardised approach: enhancing frameworks
2. Operational risk governance and risk management structures
3. Risk identification, measurement, monitoring and reporting
4. The Use Test
1. The standardised approach: Enhancing frameworks
Introduction
1.1 The Financial Services Authority (FSA) is undertaking an initiative designed to examine, review and assess the implementation of the standardised approach (TSA) for operational risk at firms and to establish if any elements in existing frameworks can be improved on or require clarification.
1.2 This work is called: The standardised approach: Enhancing frameworks. As part of this work we have initiated a series of expert groups designed to bring together the FSA and operational risk practitioners at firms to share ideas on current practice, weaknesses, and possible improvements. As well as stimulating discussions and informing the FSA and fellow participants, we are producing this compendium of papers covering various components of a TSA framework.
1.3 These papers are being drafted for the benefit of supervisors of TSA firms, but will also be made available on our website. The compendium outlines key features of the TSA that are of interest, with observations and suggestions to support existing Handbook guidance and rules. We use Handbook guidance and other supporting materials to supplement the principles and rules where we think it may help firms to decide what procedures they might wish to consider adopting as good practice. Guidance, and the variety of materials we publish to support the rules and Handbook guidance, is not binding on those to whom the FSA rules apply. Such materials are intended to illustrate ways (but not the only ways) in which firms can comply with the relevant rules. Guidance and supporting materials are potentially relevant to an enforcement case. The extent to which we may take them into account when considering a matter will depend on all the circumstances of the case. Firms are referred to Chapter 2 of our Enforcement Guide for further information about the status of Handbook guidance and supporting materials.
1.4 Our findings will also flow into ongoing work at international level, in the EU and Basel, both of which are considering a number of operational risk topics of relevance to TSA firms at present.
1.5 We are grateful to all those firms and their staff who participated in the expert groups formed to consider the various compendium topics. The quality of contribution was exceptional and the openness with which participants embarked on this process is commended. Each section of the compendium will include details of those firms and individuals who provided such valuable assistance in this process.
Context
1.6 All BIPRU firms are required to meet a set of proportionate general risk-management standards (contained in SYSC 4.1.1R to 4.1.2R and SYSC 7.1.16R), irrespective of the operational risk methodology adopted. In addition, there are also specific qualitative standards for TSA and AMA1 firms and these are proportionate
1 AMA: Advanced Measurement Approach to operational risk.
for TSA firms. As a consequence of the SYSC2 general risk management requirements, there should be no significant difference between the qualitative operational risk standards required of a large and complex TSA firm and those for a similarly large and complex AMA firm.
1.7 The waiver approval processes for current AMA firms involved two to three years of close and continuous work with the firm by our Prudential Risk Department and were marked by improvements in the qualitative standards developed by these firms. However, TSA firms have not had the benefit of a similar close and continuous process, and this factor, together with the findings of some ARROW and firm visits and some SREP3 submissions, has raised concerns about the qualitative standards adopted.
1.8 The lack of any guidance on the appropriate components and form of an acceptable TSA/ASA framework has made it difficult for some firms and supervisors to identify weaknesses in the frameworks adopted. The key message is that, as a result of the general risk management standards contained in SYSC, there should be no significant difference between the qualitative standards applied by a large and complex TSA firm and those required from a similar AMA firm. However, experience suggests that some such TSA firms may experience difficulty if they were to seek AMA approval, further supporting the suggestion that not all TSA firms have reached a satisfactory level of qualitative operational risk management.
Completed compendium sections
1.9 To date, we have facilitated three expert groups and this resultant compendium can be found on our website. These papers cover the following:
I. Operational risk governance and risk management structures
1.10 Topics covered include: the role of the board; risk appetite/tolerance; the role of senior management; the operational risk function; three lines of defence; and behaviour, engagement and risk culture.
II. Risk identification, measurement, monitoring and reporting
1.11 Topics covered include: the tools and techniques used by firms to identify and assess the operational risk inherent in all material products, activities, processes and systems; tracking relevant operational risk data, including loss data; procedures for taking appropriate action in response to information contained in management reports; and how risk exposure is managed, monitored, and reported.
III. The Use Test
1.12 Topics covered include: how the Use Test is integrated into the risk management process; how the output of the risk management process can become an integral part of the process of monitoring and controlling the firm's operational risk profile; how firms determine if they meet the Use Test requirements on an ongoing basis; and the Use Test or experience requirement.
2 SYSC: Senior Management Arrangements, Systems and Controls Sourcebook.
3 SREP: Supervisory Review and Evaluation Process.
Future compendium sections
1.13 We are proposing to undertake the following expert groups as part of this initiative:
I. Policy and documentation
1.14 We expect the policy topics to include: issues addressed in operational risk policies; how policy is communicated and maintained; risk appetite/tolerance; new product approval process; mapping the relevant indicator for business lines and activities policies (see also quantitative requirements); who approves; how frequently policy is reviewed and updated; the requirements placed on documentation; the issues documented; and how firms satisfy themselves over the quality of documentation and management reporting.
II. Quantitative requirements
1.15 We expect the topics to include: the development of specific criteria for mapping the relevant indicator for business lines and activities; and approaches to business line mapping and relevant indicator mapping.
Summary
1.16 This compendium comprises a series of papers drafted by the FSA to assist firms and supervisors in understanding, assessing and enhancing the adequacy and effectiveness of frameworks introduced to implement the standardised approach to operational risk. The various components of a TSA framework cannot be viewed in isolation and should be reviewed and assessed as a package of closely interwoven elements. Therefore we will focus attention on the outcome generated by the operational risk framework. It is unlikely that a firm with an acceptable operational risk governance and risk management structure, for example, and weaknesses in other TSA elements could be perceived to have an acceptable TSA framework. In addition, weaknesses in one area may well make it impossible for a firm to implement a successful element elsewhere. For example, a firm with poor operational risk reporting and management information is unlikely to be able to demonstrate that the operational risk assessment system is closely integrated into the firm's risk management processes (the use or experience test).
1.17 Implementing operational risk frameworks cannot be viewed as a compliance exercise. Putting the various individual TSA elements in place is only likely to provide an effective framework if the individual elements have been implemented together in a robust, effective and comprehensive manner. The quality of implementation is an important consideration in any assessment of an operational risk framework.
1.18 These papers, and the variety of materials we publish to support the rules and Handbook guidance, are not binding on those to whom our rules apply. Such materials are intended to illustrate some of the ways in which firms can comply with the relevant rules. Irrespective of the techniques and methods adopted, a firm should be able to articulate why they believe the approach they have employed is appropriate.
Challenges
1.19 The process of drafting these papers confirmed the existence of a number of key challenges that cut across the various elements of the TSA methodology. These challenges are being encountered by most TSA firms and resolving these challenges is likely to greatly assist firms in developing more sophisticated operational risk measurement systems and practices. Challenges identified include the following:
i) The importance of tangible, clear and unambiguous board and senior management support and sponsorship for the operational risk management framework and function.
ii) The importance of the board and senior management setting the right cultural tone towards the operational risk framework.
iii) Persuading senior management to invest in improved operational risk frameworks and software. In many instances operational risk functions are required to focus valuable resources managing operational risk data rather than managing operational risk.
iv) The importance of operational risk training and the challenges of ensuring that training is geared to the appropriate level of participant.
v) Embedding the operational risk framework within and across business units, particularly where these cross countries.
For further information
1.20 If you would like more information, or to discuss the contents of these papers, please email [email protected].
2. Operational risk governance and risk management structures
Introduction
2.1 This paper is one of a series drafted by the FSA to assist firms and supervisors in understanding, assessing and enhancing the adequacy and effectiveness of frameworks introduced to implement the standardised approach to operational risk. While this paper deals with issues related to operational risk governance and risk management structure it is recognised that the various components of a TSA1 framework cannot be viewed in isolation and must be reviewed and assessed as a package of closely interwoven elements.
2.2 Therefore, it is unlikely that a firm with an acceptable operational risk governance and risk management structure and weaknesses in other TSA elements could be perceived to have an acceptable TSA framework. In addition, weaknesses in one area may well make it impossible for a firm to implement a successful element elsewhere. For example, a firm with poor reporting and management information is unlikely to have an effective governance structure. In addition, implementing operational risk frameworks cannot be viewed as a compliance exercise. Having the various individual TSA elements in place is only likely to provide an effective framework when the individual elements have been implemented together in a robust, effective and comprehensive manner. The quality of implementation is an important consideration in any assessment of an operational risk framework.
2.3 Increasing emphasis is being placed on the risk governance, oversight and management process adopted by firms. The board and senior management play a central role in this process and it is not clear how a firm's governance, oversight and management process can prove effective without the full support and engagement of these bodies, or how the operational risk framework can succeed.
2.4 We expect firms to strengthen their risk governance in response to several regulatory initiatives, including The Walker Review2 and this exercise. We also expect supervisors will ask TSA firms to detail the measures they have taken to assess how suitable their governance arrangements are, any remedial action they have taken as a result and how they are satisfied with their governance arrangements.
2.5 This paper has been drafted for the benefit of supervisors of TSA firms but will also be made available on our website. The paper outlines key features of TSA that are of interest, with observations and suggestions to support existing Handbook guidance and rules. We use Handbook guidance and other supporting materials to supplement the principles and rules where we consider it may help firms to decide what procedures to adopt as good practice. Guidance (and the variety of materials we publish to support the rules and Handbook guidance) is not binding on those to whom rules apply. Such materials are intended to illustrate some ways in which firms can comply with the relevant rules.
1 TSA: The Standardised Approach to operational risk.
2 A review of corporate governance in UK banks and other financial industry entities, 26 November 2009, www.hm-treasury.gov.uk/d/walker_review_261109.pdf.
Expert group
2.6 As part of the process of collecting the information necessary to draft this paper, we invited representatives from a number of BIA3 and TSA firms to participate in an expert group on operational risk governance and risk management structures and a complete list of the 15 firms and their representatives appears in Annex A. A number of the expert group participants made presentations to the group. We are extremely grateful for the quality of debate and discussion in the expert group and for the contribution of participants to the work of the group.
Rules and guidance
2.7 The BIPRU4 rules require firms to have a well-documented assessment and management system, with clear lines of reporting and responsibility that should be subject to a regular independent review. The requirements are subject to the proportionality principle and are therefore dependent on the size, nature, scale and complexity of the firm.
2.8 There is a fair amount of literature from various sources providing guidance on the topics of governance and risk management. Documents published by the Basel Committee for Banking Supervisors reinforce the importance of the role of senior management when implementing operational risk management frameworks. Furthermore, they emphasise that board members should be qualified for their positions while also being aware of the main operational risks their institution faces.
2.9 The CEBS5 Risk Management Consultation Paper (2009) reinforces the importance of senior management support, as well as the existence of a person responsible for the risk management function across the entire institution (e.g. a Chief Risk Officer (CRO)). This CRO (or equivalent) should be sufficiently senior and independent to be able to challenge the decision-making process of the organisation.
2.10 Annex B of this paper contains details of the various rules and guidance mentioned above. Firms may find it useful to take full account of these rules and guidance when designing, implementing and testing their operational risk frameworks.
Key characteristics and observations
2.11 This section details elements that TSA firms might wish to employ as part of their risk governance and risk management framework. In drafting this section we have taken account of the various governance documents produced by the BCBS6 and CEBS, and in some instances we have incorporated elements of that guidance directly into our suggestions.
2.12 While the involvement of the board or its delegates in the risk governance process is likely to be determined by the overall risk management framework of the firm, it is generally accepted that, when a board delegates responsibility to an appropriate
3 BIA: Basic indicator approach to operational risk.
4 BIPRU: Prudential sourcebook for banks, building societies and investment firms.
5 CEBS: Committee of European Banking Supervisors.
6 BCBS: Basel Committee on Banking Supervision.
committee (for example, some firms have a Board Risk Committee), it continues to be accountable. Our discussions with the operational risk governance and risk management expert group showed that, for TSA firms with an effective Operational Risk governance and risk management structure, the board's (or its delegates') responsibilities might include:
i) Approving and periodically reviewing the operational risk framework based on an appropriate definition of operational risk. This framework usually covers the firm's appetite and tolerance for operational risk. Reviews assess industry best practice and, where necessary, ensure the framework is revised accordingly. Reviews of the framework usually occur every 24 months and for many firms an annual review is considered appropriate.
ii) Establishing a senior management structure to implement the firm-wide operational risk management framework and assigning clear lines of management responsibility, accountability and reporting.
iii) Having a clear understanding of operational risk and being aware of the major aspects of the firm's operational risks as a distinct risk category that should be managed. As part of this process, regular reviews of key risks often take place at board level.
iv) Ensuring the operational risk-management framework is subject to effective audit and review by an independent audit function.
v) Understanding the impact of strategic initiatives on the operational risk profile and ensuring that the operational risk impacts of strategic initiatives, new products, processes and systems are evaluated, managed and mitigated.
vi) Promoting:
a) a risk-focused culture throughout the organisation, with a clear understanding among all staff of their role in managing operational risk;
b) open communication of the operational risk framework and clear and speedy reporting of operational risk information, including significant operational risk events; and
c) ongoing risk training to ensure that the operational risk framework is fully embedded throughout the organisation. Our experience suggests that TSA firms often fail to require staff to undertake adequate operational risk training and that the embedding of a robust risk culture suffers as a result.
vii) Satisfying themselves that, for the purposes of risk management, the firm collects and maintains data that is accurate and comprehensive, which supports the principles of sound risk management at all levels of the firm. Actions required to satisfy this requirement might include:
a) Maintaining a data policy, approved by the board.
b) Data being sufficiently granular that it supports detailed analysis by risk factor.
c) Data being maintained over a period of time that allows analysis of loss behaviour through the economic and business cycles that are relevant to each risk type (for example, fraud).
d) Data being supported by a data model that allows for aggregation and disaggregation, as required. In particular, firms may wish to avoid their data being constrained by a specific vendor solution, entity identification, product classification, or instrument identification.
e) Data reporting upwards from origination, up to and including the board. Firms are likely to benefit from accurate, timely and clear reporting, aggregated at levels that are relevant to each recipient, and accompanied by value-adding analysis and commentary consistent with the decision-making status of the recipient.
f) Data not being limited to actual losses or incidents, but also including items that allow the firm's management to anticipate potential future problems by using benchmarking and/or trend analysis.
2.13 The board could discuss and approve a risk appetite/tolerance statement that is clear and understood throughout the organisation. We recommend though that firms consider whether their framework should cover the firm's appetite/tolerance for operational risk, as specified through the policies for managing this risk and the firm's prioritisation of operational risk management activities, including the extent of, and manner in which, operational risk is transferred outside the firm.
2.14 The term risk appetite is often taken as a forward-looking view of risk acceptance, while risk tolerance is often considered to be the amount of risk a firm has accepted in the past. In this document the terms are used to capture both aspects to reinforce a general message that firms might include a forward-looking analysis as part of their risk management and capital assessments. A purely historic approach might be perceived as neither sufficient nor interchangeable with a forward-looking view.
2.15 While some TSA firms have developed statements of this type, this is proving a challenging process in many organisations. Nevertheless, firms have usually expressed an appetite for risk in several forms, including loss data thresholds, RCSA7 remedial action prompts and KRI8 thresholds. An effective risk appetite will generally require regularly measuring and reporting risk exposure, as well as using clear and measurable triggers and limits to ensure that a firm does not exceed its risk appetite without taking remedial action. Operational risk appetite statements can provide an important management tool for TSA firms and are frequently used as a means of demonstrating that the operational risk framework is embedded. Risk appetite statements may:
i) take all relevant risks into account, including the firm's risk aversion, the current financial situation and the firm's strategic direction;
ii) encapsulate the various risk appetites in a firm and ensure they are consistent; and
7 RCSA: Risk control self assessment.
8 KRI: Key risk indicator.
iii) detail how the board will monitor management adherence to the risk appetite.
2.16 Generally, in TSA firms with effective operational risk governance and risk management structures, the senior management are responsible for implementing the framework approved by the board and are delegated, by the board, responsibility for developing policies, processes and procedures for managing operational risk. In undertaking these tasks, the requirements placed on the senior management might include:
i) Translating the board-approved operational risk management framework into specific policies, processes and procedures that can be implemented and verified within the different business units.
ii) Managing risks on a day-to-day basis, under the oversight of the management body.
iii) Implementing the operational risk framework through the organisation.
iv) Developing and obtaining approval for policies, processes and procedures for managing and approving operational risk in all new and material products, processes and systems.
v) Ensuring that:
a) all activities are conducted by staff with necessary experience, technical capability and resources;
b) the operational risk management policy is clearly and appropriately communicated to staff in all units;
c) remuneration policies are consistent with the firm's appetite for risk, as expressed in the risk appetite statement; and
d) operational risk staff communicate effectively with staff responsible for credit risk, market risk, compliance and other risks, insurance purchasers and outsourcing arrangers.
vi) Having a full understanding of the nature of the business and activities of the firm.
vii) Considering our SIF9/control function requirements.
2.17 The operational risk management function usually plays a key role in identifying, measuring and assessing the risks faced by the firm. Its responsibilities often include oversight of the framework; analysis of the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products; and an appropriate involvement in exceptional transactions. The new product approval process might consider the adequacy of the tools and expertise of the operational risk management, information technology, business line and internal control functions to identify, manage, monitor and report the resultant operational risk. Operational risk arising from mergers and acquisitions could be assessed in a similar way. This is particularly
9 SIF: Significant influence function.
important given the confidentiality and timeframe within which mergers and acquisitions are negotiated and the complicated nature of the process.
2.18 In undertaking these tasks, the requirements placed on the senior management of the operational risk management function might include being:
i) Appropriately expert for the risk profile. The board and senior management are often responsible for ensuring that the resources allocated to the risk management function are appropriate and consistent with the risk profile, management and business strategies.
ii) In regular contact with the board and its committees, depending on the delegation of authority and the risk management structure of the firm.
iii) Actively involved in the elaboration of the institution's strategy, to assist and benefit the decision-making process.
iv) Independent from the operational units reviewed by the risk management function. Nevertheless, the function could interact with the operational units and have sufficient access to achieve its objectives.
2.19 Successful risk management functions are usually:
i) empowered and supported by the board and senior management; and
ii) not directly responsible for the audit function, given the audit function's role in challenging the operational framework.
2.20 Responsibility for managing operational risk is not limited to the risk management function. All staff and business line management are responsible for managing operational risk and a firm would benefit from making all staff aware of their accountability for this.
2.21 In general, existing guidelines, papers and principles are not prescriptive on the governing structure of financial institutions. Instead they tend to concentrate on the roles and responsibilities of the key players and avoid discussing the structure created by the firm for its governance process. Nevertheless, it is clear from our discussions with the members of the expert group that a number of common elements exist in many TSA firms' operational risk governance structures. When considering the appropriateness of the adopted operational risk governance and risk management structure the range of issues that should be taken into consideration might include the following:
i) The committee structure: Many organisations with a central group function and separate business units create a Group Operational Risk Committee that reports into a Group Risk Committee, which is a committee established by the board. Depending on the size, nature, scale and complexity of the firm, the Group Risk Committee may receive input from country, business and functional level Operational Risk Committees.
ii) Consideration of the operational risk governance and risk management structure, which could take account of:
a) the composition of any Operational Risk Committees, ensuring that the committee contains a combination of members with either financial experience or risk management, or both;
b) whether the committees are solely dedicated to operational risk, how much time is devoted to this, and what evidence can be provided to testify to the quality of debate and challenge;
c) whether committee members must attend, how many meetings they can miss without censure, whether they can send an alternate and if so whether they require prior agreement of the chair;
d) the frequency of the operational risk governance bodies' meetings (a recent survey of risk governance10 noted that meetings are not as frequent as had been expected); and
e) whether the meetings of the various committees that form part of the governance structure are timed so issues and events can be escalated in a timely manner.
2.22 Most expert group participants have established senior management Operational Risk Committees to ensure oversight of operational risk. It is interesting to note that some small firms have adopted this approach. In some instances firms have also established Board Risk Committees to oversee the overall risk management process. In some firms, the responsibilities of the board discussed in paragraph 1.15 are carried out by a delegated committee, although the board retains ultimate accountability. Firms adopting the TSA methodology may find it helpful to establish effective Operational Risk Committees and to be able to articulate how they satisfy themselves that the senior committee undertakes an effective role in the operational risk management framework.
2.23 Several expert group participants employ three lines of defence as part of their operational risk governance and risk management structure. A strong risk culture, good communication and understanding and a strong sense of risk awareness can provide comfort when used in conjunction with this approach. While we have seen different interpretations of its composition, the most common approach is for the three lines to comprise the following:
i) The first line is provided by the business units comprising the business units, support functions and embedded operational risk staff.
ii) The second line is provided by the risk management function comprising the operational risk management function and the compliance functions. To qualify in this category, the risk management function usually demonstrates the qualities detailed in the operational risk management function section.
iii) The third line is the audit function. A number of TSA firms have outsourced their audit function. The underlying arrangements and effectiveness of an outsourced audit function should be assessed for its suitability.
10 Risk Governance at Large Banks by Moody's Global Banking, July 2009.
2.24 While a great many firms can point to their structure as evidence of the three lines of defence, firms could strengthen this by producing specific examples showing how they operate satisfactorily. They might also explain how the board and senior management are satisfied that this approach is implemented and operates in an appropriate and acceptable manner.
2.25 One possibility when seeking to determine the effectiveness of a firm's operational risk governance and risk management structure could be to evaluate its impact on behaviour, engagement and risk culture. Any attempt to do so might focus on a number of important elements:
i) Awareness: Every member of staff has an important role to play in the management and mitigation of operational risk within a firm. Supervisors could investigate if staff are aware of their responsibilities with regard to identifying, managing, monitoring and reporting operational risks. Firms could elect to raise awareness of operational risk among staff and embed the operational risk framework into the day-to-day risk management process of the firm.
ii) Culture: The expert group considered a strong risk culture, running through the entire organisation, as essential. For example, it may be better to own up than hide an error, as a 'no blame' culture exists. Such cultures are difficult to achieve without the direct, active and demonstrable sponsorship and support of the board and senior management. A favourable culture is also likely to be achieved if business units are engaged with the governance structure and do not view the arrangements as a constraint.
iii) Challenge: One of the key components of an effective governance structure is challenge throughout the structure, including at board, senior management and committee level. Various mechanisms exist to enable firms to judge the quality and effectiveness of the challenge process, including committee minutes and notes for record.
2.26 Firms capable of satisfying themselves about the effectiveness of their operational risk governance and risk management structure are also likely to be able to demonstrate to supervisors why they feel that this is the case. In some cases the firm may decide that external observers are best placed to undertake an impartial evaluation of effectiveness, although alternatively in some cases firms decide that this task is best achieved by internal parties, including the internal audit function. The firm is generally in the best position to determine who is best able to evaluate the effectiveness of the operational risk governance and risk management arrangements.
2.27 Supervisors often use a 'vertical slice' through the governance and risk management structure to help understand the workings of the process and procedures and behaviour, engagement and risk culture. This may show how risks and events are escalated within the governance structure and involves tracking the reporting, review and response to a significant operational risk event, from its discovery in a business unit up to the board or most senior risk committee in the firm. Examining the vertical slice could extend to considering how any responses, reactions and decisions are communicated to the original business unit.
2.28 We have observed that firms often benefit from having a clear organisational structure with well defined, transparent and consistent lines of responsibility. This structure works well when it is comprehensive and proportionate to the size, scale and complexity of the firm's activities.
2.29 The operational risk governance and risk management structure is a key component of a firm's assessment and management system for operational risk and it is a specific BIPRU requirement that the assessment and management system for operational risk must be well-documented.
2.30 Regulators and supervisors regularly publish papers, principles and proposals for improving risk governance and risk management, for example, either locally (FSA) or in conjunction with other regulators (CEBS, BCBS, etc). Firms are likely to benefit from ensuring that they remain fully aware of the contents, proposals and recommendations published by regulators and adjust and amend their approaches accordingly.
Challenges
2.31 TSA firms seeking to ensure that their operational risk governance and risk management structures are both appropriate and effective for a firm using the standardised approach, and are also proportionate to their size, scale and complexity, face a number of obstacles. Supervisors could focus attention on how the firm has approached and resolved these issues, which might include:
i) demonstrating the extent of direct and active board and senior management sponsorship and support;
ii) determining the operational risk governance and risk management culture of the firm;
iii) understanding the degree and effectiveness of challenge;
iv) ensuring business engagement with the governance structure; and
v) how the board and senior management have satisfied themselves that the governance structure is effective and appropriate.
Conclusion
2.32 The operational risk governance and risk management structure is a key component of all TSA firms' operational risk frameworks. However, it may not be sufficient for a firm to be able to point to the existence of a risk governance and risk management structure, as much depends on the way in which this process has been implemented. Firm-wide behaviour, engagement and risk culture are key considerations in determining the effectiveness of the risk governance and risk management structure, as are the direct, active and demonstrable sponsorship and support of the board and senior management.
2.33 Firms lacking an appropriate and effective structure are unlikely to meet the requirements laid down in BIPRU 6.4 for TSA firms or the general risk management standards in SYSC 4.1.1R to 4.1.2R and SYSC 7.1.16R.
Expert group members:
Industry
Bank of America: Richard Walsh
Bank of Montreal: Christopher Eyles
Bank of NY Mellon: Anna Nicholl
Brewin Dolphin: Barry Howard
Britannia: Graeme Bell
Ford Financial: Robert Pringle
Gatehouse Bank: Reza Zaidi
HSBC: Neil MacKenzie
IG Group: Andrew Bole, Bjorn Model
Investec: Asim Balouch, Bharat Thakker
Man Group: Clive Wratten
Nomura: Huw Howell
Northern Rock: Barry Pert
Standard Chartered: Rajit Punshi, Mark Willis
Vanquis Bank: Rosemary Hilton, Manish Shah
FSA
Andrew Sheen (Chair): Operational Risk Policy
Christine Brentani: Operational Risk Policy
Giles Ward: Operational Risk Policy
Anna Jernova: Operational Risk Policy
Liz Meneghello: Operational Risk Policy
David Haberfield: Risk Frameworks & Capital Unit (PRD)
Adrian McCarthy: Risk Frameworks & Capital Unit (PRD)
Brian Thornhill: Asset Managers & Advisers Department
Handbook rules and guidance
(Source; Rule/guidance #; Text)

Source: Prudential Sourcebook for Banks, Building Societies and Investment Firms (BIPRU)

6.4.1R (2): A firm must have a well-documented assessment and management system for operational risk with clear responsibilities for the system assigned within the firm. The system must identify the firm's exposures to operational risk and track relevant operational risk data, including material loss data.

6.4.1R (3): A firm's operational risk assessment and management system must be subject to regular independent review.

6.4.1R (5): A firm must implement a system of management reporting that provides operational risk reports to relevant functions within the firm. A firm must have procedures in place for taking appropriate action in response to the information contained in such reports.

6.4.2R: A firm must comply with the criteria in BIPRU 6.4.1R having regard to the size and scale of its activities and to the principle of proportionality.

Source: Senior Management Arrangements, Systems and Controls Sourcebook (SYSC)

4.1.1R: A firm must have robust governance arrangements, which include a clear organisational structure with well defined, transparent and consistent lines of responsibility, effective processes to identify, manage, monitor and report the risks it is or might be exposed to, and internal control mechanisms, including sound administrative and accounting procedures and effective control and safeguard arrangements for information processing systems. [Note: article 22(1) of the Banking Consolidation Directive, article 13(5) second paragraph of MiFID]

4.1.2R: For a common platform firm, the arrangements, processes and mechanisms referred to in SYSC 4.1.1 R must be comprehensive and proportionate to the nature, scale and complexity of the common platform firm's activities and must take into account the specific technical criteria described in SYSC 4.1.7 R, SYSC 5.1.7 R and SYSC 7. [Note: article 22(2) of the Banking Consolidation Directive]
BCBS and CEBS guidelines
(Source; Guidance #; Text)

Source: BIS Sound Practices for the Management and Supervision of Operational Risk

Principle 1: The board of directors should be aware of the major aspects of the bank's operational risks as a distinct risk category that should be managed, and it should approve and periodically review the bank's operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.

Principle 2: The board of directors should ensure that the bank's operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management.
Principle 3: Senior management should have responsibility for implementing the operational risk management framework approved by the board of directors. The framework should be consistently implemented throughout the whole banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank's material products, activities, processes and systems.

Principle 4: Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

Principle 5: Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

Principle 6: Banks should have policies, processes and procedures to control and/or mitigate material operational risks. Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile.

Source: CEBS Guidelines on the implementation, validation and assessment of AMA and IRB approaches

470: Both the management body and senior management should be responsible for approving all material aspects of the overall operational risk framework. They should have a general understanding of the institution's operational risk measurement systems and detailed comprehension of its associated management reports and how operational risk affects the institution. The material aspects of the overall operational risk framework include:
• activities aimed at identifying, assessing and/or measuring, monitoring, controlling, and mitigating operational risk;
• proactive risk management strategies and policies;
• the organisational structure of the control functions; and
• specifying levels of acceptable risk.

472: The management body has to exercise effective oversight. Senior management should therefore notify the management body, or a designated committee thereof, of material changes or exceptions from established policies that will materially impact the institution's operational risk measurement systems and management processes.
473: Both the management body and senior management should be involved, on an ongoing basis, in the oversight of the control procedures and measurement systems adopted by the operational risk management function and Internal Audit, to ensure that they are adequate and that the overall operational risk management and measurement processes and systems remain effective over time.

474: Senior management should ensure that the following tasks are being addressed:
• ensuring the soundness of risk management processes;
• informing the management body or a designated committee thereof of material changes or exceptions from established policies that will materially impact the operations and the operational risk profile of the institution;
• identifying and assessing the main risk drivers, based on information provided by the operational risk management function;
• defining the tasks of the risk management unit and evaluating the adequacy of its professional skills;
• monitoring and managing all sources of potential conflicts of interest;
• establishing effective communication channels to ensure that all staff are aware of relevant policies and procedures;
• defining the content of reporting to the management body or to different delegated bodies thereof (e.g. the Risk Committee);
• examining reports from Internal Audit on operational risk management and measurement processes and systems; and
• adequately assessing operational risk inherent in new areas (products, activities, processes, and systems) before they are introduced, and identifying risks tied to new product development and other significant changes to ensure that the risk profiles of product lines are updated regularly.

475: The operational risk management function designs, develops, implements, and executes risk management and measurement processes and systems.

476: The Internal Audit should provide an assessment of the overall adequacy of the operational risk framework, as well as of the operational risk management function.
Source: CEBS CP 24 High-level principles for risk management

9: A strong institution-wide risk culture is one of the key elements of effective risk management. One of the prerequisites for creating this risk culture is the establishment of a comprehensive and independent risk management function under direct responsibility of the senior management.

10: The management body is responsible for overseeing senior management, and also for establishing sound business practices and strategic planning. It is therefore of the utmost importance that the management body have a full understanding of the nature of the business and its associated risks. At least some members of the management body or, where relevant, the audit committee (or equivalent) should carry out an activity in the area of financial markets or have professional experience directly linked to this type of activity.

11: Every member of the organisation must be constantly aware of their responsibilities relating to the identification and reporting of risks and other roles within the organisation and the associated responsibilities to these roles. The risk culture must extend across all of the organisation's units and business lines. Risk policies must be formulated based on a comprehensive view of all business units, and risks must be evaluated not only from the bottom up, but also across individual business lines.

12: Institutions must implement a consistent risk culture and establish sound risk governance, supported by an appropriate communication policy, all of which must be adapted to the size and complexity of the organisation and the risk profile of the institution or banking group.

19: The institution should appoint a person responsible for the risk management function across the entire organisation, and for coordinating the activities of other units relating to the institution's risk management framework. Normally this person is the Chief Risk Officer (CRO). However, when the institution's characteristics, in particular its size, organisation and the nature of its activity, do not justify entrusting such responsibility to a specially appointed person, the person responsible for internal control can be made responsible for risk management as well.

20: The CRO (or equivalent) should have sufficient independence and seniority to enable them to challenge (and potentially veto) the decision-making process of the institution. Their position within the institution should permit them to communicate directly with the executive body concerning adverse developments that may not be consistent with the institution's risk tolerance and business strategy. When the executive body or the management body considers it necessary, the CRO should also report directly to the management body or, where appropriate, to the audit committee (or equivalent).

21: The CRO should have expertise that matches the institution's risk profile. They should play a key role in making the management body and senior management understand the institution's overall risk profile.
23: The risk management function should be actively involved, at an early stage, in the elaboration of the institution's strategy and decision-making on business activities.

24: Firms should ensure that the risk management function is independent from the operational units whose activities they review. Their position in the organisation should allow them to interact with these units in order to have access to the information necessary for the accomplishment of their mission. However, the risk management function should in all cases be carried out at arm's length from the decision-making function.

25: The management of risks should not be confined to the risk management function. It should be a responsibility of management and staff in all business lines, and they should be aware of their accountability in this respect.

26: The management body and senior management should be responsible for allocating resources to the risk management function in sufficient amounts and quality to allow it to fulfil its missions. These resources should be consistent with the institution's risk management and strategic objectives. They should include adequate personnel (with sufficient expertise and qualifications), data systems and support, and access to internal and external information deemed necessary to the fulfilment of the risk-management's missions.

Source: BIS Enhancing corporate governance for banking organisations

Principle 1: Board members should be qualified for their positions, have a clear understanding of their role in corporate governance and be able to exercise sound judgement about the affairs of the bank.

Principle 2: The board should approve and oversee the bank's strategic objectives and corporate values that are communicated throughout the banking organisation.

Principle 3: The board should set and enforce clear lines of responsibility and accountability throughout the organisation.

Principle 4: The board should ensure that there is appropriate oversight by senior management consistent with board policy.

Principle 5: The board and senior management should effectively utilise the work conducted by the internal audit function, external auditors, and internal control functions.
3. Operational risk identification, measurement, monitoring and reporting
Introduction
3.1 This paper is one of a series drafted by the FSA to assist firms and supervisors in understanding, assessing and enhancing the adequacy and effectiveness of operational risk frameworks used by firms to implement the Standardised Approach to Operational Risk (TSA). While this paper deals with issues related to risk identification, measurement, monitoring and reporting (IMMR), it is recognised that the various components of a TSA framework cannot be viewed in isolation and should be reviewed and assessed as a package of closely interwoven elements. Therefore, a firm with acceptable IMMR methodologies but with weaknesses in other TSA elements is unlikely to have an acceptable TSA framework. Weaknesses in one area could also make it impossible for a firm to implement a successful element elsewhere. For example, a firm with poor reporting and management information is unlikely to have an effective governance structure. In addition, implementing operational risk frameworks cannot be viewed as a compliance exercise. Having the various individual TSA elements in place is only likely to provide an effective framework when all the individual elements have been implemented in a robust, efficient and comprehensive manner. The quality of implementation is an important consideration in any assessment of an operational risk framework.
3.2 Though we are not prescriptive regarding the approach we ask firms to take, we expect firms to be proportionate in the choices they make for risk identification, measurement, monitoring and reporting.
3.3 The primary aim of this document is to assist supervisors in assessing and challenging some of the methods that firms use to look at their risk exposures. Although this document is aimed at supervisors of firms that use TSA to calculate their operational risk charge, the information provided may be of use to supervisors of other BIPRU[1] firms. We address individual risk identification tools and highlight areas that may be considered good practice, which firms may also find useful. Supervisors may choose to ask TSA firms for detailed analyses of the methodologies used to assess risk exposures, along with any documentation and management information employed. This information can be used to determine whether the overall risk governance architecture is working effectively at the firm.
3.4 While this paper has been drafted primarily for the benefit of supervisors of TSA firms, it is also on our website. The paper outlines key features of TSA that are of interest, with observations and guidance to support existing Handbook guidance and rules. We use Handbook guidance and other supporting materials to supplement the principles and rules where we consider it would help firms to decide what action they need to take to meet the necessary standard. Guidance, and the variety of materials we publish to support the rules and Handbook guidance, are not binding on those to whom our rules apply. Such materials are intended to illustrate ways (but not the only ways) in which firms can comply with the relevant rules.
[1] BIPRU: Prudential sourcebook for banks, building societies and investment firms.
Appendix 1
Expert group
3.5 We invited representatives of a number of BIA[2] and TSA firms to participate in an expert group on Operational Risk Identification, Measurement, Monitoring, and Reporting, and a complete list of the firms and their representatives appears in Annex A of this paper. We held five meetings between June and October 2009, where a number of participants made presentations of their approaches to risk identification, measurement, monitoring and reporting to the group. The information provided at these expert group meetings forms the basis of this document, though other sources of information have been used as well. We are extremely grateful for the quality of debate and discussion in the expert group and for the contribution of participants to the work of the group.
Rules and guidance
3.6 The BIPRU 6.4 rules for firms using TSA state that a firm must have a well-documented assessment and management system, which identifies the firm's exposures to operational risk and tracks the relevant data. SYSC 4 and SYSC 7 add to these rules by requiring that firms must have effective processes to identify, manage, monitor and report the risks that they are or might be exposed to (including low-frequency, high severity events). These processes and systems must be proportionate to the nature, scale and complexity of the firm's activities.
3.7 Currently, the main source of guidance for operational risk identification is the Basel Committee on Banking Supervision (BCBS) paper, Sound Practices for the Management and Supervision of Operational Risk (Sound Practices, 2003).[3] The Sound Practices paper encourages firms to identify operational risks inherent in all existing products, as well as any new products or services that a firm is planning to undertake. Also, firms' risk profiles should be regularly monitored by relevant staff and reported to senior management. The CEBS[4] Compendium[5] adds that near misses[6] should also be closely monitored and that there should be appropriate procedures to collect such data.
3.8 Annex B of the Operational risk governance and management structures document that forms part of this TSA: Enhancing Frameworks Compendium contains a summary of the rules that incorporate risk identification, measuring and monitoring. Firms should take full account of these rules and the associated guidance in the implementation of all aspects of their operational risk framework. TSA firms should be particularly mindful of the qualitative requirements set out in these rules.
[2] BIA: Basic Indicator Approach to operational risk.
[3] The full paper can be found at: www.bis.org/publ/bcbs96.htm.
[4] CEBS: Committee of European Banking Supervisors.
[5] The CEBS Compendium of supplementary guidelines on implementation issues of Operational Risk can be found at: www.c-ebs.org/News--Communications/Latest-news/CEBS-Compendium-of-supplementary-guidelines-on-(1).aspx.
[6] Near misses are Operational Risk-related events that do not necessarily result in an actual loss (or gain) amount.
Key characteristics and observations
IMMR as part of the overall framework
3.9 For all the firms taking part in the expert group, the process of risk identification, measurement, management and reporting (IMMR) was integrated into the overall risk governance framework. It was recognised that it is important that firms can explain how their IMMR procedures fit into their overall risk governance structure and which areas and personnel are responsible for the procedures. Also, where firms employ the three lines of defence model,[7] it was acknowledged that firms should be able to explain how the IMMR process fits in and where responsibilities lie.
3.10 Many risk management frameworks relied on the cultural tone-setting from senior management, which promotes a 'no blame' culture for reporting actual risks and near misses throughout the organisation. Our discussions show that representatives of several expert group firms feel the operational risk function benefits when senior management fully endorse, deploy, review and uphold the IMMR procedures and outcomes at the firm.
3.11 Regarding reporting, many risk managers ensure that information from the IMMR processes goes to the right committees and executive bodies and that any decisions arising from these committees are cascaded down to the areas that collect, control and monitor risk-related information.
3.12 IMMR could be used by the board and senior management to monitor whether the firm is operating within its stated risk appetite. Risk indicators can be set to collect data where risk appetite limits are breached. These could be a valuable tool to ensure compliance with risk appetite and risk tolerance levels.
3.13 Firms could benefit from attempting to align their top-down risk appetite (often focused on financial returns) with their bottom-up approach (more granular business-related risks and controls) where applicable. While this is a difficult concept, risk indicators could be established that promote this. There is broad industry consensus on the different means that a firm can use to consider its risk appetite for operational risk, including capital, losses and key risk indicators.
3.14 A particular challenge for firms, as well as monitoring existing risk, is how to identify forward-looking risks. One method observed was to develop forward-looking risk indicators, which could be monitored either on a short or longer-term basis. These forward-looking risk indicators attempt to identify trends in the next 12 to 24 months that will drive the level of risk, such as external threats, economic/political conditions or business change.
3.15 The risk identification process can lead to enhancing risk control mechanisms. Firms may decide on a risk mitigation or control strategy for each material risk identified. This information can be captured in a comprehensive risk register that:
i) assigns senior responsibility for control of individual risks;
ii) facilitates ongoing and objective assessment of gross risks, performance and effectiveness of associated controls and mitigants; and
iii) provides validation of individual and aggregate (net) exposures relative to the firm's risk appetite (some firms have suggested such validation could be qualitative as well as quantitative).
[7] The three lines of defence model of operational risk control include line management as the first line of defence, the risk control functions as the second line of defence, and the risk assurance functions such as internal or external audit as the third line of defence. Please see the Operational risk governance and risk management structures paper for further information.
3.16 The process could identify that there are sufficient controls in place already and/or that management are prepared to accept the level of risk.
3.17 The overall aim of the IMMR process is to ensure management are considering whether the appropriate controls are in place and working effectively to mitigate the risk to an acceptable level (reflecting their risk appetite).
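As an added illustration, not taken from this FSA paper or from any expert group firm, the following Python sketches a risk register of the kind paragraph 3.15 describes: each risk carries a named senior owner, a gross (inherent) rating, controls with an assumed effectiveness, and a derived net exposure that is aggregated per category and validated against a per-category appetite; alongside it sits the indicator threshold check that paragraph 3.12 mentions. The 1 to 5 likelihood and impact scale, the multiplicative treatment of independent controls, the risk descriptions, category names, appetite limits and KRI readings are all constructed for the example and are not the FSA's or any firm's figures.

```python
"""Minimal operational risk register with appetite validation and KRI checks.

Added example: scoring scale, control model and all sample values are
assumptions made for illustration, not figures from the FSA paper.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Control:
    name: str
    effectiveness: float  # fraction of gross exposure the control removes, 0..1


@dataclass
class Risk:
    risk_id: str
    description: str
    category: str
    owner: Optional[str]          # senior individual accountable for control (3.15 i)
    likelihood: int               # assumed scale: 1 (rare) .. 5 (almost certain)
    impact: int                   # assumed scale: 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def gross(self) -> int:
        """Inherent exposure before any control is credited (3.15 ii)."""
        return self.likelihood * self.impact

    def net(self) -> float:
        """Residual exposure. Controls are assumed independent, so the part of
        the gross exposure that survives is the product of each control's
        leak-through fraction (1 - effectiveness)."""
        residual = 1.0
        for c in self.controls:
            if not 0.0 <= c.effectiveness <= 1.0:
                raise ValueError(f"{c.name}: effectiveness must lie in [0, 1]")
            residual *= 1.0 - c.effectiveness
        return round(self.gross() * residual, 2)


def unowned_risks(register: List[Risk]) -> List[str]:
    """Risks with no named senior owner fail point i) of 3.15 outright."""
    return [r.risk_id for r in register if not r.owner]


def aggregate_net(register: List[Risk]) -> Dict[str, float]:
    """Residual exposure summed per category: the aggregate view in 3.15 iii)."""
    totals: Dict[str, float] = {}
    for r in register:
        totals[r.category] = round(totals.get(r.category, 0.0) + r.net(), 2)
    return totals


def appetite_breaches(register: List[Risk],
                      appetite: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """(category, aggregate net, limit) for each category above its appetite."""
    totals = aggregate_net(register)
    return [(cat, totals[cat], limit) for cat, limit in appetite.items()
            if cat in totals and totals[cat] > limit]


def kri_breaches(readings: Dict[str, float],
                 limits: Dict[str, float]) -> List[Tuple[str, float, float]]:
    """(indicator, value, limit) for each KRI reading above its tolerance (3.12)."""
    return [(k, v, limits[k]) for k, v in readings.items()
            if k in limits and v > limits[k]]


def build_sample_register() -> List[Risk]:
    """Constructed sample data; the risks and ratings are hypothetical."""
    return [
        Risk("OR-001", "Payment processing outage", "Systems", "Head of Operations",
             3, 5, [Control("Warm failover site", 0.6), Control("24x7 monitoring", 0.5)]),
        Risk("OR-002", "Mis-keyed client instruction", "Process", "Head of Client Services",
             4, 2, [Control("Four-eyes check on instructions", 0.75)]),
        Risk("OR-003", "Staff credentials phished", "People", None,   # owner missing
             4, 4, [Control("Multi-factor authentication", 0.5),
                    Control("Awareness training", 0.3)]),
        Risk("OR-004", "Key-person dependency in finance", "People", "CFO", 2, 3),
    ]


# Constructed appetite limits (same units as net exposure) and KRI tolerances.
SAMPLE_APPETITE = {"Systems": 5.0, "Process": 4.0, "People": 8.0}
SAMPLE_KRI_LIMITS = {"staff_turnover_pct": 10.0, "failed_payments_per_day": 20,
                     "overdue_audit_actions": 2}
SAMPLE_KRI_READINGS = {"staff_turnover_pct": 14.0, "failed_payments_per_day": 12,
                       "overdue_audit_actions": 3}

if __name__ == "__main__":
    reg = build_sample_register()
    print("Unowned risks:", unowned_risks(reg))
    print("Net by category:", aggregate_net(reg))
    print("Appetite breaches:", appetite_breaches(reg, SAMPLE_APPETITE))
    print("KRI breaches:", kri_breaches(SAMPLE_KRI_READINGS, SAMPLE_KRI_LIMITS))
```

Run as a script, the sample register reports OR-003 as unowned, the People category as over appetite (two residual exposures that individually look tolerable add up to a breach, which is the point of aggregate validation), and two indicators over tolerance; each of those outputs is the kind of item a firm would expect to see escalated through the committee structure described in 3.11.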
3.18 Expert group members often divided their processes into the various components of the risk management life-cycle and provided an analysis of the elements of each of the stages. Below is an example of such a process. The IMMR process identified below is meant to be iterative and firms could have some system in place to ensure that the process is periodically reviewed and refreshed. The components listed below will be discussed in more detail throughout this paper.
[Figure: the iterative IMMR cycle: Identify risk; Assess risk; Measure and monitor risk; Control risk; Report on risks]
Risk identification and assessment
3.19 Principle 4 in the 2003 BCBS Sound Practices paper states that rms should identiy
and assess the operational risks inherent in all material products, activities, processes
and systems. This implies that rms should also ensure that, beore new products,
activities, processes and systems are introduced or undertaken, the operational risk
inherent in them is subject to adequate assessment procedures.
3.20 The paper also stresses that risk identication is paramount or the subsequentdevelopment o a viable operational risk monitoring and control system. Eective
risk identication is likely to consider both internal actors (such as the institutions
structure, the nature o the institutions activities, the quality o the rms human
resources, organisational changes and employee turnover) and external actors (such
as changes in the industry and technological advances) that could adversely aect
the achievement o the institutions objectives.
3.21 In addition to identiying the most potentially adverse risks, rms will wish to assess
their vulnerability to them. Eective risk assessment allows the rm to better
understand its risk prole and eectively target risk management resources.
3.22 The first stage of such a process would involve the firm identifying the main risks to
which it is or might be exposed and setting up indicators or other monitoring
mechanisms. Risks could be looked at in the context of the overall business strategy
and might not necessarily be considered in isolation. Some firms may choose to
assess the quantitative impact of their material risks. These can also link into (or
help inform) the firm's risk appetite. The following tools can be used for this stage:
i) Risk and Control Self-Assessments (RCSA):8 Most firms conduct some sort
of RCSA, which can include: i) different business areas holding workshops to
assess where they are exposed to risks; ii) business heads being asked to fill
in risk register templates or questionnaires; or iii) a hybrid or combination
of these two approaches. Overall, by assessing its operations and activities, a
firm is seeking to establish where the main risks in that area lie. The process
is internally driven (though it can be led by an external third party) and
often incorporates checklists and/or workshops to identify the strengths and
weaknesses of the operational risk environment. Often, the most effective RCSA
processes address inherent risks as well as the controls to mitigate them.
RCSAs could include the following elements: risk description, risk event type,
risk owner, impact and likelihood (probability) for gross (or inherent) risk,
control, control owner, impact and likelihood for net (or residual) risk, control
effectiveness, and a remedial action plan (if appropriate). The assessment of
gross risk pre-controls is often difficult for firms to undertake and some firms
may benefit from thinking in terms of how much could be lost if key controls
don't work as expected.
It is important for firms using this tool to have a process in place that keeps RCSAs up-to-date and relevant over time.
ii) Business process mapping: With this methodology, firms identify all the steps
within specific business processes or procedures (for example, the life-cycle of
booking and settling a trade) to determine where areas of weakness might lie.
This may result in controls being tightened in these areas. In addition, key risk
indicators could be set up to monitor weak points in processes so that actions
can be taken before weaknesses turn into breaking points. Firms might take a
risk-based approach to which business processes should be mapped in this
way and in what detail.
iii) Scenario analysis: Scenario analysis often involves carrying out workshops in
different areas of the firm where expert judgement is used to ascertain different
risks to which the area might be exposed. The main difference between scenario
and RCSA workshops is that the scenario workshops are meant to investigate
the unexpected or potentially catastrophic losses to which the firm may be
exposed, while the RCSA workshops tend to focus on the expected losses.
Firms could envisage further-reaching scenarios of potential events beyond their
own distress. Firms could use internal data and external data to facilitate the
thinking around the scenarios and to inform and verify the quantification of the
8 In actuality, RCSAs span across multiple stages of the process and can link into scenario analyses and will cover the risk control assessment.
risks. These can include extreme but plausible events and are often focused on
low frequency, high severity events. Scenarios tend to be forward looking.9 It
is generally felt important that enough time is allocated for the running of the
workshops to ensure effective outcomes. Firms using the scenario processes are
unlikely to be able to demonstrate the integrity of the scenarios if the outputs
from the scenario planning workshops are not clearly documented.
Scenario exercises could include: the description of the scenario, including the
cause; key controls; use of internal and external data; control failures implicit
in the scenario; frequency; and impact, including the worst case loss and impact
and any remedial actions. The impact figures of catastrophic events on a firm's
financial position are often assessed using scenarios. Scenarios can also be used
to generate frequency and impact figures for modelling purposes. It is up to
firms to identify the appropriate number of scenarios to use.
It is also important to look out for scenario biases, such as:
Partition dependence: where respondents' knowledge is distorted by the discrete
choice of buckets within which their responses have to be represented.
Availability: where participants recall recent events.
Anchoring: where different starting points yield different estimates.
Motivational: where information is misrepresented because respondents'
interests conflict with the goals and consequences of the assessment.
Overconfidence: where small data samples are applied to the whole population.
3.23 To assist in the risk identification process, firms could use the results of internal
and external audit reports and other available public data. Firms could also
consider any regulatory reports received (e.g. from ARROW and/or SREP
assessments and supervisory correspondence) and any other published FSA
guidance, statements or notices.
3.24 The risk assessment phase provides a good opportunity for firms to check that adequate
controls and mitigants are in place to manage the risks and to consider whether existing
controls might require improving.
3.25 Firms demonstrating good practice in their use of the risk identification and assessment
exercises/tools tend to employ these tools on an annual basis, and more frequently as
required if material changes to business areas occur.
Risk measurement and monitoring
3.26 The next stage of the IMMR process involves the firm setting up specific risk
indicators and thresholds for measuring the identified risks to which the firm is
exposed.10 To meet the requirements of SYSC 4.1.1R firms should also ensure that
9 It is possible for the same risks to appear under both RCSAs and scenarios, once for the expected loss element and, secondly, for the unexpected loss component.
10 It is important that the definitions and scales utilised within risk capture and risk measurement systems are consistent throughout the firm and can be easily understood by those who are expected to work with or record data into these systems.
they have a risk monitoring procedure in place. Some of the elements of this risk
measurement and monitoring phase could include:
i) Key Risk Indicators (KRIs), Key Performance Indicators (KPIs) and/or Key Control Indicators (KCIs)11
These are statistics and/or metrics that can provide insight into a firm's risk
position. These indicators tend to be reviewed on a periodic basis (generally
monthly) to alert firms to changes that are indicative of risk concerns. Such
indicators may include the number of failed trades, staff turnover rates, and
the frequency and/or severity of errors and omissions. Firms could establish
thresholds per indicator, and many monitor them on a red/amber/green
(RAG) basis. Many firms employing this tool ensure that staff understand the
implications, escalation process and actions to be taken when risk indicators go
into the amber or red zones. Firms could benefit from having a robust process
for changing KRI thresholds, with appropriate gatekeepers having ownership of
individual KRIs. KRIs are usually periodically reviewed to assess their relevance.
ii) Early warning indicators/Emerging risk indicators
Firms could identify appropriate indicators that provide early warning of an
increased risk of future losses. Such indicators are usually forward-looking
and reflect potential sources of operational risk, such as rapid growth, the
introduction of new products, employee turnover, transaction breaks, system
downtime, etc. With the setting of appropriate thresholds linked to these
indicators, an effective monitoring process can enable the firm to act upon these
risks appropriately.
iii) Loss data
Firms could maintain a loss database, which captures details of actual
operational losses at the firm, as well as near misses. Data collected could include:
the cause, the event, the date the event took place, the severity, the amount of the
loss, the effect, the risk owner, control failures, the control owner, any recoveries
of gross loss amounts, lessons learnt and any remedial actions. Material
exposures to losses could also be identified.
iv) Risk monitoring
Firms often implement a process to regularly monitor operational risk
profiles and material exposures to losses as an integrated part of the firm's
activities. An effective monitoring system can allow for the quick detection
and correction of deficiencies in the firm's processes and procedures and
can allow for enhancements of the risk-management process. In turn, these
actions can substantially reduce the potential frequency and/or severity of a
loss event. The frequency of monitoring could reflect the risks involved and
the nature of changes to the operating environment. Internal audit and/or
the risk management functions could periodically assess compliance with the
monitoring activities.
11 Some firms may also monitor Key Control Indicators (KCIs). Key indicators can be used both to provide insight regarding the level of risks occurring and to monitor what is happening to the risks.
3.27 Many risk measurement and monitoring processes capture both existing and
forward-looking risks, with firms proactively setting up and refreshing suitable risk
indicators, as well as establishing appropriate time-frames for monitoring the
information obtained from the indicators and their effectiveness.
Risk control
3.28 Firms should have effective processes to manage operational risks. These policies
could be implicitly and/or explicitly linked with the risk appetite of the institution.
3.29 Risk appetite statements could contain a mix of qualitative and quantitative factors
and be capable of being communicated, measured and applied to key risk-generating
areas of a firm. The risk-measurement tools above could be used to assist firms in
ensuring that quantitative aspects of the firm's risk appetite are not breached.
3.30 In our view, firms may wish to consider periodically reviewing and analysing their
risk-control strategies and adjusting their operational risk appetite accordingly, in light of changes to their business models/activities and/or size.
Such analysis could help the institution to identify and distinguish between:
i) which risks12 it is willing to accept as business as usual and hold capital against
or factor into business performance and/or margins;
ii) the risks for which it is willing to invest in controls and mitigants;
iii) which risks could be transferred through insurance;13 and
iv) which risks it should avoid altogether.
3.31 In many firms, the board of directors and senior management are responsible for
establishing a strong internal control culture in which control activities are an
integral part of the regular activities of the institution.
3.32 As mentioned previously, the tools used under the risk identification section, such as
RCSA workshops and scenario analysis workshops, often provide good opportunities
for firms to assess and ultimately strengthen their controls around risks that have
been identified.
3.33 Each cyclical review of the IMMR processes could allow for the review of
control effectiveness as well.
Risk reporting
3.34 The SYSC rules require firms to have effective risk reporting and this process may
involve senior management receiving regular reports reflecting the up-to-date status
of operational risk issues at the firm. The operational risk reports may contain
internal financial, operational, and compliance data, as well as external market
information about events and conditions that are relevant to decision-making.
Reports are usually distributed to appropriate levels of management and to areas of
12 These could include risks that are unmitigated and/or residual risks following mitigation or controls.
13 Where insurance is used as a mitigant, it is essential that the firm undertake a robust gap analysis of the insurer and the policy.
the firm on which areas of concern may have an impact. Reports that fully reflect
any identified problem areas and motivate timely corrective action on outstanding
issues are often most effective. To ensure the usefulness and reliability of these
reports, management could regularly verify the timeliness, accuracy, and relevance of
reporting systems and internal controls in general. Management may also wish to
use reports prepared by external sources (external auditors, regulators) to assess the
usefulness and reliability of internal reports. Reports could be analysed with a view
to improving existing risk management performance, with a focus on the
implications of operational risk breaches for the business. The management
information (MI) reports can also potentially be used to inform and instigate the
development of new risk management policies, procedures, and practices and could
be used to monitor compliance with risk appetite levels.
3.35 To be of most benefit, the MI is likely to be in a form that the users can readily
understand, challenge and act on. It can be useful, for example, to have a high-level
summary of the top risks at the firm in the form of a risk dashboard. Some firms
also find it useful to provide a heat map summary of their risk ranking in such a
way as to show which risks are of higher or lower probability and of higher or lower
impact. This type of report can be developed for each business area as well as the
firm as a whole and can be supported by underlying reports providing more detail.
It can be important for the reports to identify in a clear and easy-to-understand
manner any concentration of risks that might pose a threat to the business and
the reasons for any movements in risk rankings.
3.36 It may also be important to ensure that trend analysis is available for the various
KRIs and that KRIs are appropriately aggregated when amassing data upwards from
smaller business areas to larger regional areas, for example. In our view it is
beneficial that senior management challenge KRI data that never changes, as this may
mean that the KRIs are not measuring true areas of risk, thresholds are not set at
the correct level or controls may be continually failing. The MI reports may want to
highlight any operational risk themes that may be developing.
3.37 Overall, it can be important that the recipients of the reports understand what the
operational risk appetite is at the firm and what the governance procedures are for
changing the information that is set in the reports. Some members of the expert
group argued that it is important to be able to demonstrate effective operational risk
challenge within all decision-making processes.
Other
3.38 Firms could establish a risk identification and control process for new products and
services and consider them in the context of their agreed risk appetite and systems
and controls capabilities. A new product-approval process could encompass the use
of RCSAs, scenarios, and the development of KRIs ahead of any formal sign-off
process. Firms could also identify how the risk information related to the new
products/services can be captured by any MI.
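As an added illustration of the KRI mechanics described in 3.26(i) (per-indicator thresholds, RAG status, escalation) and the points in 3.36 (upward aggregation and challenging KRI data that never moves), the following is example code, not the FSA's or any firm's; the indicator names, thresholds and monthly values are constructed.

```python
"""KRI monitoring on a red/amber/green (RAG) basis: thresholds, escalation,
upward aggregation and a challenge flag for indicators that never move.
Added example for 3.26(i) and 3.36; not FSA or firm code. Indicator names,
thresholds and monthly values are constructed."""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List

@dataclass(frozen=True)
class Threshold:
    amber: float  # at or above this the indicator is amber
    red: float    # at or above this the indicator is red

    def __post_init__(self):
        if self.red <= self.amber:
            raise ValueError("red threshold must exceed amber threshold")

# Constructed escalation path per zone; a firm would substitute its own.
ESCALATION = {
    "GREEN": "no action",
    "AMBER": "KRI owner reviews and records the cause",
    "RED": "escalate to senior management",
}

def rag_status(value: float, t: Threshold) -> str:
    """Classify one observation against its thresholds."""
    if value >= t.red:
        return "RED"
    return "AMBER" if value >= t.amber else "GREEN"

def is_flat(series: List[float], min_points: int = 6) -> bool:
    """True when the KRI never changed over the window (3.36): a candidate
    for challenge (wrong measure, wrong threshold or a failing control)."""
    return len(series) >= min_points and len(set(series)) == 1

def aggregate_upwards(areas: Dict[str, List[float]], rate: bool = False) -> List[float]:
    """Roll business-area series up to a regional series, period by period.
    Counts (failed trades) are summed; rates (turnover %) are averaged."""
    return [mean(c) if rate else sum(c) for c in zip(*areas.values())]

def review_kri(name: str, series: List[float], t: Threshold) -> dict:
    """One row of the periodic KRI report."""
    status = rag_status(series[-1], t)
    return {"kri": name, "latest": series[-1], "status": status,
            "action": ESCALATION[status],
            "trend": series[-1] - series[0],   # movement over the window
            "challenge": is_flat(series)}

# Constructed monthly failed-trade counts for two business areas.
FAILED_TRADES = {"equities": [12, 15, 14, 18, 22, 27],
                 "fixed_income": [5, 5, 5, 5, 5, 5]}
AREA_THRESHOLD = Threshold(amber=10, red=20)
REGION_THRESHOLD = Threshold(amber=30, red=45)

def monthly_report() -> List[dict]:
    """Area rows plus the aggregated regional row."""
    rows = [review_kri(a, s, AREA_THRESHOLD) for a, s in FAILED_TRADES.items()]
    rows.append(review_kri("region", aggregate_upwards(FAILED_TRADES), REGION_THRESHOLD))
    return rows

if __name__ == "__main__":
    for row in monthly_report():
        print(row)
```

Note that the flat fixed_income series is green on its threshold yet carries the challenge flag, which is the 3.36 point: an unchanging KRI is a question for management, not reassurance.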
3.39 Firms could also establish policies for managing the risks associated with
outsourcing activities.
3.40 Firms will wish to provide training to staff engaged in the IMMR processes.
Training could be geared at the various stages of the IMMR process; for example,
certain staff could be trained on how to identify risks that need to be reported.
Selected members of staff may also need to be trained on how to record information
related to the firm's risk events in the firm's loss database. Training may also need to
be tailored for scenario workshop participants. In these circumstances it may prove
beneficial for training programmes to be kept up-to-date as new developments occur,
and to be reviewed periodically.
Challenges
3.41 The presentations and discussions by the expert group members highlighted a
number of challenges surrounding IMMR. These are listed below:
i) Several participants stressed that a culture supportive of operational risk
management at the firm was particularly important for ensuring that
risks were adequately identified and reported on a timely basis. Senior
management support for operational risk policies and procedures was
particularly important where firms were trying to increase the reporting
of risk incidents and to move away from a blame culture.
ii) Most participants stressed the importance of operational risk training in
IMMR. Some firms mentioned that they sometimes found challenges in
ensuring that staff training on operational risk was geared at the right level
for the various types of staff at the firm. It is also important for operational
risk personnel to understand the various businesses in which they are
involved in monitoring risks and setting risk indicators.
iii) Sometimes the RCSA s