GRC Tuesdays: Revisions to the Principles for the Sound Management of Operational Risk
Unless you have been hiding under a rock for the past 20 years, if you are working in or with the banking industry, or have simply been interested in risk management, then you will surely have heard of the Basel Accords (Basel I, Basel II and of course, as for all good series, Basel III) issued by the Basel Committee on Banking Supervision – AKA the “Basel Committee”.
I’m not going to go over the details and history of the Basel Accords in this blog. For this, I would suggest you have a look at the History of the Basel Committee page. But in a nutshell, these are a set of recommendations for regulations in the banking industry – and include a particular focus on operational risks. Operational risks are of particular interest here for Governance, Risk and Compliance since they are defined as resulting from “inadequate or failed internal processes, people and systems or from external events”. In its guidance, the Basel Committee specifies that this definition includes legal risks but excludes strategic and reputational risks. For other industries that don’t need to calculate their capital exposure for regulatory purposes though, I would recommend including these risks as well.
In August 2020, the Basel Committee issued a consultation on its revision to the Principles for the Sound Management of Operational Risk, which would be the third version since the inception of this original document in 2003. All previous publications can be found online of course, directly on the website of the Bank for International Settlements where the Basel Committee is headquartered:
* 2003 Sound Practices for the Management and Supervision of Operational Risk
* 2011 Principles for the Sound Management of Operational Risk
* 2014 Review of the Principles for Sound Management of Operational Risk
Before I even start, I have an admission to make: I am very biased. I believe that these principles are very clear, provide actionable guidance and do not make use of the often too technical risk jargon that we encounter in many publications.
In addition, even if there are of course a few banking specificities, to me these principles apply to companies of all sizes, industries or geographies. This is why I decided to write a blog summarizing this revision, and why I often recommend companies have a look at the Basel Committee’s guidelines.
Have a read through this and then let’s discuss if you feel they are not applicable to some companies!
What is it about?
As for the previous revisions, this document introduces once again the definition of operational risks, the risk management process itself and the three lines of defence framework – and defines the roles and responsibilities of each line. Just so that we’re all on the same page.
Once these introductions are completed, the authors progress to detailing 12 guiding principles. These principles are organized around the entire risk management process and its various stakeholders: the Operational Risk Culture and Framework (principles 1 and 2), Governance (principles 3 and 4), Senior Management (principle 5), Risk Management Environment (principles 6, 7, 8 and 9), Information and Communication Technology (principle 10), Business Continuity Planning (principle 11), and Role of Disclosure (principle 12).
The 12 Principles
Operational Risk Culture and Framework
(Note: this one is my labelling, not the authors’)
Principle 1: The board of directors should take the lead in establishing a strong risk management culture, implemented by senior management. The board of directors and senior management should establish a corporate culture guided by strong risk management, set standards and incentives for professional and responsible behaviour, and ensure that staff receives appropriate risk management and ethics training.
- This is the tone at the top that most risk management guidelines recommend starting with. And from my experience, the code of conduct with its do’s and don’ts really defines the way the risk culture is enabled within the organization, and naturally promotes ethical behaviours.
Principle 2: Banks should develop, implement and maintain an operational risk management framework (ORMF) that is fully integrated into the bank’s overall risk management processes. The ORMF adopted by an individual bank will depend on a range of factors, including the bank’s nature, size, complexity and risk profile.
- One size fits all might be good for baseball caps, but clearly not in risk management. The risk management activity not only needs to be adapted to the organization, but also has to be natively embedded within the processes to be effective. Running it side by side with business operations will only give a false impression of control, with after-the-fact updates, and prevents the implementation of a truly proactive risk management approach that would enable issues to be detected early.
Principle 3: The board of directors should oversee material operational risks and the effectiveness of key controls, and ensure that senior management implements the policies, processes and systems of the ORMF effectively at all decision levels.
- This section continues with the tone at the top but also operationalises it. Management needs to know what the expectations are so that they can design effective policies that will be rolled out to the first line, the business unit management. And importantly, these policies must be reviewed regularly so that they remain fully applicable.
Principle 4: The board of directors should approve and periodically review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk the bank is willing to assume.
- The publication makes an interesting observation here. It recommends that the risk appetite should be “easy to communicate and therefore easy for all stakeholders to understand”. It may seem an obvious statement, but I have seen many cases where management didn’t have a full understanding of the risk appetite, therefore hindering the alignment of board expectations with operational policies.
Principle 5: Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank’s material products, activities, processes and systems consistent with the bank’s risk appetite and tolerance statement.
- This is where senior management translates the risk management framework into an operational model based on the Three Lines of Defence, and then rolls it out to the various departments within the company. A crucial piece of the jigsaw.
Risk Management Environment
(including Identification and Assessment, Monitoring and Reporting, Control and Mitigation)
Principle 6: Senior management should ensure the comprehensive identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.
- This is of course the “Risk Assessment” section of ISO 31000, but it also extends to “Risk Treatment” and “Monitoring” aspects, since the Basel Committee on Banking Supervision includes control monitoring and metrics to monitor risk exposure.
Principle 7: Senior management should ensure that the bank’s change management process is comprehensive, appropriately resourced and include continuous risk and control assessments, adequately articulated between the relevant lines of defence.
- The publication here highlights that a new risk management cycle should be triggered whenever a change occurs (entering a new market, implementing a new process, etc.) so that risk-based decision making is applied when embarking on a new or revised strategy.
Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material operational exposures. Appropriate reporting mechanisms should be in place at the board of directors, senior management, and business unit levels to support proactive management of operational risk.
- I have already discussed many times in these GRC Tuesdays blogs the necessity of continuous monitoring of the risk information. An outdated risk report is indeed only useful as a post-mortem… The guidance makes this point even more eloquently: a “bank should ensure that its reports are comprehensive, accurate, consistent and actionable across business units and products”.
Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.
- This last section in risk management takes the reader through the Risk Treatment aspect of ISO 31000 by leveraging controls – including segregation of duties, but also policies, non-compliance resolutions, and risk transfer (i.e. to another party, for example through insurance). Together, they will help reduce the residual risk to its desired level.
Information and communication technology
Principle 10: Banks should implement robust ICT [Information and Communication Technology] that is consistent with their risk appetite and tolerance statement for operational risk and ensures that their ICT fully supports and facilitates their operations. ICT should be subject to appropriate risk identification, protection, detection, response and recovery programmes that are regularly tested, incorporate appropriate situational awareness, and convey relevant information to users on a timely basis.
- Working in the software industry, I would of course concur with this point! But the Basel Committee makes an additional point in that “senior management should routinely evaluate the design, implementation and effectiveness of the ICT framework”. As for many readers I am sure, there are too many examples of tools that were chosen at one point in time to answer a specific requirement, slowly lost their purpose over time, but continue to be used even if no one is sure why… Much like outdated controls that are routinely performed “because we’ve always done them” but that no longer cover an active risk or no longer align with the process they monitor.
Business continuity planning
Principle 11: Banks should have business continuity plans in place to ensure their ability to operate on an ongoing basis and limit losses in the event of a severe business disruption.
- Business continuity is not a separate activity! And that’s the title of a dedicated blog that I’ll soon release on this very topic so watch this space. But in short: business continuity planning should be embedded directly in the Governance, Risk, and Compliance process – as a continuous virtuous circle.
Role of Disclosure
Principle 12: A bank’s public disclosures should allow stakeholders to assess its approach to operational risk management and its operational risk exposure.
- As for most organizations, banks of course have to disclose risk information. But there is an additional comment from the authors that I find invaluable: a “bank should disclose its ORMF [Operational Risk Management Framework] in a manner that allows stakeholders to determine whether the bank identifies, assesses, monitors and controls/mitigates operational risk effectively”. Let’s be candid: how many integrated reports have you read where, at the end of the risk section, you didn’t really know whether the risks were under control? Transparency is key here. Yes, it’s undeniable that risk information is sensitive, but shareholders are entitled to know what could impact the company and what is done to mitigate it.
As you can read, you could simply replace “banks” by “organizations” and these principles would apply to any company, regardless of its shape or size. As a result, even if your company is not in banking, I would highly recommend reading this publication. Cross-pollination of risk management best practices across industries and geographies is what makes this discipline so strong in my mind. And also so capable of evolving and adapting!
What about you, do you also feel these principles could be applied more widely? I look forward to reading your thoughts and comments either on this blog or on Twitter @TFrenehard