CORPORATE OPERATIONAL RISK FUNCTION (CORF)

Part of the document Operational and integrated risk management FRM (pages 139 - 143)

AIM 44.2: Define and describe the corporate operational risk function (CORF) and compare and contrast the structure and responsibilities of the CORF at smaller and larger banks.

The bank's specific business lines monitor, measure, report, and manage operational and other risks. The corporate operational risk function (CORF), also known as the corporate operational risk management function, is a functionally independent group that complements the business lines' risk management operations. The CORF is responsible for designing, implementing, and maintaining the bank's operational risk framework.

Responsibilities of the CORF may include:

• Measurement of operational risks.

• Establishing reporting processes for operational risks.

• Establishing risk committees to measure and monitor operational risks.

• Reporting operational risk issues to the board of directors.

In general, the CORF must assess and challenge each business line's contributions to risk measurement, management, and reporting processes.

Larger, more complex banking institutions will typically have a more formalized approach to the implementation of the lines of defense against operational risks, including the implementation of the CORF. For example, a large bank may have a fully staffed group skilled specifically in operational risk management, while a smaller bank may simply fold operational risk management into the broader risk management function of the bank.

PRINCIPLES OF OPERATIONAL RISK MANAGEMENT

AIM 44.3: Summarize the eleven fundamental principles of operational risk management as suggested by the Basel committee.

Operational risks must be proactively managed by a bank's board of directors and senior managers as well as its business line managers and employees. The 11 fundamental principles of operational risk management suggested by the Basel Committee are:

1. The maintenance of a strong risk management culture led by the bank's board of directors and senior managers. This means that both individual and corporate values and attitudes should support the bank's commitment to managing operational risks.

2. The operational risk framework (referred to as the “Framework” in this topic) must be developed and fully integrated into the overall risk management processes of the bank.

©2013 Kaplan, Inc.

Topic 44

Cross Reference to GARP Assigned Reading — Basel Committee on Banking Supervision

3. The board should approve and periodically review the Framework. The board should also oversee senior management to ensure that appropriate risk management decisions are implemented at all levels of the firm.

4. The board must identify the types and levels of operational risks the bank is willing to assume as well as approve risk appetite and risk tolerance statements.

5. Consistent with the bank's risk appetite and risk tolerance, senior management must develop a well-defined governance structure within the bank. The structure must be implemented and maintained throughout the bank's various lines of business, its processes, and its systems. The board of directors should approve this governance structure.

6. Senior management must understand the risks, and the incentives related to those risks, inherent in the bank's business lines and processes. These operational risks must be identified and assessed by managers.

7. New lines of business, products, processes, and systems should require an approval process that assesses the potential operational risks. Senior management must make certain this approval process is in place.

8. A process for monitoring operational risks and material exposures to losses should be put in place by senior management and supported by senior management, the board of directors and business line employees.

9. Banks must put strong internal controls, risk mitigation, and risk transfer strategies in place to manage operational risks.

10. Banks must have plans in place to survive in the event of a major business disruption. Business operations must be resilient.

11. Banks should make disclosures that are clear enough that outside stakeholders can assess the bank's approach to operational risk management.

The Role of the Board and Senior Management

AIM 44.4: Evaluate the role of the Board of Directors as well as senior management in implementing an effective operational risk structure per the Basel committee recommendations.

The attitudes and expectations of the board of directors and senior management are critical to an effective operational risk management program.

With respect to Principle 1, the board of directors and/or senior management should:

• Provide a sound foundation for a strong risk management culture within the bank. A strong risk management culture will generally mitigate the likelihood of damaging operational risk events.

• Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical behavior. The board of directors should support senior managers in producing a code of conduct. Risk management activities should reinforce the code of conduct. The code should be reflected in training and compensation as well as risk management. There should be a balance between risks and rewards. Compensation should be aligned not just with performance, but also with the bank's risk appetite, strategic direction, financial goals, and overall soundness.

• Provide risk training throughout all levels of the bank. Senior management should ensure training reflects the responsibilities of the person being trained.

With respect to Principle 2, the board of directors and/or senior management should:

• Thoroughly understand both the nature and complexity of the risks inherent in the products, lines of business, processes, and systems in the bank. Operational risks are inherent in all aspects of the bank.

• Ensure that the Framework is fully integrated in the bank's overall risk management plan across all levels of the firm (i.e., business lines, new business lines, products, processes, and/or systems). Risk assessment should be a part of the business strategy of the bank.

With respect to Principle 3, the board of directors and/or senior management should:

• Establish a culture and processes that help bank managers and employees understand and manage operational risks. The board must develop comprehensive and dynamic oversight and control mechanisms that are integrated into risk management processes across the bank.

• Regularly review the Framework.

• Provide senior management with guidance regarding operational risk management and approve policies developed by senior management aimed at managing operational risk.

• Ensure that the Framework is subject to independent review.

• Ensure that management is following best practices in the field with respect to operational risk identification and management.

• Establish clear lines of management responsibility and establish strong internal controls.

With respect to Principle 4, the board of directors and/or senior management should:

• Consider all relevant risks when approving the bank's risk appetite and tolerance statements. The board must also consider the bank's strategic direction. The board should approve risk limits and thresholds.

• Periodically review the risk appetite and tolerance statements. The review should specifically focus on:

  * Changes in the market and external environment.

  * Changes in business or activity volume.

  * Effectiveness of risk management strategies.

  * The quality of the control environment.

  * The nature of, frequency of, and volume of breaches to risk limits.

With respect to Principle 5, the board of directors and/or senior management should:

• Establish systems to report and track operational risks and maintain an effective mechanism for resolving problems. Banks should demonstrate the effective use of the three lines of defense to manage operational risk, as outlined by the Basel Committee.

• Translate the Framework approved by the board into specific policies and procedures used to manage risk. Senior managers should clearly assign areas of responsibility and should ensure a proper management oversight system to monitor risks inherent in the business unit.

• Ensure that operational risk managers communicate clearly with personnel responsible for market, credit, liquidity, interest rate, and other risks and with those procuring outside services, such as insurance or outsourcing.

• Ensure that CORF managers have sufficient stature in the bank, commensurate with market, credit, liquidity, interest rate, and other risk managers.

• Ensure that the staff is well trained in operational risk management. Risk managers should have independent authority relative to the operations they oversee.

• Develop a governance structure of the bank that is commensurate with the size and complexity of the firm. Regarding the governance structure, the bank should consider:

  * Committee structure: for large, complex banks, a board-created firm level risk committee should oversee all risks. The management-level operational risk committee would report to the enterprise level risk committee.

  * Committee composition: committee members should have business experience, financial experience, and independent risk management experience. Independent, non-executive board members may also be included.

  * Committee operation: committees should meet frequently enough to be productive and effective. The committee should keep complete records of committee meetings.

With respect to Principle 6, the board of directors and/or senior management should:

• Consider both internal and external factors to identify and assess operational risk. Examples of tools that may be used to identify and assess risk are described in AIM 44.6.

With respect to Principle 7, the board of directors and/or senior management should:

• Maintain a rigorous approval process for new products and processes. The bank should make sure that risk management operations are in place from the inception of new activities because operational risks typically increase when a bank engages in new activities or new product lines, enters unfamiliar markets, implements new business processes, puts into operation new technology, and/or engages in activities that are geographically distant from the main office.

• Thoroughly review new activities and product lines, reviewing inherent risks, potential changes in the bank's risk appetite or risk limits, necessary controls required to mitigate risks, residual risks, and the procedures used to monitor and manage operational risks.

With respect to Principle 8, the board of directors and/or senior management should:

• Continuously improve the operational risk reporting. Reports should be manageable in scope but comprehensive and accurate in nature.

• Ensure that operational risk reports are timely. Banks should have sufficient resources to produce reports during both stressed and normal market conditions. Reports should be provided to the board and senior management.

• Ensure that operational risk reports include:

  * Breaches of the bank's risk appetite and tolerance statement.

  * Breaches of the bank's thresholds and risk limits.

  * Details of recent operational risk events and/or losses.

  * External events that may impact the bank's operational risk capital.

  * Both internal and external factors that may affect operational risk.

With respect to Principle 9, the board of directors and/or senior management should have a sound internal control system as described in AIM 44.7 (an effective control environment) and 44.8 (managing technology and outsourcing risks).

Banks may need to transfer risk (e.g., via insurance contracts) if it cannot be adequately managed within the bank. However, sound risk management controls must be in place and thus risk transfer should be seen as a complement to, rather than a replacement for, risk management controls. New risks, such as counterparty risks, may be introduced when the bank transfers risk. These additional risks must also be identified and managed.

With respect to Principle 10, the board of directors and/or senior management should:

• Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology, damaged facilities, pandemic illnesses that affect personnel, and so on). Plans should include impact analysis and plans for recovery. Continuity plans should identify key facilities, people, and processes necessary for the business to operate. The plan must also identify external dependencies such as utilities, vendors, and other third party providers.

• Periodically review continuity plans. Personnel must be trained to handle emergencies and, where possible, the bank should perform disaster recovery and continuity tests.

With respect to Principle 11, the board of directors and/or senior management should:

• Write disclosures such that stakeholders can assess the bank's operational risk management strategies.

• Disclosures should be consistent with board of directors and senior management risk management procedures. The disclosure policy should be established by the board of directors and senior management and approved by the board of directors. The bank should also be able to verify disclosures.
