Book 3. Operational Risk
FRM Part 2
OR 2. Risk Governance

Presented by: Sudhanshu
Module 1. Operational Risk Regulation and Governance
Module 2. Three Lines of Defense, Risk Appetite and Risk Culture
Module 1. Operational Risk Regulation and Governance
Topic 1. Basel II Operational Risk
Topic 2. Pillar 1: Principles for the Sound Management of Operational Risk
Topic 3. Pillar 1: Capital Calculation
Topic 4. Pillar 2: Operational Risk Capital
Topic 5. Regulatory Expectations
Topic 6. Risk Committee Structure
Topic 7. Governance and Risk Documentation
Topic 8. Board of Directors Role (Operational Risk)
Topic 9. Board of Directors Role (Operational Resilience)
Topic 1. Basel II Operational Risk
- Basel II regulates operational risk through three pillars (later extended by Basel III).
- Pillar 1: Regulatory Capital
  - Minimum capital required to cover unexpected losses from credit, market, and operational risk.
  - Minimum liquidity coverage ratios (added under Basel III) to manage liquidity risk.
  - The Basel Committee's Principles for the Sound Management of Operational Risk.
- Pillar 2: Supervisory Review Process
  - Extra capital requirements beyond Pillar 1 for risks not explicitly captured there (e.g., concentration, compliance, and governance risk).
  - Voluntary disclosures and the bank's own self-assessment, both subject to supervisory review.
- Pillar 3: Market Discipline
  - Required quarterly and annual financial and risk disclosures by banks.
  - The underlying idea is that a bank taking greater risks must hold greater capital reserves, and the market can see whether it does.
Topic 2. Pillar 1: 12 Principles for the Sound Management of Operational Risk
- The BCBS has developed 12 principles for sound operational risk management:
  - An operational risk culture directed by the board of directors and implemented by senior management.
  - Maintaining a robust Operational Risk Management Framework (ORMF).
  - Board analysis and validation of the ORMF.
  - Board regularly assesses and signs off on operational risk appetite and tolerance statements.
  - Clear description of senior management's ORM responsibilities.
  - Thorough description and evaluation of operational risk for key business activities.
  - Thorough preparation and communication of the change management process.
  - Ongoing review of the operational risk profile and exposures.
  - Secure and stable controls (e.g., internal controls, risk mitigation, training, risk transfer methods).
  - Reliable information and communication technology (ICT) consistent with the ORMF.
  - Established business continuity plans consistent with the ORMF.
  - External disclosures on the ORM approach and risk exposures.
Topic 3. Pillar 1: Capital Calculation
- Effective January 2023, a single capital measure, the Standardized Approach (SA), replaces the earlier Basel II approaches.
- Operational Risk Capital (ORC) equation:
  ORC = Business Indicator Component (BIC) × Internal Loss Multiplier (ILM)
- Business Indicator Component (BIC):
  - A percentage of the Business Indicator (BI), itself a three-year average of income-statement components (analogous to gross income).
  - BI = Interest, Leases, and Dividend Component (ILDC) + Services Component (SC) + Financial Component (FC).
  - SC: the higher of fee income and fee expenses, plus the higher of other operating income and other operating expense.
  - FC: the absolute value of the net income/loss of the trading book plus the absolute value of the net income/loss of the banking book (a loss adds to BI just as a gain does).
  - BIC coefficients, applied marginally to slices of BI (in the same way as tax brackets):
    - 12% on the first EUR1 billion of BI.
    - 15% on the slice of BI between EUR1 billion and EUR30 billion.
    - 18% on the slice of BI above EUR30 billion.
  - The increasing coefficients indicate regulators believe operational risk grows more than proportionally with size, so larger banks need proportionally more capital.
- Internal Loss Multiplier (ILM): penalizes banks whose historical losses are high relative to their BIC and rewards those whose losses are low.
  - Loss Component (LC) = 15 × average annual operational losses over the last 10 consecutive years.
  - ILM = ln(e - 1 + (LC / BIC)^0.8)
  - ILM scenarios:
    - ILM = 1 if LC = BIC. National supervisors may also set ILM = 1 for all banks for simplicity.
    - ILM > 1 if LC > BIC; more capital is required.
    - ILM < 1 if LC < BIC; less capital is required.
Practice Questions: Q1
Q1. The Rosedale Community Bank (RCB) has average annual performance over the past three years as follows:

| Category | Amount (EUR) |
|---|---|
| Interest, leases, and dividend income | 740 million |
| Fee income | 185 million |
| Fee expenses | 125 million |
| Other operating income | 45 million |
| Other operating expense | 25 million |
| Net (loss) of banking and trading book | (100 million) |

Using only the information provided, what is the yearly average business indicator (BI) for RCB using the standardized approach?
A. EUR720 million.
B. EUR870 million.
C. EUR920 million.
D. EUR1,070 million.
Practice Questions: Q1 Answer
Explanation: D is correct.
- BI = interest, leases, and dividend component (ILDC) + services component (SC) + financial component (FC)
- ILDC = EUR740 million
- SC consists of the higher of fee income and fee expenses plus the higher of other operating income and operating expense = EUR185 million + EUR45 million = EUR230 million
- FC consists of the absolute value of the net income/loss of the banking book and the trading book = EUR100 million
- BI = EUR740 million + EUR230 million + EUR100 million = EUR1,070 million
Practice Questions: Q2
Q2. The following data on a bank is available:
- Annual operational losses incurred over the last 10 consecutive years = EUR80 million
- Business indicator component (BIC) = EUR900 million
Using the standardized approach for calculating operational risk capital, which of the following statements is most accurate?
A. The internal loss multiplier (ILM) is less than 1.
B. The internal loss multiplier (ILM) is greater than 1.
C. The percentage used to calculate the business indicator component (BIC) is 15%.
D. The percentage used to calculate the business indicator component (BIC) is 18%.
Practice Questions: Q2 Answer
Explanation: B is correct.
- Note that the question gives the BIC, not the BI. The 12% coefficient applies to the first EUR1 billion of BI and can contribute at most EUR120 million to BIC, so a BIC of EUR900 million implies a BI well above EUR1 billion (in the EUR1 billion to EUR30 billion range, where both the 12% and the 15% coefficients apply). Neither C nor D is therefore the single most accurate statement.
- The loss component (LC) is 15 × average annual operational losses over the last 10 consecutive years = 15 × EUR80 million = EUR1,200 million.
- Because LC > BIC, ILM > 1 (about 1.09 from ILM = ln(e - 1 + (LC/BIC)^0.8)), and more capital is required.
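The following worked example is added here and is not part of the original slides or of any regulatory text; it implements the Standardized Approach formulas above in Python, reproduces practice questions Q1 and Q2, and goes one step beyond the slides by applying the BIC coefficients marginally to the BI slices and evaluating the ILM formula numerically. All function and field names are mine, the ten-year loss history for Q2 is constructed so that it averages EUR80 million, and assigning RCB's single combined EUR100 million net loss entirely to the trading book is an assumption (the absolute-value sum is the same however it is split).

```python
"""Basel III Standardized Approach (SA) operational risk capital: ORC = BIC x ILM.

Added worked example, not from the original slides. Reproduces practice
questions Q1 and Q2 and applies the BIC coefficients marginally.
"""
from dataclasses import dataclass
from math import exp, log
from statistics import mean

# Marginal BI slices (EUR) and coefficients: 12% on the first EUR1bn of BI,
# 15% on the slice from EUR1bn to EUR30bn, 18% on everything above EUR30bn.
BI_SLICES = (
    (1_000_000_000, 0.12),
    (30_000_000_000, 0.15),
    (float("inf"), 0.18),
)


@dataclass(frozen=True)
class BIInputs:
    """Three-year average income-statement figures feeding the Business Indicator."""
    ildc: float                 # interest, leases and dividend component, taken as given (as on the slides)
    fee_income: float
    fee_expense: float
    other_op_income: float
    other_op_expense: float
    net_pl_trading_book: float  # net P&L of the trading book (may be negative)
    net_pl_banking_book: float  # net P&L of the banking book (may be negative)


def services_component(x: BIInputs) -> float:
    """SC = max(fee income, fee expense) + max(other operating income, other operating expense)."""
    return max(x.fee_income, x.fee_expense) + max(x.other_op_income, x.other_op_expense)


def financial_component(x: BIInputs) -> float:
    """FC = |net P&L trading book| + |net P&L banking book|; a loss counts as much as a gain."""
    return abs(x.net_pl_trading_book) + abs(x.net_pl_banking_book)


def business_indicator(x: BIInputs) -> float:
    """BI = ILDC + SC + FC."""
    return x.ildc + services_component(x) + financial_component(x)


def bic(bi: float) -> float:
    """Business Indicator Component with the coefficients applied slice by slice."""
    if bi < 0:
        raise ValueError("BI cannot be negative")
    total, lower = 0.0, 0.0
    for upper, coeff in BI_SLICES:
        total += coeff * max(0.0, min(bi, upper) - lower)
        lower = upper
    return total


def loss_component(annual_losses: list[float]) -> float:
    """LC = 15 x average annual operational loss over the look-back window (10 years in the SA)."""
    if not annual_losses:
        raise ValueError("loss history required")
    return 15.0 * mean(annual_losses)


def ilm(lc: float, bic_value: float, supervisor_sets_ilm_to_one: bool = False) -> float:
    """ILM = ln(e - 1 + (LC/BIC)^0.8); equals exactly 1 when LC = BIC.

    A national supervisor may use its discretion to set ILM = 1 for all banks.
    """
    if supervisor_sets_ilm_to_one:
        return 1.0
    if bic_value <= 0:
        raise ValueError("BIC must be positive")
    return log(exp(1.0) - 1.0 + (lc / bic_value) ** 0.8)


def operational_risk_capital(bi: float, annual_losses: list[float], **ilm_kwargs) -> float:
    """ORC = BIC x ILM."""
    b = bic(bi)
    return b * ilm(loss_component(annual_losses), b, **ilm_kwargs)


# --- Q1: Rosedale Community Bank (figures from the slides, in EUR) ---
# The slides give one combined EUR100m net loss for the banking and trading books;
# putting it all in the trading book is an assumption made for this example.
RCB = BIInputs(
    ildc=740e6, fee_income=185e6, fee_expense=125e6,
    other_op_income=45e6, other_op_expense=25e6,
    net_pl_trading_book=-100e6, net_pl_banking_book=0.0,
)

# --- Q2: BIC of EUR900m and average annual losses of EUR80m over ten years ---
# Constructed loss history (not from the slides) whose ten-year average is EUR80m.
Q2_LOSSES = [60e6, 90e6, 70e6, 110e6, 80e6, 50e6, 120e6, 75e6, 85e6, 60e6]
Q2_BIC = 900e6

if __name__ == "__main__":
    bi_rcb = business_indicator(RCB)
    print(f"Q1 BI = EUR{bi_rcb / 1e6:,.1f}m -> BIC = EUR{bic(bi_rcb) / 1e6:,.1f}m")
    lc_q2 = loss_component(Q2_LOSSES)
    print(f"Q2 LC = EUR{lc_q2 / 1e6:,.0f}m -> ILM = {ilm(lc_q2, Q2_BIC):.4f}")
```

Running it reproduces Q1's BI of EUR1,070 million, which yields a BIC of EUR130.5 million (12% of the first EUR1 billion plus 15% of the remaining EUR70 million), and Q2's ILM of roughly 1.09, i.e., the bank must hold about 9% more than its BIC. Passing `supervisor_sets_ilm_to_one=True` shows the effect of the national discretion mentioned on the slide.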
Topic 4. Pillar 2: Operational Risk Capital
- Pillar 2 supplements the Pillar 1 capital requirements and aims to reflect a specific bank's own risk exposure more closely.
- Examples of risks addressed by Pillar 2:
  - Excessive geographic or sector concentrations.
  - Exceedingly rapid business growth.
  - Weak risk management methods.
- Regulators may require additional capital for these incremental operational risks.
- Regulators examine all of a bank's activities for compliance with regulatory requirements and follow up on additional risks revealed by stress testing.
- Regulators must be satisfied that the bank's capital reserves align with the risks taken.
- Solvency assessment (long-term in nature):
  - Identifying significant threats and scenarios for major loss events.
  - Assessing the bank's resilience to sudden events impacting operations and profits.
- Pillar 2 also analyzes the bank's governance processes, values, mission, and managers' ability to fulfill their roles (e.g., providing thorough risk reporting).
Topic 5. Regulatory Expectations
- Five of the Basel Core Principles for Effective Banking Supervision are particularly relevant to a supervisor's assessment of an ORMF:
  - Principle 8: Supervisors apply a forward-looking assessment of banks' risk profiles in relation to their systemic importance.
  - Principle 14: Supervisors ensure banks have strong corporate governance policies and procedures.
  - Principle 15: Supervisors ensure banks have a thorough risk management process capable of timely identification, measurement, assessment, monitoring, reporting, and control of significant risks.
  - Principle 25: Supervisors ensure banks have a proper ORMF that considers risk appetite, risk profile, market, and other macroeconomic factors.
  - Principle 26: Supervisors ensure banks have sufficient internal controls for well-controlled business operations in relation to their risk profile.
- Supervisors should perform ongoing review of a bank's ORMF, including its policies, procedures, and IT systems.
- Significant deficiencies require supervisory action.
- Supervisors should note past and planned improvements to support continuous improvement.
- Regulators expect ORM to be integrated as an essential part of business operations, with employees at all levels involved in risk-related decision-making.
- Operational risk reports assist in evaluating ORMFs. Regulators often ask:
  - Do incident reports capture all significant incidents, determine underlying causes, and offer improvement takeaways? Are "close calls" (near misses) reported?
  - Is there a stable, methodical approach to internal risk and control assessments by qualified staff? Are these assessments cross-examined for reliability?
  - Has management determined appropriate and relevant risk indicators? How are they computed objectively and updated?
  - Do scenarios cover a wide range, including extreme but plausible scenarios? Are assessments fair and detailed?
  - Is the overall ORMF reasonably thorough based on available information?
  - Is the information useful for the given management level?
- Regulators prefer sufficient documentation (e.g., meeting minutes) and thorough reporting to evidence solid risk management processes, especially for smaller banks, which may lack robust governance.
Topic 6. Risk Committee Structure
- Operational risk committee scope varies with bank size. Small banks may have one committee with both oversight and reporting duties.
- Large banks likely have multiple committees for different business lines.
- Expanded risk committee structure for a large bank:
  - Lowest level:
    - Numerous smaller risk committees focused on specific business activities (e.g., personal banking, trading, asset management) or countries.
    - Provide valuable data for firmwide operational risk assessment and escalate crucial issues.
  - Middle level:
    - An organization-wide risk committee gathers information and manages overall operational risk for the entire organization.
    - Reports regularly to the executive risk committee and the board risk committee.
  - Top level:
    - The board (enterprise) risk committee oversees the middle and lowest levels of operational risk management.
    - Provides recommendations to the board on risk exposures and key risk decisions.
    - Oversees evaluation of major operational risk incidents and deals with escalated issues.
    - Members must have pertinent and current risk management experience.
Topic 7. Governance and Risk Documentation
- Each committee has a terms of reference (TOR) document that:
  - States its mission and objective.
  - Outlines membership duties and functions.
  - Specifies meeting frequency.
- Committees analyze risk information and reporting to ensure congruence with risk decisions.
- They analyze and approve ORM policies and procedures within the bank.
- Careful documentation of the agenda, actions taken, and their justifications (in meeting minutes) demonstrates sufficient operational risk governance to supervisors.
- Policies and procedures:
  - Serve as internal controls and provide detailed steps for specific processes.
  - Act as initial or refresher training for employees to minimize errors.
  - Remain useful only if actively used, change appropriately with business and industry practices, and are consistent with day-to-day operations.
Topic 8. Board of Directors Role (Operational Risk)
- Among its duties, the board must consider risk management, specifically establishing the bank's risk tolerance and ensuring the bank operates within those constraints.
- Specific duties of the board in an ORMF context (per regulators):
  - Approving the ORMF.
  - Establishing ongoing updates to the ORMF.
  - Ensuring senior management executes ORMF policies and procedures throughout all levels of the bank.
- The board must create a risk management culture that is articulated throughout the bank to staff at all levels.
- Training is crucial for fulfilling this requirement, for both board members and relevant staff involved in ORM.
Topic 9. Board of Directors Role (Operational Resilience)
- The board must clearly articulate, throughout the organization, its approach to and goals for operational resilience.
- This approach requires integrating the bank's risk tolerance with its capacity to withstand interruption to key operations.
- It must also account for how the bank can continue to operate effectively in "stressed" situations that are severe, low probability, but reasonably foreseeable.
- Senior management reports to the board on the operational resilience methodology, and the board should request periodic reports, especially regarding major issues impacting normal operations.
- The board is responsible for directing sufficient funds and support toward promoting operational resilience within the bank.
- Training in operational resilience is crucial for both the board and all relevant employees.
- Board members must have relevant skills and experience to properly perform their roles.
Practice Questions: Q3
Q3. Within a bank, who is ultimately responsible for operational risk management and resilience?
A. Employees.
B. Chief risk officer.
C. Board of directors.
D. Senior management team.
Practice Questions: Q3 Answer
Explanation: C is correct.
The board of directors is ultimately responsible for the operational risk management function, though risk management tasks are delegated to senior management and employees. The chief risk officer would be considered part of senior management, but that role does not assume ultimate responsibility for risk management.
Module 2. Three Lines of Defense, Risk Appetite and Risk Culture
Topic 1. Three Lines of Defense Model
Topic 2. Delineation of the Lines of Defense
Topic 3. First Line of Defense
Topic 4. Risk Specialists
Topic 5. Second Line of Defense
Topic 6. Third Line of Defense
Topic 7. Risk Appetite (Regulatory Expectations)
Topic 8. Risk Appetite (Best Practices)
Topic 9. Risk Culture
Topic 1. Three Lines of Defense Model
- Controls and risk management within a bank can be thought of as three interconnected lines:
  - Line 1: Individual business unit management, or the "front line".
  - Line 2: Objective review of the risk management process in Line 1, including cross-examination of the risk management work done by business units in Line 1. Also known as the corporate operational risk function (CORF).
  - Line 3: Objective internal audit of the work performed in Lines 1 and 2.
- Implementing the three lines in practice can be problematic, with differences depending on bank size and structure.
- Differentiating between the three lines can be difficult due to the decentralized nature of ORM.
- Some areas of risk management (e.g., legal and compliance, IT security) overlap multiple lines and cannot be classified into only one line.
Topic 2. Delineation of the Lines of Defense
- The roles and duties performed in each group best delineate the three lines.
- Maintaining the independence and objectivity of the CORF (Line 2) is key:
  - Smaller entities may achieve this through segregation of duties and independent review.
  - Larger entities require the CORF to design and manage the ORMF while being wholly separate from risk-generating groups.
  - A thorough clarification of CORF objectives and duties, consistent with the bank's operational scope, is needed.
- In banks that are not sufficiently large, some groups may not clearly delineate between first-line and second-line roles:
  - Due to staffing shortages, first-line and second-line duties may combine into a hybrid function within the same group (e.g., legal, HR, finance).
  - In such cases, the BCBS mandates clarity in delineating duties and careful demonstration of independence between the two lines.
  - Example: a legal department that writes contracts (Line 1) and deals with litigation (Line 2) as a hybrid function must ensure different employees perform these duties.
Topic 3. First Line of Defense
- The front line comprises the "business", i.e., the risk owners.
- Risk owners generate, measure, and manage risks. For example, the head of the trading department "owns" trading risk.
- Risk is managed by the risk owners (employees and department heads), not solely by the risk management department.
- A proper first line of defense would:
  - Identify the significant operational risks faced by the bank that need to be managed.
  - Create sufficient controls to deal with those risks.
  - Evaluate whether the controls operate as intended.
  - Provide oversight and reporting of operational risk within the business line.
- If the front line cannot perform its operational risk duties, it must inform the CORF (Line 2).
- Control weaknesses, process weaknesses, and losses resulting from a lack of proper controls need to be escalated to the second line.
Topic 4. Risk Specialists
- In some business groups or larger banks, a "risk specialist" or "champion" may function as a midway point ("Line 1.5") between Lines 1 and 2.
- Risk specialists would likely:
  - Serve as the key spokesperson for risk issues in a given business group.
  - Be responsible for gathering information on the group's risk incidents and losses.
  - Anticipate key risks and controls within the group.
  - Ensure risk management plans are completed.
- Having a risk specialist within the first line does not transfer all operational risk responsibility to the specialist; the business remains the risk owner.
Practice Questions: Q1
Q1. Within the context of the three lines of defense model, risk champions (or risk specialists) are most likely to be included in which lines?
A. Line 1 only.
B. Lines 1 or 2.
C. Line 2 only.
D. Line 3 only.
Practice Questions: Q1 Answer
Explanation: A is correct.
Risk champions or risk specialists are sometimes considered “Line 1.5” and, therefore, included in Line 1 only.
Topic 5. Second Line of Defense
- The purpose of Line 2 is to oversee and question what has been done in Line 1.
- To ensure independence, Line 2 must not be involved in Line 1's work, which would create a self-review threat.
- Risk management staff in Line 2 must be thoroughly trained in a broad range of risk matters, understand the business environment, and have thorough knowledge of relevant regulations.
- The role of a robust second line would include:
  - Developing ORM policies and procedures and providing training to employees.
  - Approaching Line 1's risk management work in a fresh and objective manner.
  - Cross-examining Line 1's work (e.g., ORM tools, risk measurement, reporting) and documenting useful challenge.
  - Overseeing and adding to the bank's monitoring and reporting functions.
- The second line provides input on potential incremental risks, and how to manage them, for major business decisions (e.g., acquisitions, divestitures).
- Its effectiveness is enhanced when it has the power to overturn business decisions that do not comply with regulations or breach board-authorized risk limits.
- Clear separation of duties between Lines 1 and 2 may lead to work duplication between Lines 2 and 3.
- Cross-examination of Line 1 by Line 2 may be ineffective until Line 1's work is fully executed and has produced its intended outcomes.
- Line 2 should focus on guidance and informing staff about ORM: defining operational risk, how to report incidents, the benefits of strong ORM, and the costs of weak ORM.
- Practical, hands-on training (e.g., root-cause and scenario analysis) can increase employee acceptance of the ORMF.
- Line 2 avoids self-review by not "coaching" Line 1 on the "correct answers". Training workshops can encourage feedback, and challenge is provided only after feedback is received.
- Line 1 is responsible for its own risk assessment and controls, with Line 2 providing challenge for improvement.
Topic 6. Third Line of Defense
- Line 3 is internal audit, completely separate from risk management.
- It objectively reviews each group's controls and adherence to bank policies and procedures.
- Internal audit maintains independence by establishing its own list of significant risks, which may differ from risk management's list.
- Lines 2 and 3 occasionally share information and conclusions to reduce redundancies.
- Guidance from the Institute of Internal Auditors (IIA) on internal audit's work with the risk management, compliance, and finance departments:
  - Internal audit must be strictly separate from these departments.
  - Internal audit evaluates the sufficiency and competence of these departments using its own independent analysis.
  - Reliance on work done by other departments for risk assessment or audit testing is permissible only after internal audit assesses the reliability of that work.
Topic 7. Risk Appetite (Regulatory Expectations)
- Board's role: the board of directors is typically responsible for defining the bank's risk appetite, i.e., the acceptable level of risk.
- A significant challenge lies in establishing risk appetite for non-financial risks.
- Risk evaluation framework: determining risk appetite requires assessing significant risks, defining acceptable and unacceptable incident limits, and establishing corresponding controls.
- Clear communication: risk appetite statements must be straightforward, explain why specific risks are accepted or declined, and align with overall strategy and mission.
- Monitoring and testing: risk appetite limits are tracked through exposure limits, significant controls, and acceptable loss events, with consideration of future scenarios and stress testing.
- Regulatory alignment: risk appetite statements must be supported by actual operations and robust controls to demonstrate consistency between stated tolerance and real practices.
- Board responsibility: the board oversees risk limits through its risk committee, working with the risk management department on implementation, monitoring, and alignment with business objectives.
Practice Questions: Q2
Q2. Which of the following items is least likely to appear in a bank’s risk appetite statement?
A. Key controls
B. Exposure limits
C. Expected losses.
D. Tolerated incidents.
Practice Questions: Q2 Answer
Explanation: C is correct.
Expected losses are not likely to be included in a risk appetite statement. Risk appetite consists of items such as exposure limits, key controls, and tolerated incidents.
Topic 8. Risk Appetite (Best Practices)
- Risk appetite foundation:
  - The BCBS requires risk appetite statements to consider risk-return tradeoffs when accepting or declining specific risks.
  - A statement establishes risk exposure limits, sets control requirements, and defines acceptable incident frequency and impact thresholds.
  - It uses boundaries or key risk indicators (KRIs) that can be either quantitative or qualitative measures.
  - Risk appetite can be conveyed through the main transaction processes, with a separate appetite for each process.
- Regulatory and control requirements:
  - New operational resilience regulations require tolerance thresholds for disruption of key business services.
  - Risk appetite statements must include the significant controls, clearly documented, for each key risk.
  - Documented controls give banking clients and regulators comfort about the bank's commitment to serious risk management.
  - Limits and KRIs help management ensure the bank functions as expected within acceptable parameters.
- Governance structure:
  - Proper governance assigns specific risk owners to each risk type within the organizational structure.
  - Control owners design and implement controls, while metrics owners gather, report, and oversee performance metrics.
  - Risk owners serve as the front line of the risk management function, overseeing the risks outlined in appetite statements.
  - Near misses and incidents are analyzed against allowable thresholds to assess control robustness and whether financial impact was contained.
Topic 9. Risk Culture
- Regulatory foundation:
  - Dual benefits: a strong risk culture reduces operational risk (fewer incident losses) and increases operational resilience (faster recovery).
  - Ethical linkage: regulators connect risk culture with ethical behavior through mandatory codes of conduct for all personnel.
  - Policy enforcement: an effective risk culture is demonstrated through consistent policy enforcement and bank-wide risk awareness.
- Leadership and compensation:
  - "Tone at the top": the board leads and top management implements the risk culture through their actions and communication.
  - Prudent incentives: compensation in the form of shares (a stake with real downside, unlike options) encourages cautious risk-taking, because managers stand to lose their own wealth and livelihood.
  - Balanced goals: unreasonably high growth or profit targets can create a toxic risk culture and excessive risk-taking.
- Training and development:
  - Comprehensive programs: initial training for new employees, ongoing online training, and specialist training for the risk department.
  - Periodic requirements: regular training is mandated, with formal requirements for top management and the board in many jurisdictions.
  - Knowledge transmission: essential risk concepts are communicated to all employees at the appropriate level.
- Reinforcement and accountability:
  - No-blame culture: emphasizes rule compliance while avoiding blame for honest errors, to encourage judgment and issue escalation.
  - Whistleblowing support: a reporting environment free of fear of reprisal serves as the strongest control against error and fraud.
  - Balanced consequences: repeated infractions warrant blame and consequences; regulators penalize banks that hide control weaknesses.
Copy of OR 2. Risk Governance
By Prateek Yadav