OPERATIONAL RISK – this is any risk that is neither credit risk nor market risk. pt3
Business, Individual & the risk function
Individual members of staff should be able to question risk processes
Individual members of staff should be made to feel part of the full risk management framework and be made aware, through their company’s efforts, of the importance of the individual contributions they make to the overall control system.
The diagram below illustrates that banking as a business can expect to experience losses. Left of the line represents minimal day-to-day losses, while right of the line represents lower-probability, higher-impact events.
Sight of potential losses enables the business to:
Improve management confidence and debate regarding the bank’s risk profile
Rebalance the risk profile of the medium-term plan where breaches are indicated, thereby achieving a superior risk-return profile
Identify unused risk capacity and thus highlight the need to identify further profitable opportunities
Improve executive management control and co-ordination of risk taking across businesses
The risk function
First, to identify risks through the continuous monitoring of activities. This will include portfolios, new business and any complex or unusual transactions.
Measuring quantifiable risks by using methodologies and models which have been independently validated and approved.
To establish risk policies to reflect the firm’s risk principles and risk appetite which are consistent with the changing business requirements of the firm and developing international best practice.
Comprehensive risk reporting to stakeholders and to management at all levels.
To control risk by monitoring and enforcing compliance with the risk principles including the policies, limits and regulatory requirements under which the firm operates.
All these processes must be co-ordinated involving all relevant control and logistics functions. This will ensure that the overall approach is conducted in a comprehensive and holistic way including the assurance that transactions can be booked in a manner that will permit appropriate ongoing risk monitoring, reporting and control.
Every business should have an operational risk control framework which ensures implementation of the risk framework & ensures that there is assessment & reporting to management. There should be segregation of duties, coverage of risks & accountability.
The culture is very important in adhering to the risk management framework
The culture of a firm generally stems from the board
Challenge and escalation
The ability of staff and Non-Exec directors to challenge things and escalate is vital in improvement
Development of the framework
The board are responsible for the development of the framework & ensuring that the framework is being followed
Senior management’s role
The general role of senior management will be to make themselves aware of the major operational risks facing their firm. They should therefore have a full understanding of the business.
Senior management must approve and review the operational risk framework and ensure that that framework is audited by independent, trained and competent staff. The board must ensure that there is a segregation of duties between internal audit and operational risk management.
Regulators expect the board/senior management to have a framework in place
Responsibility should be explicit and set out clearly for individual managers, supervisors and members of staff to follow. There should be a clear division of responsibilities across the team and a clear overall framework within which to operate.
the establishment of the risk control framework and the corporate governance measures under which it operates.
Internal and external audit - independent review
Internal Audit - internal audit acts as a dry run or test platform for an external audit.
Internal audit should have an unrestricted mandate to access records and to operate across the firm by checking, challenging and reviewing practices. The internal audit activity reports directly to the board.
Internal audit is an ongoing activity which permits a company to have risk assessment done on a
External audit operates for the purpose of reporting to the members and shareholders of a company. Essentially it has to provide an opinion as to whether the financial statements give a true and fair view of the reports of the company. They have to decide and declare whether the records are materially correct (i.e. true) and are not misleading (i.e. they are fair).
External auditors, on the other hand, carry out their assessment with reference to a set point in time – for example, at the end of the financial year
The essence of audit is to ensure that all functions, procedures and controls within a banking organisation are checked to be adequately controlled, up to date and operate in accordance with the operating manuals and existing documentation.
Stages of an external audit
The auditors would check to see whether the controls were in place and test those controls to see whether the results of the control framework were either effective or ineffective in practice.
Substantive testing is undertaken to check large numbers of transactions as backing information.
A team identifying the systems and controls within the firm and investigating the accounting system and document flow with all relevant departments within the firm.
The auditors would be engaged in reviewing the financial statements.
Much of the external work revolves around regulatory mandates whereby such things as client money and safe custody practices, regulatory prudential returns and record keeping in general are adequate against regulatory requirements.
Three Lines of defense
Internal management committees - These committees review the management of risk in relation to the particular risk appetite of the business, as determined by the board. The effectiveness of the second line is determined by the oversight committee structure, their terms of reference, the competence of the members and the quality of the management information and reports that are considered by these oversight committees.
Internal controls for day to day business
The PRA, FCA and internal audit
To promote the safety and soundness of banks, building societies, credit unions, insurers and investment firms
To secure protection for policy holders
To secure an appropriate degree of protection for consumers
To protect and enhance the integrity of the UK financial system
To promote effective competition in the interests of consumers
The PRA and FCA place internal audit under regular close scrutiny as part of their risk assessment visits. They are particularly concerned with internal audit’s independence, its standing with the board and senior executive management and the influence it exercises across the organisation.