Friday 1 July 2011

Basel Committee - Principles for sound management of Operational Risk refresh

The Basel Committee pushed out their new, improved version of the Operational Risk guidance for the Banking Industry - as I suspect the insurance industry will ferret through this for the good bits, I had a good look through myself.

The 11 principles they settle on are all logical - highlights next to each;

The board of directors should take the lead in establishing a strong risk management culture.

  • Recommends a code of conduct or "ethics policy"
  • Compensation should be aligned to the bank's risk appetite/tolerance statement
  • Training needs reflected by seniority, role and responsibilities of staff
    Banks should develop, implement and maintain a Framework that is fully integrated into the bank’s overall risk management processes.
    • Outputs of Op risk framework should be incorporated into the strategy development process (if used for capital allocation, this would be inevitable)
    • Framework should define Op Risk and Op Loss in a comprehensive board approved policy
    The board of directors should establish, approve and periodically review the Framework
    • Board should ensure that management avail themselves of best practice as it develops

    • Ticklists for what the board should be considering in context of this principle
    The board of directors should approve and review a risk appetite and tolerance statement for operational risk
    Senior management should develop for approval by the board of directors a clear, effective and robust governance structure
    • More ticklists for achievement
    • Provides for two-tier risk committee scrutiny based on "nature scale and complexity" (either an ERM committee considering reports from Market, Credit and Op, or a flatter approach for smaller banks)

    • Standard list of identification/assessment tools, which are in use in most industries, so serve yourself if you are not familiar
    • Optional piece on "capture and [monitoring of] operational risk contributions to credit and market risk related losses in order to obtain a more complete view of operational risk exposure" - I like this piece on "border risks", and it is important from the Solvency II angle for correlation matrices
    • Differentiate KRIs and KPIs in a way I haven't seen previously
    Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.
    Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses.
    • "Reports should be manageable in scope and volume"! I suspect this will delight the Op Risk staff as well as the Board's, right up to the point at which something critical is left out on the principle of keeping the reporting 'manageable'.
    • Small ticklist of content that "should" be included in Op Risk reports
    Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.
    • Lots of ticklists on policy and process content that "should" be in place
    • Technology and Outsourcing risk given special treatment as far as internal controls go
    • Board of Directors expected to "determine the maximum loss exposure the bank is willing and has financial capacity to assume, and should perform an annual review of the bank's risk and insurance management programme".

    • Ticklists for continuity management processes and considerations
    Banks should have business resiliency and continuity plans in place
    A bank’s public disclosures should allow stakeholders to assess its approach to operational risk management.
    • No obligations for public disclosure of Op risk loss events
    • Disclosure focused mostly on detail of the Op Risk framework itself, ostensibly that it should be detailed enough to let the public make an informed judgement on its adequacy.

    • Ticklist for new product/activity/process/system consideration provided - noted as "should be considered"
    Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems
Strong culture unequivocally linked to "ethical business practices"
