Too important to ignore: how banks can get a grip …

1 Global operational Risk Review1 Too important to ignore: how banks canget a grip on operational riskBy Dr. Tom Huertas, Partner, EY EMEIA financial Services Risk Management groupOn banks risk dashboard, the signal for operational risk is orshould be flashing red. Over the past ten years, losses fromoperational risk have soared. That has reduced earnings anddepleted capital. Consequently, both investors and supervisors are de-manding that banks bring this risk under IS operational RISK?In the dry language of the Basel Committee, operational risk is the riskof direct or indirect loss resulting from inadequate or failed internalprocesses, people and systems or from external events.

2 This broaddefinition covers a myriad of non- financial risks , including conduct risk,fraud, cyber, vendor risk, privacy, unauthorised trading and from operational risk have been quite significant. Over thepast ten years, these have amounted to over $300 billion, stemming froma wide range of breaches in controls, conduct and security. Investorsand supervisors are increasingly questioning whether banks will actuallybe able to retain all the earnings they initially report, or whether theywill have to pay back a significant portion in fines and reputations have suffered perhaps even more than theirfinances.

3 In tabloid terms, operational risk has generated headlines suchas: banks fined for fixing markets. banks fined for gouging consumers. banks fined for abetting financial crime. Hackers halt and hold up the bank. Regulatory programmanagementRisk appetite and riskculture definitionTechnology enablementBusiness progressdocumentationData qualitygovernance and reportingControls assessmentRisk governanceQuantitative analysisUnauthorisedTradingDR and BCPC yberReputational riskFraudConduct riskPrivacyInformationsecurityVendor riskOperational riskcore componentsFramework designCommon taxonomyRisk assessmentKey indicatorsScenario analysisRisk quantificationValidation and verificationLoss dataFigure 1.

4 operational risk core componentsGlobal operational Risk Review2 Controlling operational risk can therefore go a long way towardrevitalising banks business models and restoring banks reputation. SUPERVISORS STRENGTHEN THEIR STICKS upervisors endorse these objectives and are taking steps to nudge banks in the right direction. The Basel Committee is proposing to altercapital requirements for operational risk. To assure consistency acrossbanks, the proposed regime will take a single standardised has two features: A base requirement scaled to the size of the bank s business. Thisincreases as the scale of the bank increases, in a manner similar toincreases in the marginal rate of tax under a progressive tax top marginal rate will be 29% of the bank s business indicator (adjusted revenue).

5 A multiplier that reflects the bank s operating loss history over thepast ten years relative to the size of the bank s business. Indetermining the multiplier a higher weight is given to losses in excessof 100 million. If the bank has no or very low losses, the multipliercan become less than 1, so that the actual requirement foroperational risk could be as low as 54% of the base that prospect represents the carrot, stress testing and theSupervisory Review and Evaluation Process (SREP) provide the stress tests routinely require that banks set aside capital nowfor the fines and settlements for which they might become liable overthe stress test horizon.

6 And, in the SREP process, supervisors assess thebank s governance, systems and controls and may impose a surchargeon those banks whose controls are deemed to be deficient or addition, supervisors have sharpened surveillance, empoweredenforcement and propelled penalties to new heights. If banks arecommitting a breach, there is a greater probability it will be discovered;if discovered, a greater probability that the breach will result in a penalty;and a near certainty that the penalty will be high and headed SHOULD banks RESPOND?Sound risk governance provides the framework in which banks canidentify, measure and mitigate operational risk.

7 This defines the bank srisk appetite, assigns responsibilities and develops specific bank s appetite for operational risk should be extremely low. Abank can have no appetite for risks that violate the law ( riggingbenchmarks) and it should show no tolerance to employees who do. ForDefinition and mission statement and framework Principles Existing risk management frameworks Management components Firm s visions and values driving the right culture Strategy, business model and planning Governance and senior management accountability Assessment, review and challenge Risk identification, management and mitigation Clients/customer Markets Strategy A documented process for determining the criteria for operational risk drivers.

8 Applicable to each business line Evidence of considering operational risks when determining and executing strategy Monitors and reports operational risks Governance Terms of reference define committee and board responsibilities, enabling senior management oversight and challenge of operational risk, including reporting and escalation procedures Evidences the flow of information from desk-level through to governance forums Dedicated operational risk management information to enable committee members to discharge responsibilities Board and audit committee engagement with operational risk issues.

9 And oversight Senior management oversight Senior management accountability for operational risk Reporting and escalation routes for operational risk issues to supervisors and management forums Articulated role of the second and third lines of defence Front office management information evidences identification and assessment operational risk definition An operational risk definition, applicable across all business lines, which identifies an owner of operational risk A clearly documented operational risk policy or framework Assessment, review and challenge operational risk assessments carried out and owned by front office business owners, that are independently reviewed, challenged and advised by second line of defence An operational risk assessment consistent with risk, compliance and internal audit frameworks Culture and review of behaviours Embedded operational risk awareness culture.

10 Demonstrated through clear mechanisms that assesses embeddedness periodically Consistent messaging across the organisation operational risk considerations built into performance assessment and remuneration processes 112345623456 Figure 2. operational risk governance frameworkAn integrated and distinct framework is essential naCelph ailpm conuo yp cena 05-1936135_NE ED0717 felp hmocdYZgd_k Q=_]j]lY_anYf'Yf 'eg[&q]