ORR-2: Risk Governance
This is a summary of one of the readings in the GARP FRM Part II Syllabus, under the section “Operational Risk & Resilience”.
Basel Regulatory Expectations for the Governance of an Operational Risk Management Framework
The Basel Committee on Banking Supervision (BCBS) lays out specific regulatory expectations for the governance of an operational risk management framework (ORMF), emphasizing its integration into overall risk governance structures. Central to these expectations is the “three lines of defense” model, which delineates clear roles and responsibilities among business units, risk management functions, and internal audit.
Board of Directors and Senior Management: The board is ultimately responsible for endorsing and periodically reviewing the ORMF. It also sets the risk appetite and ensures a strong risk culture that permeates the entire organization. Senior management, in turn, is tasked with implementing the ORMF and developing comprehensive operational risk policies and systems.
Risk Committees: An effective governance structure includes a series of risk committees. At the enterprise level, the board risk committee oversees risk exposure and mitigation, while subordinate committees manage specific business lines or regions. These committees ensure risk information is escalated appropriately.
Three Lines of Defense:
- First Line: Business units are the first line of defense. They are responsible for risk identification, assessment, and control within their operations.
- Second Line: The corporate operational risk function (CORF) provides independent oversight and challenges the effectiveness of business controls. It maintains the ORMF and ensures compliance with policies.
- Third Line: Internal audit provides independent assurance on the effectiveness of the entire risk management process, verifying that risk frameworks are robust and adhered to.
Risk Appetite and Tolerance: Basel principles mandate that the board defines clear risk appetite and tolerance statements, aligning them with strategic goals. These statements guide operational limits, control standards, and accepted incident frequencies.
Risk Culture: A strong risk culture, led by the board and implemented by senior management, ensures that risk management values are embraced throughout the organization. Ethical conduct, transparency, and swift escalation of issues are fundamental, supported by clear policies and consistent training.
Supervisory Review: Regulators conduct supervisory evaluations to verify the ORMF’s adequacy. Banks should have documentation showing how risk frameworks guide decision-making at all levels, and deficiencies should be promptly addressed.
The Roles of Committees and the Board of Directors in Operational Risk Governance
In operational risk governance, the board of directors and various committees play distinct yet complementary roles. Their collaboration ensures effective oversight and management of risks, ultimately safeguarding the organization’s financial health and stability.
- Board of Directors: The board holds the ultimate responsibility for overseeing the risk governance framework. It sets the risk appetite, approves the Operational Risk Management Framework (ORMF), and establishes a risk-aware culture across the organization. The board’s Risk Committee regularly reviews reports, investigates significant incidents, and ensures that risk exposure aligns with the organization’s strategic goals. The board’s periodic review and approval of the ORMF confirm compliance with regulatory standards and reinforce the “tone at the top” for effective risk management.
- Operational Risk Committee: Typically reporting to the board, the Operational Risk Committee manages and oversees risk governance at an organizational level. It consolidates the risk profile from business lines, escalates issues to the board, and ensures alignment with the enterprise-wide risk management strategy. This committee often operates as the second line of defense, providing independent oversight and guidance to business units.
- Business Line Committees: Business line or function-specific committees manage operational risks within their specific areas, such as corporate banking or investment banking. They identify risks, monitor exposures, and establish controls within their respective domains. They escalate critical issues to the Operational Risk Committee, providing a detailed view of risks at the business level. These committees often act as the first line of defense.
- Audit Committee: The Audit Committee provides the board with independent assessments of the organization’s risk controls and internal audit function. As the third line of defense, it ensures the risk governance framework remains robust and effective.
Comparison:
- The board sets the strategic tone and risk appetite, delegating operational oversight to the Operational Risk Committee, which consolidates and manages organization-wide risk information.
- Business line committees handle the day-to-day risk management, implementing controls, monitoring key risk indicators, and ensuring compliance with risk appetite limits set by the board.
- The Audit Committee offers a final layer of assurance, ensuring independent oversight and providing objective assessments of risk management effectiveness.
Each layer plays a crucial role in creating a robust, comprehensive risk governance structure that follows the “three lines of defense” model and meets Basel regulatory expectations.
The Three Lines of Defense Model
The “three lines of defense” model provides a robust structure for operational risk governance, defining clear roles and responsibilities to ensure risks are effectively managed across the organization.
First Line of Defense
The first line, or risk owners, consists of business and operational staff responsible for managing risks where they originate. This line includes front-office staff and other personnel directly involved in business processes. Their responsibilities include identifying and assessing risks in their areas, implementing appropriate controls, monitoring risk exposure, and reporting any deviations to the second line. For instance, an IT manager oversees IT risks by ensuring the implementation of cybersecurity measures.
Second Line of Defense
The second line provides independent oversight over business activities and ensures risk management policies are properly implemented. Referred to as the corporate operational risk function (CORF) by the Basel Committee, this line includes risk management teams that design and maintain the risk management framework, provide training, and challenge the activities of the first line. They also monitor adherence to risk appetite limits and report on the overall risk profile. The second line holds veto power on business decisions contradicting risk appetite or regulatory requirements.
Third Line of Defense
The third line, or internal audit, offers independent assurance by assessing the overall effectiveness of the control systems and the compliance of both the first and second lines with the risk management framework. Internal audit evaluates risk management practices and ensures controls are functioning as intended. Their findings and recommendations help refine the governance framework and improve overall resilience.
Best Practices and Regulatory Expectations for Developing a Risk Appetite and Strong Risk Culture in Operational Risk
Risk Appetite for Operational Risk
To establish a robust risk appetite framework, regulatory guidance emphasizes the need for clear, actionable guidelines to identify acceptable and unacceptable levels of operational risk. Basel principles call for risk appetite and tolerance statements that are aligned with business strategy and are periodically reviewed by the board of directors. Risk appetite should be communicated effectively throughout the organization and linked with a firm’s controls and limits.
A well-structured risk appetite framework should include risk owners accountable for risk types, control owners responsible for implementation, and metrics owners monitoring adherence. Important practices include setting realistic risk appetite limits, aligning them with business strategy, and using Key Risk Indicators (KRIs) to monitor performance against these limits. Effective KRIs reflect exposure, control environment, and operational loss events. Stress-testing these indicators helps anticipate plausible scenarios that could breach risk appetite thresholds.
Strong Risk Culture
A strong risk culture stems from effective leadership by the board and senior management, referred to as the “tone at the top.” Risk culture principles focus on promoting ethical conduct and transparency, where every employee understands their role in managing risk. Policies, codes of conduct, and training programs must reinforce this culture, establishing clear expectations of risk-taking behavior.
Key elements of a strong risk culture include:
- Consistency: Policies must apply equally to all staff, ensuring accountability at all levels.
- Escalation: Encourage swift reporting of potential issues without fear of unnecessary blame.
- Lessons Learned: Share information about past incidents for continuous improvement and better preparedness.
Regulatory expectations, such as those outlined by Basel, require boards to oversee and support the development of a culture that prioritizes risk management and integrates it into daily activities. Furthermore, training programs should enhance risk literacy across the firm, ensuring all staff understand and adhere to the principles of good risk management.