ORR-2: Risk Governance

This is a summary of one of the readings in the GARP FRM Part II Syllabus, under the section “Operational Risk & Resilience”.

Basel Regulatory Expectations for the Governance of an Operational Risk Management Framework

The Basel Committee on Banking Supervision (BCBS) lays out specific regulatory expectations for the governance of an operational risk management framework (ORMF), emphasizing its integration into overall risk governance structures. Central to these expectations is the “three lines of defense” model, which delineates clear roles and responsibilities among business units, risk management functions, and internal audit.

Board of Directors and Senior Management: The board is ultimately responsible for endorsing and periodically reviewing the ORMF. They also set the risk appetite and ensure a strong risk culture that permeates the entire organization. Senior management, in turn, is tasked with implementing the ORMF and developing comprehensive operational risk policies and systems.

Risk Committees: An effective governance structure includes a series of risk committees. At the enterprise level, the board risk committee oversees risk exposure and mitigation, while subordinate committees manage specific business lines or regions. These committees ensure risk information is escalated appropriately.

Three Lines of Defense:

  • First Line: Business units are the first line of defense. They are responsible for risk identification, assessment, and control within their operations.

Risk Appetite and Tolerance: Basel principles mandate that the board defines clear risk appetite and tolerance statements, aligning them with strategic goals. These statements guide operational limits, control standards, and accepted incident frequencies.

Risk Culture: A strong risk culture, led by the board and implemented by senior management, ensures that risk management values are embraced throughout the organization. Ethical conduct, transparency, and swift escalation of issues are fundamental, supported by clear policies and consistent training.

Supervisory Review: Regulators conduct supervisory evaluations to verify the ORMF’s adequacy. Banks should have documentation showing how risk frameworks guide decision-making at all levels, and deficiencies should be promptly addressed.

The Roles of Committees and the Board of Directors in Operational Risk Governance

In operational risk governance, the board of directors and various committees play distinct yet complementary roles. Their collaboration ensures effective oversight and management of risks, ultimately safeguarding the organization’s financial health and stability.

  • Board of Directors: The board holds the ultimate responsibility for overseeing the risk governance framework. It sets the risk appetite, approves the Operational Risk Management Framework (ORMF), and establishes a risk-aware culture across the organization. The board’s Risk Committee regularly reviews reports, investigates significant incidents, and ensures that risk exposure aligns with the organization’s strategic goals. Their periodic review and approval of the ORMF confirm compliance with regulatory standards and reinforce the “tone at the top” for effective risk management.

  • The board sets the strategic tone and risk appetite, delegating operational oversight to the Operational Risk Committee, which consolidates and manages organization-wide risk information.

Each layer plays a crucial role in creating a robust, comprehensive risk governance structure that aligns with both the “three lines of defense” model and Basel regulatory expectations.

The Three Lines of Defense Model

The “three lines of defense” model provides a robust structure for operational risk governance, defining clear roles and responsibilities to ensure risks are effectively managed across the organization.

First Line of Defense
The first line, or risk owners, consists of business and operational staff responsible for managing risks where they originate. This line includes front-office staff and other personnel directly involved in business processes. Their responsibilities include identifying and assessing risks in their areas, implementing appropriate controls, monitoring risk exposure, and reporting any deviations to the second line. For instance, an IT manager oversees IT risks by ensuring the implementation of cybersecurity measures.

Second Line of Defense
The second line provides independent oversight over business activities and ensures risk management policies are properly implemented. Referred to as the corporate operational risk function (CORF) by the Basel Committee, this line includes risk management teams that design and maintain the risk management framework, provide training, and challenge the activities of the first line. They also monitor adherence to risk appetite limits and report on the overall risk profile. The second line holds veto power on business decisions contradicting risk appetite or regulatory requirements.

Third Line of Defense
The third line, or internal audit, offers independent assurance by assessing the overall effectiveness of the control systems and the compliance of both the first and second lines with the risk management framework. Internal audit evaluates risk management practices and ensures controls are functioning as intended. Their findings and recommendations help refine the governance framework and improve overall resilience.

Best Practices and Regulatory Expectations for Developing a Risk Appetite and Strong Risk Culture in Operational Risk

Risk Appetite for Operational Risk

To establish a robust risk appetite framework, regulatory guidance emphasizes the need for clear, actionable guidelines to identify acceptable and unacceptable levels of operational risk. Basel principles call for risk appetite and tolerance statements that are aligned with business strategy and are periodically reviewed by the board of directors. Risk appetite should be communicated effectively throughout the organization and linked with a firm’s controls and limits.

A well-structured risk appetite framework should include risk owners accountable for risk types, control owners responsible for implementation, and metrics owners monitoring adherence. Important practices include setting realistic risk appetite limits, aligning them with business strategy, and using Key Risk Indicators (KRIs) to monitor performance against these limits. Effective KRIs reflect exposure, control environment, and operational loss events. Stress-testing these indicators helps anticipate plausible scenarios that could breach risk appetite thresholds.

Strong Risk Culture

A strong risk culture stems from effective leadership by the board and senior management, referred to as the “tone at the top.” Risk culture principles focus on promoting ethical conduct and transparency, where every employee understands their role in managing risk. Policies, codes of conduct, and training programs must reinforce this culture, establishing clear expectations of risk-taking behavior.

Key elements of a strong risk culture include:

  • Consistency: Policies must apply equally to all staff, ensuring accountability at all levels.

Regulatory expectations, such as those outlined by Basel, require boards to oversee and support the development of a culture that prioritizes risk management and integrates it into daily activities. Furthermore, training programs should enhance risk literacy across the firm, ensuring all staff understand and adhere to the principles of good risk management.