Management of specific operational risks, mainly at the transaction level, is not a new practice; it has always been important for banks to try to prevent fraud, maintain the integrity of internal controls, reduce errors in transaction processing, etc. However, what is relatively new is the view of operational risk management as a comprehensive practice comparable to the management of credit and market risk.
The objective of operational risk management is to determine the extent of the Bank’s operational risk exposure, understand what drives it, allocate capital against it, identify internal and external trends that would help predict it, and recommend effective controls to mitigate the risks.
This is not a short-term task, as it requires not just changes in systems and procedures but a change in attitudes to operational problems across the entire organization. Such a fundamental shift cannot be achieved in a short time scale or without the involvement of all the major stakeholders in the Bank.
DEFINITION
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
Operational risk is the potential loss arising from inadequate information systems, technology failures, breaches in internal controls, fraud, unforeseen catastrophes, or other operational problems that may result in unexpected losses or reputation problems.
The scope of the Bank’s operational risk management program includes legal risk but does not include reputational and strategic risks, as these distinct risk categories will be addressed/ managed separately through the Internal Capital Adequacy Assessment Process (ICAAP) – refer chapter ---- of this framework.
Operational Risk Management structure consists of the following:
a) Board of Directors;
b) Risk Management Committee;
c) Basel II Committee;
d) Operational Risk Committee;
e) Risk and Credit Policy Group;
   • Operational Risk function
f) Operational Risk/ RCSA Coordinators, Internal Control Unit/ officials;
g) Compliance Group;
h) Audit and Inspection Group.
OPERATIONAL RISK MANAGEMENT FRAMEWORK
In order to implement Central Bank Guidelines in relation to operational risk management, the Risk and Credit Policy Group, in consultation with the respective groups/ divisions, shall develop an Operational Risk Management Policy/ Framework duly incorporating the operational risk standards and guidelines.
The policy/ standards/ guidelines are in the development/ review stage and will address the following key components:
a) Operational Risk Strategy and Appetite;
b) Risk and Control Self Assessment Exercise (RCSA);
c) Key Risk Indicators (KRIs);
d) Collection of Operational Loss and Control Breach Data;
e) Operational Risk Inventory;
f) Capital Allocation;
g) Management Reports; etc.
BROAD CATEGORIES OF OPERATIONAL RISK
Operational risk covers a wide area and it is useful to subdivide operational risk into two main categories, as defined below:
Internal Operational Risks
The Bank uses people, processes, systems, and technology, and has controls implemented to ensure their effective integration and coherence to achieve business plans. Internal operational risks arise from the potential failure of these factors in the course of conducting banking activities.
External Operational Risks
External operational risks arise from environmental factors, such as a major regulatory regime change, a new competitor that changes the business paradigm, and other factors that are outside the control of the Bank. The external factors include regulation, government, society, etc.
OPERATIONAL RISK MANAGEMENT FUNCTION
A separate Operational Risk and Basel II Division (ORBD) has to be established within the Risk and Credit Policy Group, as per the requirements of Central Bank Guidelines and best international practices.
This function shall ensure that management of operational risk in the Bank is carried out in accordance with the Operational Risk Management Policy/ Standards/ Guidelines. The main objectives of the function are as follows:
• Develop the Bank’s Operational Risk Policy, Strategy and Appetite;
• Develop the Bank’s Operational Risk Standards and Guidelines, which identify roles and responsibilities across the organization and the underlying methodologies/ tools for implementing the Operational Risk Policy;
• Provide guidelines to conduct Risk and Control Self Assessment (RCSA) exercise and coordinate/ supervise the initiative;
• Develop the process for identifying Key Risk Indicators, coordinate/ supervise the KRI identification by groups, and maintain and update the list on a regular basis;
• Establish systems for collecting operational loss and control breach data from all areas of the Bank. Reporting of data shall remain the responsibility of respective groups/ divisions;
• Maintain Operational Loss Database and Operational Risk Inventory;
• On the basis of analyzing the above information, the function shall periodically generate reports which highlight incidents/ risks of material impact to the senior management/ Operational Risk Committee/ Basel II Committee/ Risk Management Committee and recommend ways to mitigate the impact of key risks identified.
OPERATIONAL RISK MANAGEMENT TOOLS
Risk and Control Self Assessment (RCSA)
Objective and Scope
In any undertaking/ performance of duties, there is an element of operational risk involved. The objective of the risk and control self assessment exercise is that the staff responsible for performance of these duties identify/ assess operational risk and related controls on the basis of their own self assessment.
The RCSA is intended to cover the entire organization. The implementation of the initial RCSA exercise shall be targeted in phases.
The first phase of the initial RCSA exercise has been completed. The time frame for completion of the remaining phases of the initial RCSA exercise shall be decided by the Head of ORBD.