silver globe


Establishing an operational risk framework in banking

Lessons learned in operational risk management

Banks continue to evolve and enhance their Comprehensive Capital Analysis and Review (CCAR) operational risk loss estimation process. Now they have a renewed focus on the qualitative aspects of estimation, as well as the leverage of and integration with their existing operational risk management program.

The foundation of operational risk frameworks

Losses attributable to operational risk are a significant factor in Comprehensive Capital Analysis and Review (CCAR) loss projections for many banks. The CCAR process has matured, with regulators and financial institutions learning from each other in an ongoing and reinforcing cycle. Initially, the greater focus was on credit and market risk. But now the significant regulatory focus has shifted to operational risk.

An emerging regulatory focus—in line with sound day-to-day risk management—is to ensure that the CCAR loss estimation framework will be firmly grounded on the institution’s regular operational risk management process. In other words, the CCAR estimation can’t be a discrete process divorced from the institution’s operational control, monitoring, and mitigation functions. This is a key consideration as institutions design and evolves their CCAR operational loss framework to be more efficient, streamlined, and cost-efficient.

Related article: The future of operational risk management

In this article, Nitish Idnani, leader of the operational risk management services group at Deloitte, provides his perspectives on what the operational risk management space might look like in the future and the potential impact of emerging technology.

Overall operational risk framework considerations

Many institutions have designed their operational risk estimation frameworks to consider both historical and forward-looking approaches. Regulators are gradually becoming more open to looking at qualitative approaches to estimate forward-looking losses. But they still require institutions to look at their internal loss history and identify a correlation with macro-economic scenarios and events.

The first step toward managing operational risk begins as part of the first line of defense. This step is where business managers identify, own, and manage operational risks and the controls that mitigate the identified risks. Risk identification should include triggers that institutions use to identify potential control failures that may result in operational losses.

At regular intervals, the identified risks and controls are required to be evaluated for effectiveness. Many institutions have set up risk and control self-assessment (RCSA) to regularly evaluate the inherent risks present within:

  • The institution
  • The controls designed to mitigate them
  • The resultant residual risks

These assessments help institutions identify material operational risks that potentially could go on to be significant influencers of operational losses. Material risks so identified are used in scenario analysis to estimate forward-looking events with low likelihood but that are plausible with high severity and impact.

An efficient and effective CCAR process should be grounded in and leverage the existing operational risk management framework. This ensures alignment between CCAR material risks and storylines and the actual risk profile and loss experience of the institution. The success of CCAR depends on the effectiveness of how upstream operational risk framework controls have been designed, monitored, and challenged.

To confirm compliance with regulatory requirements, institutions have broken down the operational risk loss estimation processes to logical components. There are four broad components defined:

  • A quantitative model that uses historical data and attempts to model operational risk and macroeconomic relationships
  • Scenario analysis for estimating losses related to forward-looking idiosyncratic events
  • A legal loss component to estimate potential litigation losses
  • Subject matter specialist (SMS) workshops to refine loss estimates from the previous components

The approach to estimating and stressing operational risk losses and ensuring all the individual components function efficiently requires a clearly designed governance structure supported by appropriate personnel. This structure is required to accommodate the escalation of issues to leadership, establish a conflict resolution process, and install continuous process improvement. The governance function should also include review and challenge across the different aspects of the CCAR operational risk loss estimation process.

silver crystals

Framework component considerations

Below, we address the individual components that make up an overall operational risk framework. We also summarize specific lessons learned and considerations from the individual components.

Moving forward with the operational risk framework

The components discussed above, including the quantitative model, make up the significant components of the CCAR operational risk framework. What ties all these individual pieces together is the stewardship of the operational risk management function. Operational risk management should ensure consistent implementation and sustained performance of an institution’s operational risk framework. It’s the institution’s responsibility to ensure that the framework provides comprehensive coverage across the different operational risk event types and to perform ongoing validation of not just the individual components, but the overall operational risk framework.

As part of a broader effort to improve the sustainability of an institution’s CCAR operational risk loss estimation forecasting efforts, firms need to not only strengthen the individual components but also ensure that the framework is grounded in and leverage the business-as-usual operational risk management framework.

Explore solutions to help predict changes in the regulatory and operational risk environment Regulatory & Operations Risk Services.

Get in touch

Monica O’Reilly
US Advisory Banking & Securities Leader
Deloitte & Touche LLP
+1 415 783 5780

Vikram Bhat
US Banking & Capital Markets Leader
Deloitte & Touche LLP
+1 973 602 4270

Alexandre Brady
US Risk and Capital Leader
Deloitte & Touche LLP
+1 415 783 5413

Nitish Idnani
US Operational Risk leader
Deloitte & Touche LLP
+1 212 436 2894

Krishnaswamy Balasubramanian
Specialist leader, Operational Risk
Deloitte & Touche LLP
+1 609 806 7043

Srinivas Vasudevan
Manager, Operational Risk
Deloitte & Touche Assurance & Enterprise Risk Services India Private Limited
+1 404 487 7357

Fullwidth SCC. Do not delete! This box/component contains JavaScript that is needed on this page. This message will not be visible when page is activated.

Did you find this useful?