Establishing an operational risk framework in banking

The foundation of operational risk frameworks

Losses attributable to operational risk are a significant factor in Comprehensive Capital Analysis and Review (CCAR) loss projections for many banks. The CCAR process has matured, with regulators and financial institutions learning from each other in an ongoing and reinforcing cycle. Initially, the greater focus was on credit and market risk. But now the significant regulatory focus has shifted to operational risk.

An emerging regulatory focus—in line with sound day-to-day risk management—is to ensure that the CCAR loss estimation framework will be firmly grounded on the institution’s regular operational risk management process. In other words, the CCAR estimation can’t be a discrete process divorced from the institution’s operational control, monitoring, and mitigation functions. This is a key consideration as institutions design and evolves their CCAR operational loss framework to be more efficient, streamlined, and cost-efficient.

Back to top

Overall operational risk framework considerations

Many institutions have designed their operational risk estimation frameworks to consider both historical and forward-looking approaches. Regulators are gradually becoming more open to looking at qualitative approaches to estimate forward-looking losses. But they still require institutions to look at their internal loss history and identify a correlation with macro-economic scenarios and events.

The first step toward managing operational risk begins as part of the first line of defense. This step is where business managers identify, own, and manage operational risks and the controls that mitigate the identified risks. Risk identification should include triggers that institutions use to identify potential control failures that may result in operational losses.

At regular intervals, the identified risks and controls are required to be evaluated for effectiveness. Many institutions have set up risk and control self-assessment (RCSA) to regularly evaluate the inherent risks present within:

• The institution
• The controls designed to mitigate them
• The resultant residual risks

These assessments help institutions identify material operational risks that potentially could go on to be significant influencers of operational losses. Material risks so identified are used in scenario analysis to estimate forward-looking events with low likelihood but that are plausible with high severity and impact.

An efficient and effective CCAR process should be grounded in and leverage the existing operational risk management framework. This ensures alignment between CCAR material risks and storylines and the actual risk profile and loss experience of the institution. The success of CCAR depends on the effectiveness of how upstream operational risk framework controls have been designed, monitored, and challenged.

To confirm compliance with regulatory requirements, institutions have broken down the operational risk loss estimation processes to logical components. There are four broad components defined:

• A quantitative model that uses historical data and attempts to model operational risk and macroeconomic relationships
• Scenario analysis for estimating losses related to forward-looking idiosyncratic events
• A legal loss component to estimate potential litigation losses
• Subject matter specialist (SMS) workshops to refine loss estimates from the previous components

The approach to estimating and stressing operational risk losses and ensuring all the individual components function efficiently requires a clearly designed governance structure supported by appropriate personnel. This structure is required to accommodate the escalation of issues to leadership, establish a conflict resolution process, and install continuous process improvement. The governance function should also include review and challenge across the different aspects of the CCAR operational risk loss estimation process.

Back to top

Moving forward with the operational risk framework

The components discussed above, including the quantitative model, make up the significant components of the CCAR operational risk framework. What ties all these individual pieces together is the stewardship of the operational risk management function. Operational risk management should ensure consistent implementation and sustained performance of an institution’s operational risk framework. It’s the institution’s responsibility to ensure that the framework provides comprehensive coverage across the different operational risk event types and to perform ongoing validation of not just the individual components, but the overall operational risk framework.

As part of a broader effort to improve the sustainability of an institution’s CCAR operational risk loss estimation forecasting efforts, firms need to not only strengthen the individual components but also ensure that the framework is grounded in and leverage the business-as-usual operational risk management framework.

Back to top