Establishing an operational risk framework in banking has been saved
Establishing an operational risk framework in banking
Lessons learned in operational risk management
Banks continue to evolve and enhance their Comprehensive Capital Analysis and Review (CCAR) operational risk loss estimation process. Now they have a renewed focus on the qualitative aspects of estimation, as well as the leverage of and integration with their existing operational risk management program.
- The foundation of operational risk frameworks
- Overall operational risk framework considerations
- Operations risk management components
- Framework component considerations
- Moving forward with the operational risk framework
The foundation of operational risk frameworks
Losses attributable to operational risk are a significant factor in Comprehensive Capital Analysis and Review (CCAR) loss projections for many banks. The CCAR process has matured, with regulators and financial institutions learning from each other in an ongoing and reinforcing cycle. Initially, the greater focus was on credit and market risk. But now the significant regulatory focus has shifted to operational risk.
An emerging regulatory focus—in line with sound day-to-day risk management—is to ensure that the CCAR loss estimation framework will be firmly grounded on the institution’s regular operational risk management process. In other words, the CCAR estimation can’t be a discrete process divorced from the institution’s operational control, monitoring, and mitigation functions. This is a key consideration as institutions design and evolves their CCAR operational loss framework to be more efficient, streamlined, and cost-efficient.
Related article: The future of operational risk management
In this article, Nitish Idnani, leader of the operational risk management services group at Deloitte, provides his perspectives on what the operational risk management space might look like in the future and the potential impact of emerging technology.
Overall operational risk framework considerations
Many institutions have designed their operational risk estimation frameworks to consider both historical and forward-looking approaches. Regulators are gradually becoming more open to looking at qualitative approaches to estimate forward-looking losses. But they still require institutions to look at their internal loss history and identify a correlation with macro-economic scenarios and events.
The first step toward managing operational risk begins as part of the first line of defense. This step is where business managers identify, own, and manage operational risks and the controls that mitigate the identified risks. Risk identification should include triggers that institutions use to identify potential control failures that may result in operational losses.
At regular intervals, the identified risks and controls are required to be evaluated for effectiveness. Many institutions have set up risk and control self-assessment (RCSA) to regularly evaluate the inherent risks present within:
- The institution
- The controls designed to mitigate them
- The resultant residual risks
These assessments help institutions identify material operational risks that potentially could go on to be significant influencers of operational losses. Material risks so identified are used in scenario analysis to estimate forward-looking events with low likelihood but that are plausible with high severity and impact.
An efficient and effective CCAR process should be grounded in and leverage the existing operational risk management framework. This ensures alignment between CCAR material risks and storylines and the actual risk profile and loss experience of the institution. The success of CCAR depends on the effectiveness of how upstream operational risk framework controls have been designed, monitored, and challenged.
To confirm compliance with regulatory requirements, institutions have broken down the operational risk loss estimation processes to logical components. There are four broad components defined:
- A quantitative model that uses historical data and attempts to model operational risk and macroeconomic relationships
- Scenario analysis for estimating losses related to forward-looking idiosyncratic events
- A legal loss component to estimate potential litigation losses
- Subject matter specialist (SMS) workshops to refine loss estimates from the previous components
The approach to estimating and stressing operational risk losses and ensuring all the individual components function efficiently requires a clearly designed governance structure supported by appropriate personnel. This structure is required to accommodate the escalation of issues to leadership, establish a conflict resolution process, and install continuous process improvement. The governance function should also include review and challenge across the different aspects of the CCAR operational risk loss estimation process.
Framework component considerations
Below, we address the individual components that make up an overall operational risk framework. We also summarize specific lessons learned and considerations from the individual components.
Moving forward with the operational risk framework
The components discussed above, including the quantitative model, make up the significant components of the CCAR operational risk framework. What ties all these individual pieces together is the stewardship of the operational risk management function. Operational risk management should ensure consistent implementation and sustained performance of an institution’s operational risk framework. It’s the institution’s responsibility to ensure that the framework provides comprehensive coverage across the different operational risk event types and to perform ongoing validation of not just the individual components, but the overall operational risk framework.
As part of a broader effort to improve the sustainability of an institution’s CCAR operational risk loss estimation forecasting efforts, firms need to not only strengthen the individual components but also ensure that the framework is grounded in and leverage the business-as-usual operational risk management framework.
Get in touch
Integrating new data to optimize risk identification methods
Understanding the new operational risk capital standard