Banks Should Implement Principles For Operational Resilience


The severe disruptive effects of Covid-19 on banks’ activities have made identifying, measuring, controlling, and monitoring operational risk at banks more important than ever. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This Basel Committee on Banking Supervision definition includes legal risk but excludes strategic and reputational risk. The main objective of the Basel Committee on Banking Supervision’s recently released Principles for Operational Resilience is to make banks better able to withstand, adapt to and recover from severe adverse events.

Operational resilience, as defined by the Basel Committee on Banking Supervision (BCBS), is “the ability of a bank to deliver critical operations through disruption.” For the sake of the safety and soundness of the banking sector, we want banks to have qualified professionals and highly functioning technological systems so that they can quickly identify and protect themselves “from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events in order to minimize their impact on the delivery of critical operations through disruption.” Operational risk can cause significant financial loss to banks and can destabilize the financial system.

In the last decade we have been exposed not only to Covid-19 but also to other unexpected public health, cyber security, significant protest, terrorism, and climate-related events such as severe floods and fires; hence, bank executives and financial regulators should assume that disruptions to day-to-day bank functions will occur. Banks need to include sound and well-documented assumptions in designing their risk appetite and tolerance for disruption. According to the BCBS, the tolerance for disruption “is the level of disruption from any type of operational risk a bank is willing to accept given a range of severe but plausible scenarios.”

The seven principles for operational resilience are in the areas of:

Governance: Banks should utilize their existing governance structure to establish, oversee and implement an effective operational resilience approach that enables them to respond and adapt to, as well as recover and learn from, disruptive events in order to minimize their impact on delivering critical operations through disruption.

Operational risk management: Banks should leverage their respective functions for the management of operational risk to identify external and internal threats and potential failures in people, processes and systems on an ongoing basis, promptly assess the vulnerabilities of critical operations and manage the resulting risks in accordance with their operational resilience approach.

Business continuity planning and testing: Banks should have business continuity plans in place and conduct business continuity exercises under a range of severe but plausible scenarios in order to test their ability to deliver critical operations through disruption.

Mapping interconnections and interdependencies: Once a bank has identified its critical operations, the bank should map the internal and external interconnections and interdependencies that are necessary for the delivery of critical operations consistent with its approach to operational resilience.

Third-party dependency management: Banks should manage their dependencies on relationships, including those of, but not limited to, third parties or intragroup entities, for the delivery of critical operations.

Incident management: Banks should develop and implement response and recovery plans to manage incidents that could disrupt the delivery of critical operations in line with the bank’s risk appetite and tolerance for disruption. Banks should continuously improve their incident response and recovery plans by incorporating the lessons learned from previous incidents.

Information and communication technology (ICT) including cyber security: Banks should ensure resilient ICT including cyber security that is subject to protection, detection, response and recovery programs that are regularly tested, incorporate appropriate situational awareness and convey relevant timely information for risk management and decision-making processes to fully support and facilitate the delivery of the bank’s critical operations.

The BCBS also published a revision to its Principles for the Sound Management of Operational Risk (PSMOR). These principles update the Sound Practices for the Management and Supervision of Operational Risk issued in 2003 to provide banks and bank supervisory authorities with a framework for the effective management and supervision of operational risk; the ten principles were subsequently updated in 2011 to incorporate the lessons of the Global Financial Crisis. The BCBS’s Risk Management Group outlined the Principles for the Sound Management of Operational Risk to provide banks and bank regulators with a framework for the effective management and supervision of operational risk. Importantly, the principles emphasize that banks’ boards of directors and senior management should establish a corporate culture that is guided by strong risk management, sets standards and incentives for professional and responsible behavior, and ensures that staff receive appropriate risk management and ethics training.

As I have previously written, operational risk is the least understood and most often ignored of the financial risks, in comparison to credit and market risks. I very much welcome the BCBS’s new and updated principles. I strongly encourage legislators, bank regulators, rating agencies, and investors to be attentive to how banks apply these principles to their operational risk management.
