Operational Risk Journal Articles 2011-2012

April 2012 The RMA Journal


OPERATIONAL RISK

Challenges facing operational risk managers were discussed at a recent meeting of RMA’s New York Chapter.

Risk and Businesses Must Work Closely Together

WORK CLOSELY WITH the businesses to understand the risks they face. This message was a key point addressed by panelists at a recent New York Chapter meeting exploring challenges in operational risk management. Other issues under discussion were risk reporting, benchmarking, technology, and data integrity.

Andrew Leonard, who runs the operational group at the Depository Trust & Clearing Corporation (DTCC), says operational risk is the biggest risk his organization faces. His group has operational risk professionals “married” to his organization’s seven major business lines. “We try to understand their business, and then look at the risk and apply what we do to those risks,” he said. “We don’t present them with a set of risks and ask if they apply to their business.”

DTCC also has a small team that looks across the enterprise to detect systemic risks that may not be apparent at the individual business levels.

Risk Reporting

Joe Iraci, head of corporate risk at TD Ameritrade, a broker-dealer, offered advice on reporting. “First, determine the purpose of the reporting,” he advised. “Unlike credit or market risk, operational risk is very specific to the management level that it’s geared toward. A corporate risk group should report on a portfolio basis. The report should become increasingly more detailed as it is prepared for lower management levels.”

Risk managers bring intellectual capital to the business, which is memorialized in a report, continued Iraci. “Look at the report like a marketing person as you determine the target market for your report,” he said. “Are you meeting your market’s needs? Consider the firm’s organizational structure because it reflects how the risk organization is structured and that influences reporting.”

Leonard agreed. “At the business-line level, the information helps them manage the risk. At the board level, it informs them about the risks and who is managing them,” he said, adding that some risks require the board’s endorsement before the firm can move forward.

Effective and scalable technology has played a big role in enabling collaboration when it comes to identifying risks. Gaurav Kapoor, chief operating officer, MetricStream, noted that the technology has allowed companies to move from silos of managing risk to an integrated model that allows them to aggregate and manage risk across the enterprise in a federated manner. In a federated structure, the enterprise risk function is aligned centrally with corporate governance and reporting, as well as distributed to lines of business, facilitating clear ownership and accountability for risk. “Between the information model and collaboration, companies are able to go deeper into the organization and be more proactive in how they manage risk,” Kapoor noted.

Standards and benchmarks are company-specific for operational risk, unlike credit and market risks, which carry the same risk at any firm with similar exposures. Key risk indicators (KRIs) have to be graded according to your own data set, explained Iraci, who also advocated back-testing to differentiate between a one-rated indicator and a five-rated indicator.

Yakov Lantsman, a business risk principal for Deloitte, noted that some processes around operational risk are standardized, which provides structure around what needs to be reported. As an example, he pointed to Basel II with its matrix of risk types and business-line or product types. “What is optimal to report? What should people see? If we are going to a branch level, they need completely different information than people at the board level or manager level or product level.”

Modeling Risk

It always gets back to the data, and the panel members addressed the issue of data model integrity. Kapoor said the term “big data” is one that will be heard more frequently in the risk world. “Big data is tons of data that stream in from multiple sources,” he said. “The challenge is to make sense of it—deriving risk intelligence out of it. There has been a lot of talk of ‘big data’ in the transactional and the operational world, and increasingly you hear a lot of it in the risk world as well. Many correlations exist between these data elements. The key is to effectively correlate the information from the credit, market, and operational sides.”

The analytics are about the rules that you can build within your originations, he said. Companies need to build their own rules, in place of the general benchmarks, and those that build the rules faster and better are doing a more effective job of managing risk.

Lantsman noted that firms use two sets of models, one for reporting capital, which requires much less data, and another for expected loss, which comprises four elements:
1. Internal data.
2. External data.
3. Scenario analysis.
4. Key risk indicators.

The downside of the focus on data compilation for capital purposes is that it has hurt the operational risk discipline because it’s detached itself from the business, thereby making it less useful, explained Leonard.

“Unless you can show how that capital actually relates back to the business, and embed that methodology into how they manage their business and reduce risk, it’s not useful for operational risk management,” he said. Leonard believes the industry lost three to five years of progress as it focused on capital. “Just now are we getting more toward that balance between qualitative and quantitative,” he said. “Again, our goal is to align ourselves to the business so that we understand the business and then discuss its risks.”

Back-testing

Back-testing of models is difficult in operational risk because data is scarce, making model performance unreliable. Lantsman suggests using scenario analysis to create a future operational risk database. For instance, if one firm experiences an event, your firm might also experience that event if your business, culture, or risk exposure is similar.

Many of the losses are the result of faulty practices such as improperly performed risk control self-assessments (RCSAs). Until the industry can get meaningful information from RCSAs, it will be susceptible to fines and penalties based on practices, which are almost impossible to back-test, said Iraci.

Incentives to Manage Behavior

Leonard said the tone from the top is strong at DTCC and that it works well to manage behavior.

“We’ve designed the scorecards so that the business agrees it represents how they look at their business. They accept those risks, and we bring in all the information, which is reported to the CEO, the chairman, and, on a quarterly basis, to the board. It’s not unusual for the chairman to phone the head of one of our businesses and say, ‘Hey, I’m looking at your risk profile, and I have seen this has gone up. What are you doing about it?’”

Iraci says behavior needs to be controlled by the compensation structure. In the best-case scenario, the business units would be evaluated by risk-adjusted return on capital, with their compensation structure built into it. Iraci is not aware of any firm that does this, but he believes the incentive often is a negative one.

“If something goes wrong and the firm loses a lot of money, senior management looks to fire someone. If negative events are handled that way internally, people won’t raise their hands on losses and then the losses get worse over time. There has to be a balance, but until we’re really better able to measure it with data sets, it’s difficult to influence behavior.”

Measuring Risk Appetite for Operational Risk

Within the past year, TD Ameritrade revaluated its risk appetite at the holding-company level with a view to establishing parameters, explained Iraci. It set outer boundaries for various risk types and established pass/fail measurements on specific indicators. And it is currently in the process of drilling down the indicators to a more granular level. “We look at risk appetite and risk indicators as one and the same,” said Iraci, “but risk appetite is at the portfolio level; the indicators are more granular. Tools allow you to drill down through the business units and tie it back to the holding company.”

But aggregating the information and correlating market, credit, and operational risks across the enterprise are not so easy, and it’s not possible to get a precise figure for risk-adjusted return on capital.

Lantsman explained how Deloitte handles the situation: “We’re using scenario analysis to create some interrelationship between different risk types, and the same key risk issues arise. If you consider risks independently, your risk will be several orders of magnitude higher than the real one.”

Iraci noted that a simple risk appetite statement, such as “We don’t do proprietary trading,” is an effective way to eliminate some risks. He said that TD Ameritrade has a single page that sets down which risks are acceptable and unacceptable within the firm’s risk appetite.

Fraud

Can losses resulting from internal and external fraud be prevented if firms have better processes in place to identify KRIs or red flags? Leonard responded that red flags were present when Société Générale suffered its $7 billion rogue-trading loss. “Sometimes firms lack risk managers who look at the entire life cycle of the business process,” he said. “People are responsible for pieces of it, so when they find something that’s squirrelly, they’re likely to say, ‘That’s Joe and Jane’s department. They’ll figure it out.’

“As risk managers, we can look at that full sweep of processes and ask if there are natural breaks in between the handoffs. By taking a holistic view, you can detect risks that you might not see if you’re just looking at it in its pieces. In some of the spectacular loss events in recent years, nobody was tasked to look at the entire front-to-back process.”

Conclusion

Challenges continue to confront the evolving discipline of operational risk management, but senior management recognizes its value, especially in light of the escalating costs associated with operational risk events. As New York Chapter Governor John Noto noted when introducing the panel, Bloomberg News reported that at least 50% of all errors made in organizations are related to operational risk.

RMA’s Governance, Compliance, and Operational Risk Conference will be held in Boston, April 25-26. Register at www.rmahq.org.

March 2012 The RMA Journal

Operational Risk

The Importance of Validation Verification in Operational Risk Management

BY GREG MONTANA AND RICK PARSONS

IN THE TWO previous issues of The RMA Journal,1 we wrote about the value of clear roles and responsibilities in the sound management of operational risk. Those articles focused on the need for banks to create and maintain definitive roles for all staff and provided 10 considerations for operational risk leaders seeking role clarity in their organizations.

One of the 10 considerations focused on clarifying roles to meet expectations for validation and verification. This article will present Bank of America’s approach to validation and verification—one that all banks can use regardless of their size.

As practitioners are aware, the Basel Committee on Banking Supervision provided guidance on validation and verification in two papers published in June 2011: Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches and Principles for the Sound Management of Operational Risk. The substance of the Basel guidance was clarified further by U.S. supervisors in their June 3 guidance, Interagency Guidance on the Advanced Measurement Approaches for Operational Risk.

While this guidance helped explain the Basel II “Final Rule” requirements, operational risk practitioners still face many questions in terms of how to structure and manage the validation and verification of their operational risk management programs:
1. Which aspects of the regulatory guidance must be considered as you design your validation program?
2. How can you best differentiate the roles and responsibilities of multiple stakeholders?
3. How can you make the validation process consistent and repeatable?
4. What governance and routines can be implemented to manage the process?

The following sections examine Bank of America’s approach to each of these questions, in the hope that industry practitioners will find useful insights and methods they can apply to their organizations.

Which aspects of the regulatory guidance must be considered as you design your validation program?

The regulatory requirements and interpretations of the Basel II advanced measurement approaches (AMA) provide a framework, but not an exact road map, for banks seeking qualification. In fact, the Basel guidance emphasizes the word flexibility: “[i]n recognition of the evolutionary nature of operational risk management as an emerging risk management discipline, the Committee provided significant flexibility to banks in the development of their operational risk measurement and management system. This flexibility was, and continues to be, a critical feature of the AMA.”2 Moreover, the U.S. guidance provides that “banks should develop formal policies that implement validation of the AMA framework.”3 However, “the scope of validation and the methodologies employed should be consistent with the materiality and complexity of the risks being managed.”4

According to the Basel guidance, however, “flexibility in the development of an AMA does not suggest that supervisors are prepared to accept any practice or process that a bank adopts in implementing its AMA framework. On the contrary, supervisors are concerned with identifying and encouraging bank operational risk management practices that achieve robust and effective management and measurement systems that are consistent with safety, soundness and level playing field objectives.”5

Consistent with the Basel II Final Rule, at the same time firms are considering the latest supervisory guidance they must create a well-defined approach focused on the requirements of Pillar 1 (risk-based capital requirements for credit risk, market risk, and operational risk) and Pillar 2 (supervisory review of capital adequacy) of the AMA qualification framework. Firms also must find a way to communicate these complex regulatory requirements so that they can be clearly understood by everyone within the organization.

For example, Bank of America has implemented a risk framework that defines an operational risk appetite, governance, and reporting at all levels of the company, from each line of business up to the board of directors. The program addresses the Pillar 1 qualification requirements provided in section 22 of the Final Rule covering operational risk management processes. Section 22 also covers methodologies and data, including a system of controls, oversight, and validation routines that must be implemented broadly across an organization and deeply within each of its business units.

The Bank of America operational risk validation program also focuses on addressing standards set forth in Pillar 2. This pillar plays an important role in qualification because it gives regulators the opportunity to look holistically at the risk management processes described in the bank’s operational risk framework. It enables them to test the consistent adoption, use, and effectiveness of these processes at the enterprise level and in each line of business and enterprise control function.

For Bank of America, this means that all divisions of the company must pass the “use test” providing evidence that operational risk management is being used in its six lines of business (LOBs):
• Consumer and small business banking.
• Home loans and insurance.
• Legacy asset servicing.
• Global wealth and investment management.
• Global commercial banking.
• Global banking and markets.

Also required to pass the use test are the bank’s six enterprise control functions (ECFs):
• Global human resources.
• Finance.
• Global technology and operations.
• Global marketing and corporate affairs.
• Legal.
• Global risk management.

When developing an approach to validation and verification, firms must consider the qualification requirements of both Pillars 1 and 2, yet also focus on adherence to the Basel guidance. These require the board of directors to:
• Establish clear accountability for implementing a strong control environment.
• Ensure that policies and procedures are implemented at all levels.6

Programs should be designed to provide assurance to management and the board of directors that operational risk management processes are functioning as designed, that program objectives are being met, and that appropriate actions are being taken to address and remediate program gaps.

The U.S. interagency guidance states that operational risk validation is “a process for ongoing monitoring to assess whether all aspects of the AMA framework have been implemented effectively, remain appropriate, and are performing as intended.”7 Validation explicitly extends beyond using the AMA “solely for regulatory compliance purposes”8 and requires that validation should show that the bank’s framework is appropriate for its current and evolving risk profile. Validation also must assess the bank’s AMA program in its “support of and enhancement of operational risk management policies and practices” and in its impact on the bank’s ability to “control or mitigate operational risk.”9

All of this implies that a validation program must be both broad and deep as it “validate(s), on an ongoing basis … the bank’s operational-risk management processes, operational-risk data and assessment systems, and operational-risk quantification systems.”10

However, the depth and detail required to address the requirements outlined by both the Final Rule and the latest supervisory guidance present a paradox for validation program managers, who must find a way to articulate the requirements simply and effectively. The focus areas below summarize the requirements of the validation program:

Conceptual soundness—Provide a consistent approach for evaluating and independently validating the operational risk program for conceptual soundness.

Ongoing monitoring—Lead an ongoing monitoring program to ensure that all components of the operational risk program are functioning as designed, that key gaps are identified, and that remediation plans are executed.

Outcomes analysis—Compare the bank’s risk measurement and management results to actual losses, with a goal of improving the bank’s risk identification and measurement processes.

Validation of quantification systems—Verify the effectiveness of the bank’s operational risk management framework by reviewing and validating the data and data collection processes used in capital modeling.

Business unit assessment—Assess adoption of the operational risk program by the LOBs, ECFs, and the chief risk officer.

Reporting—Report results to senior management and board committees.

Table 1 provides greater detail about the first four focus areas, including requirement details and tasks used for communication purposes. Ultimately, those designing the validation program are responsible for understanding the requirements of Pillars 1 and 2 and the latest regulatory guidance on validation and to build those requirements into their program design. They also must work to help simplify those requirements through clear and effective communication.

Table 1. Basel Guidance Requirements and Key Operational Risk Validation Tasks

Conceptual Soundness
Requirement: An evaluation of the conceptual soundness of the risk measurement and management framework.
Requirement details:
· Consider whether the conceptual framework, governance, measurement and monitoring systems, management reporting, and controls are appropriate given the size, complexity, and business activities.
Tasks:
· Operational risk program assessment
· Compliance conceptual soundness

Ongoing Monitoring
Requirement: Ongoing monitoring to assess whether all aspects of the AMA framework have been implemented effectively, remain appropriate, and are functioning as intended.
Requirement details:
· Accurate and complete capture of internal and external data
· Scenario and BEICF data are well supported and structured to limit bias
· Effectiveness of risk monitoring and management
· Remediation of deficiencies is appropriate and performed
· Benchmarking qualitative process
Tasks:
· Risk and control self-assessment validation
· Key risk indicator validation
· Scenario analysis validation
· Internal loss data validation
· External loss data validation
· Issues and emerging risk validation
· Op. risk program effectiveness reporting
· Validation governance
· Validation issues management

Outcomes Analysis
Requirement: Outcomes analysis to compare risk measurement and management results to actual outcomes and losses.
Requirement details:
· Comparison of operational-risk data assessment results to internal and external losses
Tasks:
· Validate back-testing internal losses to business environment and internal control factors

Validation of Quantification Systems
Requirement: Operational risk model conceptual soundness, ongoing monitoring, and outcomes analysis.
Requirement details:
· Supervisory Guidance on Model Risk Management, issued by the OCC, April 4, 2011
Tasks:
· As defined by Enterprise Model Risk Control Policy

How can you best differentiate roles and responsibilities of multiple stakeholders?

The U.S. interagency guidance acknowledges that “validation is a process encompassing a variety of activities that may be performed by different individuals and/or groups throughout the organization over time.”11

This statement gives banks a great deal of flexibility in assigning roles and responsibilities for validation across their organizational structure. That said, the guidance provides a recommendation for addressing bias by emphasizing that “the [AMA] rule requires that a bank’s validation process must be independent of the advanced systems’ development, implementation, and operation or that the validation process be subjected to an independent review of its adequacy and effectiveness.”12 That independent review stipulation is important, because it opens the door for allowing the operational risk management function (ORMF) to “perform validation work, provided that this work is reviewed by an independent party”13 or have validation work performed by an “independent party within a business unit, supplemented with a review by the ORMF.”14

Naturally, all of these qualifications have implications for audit’s independent role in the validation of the advanced systems. The U.S. regulators address this issue in the last paragraph of their June guidance: “Some banks use the internal audit function to validate non-quantitative aspects of their advanced systems. This could present a conflict of interest—or at least the appearance thereof—in that a bank’s internal audit function is expected to assess the controls, including validation, related to the advanced systems.”15

Bank of America has created a program that follows the latest guidance using a variety of functions representing all three lines of defense: the lines of business and the enterprise control functions (the first line of defense), the risk management department (second line of defense), and the audit team (third line of defense). Figure 1, designed to be read from right to left, summarizes the bank’s framework for a validation team to manage the program holistically, leveraging other key teams to ensure both depth and breadth of program coverage.

This independent validation team completes operational risk validation testing of the bank’s operational risk management framework, covering all program elements, including risk control self-assessment (RCSA), key risk indicators (KRIs), scenario analysis, internal and external loss data, issues and emerging risks, governance, and new product process. The operational risk models are validated by a specialized model validation team.

Verification is completed by the chief risk officer (LOB/ECF Risk) teams responsible for independently overseeing the lines of business and enterprise control functions. This verification comprises three activities:
• Advice and counsel.
• Review and approval.
• Challenge.

Steps in the CRO challenge process are documented in Table 2.

The lines of business and enterprise control functions execute the operational risk management program and compare process and system outputs with operational risk management program requirements, as well as with the integrity of operational risk data.

Audit assesses the adequacy of the control environment by testing and validating key controls and reporting weaknesses in the control environment. Audit’s work includes an annual assessment to meet the AMA requirement for independence of the process, ensuring that the validation work performed by other participants is unbiased. Figure 2 summarizes the verification and validation roles and responsibilities consistent with the Basel guidance.

Figure 1. Validation Framework (read from right to left)
Panels: LOB/ECF; LOB/ECF Risk; Op Risk Testing; Independent Assessment (Audit); Reporting to Board of Directors and Executive Management; Greater Accountability.
Assurance statements shown in the figure:
· Operational risk management controls are executed as designed, delivering expected results.
· Reasonable assurance that the LOB/ECF operational risk management program is executed as designed and the control environment is sufficient.
· Operational Risk Management Program and applicable laws and regulations (Basel II) are met.

Table 2. The Challenge Process

Step 1. Establish Basis for Challenge
The independent LOB/ECF risk team performs appropriate research (including monitoring and testing) and develops points of view on risk and the control environment. Risk’s points of view on the risk/control may differ from the LOB/ECF’s point of view. Examples of differences include: issues identified by Risk that the LOB/ECF did not identify; a different risk rating or direction; or a different assessment of root cause. Differences such as these are the basis for a documented challenge.

Step 2. Present and Discuss Challenge
The independent risk team presents and obtains acknowledgement of the challenge from the manager of the impacted business unit. Challenges that are not acknowledged within the defined response period are escalated. The LOB/ECF and independent risk team talk about the challenge. Discussion is documented.

Step 3. Resolve Challenge
Risk and the LOB/ECF agree upon risk-mitigation actions and establish action plans, or Risk and the LOB/ECF do not agree. The challenge may be escalated for resolution according to the following escalation path:
· The senior independent LOB/ECF risk executive may override the associated LOB/ECF’s risk assertion.
· The COR executive has the authority to override any risk assertion.
All actions required to respond to the resolved challenge are tracked to resolution.

How can you make the validation process consistent and repeatable?

Regardless of their institution’s size, bank validation program managers should define and document their process for validating the operational risk management framework. At Bank of America, the validation program team has created a consistent, repeatable five-step process for reviewing all key program elements in the bank’s operational risk management framework.

Figure 3 summarizes the steps used for the four program elements, as well as for external operational losses, governance and reporting, emerging risks and issues, FFIEC Schedule S, new product, and subsidiary governance.

Validation is performed using a checklist for each component of the operational risk process. The checklists follow a question format similar to the Operational Risk Work Program for Basel II AMA. They define the tests to be performed, test steps, and minimum requirements pass (“meets”) criteria. The input considerations for the checklists are the AMA requirements, applicable policies and standards, and the program components’ specific requirements (for example, those embedded in the RCSA tool). The validation team publishes the checklist, thus making

the process transparent and open (Figure 4).

The validation process results in a report and an issues action plan. Issues identified by the validation process can take the form of a self-identified audit issue, an audit issue identified by the validation program team, or a non-audit issue finding.

Any finding that does not meet the level of an audit issue (an issue self-identified or issued by the validation program team) is called a “validation program team identified opportunity” and is tracked in a database owned by the validation program team. The database is used by the team to generate a monthly report that can then be shared with all stakeholders. If an opportunity for improvement that has been tracked in the database is not remediated within the agreed timeline, it is subject to being escalated to an audit issue.

Establishing a repeatable process that produces a consistent work product and reporting product has been enormously valuable for the Bank of America validation program. A process approach can be applied to banks of all sizes.

Figure 2. Verification and Validation Framework, Basel Guidance View
Validation covers the ORMF (organizational structure) and the ORMS (methodologies, policies, processes and governance; systems, data, and AMA capital outcome). Verification covers processes and procedures, and governance. Roles shown: Op Risk Validation (Op Risk Program Validation, ORMS), Model Validation Group (Advanced Capital Model Validation), CRO (Op Risk Program Components), and Audit (Annual Assessment).

Figure 3. Five-step Process for Reviewing ORM Framework
Program elements reviewed: Internal Operational Loss; RCSA; Enterprise KRIs; Scenario Analysis.

1.0 Plan
· Identify and engage critical stakeholders
· Determine scope of validation effort
· Obtain documentation and source data
· Review regulatory requirements
· Develop high-level plan and timeline

2.0 Analyze
· Review current documentation
· Prioritize data/process elements for testing
· Refine timeline and identify capacity requirements
· Finalize validation plan

3.0 Develop Test
· Develop detailed testing objective
· Design testing methodology
· Define initial reporting objective
· Pilot testing process
· Create training plan for participants

4.0 Execute Test
· Train test participants
· Establish validation routines
· Deploy testing methodology
· Analyze preliminary results
· Execute additional tests as needed

5.0 Report and Plan Action
· Produce initial summary findings
· Publish draft report
· Review results with stakeholders
· Issue final report proposed with action plan including audit issues and non-audit issues
· Establish monitoring plan

What governance and routines can be implemented to manage the process? In our view, it is the responsibility of the validation program management team to provide the answers to the open-book test. This team also is responsible for objectively grading each organization on that open-book test. The team’s mantra is transparency and clarity. Furthermore, an annual schedule of validation activities has been established, aligning each element of the operational risk program with its scheduled deployment. As mentioned, the interagency guidance specifies that any group performing validation must be either independent of the development, maintenance, and operation of the advanced systems, or subject to independent review. To achieve this independence, Bank of America has established an annual audit of the validation program and has created governance and management for independent reporting to senior executives and the board of directors. This includes a steering group that provides input to validation activities, reviews validation results, and provides guidance regarding the scope and scale of validation efforts.

The validation steering group is chaired by the leader of the operational risk validation program and includes representatives from the bank’s legal, compliance, audit, and enterprise capital management teams.

The steering group performs an advisory function that provides input into the operational risk validation activities, such as validation planning and scheduling, testing design, review of results, and remediation reporting. The steering group also discusses, reviews, and provides recommendations, as appropriate, for communicating validation results and prioritizing remediation activities.

The steering group also may recommend analytical activities and related agenda topics for review as the chairman and/or steering group members deem appropriate. The group meets quarterly, timed to precede a quarterly meeting with the bank’s supervisors, and prepares a quarterly status report to the Enterprise Risk Committee of the bank’s board of directors. It also provides guidance for the validation program’s annual presentation and formal report to the board of directors.

Figure 4: Validation Checklist (sample entries)

| Check ID | Short Name | Data Element/Process Reference | Data/Process Element to Be Checked | Control Criticality H/M/L | Monitoring and Testing Objectives | Check Type | Potential Documentation for Evidence of Activity | Testing Procedure |
| R06 | Commentary on Key Concerns Support | Commentary on Key Concerns | Top Risk, Emerging Risk, and Mitigation plans | H | Emerging Key Concerns information (Top Risks, Emerging Risks and Mitigation Plans) cited are supported by the individual risks and mitigation plan detail | Validity | Op Risk Platform | Review information included in Key Concerns section: 1) Verify information is contained in all three sections of Key Concerns (Top Risks, Emerging Risk, Mitigation Plans); 2) Verify top risks are supported in the individual risk fields. Additional check: 3) Compare emerging risks against E-Rim |
| R10 | Individual Risk Descriptions/Taxonomy | Individual Risk Field | Operational Risk Description and Taxonomy | H | Ensure individual risk descriptions are clearly written as inherent risks, describe the business impact, are categorized properly (Basel, PPSE) and are consistent with taxonomies | Validity | Op Risk Platform | Review individual risk descriptions: 1) Verify individual risk statements are written as inherent risks and include risk, cause and impact, or have appropriate taxonomy categorization including causal Level 1, Level 2, and Impact; 2) Verify proper categorization into Basel Level 1 and Level 2 |
| R18 | Control Effectiveness | Control Description | Control Description; Justification; Accountability | H | Ensure that controls associated with individual risks are appropriate | Validity | Op Risk Platform | For selected risks, validate controls are relevant. Sample basis check completeness and relevance of: 1) Control Description; 2) Control Justification; 3) Control Accountability; 4) Control Design; 5) Control Performance (may require interview to collect additional information on sample basis to validate control design and performance) |
| R02 | Stakeholder Challenge Documentation | Stakeholder Certification | Challenges | H | Ensure RCSA review and challenge by LOB/ECF Executive and Independent Risk Team has occurred and is documented | Validity | Op Risk Platform or other CRO indicated area | Review evidence for challenge process for documentation of dialogue between LOB/ECF Executive and Independent Risk Team |
| R12 | Aggregate Risk Rating | Summary Risk Ratings | Aggregate Risk Rating Field (Computed and User Selected) | H | Ensure aggregate residual risk and control ratings match calculated value or are properly justified | Validity | Op Risk Platform | Validate proper justification is provided where computed aggregate residual risk differs from entered aggregate residual risk |

Input Considerations diagram (The Advanced Systems). Inputs shown: RCSA; KRI; Int/Ext Op Loss; Scenario Analysis; Issues and Emerging Risk; Program Effectiveness. Dimensions shown: AMA Requirements; Business Environment and Internal Control Factors (BEICF); Policy/Standards; Program Design/Playbook; Content; Output; Process.

The RMA Journal March 2012 19

Figure 5 illustrates the levels of governance and oversight, including purpose and frequency.

Again, much like process clarity and consistency, a well-established governance process for validation will add value to any institution’s program.

Conclusion

The latest guidance from regulators gives all financial institutions reason to assess their programs against the latest requirements for validation and verification. The flexibility of the guidance allows institutions an opportunity to customize their approach according to their size and complexity.

The lessons of Bank of America’s program successes can be applied to institutions of all sizes. By leveraging your existing risk management framework and establishing clearly defined validation roles and responsibilities for first-, second-, and third-line stakeholders, you can create buy-in for the program. And by following both the letter and the spirit of the regulatory guidance, you can ensure both compliance with Basel guidelines and a comprehensive assessment of program effectiveness.

If done correctly, the validation and verification program should not be considered redundant to existing compliance and audit program requirements. Rather, it should be seen as a way to objectively identify opportunities for meaningful improvement throughout the entire institution.

••Greg Montana, senior vice president, senior operational risk executive, Bank of America, leads the assessment and validation of the corporate operational risk framework across all Bank of America and Merrill Lynch lines of business. He can be reached at [email protected]. Rick Parsons, recently retired, was executive vice president and corporate operational risk executive at Bank of America. He was responsible for providing a consistent and structured approach for managing operational risk throughout the company and providing enterprise-risk-level reporting and monitoring for systemic risk issues. He can be reached at [email protected].

Notes

1. December 2011–January 2012, pp. 50–57; February 2012, pp. 60–65.

2. Basel Committee on Banking Supervision, Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, p. 1.

3. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Interagency Guidance on the Advanced Measurement Approaches, June 3, 2011, p. 10.

4. Ibid., p. 10.

5. Basel Committee on Banking Supervision, Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, p. 1.

6. Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, p. 9.

7. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Interagency Guidance on the Advanced Measurement Approaches, June 3, 2011, p. 10.

8. Basel Committee on Banking Supervision, Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, p. 18.

9. Ibid., p. 18.

10. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Interagency Guidance on the Advanced Measurement Approaches, June 3, 2011, p. 10.

11. Ibid., p. 10.

12. Ibid., p. 12.

13. Ibid., p. 12.

14. Ibid., p. 12.

15. Ibid., p. 12.

Figure 5: Levels of Governance and Oversight

| Governance and Oversight | Purpose | Frequency |
| Board | Provide an annual report on validation and data management program results and plans | Annual |
| Steering Group | Establish and maintain a governance function for all validation activities to provide guidance on planning, reporting, and escalation | Quarterly |
| Stakeholders | Capture, report, plan, communicate, and remediate issues identified through programs and projects; provide updates on the results and future plans on the Validation and Operational Risk Data Management programs | Monthly |

February 2012 The RMA Journal

Operational Risk


••In the December-January 2012 issue of The RMA Journal, the authors shared their perspectives on the roles and responsibilities of operational risk management and offered banks five tactics for improving their programs. This concluding article offers five additional strategies.

The Value of Clear Roles and Responsibilities in the Management of Operational Risk, Part 2

Copyright 2012 by RMA

The RMA Journal February 2012 61

BY RICK PARSONS AND GREG MONTANA

IN JUNE OF last year, the Basel Committee on Banking Supervision published two documents that focused heavily on the need for clear roles and responsibilities in the area of operational risk: Principles for the Sound Management of Operational Risk and Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches.

This guidance, along with the U.S. banking agencies’ Interagency Guidance on the Advanced Measurement Approaches for Operational Risk, also issued in June, updates the 11 principles and associated guidelines that define operational risk management based on industry research, supervisory experience, and observed best practices.

Our article in the previous issue of The RMA Journal offered five of 10 key tactics that bank leaders should consider as they review opportunities for improving their operational risk programs. Here are the additional five tactics.

Key Tactic #6: Clarify roles to meet regulatory expectations for validation.

Validation and verification are a clear focus of the Basel Committee on Banking Supervision (BCBS) guidance. The BCBS guidance states, “The purpose of these activities is to ensure that a bank’s operational risk management framework is functioning as intended and that it remains appropriate for the bank’s risk profile.”1

Validation and verification can be invaluable in defining a strong operational risk program and measuring performance against it. But where do you begin to assess your validation and verification capabilities? Institutions should first understand and assess their structure and capabilities against the Basel II final rule requirements governing advanced measurement approach (AMA) banks, as well as the aforementioned supervisory guidance (Figure 1).

Validation of the operational risk management framework is used to assess the bank’s organizational structure, policies, processes, procedures, and governance. It focuses on the effectiveness of the overall framework to ensure that the risk measurement methodologies result in a credible operational risk capital estimate.

Proper assignment of responsibilities for validation and verification is critical to ensuring a robust process that achieves the goals mentioned earlier: to set expectations in a clear manner and to ensure proper monitoring and measurement against those expectations. The BCBS guidance provides significant flexibility to banks when it comes to developing their operational risk measurement and management systems. This flexibility was, and continues to be, a critical feature of the AMA. For example, the interagency guidance states that “banks should develop formal policies that implement validation of the AMA framework” and that “the scope of validation and the methodologies employed should be consistent with the materiality and complexity of the risks being managed.”2

Figure 1: Verification and Validation Framework, Basel Guidance View (diagram). Elements shown: ORMF (Organizational Structure; Methodologies, Policies, Processes & Governance); ORMS (Systems, Data, AMA Capital Outcome); Validation Processes; Verification Processes & Procedures; Governance; Op Risk Validation, Model Validation Group, CRO, and Audit; Op Risk Program Validation (ORMS); Advanced Capital Model Validation; Op Risk Program Components; Annual Assessment.

We like to say at Bank of America that it is the responsibility of the teams conducting validation and verification to provide the answers to the test. It is an “open book” test, and transparency gives the entire organization goal clarity. It is the teams’ responsibility to objectively grade each organization against that open book test. Transparency and clarity are our mantra.


Figure 2: Validation Framework (diagram). Layers shown, from business execution up to independent assessment, labeled “Greater Accountability”: LOB/ECF, with the assertion that operational risk management controls are executed as designed, delivering expected results; LOB/ECF Risk (Op Risk Testing), providing reasonable assurance that the LOB/ECF operational risk management program is executed as designed and the control environment is sufficient; Operational Risk Management Program, confirming that program requirements and applicable laws and regulations (Basel II) are met; Reporting to Board of Directors and Executive Management; Independent Assessment (Audit).

Figure 3: Challenge and Validation Processes (diagram). Labels shown: LOB 1 and LOB 2 (Business Area 1, Business Area 2) with Risk Assertions (“Controls executed as designed, delivering expected results?”); Challenge Process (CRO): “LOB/ECF operational risk management program is executed as designed and control environment is sufficient”; Validation Process (CORF): “Operational Risk Management Program objectives are met and appropriate actions are taken”; Independent Assessment (Audit). Process steps referenced: 3.8 Assess Control; 3.9 Determine Residual Risk; 3.10 Define Action Plan; 3.11 Document Risk Factors (Operational Losses, Issues, KRIs). Control references shown: C2, C3, C4, C6, C9, C10.

“Improvements in operational risk management will depend on the degree to which operational risk managers’ concerns are considered and the willingness of senior management to act promptly and appropriately on their warnings.”*

* Basel Committee on Banking Supervision (BCBS), Principles for the Sound Management of Operational Risk, June 2011, p. 5.


Key Tactic #7: Define the roles in a risk framework clearly so that all levels of the organization will understand them.

Building on the theme of transparency and clarity, enterprise stakeholders need not be Basel/AMA specialists, and the corporate operational risk function (CORF) should not promote a methodology requiring esoteric terminology that could be inconsistent with the bank’s overall risk framework.

For that reason, an institution should put roles and responsibility requirements for validation and verification into its overall risk management framework and align them with its already established organizational structure. It is important for the framework and the roles within it to be clear and simple so that all levels of the organization will understand it.

In the example provided in Figure 2, we start with the lines of business (LOBs) and enterprise control functions (ECFs). Their job is to ensure that operational risk management controls are executed as designed and deliver results. We then define the roles and responsibilities of the independent LOB risk team (CRO team), as shown in Figure 3. If the CRO teams are the primary-challenge, second-line function in an organization, their role in challenging LOB execution of the operational risk program should be a natural extension of their role in credit risk and market risk. They are charged with ensuring that the LOB/ECF operational risk management program is executed as designed and that the control environment is effective.

The role of the central Operational Risk Management Function (ORMF) is to ensure that the bank’s operational risk management framework is functioning as intended and remains consistent with the bank’s operational risk profile. Audit also has a vital role to play by providing independent assessment of the validation and verification program.

The net effect of this approach should help ensure awareness, adoption, and ultimately effectiveness. In the case of the CRO teams, their role as a challenge function should be well defined. That definition should include their responsibility for managing to resolution disparate points of view between themselves as an independent risk oversight team and their associated LOB/ECF relative to the latter’s risk and control environment. Bank of America has defined this challenge process explicitly as part of the ORMF’s Standard Operating Requirements.

Key Tactic #8: Setting expectations regarding the challenge process is key.

Establishing expectations in terms of what constitutes “success” is essential, as is frequency of review. These expectations should be established at the outset and designed with stakeholder input. They need to include oversight of the LOB/ECFs as the primary responsibility of the independent CRO risk teams. This oversight ranges from providing advice and counsel to managing a documented challenge process.

Challenge is a structured, documented, time-sensitive process for managing to resolution incongruent points of view between an independent risk team and its associated LOB/ECF. Challenge is a potential outcome of the independent risk team’s monitoring and testing of the LOB/ECF. Table 1 illustrates the steps in the challenge process documented in the Bank of America ORMF Standard Operating Requirements.

The oversight role of the independent CRO risk team to the LOB/ECF incorporates the ongoing exchange of business and risk subject-matter expertise that drives comprehensive understanding and improved management of the business environment and internal control factors (BEICFs). This activity should be documented as a discussion, or the outcome of the discussion may be documented by the LOB/ECF as a risk. Examples include the use of Six Sigma’s “Five whys?” which can result in a change in a risk and control self-assessment (RCSA) risk rating or a new issue, such as a self-identified audit issue.

Key Tactic #9: Expectations need to go up over time. A maturity model and overall scorecard can help.

Institutions need to evolve as the bank’s operational risk profile evolves. Two tools that can help improve and maintain a program’s effectiveness over the long term are maturity models and an overall business unit scorecard. The maturity model in Table 2 helps set the bar higher over time and allows benchmarking across business units—that is, it helps identify laggards and exemplars.

Table 1: The Challenge Process

Step 1. Establish Basis for Challenge
The independent LOB/ECF risk team performs appropriate research (including monitoring and testing) and develops points of view on risk and the control environment. Risk’s points of view on the risk/control may differ from the LOB/ECF’s point of view. Examples of differences include: issues identified by Risk that the LOB/ECF did not identify; a different risk rating or direction; or a different assessment of root cause. Differences such as these are the basis for a documented challenge.

Step 2. Present and Discuss Challenge
The independent risk team presents and obtains acknowledgement of the challenge from the manager of the impacted business unit. Challenges that are not acknowledged within the defined response period are escalated. The LOB/ECF and independent risk team talk about the challenge. Discussion is documented.

Step 3. Resolve Challenge
Risk and the LOB/ECF agree upon risk-mitigation actions and establish action plans, or Risk and the LOB/ECF do not agree. The challenge may be escalated for resolution according to the following escalation path:
· The senior independent LOB/ECF risk executive may override the associated LOB/ECF’s risk assertion.
· The COR executive has the authority to override any risk assertion.
All actions required to respond to the resolved challenge are tracked to resolution.

At least once a year, all of the work completed at the detailed element and program levels should feed an overall annual assessment for all lines of defense (Table 3). Tying that evaluation to performance management will help drive adoption, adherence, and business results.

Key Tactic #10: Keeping it simple is always a good policy.

Unnecessarily complicating the discipline doesn’t drive credibility—it only takes away from it. Going through Six Sigma black-belt training some years ago, we heard lots of fancy terms and soon realized that quite a bit of the methodology involved statistical analysis and commonsense management routines that we already knew. Have you ever heard of ANOVAs, Ishikawa diagrams, least squares analysis, and gage R&Rs?

While there is undeniable value in a common taxonomy for processes and tools across large corporations, there is no need to intimidate audiences with confusing terms and acronyms. We favor connecting the operational risk program with a larger and clearly articulated corporate vision for operational excellence. In short, wherever and whenever possible, keep it simple!

A Final Word

Owing to market volatility and changes in the financial services industry, operational risk is high at all financial institutions, both domestic and international. To deal with this operational risk and lower the residual risk levels, Bank of America has developed an extensive program to meet the Basel standards and drive ownership of operational risk at all levels, in all departments, globally. A major key to the success of the operational risk program has been the adoption of clear roles and responsibilities.

Whether you lead operational risk management at a regional institution or one of the world’s largest multinationals, the same lessons apply. Rolling out a successful op risk program that has the stature to be embraced by the enterprise requires more than just a set of well-designed program elements to meet AMA specifications. It requires setting a clear vision and establishing an operating model that ties all of the program components together and makes them real and useful for managing risk across all lines of defense. With a clear operating model in place, defined roles and responsibilities for all practitioners, and a structure for measurement and accountability, institutions can create a deeply rooted capability and culture in operational risk management.

Table 2: Maturity Model Sample (asterisks mark cells where criteria are defined for each level)

| Sample Criteria Category | Sample Data Management Components | BASIC “Awareness” (1) | DEVELOPING “Commitment” (2) | MATURE “Execution” (3) | ADVANCED “Predictive” (4) |
| Leadership | Mgmt. Scope and Role | Criteria (Basic) | Criteria (Developing) | Criteria (Mature) | Criteria (Advanced) |
| | Management Routines | * | * | * | * |
| | Resources | * | * | * | * |
| Measurement | Metrics | * | * | * | * |
| | Goals | * | * | * | * |
| Program Execution | Compliance | * | * | * | * |
| | Tool Adoption | * | * | * | * |
| Reporting/Communication | Content | * | * | * | * |
| | Audience | * | * | * | * |
| | Timeliness | * | * | * | * |
| Scoring Values | | 1 | 2 | 3 | 4 |

Table 3: Annual Assessment Summary Example (asterisks mark cells to be completed per institution)

| Dimension | Measure | Source of Score | Frequency/Timing |
| Implementation | RCSA Process | * | * |
| | Op Loss Process | * | * |
| | KRI & Scenario Analysis | * | * |
| | Emerging Risks | * | * |
| | Data Quality | * | * |
| Adoption | Governance | * | * |
| | Culture | * | * |
| | Staffing | * | * |
| Effectiveness | Op Risk/Control Effectiveness | * | * |

••Rick Parsons, recently retired, was executive vice president and corporate operational risk executive at Bank of America. He was responsible for providing a consistent and structured approach for managing operational risk throughout the company and providing enterprise-risk-level reporting and monitoring for systemic risk issues. He can be reached at [email protected]. Greg Montana, senior vice president, senior operational risk executive, Bank of America, leads the assessment and validation of the corporate operational risk framework across all Bank of America and Merrill Lynch lines of business. He can be reached at [email protected].

Notes

1. Basel Committee on Banking Supervision, Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches, Basel Committee on Banking Supervision, June 2011, p. 11.

2. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Interagency Guidance on the Advanced Measurement Approaches, June 3, 2011, p. 10.

Consider signing up for the Operational Risk Management Discussion Group. Go to www.rmahq.org or call RMA Customer Care at 800-677-7621.


Book Review

Resurrecting the Street: How U.S. Markets Prevailed After 9/11

By Jeff Ingber (2011)

REVIEWED BY MARK ZOELLER

MY REVIEW OF this book can be summed up in two words: Read it! All of us in the financial community can learn from this volume. It reads relatively easily and its lessons could be critical. The most important lesson is that the financial community is resilient in the face of disaster.

In Resurrecting the Street, Jeff Ingber writes poignantly about the catastrophic losses in personnel and facilities suffered by the U.S. government securities, or “Govie,” market. Both were casualties of the conflagration and collapse of the two towers of the World Trade Center on 9/11, a date seared into all of our memories.

The Govie market is the largest financial market in the world. While it had expanded over the years to include government agencies and a variety of derivatives, the market, out of historical inertia, was still centered in the World Trade Center. At the time, Ingber was general counsel of the Government Securities Clearing Corporation (GSCC), located several blocks from the World Trade Center in lower Manhattan. The GSCC settled all Govie trades.

Ingber was one of the 1 million evacuees from lower Manhattan on 9/11. Some 400,000 left the area by boat, mostly to New Jersey, in scenes reminiscent of the Dunkirk evacuation in World War II.

The major trading firm in Govies, Cantor Fitzgerald, lost 658 personnel in the North Tower that day. Other firms also suffered terrible human losses. Ingber graphically describes how observers belatedly realized that the “debris” falling from the towers was actually people who chose to jump from the buildings rather than be incinerated by burning jet fuel. There were 200 people who jumped. One landed on and killed a firefighter, who was the first firefighter casualty of that day. The firefighter was a close friend of one of Ingber’s associates.

All markets, including the stock markets, had to close, which spelled disaster for the financial community. Many financial firms relied on the repo market to fund opera-tions. But the markets were stubborn and resilient; they reopened in just a few days. Cantor Fitzgerald and some others were back in the market on 9/13 as the Govie market opened on short hours with reduced volume.

Communications lines had been destroyed and facilities were uninhabitable, but, as Ingber describes, the financial community made Herculean efforts to bring the markets back. On 9/17, the stock markets reopened and the Govie market resumed full-day operations. Much was required from the people of Wall Street. Employees of the Amex entered their building through a temporary morgue as bodies were still being brought in. Companies offered space to their competitors. Meanwhile, the federal government acted as an encourager, while attempts to bring the markets back to an uneasy normalcy came from private initiatives.

On 9/19, some 3,500 traders on the floor of the Chicago Board of Trade erupted into cheering and applause as the first cash prices since 9/11 came onto the big display board. The prices came from Cantor Fitzgerald.

Ingber reports that most of the backup facilities and communications links were inadequate in the wake of the disaster. Relocating thousands of personnel to sites never designed for financial activities was a major problem. Computers and telephones by the thousands had to be bought and installed. Firms that used multiple telecom carriers as a redundancy later discovered that all these carriers routed their lines through a single switching station.

Anyone involved in disaster preparations, including boards and CEOs, should pay close attention.

Ingber also recounts how the GSCC accomplished the difficult task of reconciling trades after much of the originating paperwork was lost. At the height of the reconciling problem, GSCC had several hundred billion dollars of failed security deliveries (fails) and a huge overdraft at the Bank of New York. Most of the reconciliation was manual.

The Federal Reserve also loaned financial firms several hundred billion dollars to help them through the crisis.

While the book is poignant, it is not mawkish. It belongs as part of the permanent history of 9/11. All economic and business history courses should make this book required reading.

••Mark Zoeller is president of Zoeller Credit Services. He can be reached at [email protected].

Jeff Ingber is currently a managing director, Policy Compliance and Control, Citigroup. His daughter, Arielle Morris, is senior designer for The RMA Journal and designed the book’s cover.

“Our people ran out of the Trade Center without a pencil. No trade records. No tickets. The business that we did in the North Tower we backed up in the South Tower, and vice versa. We didn’t know where to go the next morning. Or even if there was a firm left.”

–Ron Purpora, senior executive of Garban Securities LLC

December 2011–January 2012 The RMA Journal

The Value of Clear Roles and Responsibilities in the Management of Operational Risk

Operational Risk

Copyright 2011 by RMA

BY RICK PARSONS AND GREG MONTANA

ESTABLISHING A STRONG risk management culture, governance routines, and an optimal organizational structure is foundational to any sound operational risk management program. But even well-defined governance and organizational structures cannot be effective without clear and sustainable roles and responsibilities for the practitioners implementing these programs.

This role clarity is crucial, and it needs to be recognized at all levels in the organization. Indeed, industry regulators are now stressing the importance of accountabilities, clear lines of management responsibility, and the acceptance of risk management as a company-wide concern (Figure 1).

In June of this year, the Basel Committee on Banking Supervision published two documents that focused heavily on the need for clear roles and responsibilities in the area of operational risk: Principles for the Sound Management of Operational Risk and Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches.

This guidance, along with the U.S. banking agencies’ Interagency Guidance on the Advanced Measurement Approaches for Operational Risk, also issued in June, updates the 11 principles and associated guidelines that define operational risk management based on industry research, supervisory experience, and observed best practices.

Collectively, the supervisory guidance is very specific regarding the roles and responsibilities of the board of directors and senior management, who are expected to set the tone from the top to “ensure that a strong operational risk management culture exists throughout the whole organization.”1 In addition, the Basel guidance charges the board and senior management with the responsibility for establishing a risk culture that is supported by codes of ethics/conduct, compensation strategies, and training. By linking the use of sound risk management practices to the effectiveness of the board and senior management, the supervisory guidance sets expectations and standards for governance, organizational structures, risk processes, routines, data and tools, loss collection and verification, and validation of the program and framework.

The supervisory guidance clearly states that the board is expected to know and understand the operational structure of the bank and its risks. Moreover, it states that the board needs to ensure that compensation policies and strategies are aligned with the bank’s statement of risk appetite. And finally, it highlights the role of governance and the importance of the “three lines of defense”—the lines of business (LOBs) and the enterprise control functions (ECFs), the risk organization, and audit—and their roles in the risk management process.2

••How do you clarify the roles and responsibilities of operational risk practitioners to ensure the commitment of business management to the operational risk program and the independence of risk management?

In a two-part article, the first half of which appears here, the authors review the most recent regulatory guidance on risk practitioners’ roles and responsibilities and explore five strategies every firm should consider when contemplating opportunities for improvement.

In addition, the regulators now expect new risk management routines, including the close monitoring of limits and thresholds and tests to ensure that the operational risk management program is not implemented strictly to determine regulatory capital but to manage risk. The regulators are looking for clear evidence of integration and linkages between risk measurement and risk management processes. Also expected is risk management oversight of the LOBs and ECFs, as well as effective processes for issue resolution.

In addition, new explicit guidance is provided for validating, verifying, and approving (formerly assessing) operational risk issues for all new products, activities, processes, and systems. The emphasis on roles and responsibilities extends internationally. In the United Kingdom, for example, the Turner and Walker reports focused on the need to clarify the roles and responsibilities of the board, the nonexecutive directors, and senior management in executing an effective operational risk program. The reports also highlighted the importance of the designated control functions and their accountability in the management of risk.3,4

In light of all this guidance, firms need to consider 10 key tactics. In this month’s article, we present the first five.

Key Tactic #1: Start with a common understanding of the risk management process.

In early 2010, Bank of America’s Operational Risk Management Function (ORMF) defined the corporation’s vision for operational risk management:

To create an industry-leading, Basel-compliant program that makes operational risk an integral part of the business’s activity and culture.

To achieve this vision, the ORMF team designed a set of standard operating requirements defining the model for the operational risk management program, and it established roles and responsibilities for all Bank of America employees.

Figure 1. Regulators Focus on Roles and Responsibilities

22. ...Clear expectations and accountabilities ensure that bank staff understand their roles and responsibilities for risk, as well as their authority to act.

29. Strong internal controls are a critical aspect of operational risk management, and the board of directors should establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between operational risk control functions, business lines and support functions.

–Basel Committee on Banking Supervision, Consultative Document, Sound Practices for the Management and Supervision of Operational Risk

Making risk management a company-wide concern and changing deeply engrained attitudes toward risk clearly require significant attention to the “people factor” in the risk equation. As a result, major reassessment of roles and responsibilities is underway at many banks.

–E&Y, “Navigating the Crisis: A Survey of World’s Largest Banks”

We do place special responsibility with the public leaders charged with protecting our financial system, those entrusted to run our regulatory agencies, and the chief executives of companies whose failures drove us to crisis. The individuals sought and accepted positions of significant responsibility and obligations. Tone at the top does matter and, in this instance, we were let down. No one said “no.”

Lending standards collapsed, and there was a significant failure of accountability and responsibility throughout each level of the lending system...

–FDIC Inquiry Report

Firms were more likely to maintain a risk profile consistent with board/senior management tolerances if there were regular, frequent risk management committees that included executive and senior leaders from key business lines and independent risk management and control functions to discuss significant risk exposures across the firm.

–NY Fed Observations on Risk Management

Examiners consider the following assessment factors when making judgements about the quality of operational risk management...

The third assessment factor considered under Processes is: The adequacy of the governance structure around operational risk and the assignment of responsibility and accountability at every level.

–OCC Large Bank Supervision Comptroller’s Handbook

As part of the program kick-off, the ORMF worked to communicate to all key stakeholders how operational risk management fits into the overall business operating model.

The Basel guidance states that “banks should develop, implement, and maintain a[n] [Operational Risk] Framework that is fully integrated into the bank’s overall risk management processes.”5 This guidance is appropriate to help ensure that operational risk is culturally embraced as part of how the institution does business.

Incorporating operational risk disciplines into the broader business and risk framework ensures that operational risk is not relegated to a second-tier position or thought of as a strictly regulatory exercise (Figure 2). This integration is particularly important because operational risk is the least mature of the risk disciplines. In banking, it was at the nascent stage during the 1990s and only recently entered the maturing stage (Figure 3).

Key Tactic #2: Define the roles and responsibilities for stakeholders at a strategic level.

Building on the concept that operational risk must be a part of, not separate from, the bank’s overall risk management program allows the firm to define stakeholder responsibilities at the highest strategic level (Figure 4).

At the highest level, the board and senior management must actively encourage a culture focused on risk management. The board needs to understand the organization’s risk profile and establish a risk appetite that is recognized by everyone as having come from the top. Meanwhile, senior management must help define the risk appetite and set the risk management framework under which the risk practitioners can design a set of standard operating requirements for operational risk consistent with the supervisory guidance. Finally, the LOBs and the ECFs, including finance, human resources, marketing, corporate affairs, legal, technology, and operations, must own the operational risks and promote a culture of escalation, for which the risk organization performs an independent challenge function through oversight and governance.

Figure 2. Corporate Goals and Objectives

Elements shown: Corporate Goals and Objectives; Risk Appetite; Business and Risk Strategy; Governance; Independent Testing and Validation; Continuous Feedback. Risk Management Process: Execute Business Activities; Identify and Measure; Mitigate and Control; Monitor and Test; Report and Review.

Figure 3. Stages of Operational Risk in Banking

• 1990s: Nonexistent
• 1999-2007: Early Stage
• 2007-2010: Developing
• 2011-Beyond: Maturing

Milestones marked on the timeline: Nascent; U.S. ANPR Basel I & II; U.S. Final Rule; 2010 BIS Sound Practices and Supervisory Guidance.

Figure 4. Stakeholders must understand their role in the three lines of defense and their alignment with strategic program components.

Strategic View: Governance; Validation and Verification; Risk Profile; Risk Framework; Policy (Standard Operating Requirements); Procedures.

Stakeholder View:
• Board of Directors: Establish tone at the top; Approve risk appetite.
• Senior Mgmt.: Define risk appetite and risk framework; Establish clear and effective governance.
• Risk Mgmt.: Define program parameters; Challenge and escalate.
• Line of Business/Enterprise Control Functions: Own risk management and mitigation; Promote culture of escalation.

Key Tactic #3: Operational risk needs to be a part of everyone’s role.

The Basel guidance highlights the importance of “embedding” an approach to operational risk management, ensuring that it becomes part of the bank’s overall management of risk and control. It also stresses the need for ownership of operational risk at all levels of the institution. However, that guidance should not be interpreted to mean that accountability for specific roles does not have to be assigned across the three lines of defense. This is a process easier said than done for large financial institutions, where implementing change can be a complicated and arduous task. The Basel guidance further provides that, in addition to the initial period required by supervisors as part of their use and embeddedness AMA [advanced measurement approaches] assessment, “the requirement is ongoing and banks will need to ensure that their ability to demonstrate embeddedness is not adversely impacted over time by change.”6

The last point is an important one, because it highlights the risk that change, which we all know is ubiquitous, could harm the sustainability of the operational risk management program throughout the organization.

Thinking about change, we asked ourselves: What type of change could put our AMA program at risk? A change in strategy? A change in processes or systems? A change to management or business structure? All of these changes are potentially disruptive, but maintaining role clarity, we would argue, is an effective mitigant to the disruptive effect of change on an institution’s overall operational risk management program.

The risk and control self-assessment, or RCSA, is a tool designed to meet AMA requirements for providing a “balanced assessment of both the risk in the business environment and the quality of internal controls.”7 Along with key risk indicators and audit evaluations, it is one of the more tenured tools of most banks’ operational risk management programs (Figure 5). So let’s use it as an example.

Figure 5. Operational Risk Management Process

Process steps: Identify & Measure; Mitigate & Control; Monitor & Test; Report & Review.

Supporting elements: Governance; Reporting; Operational Risk Management Platform; Training and Communications; Quality Assurance and Independent Validation; Data Quality; Issues and Emerging Risk Management.

Participants: Corporate Operational Risk (COR); Lines of Business (LOB); Enterprise Control Functions (ECF); Independent LOB/ECF Risk; Enterprise Risk Functions; Corporate Audit.

Methods: Loss Data Collection and Analysis; Risk and Control Self-Assessment; Scenario Analysis; Risk Appetite, Key Risk Indicators.

Enabled by: Basel II AMA.

By its very name, the RCSA is clearly meant to be completed by the line of business as a self-assessment. However, when we talk with practitioners across the U.S. banking sector, a good portion of them report some institutional ambiguity about the roles of the first and second lines of defense in the completion and assessment of this tool.

While reluctant to use a sports analogy, we find it’s too tempting here not to. Those who have had the opportunity to see soccer played at the highest level know that it’s called “the beautiful game” because players know their roles, they play their positions, and the game becomes a well-orchestrated dance. But if you’ve ever attended a children’s “bumble bee” soccer game, you know that the result is often a chaotic scene in which no one player knows his or her role, every player tries to score, and no one is thinking strategically. Moreover, a goal is rarely scored in these games.

Internally, we like to use the term “bumble bee risk process” to describe the phenomenon. It’s surprising how it can sneak up on us, despite our roles as risk professionals in the workplace. We’re sure it would not take a lot for you to recall a few such moments you’ve experienced in your own organization.

Key Tactic #4: Job titles must be clear and consistent so that everyone knows whose team they are on.

To provide greater clarity and transparency to the operating model, the ORMF at Bank of America worked directly with the bank’s human resources department to create an optimal set of job codes, role descriptions, and responsibilities for each member of the operational risk stakeholder team.

At the start of the exercise, the ORMF identified over 1,400 members of staff, in the first line of defense, with the word “risk” in their titles. Like two teams playing in the same-color jersey on the soccer field, it was difficult for anyone at Bank of America to know if a risk associate resided in the first or second lines of defense.

To address this issue, the ORMF created a strict taxonomy that allows for the word “risk” in the title of only those individuals who are members of the second line of defense: the chief risk officer’s organization. This move helped clarify “who’s who” across the organization.

Representative sample titles for those risk associates in the second line of defense include “senior operational risk executive,” “operational risk executive,” “senior operational risk manager,” “operational risk manager,” and “operational risk analyst.” Further, for all of the roles in this particular job family, there is a consistent set of responsibilities in line with the team’s role that serve as a challenge and oversight function to the businesses they support.

To distinguish the operational risk practitioners in the CRO organization from the ORMF staff who design and lead the program and are not strictly aligned to specific business units as their second line of defense, the firm adopted a naming convention with the word “corporate” as its prefix. Representative samples include “corporate operational risk executive,” “corporate operational risk manager,” and “corporate operational risk specialist/analyst.”

However, the most dramatic change was to adopt a common naming convention for the 1,400 first-line-of-defense staff residing in the LOBs. The use of “risk” in their titles was changed to “business control.” Examples include “business control executive,” “business control manager,” and “business control specialist/analyst.”

Clarity and consistency in roles and responsibilities, coupled with a standard set of naming conventions, help engender staff pride and a sense of empowerment in being a part of a specific team.

Key Tactic #5: Defining roles across multiple dimensions helps align the organization’s capabilities.

In covering the previous key tactics, first at the enterprise level and then at the operational risk program level, we discussed the simplicity of clarifying high-level roles. At that high level, it’s more like clarifying goals for each line of defense.

What needs to follow that “goal clarity” is “role clarity,” and defining roles does require details. Explicitly communicating roles is critical, and doing so across multiple levels helps drive consistency across the bank’s operating framework. At Bank of America, the framework includes 1) Identify and measure, 2) Mitigate and control, 3) Monitor and test, and 4) Report and review. Together, they constitute what we call the IMMR Framework.

The excerpt “Who does what” (Figure 6) was communicated to all associates and succinctly describes the roles and responsibilities of all lines of defense, putting ownership of operational risk clearly in the hands of the leaders who own and manage the risk-reward equation for their respective businesses. Communicating roles and responsibilities starts at the strategic level for all stakeholders. At a more tactical level, the bank provided additional context on the roles of the multiple lines of defense.

That communication was critical to the successful adoption of the Operational Risk Framework because it helped clarify the role of the key stakeholders in the process, including the ORMF. Purposely centralized, the ORMF is charged with developing and guiding the operational risk strategy, ensuring its stature across the organization, and providing independent oversight of the operational risk management program.


The ORMF ensures that business-unit CROs, who act as the second line of defense and independently lead risk for each of the bank’s LOBs and ECFs, are held accountable for oversight of the program for the businesses they support. At Bank of America, most of the CRO teams have an operational risk leader who reports to the CRO and is charged with leading the second-line operational risk program for their respective CROs. These operational risk leaders work directly with the LOB and ECF leaders, who are based primarily in the chief operating officer organizations.

The oversight role of the independent CRO risk team to the LOBs and ECFs incorporates the ongoing exchange of business and risk subject-matter expertise that drives comprehensive understanding and improved management of the business environment and internal control factors. These discussions are documented in ways such as meeting minutes, and significant outcomes are frequently captured in the identification and documentation of a specific risk, a change in risk rating, or as a new issue.

These independent CRO teams may implement operational risk management review and approval processes for the LOBs and ECFs they oversee, based on the specific risks and controls for each. This includes, but is not limited to, processes such as:

• New product review and approval.
• Reputational risk review and approval.
• Risk acceptance review and approval.

However, the ORMF also works directly with these business leaders as well to ensure they own and manage operational risk in their lines of business as the first line of defense.

By communicating a clear operating model, with well-defined roles and responsibilities at the division level, the ORMF has been successful in helping associates at all levels understand the definition of operational risk and their organizational role in it. The further step of providing clarity and consistency on specific roles within each of those key participant groups has effectively made it real for Bank of America staff. It has given associates a sense of ownership and empowerment in line with the bank’s operational risk vision. Role definition and clarity round out the first five of the authors’ considerations.

Figure 6. Operational Risk: Who Does What

All Bank of America associates practice operational excellence and are champions and practitioners of active debate of issues, issue and emerging risk identification, self-identifying audit issues, and root cause analysis.

Business leaders are accountable for managing operational risk in their line of business.

Chief risk officers own and manage the operational risk program in their areas. They identify the control gaps and take them to the business (leaders).

Operational Risk Management Function sets the operational risk program strategy, standards, tools, and processes based on the Basel framework and provides guidance, oversight, and challenge to CRO, LOB, and ECF teams.

Compliance manages compliance risk, including establishing compliance program standards and policies and overseeing bank interactions with regulatory agencies.

Corporate Audit assesses the effectiveness of the program and supporting controls and the enterprise’s execution of the program.

The figure also contains three responsibility matrices, each with columns for ORMF Responsibilities, LOB Responsibilities (1st Line), LOB CRO Responsibilities (2nd Line), and Audit Responsibilities (3rd Line):

• By IMMR Framework (IMMR Step): Identify and Measure; Mitigate and Control; Monitor and Test; Report and Review.
• By Program Element: Risk Appetite; Bus. Environ. & Int. Control Factors (RCSA/KRIs); Scenario Analysis; Operational Loss Mgmt.
• Within Governance (Governance Level): Board Level Committees; Sr. Mgmt. Level Committees; LOB/ECF Committees.

[Matrix cell entries not reproduced.]

To be continued… In next month’s RMA Journal, the authors explore the final five considerations and offer a word on the importance of roles and responsibilities in operational risk management.

••Rick Parsons, recently retired, was executive vice president and corporate operational risk executive at Bank of America. He was responsible for providing a consistent and structured approach for managing operational risk throughout the company and providing enterprise-risk-level reporting and monitoring for systemic risk issues. He can be reached at [email protected]. Greg Montana, senior vice president, senior operational risk executive, Bank of America, leads the assessment and validation of the corporate operational risk framework across all Bank of America and Merrill Lynch lines of business. He can be reached at [email protected].

Notes

1. Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, p. 5.

2. Ibid., p. 3.

3. Financial Services Authority, The Turner Review: A Regulatory Response to the Global Banking Crisis, March 2009.

4. David Walker, A Review of Corporate Governance in UK Banks and Other Financial Industry Entities, November 2009.

5. Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, p. 5.

6. Basel Committee on Banking Supervision, Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, p. 5.

7. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Interagency Guidance on the Advanced Measurement Approaches, June 3, 2011, p. 9.

The RMA Journal Guidelines for Authors

The RMA Journal encourages industry professionals to share their knowledge with readers. We are happy to publish first-time authors, as well as experienced writers. Below are some tips to help you get your article accepted for publication.

Writing Tips

By following these few tips, you’ll increase the chance of your article being recommended for publication.

Read the Journal. It helps to know the types of articles we publish and the style they are written in.

Query first. Although we accept articles that drop into our inbox, it’s a good idea to query us first to be sure your topic is acceptable. By sending us an article proposal first, we can often provide you with guidance about what to include or not include in your article.

Keep the length reasonable. Most articles average about 2,500 words, but they can be longer or shorter if necessary. It’s better to focus on making your points in the most efficient way, than to try to hit a particular word count.

Use charts and graphs to illustrate your point. Not all articles benefit from charts and graphs, but many do. Charts and graphs may be created in Word and sent embedded within the article; if imported from another program, however, please send the files from which they originated, whether PowerPoint or Excel.

Use bulleted and numbered points. No matter how technical the topic, the best writing is simple writing. By using short sentences, lists, and subheads, you make your article easier to read and understand.

Explain “how to.” Our readers want to learn. Articles offering useful advice, such as what to consider when lending to hotels, are most popular. Readers also like to learn from others’ mistakes in “Spilled Milk” articles. Articles that offer problem-solving tips are also well read.

Limit the use of footnotes. We discourage the use of more than 10 footnotes and actually prefer less than five. RMA Journal articles should not read like research papers.

Email articles to the editor. Kathie Beans can be reached at [email protected] and 215-446-4095.

The Article Review Process

The RMA Journal is a peer-reviewed publication. Proposals and articles are reviewed by members of The RMA Journal Editorial Advisory Board. These reviews can take up to a few weeks. When an article is not recommended for publication, the author is given a clear explanation of why the article fell short. Once an article is accepted for publication, you’ll be asked to sign our standard copyright form, which gives us first publication rights. You can reuse your article however you wish as long as you indicate that it was first published in The RMA Journal. We’ll also ask you for a photo that we can use on our Contributors’ Page. This is optional. The RMA Journal does not offer payment for articles; however, the author receives a byline and sentence about his or her background at the end of the article and on the Contributors’ Page at the front of the Journal. An Adobe .pdf file of the article is e-mailed to the author as well.

About The RMA Journal

The RMA Journal is the most respected publication for professionals in the financial services industry. It dates back to 1918, just four years after RMA was founded, when it was a mimeographed letter called the Bulletin. Over the decades, The RMA Journal evolved with the industry. Today its focus on enterprise risk management addresses current issues in credit, market and operational risk, offering practical advice and alerting readers to emerging risk and regulatory issues. Journal subscribers number about 20,000 and secondary readership is estimated to be 100,000. It’s published 10 times per year (every month but August and January).

