Ch2 Risk Governance - FOR SESSION 2

Uploaded by Tanya Gupta

Chapter 2

Risk Governance

Agenda
• Prudential Regulation of Operational Risk (Operational Risk in Basel II; Principles for Sound Management of Operational Risk; Pillar 1 Capital for Operational Risk; Pillar 2 Capital for Operational Risk; What Regulators Expect When Assessing an ORMF; Overview of Regulators Around the World)
• BCBS Revisions to Principles for Sound Management of Operational Risk
• Role of Supervisors of Operational Risk
• Operational Risk Governance (Risk and Committee Structure; Governance and Risk Documentation; The Role of the Board for Operational Risk and Resilience; Three Lines of Defense Model (3LoD))
• Roles and responsibilities in Lines of Defense
• Institute of Internal Auditors (IIA) - 2021
• Risk Appetite for Operational Risk (Regulatory Guidance on Risk Appetite for Operational Risk; Risk Appetite Structure and Monitoring Risk Appetite; Risk Appetite Governance)
• Risk Culture (The Importance of Risk Culture for Regulators; Deploying a Risk Culture Program)
Prudential Regulation of Operational Risk
• a) Operational Risk in Basel II: three pillars, introduced as part of Basel II (2004).
• Pillar 1: Regulatory Capital: calculations that determine the minimum level of capital banks need to hold against unexpected losses from credit, market and operational risk, plus liquidity risk ratios. From an operational risk perspective, capital alone, without proper governance and management, is not sufficient.
• Pillar 2: Supervisory Review Process: includes add-on capital requirements on top of Pillar 1 capital. Capital must be self-assessed by the firm and validated or amended by the regulator. From an operational risk perspective the add-ons address concentration risk, compliance, gaps in governance or management, and aggressive growth strategies.
• Pillar 3: Market Discipline: rules on mandatory disclosure of the firm's financial situation and risk information. This encourages market discipline, especially among investors in riskier firms that are required to hold larger amounts of capital to cover their increased risk-taking.

• b) Principles for Sound Management of Operational Risk: regulatory capital to cover operational risk has shortcomings (e.g. natural disasters, operational failures), so the principles emphasize that good operational risk management is mandatory, not optional.
BCBS Revisions to Principles for Sound Management of Operational Risk
• Revised Principles for Sound Management of Operational Risk (RPSMOR), March 2021
Prudential Regulation of Operational Risk (contd.)
• c) Pillar 1 Capital for Operational Risk: the operational risk capital rules were not modified much until 2015. Around 2017 the three-tier regulatory capital regime for operational risk was discontinued. The new approach is a single measure of capital, the Standardized Measurement Approach (SMA), renamed the Standardized Approach (SA), effective from January 2023.
• From January 2023 onwards the SA applies. It is a slight revision of The Standardized Approach (TSA). Under the SA the minimum regulatory capital required to cover operational risk is the operational risk capital (ORC). Compared to TSA, "gross income" is replaced with the "business indicator" (BI) in the SA.
• The marginal weighting % of regulatory capital depends on the size of the BI:
• 12% for BI < €1 billion; 15% for €1 billion < BI < €30 billion; 18% for any value of BI > €30 billion.
• The level of operational risk increases more than proportionally with size (complexity of processes and operations), and this needs to be covered by extra capital.

• BI components: interest, leases and dividends component (ILDC); services component (SC); financial component (FC).
• ILM = penalty factor for banks with a history of larger losses than their peers' during the 10 previous years. The ILM is at the discretion of national regulators and could be fixed at 1.
Prudential Regulation of Operational Risk (contd.)
• Until January 2023: banks have the choice among BIA, TSA and AMA for the Pillar 1 capital calculation for operational risk.
• Basic Indicator Approach (BIA):
• Operational risk capital = 15% (alpha) × average yearly gross income over the past 3 years (years with negative or zero gross income are excluded). Gross income = net interest income + net non-interest income.
• Not intended to be used by internationally active banks or banks with significant operational risk exposures.
• Standardized Approach (SA): operational risk capital is calculated using weighted averages of gross income separated by business line (beta factor = 12%, 15% or 18%), based on the perceived riskiness of the underlying business line.
• The SA reform departed from this view, as operational losses incurred in banks' various lines of business over the past 20 years did not match expectations.
• Advanced Measurement Approaches (AMA) for banks and Internal Modeling Approaches (IMA) for insurance companies:
• Financial institutions are free to assess their own capital needs, provided the regulatory authority of each country in which the firm is incorporated validates its model and framework.
• The level of capital should be sufficient to cover all possible operational losses up to a 99.9% confidence level at a 1-year horizon.
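As an added worked example (not from the slides), the following Python computes the Pillar 1 figures described on the two slides above: the SA business indicator component with the 12%/15%/18% marginal buckets, the ILM applied to it, and the BIA charge that excludes years with zero or negative gross income. The sample amounts are constructed; the ILM formula is taken from the Basel III standard (OPE25), which the slides do not reproduce.

```python
"""Worked example (added, not from the slides): Pillar 1 operational risk
capital under the Basel III Standardised Approach (SA) and the older Basic
Indicator Approach (BIA). All amounts are constructed sample inputs in EUR."""
from math import exp, log
from typing import List, Optional

# SA marginal coefficients by Business Indicator (BI) bucket:
# (upper bound of bucket, marginal coefficient applied within that bucket)
BI_BUCKETS = [
    (1e9, 0.12),            # 12% on the first EUR 1 billion of BI
    (30e9, 0.15),           # 15% on BI between EUR 1 billion and EUR 30 billion
    (float("inf"), 0.18),   # 18% on any BI above EUR 30 billion
]


def business_indicator(ildc: float, sc: float, fc: float) -> float:
    """BI = ILDC + SC + FC (each component a three-year average under Basel III)."""
    return ildc + sc + fc


def bic(bi: float) -> float:
    """Business Indicator Component: the coefficients are marginal, i.e. each
    slice of BI is charged at its own bucket's rate, not the whole BI at the
    top bucket's rate."""
    capital, lower = 0.0, 0.0
    for upper, coeff in BI_BUCKETS:
        if bi <= lower:
            break
        capital += (min(bi, upper) - lower) * coeff
        lower = upper
    return capital


def ilm(bic_value: float, avg_annual_loss: float) -> float:
    """Internal Loss Multiplier (Basel III OPE25, not stated on the slides):
    ILM = ln(e - 1 + (LC / BIC) ** 0.8), where LC = 15 x average annual net
    operational loss over the preceding 10 years. ILM == 1 exactly when
    LC == BIC; banks with heavier loss history than their BIC get ILM > 1."""
    loss_component = 15 * avg_annual_loss
    return log(exp(1) - 1 + (loss_component / bic_value) ** 0.8)


def sa_capital(bi: float, avg_annual_loss: Optional[float] = None) -> float:
    """ORC = BIC x ILM. Pass avg_annual_loss=None for a jurisdiction whose
    national regulator fixes ILM = 1 (the discretion mentioned on the slide)."""
    bic_value = bic(bi)
    multiplier = 1.0 if avg_annual_loss is None else ilm(bic_value, avg_annual_loss)
    return bic_value * multiplier


def bia_capital(gross_income_by_year: List[float], alpha: float = 0.15) -> float:
    """BIA: alpha (15%) x average annual gross income over the last three
    years, where years with zero or negative gross income are dropped from
    both the numerator and the denominator."""
    positive = [gi for gi in gross_income_by_year[-3:] if gi > 0]
    if not positive:
        return 0.0
    return alpha * sum(positive) / len(positive)


if __name__ == "__main__":
    # Constructed bank: BI of EUR 40bn, so all three buckets are used.
    bi = business_indicator(ildc=25e9, sc=10e9, fc=5e9)
    print(f"BI = {bi / 1e9:.2f}bn, BIC = {bic(bi) / 1e9:.3f}bn")
    print(f"ORC with ILM fixed at 1: {sa_capital(bi) / 1e9:.3f}bn")
    print(f"ORC with avg annual loss 0.3bn: {sa_capital(bi, 0.3e9) / 1e9:.3f}bn")
    # Constructed BIA inputs: one loss-making year is excluded from the average.
    print(f"BIA capital: {bia_capital([200e6, -50e6, 300e6]) / 1e6:.1f}m")
```

Comparing `sa_capital(bi)` with `sa_capital(bi, avg_annual_loss)` shows how much of the charge is driven by the loss history rather than by size alone.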
Prudential Regulation of Operational Risk (contd.)
• d) Pillar 2 Capital for Operational Risk: allows the regulator to adjust the capital requirement calculated under Pillar 1 with an add-on that reflects more fairly the nature and extent of the regulated entity's risk exposure (e.g. it helps cater for concentrated risks or a newly evolving sector), i.e. an extra capital requirement to compensate for them.
• Regulators review and evaluate the arrangements, strategies and processes, the firm's governance arrangements, its corporate culture and values, and the mechanisms implemented by the firm to comply with its regulatory requirements, considering the nature, scale and complexity of the firm's activities.
• In Europe, the evaluation of capital sufficiency by banks and financial firms is the Internal Capital Adequacy Assessment Process (ICAAP), part of the Supervisory Review and Evaluation Process (SREP). For the insurance industry it is the Own Risk and Solvency Assessment (ORSA).
• In the United States it is the Comprehensive Capital Analysis and Review (CCAR) program. Solvency assessment of a financial firm requires the identification of key threats and scenarios for large loss events, and the assessment of the firm's resilience to internal and external shocks that would lead to changes in the operating environment, business plan and profitability.
• e) What Regulators Expect When Assessing an ORMF: the Basel Framework contains the BCBS's full set of standards, including the 29 Core Principles needed for a supervisory system to be effective. The most relevant elements relating to supervision of risk management: [refer to the 29 Core Principles of the BCBS].
Prudential Regulation of Operational Risk (contd.)
• f) Overview of Regulators Around the World:
Role of Supervisors of Operational Risk
• Supervisory Evaluations in Practice: ORM should not be a mere compliance exercise of policies on paper, rubber-stamped by the governing body; risk management should be fundamental to all business decisions and embedded in all activities, with involvement of staff at all levels in the decision-making process. The bank should be able to demonstrate to regulators and auditors how decisions are arrived at.
• Questions to address when testing the practical implementation of the ORMF:
• 1) Event reports: Are all material events captured? Are reports thoroughly analyzed for root cause and lessons learnt? Are near misses included?
• 2) Risk and control assessments: Is the basis robust and consistently applied? Are the right people involved? Are assessments challenged and peer reviewed to ensure consistency?
• 3) Risk indicators: Are the values of indicators independently derived? Are indicators approved by line managers/risk owners? Are they regularly refreshed?
• 4) Scenarios: Are they sufficiently broad? Are they sufficiently extreme while remaining realistic? Is the assessment objective, documented and repeatable?
• 5) Coverage: Is there confidence that the scope of ORM for functions and individuals is complete?
• 6) Risk reporting: Is the information sufficient for decision-making? Is the information appropriate for the level of management?
• Getting on Top of Regulatory Requirements: firms should be aware of anything that is relevant to their businesses. Failure to comply can result in regulatory sanction, a capital add-on, etc. Operational risk teams could maintain a library of regulatory documents to inform and govern how the firm's operational risk framework should operate, and ensure that all relevant staff are fully aware of their contents (e.g. through an annual review). The compliance team performs horizon scanning for relevant new documents.
Operational Risk Governance
• Banks' operational risk governance function should be fully integrated into their overall risk management governance structure, with a clear definition of the roles and responsibilities (such as oversight, management, monitoring and reporting or escalation) of the various risk management stakeholders across the organization, along with an executable decision-making process and enforceable discipline.
• a) Risk and Committee Structure: the size and number of committees addressing the governance of operational risk are established based on the size and complexity of the organization, e.g. larger and more complex firms generally have a pyramid of risk committees for the responsibilities mentioned above.
• The lowest level in the operational risk committee structure is held by risk committees overseeing activity by business type/function (e.g. corporate banking, investment banking, support services) or geographic location; they are responsible for providing information to help determine the broader operational risk profile, and for escalating significant issues, or those exceeding predetermined limits, to a firm-wide or second line of defense risk committee.
• The group operational risk committee performs the responsibilities highlighted above and reports a consolidated picture to the executive risk management committee, the management committee and the board risk committee.
• A board-created enterprise-level risk committee (board risk committee) oversees all operational risk; the committee also makes recommendations to the full board on risk-based decisions, risk exposure and risk management. The board of directors and the board risk committee receive regular risk reporting.
• The risk committee reviews and monitors the investigation of larger incidents; the frequency of meetings should ensure consistent oversight of operations and adequate representation and escalation of potential issues to the board.
• Regulators require that members of the board risk committee have recent and relevant experience.
• ORM, ERM and Committee Structure: operational risk itself is often split into risk categories, with each category having its own committee.
Operational Risk Governance (contd.)

• b) Governance and Risk Documentation: the Terms of Reference (TOR) of a committee, or "committee charter", sets out the authority a committee has to oversee its delegated area of responsibility; it contains information on membership, the roles and responsibilities of members, the frequency of meetings, and any amendments, modifications or variations in the charter over time.
• Committees review the risk information and risk reporting of the firm to support decision making, and review and validate policies. The content of discussions, their decisions and the motivations behind them must be documented in committee minutes; this is the evidence of good governance of operational risk requested by supervisors in their evaluation.
• Operating policies describe how a company runs its business and organizes its processes. Procedures and guidelines give specific guidance on how to execute certain tasks or processes. Policies, procedures and other guidelines are a form of internal control known as directive controls.
• Policies and procedures must be publicized, kept up to date and embedded in the operations of the organization. They should reflect business reality, apply in daily practice and be meaningful. Policies must evolve to reflect changes in the business.
Operational Risk Governance (contd.)
• c) The Role of the Board for Operational Risk and Resilience
• Regulatory Guidance on the Role of the Board for Operational Risk: the board of directors is ultimately responsible for the general administration of the firm (including risk management), for determining the nature and extent of the significant risks the firm is willing to take to achieve its strategic objectives, and for maintaining sound risk management and internal control systems, i.e. setting the risk appetite of the firm and operating within its limits.
• The board of directors should validate the operational risk management framework and ensure periodic revision of the ORMF, and ensure that senior management implements the policies, processes and systems of the ORMF effectively.
• The board is also responsible for establishing a risk management culture that is communicated effectively to the firm, with adequate training across the organization.
• Regulatory Guidance on the Role of the Board for Operational Resilience: the responsibilities of a bank's or FI's board have been extended to the supervision and assurance of effective management of operational resilience. Directors need to use their existing governance structure to establish, oversee and implement an effective operational resilience approach; directors should take an active role in establishing a broad understanding of the firm's operational resilience approach, through clear communication of its objectives, as it is their responsibility on risk culture.
• The firm's operational resilience approach must consider its risk appetite and tolerance for disruption to its critical operations; the board of directors oversees senior management's implementation of the operational resilience approach and ensures that sufficient financial and technical resources are allocated to operational resilience; the board should have assurance of ongoing operational resilience through timely reporting from senior management; and the board should have received training (itself and staff) in operational resilience and have sufficient knowledge, skills and experience to meet its operational resilience responsibilities.
Operational Risk Governance (contd.)
• d) Three Lines of Defense Model (3LoD)
• Line 1: risk owners, i.e. the front line of the business, responsible for managing risk. BCBS term: "business unit management".
• Line 2: comprises those who provide independent risk oversight over business processes and over the proper implementation of the risk management policies and framework. They are responsible for challenging the activities and behavior of the business lines. BCBS term: "an independent corporate operational risk management function (CORF)".
• Line 3: the internal audit function. BCBS term: "independent assurance".
• Implementation of the three lines of defense varies with the size, nature and complexity of the entity; ORM tends to be less centralized than credit, market or liquidity risk, making the delineations of the three lines of defense model more difficult.
• Lines of Defense Delineation and Hybrid Control Functions in Operational Risk: the degree of independence of the CORF may differ among banks; the CORF engages relevant corporate control groups (e.g. compliance, legal, finance and IT) to support its assessment of operational risks and controls.
• Hybrid Functions Across First and Second Lines of Defense: when staff resources are limited, functions such as finance, human resources, legal, ICT, and information and physical security departments undertake both first and second line activities and act as hybrid functions. The BCBS requires documenting and distinguishing first versus second line roles within these functions, emphasizing the independence of the second line of defense.
Roles and responsibilities in Lines of Defense
• First Line of Defense: covers all commercial/front-office operational functions, i.e. "the business". Risk owners are those responsible for the consequences of the risks they generate or supervise, and for their assessment and mitigation.
• Responsibilities: identifying and assessing the materiality of the operational risks inherent in the business; establishing appropriate controls; assessing the design and effectiveness of these controls; monitoring and reporting business units' operational risk profiles. If the business unit believes it lacks adequate resources, tools and training to ensure identification and assessment of operational risks, it should report that to the second line of defense (CORF); it should also report residual operational risks not mitigated by controls, including operational loss events, control deficiencies, process inadequacies and noncompliance with operational risk tolerances.
• Risk Champions and "Line 1.5": operational risk management is decentralized by nature, being present in every process and every operation, so organizations designate "risk specialists" or "risk champions" in each business department to interact with the risk function. These "stewards" or "risk correspondents" form Line "1.5" or "1.b" (observed in larger organizations).
• Roles: being the main correspondent for risk issues; collecting and recording risk events and losses; mapping risks and controls in line with group definitions; following up on the control rules defined, risk management action plans and audit tracking. Ownership of operational risk in the first line of defense is not assumed by, or passed to, this specialist expertise.
• Second Line of Defense: develops the risk management framework and reviews and challenges its implementation by the first line. It should not be directly involved in the risk management activities performed by the first line of defense, but rather provide guidance, oversight and challenge to these activities. This requires expertise in the conceptual and technical aspects of risk identification, assessment, mitigation and monitoring, and excellent knowledge of regulatory requirements and of the business environment to ensure compliance. The risk function requires great visibility over the conduct of business operations as well as a deep understanding of the risk drivers affecting them.
Roles and responsibilities in Lines of Defense (contd.)
• Responsibilities: developing and maintaining operational risk management and measurement policies, standards and guidelines, and designing and delivering operational risk training to promote awareness and risk competency; developing an independent view of business units' risk management activity, i.e. their identification of material operational risks, the design and effectiveness of key controls, and respect of risk appetite and tolerance limits; challenging the relevance and consistency of business units' implementation of operational risk management tools, measurement activities and reporting systems, and providing evidence of challenge; reviewing and contributing to the monitoring and reporting of the operational risk profile; supporting the process of making business decisions by providing an informed view of possible risks and the mitigating options available when choices are made, acting as a sounding board to business lines for decisions that would modify the risk profile of the institution (e.g. related to new ventures, commercial accords or acquisitions).
• The risk function needs enough delegated authority to veto some business decisions that either contradict regulatory requirements or exceed the risk appetite limits agreed by the board.
• Second Line of Defense, Between Guidance and Challenge: pure independence of the second line of defense raises the question of potential redundancy with internal audit; it can be very difficult to operate effective oversight and challenge on risk management activities in the business before these activities are properly implemented, understood and maturing.
• The first role of the operational risk management function is to educate all internal parties on the essentials of ORM, covering concepts such as: What is operational risk? How are operational incidents recognized and reported? What are the benefits of good operational risk management? What are the pitfalls of poor risk management?
• Next, risk training can focus on the description and implementation of risk management tools for risk identification, assessment and root-cause analysis, or scenario workshops. Effective, engaging and widespread training on operational risk is an important prerequisite for any implementation of a risk management framework. The second line of defense can maintain its independence from the first line by providing guidance and asking questions without preempting the answers (to avoid exerting influence), but it can challenge the answers and their justifications.
• The second line owns the methodology; the first line owns the risks.
Roles and responsibilities in Lines of Defense (contd.)
• Third Line of Defense: internal audit is independent of the risk management process; it independently assesses the control system of the organization and compliance with the policies and procedures of the different departments and activities (including the risk function), and defines its own view of the organization's key risks, around which it develops its audit universe.
• The audit and risk functions coordinate their agendas in order not to overload business-line managers with redundant visits and risk assessments. Sometimes the second and third lines of defense also exchange information and findings.
• Effective risk management, compliance and finance functions are essential parts of an organization's corporate governance structure. Internal audit should be independent of these functions and be neither responsible for, nor part of, them; internal audit should assess the adequacy and effectiveness of the risk management, compliance and finance functions; it should always examine an appropriate sample of the activities under review; and it should exercise informed judgement as to what extent it is appropriate to take account of relevant work undertaken by others, such as risk management, compliance or finance, in either its risk assessment or its determination of the level of audit testing of the activities under review.
• Independent assurance is provided to the governing body, senior management and external stakeholders, such as regulators and investors, by internal audit for the general system of operational controls and by the external auditors for the organization's financials and the system of controls around financial reporting.
• Internal audit must be independent and should report with a solid line to a non-executive director of the firm. External audit must also be independent; its role is to provide its opinion on the financial statements.
• Three Lines of Accountability: the lines of defense are also referred to as the "three lines of accountability", to insist on the delimitation of roles and responsibilities across the different lines and to emphasize the importance of the accountability of these roles.
Institute of Internal Auditors (IIA) - 2021
• IIA's Three Lines Model: a refined model to reflect the evolution of risk management within organizations, aiming to foster closer collaboration between business functions, including internal audit.
• The model also reinforces the role of expertise and support of the second line and specifies that the challenge applies to risk-related matters. In some cases the risk function has taken a very independent stance vis-à-vis the business function, emphasizing its oversight and challenge to the detriment of support and expertise, confusing its role with that of internal audit.
• The second line is part of, and reports to, general management. This moves the approach closer to the models that have evolved in many mature firms in risk management.
Risk Appetite for Operational Risk
• a) Regulatory Guidance on Risk Appetite for Operational Risk: the board is responsible for determining the nature and extent of the risks (the acceptable amount, i.e. the risk appetite) it will take in achieving its strategic objectives, and for maintaining sound risk management and internal control systems. This means assessing all key risks, establishing boundaries for acceptable and unacceptable incidents, and creating the necessary controls that these limits require. BCBS: risk appetite and tolerance drive the priorities of the entire control environment.
• BCBS: the 4th operational risk management principle concerns risk appetite and tolerance. They need to be easy to communicate and understand, justify the reasons for taking, limiting or avoiding certain types of operational risk, and be aligned with the bank's strategy and business plans. Risk appetite limits should be monitored, be forward-looking and subject to scenario and stress testing, with a view of what events might push the bank outside the limits of its risk appetite and tolerance. The board of directors ultimately owns the risk limits and validates them periodically; the board may delegate this responsibility to the board risk committee, which requests the support of the risk function to ensure implementation of the limits in controls and exposure in the business and to report on them regularly.
• b) Risk Appetite Structure and Monitoring Risk Appetite: the motivations for taking or avoiding certain types of risk, i.e. risk-return trade-off decisions, must be addressed in risk appetite statements. Risk appetite must align with the firm's strategic objectives, and the risk management strategy of a firm should be consistent with its business strategy.
• A risk appetite aligned to the strategic objectives of the bank guides decision-making at business level by setting limits on risk exposure, minimum requirements on key controls, and thresholds on the frequency and severity of tolerated operational incidents. The metrics for monitoring these limits are the "boundaries or indicators" (which may be quantitative or not) that, in the words of the BCBS, enable monitoring of these risks, i.e. "monitoring KRIs".
Risk Appetite for Operational Risk (contd.)
• Appetite and tolerance statements are usually expressed per main risk type, e.g. around key processes, with a different level of risk appetite for each process.
• Risk appetite and tolerance statements must refer to consistent key controls. Documentation, such as the list of key controls for each main risk type, is particularly useful for demonstrating to internal and external stakeholders, including regulators and clients, that the organization lives up to its objectives.
• Monitoring thresholds and key indicators for control reliability, activity limits and other KRIs provide management with relevant information and assurance that the business operates as it should. Comparing incidents and near misses with the estimates of acceptable limits reveals whether the risk management actions in place are effective enough to keep the frequency and severity of incidents within the tolerated limits. Other tools and limits reflect an organization's appetite for operational risk, such as the risk scales used for risk assessment and heatmaps, or the tolerance thresholds set on monitoring metrics or key risk indicators.
Risk Appetite for Operational Risk (contd.)
• c) Risk Appetite Governance: allocate a risk owner to each risk type labeled in the risk appetite structure. As risk appetite sub-categories and controls cascade down into limits, controls and monitoring metrics, it is good governance to designate control owners and metrics owners for the various operational risks.
• Control owners are responsible for the design, implementation and effectiveness of controls.
• Metrics owners are responsible for the collection, reporting and monitoring of the metrics that capture the performance of the organization with regard to its risk appetite.
• Risk owners are the managers responsible for managing, maintaining and monitoring risks within the stated limits of appetite and tolerance, i.e. the first line of defense.
Risk Culture
• a) The Importance of Risk Culture for Regulators: a better risk culture leads to less operational risk and improved resilience. "Banks with a strong culture of risk management and ethical business practices are less likely to experience damaging operational risk events and are better placed to effectively deal with those events that occur." Risk culture is closely associated with good conduct and ethics (which fall under the responsibilities of the board):
• The board of directors should establish a code of conduct or an ethics policy to address conduct risk; the code or policy should be regularly reviewed and approved by the board of directors and attested by employees.
• b) Deploying a Risk Culture Program: the board of directors must lead the risk culture, which is implemented by senior management. "Tone at the top": the board should set the tone for the organization by its own conduct and by establishing expectations and consequences for employee conduct. A strong risk culture must be documented through policies and codes applicable to everyone in the organization.
• Risk awareness, application of policies and rules, alertness, ethical quality and transparency are fundamental elements of a strong risk culture and a robust risk management framework. Risk culture is supported by management reinforcement of the codes of conduct and ethics, the compensation structure and training. Proper risk-taking needs to be designed so that the risk-takers have "skin in the game" and bear the consequences of their actions.
• By raising awareness of the operational risks embedded in activities and processes and providing essential risk literacy to all, training programs are another important part of building a sound risk culture.
• Reinforcement of adherence to the code of conduct and signaling of discipline are effective ways to influence behaviors. Reinforcement means that rules are taken seriously, but unnecessary blame should be avoided. A "no-blame culture" is, along with "tone from the top", the most common recommendation for the establishment of a good risk culture.
