
OPERATIONAL RISK

Challenges facing operational risk managers were discussed at a recent meeting of RMA's New York Chapter.

Risk and Businesses Must Work Closely Together


WORK CLOSELY WITH the businesses to understand the risks they face. This message was a key point addressed by panelists at a recent New York Chapter meeting exploring challenges in operational risk management. Other issues under discussion were risk reporting, benchmarking, technology, and data integrity.

Andrew Leonard, who runs the operational group at the Depository Trust & Clearing Corporation (DTCC), says operational risk is the biggest risk his organization faces. His group has operational risk professionals married to his organization's seven major business lines. "We try to understand their business, and then look at the risk and apply what we do to those risks," he said. "We don't present them with a set of risks and ask if they apply to their business." DTCC also has a small team that looks across the enterprise to detect systemic risks that may not be apparent at the individual business levels.
Risk Reporting

Joe Iraci, head of corporate risk at TD Ameritrade, a broker-dealer, offered advice on reporting. "First, determine the purpose of the reporting," he advised. Unlike credit or market risk, operational risk is very specific to the management level that it is geared toward. A corporate risk group should report on a portfolio basis. The report should become increasingly detailed as it is prepared for lower management levels.

Risk managers bring intellectual capital to the business, which is memorialized in a report, continued Iraci. "Look at the report like a marketing person as you determine the target market for your report," he said. "Are you meeting your market's needs?" Consider the firm's organizational structure because it reflects how the risk organization is structured and that influences reporting.

Leonard agreed. "At the business-line level, the information helps them manage the risk. At the board level, it informs them about the risks and who is managing them," he said, adding that some risks require the board's endorsement before the firm can move forward.

Effective and scalable technology has played a big role in enabling collaboration when it comes to identifying risks. Gaurav Kapoor, chief operating officer, MetricStream, noted that the technology has allowed companies to move from silos of managing risk to an integrated model that allows them to aggregate and manage risk across the enterprise in a federated manner. In a federated structure, the enterprise risk function is aligned centrally with corporate governance and reporting, as well as distributed to lines of business, facilitating clear ownership and accountability for risk. "Between the information model and collaboration, companies are able to go deeper into the organization and be more proactive in how they manage risk," Kapoor noted.

Standards and benchmarks are company-specific for operational risk, unlike credit and market risks, which carry the same risk at any firm with similar exposures. "Key risk indicators (KRIs) have to be graded according to your own data set," explained Iraci, who also advocated back-testing to differentiate between a one-rated indicator and a five-rated indicator. Yakov Lantsman, a business risk principal for Deloitte, noted that some processes around operational risk are standardized, which provides structure around what needs to be reported. As an example, he pointed to Basel II with its matrix of risk and business-line types or product types. "What is optimal to report? What should people see? If we are going to a branch level, they need completely different information than people at the board level or manager level or product level."

April 2012 The RMA Journal 57

Copyright 2012 by RMA
Modeling Risk

It always gets back to the data, and the panel members addressed the issue of data model integrity. Kapoor said the term "big data" is one that will be heard more frequently in the risk world. "Big data is tons of data that stream in from multiple sources," he said. "The challenge is to make sense of it, deriving risk intelligence out of it. There has been a lot of talk of big data in the transactional and the operational world, and increasingly you hear a lot of it in the risk world as well. Many correlations exist between these data elements. The key is to effectively correlate the information from the credit, market, and operational sides. The analytics are about the rules that you can build within your originations," he said. Companies need to build their own rules, in place of the general benchmarks, and those that build the rules faster and better are doing a more effective job of managing risk.

Lantsman noted that firms use two sets of models, one for reporting capital, which requires much less data, and another for expected loss, which comprises four elements:
1. Internal data.
2. External data.
3. Scenario analysis.
4. Key risk indicators.

The downside of the focus on data compilation for capital purposes is that it has hurt the operational risk discipline because it has detached itself from the business, thereby making it less useful, explained Leonard. "Unless you can show how that capital actually relates back to the business, and embed that methodology into how they manage their business and reduce risk, it's not useful for operational risk management," he said. Leonard believes the industry lost three to five years of progress as it focused on capital. "Just now are we getting more toward that balance between qualitative and quantitative," he said. "Again, our goal is to align ourselves to the business so that we understand the business and then discuss its risks."

Back-testing

Back-testing of models is difficult in operational risk because data is scarce, making model performance unreliable. Lantsman suggests using scenario analysis to create a future operational risk database. For instance, if one firm experiences an event, your firm might also experience that event if your business, culture, or risk exposure is similar. Many of the losses are the result of faulty practices such as improperly performed risk control self-assessments (RCSAs). "Until the industry can get meaningful information from RCSAs, it will be susceptible to fines and penalties based on practices, which are almost impossible to back-test," said Iraci.

Incentives to Manage Behavior

Leonard said the tone from the top is strong at DTCC and that it works well to manage behavior. "We've designed the scorecards so that the business agrees it represents how they look at their business. They accept those risks, and we bring in all the information, which is reported to the CEO, the chairman, and, on a quarterly basis, to the board. It's not unusual for the chairman to phone the head of one of our businesses and say, 'Hey, I'm looking at your risk profile, and I have seen this has gone up. What are you doing about it?'" Iraci says behavior needs to be controlled by the compensation structure. In the best-case scenario, the business units would be evaluated by risk-adjusted return on capital, with their compensation structure built into it. Iraci is not aware of any firm that does this, but he believes the incentive often is a negative one. "If something goes wrong and the firm loses a lot of money, senior management looks to fire someone. If negative events are handled that way internally, people won't raise their hands on losses and then the losses get worse over time. There has to be a balance, but until we're really better able to measure it with data sets, it's difficult to influence behavior."
Measuring Risk Appetite for Operational Risk

Within the past year, TD Ameritrade reevaluated its risk appetite at the holding-company level with a view to establishing parameters, explained Iraci. It set outer boundaries for various risk types and established pass/fail measurements on specific indicators. And it is currently in the process of drilling down the indicators to a more granular level. "We look at risk appetite and risk indicators as one and the same," said Iraci, "but risk appetite is at the portfolio level; the indicators are more granular." Tools allow you to drill down through the business units and tie it back to the holding company. But aggregating the information and correlating market, credit, and operational risks across the enterprise are not so easy, and it's not possible to get a precise figure for risk-adjusted return on capital. Lantsman explained how Deloitte handles the situation: "We're using scenario analysis to create some interrelationship between different risk types, and the same key risk issues arise. If you consider risks independently, your risk will be several orders of magnitude higher than the real one." Iraci noted that a simple risk appetite statement, such as "We don't do proprietary trading," is an effective way to eliminate some risks. He said that TD Ameritrade has a single page that sets down which risks are acceptable and unacceptable within the firm's risk appetite.
Fraud

Can losses resulting from internal and external fraud be prevented if firms have better processes in place to identify KRIs or red flags? Leonard responded that red flags were present when Société Générale suffered its $7 billion rogue-trading loss. "Sometimes firms lack risk managers who look at the entire life cycle of the business process," he said. "People are responsible for pieces of it, so when they find something that's squirrelly, they're likely to say, 'That's Joe and Jane's department. They'll figure it out.' As risk managers, we can look at that full sweep of processes and ask if there are natural breaks in between the handoffs. By taking a holistic view, you can detect risks that you might not see if you're just looking at it in its pieces. In some of the spectacular loss events in recent years, nobody was tasked to look at the entire front-to-back process."

Conclusion

Challenges continue to confront the evolving discipline of operational risk management, but senior management recognizes its value, especially in light of the escalating costs associated with operational risk events. As New York Chapter Governor John Noto noted when introducing the panel, Bloomberg News reported that at least 50% of all errors made in organizations are related to operational risk.

RMA's Governance, Compliance, and Operational Risk Conference will be held in Boston, April 25-26. Register at www.rmahq.org.

Operational Risk

The Importance of Validation and Verification in Operational Risk Management

March 2012 The RMA Journal

BY GREG MONTANA AND RICK PARSONS

IN THE TWO previous issues of The RMA Journal,1 we wrote about the value of clear roles and responsibilities in the sound management of operational risk. Those articles focused on the need for banks to create and maintain definitive roles for all staff and provided 10 considerations for operational risk leaders seeking role clarity in their organizations. One of the 10 considerations focused on clarifying roles to meet expectations for validation and verification. This article will present Bank of America's approach to validation and verification, one that all banks can use regardless of their size.

As practitioners are aware, the Basel Committee on Banking Supervision provided guidance on validation and verification in two papers published in June 2011: Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches and Principles for the Sound Management of Operational Risk. The substance of the Basel guidance was clarified further by U.S. supervisors in their June 3 guidance, Interagency Guidance on the Advanced Measurement Approaches for Operational Risk. While this guidance helped explain the Basel II Final Rule requirements, operational risk practitioners still face many questions in terms of how to structure and manage the validation and verification of their operational risk management programs:
1. Which aspects of the regulatory guidance must be considered as you design your validation program?
2. How can you best differentiate the roles and responsibilities of multiple stakeholders?
3. How can you make the validation process consistent and repeatable?
4. What governance and routines can be implemented to manage the process?


The following sections examine Bank of America's approach to each of these questions, in the hope that industry practitioners will find useful insights and methods they can apply to their organizations.
Which aspects of the regulatory guidance must be considered as you design your validation program?

The regulatory requirements and interpretations of the Basel II advanced measurement approaches (AMA) provide a framework, but not an exact road map, for banks seeking qualification. In fact, the Basel guidance emphasizes the word flexibility: "[i]n recognition of the evolutionary nature of operational risk management as an emerging risk management discipline, the Committee provided significant flexibility to banks in the development of their operational risk measurement and management system. This flexibility was, and continues to be, a critical feature of the AMA."2 Moreover, the U.S. guidance provides that banks should develop "formal policies that implement validation of the AMA framework."3 However, "the scope of validation and the methodologies employed should be consistent with the materiality and complexity of the risks being managed."4

According to the Basel guidance, however, flexibility "in the development of an AMA does not suggest that supervisors are prepared to accept any practice or process that a bank adopts in implementing its AMA framework. On the contrary, supervisors are concerned with identifying and encouraging bank operational risk management practices that achieve robust and effective management and measurement systems that are consistent with safety, soundness and level playing field objectives."5 Consistent with the Basel II Final Rule, at the same time firms are considering the latest supervisory guidance, they must create a well-defined approach focused on the requirements of Pillar 1 (risk-based capital requirements for credit risk, market risk, and operational risk) and Pillar 2 (supervisory review of capital adequacy) of the AMA qualification framework.
Firms also must find a way to communicate these complex regulatory requirements so that they can be clearly understood by everyone within the organization. For example, Bank of America has implemented a risk framework that defines an operational risk appetite, governance, and reporting at all levels of the company, from each line of business up to the board of directors. The program addresses the Pillar 1 qualification requirements provided in section 22 of the Final Rule covering operational risk management processes. Section 22 also covers methodologies and data, including a system of controls, oversight, and validation routines that must be implemented broadly across an organization and deeply within each of its business units.

The Bank of America operational risk validation program also focuses on addressing standards set forth in Pillar 2. This pillar plays an important role in qualification because it gives regulators the opportunity to look holistically at the risk management processes described in the bank's operational risk framework. It enables them to test the consistent adoption, use, and effectiveness of these processes at the enterprise level and in each line of business and enterprise control function. For Bank of America, this means that all divisions of the company must pass the "use test" providing evidence that operational risk management is being used in its six lines of business (LOBs):
- Consumer and small business banking.
- Home loans and insurance.
- Legacy asset servicing.
- Global wealth and investment management.
- Global commercial banking.
- Global banking and markets.

Also required to pass the use test are the bank's six enterprise control functions (ECFs):
- Global human resources.
- Finance.
- Global technology and operations.
- Global marketing and corporate affairs.
- Legal.
- Global risk management.

When developing an approach to validation and verification, firms must consider the qualification requirements of both Pillars 1 and 2, yet also focus on adherence to the Basel guidance. These require the board of directors to:
- Establish clear accountability for implementing a strong control environment.
- Ensure that policies and procedures are implemented at all levels.6

Programs should be designed to provide assurance to management and the board of directors that operational risk management processes are functioning as designed, that program objectives are being met, and that appropriate actions are being taken to address and remediate program gaps. The U.S. interagency guidance states that operational risk validation is "a process for ongoing monitoring to assess whether all aspects of the AMA framework have been implemented effectively, remain appropriate, and are performing as intended."7 Validation explicitly extends beyond using the AMA solely for regulatory compliance purposes8 and requires that validation should show that the bank's framework is appropriate for its current and evolving risk profile. Validation also must assess the bank's AMA program "in its support of and enhancement of operational risk management policies and practices and in its impact on the bank's ability to control or mitigate operational risk."9 All of this implies that a validation program must be both broad and deep as it "validate(s), on an ongoing basis the bank's operational-risk management processes, operational-risk data and assessment systems, and operational-risk quantification systems."10

However, the depth and detail required to address the requirements outlined by both the Final Rule and the latest supervisory guidance present a paradox for validation program managers, who must find a way to articulate the requirements simply and effectively. The focus areas below summarize the requirements of the validation program:
- Conceptual soundness: Provide a consistent approach for evaluating and independently validating the operational risk program for conceptual soundness.
- Ongoing monitoring: Lead an ongoing monitoring program to ensure that all components of the operational risk program are functioning as designed, that key gaps are identified, and that remediation plans are executed.
- Outcomes analysis: Compare the bank's risk measurement and management results to actual losses, with a goal of improving the bank's risk identification and measurement processes.
- Validation of quantification systems: Verify the effectiveness of the bank's operational risk management framework by reviewing and validating the data and data collection processes used in capital modeling.
- Business unit assessment: Assess adoption of the operational risk program by the LOBs, ECFs, and the chief risk officer.
- Reporting: Report results to senior management and board committees.

Table 1 provides greater detail about the first four focus areas, including requirement details and tasks used for communication purposes. Ultimately, those designing the validation program are responsible for understanding the requirements of Pillars 1 and 2 and the latest regulatory guidance on validation and to build those requirements into their program design. They also must work to help simplify those requirements through clear and effective communication.

Table 1. Basel Guidance Requirements and Key Operational Risk Validation Tasks

High-Level Requirement: Conceptual Soundness (an evaluation of the conceptual soundness of the risk measurement and management framework)
Requirement Details: Consider whether the conceptual framework, governance, measurement and monitoring systems, management reporting and controls are appropriate given the size, complexity, and business activities.
Tasks: Operational risk program assessment; compliance conceptual soundness.

High-Level Requirement: Ongoing Monitoring (ongoing monitoring to assess whether all aspects of the AMA framework have been implemented effectively, remain appropriate, and are functioning as intended)
Requirement Details: Accurate and complete capture of internal and external data; scenario and BEICF data are well supported and structured to limit bias; effectiveness of risk monitoring and management; remediation of deficiencies is appropriate and performed; benchmarking qualitative process.
Tasks: Risk and control self-assessment validation; key risk indicator validation; scenario analysis validation; internal loss data validation; external loss data validation; issues and emerging risk validation; op. risk program effectiveness reporting; validation governance; validation issues management.

High-Level Requirement: Outcomes Analysis (outcomes analysis to compare risk measurement and management results to actual outcomes and losses)
Requirement Details: Comparison of operational-risk data assessment results to internal and external losses.
Tasks: Validate back-testing internal losses to business environment and internal control factors.

High-Level Requirement: Validation of Quantification Systems (operational risk model conceptual soundness, ongoing monitoring, and outcomes analysis)
Requirement Details: Supervisory Guidance on Model Risk Management, issued by the OCC, April 4, 2011.
Tasks: As defined by Enterprise Model Risk Control Policy.
How can you best differentiate roles and responsibilities of multiple stakeholders?

The U.S. interagency guidance acknowledges that validation is "a process encompassing a variety of activities that may be performed by different individuals and/or groups throughout the organization over time."11 This statement gives banks a great deal of flexibility in assigning roles and responsibilities for validation across their organizational structure. That said, the guidance provides a recommendation for addressing bias by emphasizing that "the [AMA] rule requires that a bank's validation process must be independent of the advanced systems development, implementation, and operation or that the validation process be subjected to an independent review of its adequacy and effectiveness."12 That independent review stipulation is important, because it opens the door for allowing the operational risk management function (ORMF) to perform validation work, provided that this work is "reviewed by an independent party"13 or have validation work "performed by an independent party within a business unit, supplemented with a review by the ORMF."14

Naturally, all of these qualifications have implications for audit's independent role in the validation of the advanced systems. The U.S. regulators address this issue in the last paragraph of their June guidance: "Some banks use the internal audit function to validate nonquantitative aspects of their advanced systems. This could present a conflict of interest, or at least the appearance thereof, in that a bank's internal audit function is expected to assess the controls, including validation, related to the advanced systems."15

Bank of America has created a program that follows the latest guidance using a variety of functions representing all three lines of defense: the lines of business and the enterprise control functions (the first line of defense), the risk management department (second line of defense), and the audit team (third line of defense). Figure 1, designed to be read from right to left, summarizes the bank's framework for a validation team to manage the program holistically, leveraging other key teams to ensure both depth and breadth of program coverage.

Figure 1. Validation Framework (read from right to left). Elements shown: Op Risk Testing; Operational Risk Program; LOB/ECF Risk Management; Independent Assessment (Audit); Reporting to Board of Directors and Executive Management; Greater Accountability. Objectives shown: reasonable assurance that the LOB/ECF operational risk management program is executed as designed and the control environment is sufficient; LOB/ECF and applicable laws and regulations (Basel II) are met; operational risk management controls are executed as designed, delivering expected results.

This independent validation team completes operational risk validation testing of the bank's operational risk management framework, covering all program elements, including risk control self-assessment (RCSA), key risk indicators (KRIs), scenario analysis, internal and external loss data, issues and emerging risks, governance, and new product process. The operational risk models are validated by a specialized model validation team. Verification is completed by the chief risk officer (LOB/ECF Risk) teams responsible for independently overseeing the lines of business and enterprise control functions. This verification comprises three activities:
- Advice and counsel.
- Review and approval.
- Challenge.

Steps in the CRO challenge process are documented in Table 2.

Table 2. The Challenge Process

Step 1. Establish Basis for Challenge: The independent LOB/ECF risk team performs appropriate research (including monitoring and testing) and develops points of view on risk and the control environment. Risk's points of view on the risk/control may differ from the LOB/ECF's point of view. Examples of differences include: issues identified by Risk that the LOB/ECF did not identify; a different risk rating or direction; or a different assessment of root cause. Differences such as these are the basis for a documented challenge.

Step 2. Present and Discuss Challenge: The independent risk team presents and obtains acknowledgement of the challenge from the manager of the impacted business unit. Challenges that are not acknowledged within the defined response period are escalated. The LOB/ECF and independent risk team talk about the challenge. Discussion is documented.

Step 3. Resolve Challenge: Risk and the LOB/ECF agree upon risk-mitigation actions and establish action plans, or Risk and the LOB/ECF do not agree. The challenge may be escalated for resolution according to the following escalation path: the senior independent LOB/ECF risk executive may override the associated LOB/ECF's risk assertion; the COR executive has the authority to override any risk assertion. All actions required to respond to the resolved challenge are tracked to resolution.

The lines of business and enterprise control functions execute the operational risk management program and compare process and system outputs with operational risk management program requirements, as well as with the integrity of operational risk data. Audit assesses the adequacy of the control environment by testing and validating key controls and reporting weaknesses in the control environment. Audit's work includes an annual assessment to meet the AMA requirement for independence of the process, ensuring that the validation work performed by other participants is unbiased. Figure 2 summarizes the verification and validation roles and responsibilities consistent with the Basel guidance.
Figure 2. Verification and Validation Framework, Basel Guidance View. Validation (ORMF): Audit (annual assessment); Model Validation Group (advanced capital model validation); Op Risk Validation (op risk program validation, ORMS). Verification (CRO): op risk program components. Framework elements shown: organizational structure; ORMS methodologies, policies, process and procedures; systems; processes; governance; data; AMA capital outcome.

How can you make the validation process consistent and repeatable?

Regardless of their institution's size, bank validation program managers should define and document their process for validating the operational risk management framework. At Bank of America, the validation program team has created a consistent, repeatable five-step process for reviewing all key program elements in the bank's operational risk management framework. Figure 3 summarizes the steps used for the four program elements, as well as for external operational losses, governance and reporting, emerging risks and issues, FFIEC Schedule S, new product, and subsidiary governance.

Figure 3. Five-step Process for Reviewing ORM Framework: 1.0 Plan; 2.0 Analyze; 3.0 Develop Test Plan; 4.0 Execute Test Plan; 5.0 Report and Action. Shown for the program elements Internal Operational Loss, RCSA, Enterprise KRIs, and Scenario Analysis.

Validation is performed using a checklist for each component of the operational risk process. The checklists follow a question format similar to the Operational Risk Work Program for Basel II AMA. They define the tests to be performed, test steps, and minimum requirements pass (meets) criteria. The input considerations for the checklists are the AMA requirements, applicable policies and standards, and the program components' specific requirements (for example, those embedded in the RCSA tool). The validation team publishes the checklist, thus making the process transparent and open (Figure 4).

The validation process results in a report and an issues action plan. Issues identified by the validation process can take the form of a self-identified audit issue, an audit issue identified by the validation program team, or a non-audit issue finding. Any finding that does not meet the level of an audit issue (an issue self-identified or issued by the validation program team) is called a validation program team identified opportunity and is tracked in a database owned by the validation program team. The database is used by the team to generate a monthly report that can then be shared with all stakeholders. If an opportunity for improvement that has been tracked in the database is not remediated within the agreed timeline, it is subject to being escalated to an audit issue.

Establishing a repeatable process that produces a con-


Figure 4. Validation Checklist

Input Considerations: The Advanced Systems (RCSA, KRI, Int/Ext Op Loss, Scenario Analysis, Issues and Emerging Risk, Program Effectiveness, Program Design/Playbook); AMA Requirements; Business Environment and Internal Control Factors (BEICF) Policy/Standards.

Columns: Check ID; Short Name; Data Element/Process Reference; Data/Process Element to Be Checked; Control Criticality (H/M/L); Monitoring and Testing Objectives; Check Type; Potential Documentation for Evidence of Activity; Testing Procedure.

R02 Stakeholder Challenges
Reference: Stakeholder Challenge Documentation. Element to be checked: Certification.
Objective: Ensure RCSA review and challenge by LOB/ECF Executive and Independent Risk Team has occurred and is documented.
Documentation: Op Risk Platform or other CRO-indicated area.
Testing procedure: Review evidence for challenge process for documentation of dialogue between LOB/ECF Executive and Independent Risk Team.

R06 Commentary on Key Concerns
Reference: Support Commentary on Key Concerns. Element to be checked: Top Risk, Emerging Risk, and Mitigation Plans. Criticality: H.
Objective: Key Concerns information (Top Risks, Emerging Risks and Mitigation Plans) cited are supported by the individual risks and mitigation plan detail.
Check type: Validity. Documentation: Op Risk Platform.
Testing procedure: Review information included in Key Concerns section. 1) Verify information is contained in all three sections of Key Concerns (Top Risks, Emerging Risk, Mitigation Plans). 2) Verify top risks are supported in the individual risk fields. Additional check: 3) Compare emerging risks against E-Rim.

R10 Individual Risk Descriptions/Taxonomy
Reference: Individual Risk Field. Element to be checked: Operational Risk Description and Taxonomy.
Objective: Ensure individual risk descriptions are clearly written as inherent risks, describe the business impact, are categorized properly (Basel, PPSE) and are consistent with taxonomies.
Check type: Validity. Documentation: Op Risk Platform.
Testing procedure: Review individual risk descriptions. 1) Verify individual risk statements are written as inherent risks and include risk, cause and impact, or have appropriate taxonomy categorization including causal Level 1, Level 2, and Impact. 2) Verify proper categorization into Basel Level 1 and Level 2.

R12 Aggregate Risk Rating
Reference: Summary Risk Ratings.
Objective: Ensure aggregate residual risk and control ratings match calculated value or are properly justified.
Documentation: Op Risk Platform.
Testing procedure: Validate proper justification is provided where computed aggregate residual risk differs from entered aggregate residual risk.

R18 Control Effectiveness
Reference: Control Description. Element to be checked: Control Description; Justification; Accountability. Criticality: H.
Objective: Ensure that controls associated with individual risks are appropriate.
Check type: Validity. Documentation: Op Risk Platform.
Testing procedure: For selected risks, validate controls are relevant. Sample-basis check of completeness and relevance of: 1) Control Description; 2) Control Justification; 3) Control Accountability; 4) Control Design; 5) Control Performance. (May require interview to collect additional information on a sample basis to validate control design and performance.)

Aggregate Risk Rating Field (Computed and User Selected)

Validity

sistent work product and reporting product has been enormously valuable for the Bank of America validation program. A process approach can be applied to banks of all sizes.
What governance and routines can be implemented to manage the process?

In our view, it is the responsibility of the validation program management team to provide the answers to the open-book test. This team also is responsible for objectively grading each organization on that open-book test. The team's mantra is transparency and clarity. Furthermore, an annual schedule of validation activities has been established, aligning each element of the operational risk program with its scheduled deployment. As mentioned, the interagency guidance specifies that any group performing validation must be either independent of the development, maintenance, and operation of the advanced systems, or subject to independent review. To

achieve this independence, Bank of America has established an annual audit of the validation program and has created governance and management for independent reporting to senior executives and the board of directors. This includes a steering group that provides input to validation activities, reviews validation results, and provides guidance regarding the scope and scale of validation efforts. The validation steering group is chaired by the leader of the operational risk validation program and includes representatives from the bank's legal, compliance, audit, and enterprise capital management teams. The steering group performs an advisory function that provides input into the operational risk validation activities, such as validation planning and scheduling, testing design, review of results, and remediation reporting. The steering group also discusses, reviews, and provides recommendations, as appropriate, for communicating validation results and prioritizing remediation activities. The steering group also may recommend analytical activities and related agenda topics for review as the chairman and/or steering group members deem appropriate. The group meets quarterly, timed to precede a quarterly meeting with the bank's supervisors, and prepares a quarterly status report to the Enterprise Risk Committee of the bank's board of directors. It also provides guidance for the validation program's annual presentation and formal report to the board of directors. Figure 5 illustrates the levels of governance and oversight, including purpose and frequency. Again, much like process clarity and consistency, a well-established governance process for validation will add value to any institution's program.

Figure 5

Levels of Governance and Oversight

Governance and Oversight | Purpose | Frequency
Board | Provide an annual report on validation and data management program results and plans | Annual
Steering Group | Establish and maintain a governance function for all validation activities to provide guidance on planning, reporting, and escalation | Quarterly
Stakeholders | Capture, report, plan, communicate, and remediate issues identified through programs and projects; provide updates on the results and future plans on the Validation and Operational Risk Data Management programs | Monthly
Conclusion

The latest guidance from regulators gives all financial institutions reason to assess their programs against the latest requirements for validation and verification. The flexibility of the guidance allows institutions an opportunity to customize their approach according to their size and complexity. The lessons of Bank of America's program successes can be applied to institutions of all sizes. By leveraging your existing risk management framework and establishing clearly defined validation roles and responsibilities for first-, second-, and third-line stakeholders, you can create buy-in for the program. And by following both the letter and the spirit of the regulatory guidance, you can ensure both compliance with Basel guidelines and a comprehensive assessment of program effectiveness. If done correctly, the validation and verification program should not be considered redundant to existing compliance and audit program requirements. Rather, it should be seen as a way to objectively identify opportunities for meaningful improvement throughout the entire institution.

Greg Montana, senior vice president, senior operational risk executive, Bank of America, leads the assessment and validation of the corporate operational risk framework across all Bank of America and Merrill Lynch lines of business. He can be reached at greg.montana@bankofamerica.com. Rick Parsons, recently retired, was executive vice president and corporate operational risk executive at Bank of America. He was responsible for providing a consistent and structured approach for managing operational risk throughout the company and providing enterprise-risk-level reporting and monitoring for systemic risk issues. He can be reached at riskparsons@aol.com.


Operational Risk

The Value of Clear Roles and Responsibilities in the Management of Operational Risk, Part 2

In the December-January 2012 issue of The RMA Journal, the authors shared their perspectives on the roles and responsibilities of operational risk management and offered banks five tactics for improving their programs. This concluding article offers five additional strategies.

BY RICK PARSONS AND GREG MONTANA

60

February 2012 The RMA Journal

Copyright 2012 by RMA

IN JUNE OF last year, the Basel Committee on Banking Supervision published two documents that focused heavily on the need for clear roles and responsibilities in the area of operational risk: Principles for the Sound Management of Operational Risk and Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches. This guidance, along with the U.S. banking agencies' Interagency Guidance on the Advanced Measurement Approaches for Operational Risk, also issued in June, updates the 11 principles and associated guidelines that define operational risk management based on industry research, supervisory experience, and observed best practices. Our article in the previous issue of The RMA Journal offered five of 10 key tactics that bank leaders should consider as they review opportunities for improving their operational risk programs. Here are the additional five tactics.

Key Tactic #6: Clarify roles to meet regulatory expectations for validation. Validation and verification are a clear focus of the Basel Committee on Banking Supervision (BCBS) guidance. The BCBS guidance states, "The purpose of these activities is to ensure that a bank's operational risk management framework is functioning as intended and that it remains appropriate for the bank's risk profile."1 Validation and verification can be invaluable in defining a strong operational risk program and measuring performance against it. But where do you begin to assess your validation and verification capabilities? Institutions should first understand and assess their structure and capabilities against the Basel II final rule requirements governing advanced measurement approach (AMA) banks, as well as the aforementioned supervisory guidance (Figure 1).

Figure 1

Verification and Validation Framework, Basel Guidance View

Diagram. Labels recovered from the figure: Validation: ORMF (Organizational Structure; Methodologies, Policies, Processes & Governance); ORMS (Systems; Process & Procedures; Processes); AMA Capital Outcome. Validation Audit; Audit; Verification: Annual Assessment; Governance; Data Model Validation Group; Advanced Capital Model Validation; Op Risk Validation; Op Risk Program Validation (ORMS); CRO; Op Risk Program Components.

Figure 2

Validation Framework

Diagram. Labels recovered from the figure: Op Risk Testing. LOB/ECF: Operational risk management controls are executed as designed, delivering expected results. LOB/ECF Risk: Reasonable assurance that LOB/ECF operational risk management program is executed as designed and control environment is sufficient. Operational Risk Management Program and applicable laws and regulations (Basel II) are met. Reporting to Board of Directors and Executive Management. Independent Assessment (Audit). Greater Accountability.

Figure 3

Challenge and Validation Processes

Diagram. Labels recovered from the figure: LOB 1, LOB 2; Business Area 1, Business Area 2; process steps 3.8 Assess Control, 3.9 Determine Residual Risk, 3.10 Define Action Plan, 3.11 Document Risk Factors (Operational Losses, Issues, KRIs); controls C2, C3, C4, C6, C9, C10; Risk Assertions; Challenge. Challenge Process (CRO): Controls executed as designed, delivering expected results? LOB/ECF operational risk management program is executed as designed and control environment is sufficient. Validation Process (CORF): Operational Risk Management Program objectives are met and appropriate actions are taken. Independent Assessment (Audit).

"Improvements in operational risk management will depend on the degree to which operational risk managers' concerns are considered and the willingness of senior management to act promptly and appropriately on their warnings."*

* Basel Committee on Banking Supervision (BCBS), Principles for the Sound Management of Operational Risk, June 2011, p. 5.

Validation of the operational risk management framework is used to assess the bank's organizational structure, policies, processes, procedures, and governance. It focuses on the effectiveness of the overall framework to ensure that the risk measurement methodologies result in a credible operational risk capital estimate. Proper assignment of responsibilities for validation and verification is critical to ensuring a robust process that achieves the goals mentioned earlier: to set expectations in a clear manner and to ensure proper monitoring and measurement against those expectations. The BCBS guidance provides significant flexibility to banks when it comes to developing their operational risk measurement and management systems. This flexibility was, and continues to be, a critical feature of the AMA. For example, the interagency guidance states that banks should develop formal policies that implement validation of the AMA framework and that the scope

of validation and the methodologies employed should be consistent with the materiality and complexity of the risks being managed.2 We like to say at Bank of America that it is the responsibility of the teams conducting validation and verication to provide the answers to the test. It is an open book test, and transparency gives the entire organization goal clarity. It is the teams responsibility to objectively grade each organization against that open book test. Transparency and clarity are our mantra.


Key Tactic #7: Define the roles in a risk framework clearly so that all levels of the organization will understand them. Building on the theme of transparency and clarity, enterprise stakeholders need not be Basel/AMA specialists, and the corporate operational risk function (CORF) should not promote a methodology requiring esoteric terminology that could be inconsistent with the bank's overall risk framework. For that reason, an institution should put roles and responsibility requirements for validation and verification into its overall risk management framework and align them with its already established organizational structure. It is important for the framework and the roles within it to be clear and simple so that all levels of the organization will understand it. In the example provided in Figure 2, we start with the lines of business (LOBs) and enterprise control functions (ECFs). Their job is to ensure that operational risk management controls are executed as designed and deliver results. We then define the roles and responsibilities of the independent LOB risk team (CRO team), as shown in Figure 3. If the CRO teams are the primary-challenge, second-line function in an organization, their role in challenging LOB execution of the operational risk program should be a natural extension of their role in credit risk and market risk. They are charged with ensuring that the LOB/ECF operational risk management program is executed as designed and that the control environment is effective. The role of the central Operational Risk Management Function (ORMF) is to ensure that the bank's operational risk management framework is functioning as intended and remains consistent with the bank's operational risk profile. Audit also has a vital role to play by providing independent assessment of the validation and verification program. The net effect of this approach should help ensure awareness, adoption, and ultimately effectiveness.
In the case of the CRO teams, their role as a challenge function should be well defined. That definition should include their responsibility for managing to resolution disparate points of view between themselves as an independent risk oversight team and their associated LOB/ECF relative to the latter's risk and control environment. Bank of America has defined this challenge process explicitly as part of the ORMF's Standard Operating Requirements.

Key Tactic #8: Setting expectations regarding the challenge process is key. Establishing expectations in terms of what constitutes success is essential, as is frequency of review. These expectations should be established at the outset and designed with stakeholder input. They need to include oversight of the LOB/ECFs as the primary responsibility of the independent CRO risk teams. This oversight ranges from providing advice and counsel to managing a documented challenge process. Challenge is a structured, documented, time-sensitive process for managing to resolution incongruent points of view between an independent risk team and its associated LOB/ECF. Challenge is a potential outcome of the independent risk team's monitoring and testing of the LOB/ECF. Table 1 illustrates the steps in the challenge process documented in the Bank of America ORMF Standard Operating Requirements. The oversight role of the independent CRO risk team to the LOB/ECF incorporates the ongoing exchange of business and risk subject-matter expertise that drives comprehensive understanding and improved management of the business environment and internal control factors (BEICFs). This activity should be documented as a discussion, or the outcome of the discussion may be documented by the LOB/ECF as a risk. Examples include the use of Six Sigma's "Five whys?" which can result in a change in a risk and control self-assessment (RCSA) risk rating or a new issue, such as a self-identified audit issue.

Table 1

The Challenge Process

Step 1. Establish Basis for Challenge. The independent LOB/ECF risk team performs appropriate research (including monitoring and testing) and develops points of view on risk and the control environment. Risk's points of view on the risk/control may differ from the LOB/ECF's point of view. Examples of differences include: issues identified by Risk that the LOB/ECF did not identify; a different risk rating or direction; or a different assessment of root cause. Differences such as these are the basis for a documented challenge.

Step 2. Present and Discuss Challenge. The independent risk team presents and obtains acknowledgement of the challenge from the manager of the impacted business unit.

Step 3. Resolve Challenge. Risk and the LOB/ECF agree upon risk-mitigation actions and establish action plans, or, Risk and the LOB/ECF do not agree. The challenge may be escalated for resolution according to the following escalation path. Challenges that are not acknowledged within the defined response period are escalated. 1) The LOB/ECF and independent risk team talk about the challenge. Discussion is documented. 2) The senior independent LOB/ECF risk executive may override the associated LOB/ECF's risk assertion. 3) The COR executive has the authority to override any risk assertion. All actions required to respond to the resolved challenge are tracked to resolution.

Key Tactic #9: Expectations need to go up over time. A maturity model and overall scorecard can help. Institutions need to evolve as the bank's operational risk profile evolves. Two tools that can help improve and maintain a program's effectiveness over the long term are maturity models and an overall business unit scorecard. The maturity model in Table 2 helps set the bar higher over time and allows benchmarking across business units, that is, it helps identify laggards and exemplars. At least once a year, all of the work completed at the detailed element and program levels should feed an overall annual assessment for all lines of defense (Table 3). Tying that evaluation to performance management will help drive adoption, adherence, and business results.

Table 2

Maturity Model Sample

Maturity levels (columns): M1 BASIC, Awareness, Criteria (Basic); M2 DEVELOPING, Commitment, Criteria (Developing); M3 MATURE, Execution, Criteria (Mature); M4 ADVANCED, Predictive, Criteria (Advanced). Scoring values: 1 to 4.
Sample criteria (rows), by category and sample data management component:
Mgmt. Scope and Role: Leadership; Management Routines; Resources
Measurement: Program Execution Metrics; Goals; Compliance
Tool Adoption: Content
Reporting/Communication: Audience; Timeliness
The sample shows the structure only; the level criteria for each row are placeholders.

Table 3

Annual Assessment Summary Example

Columns: Dimension; Measure; Source of Score; Frequency/Timing. Dimensions listed: RCSA Process; Op Loss Process; Implementation; KRI & Scenario Analysis; Emerging Risks; Data Quality; Governance; Adoption; Effectiveness; Culture; Staffing; Op Risk/Control Effectiveness. The example shows the structure only; cell values are placeholders.

Key Tactic #10: Keeping it simple is always a good policy. Unnecessarily complicating the discipline doesn't drive credibility; it only takes away from it. Going through Six Sigma black-belt training some years ago, we heard lots of fancy terms and soon realized that quite a bit of the methodology involved statistical analysis and commonsense management routines that we already knew. Have you ever heard of ANOVAs, Ishikawa diagrams, least squares analysis, and gage R&Rs? While there is undeniable value in a common taxonomy for processes and tools across large corporations, there is no need to intimidate audiences with confusing terms and acronyms. We favor connecting the operational risk program

with a larger and clearly articulated corporate vision for operational excellence. In short, wherever and whenever possible, keep it simple!
A Final Word

Owing to market volatility and changes in the financial services industry, operational risk is high at all financial institutions, both domestic and international. To deal with this operational risk and lower the residual risk levels, Bank of America has developed an extensive program to meet the Basel standards and drive ownership of operational risk at all levels, in all departments, globally. A major key to the success of the operational risk program has been the adoption of clear roles and responsibilities. Whether you lead operational risk management at a regional institution or one of the world's largest multinationals, the same lessons apply. Rolling out a successful op risk program that has the stature to be embraced by the enterprise requires more than just a set of well-designed program elements to meet AMA specifications. It requires setting a clear vision and establishing an operating model that ties all of the program components together and makes them real and useful for managing risk across all lines of defense. With a clear operating model in place, defined roles and responsibilities


for all practitioners, and a structure for measurement and accountability, institutions can create a deeply rooted capability and culture in operational risk management.

Rick Parsons, recently retired, was executive vice president and corporate operational risk executive at Bank of America. He was responsible for providing a consistent and structured approach for managing operational risk throughout the company and providing enterprise-risk-level reporting and monitoring for systemic risk issues. He can be reached at rickparsons@aol.com. Greg Montana, senior vice president, senior operational risk executive, Bank of America, leads the assessment and validation of the corporate operational risk framework across all Bank of America and Merrill Lynch lines of business. He can be reached at greg.montana@bankofamerica.com.
Notes
1. Basel Committee on Banking Supervision, Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, p. 11.
2. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Interagency Guidance on the Advanced Measurement Approaches, June 3, 2011, p. 10.



Book Review

Resurrecting the Street: How U.S. Markets Prevailed After 9/11


By Jeff Ingber (2011)

REVIEWED BY MARK ZOELLER


MY REVIEW OF this book can be summed up in two words: Read it! All of us in the financial community can learn from this volume. It reads relatively easily and its lessons could be critical. The most important lesson is that the financial community is resilient in the face of disaster. In Resurrecting the Street, Jeff Ingber writes poignantly about the catastrophic losses in personnel and facilities suffered by the U.S. government securities, or Govie, market. Both were casualties of the conflagration and collapse of the two towers of the World Trade Center on 9/11, a date seared into all of our memories. The Govie market is the largest financial market in the world. While it had expanded over the years to include government agencies and a variety of derivatives, the market, out of historical inertia, was still centered in the World Trade Center. At the time, Ingber was general counsel of the Government Securities Clearing Corporation (GSCC), located several


blocks from the World Trade Center in lower Manhattan. The GSCC settled all Govie trades. Ingber was one of the 1 million evacuees from lower Manhattan on 9/11. Some 400,000 left the area by boat, mostly to New Jersey, in scenes reminiscent of the Dunkirk evacuation in World War II. The major trading firm in Govies, Cantor Fitzgerald, lost 658 personnel in the North Tower that day. Other firms also suffered terrible human losses. Ingber graphically describes how observers belatedly realized that the debris falling from the towers was actually people who chose to jump from the buildings rather than be incinerated by burning jet fuel. There were 200 people who jumped. One landed on and killed a firefighter, who was the first firefighter casualty of that day. The firefighter was a close friend of one of Ingber's associates. All markets, including the stock markets, had to close, which spelled disaster for the financial community. Many financial firms relied on the repo market to fund operations. But the markets were stubborn and resilient; they reopened in just a few days. Cantor Fitzgerald and some others were back in the market on 9/13 as the Govie market opened on short hours with reduced volume. Communications lines had been destroyed and facilities were uninhabitable, but, as Ingber describes, the financial community made Herculean efforts to bring the markets back. On 9/17, the stock markets reopened and the Govie market resumed full-day operations. Much was required from the people of Wall Street. Employees of the Amex entered their building through a temporary morgue as bodies were still being brought in. Companies offered space to their competitors. Meanwhile, the federal government acted as an encourager, while attempts to bring the markets back to an uneasy normalcy came from private initiatives. On 9/19, some 3,500 traders on the floor of the Chicago Board of Trade erupted into cheering and applause as the first cash prices since 9/11 came onto the big display board. The prices came from Cantor Fitzgerald. Ingber reports that most of the backup facilities and communications links were inadequate in the wake of the disaster. Relocating thousands of personnel to sites never designed for financial activities was a major problem. Computers and telephones by the thousands had to be bought and installed. Firms that used multiple telecom carriers as a redundancy later discovered that all these carriers routed their lines through a single switching station. Anyone involved in disaster preparations, including boards and CEOs, should pay close attention. Ingber also recounts how the GSCC accomplished the difficult task of reconciling trades after much of the originating paperwork was lost. At the height of the reconciling problem, GSCC had several hundred billion dollars of failed security deliveries (fails) and a huge overdraft at the Bank of New York. Most of the reconciliation was manual. The Federal Reserve also loaned financial firms several hundred billion dollars to help them through the crisis. While the book is poignant, it is not mawkish. It belongs as part of the permanent history of 9/11. All economic and business history courses should make this book required reading.

"Our people ran out of the Trade Center without a pencil. No trade records. No tickets. The business that we did in the North Tower we backed up in the South Tower, and vice versa. We didn't know where to go the next morning. Or even if there was a firm left."
Ron Purpora, senior executive of Garban Securities LLC

Mark Zoeller is president of Zoeller Credit Services. He can be reached at MarkZoe@aol.com. Jeff Ingber is currently a managing director, Policy Compliance and Control, Citigroup. His daughter, Arielle Morris, is senior designer for The RMA Journal and designed the book's cover.


Operational Risk

50

December 2011January 2012 The RMA Journal

Copyright 2011 by RMA


The Value of Clear Roles and Responsibilities in the Management of Operational Risk

How do you clarify the roles and responsibilities of operational risk practitioners to ensure the commitment of business management to the operational risk program and the independence of risk management? In a two-part article, the first half of which appears here, the authors review the most recent regulatory guidance on risk practitioners' roles and responsibilities and explore five strategies every firm should consider when contemplating opportunities for improvement.

BY RICK PARSONS AND GREG MONTANA

ESTABLISHING A STRONG risk management culture, governance routines, and an optimal organizational structure is foundational to any sound operational risk management program. But even well-defined governance and organizational structures cannot be effective without clear and sustainable roles and responsibilities for the practitioners implementing these programs. This role clarity is crucial, and it needs to be recognized at all levels in the organization. Indeed, industry regulators are now stressing the importance of accountabilities, clear lines of management responsibility, and the acceptance of risk management as a company-wide concern (Figure 1). In June of this year, the Basel Committee on Banking Supervision published two documents that focused heavily on the need for clear roles and responsibilities in the area of operational risk: Principles for the Sound Management of Operational Risk and Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches. This guidance, along with the U.S. banking agencies' Interagency Guidance on the Advanced Measurement Approaches for Operational Risk, also issued in June, updates the 11 principles and associated guidelines that define operational risk management based on industry research, supervisory experience, and observed best practices.

Collectively, the supervisory guidance is very specific regarding the roles and responsibilities of the board of directors and senior management, who are expected to set the tone from the top to ensure that a strong operational risk management culture exists throughout the whole organization.1 In addition, the Basel guidance charges the board and senior management with the responsibility for establishing a risk culture that is supported by codes of ethics/conduct, compensation strategies, and training. By linking the use of sound risk management practices to the effectiveness of the board and senior management, the supervisory guidance sets expectations and standards for governance, organizational structures, risk processes, routines, data and tools, loss collection and verification, and validation of the program and framework. The supervisory guidance clearly states that the board is expected to know and understand the operational structure of the bank and its risks. Moreover, it states that the board

Figure 1

Regulators Focus on Roles and Responsibilities


22. ...Clear expectations and accountabilities ensure that bank staff understand their roles and responsibilities for risk, as well as their authority to act. 29. Strong internal controls are a critical aspect of operational risk management, and the board of directors should establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/ separation of duties between operational risk control functions, business lines and support functions. Basel Committee on Banking Supervision, Consultative Document, Sound Practices for the Management and Supervision of Operational Risk Making risk management a company-wide concern and changing deeply engrained attitudes toward risk clearly require signicant attention to the people factor in the risk equation. As a result, major reassessment of roles and responsibilities is underway at many banks. E&Y, Navigating the Crisis: A Survey of Worlds Largest Banks We do place special responsibility with the public leaders charged with protecting our nancial system, those entrusted to run our regulatory agencies, and the chief executives of companies whose failures drove us to crisis. The individuals sought and accepted positions of signicant responsibility and obligations. Tone at the top does matter and, in this instance, we were let down. No one said no. Lending standards collapsed, and there was a signicant failure of accountability and responsibility throughout each level of the lending system... FDIC Inquiry Report Firms were more likely to maintain a risk prole consistent with board/senior management tolerances if there were regular, frequent risk management committees that included executive and senior leaders from key business lines and independent risk management and control functions to discuss signicant risk exposures across the rm. 
NY Fed Observations on Risk Management Examiners consider the following assessment factors when making judgements about the quality of operational risk management... The third assessment factor considered under Processes is: The adequacy of the governance structure around operational risk and the assignment of responsibility and accountability at every level. OCC Large Bank Supervision Comptrollers Handbook

needs to ensure that compensation policies and strategies are aligned with the banks statement of risk appetite. And nally, it highlights the role of governance and the importance of the three lines of defensethe lines The regulators are business (LOBs) and looking for clear evidence of the enterprise control of integration and functions (ECFs), the risk organization, and linkages between risk auditand their roles measurement and risk in the risk management process.2 management processes. In addition, the regulators now expect new risk management routines, including the close monitoring of limits and thresholds and tests to ensure that the operational risk management program is not implemented strictly to determine regulatory capital but to manage risk. The regulators are looking for clear evidence of integration and linkages between risk measurement and risk management processes. Also expected is risk management oversight of the LOBs and ECFs, as well as effective processes for issue resolution. In addition, new explicit guidance is provided for validat-

ing, verifying, and approving (formerly assessing) operational risk issues for all new products, activities, processes, and systems. The emphasis on roles and responsibilities extends internationally. In the United Kingdom, for example, the Turner and Walker reports focused on the need to clarify the roles and responsibilities of the board, the nonexecutive directors, and senior management in executing an effective operational risk program. The reports also highlighted the importance of the designated control functions and their accountability in the management of risk.3,4 In light of all this guidance, rms need to consider 10 key tactics. In this months article, we present the rst ve. Key Tactic #1: Start with a common understanding of the risk management process. In early 2010, Bank of Americas Operational Risk Management Function (ORMF) dened the corporations vision for operational risk management: To create an industry-leading, Basel-compliant program that makes operational risk an integral part of the businesss activity and culture. To achieve this vision, the ORMF team designed a set of standard operating requirements dening the model for the

52

December 2011January 2012 The RMA Journal

operational risk management program, and it established roles and responsibilities for all Bank of America employees. As part of the program kick-off, the ORMF worked to communicate to all key stakeholders how operational risk management ts into the overall business operating model. The Basel guidance states that banks should develop, implement, and maintain a[n] [Operational Risk] Framework that is fully integrated into the banks overall risk management processes.5 This guidance is appropriate to help ensure that operation risk is culturally embraced as part of how the institution does business. Incorporating operational risk disciplines into the broader business and risk framework ensures that operational risk is not relegated to a second-tier position or thought of as a strictly regulatory exercise (Figure 2). This integration is particularly important because operational risk is the least mature of the risk disciplines. In banking, it was at the nascent stage during the 1990s and only recently entered the maturing stage (Figure 3). Key Tactic #2: Dene the roles and responsibilities for stakeholders at a strategic level. Building on the concept that operational risk must be a part of, not separate from, the banks overall risk management program allows the rm to dene stakeholder responsibilities at the highest strategic level (Figure 4). At the highest level, the board and senior management must actively encourage a culture focused on risk management. The board needs to understand the organizations risk prole and establish a risk appetite that is recognized by everyone as having come from the top. Meanwhile, senior management must help dene the risk appetite and set the risk management framework under which the risk practitioners can design a set of standard operating requirements for
Figure 4

Figure 2

Corporate Goals and Objectives


Risk Appetite Business and Risk Strategy Risk Management Process Governance
Identify and Measure Report and Review

Continuous Feedback

Execute Business Activities

Mitigate and Control

Monitor and Test

Independent Testing and Validation

Figure 3

Stages of Operational Risk in Banking

U.S. Final Rule Nascent 1990s Nonexistent U.S. ANPR Basel I & II

2010 BIS Sound Practices and Supervisory Guidance

1999-2007 Early Stage

2007-2010 Developing

2011-Beyond Maturing

Stakeholders must understand their role in the three lines of defense and their alignment with strategic program components.
Stakeholder View Strategic View

Board of Directors Governance Senior Mgmt. Risk Mgmt. Line of Business/ Enterprise Control Functions

Establish tone at the top Approve risk appetite Dene risk appetite and risk framework Establish clear and effective governance Dene program parameters Challenge and escalate Own risk management and mitigation Promote culture of escalation

Risk Prole

Risk Framework Policy (Standard Operating Requirements) Procedures

Validation and Verication

The RMA Journal December 2011January 2012

53

Figure 5

Operational Risk Management Process


Identify & Measure Mitigate & Control Monitor & Test Report & Review

Corporate Operational Risk (COR) Lines of Business (LOB) Participants Enterprise Control Functions (ECF) Independent LOB/ECF Risk Enterprise Risk Functions Corporate Audit Risk and Control Self-Assessment Basel II AMA Risk Appetite, Key Risk Indicators

Methods

Loss Data Collection and Analysis

Scenario Analysis Governance Reporting Operational Risk Management Platform Training and Communications Quality Assurance and Independent Validation Data Quality Issues and Emerging Risk Management

operational risk consistent with the supervisory guidance. Finally, the LOBs and the ECFs, including nance, human resources, marketing, corporate affairs, legal, technology, and operations, must own the operational risks and promote a culture of escalation, for which the risk organization performs an independent challenge function through oversight and governance. Key Tactic #3: Operational risk needs to be a part of everyones role. The Basel guidance highlights the importance of embedding an approach to operational risk management, ensuring that it becomes part of the banks overall management of risk and Maintaining role clarity, control. It also stresses the need for ownership we would argue, is an of operational risk at all effective mitigant to levels of the institution. However, that guidance the disruptive effect of not be interchange on an institutions should preted to mean that acoverall operational risk countability for specic roles does not have to management program. be assigned across the three lines of defense. This is a process easier said than done for large nancial institutions, where implementing

Enabled by

change can be a complicated and arduous task. The Basel guidance further provides that, in addition to the initial period required by supervisors as part of their use and embeddedness AMA [advanced measurement approaches] assessment, the requirement is ongoing and banks will need to ensure that their ability to demonstrate embeddedness is not adversely impacted over time by change.6 The last point is an important one, because it highlights the risk that change, which we all know is ubiquitous, could harm the sustainability of the operational risk management program throughout the organization. Thinking about change, we asked ourselves: What type of change could put our AMA program at risk? A change in strategy? A change in processes or systems? A change to management or business structure? All of these changes are potentially disruptive, but maintaining role clarity, we would argue, is an effective mitigant to the disruptive effect of change on an institutions overall operational risk management program. The risk and control self-assessment, or RCSA, is a tool designed to meet AMA requirements for providing a balanced assessment of both the risk in the business environment and the quality of internal controls.7 Along with key risk indicators and audit evaluations, it is one of the more tenured tools of most banks operational risk management programs (Figure 5). So lets use it as an example.


By its very name, the RCSA is clearly meant to be completed by the line of business as a self-assessment. However, when we talk with practitioners across the U.S. banking sector, a good portion of them report some institutional ambiguity about the roles of the first and second lines of defense in the completion and assessment of this tool. While reluctant to use a sports analogy, we find it's too tempting here not to. Those who have had the opportunity to see soccer played at the highest level know that it's called the beautiful game because players know their roles, they play their positions, and the game becomes a well-orchestrated dance. But if you've ever attended a children's bumble bee soccer game, you know that the result is often a chaotic scene in which no one player knows his or her role, every player tries to score, and no one is thinking strategically. Moreover, a goal is rarely scored in these games. Internally, we like to use the term "bumble bee risk process" to describe the phenomenon. It's surprising how it can sneak up on us, despite our roles as risk professionals in the workplace. We're sure it would not take a lot for you to recall a few such moments you've experienced in your own organization.

Key Tactic #4: Job titles must be clear and consistent so that everyone knows whose team they are on.

To provide greater clarity and transparency to the operating model, the ORMF at Bank of America worked directly with the bank's human resources department to create an optimal set of job codes, role descriptions, and responsibilities for each member of the operational risk stakeholder team. At the start of the exercise, the ORMF identified over 1,400 members of staff, in the first line of defense, with the word "risk" in their titles. Like two teams playing in the same-color jersey on the soccer field, it was difficult for anyone at Bank of America to know if a risk associate resided in the first or second line of defense.

To address this issue, the ORMF created a strict taxonomy that allows for the word "risk" in the title of only those individuals who are members of the second line of defense: the chief risk officer's organization. This move helped clarify who's who across the organization. Representative sample titles for those risk associates in the second line of defense include senior operational risk executive, operational risk executive, senior operational risk manager, operational risk manager, and operational risk analyst. Further, for all of the roles in this particular job family, there is a consistent set of responsibilities in line with the team's role that serves as a challenge and oversight function to the businesses they support. To distinguish the operational risk practitioners in the CRO organization from the ORMF staff who design and lead the program and are not strictly aligned to specific business units as their second line of defense, the firm adopted a naming convention with the word "corporate" as its prefix. Representative samples include corporate operational risk executive, corporate operational risk manager, and corporate operational risk specialist/analyst. However, the most dramatic change was to adopt a common naming convention for the 1,400 first-line-of-defense staff residing in the LOBs. The use of "risk" in their titles was changed to "business control." Examples include business control executive, business control manager, and business control specialist/analyst. Clarity and consistency in roles and responsibilities, coupled with a standard set of naming conventions, help engender staff pride and a sense of empowerment in being a part of a specific team.

Key Tactic #5: Defining roles across multiple dimensions helps align the organization's capabilities.

In covering the previous key tactics, first at the enterprise level and then at the operational risk program level, we discussed the simplicity of clarifying high-level roles. At that high level, it's more like clarifying goals for each line of defense. What needs to follow that goal clarity is role clarity, and defining roles does require details. Explicitly communicating roles is critical, and doing so across multiple levels helps drive consistency across the bank's operating framework. At Bank of America, the framework includes 1) Identify and measure, 2) Mitigate and control, 3) Monitor and test, and 4) Report and review. Together, they constitute what we call the IMMR Framework.

The excerpt "Who does what" (Figure 6) was communicated to all associates and succinctly describes the roles and responsibilities of all lines of defense, putting ownership of operational risk clearly in the hands of the leaders who own and manage the risk-reward equation for their respective businesses. Communicating roles and responsibilities starts at the strategic level for all stakeholders. At a more tactical level, the bank provided additional context on the roles of the multiple lines of defense. That communication was critical to the successful adoption of the Operational Risk Framework because it helped clarify the role of the key stakeholders in the process, including the ORMF. Purposely centralized, the ORMF is charged with developing and guiding the operational risk strategy, ensuring its stature across the organization, and providing independent oversight of the operational risk management program.


Figure 6: Roles by IMMR Framework (table). Rows (IMMR Step): Identify and Measure; Mitigate and Control; Monitor and Test; Report and Review. Columns: ORMF Responsibilities; LOB Responsibilities (1st Line); LOB CRO Responsibilities (2nd Line); Audit Responsibilities (3rd Line). Cell contents are not reproduced here.

Operational Risk: Who Does What

All Bank of America associates practice operational excellence and are champions and practitioners of active debate of issues, issue and emerging risk identification, self-identifying audit issues, and root cause analysis. Business leaders are accountable for managing operational risk in their line of business. Chief risk officers own and manage the operational risk program in their areas. They identify the control gaps and take them to the business (leaders). Operational Risk Management Function sets the operational risk program strategy, standards, tools, and processes based on the Basel framework and provides guidance, oversight, and challenge to CRO, LOB, and ECF teams. Compliance manages compliance risk, including establishing compliance program standards and policies and overseeing bank interactions with regulatory agencies. Corporate Audit assesses the effectiveness of the program and supporting controls and the enterprise's execution of the program.

Figure 6 (continued): Roles by Program Element (table). Rows (Program Element): Risk Appetite; Bus. Environ. & Int. Control Factors (RCSA/KRIs); Scenario Analysis; Operational Loss Mgmt. Columns: ORMF Responsibilities; LOB Responsibilities (1st Line); LOB CRO Responsibilities (2nd Line); Audit Responsibilities (3rd Line).

Figure 6 (continued): Roles within Governance (table). Rows (Governance Level): Board Level Committees; Sr. Mgmt. Level Committees; LOB/ECF Committees. Columns: ORMF Responsibilities; LOB Responsibilities (1st Line); LOB CRO Responsibilities (2nd Line); Audit Responsibilities (3rd Line).
The ORMF ensures that business-unit CROs, who act as the second line of defense and independently lead risk for each of the bank's LOBs and ECFs, are held accountable for oversight of the program for the businesses they support. At Bank of America, most of the CRO teams have an operational risk leader who reports to the CRO and is charged with leading the second-line operational risk program for their respective CROs. These operational risk leaders work directly with the LOB and ECF leaders, who are based primarily in the chief operating officer organizations. The oversight role of the independent CRO risk team to the LOBs and ECFs incorporates the ongoing exchange of business and risk subject-matter expertise that drives comprehensive understanding and improved management of the business environment and internal control factors. These discussions are documented in ways such as meeting minutes, and significant outcomes are frequently captured in the identification and documentation of a specific risk, a change in risk rating, or as a new issue. These independent CRO teams may implement operational risk management review and approval processes for the LOBs and ECFs they oversee, based on the specific risks and controls for each. This includes, but is not limited to, processes such as new product review and approval, reputational risk review and approval, and risk acceptance review and approval.

However, the ORMF also works directly with these business leaders to ensure they own and manage operational risk in their lines of business as the first line of defense. By communicating a clear operating model, with well-defined roles and responsibilities at the division level, the ORMF has been successful in helping associates at all levels understand the definition of operational risk and their organizational role in it. The further step of providing clarity and consistency on specific roles within each of those key participant groups has effectively made it real for Bank of America staff. It has given associates a sense of ownership and empowerment in line with the bank's operational risk vision. Role definition and clarity round out the first five of the authors' considerations.


Rick Parsons, recently retired, was executive vice president and corporate operational risk executive at Bank of America. He was responsible for providing a consistent and structured approach for managing operational risk throughout the company and providing enterprise-risk-level reporting and monitoring for systemic risk issues. He can be reached at rickparsons@live.com. Greg Montana, senior vice president, senior operational risk executive, Bank of America, leads the assessment and validation of the corporate operational risk framework across all Bank of America and Merrill Lynch lines of business. He can be reached at greg.montana@bankofamerica.com.

Notes

1. Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, p. 5.
2. Ibid., p. 3.
3. Financial Services Authority, The Turner Review: A Regulatory Response to the Global Banking Crisis, March 2009.
4. David Walker, A Review of Corporate Governance in UK Banks and Other Financial Industry Entities, November 2009.
5. Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011, p. 5.
6. Basel Committee on Banking Supervision, Operational Risk: Supervisory Guidelines for the Advanced Measurement Approaches, June 2011, p. 5.
7. Board of Governors of the Federal Reserve System, Federal Deposit Insurance Corporation, Office of the Comptroller of the Currency, and Office of Thrift Supervision, Interagency Guidance on the Advanced Measurement Approaches, June 3, 2011, p. 9.

To be continued

In next month's RMA Journal, the authors explore the final five considerations and offer a word on the importance of roles and responsibilities in operational risk management.


The RMA Journal Guidelines for Authors

The RMA Journal encourages industry professionals to share their knowledge with readers. We are happy to publish first-time authors, as well as experienced writers. Below are some tips to help you get your article accepted for publication.

Writing Tips

By following these few tips, you'll increase the chance of your article being recommended for publication.

• Read the Journal. It helps to know the types of articles we publish and the style they are written in.
• Query first. Although we accept articles that drop into our inbox, it's a good idea to query us first to be sure your topic is acceptable. By sending us an article proposal first, we can often provide you with guidance about what to include or not include in your article.
• Keep the length reasonable. Most articles average about 2,500 words, but they can be longer or shorter if necessary. It's better to focus on making your points in the most efficient way than to try to hit a particular word count.
• Use charts and graphs to illustrate your point. Not all articles benefit from charts and graphs, but many do. Charts and graphs may be created in Word and sent embedded within the article; if imported from another program, however, please send the files from which they originated, whether PowerPoint or Excel.
• Use bulleted and numbered points. No matter how technical the topic, the best writing is simple writing. By using short sentences, lists, and subheads, you make your article easier to read and understand.
• Explain how to. Our readers want to learn. Articles offering useful advice, such as what to consider when lending to hotels, are most popular. Readers also like to learn from others' mistakes in "Spilled Milk" articles. Articles that offer problem-solving tips are also well read.
• Limit the use of footnotes. We discourage the use of more than 10 footnotes and actually prefer fewer than five. RMA Journal articles should not read like research papers.
• Email articles to the editor. Kathie Beans can be reached at kbeans@rmah.org and 215-446-4095.

The Article Review Process

The RMA Journal is a peer-reviewed publication. Proposals and articles are reviewed by members of The RMA Journal Editorial Advisory Board. These reviews can take up to a few weeks. When an article is not recommended for publication, the author is given a clear explanation of why the article fell short. Once an article is accepted for publication, you'll be asked to sign our standard copyright form, which gives us first publication rights. You can reuse your article however you wish as long as you indicate that it was first published in The RMA Journal. We'll also ask you for a photo that we can use on our Contributors Page. This is optional. The RMA Journal does not offer payment for articles; however, the author receives a byline and a sentence about his or her background at the end of the article and on the Contributors Page at the front of the Journal. An Adobe .pdf file of the article is e-mailed to the author as well.

About The RMA Journal

The RMA Journal is the most respected publication for professionals in the financial services industry. It dates back to 1918, just four years after RMA was founded, when it was a mimeographed letter called the Bulletin. Over the decades, The RMA Journal evolved with the industry. Today its focus on enterprise risk management addresses current issues in credit, market, and operational risk, offering practical advice and alerting readers to emerging risk and regulatory issues. Journal subscribers number about 20,000 and secondary readership is estimated to be 100,000. It's published 10 times per year (every month but August and January).
