10 Key Principles of Operational Risk Management

Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
1
JOIN. ENGAGE. LEAD.
10 KEY PRINCIPLES OF OPERATIONAL
RISK MANAGEMENT
By The RMA Operational Risk Council

2
JOIN. ENGAGE. LEAD.
OPERATIONAL RISK MANAGEMENT IS INTEGRAL
TO BUSINESS MANAGEMENT
Risk management is an integral part of business
management and should be incorporated into
your overall business and financial planning.

3
JOIN. ENGAGE. LEAD.
CHANGE GENERATES RISK
Rapid changes in
organizational structure
and management
approach will generate
operational risk within
your institution.
Implement changes
in a measured
fashion (not all at
once); they are
more likely to be
successful.

4
JOIN. ENGAGE. LEAD.
INCORPORATE POTENTIAL RISK OUTCOMES
Develop budgets, profit goals,
and profitability targets by fully
incorporating potential risk
outcomes and the expenses
required to administer risk
controls.

5
JOIN. ENGAGE. LEAD.
REDUCE SYSTEMIC RISK THROUGH
EXPERIMENTATION
Systemic risk in the
industry is reduced
and risk
management activities
are enhanced if:
you experiment with a
variety of business
models and
organizational
structures suiting your
institution’s size, scale,
and complexity.
Enforcing identical approaches by all participants
increases systemic risk.

6
JOIN. ENGAGE. LEAD.
THE OPERATIONAL RISK FRAMEWORK

7
JOIN. ENGAGE. LEAD.
1. RISK CULTURE
A strong risk culture is the basis for an effective
operational risk management framework:
It requires transparency regarding operational risk
issues throughout your organization, including
leadership and the businesses.
Accordingly, your operational risk management
function must be transparent as well.

8
JOIN. ENGAGE. LEAD.
1. RISK CULTURE (CONT.)
Your business culture must embrace
the value of risk escalation and
welcome independent challenge of risk
decisions.

9
JOIN. ENGAGE. LEAD.
Solicit multiple points of view
and engage in debate to get
better, more informed
decisions.

10
JOIN. ENGAGE. LEAD.
Your business
culture must
embrace
constant
questioning of
established
processes.
Encourage a
culture that
embraces
continuous,
steady
improvement.

11
JOIN. ENGAGE. LEAD.
Risk management influences a culture of proactive
management that emphasizes risk-adjusted performance and
incorporates regulatory compliance and best practices.
Business
management should
exhibit dedicated
involvement in the
risk management
program.
Human resources
practices should
actively encourage
rotation of talent
within risk disciplines
as well as to and from
business leadership
and risk roles.
Experience in risk
leadership should be
considered a
requirement for
general management
positions.

12
JOIN. ENGAGE. LEAD.
Develop and implement
training and education
programs to ensure that
your business culture’s
key principles are
properly understood and
consistently applied.

13
JOIN. ENGAGE. LEAD.
2. RISK APPETITE
Develop and implement a risk
appetite statement and
relevant thresholds and limits
based on your institution’s
business model and
tolerances.

14
JOIN. ENGAGE. LEAD.
2. RISK APPETITE (CONT.)
Consider internal and external
risk drivers and constraints.

15
JOIN. ENGAGE. LEAD.
3. COMMUNICATIONS
3 lines of defense.
Critical to effective
risk management.
Timely
communications
Clear
communications
Effective
communications

16
JOIN. ENGAGE. LEAD.
4. GOVERNANCE, POLICIES, AND PROCEDURES
Ensure accountability through an effective
governance structure that oversees your
institution’s risk and control environment.

17
JOIN. ENGAGE. LEAD.
4. GOVERNANCE, POLICIES,
AND PROCEDURES (CONT.)
Senior management
should provide direct
oversight of current and
emerging exposures..

18
JOIN. ENGAGE. LEAD.
Risk management
should be part of the
normal management
process and
governance.
It should not be made
a separate, adjunct
function.

19
JOIN. ENGAGE. LEAD.
are closely integrated
with business operations
and the decision-making
processes.
Risk teams should
comprise qualified,
high-performing
professionals who

20
JOIN. ENGAGE. LEAD.
Understand their
institution’s risk
appetite.
Understand their
actual and
prospective risks.
Define their risk
exposures.
Execute an effective
strategy to mitigate
controllable risk.
Educate associates on
the risks and how their
responsibilities
contribute to managing
them.
Effective risk management is a basic responsibility of
business leaders and managers, requiring them to:

21
JOIN. ENGAGE. LEAD.
Risk management
defines,
develops,
maintains, and
implements
best-practice tools,
frameworks,
and risk management
processes.

22
JOIN. ENGAGE. LEAD.
5. RISK IDENTIFICATION AND ASSESSMENT
You should strive
to understand all
the risks your
institution faces
and the potential
downside
implications
under a range of
scenarios.
You should develop:
Control
processes based
on this
understanding.
A process to
prioritize or rank
risks and allocate
risk management
resources
according to this
prioritization.

23
JOIN. ENGAGE. LEAD.
6. CONTROL ENVIRONMENT
Control development is
an outgrowth of risk
analysis.
Risk analysis should not
be an outgrowth of the
control environment.

24
JOIN. ENGAGE. LEAD.
6. CONTROL ENVIRONMENT (CONT.)
Business management owns
all risk mitigation activities
within their respective span
of operations.

25
JOIN. ENGAGE. LEAD.
The line of business
uses the controls
assessment framework
to identify and document
key controls.

26
JOIN. ENGAGE. LEAD.
The strength of key controls (control design adequacy) is
evaluated using the controls assessment framework’s criteria.
Control groups
provide oversight
of specific risk
types.
A structured
process validates
that key controls
are operating
effectively to meet
business
objectives.
Cross-functional
transparency
exists in instances
where the division
relies on another
division or an
internal/external
service provider for
performing key
controls.

27
JOIN. ENGAGE. LEAD.
Expert practitioners
responsible for executing
operations must have input
into risk analysis and
control design.
There must be clarity on
accountabilities,
responsibilities, and
performance measurement
based on agreed-upon
standards.

28
JOIN. ENGAGE. LEAD.
Risk management activities
dictated solely by remote
oversight functions lacking
detailed execution
experience are highly prone
to error and inefficiency.

29
JOIN. ENGAGE. LEAD.
7. MONITORING AND REPORTING
Establish and
maintain a
well-developed
risk reporting
structure.
• Place emphasis on risk escalation and risk
communication procedures for both current
and potential operational risks.
• Support reporting of risk data with a sound
and streamlined technology solution.
• Reporting systems need to provide different
articulations of the contents and specific
ways to develop the topics analyzed,
depending on the objectives and recipients
of the reports.

30
JOIN. ENGAGE. LEAD.
7. MONITORING AND REPORTING (CONT.)
Risk management should
partner with the business to
address risk events:
In a timely
way.
Escalate
them as
needed.
Report
accordingly.

31
JOIN. ENGAGE. LEAD.
8. QUANTIFICATION, MEASUREMENT, AND
MODELING
Follow a structured
methodology for establishing
and prioritizing the risk
management process
universe and performing risk
assessments based on
inherent risk level.

32
JOIN. ENGAGE. LEAD.
MODELING (CONT.)
When evaluating the risk level
in a given activity, consider
historical results over long
periods to be an important
indicator of future results,
particularly if the fundamentals
of the business activity and
management approach have
not changed.

33
JOIN. ENGAGE. LEAD.
MODELING (CONT.)
Use data for analysis and modeling to
support sound operational risk
management practices and business
decisions.

34
JOIN. ENGAGE. LEAD.
MODELING (CONT.)
A modeled approach is best
suited to transactional-style
risks with sufficient data points
(tail-style conduct risk issues
do not model well).

35
JOIN. ENGAGE. LEAD.
MODELING (CONT.)
In order to
take action as
needed, you
must have
effective
processes for
measuring
whether key
exposures are:
• Increasing.
• Decreasing.
• Remaining stable.

36
JOIN. ENGAGE. LEAD.
9. RISK DECISION-MAKING
As part of sound business and strategic decision-making,
assess and consider operational risk implications
to determine whether to:
Manage the risk. Tolerate the risk.
Transfer the risk
(e.g., by insuring
against the risk).
Decline the risk.

37
JOIN. ENGAGE. LEAD.
10. INCENTIVIZING BEHAVIORS
Compensation
practices should:
Promote the risk
culture of the
institution.
Promote
accountability of
results.
Incentivize
appropriate decision-
making and
behaviors.

38
JOIN. ENGAGE. LEAD.
The Operational Risk Council promotes sound
practices in the management of operational risk in
financial services institutions worldwide. It promotes
understanding the causes, events, and effects of
operational risk through the dissemination of sound
risk management methods, tools, and materials.
In support of its mission, the council also sponsors
research, facilitates links between the industry and
regulators, and advocates the professional
development of all those engaged in the
management of operational risk.
ABOUT RMA’S
OPERATIONAL RISK COUNCIL

39
JOIN. ENGAGE. LEAD.
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management
RMA is a member-driven professional association whose sole purpose is
to advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional
performance and financial stability, and enhance the risk competency of
individuals through information, education, peer sharing, and networking.
Become a member today.

10 Key Principles of Operational Risk Management

More Related Content

What's hot

Viewers also liked

Similar to 10 Key Principles of Operational Risk Management

More from Colleen Beck-Domanico

Recently uploaded

10 Key Principles of Operational Risk Management

Editor's Notes