The concept of heightened expectations was no surprise to banks, even before the publication of the notice of proposed rulemaking (NPR) that appeared in the Federal Register on January 27, 2014 (Volume 79, No. 17, page 4282). The OCC had been raising these issues for years. The NPR however, did provide more detail on OCC expectations.
1. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
1
JOIN. ENGAGE. LEAD.
OPERATIONAL RISK GOVERNANCE:
5 CORE REGULATORY
EXPECTATIONS
Adapted from Malcolm Griggs’s presentation at the
RMA Governance, Compliance, and Operational Risk
Conference
May 7, 2014
2. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
2
JOIN. ENGAGE. LEAD.
REGULATORY EXPECTATIONS
The notice of proposed rulemaking
that appeared in the Federal
Register on January 27, 2014
(Volume 79, No. 17, page 4282)
provides more details
on the OCC’s heightened
expectations of banks.
3. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
3
JOIN. ENGAGE. LEAD.
5 CORE EXPECTATIONS IN THE HEIGHTENED
REGULATORY ENVIRONMENT
The bank board must act in the best interests of the bank entity.
Banks must have well defined personnel management programs,
including staffing, succession, and compensation programs that do
not reward excessive risk taking.
Banks must articulate their risk appetite tolerance levels, using
capital at risk, earnings at risk, and liquidity measures.
Limits should be established and allocated to lines of business.
Banks must have strong audit and risk management programs.
Bank boards must evidence their willingness to challenge and
question bank management.
1
4
2
3
5
4. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
4
JOIN. ENGAGE. LEAD.
HEIGHTENED REGULATORY EXPECTATIONS
• The proposed rule includes details on
expectations relating to first, second,
and third lines of defense as part of the
bank’s risk governance framework.
• Operational risk governance alone will
not meet each of these expectations,
but it would difficult to comply fully
without a solid governance framework.
5. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
5
JOIN. ENGAGE. LEAD.
GOVERNANCE
In order to meet the
expectation that the board
will act in the best interests of
the bank, (expectation 1), the
board, or the board Risk
Committee must have accurate
and relevant information about:
1. Operational risks.
2. Operational risk limits
established under the
comprehensive risk appetite
framework.
1
6. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
6
JOIN. ENGAGE. LEAD.
Trading errors
(dollars and
count).
Fraud losses
(internal and
external).
Legal
settlements.
Control
gaps.
Regulatory
violations.
Severity and
frequency of
operational
losses.
Vendor errors
or vendor
concentration risk.
System outages
and recovery
time.
Information
security
breaches.
Employee attrition
and staffing
adequacy
(expectation 2).
Errors in
new product
launches.
Failed branch,
operations and
business audits.
Measurement of self-identified
issues vs. issues identified by
second or third lines of
defense.
OPERATIONAL RISK, LIMITS, OR
MEASUREMENTS
2
7. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
7
JOIN. ENGAGE. LEAD.
GOVERNANCE ROUTINES
• Understand what
drives operational
risk capital or stress
testing (impacts EaR
and VaR). This is
essential for strategic
planning, the development
of appropriate controls,
and the allocation of IT
and human resources
(expectation 3).
• Discuss operational
risks and
associated metrics
in an operational risk
committee meeting or
have a standing slot in
a comprehensive risk
committee meeting,
which discusses all types
of risks in one forum
(preferred).
• Should be established
and monitored for
breaches or trend lines
heading toward a KRI
breach.
• A key tool to assess the
level of operational risk.
(Similar to Risk and
Control Self Assessments,
but with more testing of
controls.) Management
Control
Assessments
Key Risk
Indicators
Understanding
Drivers
OR
Information
3
8. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
8
JOIN. ENGAGE. LEAD.
GOVERNANCE ROUTINES: CHANGE IS A KEY
OPERATIONAL RISK
Change can include:
• A merger.
• A sale or purchase of assets or
liabilities.
• A new product launch.
• A systems conversion.
• Etc.
“Ready–Aim–Fire” is always
better than “Fire–Ready– Aim.”
9. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
9
JOIN. ENGAGE. LEAD.
GOVERNANCE ROUTINES: CHANGE IS A KEY
OPERATIONAL RISK (CONT.)
Change
Control
Committee
Proposed change
to the control
environment is brought
for discussion and
decision is a valuable
tool to prevent
execution mistakes.
The membership is
generally comprised of
business leaders, Risk
Management,
Technology, Operations
and Compliance
Committee does not
decide whether a
proposal is appropriate
in theory or whether it
poses a legal or
regulatory risk. That
should have been vetted
earlier in other forums
Focus is on ensuring that the teams have thought
through everything that is needed to ensure an
execution that is consistent with expectations (i.e., no
surprises). This includes the results of UAT or FUT,
communications plans, checkpoints with key internal and
external partners, and a plan for monitoring the change
post-implementation
10. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
10
JOIN. ENGAGE. LEAD.
Auditors need
same experience.
Business must
understand the
operational risks it
incurs.
Hire/train people who
can develop operational
risk policies, procedures,
and programs
in line with the
bank’s risk
appetite
framework.
THE IMPORTANCE OF PERSONNEL AND
ROLES/RESPONSIBILITIES
Hire risk managers
with actual experience
in transaction
processing,
technology,
information
security, and
fraud detection
and prevention
(expectation 4).
4
11. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
11
JOIN. ENGAGE. LEAD.
THE BOARD
From a governance
standpoint, the board
must be fully informed
and fully engaged
(expectation 5).
5
12. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
12
JOIN. ENGAGE. LEAD.
BOARD ENGAGEMENT
The board should have a healthy degree of skepticism. They should
trust management, but make sure they fully understand a situation.
Key questions to ask in the operational risk space might include:
What was the root cause
of that loss?
How do you know it won’t
happen again?
What sort of testing of
controls did you do to
ensure that this gap is
closed?
So, you’ve closed this
control gap….are there
other similar gaps that
need work? How do you
know?
How does this rank in
terms of priority of risk
focus? Why?
Do you have the human
and technology resources
to address this issue?
Who are our largest or
key vendors?
How confident are you
that our vendor has their
end under control? How
do you know?
I read about the problem
XYZ Bank had with XXX.
Can this happen here?
How do you know/what
are you doing about it?
13. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
13
JOIN. ENGAGE. LEAD.
BOARD ENGAGEMENT: EQUALLY IMPORTANT
Not only must your
board be engaged…
you have to prove it.
14. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
14
JOIN. ENGAGE. LEAD.
BOARD ENGAGEMENT:
EQUALLY IMPORTANT (CONT.)
• Much more detailed minutes than
traditionally provided will be required:
Show questions or challenges the
board directed to management.
Recap active discussion among the
board members.
• Bank examiners can’t sign off on
what they can’t see.
15. Enterprise Risk · Credit Risk · Market Risk · Operational Risk · Regulatory Compliance · Securities Lending
15
JOIN. ENGAGE. LEAD.
SHARE THIS PRESENTATION
Visit http://www.rmahq.org for information on risk management
Visit our blog at http://rmablog.rmahq.org/
RMA is a member-driven professional association whose sole purpose is to
advance sound risk principles in the financial services industry.
RMA helps its members use sound risk principles to improve institutional
performance and financial stability, and enhance the risk competency of
individuals through information, education, peer sharing, and networking.
Become a member today.