Operational Risk. Corporate governance. Contents

Transcription

1 Operational Risk Corporate governance Contents 3. Introduction 3. Establish Operational Risk policies 4. Define Operational Risk framework to carry out these policies

2 2

3 Introduction The purpose of this briefing paper is to provide a suggested approach by senior management of a UKregulated firm to comply with its obligations in respect of the new FSA Operational Risk requirements of FSA. In broad terms, FSA s requirements on Corporate Governance in Operational Risk can be divided into three: establish Operational Risk policies define Operational Risk framework to carry out these policies address the cultural change in the firm This briefing paper considers how the senior management of a firm could set out some framework policies in each of these three areas. It does not take into account the additional Corporate Governance requirements that apply to listed companies, e.g. under the Combined Code. Establish Operational Risk policies Overall policies - general guidance This part of the policy needs to cover the following points: What, if any, other objectives does the Board have in introducing Operational Risk? For example, improving processes and infrastructure, reducing exposure to fraud, understanding if processes can be carried out better, etc. How this policy relates to Systems and Controls for credit, market, liquidity and insurance risks. How should the firm s strategy be documented for managing Operational Risk, including analysis of degree of Operational Risk on the firm and on its clients (particular types of exposure and its likelihood and impact)? Identification of risks which exist but are impossible to evaluate, e.g. natural disasters. The firm s appetite or tolerance for specific Operational Risks. Overall policies - example skeleton wording 1. The firm has carefully considered the FSA s guidance on Operational Risk described in CP142 and policy document [ ]. This document sets out the firm s policies for managing Operational Risk. 2. The Board of Directors ( the Board ) of the firm accept responsibility for introducing and maintaining Operational Risk policies within the firm. 3. The Board accepts that the Operational Risk Systems and Controls will need to relate to those already existing for credit, market, liquidity and insurance risk. In some cases they will overlap, and in other areas the Systems and Controls will be additional. 4. The Board has decided the firm s strategy for managing Operational Risk, and in particular will arrange for an analysis of the Operational Risks to which the firm and its clients are vulnerable including awareness, attitude and behaviour of employees towards Operational Risk. 5. An analysis will be made of the degree of Operational Risk including particularly the particular type of exposure, the likelihood of it occurring, and its likely impact upon the firm. 6. The analysis will include risks which are impossible to evaluate e.g. natural disasters. 7. The firm is unwilling to accept any Operational Risk which would put either the firm itself or its clients at serious risk. Each Operating Risk will be analysed and evaluated and any Operational Risk which may cause such serious risk will need to be considered by the Board. For this purpose, serious impact can be defined by maximum budgeted cost, or impact score using risk indicators. 8. The Board will periodically discuss and review its Operational Risk policies taking into account both internal factors (change of the firm s business), and external factors, e.g. market changes. 3

4 Define Operational Risk Framework to carry out these policies Risk identification - general guidance There is much guidance from FSA here: In order to identify the types of Operational Risk to which the firm is exposed, a thorough analysis (ideally based upon the examination of each process and service carried out by the firm) should be made. Some of the factors included in this analysis are listed in the Skeleton Policy below. The methodology of assessing the likelihood and impact of risks is still developing. There are two main methods quantitive and qualitative. The Board will need to decide or approve the methodology to be used. Some of the elements of the methodology are described in the Skeleton Policy below. The framework needs to define how Operational Risk will be monitored after the risks have been identified and assessed. This includes identifying the information which will be reported to the Board, the information that will be collected and reported to different levels of management and Operational Risk managers (and possibly committees) in the firm. Monitoring will need to be flexible to cover changes to the Operational Risk profile and exposures of the firm. The policy towards risk control. There are a variety of possible approaches here avoidance, transfer of risk, prevention or reduction of the likelihood of occurrence or reducing the potential impact of the risk. The structure below the Board which will enable the risk identification, assessment, monitoring and control to be established and maintained. Risk identification - example skeleton wording The Board has decided to establish the following framework to carry out its policies on Operational Risk: 1. The firm will identify the types of Operational Risk to which it is exposed, and in particular it will take account of: (a) customers, products and activities, e.g. highrisk/low-risk products; (b) sources of business and distribution, e.g. reliance on too few suppliers or distributors; (c) complexity and volume of transactions, e.g. offmarket transactions; (d) processes and systems used [an end to end process review will be conducted] (most important); (e) people risk including human resource (f) management practices such as CV verification recruitment checks; the geographic and market environments in which the firm operates, e.g. emerging markets, political risk; and (g) risk exposures resulting from non-core products and services, e.g. supply of outsourcing services to group companies. Risk assessment example skeleton wording 2. The firm will assess each of the risks which it has identified. In doing so it will use [quantitive] [qualitative] assessment methods. In particular the following methods: (a) internal assessment of Risks and Controls; (b) establishment of Key Risk Indicators; (c) evaluating external Operational Risk losses, e.g. temporary closure of markets, currency fluctuations etc. (d) changes in the external business operating environment, e.g. new competitors, mergers and acquisitions etc. (e) historic review of Operational Risk losses and near misses. Risk control - general guidance Having identified and assessed each Operational Risk, the firm will need to consider how to control it. There are a number of general ways in which this can be done, including avoiding it, transferring it to someone else (but note the need to monitor providers of outsourced 4

5 services), prevention or reduction of the likelihood of occurrence or potential impact of an operation or exposure. The appropriate technique will vary according to the nature of the risk and the extent of the exposure. Risk control - example skeleton wording The firm has a flexible policy on controlling the Operational Risks identified and assessed under the policies described earlier. We will therefore lay out a framework of different techniques which may be relevant according to the nature and impact of the particular risk. The method chosen will be recorded in the Risk Map or Risk Register which will be the responsibility of [the Risk Committee] [the Risk Manager] [such other person as we have chosen]. The Risk Map or Register will identify each Operational Risk, its likelihood and its impact upon the firm. Wherever possible, the risk will be quantified using this approach. If quantification is not possible, Key Risk Indicators should be used instead. The fact that a risk cannot be quantified does not take it outside the risk control systems of the firm. It should be included in the Risk Register or Map. If the impact of a risk comes within the risk appetite or tolerance of the firm as described in point [ ] earlier, the firm will accept the risk, but will nonetheless include it in its Risk Monitoring Programme to ensure that it stays within the tolerance limit in the policy. If the impact of the risk is outside the risk appetite or tolerance of the firm s policy, it will be necessary to find a method of controlling it so that it is brought back within the policy. There are a variety of means by which this may be done: avoid the risk, e.g. restructure the activity or process giving rise to the risk so that it no longer exists; transfer the risk to a third party, e.g. by outsourcing (but note that the firm remains responsible for the risk and therefore must continue to monitor the provider), use of credit derivatives, insurance etc. (but note that internal audit must review the documents establishing this to ensure the effective avoidance or transfer of the risk); prevention or reduction of the risk happening, e.g. introducing a new IT system for settlements to avoid human error; prevent or reduce the potential impact of the exposure, e.g. test business continuity plans in practice; adjust the culture of the relevant department or employees and create incentives for them to reduce either the likelihood of occurrence or potential impact of the risk; provide for expected losses e.g. bad debts or a contingency reserve for IT expenditure; at all times the financial resources of the firm should be adequate to meet unexpected losses i.e. in the market, from delays in settlements etc. Risk monitoring policies - general guidance The key here is for a firm to decide what information it needs to obtain in order to monitor Operational Risk exposures. This includes having a Risk Monitoring Programme, perhaps in the form of collecting information and making regular reports to different levels of management, e.g. the lowest level receiving the largest amount of information, and of potential problems. This filters up to the Board as it is collated with other information, but information from any source (unless serious risk) is reduced at each level. The Risk Monitoring process should also take into account any authorised deviations from the Operational Risk policy, and the level at which those deviations should be approved. Risk monitoring policies - example skeleton wording 1. That a risk monitoring programme should be established to ensure that the identification of risks and their assessment is continuous. 2. That the Risk Register or Risk Map established by the risk assessment process will be made available to the Board, and that information on any material Operational Risks identified there should be given to the Board on a regular basis [frequency to be defined]. 3. That any deviations from the firm s Operational Risk policy should be authorised at the appropriate level e.g. Board, Risk Committee, 5

6 Division Head etc. That any unauthorised deviations from the Operational Risk policy should give rise to an exception report to the relevant level of management depending upon the seriousness of the breach. Each level of risk management should clearly understand that reporting of any serious or potentially serious breach of the policy should not be held up while it is being investigated, but should be immediately notified to [senior management] [the Board]. Where possible, predefined thresholds will be developed to show whether the actual or potential cost of a breach is above a predefined material figure. 4. That [the Risk Committee] [the Board] should be informed of, and make changes to its policy relating to Operational Risk controls, whenever there is a significant change in the internal or external Operational Risk profile or exposure of the firm. Address cultural change - general guidance This is a major issue for many firms, particularly those focused upon profitability rather than risk control. The culture of the firm is established by the Board and its senior management. Therefore, any change in culture must start at that level. Assuming that there is an Operational Risk culture at the top, the question then becomes how the rest of the firm can be brought willingly to accept it as an equal priority to the other commercial objectives of the firm. In addition, there are personal interests of employees, e.g. remuneration, which may cut against an Operational Risk culture. Address cultural change - example skeleton wording The firm at all levels considers the management of Operational Risk important. Its importance goes beyond any regulatory requirements and goes to the heart of the business of the firm. It is for this reason that the Board of the firm have made an absolute commitment to the Operational Risk culture described in the rest of this policy. The responsibility for Operational Risk rests with individuals at all levels and in all departments. It is a critical part of the job specification of each person. All individuals will be given a copy of the firm s risk policies, and will be expected to follow them in their jobs. Some individuals will have responsibility for particular risks, and will be expected to be responsible for these under a Risk Map or organagram which they will receive. The extent to which individuals at all levels carry out the firm s policy towards Operational Risk is relevant to their [annual] review. Risk is only part of the Systems and Controls of the firm. These not only ensure the future prosperity of the firm, but also the information is useful for the commercial objectives of the firm in many other ways. Good risk control enables the firm to be more profitable. Your participation in identifying, assessing and controlling risks is very important. Your ideas as to how this should be done in your area will be well received. This is particularly important in the development of new services and new products. 6

7 7

8 Field Fisher Waterhouse LLP 35 Vine Street London EC3N 2AA t. +44 (0) f. +44 (0) This publication is not a substitute for detailed advice on specific transactions and should not be taken as providing legal advice on any of the topics discussed. Copyright Field Fisher Waterhouse LLP All rights reserved. Field Fisher Waterhouse LLP is a limited liability partnership registered in England and Wales with registered number OC318472, which is regulated by the Law Society. A list of members and their professional qualifications is available for inspection at its registered office, 35 Vine Street London EC3N 2AA. We use the word partner to refer to a member of Field Fisher Waterhouse LLP, or an employee or consultant with equivalent standing and qualifications.