Basel Committee serves up a healthy dose of operational risk management
26 August 2020
It’s been nine years since the last major update to the Principles for the Sound Management of Operational Risk (PSMOR), and six years since the Basel Committee for Banking Supervision (BCBS) reviewed how they had been implemented. Reading the recent consultation paper reveals where poor practice needs to be addressed. Despite its status as a key risk category, the discipline of operational risk management (ORM) has been notoriously light on specifics, with a principles-based regulatory approach preferred. As a concept, ORM requires firms to understand what they do, what could go wrong, how to stop things from going wrong, and how to respond when they do. Pretty simple, right?
Yet a recent European Banking Authority report highlighted the poor state of operational risk management within European banks, finding that only one in ten SREP (Supervisory Review and Evaluation Process) reviews considered operational risk management to be ‘good’ (i.e. rated 1 or 2 out of 4) compared with around 60% for Credit Risk and 80% for Market Risk.
There’s an analogy here with healthy living; most of us know we should eat right and stay active, but this hasn’t prevented the obesity crisis society faces. As a result, guidance has become more specific and more directive. Now we see colour-coded food labels, gadgets monitoring our (in)activity and recommendations on what exercise to do. So too with ORM - most firms want a robust approach, but haven’t achieved it in practice. Many accept that they should do more, but that’s always next year’s problem. Others have told themselves they’re fine (while figuratively struggling to button their trousers).
Things are changing - for a start, the revised principles place much more of the onus on senior managers than the Board. Previously, management responsibilities were defined within the broad context of the three lines of defence model: the new version would allocate responsibility more clearly, aligning with the SM&CR regime in the UK and addressing a key finding from the EBA summary report regarding concerns on internal governance. Senior managers must recognise their role in implementing a strong risk culture, including establishing appropriate risk ownership within the business.
Principle four on risk appetite and risk tolerance receives a makeover, with more prescriptive expectations on what’s required. This includes articulating how risk appetite and strategy relate to each other, and how risk tolerance thresholds operate and are set.
The paper also gives guidance on the role of supervisors. In the UK, operational risk has tended to be the remit of firm supervisors (rather than ORM specialists), who already have varied other priorities relating to all categories of risk. This may mean ORM concerns are crowded out by other competing priorities.
In parallel to the revised principles, BCBS has also published a consultation on principles of operational resilience, which we analyse in a separate blog. BCBS defines operational resilience as ‘an outcome that benefits from the effective management of operational risk', explicitly linking operational risk with operational resilience. Joining the dots should help firms ensure they’re considering both prevention and response strategies on operational disruption. For instance, having a clear understanding of the control framework will give confidence in assessing the effectiveness of response plans for scenario planning and testing.
The proposed revisions will undoubtedly help firms who’ve struggled to make progress in implementing the principles. While they are specifically relevant to banks, insurers and asset managers should adopt them too, as regulators will expect commonality across financial services. However, much like our health, better guidance will not necessarily make the difference. If we want to be the best version of ourselves, it's up to us to act.
Responses to the consultation can be submitted until 6 November 2020. Please read our summary for a more detailed analysis of the changes to the principles and reach out for a further discussion.
There is a parallel BCBS consultation underway on some proposed principles for operational resilience. Read more in our separate blog: Hollywood blockbuster or rotten tomato: does the Basel Committee paper on operational resilience deliver?