Institutions are now increasingly using operational risk frameworks to make estimates about future as well as historical approaches. This was not the case before the financial crisis. Earlier, few institutions were able to analyse their overall risk profile and evaluate the impact of strategic decisions on the organization. Strategic decisions were usually made on the basis of operating entities, risk factors and single lines of business. This would lead to bad choices and losses for the institution.
In the post-crisis world, institutions have understood the value of having a robust Operational Risk Framework to establish a strong link between the long-term goals and operational decisions and activities within the company.
HOW TO ESTABLISH AN OPERATIONAL RISK FRAMEWORK IN AN INSTITUTION
Identification of Risk:
The first step in designing a risk framework for an institution is to understand the extent to which the institution and its strategies are exposed to risk. A review of the present business and future business strategy against the risks that may be involved has to be defined within the scope of the Operational Risk Framework.
The types of risk that should be included in the risk framework are compliance risk, process risk, financial reporting risk, vendor risk and IT risk. After the risks are defined, they are allocated to the specific operational risk management teams. This helps create a library of probable risks and related items like regulations, control policies and procedures, indicators and tests.
Core Risk Management Process:
The next step in the implementation process is putting in place the core Risk Management Processes. This includes key risk indicators, loss events, issue management, and risk and control self-assessment.
The risk and control self-assessment process identifies the operational risks to which the institution is exposed and the impact these risks can have on the business.
Key risk indicators establish transparency and reporting requirements, measure operational risks consistently and give early indicators of potential failures and control issues.
The loss event collection process helps identify and report operational losses. It promotes effective and transparent loss event management and reduces the negative effects.
Issue management records issues regarding risk management. It helps identify the target issue and set a priority, responsibility and completion date for it.
Developing and delivering reports regarding the earlier mentioned risk management processes is the third step in the implementation process. Showcasing the link between the risk libraries and ORM processes is central to this step. This will help in the timely identification of out-of-line processes, hence safeguarding against probable losses.
This stage focuses on the key risks faced by the institution and their communication to the management. It also includes a review of the factors that may lead to those risks, and develops risk calculation models with the help of data from all the processes.
Calculating Risk Appetite
The elementary responsibility of the risk framework is calculating and presenting the possible risks to the management to weigh against the risk capacity of the institution. This is the stage where the risk appetite of the institution is calculated. After this, decisions regarding the risk appetite are taken and tactical changes are made to minimize the effect of the risks.
Audit and Review
This is the final stage of the implementation process and it should ideally be implemented along with the other stages and not held back till the end. This stage includes functions like developing audit and business teams.
The above stages ensure the implementation of a strong operational risk framework for the institution to effectively manage the risks and strike a balance between risk and opportunity.