Operational Risk Reporting

ORX continues to lead the way in setting the reporting standards by which the industry views operational risk events. By bringing together a wealth of knowledge and experience from our community of members, we are able to produce high-quality operational risk reporting standards for both the banking and insurance industry.

Operational Risk reporting

Our standards ensure our members receive data of a comparable standard and in an agreed format, but many other financial firms also benefit from using them to support their operational risk event collection and reporting practices.

Both sets of standards are maintained in collaboration with our Definitions Working Groups. They are continually updated to reflect contemporary issues and to meet the reporting requirements of our members in an ever-changing landscape.

The current edition of the banking operational risk reporting standards (B-ORRS) was approved by the ORX Board in 2016. Our latest revision to this edition outlines new reporting requirements for tax events (see section 3.2.4).

We developed the insurance operational risk reporting standards (I-ORRS) with leading global insurers to be in line with the CRO Forum high-level operational risk definitions and, wherever possible, to be consistent with our Banking ORRS. Like the B-ORRS, the I-ORRS is in two sections and contains definitions and detailed descriptions.

Operational risk management reports must address both organization-wide and line-of-business results. These reports must summarize operational risk exposure, loss experience, the relevant business environment, and internal control assessments, and should be produced on a quarterly basis. Operational risk reports must also be provided periodically to senior management and the board of directors, summarizing relevant organization-wide operational risk information.

Ongoing monitoring of operational risk exposures is a key aspect of an effective operational risk framework. To facilitate monitoring of operational risks, results from the measurement system should be summarized in reports that can be used by the organization-wide operational risk function and line-of-business management to understand, manage, and control operational risk and losses. These reports should serve as a basis for assessing operational risks and related mitigation strategies and for creating incentives to improve operational risk management throughout the organization.

High-level operational risk reports must be produced periodically for review by the board and senior management. These reports must provide information on the operational risk profile of the organization, including the sources of operational risk from both an organization-wide and a line-of-business perspective, measured against established management expectations.

Operational risk reporting should work at two levels: internal and external. Internal reports go to senior managers and the board of directors, who should receive, at the corporate level, regular reports on financial, operational risk, and compliance data. External reports should include external market information about events and conditions that are relevant to operational risk management decision-making. The results of monitoring activities should be included in regular management and board reports, and those reports should fully reflect identified problem areas and motivate timely corrective action on outstanding issues.

Operational risk management should ensure that information is received by the appropriate people, on a timely basis, and in a form and format that will aid in the monitoring and control of the business.

Motivated by the recognition of operational risk management as being crucial for banks and the importance of adequate reporting for enhancing market discipline, the present paper investigates operational risk disclosure practices in the 1998 to 2001 period. Whereas reporting was not mandatory at that time, disclosure increased in both extent and content. Consistent with arguments based on corporate finance theory, empirical evidence indicates that financial institutions with a lower equity/assets ratio and/or profitability ratio give greater importance to disclosing their assessment and management of operational risks whereas those with higher ratios choose a lower disclosure stance.

Key risk indicators (KRIs) are an important tool within risk management and are used to enhance the monitoring and mitigation of risks and to facilitate risk reporting. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational KRIs are measures that enable risk managers to identify potential losses before they happen: the metrics act as leading indicators of changes in the risk profile of a firm, so each one needs a defined threshold at which it escalates and a view of its trend over time, not just its latest value.
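The following is an added example, not code from ORX or from any of the sources quoted on this page. It shows how a small set of technology-risk KRIs can be turned into a monitoring report: each indicator carries amber/red thresholds, each weekly observation is mapped to a red/amber/green status, and a simple trend test flags indicators that are deteriorating before they breach red. The indicator names, thresholds and the six weeks of observations are all constructed for illustration; real thresholds come from the firm's risk appetite statement.

```python
from dataclasses import dataclass
from statistics import mean


@dataclass(frozen=True)
class KRI:
    """A key risk indicator with amber/red escalation thresholds."""
    name: str
    amber: float
    red: float
    higher_is_worse: bool = True  # False for "good" metrics such as pass rates


# Hypothetical technology-risk KRIs; thresholds are illustrative, not a standard.
KRIS = [
    KRI("failed_logins_per_1k_users", amber=20, red=40),
    KRI("critical_patch_latency_days", amber=14, red=30),
    KRI("privileged_accounts_without_mfa", amber=5, red=10),
    KRI("backup_restore_test_pass_pct", amber=95, red=90, higher_is_worse=False),
]

# Constructed weekly observations (week 1 .. week 6, oldest first).
OBSERVATIONS = {
    "failed_logins_per_1k_users": [8, 9, 12, 18, 26, 35],
    "critical_patch_latency_days": [10, 11, 12, 16, 21, 27],
    "privileged_accounts_without_mfa": [2, 2, 3, 3, 4, 6],
    "backup_restore_test_pass_pct": [99, 98, 99, 97, 98, 99],
}


def rag_status(kri: KRI, value: float) -> str:
    """Map one observation to RED / AMBER / GREEN against the KRI's thresholds."""
    if kri.higher_is_worse:
        if value >= kri.red:
            return "RED"
        if value >= kri.amber:
            return "AMBER"
        return "GREEN"
    if value <= kri.red:
        return "RED"
    if value <= kri.amber:
        return "AMBER"
    return "GREEN"


def trend(kri: KRI, series, window: int = 3) -> str:
    """Compare the mean of the latest `window` observations with the mean of the
    preceding `window`. A >10% move in the adverse direction is DETERIORATING,
    a >10% move the other way is IMPROVING, anything else is STABLE."""
    if len(series) < 2 * window:
        return "INSUFFICIENT_DATA"
    recent = mean(series[-window:])
    prior = mean(series[-2 * window:-window])
    if prior == 0:  # avoid division by zero when the baseline is empty
        if recent == 0:
            return "STABLE"
        return "DETERIORATING" if kri.higher_is_worse else "IMPROVING"
    ratio = recent / prior
    adverse = ratio > 1.1 if kri.higher_is_worse else ratio < 0.9
    favourable = ratio < 0.9 if kri.higher_is_worse else ratio > 1.1
    if adverse:
        return "DETERIORATING"
    if favourable:
        return "IMPROVING"
    return "STABLE"


def evaluate(kris=KRIS, observations=OBSERVATIONS) -> dict:
    """Build the per-indicator report: latest value, status, trend and the
    number of observed weeks in which the indicator was not GREEN."""
    report = {}
    for kri in kris:
        series = observations[kri.name]
        latest = series[-1]
        report[kri.name] = {
            "latest": latest,
            "status": rag_status(kri, latest),
            "trend": trend(kri, series),
            "breached_weeks": sum(1 for v in series if rag_status(kri, v) != "GREEN"),
        }
    return report


def escalations(report: dict) -> list:
    """Indicators to escalate: any RED, or any AMBER that is also deteriorating.
    The escalation rule itself is an assumption made for this example."""
    return sorted(
        name for name, r in report.items()
        if r["status"] == "RED"
        or (r["status"] == "AMBER" and r["trend"] == "DETERIORATING")
    )


if __name__ == "__main__":
    rep = evaluate()
    for name, r in rep.items():
        print(f"{name:34} latest={r['latest']:>5} {r['status']:5} {r['trend']}")
    print("escalate:", escalations(rep))
```

With the constructed data, none of the indicators has crossed red, yet three are amber and trending sharply worse, which is exactly the situation a KRI is meant to surface before a loss event materialises; the backup pass rate stays green and stable and does not appear in the escalation list.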

To qualify to use the Advanced Measurement Approach (AMA) to calculate operational risk capital under Basel II, the Basel Committee on Banking Supervision (BCBS) has specified detailed criteria for the use of forward-looking measures. The choice of each factor needs to be justified as a meaningful driver of risk and, whenever possible, the factors should be translatable into quantitative measures that lend themselves to verification. The sensitivity of a firm's risk estimates to changes in the factors, and the relative weighting of the various factors, need to be well reasoned.

Kseniya (Kate) Strachnyi is an advisory consultant focused on risk management, governance, and regulatory response solutions for financial services institutions. Areas of expertise include governance frameworks, enterprise risk management programs, ICAAP, compliance risk management, operational risk management, Foreign Enhanced Prudential Standards, Basel II/III, and the Dodd-Frank Act.

Senior Management has two perspectives on risk. In the traditional Enterprise Risk Management (ERM) view, the goal is to find the perfect balance of risk and reward. Sometimes the organization will accept more risk for a chance at growing the organization more quickly and at other times the focus switches to controlling risks with slower growth. The Operational Risk Management (ORM) perspective is more risk-averse, and focuses on protecting the organization. Get an in-depth overview of Operational Risk Management, including the 5 steps of the ORM process.

Operational risk permeates every organization and every internal process. The goal in the operational risk management function is to focus on the risks that have the most impact on the organization and to hold accountable employees who manage operational risk.

When dealing with operational risk, the organization has to consider every aspect of all its objectives. Since operational risk is so pervasive, the goal is to reduce and control all risks to an acceptable level. Operational Risk Management attempts to reduce risks through risk identification, risk assessment, measurement and mitigation, and monitoring and reporting while determining who manages operational risk.

In the risk assessment, the risks are measured against a consistent scale so that they can be prioritized and ranked relative to one another. The measurement also weighs the cost of controlling each risk against the potential exposure it represents.

Risks are monitored through an ongoing risk assessment to determine any changes over time. The risks and any changes are reported to senior management and the board to facilitate decision-making processes.

As the name suggests, the primary objective of Operational Risk Management is to mitigate risks related to the daily operations of an organization. The practice of Operational Risk Management focuses on operations and excludes other risk areas such as strategic risks and financial risks. While other risk disciplines, such as ERM, emphasize optimizing risk appetites to balance risk-taking and potential rewards, ORM processes primarily focus on controls and eliminating risk. The ORM framework starts with risks and deciding on a mitigation scenario.

Applying a control framework, whether a formal framework or an internally developed model, will help when designing the internal control processes. One approach to understanding how ORM processes look in your organization is by organizing operational risks into categories like people risks, technology risks, and regulatory risks.

The people category includes employees, customers, vendors and other stakeholders. Employee risk includes human error and intentional wrongdoing, such as in cases of fraud. Risks include breach of policy, insufficient guidance, poor training, bad decision-making, or fraudulent behavior. Outside of the organization, there are several operational risks that involve people. Employees, customers, and vendors all pose a risk through social media. Monitoring and controlling the people aspect of operational risk is one of the broadest areas for coverage.

Technology risk from an operational standpoint includes hardware, software, privacy, and security. Technology risk also spans the entire organization and overlaps with the people category described above. Hardware limitations can hinder productivity, especially in a remote work environment. Software too can reduce productivity when applications do not increase efficiency or employees lack training. Software can also affect customers as they interact with your organization. External threats exist as attackers attempt to steal information or hijack networks, which can lead to leaked customer information and data privacy concerns.

Risk for non-compliance to regulation exists in some form in nearly every organization. Some industries are more highly regulated than others, but all regulations come down to operationalizing internal controls. Over the past decade, the number and complexity of rules have increased and the penalties have become more severe.

Understanding the sources of risk will help determine who manages operational risk. Enterprise Risk Management and Operational Risk Management both address risks in the same areas but from different perspectives. In an effort to consolidate these disciplines, some organizations have implemented Integrated Risk Management (IRM). IRM addresses risk from a cultural point of view. Depending on the objective of the particular risk practice, the organization can implement technology with different parameters for teams like ERM and ORM.