From reaction to PRO-action! Implementing a comprehensive Operational Risk Management system: Banking is a risky business; however, until now, in most financial institutions, only two of the three major risk elements, Credit Risk, and Market Risk, have been subjected to analysis, measurement, and management. The third, and arguably, the most complex and critical, Operational Risk, has been largely ignored. The recent banking crisis and recent bank failures meant this had to change, and it has. Both the regulators and the boards of banks now understand that unexpected and uncontrolled Operational Risk can present a major threat to their institution. Insurance companies are in the business of assessing risk, yet they too, in the past, have largely ignored Operational Risk. Now, major insurers and their regulators are coming to understand the importance of massively significant threat to insurers’ activities.
To survive, develop, and prosper in this increasingly risky and competitive environment, financial services organizations need to be at the leading edge of operational Risk Measurement and Management; all of their stakeholders, along with their regulators, expect nothing less from them.
Our Operational Risk Management Methodology and software are designed to meet these requirements.
How can Alyafi group assist in meeting your Operational Risk Management challenges?
The Group’s ability to provide Operational Risk Management services is built around a software package called CAREweb™ (Control And Risk Evaluation). This web-based software provides a systematic, consistent and effective approach for categorizing Operational Risks, determining the effectiveness of internal controls in mitigating those risks and measuring the organizations Operational Risk proﬁle. It provides numerous reports that enable the board and management of an organization to measure the “Gaps” in the control environment, determine where improvements and enhancements to the control environment are required, prioritize such changes and follow-up on their implementation.
The Group's approach for implementing an Operational Risk Management process within an organization incorporates:
Reviewing the corporate structure to identify discrete risk units.
Developing an implementation schedule for the business.
Conducting a series of workshops to train the staff on the identiﬁcation, classiﬁcation, and measurement of risks and the evaluation of controls, and on the development of Compliance Tests for the periodical evaluation of controls.
Training the Risk Management Team on the use of CAREweb™ and on conducting/facilitating workshops.
Developing the forms and procedures of work needed for capturing loss events and “near-misses” and using CAREweb™ to record and analyze such events as well as to monitor the implementation of action plans to prevent their recurrence.
Designing, interpreting and using the reports generated by CAREweb™.
Adjusting the Internal Audit Charter to utilize CAREweb™ results for the implementation of a Risk-based audit methodology.
Training RM, Compliance and IA staff on the use of CAREweb™.
The Basel Committee on Banking Supervision, a committee of the Bank for International Settlements, has issued a number of papers that put the responsibility on the board and management of a bank for ensuring that the bank has an effective system of operational (internal) control. The board and management are also responsible for ensuring that the bank has a means of providing periodic assurance to them that the systems of control are working and that the role of internal audit is adapted to provide objective assurance of the adequacy of internal controls.
The relevant Basel Committee pronouncements include:
|The Regulatory Treatment of Operational Risk|
|Internal Audit in Banks and the Supervisor's Relationship with Auditors|
|Framework for Internal Control Systems in Banking Organizations|
|Enhancing Corporate Governance in Banking Institutions|
|Sound Practices for the Management and Supervision of Operational Risk|
|Minimum Capital Requirements|
|International Convergence of Capital Measurement and Capital Standards|
|Quantifying Regulatory Capital for Operational Risk|
|Sound Practices for the Management and Supervision of Operational Risk - Basel Committee|
Treatment of Operational Risk." Banks will be required to allocate capital against their operational risk profile, in the same way as for their credit and market exposures. Any bank that has a method for identifying its operational risks and measuring the effectiveness of its control environment, which is acceptable to its regulator, will benefit from a reduced capital charge requirement. The most important element from any bank's point of view is the requirement by the Basel Committee that:
The bank must have an independent operational risk management function that is responsible for the design and implementation of the bank's operational risk management system. The operational risk management function should be responsible for codifying bank-level policies and procedures concerning operational risk management and controls; for the design and implementation of the firm's operational risk measurement methodology; for the design and implementation of a risk-reporting system for operational risk; and for developing strategies to identify, measure, monitor and control operational risk."
BUT it should be emphasized that a bank should have an operational risk management process for the benefit of the bank's business, not just because the regulators require it.