A number of key questions arise as a result
of the Basel Committee and corporate governance requirements
for which bank boards and management are responsible:
- Do the Board and Senior Management know the operational
risks that their business faces?
- For each identified risk, is there a clear and accountable
ownership within the business?
- Are the risks that have been identified controlled, adequately
and consistently?
- Has the potential impact of a risk occurring been measured
and the probability of occurrence estimated?
- Is there a system in place to ensure that operational
risks continue to be identified and adequately controlled?
- Is there a reliable reporting system in place?
- Does the Bank have an accurate and valid process for recording
operational losses and identifying the causes of such losses?
There are many potential risks that can
threaten an organisation. A systematic approach is required
to identify where the risks lie, what controls should be implemented
to mitigate them, how effective the system of internal control
is in mitigating those risks, and which risks can be accepted
based on the Bank's assessed appetite for risk.
Aldar Audit Bureau, in conjunction with its
associates in the UK, has adopted a unique software product,
Control And Risk Evaluation (CARE), which meets all the requirements for
Operational Risk Management noted above. The software provides
a systematic, consistent and effective approach to the recognition
of operational risks, the effectiveness of internal controls
in mitigating those risks and the measurement of the bank's
operational risk profile. It provides reports which enable
the board and management of a bank to understand the bank's
operational risk profile, to determine where improvements
and enhancements to the control environment are required,
to prioritise such changes and to measure the results. Above
all, CARE is extremely flexible to meet the needs of individual
organisations. The database is established anew for each organisation:
all data and criteria are set for each individual organisation.
The CARE software is now being enhanced with a new module,
CARE for BASEL. The new module will allow for tracking losses
and "near-misses". It will provide the basis needed for linking
the operational risk profile to the capital measurement approaches
of the Basel Capital Accord, so that expensive
capital can be better and more profitably employed.
The Grant Thornton procedure for implementing
an Operational Risk Management process within a bank incorporates:
- A review of the bank's structure to identify discrete
risk units
- Development of an implementation schedule for the bank
- A series of workshops to train the bank's staff on the
identification, classification and measurement of risks
and evaluation of controls and on the development of compliance
tests for the periodical assessment of controls
- Training the Bank's Risk Management Team on the use of
CARE and on conducting/facilitating workshops
- Interpretation and use of the reports produced by CARE.
Examples of such reports are:
- Risk and Risk Impact reports: detail the operational
risks of a process, division or unit of the organisation.
These reports show the asset that would be affected
if each risk occurred, the probability of it occurring
if there were no controls in place and the impact if
it did occur. Based on system criteria tailored for
each organisation, scores are calculated for each risk
that show the target (perfect) score, the actual score
and the Gap in the related control environment (weaknesses).
- Control and Control Impact reports: detail the controls
currently in place, the risks that they mitigate, the
periodic self-assessment tests formulated and the results
of testing with regard to consistency of application.
- Risk / Control Matrix: shows in graphic form the risks,
controls, control effectiveness, and the assessment
of the control environment for each individual
risk and for the unit (consolidated scores).
- Appetite for Risk report: shows which
risks, given the assessed control environment, have
the capacity to result in losses that exceed management's
predefined tolerance level.
- Entity Risk Profile: shows in graphic form the relationship
between the ideal control environment and the actual
environment.
The data in these reports enable management
to understand the operational risk profiles of their organisation
and to prioritise action plans for improvement.
The Basel Committee on Banking Supervision,
a committee of the Bank for International Settlements, has
issued a number of papers that put the responsibility on the
board and management of a bank for ensuring that the bank
has an effective system of operational (internal) control.
The board and management are also responsible for ensuring
that the bank has a means of providing periodic assurance
to them that the systems of control are working and that the
role of internal audit is adapted to provide objective assurance
of the adequacy of internal controls.
The relevant Basel Committee pronouncements include:
- The Regulatory Treatment of Operational Risk
- Internal Audit in Banks and the Supervisor's Relationship
with Auditors
- Enhancing Bank Transparency
- Framework for Internal Control Systems in Banking Organisations
- Enhancing Corporate Governance in Banking Institutions
- Sound Practices for the Management and Supervision of
Operational Risk
- Customer Due Diligence for Banks
The need for a process to measure a bank's operational risk
profile has taken on a new urgency as a result of the Basel
Committee paper "The Regulatory Treatment of Operational
Risk." Banks will be required to allocate capital against
their operational risk profile, in the same way as for their
credit and market exposures. Any bank that has a method, acceptable
to its regulator, for identifying its operational risks and measuring
the effectiveness of its control environment
will benefit from a reduced capital charge requirement. The
most important element from any bank's point of view is the
requirement by the Basel Committee that:
"The bank must have an independent operational risk
management function that is responsible for the design and
implementation of the bank's operational risk management system.
The operational risk management function should be responsible
for codifying bank-level policies and procedures concerning
operational risk management and controls; for the design and
implementation of the firm's operational risk measurement
methodology; for the design and implementation of a risk-reporting
system for operational risk; and for developing strategies
to identify, measure, monitor and control operational risk."
But it should be emphasised that a bank should have an operational
risk management process for the benefit of the bank's business
and future, not just because the regulators require it.