RMA GUIDANCE NOTE #2 OPERATIONAL RISK APPETITE


July 2014

CONTENTS
1. Introduction
2. Key definitions
3. Operational Risk Appetite: Objectives, Benefits and Critical Success Factors
4. Components of Operational Risk Appetite Statements (ORAS)
5. Operational Risk Appetite formulation, implementation and governance ... 11
   Operational Risk Appetite formulation principles ... 11
   Operational Risk Appetite formulation process
   Operational Risk Appetite implementation ... 18
   Operational Risk Appetite Governance ... 22
Appendices
A. Example of Operational Risk Appetite Statements
B. Roles & Responsibilities ... 27
C. Acknowledgements

Version Number / Date Issued / Summary of Changes
July 2014: Final and approved version

2014 Risk Management Association Inc (Vic), ABN
PO Box 20468, World Square, NSW 2002
Phone:
secretariat@rmaaustralia.org

Disclaimer
The Guidance Note does not intend to prescribe a way of formulating Operational Risk Appetite; the information contained in this document is intended only to provide some suggestions, based on industry experience, and considerations that should be given in the implementation of this management tool. It is not intended to be comprehensive. It does not constitute, nor should it be treated as, legal advice or opinions. Users are encouraged to obtain professional advice about the application of any legislation or standard relevant to their particular circumstances and to exercise their own skill and care in relation to any material contained in this guide. The RMA Australia accepts no liability for any loss suffered as a result of reliance on this publication. This document has been published without prejudice. The information contained herein is current as at the date of this document. You may download, display, print and reproduce this material in unaltered form only (retaining this notice) for your personal, non-commercial use or use within your organisation.

Operational Risk Appetite RMA Guidance Note #2 2

FOREWORD
Following the successful release of the Risk and Control Self Assessment Guidance Note in March 2013, the RMA Interbank Operational Risk Forum agreed to prepare the next industry Guidance Note on Operational Risk Appetite (ORA). This subject matter was selected for a number of reasons, the main factor being that a majority of Australian Financial Institutions are all facing the challenge of maturing their existing Operational Risk Appetite Statements. To this end the Interbank Operational Risk Forum agreed to establish a working group to document a combined industry approach on defining, developing, setting and implementing operational risk appetite. We hope that the accompanying document can serve in supporting member organisations in developing and rolling out their own tailored approach.

The Guidance Note is not intended to be prescriptive in the manner in which an organisation should develop its risk appetite. Rather, it provides some guidance and practical examples to assist organisations in the development and implementation of ORA, given their size and level of maturity.

This guidance note has been the culmination of collaboration between 24 dedicated operational risk professionals across 12 member banks. The sharing of their collective knowledge and their contribution to the principles and processes of this guidance note has been an extremely rewarding journey for all involved. In addition, this exercise has continued to grow and strengthen the network of operational risk professionals across the Australian banking fraternity, and I have personally enjoyed the interactions, learning and friendships that developed during this project.

In closing, I would like to personally thank RMA Australia for their continued support and commitment to our Interbank Operational Risk Forum and PwC for their professional advice and significant work in facilitating and guiding the discussion and debate along the way. I would also like to thank the Editorial Committee for their unbridled work in collating and consolidating the work of the syndicate groups, and finally each of the member banks and their representatives for their contribution and commitment to developing this Guidance Note.

Regards
Ian Falls
Chair, RMA Interbank Operational Risk Forum

1 INTRODUCTION
The Interbank Operational Risk Forum, under the sponsorship of the Risk Management Association (RMA) of Australia, established an Industry Working Group to develop this Guidance Note on Operational Risk Appetite (ORA). For many Banks, ORA is a fundamental component of their Operational Risk Management Framework (ORMF), and provides guidance on the amount of risk the organisation is willing to accept and the boundaries within which its employees must operate. However, the challenge has been to bring this concept to life and to make ORA meaningful for the business.

ORA is often thought of through the sporting analogy of staying within the field of play, that is, operating within clear and predefined boundaries. This analogy is also relevant for businesses, which need to be able to deliver on their strategic objectives without taking undue risk.

The objective of this Guidance Note is to produce industry relevant guidance for financial services organisations on the defining, setting and use of risk appetite as a key component of their management of operational risk. The ORA Guidance Note outlines the:
- Objectives for and benefits of having an ORA.
- Critical success factors.
- Method for developing ORA.
- Building blocks for formulating ORA.
- Implementation and use of ORA.
- Purpose and application of Governance.

This Guidance Note is not prescriptive, nor will it provide standardised templates. Rather, it will outline the foundations needed to enable financial services organisations to develop and tailor ORA for their organisation, at their level of maturity.

2 KEY DEFINITIONS
Definitions of typical Risk Appetite terms will often differ between institutions and as a result the same term may have a different meaning. For the purposes of this Guidance Note, the following definitions apply.

Operational Risk: The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.

Risk Appetite: The amount and type of risk that an organisation is prepared to seek, accept or tolerate in the pursuit of its long term objectives.

Risk Appetite Statement: A collection of individual statements within a single document; the term can also refer to the overall document.

Risk Capacity: The maximum resources (financial and non-financial) the organisation has available to pursue its objectives.

Risk Culture: Describes the values, beliefs, knowledge and understanding of risk commonly shared by individuals within an organisation that then informs and governs their actions and behaviours.

Risk Measure: Metric used to express the organisation's tolerance for a risk. It may be expressed in a quantitative or qualitative form.

Risk Profile: Point in time assessment of the financial institution's gross and, as appropriate, net risk exposures (after taking into account mitigants) aggregated within and across each relevant risk category based on forward looking assumptions.

Division: Used as a general reference to denote divisions, business units, business lines etc.

3 ORA: OBJECTIVES, BENEFITS AND CRITICAL SUCCESS FACTORS
Risk Appetite is about more than just writing a series of risk appetite statements. The real value is demonstrated when risk appetite sets clear boundaries that assist Management to prioritise and deploy resources in the pursuit of their strategic objectives, while not exceeding the organisation's prescribed level of risk.

OBJECTIVES
The objectives for the formulation, implementation and use of risk appetite are three-fold:
- Set clear expectations on how much risk is appropriate to take in the pursuit of the organisation's strategic objectives.
- Provide Management with a tool for effective decision making through the articulation of minimum standards, acceptable activities and corresponding metrics and limits.
- Establish a benchmark against which to measure, monitor and report on operational aspects of business performance.

Organisations that define and use ORA should expect to realise some of the following benefits as ORA is implemented and its use and application matures over time.

BENEFITS
Support, reinforce and meet strategic targets
ORA supports on-going decision making in due diligence activity, new product approval processes and key business objectives. This use of ORA provides a means of assessing the level of risk being introduced and whether that level of risk is appropriate for the organisation.
Example: Where a change requires geographic expansion, does the ORA support such a move?
Example: Where outsourcing/offshoring forms part of an organisation's strategy, the ORA can outline the activities for which outsourcing/offshoring can be used to provide support.

Generate efficiencies and improved cost management
Provides Management with a benchmark against which to measure, monitor and report on operational aspects of business performance. Such monitoring and reporting provide Management with greater insight into business capability, capacity and vulnerabilities in the current and forecast risk and control environment, and highlight where action is required to dial up or dial down risk and controls. These insights aid Management to determine an appropriate course of action and to act to seek efficiencies and optimise investment in the control environment to generate cost savings. Considerations that drive the scale, depth and sustainability of the response include the urgency posed by the risk and the degree to which acceptable limits have been breached. When faced with these decisions, ORA provides management with a tool for effective and efficient decision making without the need for unnecessary escalation.

Prioritisation of investment spend
Articulation of ORA assists in prioritisation of business initiatives and the corresponding investment spend. When aligned with a risk acceptance process, risks considered outside of risk appetite are escalated for management attention. Where insufficient funding is available to address key remedial initiatives, management is prompted to review their program of funding and determine if and where reprioritisation/re-allocation of funding is required.

Extract more value from existing risk and other supporting frameworks
The formulation and use of ORA creates a direct link between management activity, Risk Control Self-Assessment (RCSA) and capital. The existence of this link provides the foundation to set operational policy and to develop associated procedures and guidance. Through these mechanisms adverse behaviours and poor performance can be identified, and the right behaviour incentivised to drive good risk culture.

Strong risk culture
ORA strengthens an organisation's risk culture by setting clear expectations for the management of operational risk. Cultural maturity is a function of how well the Board, relevant risk committees, Divisional leaders and staff understand and embrace the organisation's risk management processes and systems and apply these in day to day business activities and decision making.

CRITICAL SUCCESS FACTORS
Several factors contribute to the successful formulation and implementation of ORA. These include:

Support of the Board
Tone from the top underpins the successful implementation of ORA. The Board needs to be engaged early and play a significant role in the formulation of the organisation's ORA. If the Board is indifferent about the organisation's ORA, then this attitude will most likely permeate throughout the organisation.

Knowledge of the organisation's strategy and internal and external factors
A thorough knowledge of the organisation's strategy, internal and external operational risk drivers, the business environment and risk profile is a minimum requirement to define ORA. This is critical because the implementation of ORA is most effective when it is integrated with existing strategic planning/budgeting and capital management processes.

Established ORMF
The organisation must have in place a functional ORMF in order to:
- Provide a clear definition of operational risk, its inclusions and exclusions (e.g. whether compliance is included within the definition of operational risk or not), that is uniformly understood by all stakeholders.
- Ensure that material risks and the associated control environments are identified, measured, managed and monitored. An understanding of the organisation's material risks is a minimum requirement to set ORA.
- Integrate ORA into the organisation's policies and procedures, code of conduct, and any other relevant guidance governing the behaviour of its people and the performance of business activities.

Governance Structure
Governance structures established under the organisation's ORMF must be well defined to enable effective oversight and governance of ORA. The effective operation of these governance structures is dependent on risk management systems and tools to support the monitoring of ORA. Ideally these should be in place prior to the formulation of the ORA.

Defined accountability for Operational Risk Management
The use and application of ORA depends on a clear understanding across the organisation of accountabilities and roles and responsibilities as they relate to ORM. For example, accountability for the consideration of ORA in strategic and capital management planning needs to be defined. The effective execution of these accountabilities should be subject to oversight and challenge in accordance with the requirements of the organisation's governance framework.

4 COMPONENTS OF OPERATIONAL RISK APPETITE STATEMENTS (ORAS)
The form and composition of the ORAS will be influenced by the organisation's risk management philosophy and the nature of the operational risks it faces. While there are many different formats and styles for ORAS, the content needs to support the organisation's understanding of its material operational risks and clearly define the parameters within which it expects these risks to be managed.

The key areas of operational risk for which the organisation or Division wishes to articulate an appetite should be clearly defined in the ORA. The ORA risk types reflect the business's primary operational risk exposures and its strategic focus, i.e. market segments, customer base, technological capability etc. Specific risks can be grouped into risk categories to support organisational monitoring and reporting.

The following section sets out a non-exhaustive list of components that may be incorporated into an ORAS. Appendix A sets out alternative examples for expression of an ORAS. The content of an ORAS is primarily focused on articulating, for the material operational risks faced, the level of appetite the organisation has for those risks and how they are measured. Key components typically observed in an ORAS include:
- Scale: The scale provides a means of qualitatively expressing the organisation's ORA and establishing the level of appetite for a given risk.
- Risk Measures: These are typically used to translate high level qualitative statements into more granular Divisional or risk specific metrics. This enables thresholds or triggers to be established to support early warning and regular reporting on the organisation's level of risk exposure relative to its risk appetite.

EXAMPLE
ORAS can be documented in many formats and styles and it is up to each organisation to determine the most appropriate approach. Consideration should be given to the level at which operational risk appetite is expressed. It can be expressed at various levels of the organisation. For example:
1. At the highest level of the organisation, i.e. "As an organisation we have an appetite for operational risk losses not exceeding X% of income."
2. Expressed in a more granular manner for the organisation's material risks that are specific to the activities and/or strategic intentions of the business concerned (operational risk, outsourcing, compliance, etc).
3. Expressed using Basel categories (Internal fraud; External fraud; Employment practices and workplace safety; Clients, products and business practices; Damage to physical assets; Business disruption; Execution, delivery and process management).
4. Expressed in relation to key areas an organisation considers important to the execution of its strategy. An example would be a Level 1 risk category of Business disruption, which may articulate a Low risk appetite for continuous disruption to key processes, premises or systems, and then a Level 2 risk type within that category for the Retail Banking operation of key systems availability, which may require key systems to be available 99.5% of the time.

Regardless of the level at which appetite is expressed, the following components of Scale and Risk Measures can be used.

SCALE
Using a scale to articulate appetite in the first instance assists in communicating it to a wide audience at all levels of the organisation and provides a point of reference for discussions and decisions around risk choices. In the absence of explicit risk measures a scale provides guidance as to how much risk the organisation is willing to accept. Key considerations in establishing an effective scale include:
1. The number of points on the scale. Typically there is a minimum of 4 points and no more than 6 or 8 points on the scale. It is recommended that the scale use an even number (rather than an odd number) of points to prevent a middle option, and consequently promote robust discussion and definitive positioning on the scale.
2. The basis of articulating the points on the scale. Options include numeric (e.g. 1-5), descriptive (e.g. Very Low, Low, Medium, High) or posture statements (e.g. Expansionary, Conservative) which indicate the level of appetite tolerable in the pursuit of the organisation's strategic objectives. The basis of expression could be in absolute terms or relative to some benchmark (current state, peers, market levels etc.).
3. Use of a zero appetite level. Typically, this concept is only applied if the risk can be avoided or completely eliminated. If that is not possible due to the nature of the business giving rise to such risks, it is recommended that "zero" or "no" appetite not be applied.

Examples of alternative scales that may be applied and possible descriptions are detailed below:

Scale Type: Numeric
  1 - Avoidance of risk as much as possible.
  2 - Acceptance of a low return due to an unwillingness to accept risk beyond a limited exposure.
  3 - Desire for a balanced approach between risk and reward.
  4 - Willing to accept exposure to risk to maximise return.

Scale Type: Descriptive (Absolute)
  1 - Avoid exposure to the risk.
  2 - Minimise/reduce risk as much as possible.
  3 - Take a balanced approach to risk and controls.
  4 - Willing to pursue (seek/take) risk.

Scale Type: Descriptive (Absolute) Alternative
  Very low - Not willing to accept risk or reward.
  Low - Unwilling to accept even a low amount of risk unless it is significantly outweighed by the reward.
  Moderate - Willing to accept some risk if the circumstances include reward.
  Modest - Willing to accept risks commensurate with the potential reward.
  High - Willing to accept a high level of risk in circumstances where there are significant or important rewards.

Scale Type: Descriptive (Relative)
  Very low - Willing to accept losses only if they are significantly below industry norms.
  Low - Willing to accept losses only if they are below industry norms.
  Medium - Willing to accept losses only if they are within industry norms.
  High - Willing to accept losses only if returns are above industry norms.

Scale Type: Postures (Relative)
  Conservative - Will accept below market returns in order to minimise the risk.
  Neutral - Will adopt a risk position that achieves returns in line with market expectations.
  Expansionary - Will accept higher levels of return in pursuit of superior risk adjusted returns.

RISK MEASURES
Each operational risk type requires a measure to enable the organisation to determine the level of exposure to that risk type. Measures may be qualitative or quantitative. Measures specific to operational risk appetite can include the level of operational risk capital, the value of operational risk loss amounts for a given period, scenario analysis estimates of operational risk exposures, and tolerances or thresholds on key risk indicators.

The number and type of measures used should be appropriate to the audience. At the Board level, there tends to be more focus on qualitative statements of appetite, with only a small number of key measures used (e.g. operational risk capital or losses). As the risk appetite is cascaded down to lower levels of the organisation, the measures are translated into a larger number of more detailed and operational metrics, with trigger points aligned to appetite within the relevant business.

There are potentially hundreds of metrics that can be identified, and it is important to evaluate which ones add value and provide a meaningful indicator of the risk. Consideration should be given as to whether the measure and underlying data are readily available and can be produced at a frequency that will support the required degree of monitoring. Furthermore, consideration should be given as to whether a measure provides a backward looking view of expected outcomes, or whether it can provide a more leading indication of potential unexpected outcomes. There should be a mixture of both leading and lagging indicators. The relevance of a measure may also change over time, and the measures used should be those that are most relevant to the current business strategy and operational risk profile.

In some cases it may not be possible to quantify a measure; for example, indicators relating to people, culture and behaviour will often require a qualitative assessment based on subjective judgment. These will need to be monitored using a more qualitative approach. In all cases, an organisation should be mindful of potential unintended consequences arising from measuring operational risk against set tolerances, and should aim to ensure that the measures it selects drive appropriate behaviours across the organisation.

The risk measures may change over time as better data becomes available or more relevant measures emerge. In turn, this may impact operational risk management and monitoring practices for the risk concerned and hence alter the organisation's appetite for that risk.

5 OPERATIONAL RISK APPETITE FORMULATION, IMPLEMENTATION AND GOVERNANCE
The remainder of the Guidance Note focuses on the principles and processes for formulating, implementing and governing ORA.

SUMMARY OF KEY PRINCIPLES FOR ORA FORMULATION
ORA should:
- Set the tone from the top and guide decision making within the organisation.
- Align with the organisation's strategic objectives and its definition of operational risk.
- Align with and form part of the strategic planning cycle of the organisation.
- Be supported by specific measures which should ensure consistency of risk taking across all levels of the organisation.

OPERATIONAL RISK APPETITE FORMULATION PRINCIPLES
ORA should set the tone from the top in terms of the behaviours and expectations of the organisation's Senior Leaders with respect to its risk culture, norms and attitudes. It should reference and/or be consistent with the organisation's vision, values, and behavioural norms.

Developing ORA requires a clear understanding of the organisation's strategy and objectives, including key priorities for the business. This is because the risk appetite defines the risks the organisation is prepared to take and the parameters within which it must operate in pursuing its strategic objectives.

ORA and the measures that are put in place to monitor it should align with the timelines of the strategic business plan and organisational objectives. This ensures that the setting of risk appetite aligns with the timeframes within which the objectives are being undertaken. Differing timeframes could result in excessive or insufficient risk taking and undermine the achievement of strategic objectives.

While it would be repetitive to include them (either in part or by listing them), ORA should make clear that the organisation's policies and procedures are themselves an articulation of the organisation's risk appetite. This point is also important in developing policies and procedures: they should be set with reference to the overall ORA of the organisation.

ORA will need to be supported by well-developed measures to give practical guidance as to what is expected within the organisation. For efficiency these should, where possible, leverage organisational Key Performance Indicators (KPIs) and other existing metrics. In turn, the setting of these KPIs and metrics should also take into account ORA.

Some of the measures used will not be additive, in the sense that they cannot be added up across the individual organisational units to arrive at a whole of organisation view. Staff turnover is one such example: individual Divisions may have a higher staff turnover metric and still be consistent with the overall organisation wide staff turnover metric. As such it is important to ensure that there is a common understanding as to how these measures are set such that the overall objective is achieved. If done in isolation, the outcome could easily be inconsistent with the intent of the organisation-wide level ORA.

OPERATIONAL RISK APPETITE FORMULATION PROCESS
ORA by its nature must be a top down statement that establishes a frame of reference for the rest of the organisation. The structure and form of an ORAS can vary significantly from one organisation to the next. It is influenced by who formulates the ORAS and how. There is no single way to develop an ORAS, but the following section provides some key steps and a few fundamental approaches in formulating ORA.

Figure 1: ORA formulation process
1 PLANNING -> 2 CONDUCT -> 3 DRAFTING -> 4 REVIEW & VALIDATE -> 5 APPROVE

1 PLANNING
1.1 Identify supporting information to be considered in drafting the ORAS
Examples of information and supporting data collated in the planning stage include strategy/business plans, existing operational risk profiles, external and internal loss data, emerging risks and the ORMF and policies. The extent to which these factors influence the ORAS will depend on the level of the organisation at which the ORA is being formulated.

1.2 Stakeholder engagement: key to planning the ORA formulation is engagement of key stakeholders
This includes strong engagement with:
- the Board, who will establish the tone from the top;
- the Senior Leadership required to apply the ORA in practice; and
- key business partners who support its application, for example technology providers, human resources functions and control owners.
An example of likely stakeholders to be engaged is set out on page

1.3 Format and use: the form and purpose of the ORA needs to be determined up front
This is influenced by the level in the organisation for which the ORA is being formulated. A Board level statement is set for the whole organisation and should guide the Group in its decision making and risk taking activities. A Division specific or risk specific statement guides decision making in relation to relevant operational activities. In the planning stage, operational risk and ORA should be clearly defined, the linkage to overarching organisational strategy established and the connection with other risk appetite statements made.

CHALLENGES AND CONSIDERATIONS
- The availability and quality of data and information required as inputs to ORA formulation.
- Timeframes to complete formulation, in particular the time required to engage with key stakeholders. Alignment of the ORA engagement strategy with the existing governance calendars can streamline the process.

1.4 Ownership
Allocation of ownership of the ORA involves determination of:
- accountability for its maintenance, to ensure it is business relevant; and
- custodianship for administering changes and updates.
Typically the Risk Management function is the custodian and the business or Board has accountability for the ongoing application of the ORA, depending on the level at which it is articulated.

2 CONDUCT
2.1 Initial engagement
Engaging with stakeholders is critical to build awareness and commitment, determine material operational risk categories and establish initial appetite preferences, in order to enable risk measures and tolerances to be established.

2.2 Facilitation
The process for identifying and confirming material operational risks and risk appetite preferences is typically facilitated by the Risk Management function (i.e. Group for Board level ORA and Division Risk Management for Divisional level ORA). The Risk Management function is responsible for conducting this phase in accordance with the project plan, timelines and costs. In large organisations the Head of Operational Risk would typically lead discussions/sessions with identified stakeholders and the Chief Risk Officer (CRO) would have the right of veto in reviewing the proposed content and structure; for example, a divergent view of the organisation's risk appetite for external fraud will be settled by the CRO. In smaller organisations the roles of facilitating discussions and challenging business views on risk appetite might be played by the Head of Risk.

The process for ORA formulation may involve a range of engagement techniques such as surveys, interviews and workshops in order to determine and agree the following:
- Definition and purpose of the ORAS.
- Categories of operational risk and risk types that are material to the organisation or business concerned.
- Means of articulating risk appetite, i.e. the Scale and Risk Measures to be used.
- Structure of the statement, in terms of articulating both narrative and associated metrics, or a statement which is supported by a separate Operational Risk Dashboard setting out performance against agreed quantitative metrics and limits that are aligned to each risk category.
- Views on the appetite for the operational risks selected.

An example of survey questions that can be used to facilitate the articulation of risk appetite preferences is provided on the following page.

CHALLENGES AND CONSIDERATIONS
- Providing education and building awareness of the value of the ORA in order to generate stakeholder buy-in.
- Determining if the defined ORA is representative of the current state or is aspirational. Where a stakeholder is outlining what appears to be an unrealistic aspirational view, be prepared to discuss how this might be attained, the resources that would be required and the likely timeframes to be within appetite. A key consideration is how achievable the measures in the ORA are: now, in 1 year or in 3 years?
- Tackling zero tolerance: this is often a popular response when the level of operational risk appetite is discussed. In most cases this is unrealistic. Guide stakeholders away from its use by suggesting other means of framing risk appetite.
- Using the right language: the ORA needs to be relevant to the business and expressed in language that the business uses. If the Basel event types do not resonate with the business, do not use them.

2.3 Consolidation and review
The facilitation process leads to: a defined ORA structure and scope; proposed content; and a determination of the appropriate level of detail and initial risk appetite positions. In large organisations a draft ORAS document would typically be presented to the CRO for discussion and approval before proceeding to the next phase.

EXAMPLE ORA SURVEY QUESTION

An example of the types of questions that might be included in a survey for the development of an operational risk appetite statement is outlined below.

Risk category: Governance
Risk: Inadequate oversight/governance of critical decisions

1a. Do you consider the inadequate oversight of critical (material) decisions to be a material risk for your organisation?
    Yes / No

1b. Which of the following represents your view of your organisation's desired appetite for this risk?
    Low Appetite: The risk should be minimised, regardless of the cost or capacity constraints associated with the risk management approach required; OR
    Medium Appetite: The risk can be managed within defined parameters; OR
    High Appetite: The risk can be increased if it gives rise to potentially higher returns.

1c. Given the risk appetite option selected, what would be the appropriate risk metric to manage this risk within your organisation's risk appetite? Example measures may include the following, or please specify other measures in the free text box provided:
    - Peer reviews on all decisions above a defined threshold
    - Board approval required for decisions above a defined threshold
    - Scenario analysis conducted for all material decisions, including downturn or worst case scenario
    - A set of business actions specified to respond to a defined set of scenarios relating to the decisions
    - Other performance measure, please define

Example mapping of appetite level to measure for this risk:
    Low: Board approval required for decisions above a defined threshold, and peer reviews on all decisions above a defined threshold. The risk is one for which the exposure and management approach should be visible to the Board.
    Medium: Peer reviews on all decisions above a defined threshold.
    High: Scenario analysis conducted for all material decisions, including downturn or worst case scenario.

3 DRAFTING

3.1 Objective

Formally articulate risk appetite for operational risk, determining content, measures and narrative (qualitative and quantitative), taking into consideration information gathered during the planning and conduct phases.

3.2 Articulation

Typically, in large organisations the CRO, or in small organisations the Head of Risk, is accountable for drafting the Group RAS. This involves incorporating stakeholder feedback, validating that the measures are appropriate (available and measurable) and guiding the document through the socialisation process. The CRO/Head of Risk may be the party that reviews the document and ensures alignment with the key elements and information captured throughout the planning and conduct phases. There is also a requirement for the Risk Management function to identify impacted policies to be updated to reflect and cross-reference the ORA.

Given decisions with operational risk impacts are not made in isolation and will depend, among other factors, on the organisation's goals and financial situation, the ORA articulated by an organisation may need to incorporate consideration of specific risk-return trade-offs. Where operational risk occurs, the organisation may have a preferred hierarchy for impact types; for example, significant customer/reputational impacts may be considered less acceptable than financial impacts, and systemic regulatory impacts may be the least acceptable. Once the organisation's decision-making attributes are understood, management are better able to make consistent trade-off decisions. A hierarchy of these decision preferences can be included as part of the ORA to enable greater consistency and efficiency in decision making. Specific trade-off decisions may also be expressly included in the ORA to allow for transparency and a clear link between the ORA and strategy. Tolerances may also be set and monitored to ensure that these trade-off decisions are made within the parameters expected.
CHALLENGES AND CONSIDERATIONS
- Ensuring Division level ORAs do not replicate the Board level ORA, and do not conflict with or exceed Board level risk appetite statements and associated measurements.
- Ensuring that stakeholder expectations have been met. Approval will be difficult to gain where expectations do not align.
- Successful application and use of ORA in the business relies on the language used to express appetite being aligned and consistent with the behavioural outcomes the organisation is looking to drive.

4 REVIEW & VALIDATE

4.1 Reconcile

Reconcile the draft ORA against further feedback provided by the business and other relevant stakeholders following formal drafting.

4.2 Validate

A validation exercise should be completed to ensure that the final draft of the RAS reconciles to:
- Strategic objectives.
- Policies and procedures.
- Culture and organisational values.
- Regulatory standards.

Determining how measures will be sourced, from where and how frequently is critical to making the ORA operational. Where data is not available, alternative measures need to be selected and approved, and potentially timeframes established for upgrading the measures as data becomes available. Where ORA is defined at Divisional level, a process of review needs to be in place to ensure these statements reconcile to those set by the Board. The validation process is also essential to determine the completeness of the ORA and to align the statements to current organisational policies and procedures.

CHALLENGES AND CONSIDERATIONS
- Determining the most appropriate party to conduct the validation is important. They need to be objective and able to assess whether the ORA is fit for purpose before it is implemented. Some organisations test the ORA for a period of time in management discussions and planning processes before finalising.
- The most significant challenge is data availability for the proposed measures. Selecting measures that can be obtained and have integrity will be critical to the success of the ORA.

5 APPROVE

5.1 Approve

Obtain explicit approval of the ORA by the appropriate approving body (e.g. the Board) and/or key stakeholders, to ensure ongoing ownership and practical application.

5.2 Communicate

Visibility of the ORA will be determined by the approving body, and the document will then be made available accordingly.

CHALLENGES AND CONSIDERATIONS
- Providing access to the ORA can be contentious if there is commercially sensitive information contained in the ORA.

NUMBER AND LEVEL OF ORAS

Depending on the nature and scale of the organisation, lower level ORAS can be developed. This helps to cascade the overall statement within the organisation. It also allows for the development of measures more suited to the specific strategy and objectives of each subsidiary, division or business unit.

Lower level ORA should be aligned to the way in which the organisation is managed and be consistent with how strategic objectives are cascaded. For some organisations this will mean that ORAS are developed along divisional or business unit lines. For other organisations this will mean that ORA will be developed according to legal entities.

It is not expected, nor is it likely to be practical, for ORA to be developed below the level of the key strategic or divisional units of an organisation. However, smaller units can set individual measures to help implement the ORA. These must be aligned to the overall divisional (and organisational) ORA and help translate ORA into measures that are meaningful to day-to-day business needs. Beyond this, appetite is operationalised and evidenced via the business's Operational Risk Profiles.

ROLES & ENGAGEMENT OF KEY STAKEHOLDERS

The roles, engagement and input of key stakeholders are a critical aspect of the Planning phase of defining the ORA of the organisation. These key stakeholders (and their primary roles/responsibilities) should include the following:

Board
Exercise oversight by defining the Operational Risk it considers acceptable. Note: Operational Risk Appetite is more often defined in qualitative terms at the Board level and largely addresses the attitudes and behaviours of the organisation as a whole.

Senior Leadership
Interpret and translate the stated position of the Board (in meaningful metrics) by defining a set of tolerances that ensures alignment to the Board's overall appetite. Note: Operational Risk Appetite at a Division level is expressed in quantitative terms, usually by a set of metrics.

Risk/Business Owners
Track and monitor their performance against the defined tolerances established by Senior Leadership and escalate any breaches of defined thresholds.

Risk Management function (Line 2)
Facilitate the process of gauging the intent of the Board and Senior Leadership, in addition to overseeing the process undertaken in formulating ORA.

Risk Management Specialists (Line 1)
Assist the Division in identifying tracking tolerances (through a process of trial and error); this can be done in collaboration with the Risk Management function. Note: Under a more mature three lines of defence model, the role of the 2LOD should be to objectively challenge the ORA.

Regulators
Regulators that supervise the management of specific risks within the articulated ORA should be considered in the formulation process. For example, APRA and AUSTRAC have minimum requirements in relation to the management of particular operational risks such as outsourcing and AML/CTF. These requirements may shape the types of measures selected and the trigger levels established.

OPERATIONAL RISK APPETITE IMPLEMENTATION

Once the formulation of the ORA is complete, organisations need to integrate and embed the outputs into the operating rhythm of their business activities. This means organisations should be able to demonstrate the use and application of ORA (including targets and measures) in business decision-making. Use and application of ORA should include consideration of the overall business risk profile, capital management (including scenarios and relevant measures) and organisational strategy. The development of specific measures ensures that appetite statements are meaningful to the business by providing a means to track business performance against those measures. Practical examples of how ORA can be implemented within this framework, and the challenges to its effective use and application, are discussed below.

SUMMARY OF KEY PRINCIPLES FOR ORA IMPLEMENTATION
- ORA is effectively communicated and understood across the organisation.
- ORA integrates with existing frameworks and supporting mechanisms across the organisation.
- Effective measures to cascade both the general understanding of the ORA and specific appetite requirements must be established.

COMMUNICATION

To assist the business to implement and embed risk appetite, the ORAS should be formally communicated to the business when approved. The effectiveness of any communication is increased when it is issued by Senior Leadership (reinforcing the "tone from the top") and considered in the context of business strategy; for example, informing the business that the ORAS has been updated as part of regular Senior Leadership communication newsletters or emails. Organisations should also consider the most effective means of building awareness of the ORA as a key component of the ORMF. Typically the Risk Management function (either at a Group or Division level) would facilitate the communication of the ORA. Examples of how this could be performed include:
- Including discussions on ORA (and any changes/updates) as part of regular meetings/discussions between risk management and the business.
- Including the ORAS in ORMF document repositories on the intranet (or equivalent) in order to allow staff to access the document.
- Integrating ORA considerations into training on the ORMF.

PRACTICAL IMPLEMENTATION OF ORA

STRATEGY DEVELOPMENT

The first area in which ORA can influence decisions and drive operational risk management awareness is the strategy development process. How ORA is used in the development of strategy throughout the organisation will directly impact the way in which operational risk is measured and monitored. Typically ORA is considered in the strategy development process through the business leadership and Risk Management teams coming together to determine the operational risk parameters within which the business strategy will be executed.

The strategy development process is usually formalised with annual or semi-annual business plans developed for the organisation and its Divisions. Within these business plans the tolerances and thresholds established within the ORA can be applied in expressing strategic parameters such as avoidance of risk exposure and service level arrangements, where operational risk measures such as processing times or error rates are relevant. Consideration of the ORA in this process helps ensure that the risk capacity of the organisation is considered in formulating business objectives, and that operational risk constraints and their implications for the achievement of objectives are understood. This may influence factors such as the time horizons associated with achieving strategic outcomes or the level of investment required in systems and processes to support operational performance.

The ORA should be challenged by the stakeholders developing strategy to ensure it is fit for purpose and is consistently reflected across the organisation. ORA is also an instrument to support the resolution of conflicts between business objectives and risk appetite preferences or regulatory or compliance requirements. The foremost benefit of incorporating ORA into the strategy development process is the discussion it drives, moving the organisation from a mindset of loss minimisation to one of optimising the organisation's risk-return profile.

COMMON CHALLENGES
- Common definition and understanding of the statements within the ORAS to enable consistent application across the organisation. Consider the wording of statements and associated measures to reduce the scope for interpretation.
- Leadership support is required in order to ensure Risk Management has a voice in the strategy development process.
- Measurement of the success of strategic outcomes should include risk-adjusted measures to ensure the incorporation of the ORAS is valid.
- Driving a culture that understands the need to align business objectives with operational risk appetite.

OPERATIONAL EXECUTION

Embedding the ORA into existing business practices across the end-to-end value chain requires determining where operational risk guidance needs to be clearly defined to support business performance. Key areas in which the ORA should be applied include:
- The development of new or revised products.
- Significant organisational changes such as supply chain model variations, operating model changes or organisational restructures.
- Major business projects where processes or systems will be transformed and operational risk exposures changed.
- Investment initiatives such as acquisitions and divestments.

Using and applying ORA in the processes described above requires consideration of how these processes are executed in practice and how operational risk appetite preferences are relevant. For example, in the development of new products consideration should be given as to whether the product and/or its implementation introduce risks that are outside of appetite. A practical approach to ensuring that ORA is embedded in this process is to establish a new product development lifecycle that requires operational risk analysis and risk profile impact assessments to be performed prior to approval. In addition, post-implementation reviews should be performed to confirm risk profile movements/outcomes.

COMMON CHALLENGES
- Embedding ORA into the organisation's operating rhythm requires Senior Leadership support to ensure it is not considered a standalone component of the ORMF. This requires review of policy and procedure so that appetite is appropriately referenced and any conflicts resolved; for example, the alignment between ORA and business policies and procedures (i.e. do limits stated in policies align to the overall appetite of the organisation, or do procedures/system controls allow staff to inadvertently exceed desired appetite?).
- Developing a consistent understanding and application of ORA across the organisation so it can be effectively applied to business processes and initiatives. As ORA typically covers a diverse range of business activity and processes, statements in the document are not usually specific (for example, referring to general system availability/uptime rather than referring to specific systems by name).

MANAGEMENT & MONITORING

The ability of ORA to influence business decisions and activities is driven significantly by the way organisations measure and monitor operational risk exposures. Translating the appetite statements into operational targets against which risk exposures and limits can be actively monitored is key to providing guidance to the business in the pursuit of its strategic and operational objectives. Measures are typically identified by business areas, which then relate them to specific appetite statements. Where measures are consistent across various business operations, the Risk Management function can help to ensure consistency of definition to enable the measures to be compared across the organisation. While consistency of measures is required to enable comparison, target levels may vary by Division. Reporting against ORA should be, to the extent possible, integrated into existing business reporting frameworks and promote discussion on the trade-off between risk and reward.

Key features of monitoring and reporting activities that support the embedding of ORA include:
- A timely escalation process for measures which exceed appetite. The frequency of reporting and materiality of measures may influence the escalation process; however, where possible this should be integrated into existing business as usual processes. Typically this would involve initially escalating to line management prior to its inclusion in Risk Committee/forum reporting. Emphasis should be placed on treatment plans, or on acceptance being sought from the Risk Committee/forum.
- Monitoring of strategic decisions approved outside ORA. If the Risk Committee (or equivalent body) provides the appropriate approval, the business may operate outside of appetite. The reasons for this could be, for example, to enable the organisation to pilot a new approach, or to allow time to implement more robust controls/mitigation strategies. These decisions should be reviewed and reported to the approving body to ensure the exposure is monitored. The frequency of the monitoring should be commensurate with the risk exposure and the duration of the exemption to appetite.
- Action plan development to meet an aspirational or future state ORA. ORA may contain appetite statements that the organisation does not currently fully adhere to. This may reflect management's or the Board's aspiration to change the organisation's level of appetite. This change may not be possible to initiate quickly and therefore action plans should be put in place to outline the approach and timeline for meeting the aspirational future state. Progress against these plans should be monitored and reported to the Risk Committee (or equivalent body).

COMMON CHALLENGES
- The definition of data, the type of data, its source, accuracy, integrity and completeness are paramount to developing reporting for monitoring of ORA. For example, key questions to be answered in relation to these elements include:
  - Data definition: determining what measures should be monitored (e.g. should a measure on staff turnover be limited to voluntary leavers? Should it include contract staff as well as full-time staff? Should it be a point-in-time or a rolling historic measure?).
  - Data completeness: what is the coverage of the dataset being used? (e.g. are all required areas of the business included in the dataset?).
- ORA may contain a mix of current and aspirational appetite statements. It is important to ensure that the document considers the current risk environment and organisational capability in order to ensure the statements are achievable within desired timeframes. Aspirational targets could also be signposted in the document to provide clarity during implementation (e.g. "It is our desire to reduce the current external fraud exposures. In this financial year we will be investing further resources to improve fraud controls and support bringing external fraud exposures within the organisation's low risk appetite").
- Recognition that the monitoring process will need to evolve and be improved as the process develops. In addition, monitoring informs the recurring practice of revisiting and refreshing ORA targets to ensure relevance, currency and optimisation. The triggers used to monitor ORA should enable timely validation of settings and appetite levels. The output of this reporting (in conjunction with the other components of the ORMF) can be used to assess whether the business is taking too much or too little risk, and targets can then be adjusted accordingly. Changes to the statements, measures and targets should be subject to the appropriate governance approval process.