This article introduces the RMA Operational Risk Management Framework.
Why Worry About a Framework?
Management frameworks should help organize an area of institutional activity. Good frameworks lay out a comprehensive and straightforward approach to organization that is sufficiently specific to be useful. They are easy to use and to communicate to boards, management, and other stakeholders.
The main reason for developing management frameworks in any company is that, when well designed and implemented, they improve economic performance. Banks and other financial institutions have regulatory pressure as an added incentive for implementing an operational risk management framework. Basel's Sound Practices Paper, published in February 2003, requires the board and senior management to understand and approve every bank's operational risk management framework, regardless of its size. In the European Union, it is likely that all financial institutions will have to meet this regulatory requirement soon. Other jurisdictions will no doubt follow their example in due course. So a good operational risk management framework is a "must have," not a "nice to have."
The Basic Elements
There are four basic elements in the RMA Operational Risk Management Framework: leadership, management, risk, and tools.
* Leadership is about creating the right culture, overseeing management, and creating the right environment for the various processes of risk management. While leadership responsibility begins with the board and senior management, other levels of management are involved, too.
* Management is a set of processes that channel and control the institution's risks. These processes are the responsibility of management at all levels.
* Risk involves understanding the pattern of operational risks the institution faces and takes on. To varying degrees, this is the responsibility of everyone in the institution.
* Tools refers to the collection of guides, templates, libraries, services, training, and software that are available to help implement the other elements of the framework.
Figure 1 shows the framework as a pyramid. The tools element appears "behind" the other three, since tools support the rest of the framework.
[FIGURE 1 OMITTED]
Risk is the best element to start within explaining the framework, because it's what the rest of the elements are all about. This element contains two things: 1) a common language for talking about operational risk management; and 2) the pattern of risk itself. That common language needs to include such concepts as:
* Risk, loss and harm, events, near misses or close calls, and causes and consequences, both direct and indirect.
* Operational risk, most commonly defined as "the risk of loss or harm resulting from inadequate or failed processes, people, or processes, or from an external event."
* The basic types of operational risk, such as internal fraud and process execution failure.
* A risk point framework--the points in a financial institution at which operational risks usually arise.
* Risk maps--representations of the severity of operational risks across risk points.
* The concepts of inherent risk, residual risk, control effectiveness, environmental factors, risk appetite, and risk profile.
* Severity, frequency and cumulative loss distributions, time horizons, and confidence intervals.
* Risk indicators--observable metrics that track aspects of the business environment, controls, or factors related to the severity of an inherent risk.
* High-impact low frequency and low-impact high frequency classifications of risks.
All of these concepts need to be defined and communicated. They all help in characterizing and understanding the pattern of actual risks--the second part of this …