Sigor's new sound practices paper says boards must set tone at the top

The Basel Committee on Banking Supervision's sub-group on operational risk (Sigor) has published for consultation the long-awaited redrafted Sound practices for the management and supervision of operational risk. The original paper, published in 2003, has been viewed as the best starting point for a firm embarking on setting up an operational risk management framework. The 2010 paper, which replaces the earlier document, "reflects improvements and enhancements in operational risk frameworks, tools and techniques in the interim", says Andrew Sheen, manager of the operational risk policy team at the UK Financial Services Authority and a member of Sigor.

Sigor states that the changes in this updated version of the paper, which are based on best industry practice and supervisory experience, highlight the evolution of operational risk management since 2003.

"The sound practice paper is intended to replace the 2003 document with a similar focus," says Mitsutoshi Adachi, chair of Sigor and director of the financial systems and bank examination department at the Bank of Japan. "The 2003 document established important practices for managing operational risk both at the industry and regulatory levels, but the operational risk discipline has evolved dramatically since its publication. Given that the recent crisis has also revealed many challenges that remain, we felt it was appropriate to publish a revised document at this juncture."

The 11 principles outlined in the report are discussed within the context of three overarching themes: governance, risk management and disclosure.

The first fundamental principle demonstrates how much the financial world has changed since the global financial crisis, as it puts the onus on the board of directors to establish a strong risk management culture. Principle 1 specifically states that the board is responsible for setting the 'tone at the top' to promote a robust op risk culture. Regulators have stated this for a number of years, but this is the first time it has been set out so broadly.

Adachi says: "One important message in this new document is that operational risk must be an integral part of banks' overall risk management processes. Elements of operational risk are embedded in every aspect of banking operations and are often hidden in other risk types such as credit and market risks, as the recent crisis has revealed – neglected internal procedures in subprime lending, inadequate collateral management, inappropriate documentation in the foreclosure debacle, just to name a few. Another important message from the revised document is the critical importance of establishing a strong risk culture consistent with professional and responsible behaviour."

The board and senior management are also tasked with setting a code of conduct that sets clear expectations for all staff about their responsibility for operational risk.

The paper reads: "Banks with a strong culture of risk management and ethical business practices are less likely to experience potentially damaging operational risk events and are better placed to deal effectively with those events that do occur."

"The new sound practices include for the first time fundamental principles for operational risk management that require the board to take the lead in establishing the tone at the top and promote strong risk management culture," says the FSA's Sheen.

The new paper also refers to compensation policies for the first time, reflecting current industry debate. "Compensation policies should be aligned to the bank's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They should also appropriately balance risk and reward," it reads.

Principle 3 states the firm's board of directors is responsible for establishing, approving and periodically reviewing its operational risk management framework, which Principle 2 states should be fully integrated into the bank's overall risk management process.

The board is also responsible for approving and reviewing a risk appetite and tolerance statement for operational risk, says Principle 4. Setting operational risk appetites and tolerances continues to be a challenge, even for banks using the advanced measurement approaches, and while the two short paragraphs in the paper that explain what the board needs to consider in its op risk appetite statement are functional, they are too brief to address such a complex subject. (Operational Risk & Regulation covered the myriad of challenges inherent in setting an op risk appetite in the November 2010 issue.)

The importance of firms having a robust risk governance structure has been the subject of heated discussion by politicians and regulators alike following the crisis. It is addressed again in Principle 5, which states senior management "should develop for approval by the board of directors a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility". The same principle also suggests for the first time that firms need to have a system in place to "report, track and, when necessary, escalate issues to ensure resolution". This demonstrates just how far operational risk software products have evolved since the 2003 paper, which makes no reference to the need for banks to use systems to better manage operational risk.

In the paper, banks are urged to demonstrate they are using the three-lines-of-defence approach and show it is operating satisfactorily. Sheen says: "In addition to the new and revised principles, the paper discusses the contribution the three-lines-of-defence model can make to enhancing operational risk frameworks."

The paper states "sound operational risk governance often relies on three lines of defence: (i) business line management; (ii) an independent corporate operational risk management function; and (iii) an independent review and challenge. Depending on the bank's nature, size and complexity, and the risk profile of a bank's activities, the degree of formality of how these three lines of defence are implemented will vary. In all cases, however, a bank's operational risk governance function should be fully integrated into the bank's overall risk management governance structure."

The paper goes on to set out in some detail the ideal three-lines-of-defence model and the various responsibilities for each department dependent on the scale and size of the organisation. This is first time the body has specifically endorsed this model, which has almost become the standard model for most firms.

The 2003 sound practices paper has been used for many years as the blueprint for firms embarking on setting up an operational risk management framework. With this updated paper, firms have a more robust set of guidelines to use when seeking to establish or update op risk frameworks. The FSA hopes it will be read in tandem with the guidance paper it issued in October on the same topic. "When the FSA worked with industry to draft its paper Enhancing frameworks in the standardised approach (TSA) to operational risk we were seeking to complement the revised sound practices paper," says Sheen. "UK firms are advised to read our guidelines in conjunction with this paper."