ING’s non-financial risk head Hans Grisel discusses AMA, Fatca and the cyber threat

The long haul to AMA

Hans Grisel, ING

ING’s non-financial risk head Hans Grisel discusses AMA, Fatca and the cyber threat

Page 1
Page 1

ING’s non-financial risk head Hans Grisel discusses AMA, Fatca and the cyber threat

page 2

page 3

When the Basel II capital adequacy rules were published in 2004, they brought operational risk to the forefront of banks’ attention. The accord indicated quite clearly that if banks wanted to get their operational risk right, their frameworks must be structured in one of three ways, with the advanced measurement approach (AMA) being seen as the gold standard of those three.

But uptake of the AMA has differed from country to country. German banks were mandated by their regulator, BaFin, to take up the AMA and accordingly 16 German institutions or groups of institutions operate on an AMA framework. The UK has been a different story. The AMA was not mandated, and as such take-up has been underwhelming. Eight years on from Basel II just two banks in the UK are AMA approved: Barclays and Citi UK.

In the Netherlands it is a slightly rosier picture. The AMA was not mandated by the Dutch regulator, Autoriteit Financiële Markten, yet two of its three main banks are AMA approved – ING and Rabobank. And its third – ABN Amro – is back on the way to AMA approval after having it withdrawn upon its merger with Fortis in 2010.

AMA also mandates banks’ boards of directors and senior managers to be actively involved in the management of operational risk frameworks. Hans Grisel is ING’s head of non-financial risk management. Since the bank approved the adoption of the AMA in January 2008, Grisel is clear about how rolling out the new approach has affected the bank’s risk culture.

“The benefit of the AMA is that operational risk awareness is being pushed into the organisation in a very structured manner, and it is a continuous process of improvement,” he says. “Fortunately we have limited experience of big operational risk events, and the AMA process gives us a better impression of what can happen by looking more closely at what we are doing and extrapolating this into scenarios while taking into account the external environment as well.”

He adds that the bank also sees benefits when it comes to risk and control self-assessments (RCSAs). Each year the bank captures inputs such as internal risk management assessments, loss and near-miss incidents and audit reports, which are all collected in a risk register. “That then forms the basis for next year’s RCSA, so this collection of data ultimately helps you not to lose sight of things that happened while also continuing to build on things, meaning you don’t have to reinvent the wheel every time. And that’s a very important aspect,” he says.

However, implementing an AMA programme does not come without its challenges, Grisel explains. He describes it as a big effort. “It is a completely different set of calculations – you have to pull in different numbers to those in the past that were pretty much based on external loss data. That still plays a role but more to feed the calculations than anything else. Our internal loss data plays a role. Our internal key control testing and RCSA cycles play a role. Very importantly, scenario analyses play a role, especially the scenario analyses that give you an indication of what you need, say, at the tail end of the distribution, to be prepared for the unexpected.”

He says the requirements are particularly rigorous as ING comes to the end of the process of validation. “This has been a very intense and intensive process, which has had wide ramifications within the organisation. It is not just a model that you put in place – let’s say a calculation tool – it is very much a way of dealing with operational risk that is much more proactive than it used to be. The burden that goes with that with regards to the organisation is significant.”

Only users who have a paid subscription or are part of a corporate subscription are able to print or copy content.

To access these options, along with all other subscription benefits, please contact or view our subscription options here:

You are currently unable to copy this content. Please contact to find out more.

Investment banks: the future of risk control

This survey report explores the current state of risk controls in investment banks, the challenges of effective engagement across the three lines of defence, and the opportunity to develop a more dynamic approach to first-line risk control

Op risk outlook 2022: the legal perspective

Christoph Kurth, partner of the global financial institutions leadership team at Baker McKenzie, discusses the key themes emerging from’s Top 10 op risks 2022 survey and how financial firms can better manage and mitigate the impact of…

Emerging trends in op risk

Karen Man, partner and member of the global financial institutions leadership team at Baker McKenzie, discusses emerging op risks in the wake of the Covid‑19 pandemic, a rise in cyber attacks, concerns around conduct and culture, and the complexities of…

Moving targets: the new rules of conduct risk

How are capital markets firms adapting their approaches to monitoring and managing conduct risk following the Covid‑19 pandemic? In a webinar in association with NICE Actimize, the panel discusses changing regulatory requirements, the essentials…

Building resilience into ESG risk management

Risk and resilience continue to play an important role in the navigation of an increasingly uncertain world. Fusion Risk Management explores why it is equally crucial for technology to support organisations in addressing pertinent environmental, social…

You need to sign in to use this feature. If you don’t have a account, please register for a trial.

Sign in
You are currently on corporate access.

To use this feature you will need an individual account. If you have one already please sign in.

Sign in.

Alternatively you can request an individual account here: