P2.T7.800. Principles for the sound management of operational risk: governance.

Nicole Seaman

Director of FRM Operations
Learning objectives: Describe the three “lines of defense” in the Basel model for operational risk governance. Summarize the fundamental principles of operational risk management as suggested by the Basel Committee. Explain guidelines for strong governance of operational risk, and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework.


800.1. Risk Manager Beth has drafted a re-design of her bank's operational risk management framework (ORMF) that includes roles and responsibilities for their Three Lines of Defense. In her proposed framework, the three lines are (i) business line management, (ii) an independent corporate operational risk management function (CORF), and (iii) an independent review by the auditors:


At a high level, her proposed design includes--but is not limited to--the following key responsibilities:

I. Business line management is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable
II. The CORF challenges the business lines’ inputs to (and outputs from) the bank’s operational risk management, operational risk measurement, and operational risk reporting systems
III. The independent review can be conducted by EITHER an internal or external audit; however, the auditors MUST design and implement the operational risk management framework (ORMF), and the independent review must include both verification and validation

At first glance, Beth's draft high-level framework looks reasonable EXCEPT which of the following is an obvious MISTAKE in her proposal?

a. Business line management is not a line of defense
b. Independent review includes neither verification nor validation
c. The auditors cannot be involved in the framework's design, development, or implementation
d. The independent review cannot be conducted internally, but rather must be conducted by external parties

800.2. In order for a bank to achieve sound management of its operational risk, necessary features include a strong risk management culture, an integrated operational risk management framework (ORMF), an engaged Board of directors, senior managers who assume responsibility for the framework, and an independent corporate operational risk management function (CORF; aka, second line of defense). In regard to the fundamental principles of operational risk management, each of the following is true EXCEPT which is false?

a. To maintain independence, the ORMF prohibits any reporting relationship (even dotted-line) from the CORF to either the Chief Risk Officer (CRO) or the Board's Risk Committee
b. The ORMF should provide for a common taxonomy of operational risk terms to ensure consistency of risk identification (e.g., operational loss event types), exposure rating and risk management objectives
c. Compensation plans should be aligned with the bank's risk appetite and risk tolerance; and such plans may include incentive compensation explicitly linked to risk-adjusted measures, deferral mechanisms, or claw-backs
d. The Board of Directors approves a RISK APPETITE statement (i.e., a forward-looking, high-level view of risk acceptance that incorporates return expectations) and a RISK TOLERANCE statement (i.e., a more specific determination of the level of variation the bank is willing to accept around business objectives) for operational risk

800.3. The first two principles (among eleven in total) are the fundamental principles. Principle One requests the establishment of a strong risk management culture. Principle Two requests the development and implementation of an operational risk management framework (ORMF). Among the following responsibilities, each is the responsibility of senior management EXCEPT which is the responsibility of the Board of Directors?

a. Establishes and maintains robust challenge mechanisms and effective issue-resolution processes
b. Translates the ORMF into specific policies and procedures that can be implemented and verified within the different business units
c. To ensure implementation of the ORMF, recruits experienced, technical staff and ensures a sufficient level of operational risk training
d. Reviews and approves the ORMF (at regular intervals) to ensure that the bank is managing (and has identified) the operational risks arising from external market changes and other environmental factors

Answers here: