GCC: Managing Operational Risk Effectively

In recent years, banks globally and here in the UAE were occupied by the implementation of IFRS 9. This tended to dwarf all other competing priorities for the risk and finance teams.

Regulators, too, appeared to be significantly engaged in the implementation of IFRS 9 and spent considerable time and resources reviewing calculated expected credit loss (ECL) charges under the new rules.

Operational risk has now become a heightened area of focus for financial institutions as the industry wrestles with challenges arising from cyberthreats, third-party concerns, trading, conduct and culture issues, anti-money laundering fines and sanctions, stress testing requirements, and technological innovations driving greater opportunities for process automation and digitisation.

 The Basel Committee on Banking Supervision (BCBS) first released Principles for the BCBS 195, Sound Management of Operational Risk in 2011. A review by the committee undertaken in 2014 highlighted that banks globally had not sufficiently implemented these principles which culminated in an additional BCBS paper, Review of the Principles for the Sound Management of Operational Risk, BCBS 292.

Taking notice of this, the Central Bank of the UAE (CBUAE) issued draft Operational Risk Standards and Operational Risk Regulations in 2016. Finalised and issued in August 2018 under CBUAE Operational Risk Standards and Regulations 163/2018, we are seeing this is as part of a growing trend across the Gulf Cooperation Council (GCC).

Several regulators have recently issued new rules or are refining existing rules relating to operational risk that are in line with international best practice.

Capital and guidance from central bank

Operational risk is often regarded as the most challenging risk for both regulators and banks. The rationale for this is that nothing can prevent a bank from experiencing a significant adverse event.

Ultimately, allocation of Pillar 1 capital (the regulator’s core measure of a bank’s viability, usually common stock and disclosed reserves) is designed to at least encourage bank boards and senior management to discuss how best to manage operational risk. In most cases, Pillar 1 capital will likely be lower than the loss history for nearly all banks.

The first reason is that ‘boundary events’ tend to get lumped 100 per cent under credit risk losses, with no allowance for apportionment for related operational risk failures involved in credit losses, such as inappropriate models, insufficient monitoring or fraud.

Secondly, losses resulting from operational risk generally tend to be under-reported, primarily due to the potential consequences and lack of awareness by bank staff. The August 2018 regulations laid out by the CBUAE are accompanied by a separate ‘standards’ release which provides additional clarity on what banks should be doing to achieve best practice.

The key areas for banks’ attention under the Operational Risk Standards are: governance, identification and assessment, control and mitigation, business continuity management, information technology and systems, and reporting.

Due to the inherently qualitative nature of managing operational risk (through implementing a robust internal control environment coupled with strong process level controls), many banks tend to believe that they are already ‘best in class’ with respect to their operational risk framework.

Accordingly, regulators often see the need to spell out principles, standards and rules for banks to follow. The Risk Based Supervisory approach adopted by CBUAE should ensure that a spectrum of results are possible when viewing how banks apply the new standards.

KPMG’s recent experience working with several GCC banks on operational risk initiatives implies that there may be room for improvement in enhancing operational risk frameworks and how the seven operational risk event types (as defined by the Basel Committee) are managed.

The event types comprise:

• Internal fraud
• External fraud
• Employment practices and workplace safety
• Clients, products, and business practice
• Damage to physical assets
• Business disruption and systems failures
• Execution, delivery, and process management

Next steps

It seems there is much work for banks to do as they strive toward operational risk excellence, including:

• Further positioning the operational risk management framework so that it is fully aligned with the banks’ strategy and viewed as an enabler of strategic change, business performance, and customer experience.
• Elevating first and second lines of defence (LOD) involvement and results in strengthening risk culture.
• Enhancing first LOD communication and escalation of issues outside of established risk appetite.
• Improving the communication between the first and second LODs on emerging risks and changes to the internal and external environment.
• Deploying end to end process risk assessments across business lines and divisions to develop a more complete picture of risk, dependencies, hand-offs, and redundant controls.
• Expanding convergence efforts beyond risk taxonomies and rating scales to drive increased efficiencies and more effective analysis and management of risk.
• Enhancing control testing to create more dynamic and efficient monitoring, escalation and management of exposure.
• Establishing robust operational risk dashboards supported by integrated data and tools to deliver consistently meaningful reporting to business lines, risk teams, executive management, and the board.

A specific area that is receiving significant focus from regulators and banks recently is mitigating internal and external fraud losses. It is observed that several banks are undertaking fraud risk framework reviews, whilst others are identifying material processes susceptible to fraud and carrying out fraud risk assessments.