Andrew Sheen spent 8 years at the UK regulator, firstly in the FSA (FCA) and subsequently at the PRA. In his time with these authorities Andrew represented the UK on the Basel Committee for Banking Supervisors Operational Risk Working Group. Andrew subsequently worked for large complex banking institutions before retiring last year and now promotes the development and discipline of Operational Risk.
With firms focused on dealing with the current pandemic and evolving their Operational Resilience frameworks, it is not surprising that the Basel Committee on Banking Supervision’s 6 August consultative document ‘Revisions to the Principles for the Sound Management of Operational Risk’ (1) (PSMOR) failed to register on the radar of many financial institutions’ risk management functions. However, with the 6 November deadline for the submission of comments rapidly approaching, firms wishing to respond to the consultation need to do so soon.
Firms reading the Committee’s consultative document ‘Principles for Operational Resilience’, published on the same day, will have seen that the resilience approach builds on updates to the PSMOR and also proposes that: ‘Banks should utilize their existing governance structure’; and, ‘Banks should leverage their respective functions for the management of operational risk’.
The principles were first published in February 2003 (2), updated in 2011 (3) and in 2014 (4) the Committee reviewed implementation of the Principles in 60 systemically important banks in 20 jurisdictions. I was fortunate to be part of the Basel Committee’s Operational Risk working group in 2011 and was involved in the drafting of the update. We developed 11 principles, each with a number of supporting paragraphs that provided further detail to help banks understand how they might comply with the principles. These principles and supporting paragraphs provide an important insight into the issues regulators will consider when reviewing firms’ Operational Risk Management Frameworks, are a valuable guide for firms developing and enhancing their frameworks, and can also be used to benchmark existing methodologies.
As one of those who often criticises the regulatory community for a lack of engagement with firms, I find that the revised PSMOR provide a valuable insight into regulatory expectations. Given the passage of time since the publication of the 2011 edition of the PSMOR, the emergence of AI and FinTech and developments in information and communication technology (ICT) risk, it is not surprising that the Committee thought it appropriate to update the principles. The failures to adequately implement the 2011 edition identified in the 2014 review further evidence the need to update the guidance, notably in the following areas:
- Risk identification and assessment tools and the monitoring of action plans;
- Change management;
- The assignment of roles and responsibilities;
- Board and senior management oversight;
- Risk appetite and tolerance;
- Risk disclosures.
Having effectively experienced the marking of the 2011 drafting team’s homework, it is interesting to see that many of the 11 principles are little changed. There are of course some revisions, which often update and clarify the actions required and strengthen Board and senior management accountability, in particular:
- Principle 3 – With most firms now having Operational Risk Frameworks in place, the Board’s responsibility for establishing, approving and reviewing the Framework has been replaced by a requirement to oversee material operational risks and the effectiveness of key controls, and to ensure that senior management implements the framework;
- Principle 7 – The requirement for senior management to ensure that there is an approval process for all new products, activities, processes and systems that assesses operational risk now encompasses the overall change management process;
- Principle 10 – While the 2011 edition included supporting paragraphs on technology risk as part of the control and mitigation principle, these are now the subject of a separate principle covering the need for robust Information and Communication Technology governance and an appropriate risk management framework.
Concerns over the implementation of the three lines of defence, especially with regard to the assignment of roles and responsibilities, resulted in the latest edition containing a discussion of the three lines of defence, which may not have pleased those who argue against this approach or promote a revised method. Nevertheless, irrespective of the approach adopted, we should all recognise the need for clarity around roles and responsibilities, particularly at a time when individual accountability is the focus of regulatory attention in a number of jurisdictions.
Certainly, when considering the latest PSMOR, the devil is in the detail and the supporting paragraphs accompanying each principle have also been subject to, in some cases significant, revision. These revisions add greater clarity to regulatory expectations and should be understood by firms.
Readers interpreting this brief summary of the changes as meaning the document does not deserve their attention would be making a major mistake. All regulated financial firms should undertake a comprehensive review of the consultative document, even those who would argue that the Basel Committee’s publications do not impact them directly.