The Basel Committee on Banking Supervision (“BCBS” or “Basel Committee”) issued a report on October 6, 2014, entitled Review of the Principles for the Sound Management of Operational Risk. The report serves as a review of systemically important banks’ (“SIBs” or “banks”) implementation of the Basel Committee’s Principles for the Sound Management of Operational Risk (“Principles”), which were published in June 2011 and cover governance, the risk management environment, the role of disclosure, and the three lines of defense.
The review, conducted in the form of a questionnaire for banks to self-assess their implementation progress, surveyed sixty SIBs operating in twenty jurisdictions. The objectives of the exercise were to establish the extent to which banks have implemented the Principles, identify common significant implementation gaps, and highlight emerging and noteworthy operational risk management (“ORM”) practices that are not currently addressed by the Principles.
Although the review identified challenges and themes within all of the Principles, four Principles were identified as among the least thoroughly implemented: (1) operational risk identification and assessment, (2) change management, (3) operational risk appetite and tolerance, and (4) operational risk disclosure. In addition, weaknesses were observed in banks’ implementation of the overarching Principle for the three lines of defense.
The report concludes that, based on the responses received, SIBs have generally made “insufficient” progress in implementing the Principles, with many banks still in the process of implementing various Principles. As a result, some SIBs may not be adequately identifying and managing their operational risk exposures due to the inconsistent deployment of the full range of ORM tools, such as risk and control self-assessments (“RCSAs”), internal and external loss data collection and analysis, scenario analysis, key risk indicators (“KRIs”), key performance indicators (“KPIs”), change management, and comparative analysis. Additionally, banks will need to strengthen their implementation of the “three lines of defense” Principle, including clarifying roles and responsibilities, as well as improve their board and senior management oversight, their articulation of their operational risk appetite and tolerance statements, and the comprehensiveness of their operational risk disclosures.