A hands-on and tech-aware exploration of operational risk management
In Integrated Operational Risk Management: Tools, Techniques and Meeting Regulatory Expectations, distinguished risk and compliance practitioners Jimi Hinchliffe and Andrew Sheen deliver a practical discussion of operational risk management (ORM) with a pronounced focus on operational resilience and regulatory context, history, and expectations. The book offers a comprehensive explanation of how to create a holistic framework for ORM that breaks down the silos in non-financial risk management, improves efficiency, avoids duplication, and adds value to the business.
The authors examine ORM's place within enterprise risk management and describe the origins and evolution of ORM as a discipline. They consider the roles of the BCBS, UK FSA and the Institute of Operational Risk. You'll also find:
Perfect for risk and compliance professionals at financial and non-financial firms, Integrated Operational Risk Management is a must-read resource for everyone interested in a forward-looking and contemporary examination of best practices in ORM.
Page count: 436
Publication year: 2025
Cover
Table of Contents
Title Page
Copyright
About the Authors
Preface
CHAPTER 1: Introduction
WHY ANOTHER BOOK ON ORM
OUR APPROACH
PART ONE: Background and Regulatory Context
CHAPTER 2: Enterprise Risk Management
Notes
CHAPTER 3: The Origins and Evolution of ORM
SCANDALS AND MORE SCANDALS!
MISSELLING OF RETAIL INVESTMENT PRODUCTS IN THE UK: ENDOWMENT MORTGAGES AND PERSONAL PENSIONS
BCBS, BASEL 2, CRD AND THE RESPONSES TO SCANDALS
THE UK FSA AND ITS ROLE IN BASEL 2/CRD
POLICY DEVELOPMENT AND SUPERVISORY APPROACH OF THE UK FSA
ORSG AND COLLABORATION WITH PRACTITIONERS ON POLICY
THE INSTITUTE OF OPERATIONAL RISK
THE RISE AND FALL…AND RISE OF ORM?
Notes
CHAPTER 4: Regulatory Approaches and Expectations
Notes
PART TWO: Operational Risk Management Tools and Frameworks
CHAPTER 5: Operational Risk Management – Building Blocks
Notes
CHAPTER 6: Risk Identification and Assessment – RCSA and Other Tools
TOP‐DOWN AND BOTTOM‐UP
RISK AND CONTROL SELF‐ASSESSMENTS
INTERNAL EVENTS
EXTERNAL EVENTS
SCENARIOS
CHANGE MANAGEMENT
EMERGING RISKS AND HORIZON SCANNING
COVID – BLACK SWAN
BLOGS
Notes
CHAPTER 7: Controls
Notes
PART THREE: Antifragility, Resilience and When Things Go Wrong
CHAPTER 8: Operational Resilience – The Outcome of Effective ORM
IT MELTDOWNS IN UK BANKS
THE RISING THREAT OF CYBERCRIME
UK REGULATORS ISSUE CONSULTATION PAPERS ON OPERATIONAL RESILIENCE
BCBS CONSULTATION
BCBS AND UK REGULATORS ISSUE FINAL RULES
RELATIONSHIP BETWEEN OPERATIONAL RESILIENCE AND BUSINESS CONTINUITY MANAGEMENT
UK REGULATORY APPROACH AND MEETING REGULATORY EXPECTATIONS
BCBS APPROACH AND DIFFERENCES TO THE UK APPROACH
EU DORA
OPERATIONAL RESILIENCE, INTOLERABLE HARM AND UK FCA'S CONSUMER DUTY
DON'T REINVENT THE WHEEL…EXCEPT IN TESTING?
EMBEDDING AND FUTURE EVOLUTION
Notes
CHAPTER 9: Risk Incidents
Note
CHAPTER 10: Third‐Party Risk Management – The Elephant in the Room
Notes
PART FOUR: Monitoring, Reporting and Taking Action
CHAPTER 11: Monitoring Risks and Controls – The Holy Grail of ORM
Note
CHAPTER 12: Mitigating and Managing Operational Risks
TAKING ACTION
MANAGING TRADE‐OFFS
RISK ACCEPTANCE
CASE STUDY: COVID‐19 LOCKDOWNS
Notes
CHAPTER 13: Reporting Risks
THE REPORTING PYRAMID
BUILDING EFFECTIVE ORM REPORTS
KEY ORM RISK REPORTS
Notes
PART FIVE: Hot Topics and the Future
CHAPTER 14: The Art of Regulatory Relations
FOR FIRMS WITHOUT A DEDICATED SUPERVISOR
FOR FIRMS WITH A DEDICATED SUPERVISOR
HOLDING SENIOR MANAGERS TO ACCOUNT
MANAGING REGULATORY VISITS
WHAT NOT TO TELL YOUR REGULATOR – OPERATIONAL RESILIENCE
Notes
CHAPTER 15: The Rise and Fall of AMA and the Modelling Controversy
Notes
CHAPTER 16: Selecting and Using a GRC
FIRST AND FOREMOST…
SELECTING A SYSTEM
ROLLING THE SYSTEM OUT
UTILISATION OF THE GRC SYSTEM
Notes
CHAPTER 17: GenAI – Uses and Risks
POTENTIAL APPLICATIONS OF GenAI IN OPERATIONAL RISK MANAGEMENT
CHALLENGES AND RISK
RISK MITIGATION STRATEGIES
Note
CHAPTER 18: ESG
GOVERNANCE – CHAPTER 5
RISK APPETITE – CHAPTER 5
TOP‐DOWN – CHAPTER 6
EMERGING RISKS AND HORIZON SCANNING – CHAPTER 6
RCSA – CHAPTER 6
INTERNAL EVENTS AND RISK INCIDENTS – CHAPTER 6
EXTERNAL EVENTS – CHAPTER 6
SCENARIOS – CHAPTER 6
CHANGE MANAGEMENT – CHAPTER 6
CONTROLS – CHAPTER 7
REPORTING – CHAPTER 13
THIRD‐PARTY RISK MANAGEMENT – CHAPTER 10
Notes
CHAPTER 19: The Future Challenges and Opportunities
THE FUTURE OF OPERATIONAL RISK MANAGEMENT AND MANAGERS
Index
End User License Agreement
Chapter 10
TABLE 10.1 Contents of the Outsourcing Policy
TABLE 10.2 Allocating Responsibilities Across the Three Lines
TABLE 10.3 Materiality Criteria
Chapter 2
FIGURE 2.1 Operational Risks
Chapter 5
FIGURE 5.1 An Indicative Operational Risk Framework. This Diagram is based o...
FIGURE 5.2 The Risk Life Cycle
FIGURE 5.3 Risk Appetite
FIGURE 5.4 Key Skills and Capabilities of Successful Risk Teams
Chapter 6
FIGURE 6.1 The Risk Cycle
FIGURE 6.2 The Key RCSA Stages
FIGURE 6.3 The Risk Wheel
FIGURE 6.4 RCSA Impact Scales
FIGURE 6.5 RCSA Likelihood
FIGURE 6.6 RCSA Heatmap
Chapter 7
FIGURE 7.1 The Bow Tie
FIGURE 7.2 Inherent and Residual Risk
Chapter 8
FIGURE 8.1 Enterprise Resilience
FIGURE 8.2 Drivers of the Regulatory Focus on Operational Resilience in the ...
FIGURE 8.3 BCBS Principles for Operational Resilience.9
FIGURE 8.4 The Resilience Triangle
FIGURE 8.5 The NFR Umbrella
FIGURE 8.6 The Eight Steps to Resilience
FIGURE 8.7 Requirements on the Board and Judgements Required
FIGURE 8.8 Impact Tolerances and Intolerable Harm
FIGURE 8.9 The Nexus of Harm
Chapter 9
FIGURE 9.1 The Bow Tie
FIGURE 9.2 Causal Analysis Using Swim Lanes
FIGURE 9.3 Using RCSA Impact Scales to Determine Incident Significance
Chapter 10
FIGURE 10.1 TPRM vs Outsourcing
FIGURE 10.2 TPRM Lifecycle – The Three O's
Chapter 11
FIGURE 11.1 A Fisherman's Tale
FIGURE 11.2 The Candlestick
FIGURE 11.3 Risk Spider Gram
Chapter 13
FIGURE 13.1 The Reporting Pyramid
FIGURE 13.2 Leveraging Existing Reports
FIGURE 13.3 A Risk Heatmap Matrix
FIGURE 13.4 The Risk Heatmap
FIGURE 13.5 Risk Dashboards
Chapter 14
FIGURE 14.1 The Continuum of Trust – Firms
FIGURE 14.2 The Continuum of Trust – Regulators
Chapter 17
FIGURE 17.1 GenAI and Operational Risks
Chapter 18
FIGURE 18.1 TPRM Life cycle and ESG
JIMI HINCHLIFFE AND ANDREW SHEEN
This edition first published 2025
© 2025 John Wiley & Sons, Ltd
All rights reserved, including rights for text and data mining and training of artificial intelligence technologies or similar technologies. No part of this publication may be reproduced, stored in a retrieval system, or transmitted, in any form or by any means, electronic, mechanical, photocopying, recording or otherwise, except as permitted by law. Advice on how to obtain permission to reuse material from this title is available at http://www.wiley.com/go/permissions.
The right of Jimi Hinchliffe and Andrew Sheen to be identified as the authors of this work has been asserted in accordance with law.
Registered Offices
John Wiley & Sons, Inc., 111 River Street, Hoboken, NJ 07030, USA
John Wiley & Sons Ltd, New Era House, 8 Oldlands Way, Bognor Regis, West Sussex, PO22 9NQ, UK
For details of our global editorial offices, customer services, and more information about Wiley products visit us at www.wiley.com.
The manufacturer’s authorized representative according to the EU General Product Safety Regulation is Wiley‐VCH GmbH, Boschstr. 12, 69469 Weinheim, Germany, e‐mail: [email protected].
Wiley also publishes its books in a variety of electronic formats and by print‐on‐demand. Some content that appears in standard print versions of this book may not be available in other formats.
Trademarks: Wiley and the Wiley logo are trademarks or registered trademarks of John Wiley & Sons, Inc. and/or its affiliates in the United States and other countries and may not be used without written permission. All other trademarks are the property of their respective owners. John Wiley & Sons, Inc. is not associated with any product or vendor mentioned in this book.
Limit of Liability/Disclaimer of Warranty
While the publisher and authors have used their best efforts in preparing this work, they make no representations or warranties with respect to the accuracy or completeness of the contents of this work and specifically disclaim all warranties, including without limitation any implied warranties of merchantability or fitness for a particular purpose. No warranty may be created or extended by sales representatives, written sales materials or promotional statements for this work. This work is sold with the understanding that the publisher is not engaged in rendering professional services. The advice and strategies contained herein may not be suitable for your situation. You should consult with a specialist where appropriate. The fact that an organization, website, or product is referred to in this work as a citation and/or potential source of further information does not mean that the publisher and authors endorse the information or services the organization, website, or product may provide or recommendations it may make. Further, readers should be aware that websites listed in this work may have changed or disappeared between when this work was written and when it is read. Neither the publisher nor authors shall be liable for any loss of profit or any other commercial damages, including but not limited to special, incidental, consequential, or other damages.
Library of Congress Cataloging‐in‐Publication Data is Available:
ISBN 9781394303816 (Cloth)
ISBN 9781394303823 (ePub)
ISBN 9781394303830 (ePDF)
Cover Design: Jon Boylan
Cover Image: © itchaznong/stock.adobe.com
Dr Jimi M.V. Hinchliffe has over 25 years of experience in operational risk management and regulation. In almost a decade at the UK regulator – the UK FSA – Jimi held several roles, including operational risk policy SME, Basel 2 Technical Specialist, acting manager of the Basel 2 Implementation team, and in four years as a supervisor, managed relationships with large Japanese and US GSIFI banks and investment firms. Jimi was then Director and then Executive Director at the largest Japanese mega‐bank, MUFG, with roles including Head of EMEA Regulatory Affairs and Head of Compliance Policy, Risk and Regulatory Affairs Department. Since 2016, he has been a consultant, supporting various clients, including banks, investment firms and a large pension fund, regarding operational risk management, resilience, TPRM and regulatory affairs. Jimi is a former director of the Institute of Operational Risk (IOR), and between May 2017 and March 2021 was Chairman of the IOR in England & Wales. Jimi was made a Fellow of the IOR in 2016. Jimi is also a member of the CISI and is on the CeFPro Non‐Financial Risk Advisory Board.
Andrew Sheen has been actively involved in operational risk management since the late 1990s when the Basel Committee on Banking Supervision's (BCBS) focus on this topic saw it emerge as a distinct risk discipline. Having worked as the Head of Operational Risk at an international bank and also a UK investment bank, Andrew joined the UK Financial Services Authority (UK FSA) where he led the Operational Risk Policy team and then the Risk Frameworks team, charged with reviewing operational risk and governance frameworks in firms of all types and sizes. When the UK FSA split into two, Andrew moved into the Prudential Regulation Authority. During his time with the regulators, Andrew is proudest of his participation in the BCBS Operational Risk Working Group. When the time came to take the difficult decision to leave the regulatory world, Andrew had the pleasure of working at HSBC and then Credit Suisse, up until his retirement.
Andrew subsequently added being retired to the list of things he is not very good at and established a consultancy to provide Operational Risk and Resilience advisory services and training.
Looking back over 50 years in risk management, Andrew is surprised at how many of the firms he worked for no longer exist for one reason or another, but stresses he can take no credit for their demise and was no longer with them when they ceased to exist (although he would say that, wouldn't he). Drafting his contributions to this book also caused Andrew to reflect on the many friendships he has made during his career and he would like to thank everyone who has helped shape his knowledge and experience.
Operational risk management (ORM) has always been a cornerstone of effective organisational management. However, managing these risks has become more challenging in today’s complex business environment, especially in financial services and banking, where interdependencies between technology, systems, processes and people are growing exponentially. The ever‐greater utilisation of third parties to deliver services also presents unique challenges for firms, especially in relation to managing threats to resilience. These myriad challenges are particularly pronounced in the UK, a global financial hub with a dynamic regulatory landscape that continuously evolves to address emerging risks and systemic vulnerabilities.
This book explores the critical importance of adopting an integrated approach to ORM that aligns risk management practices with strategic objectives while remaining responsive to increasing regulatory expectations. With the rise of operational resilience as a regulatory priority, organisations in the UK, and elsewhere, face increasing pressure to demonstrate their ability to prevent, adapt to, recover from and learn from operational disruptions and utilise ORM tools to deliver more demanding resilience outcomes. This book outlines the foundational principles of ORM and provides a practical roadmap for a successful and integrated approach.
This book combines the regulatory insights of two former regulators, real‐world examples and actionable strategies to equip practitioners with the tools they need to navigate the complexities of ORM robustly and sustainably. Drawing on the latest guidance from the international standard setter, the BCBS, and focusing on UK regulators, including the Financial Conduct Authority (FCA), Prudential Regulation Authority (PRA) and Bank of England, we delve into the synergies between compliance and proactive risk management.
Whether you are a risk professional, compliance officer, NED, senior manager or someone looking to deepen their understanding of ORM, this book aims to provide you with the knowledge and confidence to enhance your organisation’s operational resilience through an integrated approach to ORM. As operational risk continues to evolve, so must our approaches to managing it. By fostering a culture of integration, collaboration, forward‐thinking and always learning from errors, we can not only meet regulatory requirements but also unlock the strategic value of risk management as a driver of organisational success.
We hope this book serves as a valuable resource and sparks meaningful conversations about the future of ORM in the UK and beyond.
A ship is safe in harbor, but that's not what ships are built for.
—John A. Shedd
Over the following 19 chapters, we will explore a topic that has grown steadily in importance over the last 25 years. From a risk type that, as we shall see in Chapter 1, didn't even have a name, Operational Risk Management (ORM) has burgeoned into a topic at least on a par with the more traditional risk types of credit and market risk. The number of articles and books written, the large community of ORM professionals, the fervent interest in ORM conferences (such as Risk.net's ‘Op Risk Europe’ and ‘Op Risk America’ and CeFPro's ‘New Generational Operational Risk’ events) and the attention given to it by regulators – both national and supranational – are testament to the importance of this once‐maligned subject.
Two decades ago, the Basel Committee on Banking Supervision's (BCBS) Basel 2 introduced operational risk into the capital regime for internationally active banks (which in the EU was then also applied to domestic banks and investment firms). A series of high‐profile scandals, most notably the collapse of Barings Bank due to the rogue trading of Nick Leeson, alerted regulators to the importance of the risks arising from people, processes, systems and external events. Unlike credit and market risks – which had previously been the primary focus of regulators and risk managers – operational risk had the potential to be catastrophic – as in the case of Barings. Basel 2 not only required firms to assign capital for operational risk but also crucially introduced ‘sound practices’ for its management.
In the years that followed, firms busily created operational risk functions, introduced new tools, including Risk Control Self‐Assessment (RCSA) and scenario analysis, started collecting operational risk loss data and using external loss data (including from external loss databases including the old British Banking Association's (BBA's) ‘GOLD’ and ORX) and created new operational risk governance committees to provide governance and oversight. The most ambitious firms (and those mandated by their regulators such as in the USA) pursued the Holy Grail of ORM, ‘The Advanced Measurement Approach’ (AMA), which was the most sophisticated of the three options available under the Basel 2 regime and required not only highly sophisticated capital modelling but also advanced management of operational risk.
By the late 2000s, most regulated firms in the UK employed operational risk managers and had established operational risk frameworks. This contrasted with the early 2000s, when the UK Financial Services Authority (UK FSA), wanting to engage with the industry on the nascent Basel 2 and CRD regime, had to engage with staff from compliance, finance and regulatory reporting functions within firms – operational risk functions simply didn't exist!
Many predicted that the controversial decision by the Basel Committee to kill off the AMA in 2015, a signal to many practitioners of the diminished status of operational risk, might be a final nail in the coffin for ORM as a distinct function altogether! Especially so, given the trend post‐GFC of fragmentation, whereby firms created new functions (often with separate risk frameworks) to consider hot topics like cyber conduct, vendor management, market conduct, fraud, financial crime and so forth. ORM as a distinct function or even as an umbrella seemed to be redundant!
To paraphrase the great Mark Twain, the report of operational risk's death was grossly exaggerated!
Lyndon Nelson, formerly a senior regulator at UK FSA and then PRA, in an excellent speech in June 2018 on operational resilience at OpRisk Europe (‘Resilience and continuity in an interconnected and changing world’, 13 June 2018), recounted how he had addressed a group of new operational risk managers and he had explained that they would be ‘pioneers’. Lyndon explained that operational resilience will establish itself on par with financial resilience and be a key part of the firm's risk profile. As regulators have made clear, operational resilience is an outcome and it is delivered through the management of operational risk.
So readers may well ask, ‘Why another book on Operational Risk Management?’ After all, there is a plethora of excellent practitioner books out there. Our riposte is that there are compelling reasons why we believe our book is worthwhile.
First, as highlighted above, operational risk as a discipline, including due to the regulatory focus on operational resilience as the outcome of effective operational risk management, is growing in importance and profile. By focusing on resilience outcomes rather than the process of managing ORM, regulators have reignited interest in ORM and the tools of ORM. As such, it is timely to re‐examine the tools of ORM in light of the outcomes now expected by boards and regulators.
Second, the inexorable progress of technology, including greater automation of processes, the use of GenAI, LLMs and NLP, and the application of innovative new technology to the management of risk, adds a new dimension to the operational risk landscape, both in terms of the nature of risk and how it is managed. Cyber risk is a perennial feature in the annual ‘Top Ten Risks’ surveys carried out by various organisations, including Risk.net, which poll ORM professionals to get a sense of the risks keeping risk professionals awake at night; digital resilience is likewise a top focus of regulators.
Third, the inexorable rise in outsourcing by firms and the consequent focus by regulators on managing third and nth party risk make non‐financial risk management ever more important. The regulatory focus on operational resilience and managing vulnerabilities arising from third parties and sub‐outsourcing has again elevated the importance of this dimension to non‐financial risk management.
Finally, there are some excellent books by practitioners, most notably the books by Ariane Chapelle, Elena Pykhova, Michael Grimwade, Cathy Hampson, Tony Blundon and John Thirlwell, but none of these excellent books brings out the critical importance of operational resilience and none is written with a specific focus on the regulatory context, history and expectations. One of the key concerns and expectations of regulators, and a key theme of our book, is the need for an integrated approach to ORM that seeks to break down the silos in non‐financial risk management (i.e. between the different types of operational risk), avoid duplication, improve efficiency and add value. We will also argue that ORM should have a legitimate role in seeking to address silos in the overall Enterprise Risk Management (ERM) framework, given that these silos are a potential source of operational risk.
In the 19 chapters that follow, we will explain ORM's place within the broader ERM universe (Chapter 2) and explore the origins and evolution of ORM as a discipline (Chapter 3), including the roles of the BCBS, UK FSA and the Institute of Operational Risk (IOR). In Chapter 4, we will delve into the different approaches taken by regulators to operational risk management, including in the UK, the USA, the EU and Asia.
In Chapters 5–7, we will explore ORM Tools and Frameworks, setting out best practices on the building blocks (including governance, risk appetite and taxonomy), risk identification and assessment (including best practices for RCSA and scenario testing) and how to assess and manage controls, including how to achieve the optimum balance of control.
In Chapter 8, we will discuss operational resilience, including its origins and evolution, the relationships to Business Continuity Management (BCM) and ORM, the BCBS principles and national approaches. We will also consider the EU's Digital Operational Resilience Act (DORA) and the relationship between concepts of harm in operational resilience and consumer regulations. Chapter 9 will review risk incidents, including how to get to the root causes using the bow tie. Chapter 10 will explain how Third Party Risk Management (TPRM) is the elephant in the room for ORM and resilience.
We will then consider monitoring and reporting of operational risk and the Holy Grail of predictive Key Risk Indicators (KRIs) in Chapter 11, before explaining how to mitigate and manage risks (Chapter 12) and risk reporting (Chapter 13). We will conclude by exploring hot topics and the future, including the art of regulatory relations (Chapter 14), the rise and fall of AMA (Chapter 15) and how to select and get the best use out of a Governance, Risk and Compliance (GRC) system (Chapter 16). We will then explore the potential use of GenAI and other innovative new technologies (Chapter 17), the importance of Environment, Social and Governance (ESG) and its interaction with ORM (Chapter 18) and future challenges, including the future role for ORM professionals (Chapter 19).
As ex‐regulators, Jimi and I are surprised and disappointed at the number of times we talk to risk professionals who have no understanding of the objectives of the regulators with whom they interact or the context within which they themselves operate. This is perhaps best illustrated by a conversation I once witnessed with a senior banker who simply had no understanding of the role of the Financial Conduct Authority, despite being able to see their building from his window.
This part of our book seeks to establish a common understanding of the role of the risk function, board and senior management in the management of risk. We also explore the origins and evolution of operational risk and their role in the creation of the Basel 2 framework that saw regulators recognise operational risk as a distinct discipline requiring a capital allocation, for the first time. Our discussion of the origins of operational risk covers at some length the collapse of Barings Bank. Those unfamiliar with this key event might want to watch the 1999 film Rogue Trader, where Ewan McGregor takes the part of Nick Leeson. We conclude this part by considering the roles of a number of regulatory authorities and the international regulatory framework. It is interesting to note that, at the time of writing, there is some discussion of creating a single UK financial regulator. Perhaps we will see a return of the Financial Services Authority (2001–2013) to replace the Prudential Regulation Authority and the Financial Conduct Authority.
While banks and other financial institutions have been managing operational risk since their inception, and arguably earlier, when banks' founders began to consider establishing an institution, operational risk only emerged as a distinct discipline in the late 1990s as the Basel Committee on Banking Supervision (BCBS) began to consult on the introduction of Basel 2 with its ‘new’ capital charge for operational risk. This process resulted in the BCBS capital framework definition of operational risk as:
the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
While this definition has understandably been widely adopted, some firms have nuanced their firmwide definition to reflect their operational risk management framework (ORMF) (rather than operational risk capital measurement) and in recognition of the evolution of operational risk management over the last 25 years. For example, some firms have adapted their definition to read:
Operational risk management is the risk of loss or impact on strategic objectives and business plans as a result of inadequate or failed processes, people and systems or from external events. This definition includes legal risk, strategic risk and reputational risk.
This revised definition recognises that not all operational risk events result in a loss and that strategic risk and reputational risk are key components of operational risk.
Not all operational risk events result in a loss; some may even result in a gain. I am aware of a firm that failed to transfer its dollar earnings into sterling at the end of each month in accordance with the bank's policy. When this error was identified and the dollar earnings were transferred into sterling, the bank discovered that the resultant sterling impact was greater than would have been experienced if the policy had been followed. This was clearly an operational risk event but did not result in a loss, in this instance, as the dollar had depreciated. Of course, a dollar appreciation would have generated a loss.
The BCBS also identified the seven loss event types, and firms are required to be able to map their losses to these categories:
Internal fraud;
External fraud;
Employment practices and workplace safety;
Clients, products and business practices;
Damage to physical assets;
Business disruption and system failure;
Execution, delivery and process management.
Once again operational risk categories in many firms have evolved over time and we will discuss taxonomies in greater detail in Chapter 5, Operational Risk Management Building Blocks.
Operational risk is best viewed as a combination of risks rather than, as in some firms, operations risk. While I do not propose to provide a complete list here, the risks identified in ‘Figure 2.1’ go beyond a firm's operations and would be included in the firm's risk universe. I use operational risk as an umbrella term to capture all these risks, which accounts for the umbrella in Figure 2.1 and the umbrellas on the front cover! A large number of firms manage their risks in these distinct silos, often using different GRC software and causing angst in the front line as each silo undertakes its version of a Risk and Control Self‐Assessment (perhaps in the form of a Compliance Self‐Assessment (CSA), Financial Crime Self‐Assessment (FCSA) and People Risk Self‐Assessment (PRSA), etc.). The sad reality is that these firms find themselves comparing apples with pears and fail to provide the various risk committees with a coherent holistic assessment of the risks faced by the firm. In my experience, the only function in a position to unite these risk silos is operational risk and where I have seen this unification achieved successfully it is clearly a tribute to the Head of Operational Risk and the heads of the other risk silos.
FIGURE 2.1 Operational Risks
Recognition of the need to establish a unified approach to operational risk management has led to the emergence of non‐financial risk, rather than the operational risk umbrella, as a term and discipline. I am using the term non‐financial risk management to capture all of the risks which are not covered by traditional financial risk management. As a result, I am taking non‐financial risk to capture all risks except liquidity, capital, credit and market risk. I realise that in many ways the term non‐financial risk can be confusing; after all, the BCBS defines operational risk ‘as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’, and losses certainly have a financial impact. I guess in the end this positive definition is better than the alternative negative definition of everything except liquidity, capital, credit and market risk. I imagine we would all rather have a business card that announces we are the ‘Head of Non‐Financial Risk’ than one that says ‘Responsible for everything except liquidity, capital, credit and market risk’.
For many firms, the move from risk silos to non‐financial risk and financial risk creates a pathway to Enterprise Risk Management (ERM). This is a holistic, systemic risk approach that requires a high degree of communication and coordination within the organisation to identify and manage risks across the firm. The five components of an ERM framework are identified by the Committee of Sponsoring Organizations of the Treadway Commission (COSO) in their publicly available executive summary ‘Enterprise Risk Management, Integrating with Strategy and Performance’ (June 2017). This is an update to COSO's ‘2004 Enterprise Risk Management – Integrated Framework’ and reflects the increasing complexity of risk, the emergence of new risks, and boards' and executives' increasing awareness and oversight of enterprise risk management while demanding improved risk reporting.
The five components identified in the COSO executive summary ‘Enterprise Risk Management, Integrating with Strategy and Performance’1 (June 2017) are:
Governance and culture:
Governance sets the organization's tone, reinforcing the importance of, and establishing oversight responsibilities for, enterprise risk management. Culture pertains to ethical values, desired behaviours and the understanding of risk in the entity.
Strategy and objective‐setting:
ERM, strategy and objective‐setting work together in the strategic‐planning process. A risk appetite is established and aligned with strategy; business objectives put strategy into practice while serving as a basis for identifying, assessing and responding to risk.
Performance:
Risks that may impact the achievement of strategy and business objectives need to be identified and assessed. Risks are prioritised by severity in the context of risk appetite. The organisation then selects risk responses and takes a portfolio view of the amount of risk it has assumed. The results of this process are reported to key risk stakeholders.
Review and revision:
By reviewing entity performance, an organisation can consider how well the enterprise risk management components are functioning over time and in light of substantial changes, and what revisions are needed.
Information, communication and reporting:
ERM requires a continual process of obtaining and sharing necessary information, from both internal and external sources, which flows up, down and across the organization.
As we should expect, many regulators define the role of the Board in general terms, typically requiring the Board to ensure the safety and soundness of the firm and to act prudently. Specific expectations around the Board's role in operational risk are often not articulated. To understand the regulator's expectation, therefore, we should refer to the BCBS Revisions to the Principles for the Sound Management of Operational Risk2 published in March 2021; many regulators simply require their firms to comply with these principles. I must declare an interest here, having had the great pleasure of representing the Financial Services Authority and Prudential Regulation Authority on the BCBS Operational Risk Working Group and having been involved in the drafting of the June 2011 Principles for the Sound Management of Operational Risk,3 in what was one of the most enjoyable periods of my working life. As a great admirer of the BCBS operational risk documents, I am always surprised at the number of operational risk professionals who are unaware either of these ‘Sound Management Principles’ or of their content. In my chapters, endnotes are provided directing readers to the relevant BCBS documents, which are available free from the BCBS website. If you have not recently, or ever, visited the BCBS website4 I would encourage you to do so.
The Revisions to the Principles for the Sound Management of Operational Risk document provides a mechanism for firms to assess the robustness and effectiveness of their ORMFs. When reading these principles, it is important to take a full account of the principles and also the supporting paragraphs. The BCBS has devoted the first four principles to the roles and responsibilities of the Board; these are:
Principle 1:
The board of directors should take the lead in establishing a strong risk management culture, implemented by senior management. The board of directors and senior management should establish a corporate culture guided by strong risk management, set standards and incentives for professional and responsible behaviour, and ensure that staff receives appropriate risk management and ethics training.
Principle 2:
Banks should develop, implement and maintain an ORMF that is fully integrated into the bank's overall risk management processes. The ORMF adopted by an individual bank will depend on a range of factors, including the bank's nature, size, complexity and risk profile.
Principle 3:
The board of directors should approve and periodically review the ORMF, and ensure that senior management implements the policies, processes and systems of the ORMF effectively at all decision levels.
Principle 4:
The board of directors should approve and periodically review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk the bank is willing to assume.
In the case of the principles impacting Boards, the supporting paragraphs include references to: establishing a code of conduct along with supporting training; integrating the ORMF into the overall risk management process; and the specific expectations of the Board regarding the operational risk management process. One interesting change included in the revisions is the amendment to Principle 1 to specify that senior management should implement the risk management culture. The revisions to the principles also detail the expectations of senior management, who play a crucial role in implementing the ORMF:
Principle 5:
Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well‐defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank's material products, activities, processes and systems consistent with the bank's risk appetite and tolerance statement.
Principle 6:
Senior management should ensure the comprehensive identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.
Principle 7:
Senior management should ensure that the bank's change management process is comprehensive, appropriately resourced and adequately articulated between the relevant lines of defence.
Principle 8:
Senior management should implement a process to regularly monitor operational risk profiles and material operational exposures. Appropriate reporting mechanisms should be in place at the board of directors, senior management and business unit levels to support proactive management of operational risk.
In the case of the principles impacting Senior Management, the supporting paragraphs include references to: the senior management translating the ORMF into specific policies and procedures that can be implemented and verified; some of the tools that can be used to identify and assess operational risk (see Chapter 6, Risk Identification and Assessment); the need for policies and procedures for the review of new products, activities, processes and systems; and the need for banks to continuously improve the quality of operational risk reporting.
I would urge readers to benchmark their ORMF against the ‘Revisions to the Principles for the Sound Management of Operational Risk’ and ensure that any gaps are identified and remediated. Best to identify and remedy them yourself before an incident exposes the deficiency or perhaps worse, an internal audit or the regulator comes to town.
While some readers may feel that the focus of the BCBS's attention is on Globally Systemically Important Financial Institutions (G‐SIFIs) and these principles should not therefore apply to them, the mandate of the BCBS is to ‘strengthen the regulation, supervision and practices of banks worldwide with the purpose of enhancing financial stability’. In addition, these principles are equally relevant to non‐bank financial institutions and indeed some non‐financial institutions use these principles to help shape their operational risk frameworks.
Regulators would expect firms to have an independent operational risk function and for this function to report to a Chief Risk Officer (CRO). In the UK, this role is considered to be a key senior management function and is one of the roles (SMF 4) designated under the UK Senior Managers and Certification Regime. The CRO is a member of the senior management team responsible for the identification, assessment and management of the firm's risks, both financial and non‐financial. The role of the second line operational risk function is usually described as ‘oversight and challenge’, although unfortunately for me this generic term creates a picture of the second line leaning back in their chairs, with their feet on the desk, a cigar in one hand and a strong drink in the other. This definition is not therefore necessarily very useful, so let us explore in more detail what this activity might involve. I would expect the role of the CRO to include ensuring that the second line operational risk team:
Continues to maintain its independence;
Develops the ORMF policies, procedures and guidelines;
Develops and maintains a taxonomy covering causes, events and impacts;
Provides ongoing Operational Risk training;
Undertakes oversight of the first line's implementation of the ORMF;
Challenges:
The operational risk identification and assessment processes undertaken throughout the firm, including but not limited to the risk and control self‐assessments, scenario analysis and the recording of risk events;
Control testing and assessments;
The reports and information provided by the first line;
Monitors first line compliance with the firm's operational risk appetite.
The manner in which the ‘challenge’ is undertaken can be an important determinant of the operational risk team's relationship with the rest of the organisation. Clearly, an effective operational risk team needs to establish and maintain good working relationships throughout the firm, and I have found that a partnership model works best as long as it does not undermine the independence of the team. There will always be a concern that the risk function will be seen as a blocker rather than a partner; in April 2024, for example, Lloyds Bank announced plans to reduce risk management roles as part of a restructure.
As part of some of the consultancy assignments we have undertaken, Dr. Jimi Hinchliffe and I have worked with some firms that are required by the UK FCA to comply with the Financial Reporting Council's ‘UK Corporate Governance Code’ published in July 2018.5 It would therefore be remiss of me not to briefly describe the code here. The Code contains five components:
Board leadership and company purposes;
Division of responsibilities;
Composition, succession and evaluation;
Audit, risk and internal control;
Remuneration.
The section dealing with audit, risk and internal control requires the board to ‘establish and maintain an effective risk management and internal control framework, and determine the nature and extent of the principal risks the company is willing to take in order to achieve its long‐term strategic objectives’. In addition, ‘the Board should monitor the company's risk management and internal control framework and, at least annually, carry out a review of its effectiveness. The monitoring and review should cover all material controls, including financial, operational, reporting and compliance controls’.
We can expect the importance of ERM to continue to increase in the next few years in the face of a number of increasing challenges, including: global political events; climate change; cyber‐crime; AI (friend or foe); crypto assets; and increasing unknown unknowns. Firms can strengthen their ERM frameworks by:
Ensuring they have a robust and effective risk and governance framework – firms must benchmark and maturity assess themselves against international standards, remediating any gaps or weaknesses;
Ensuring they can always quickly identify risks and challenges;
Ensuring they have a robust scenario testing programme;
Understanding why things go wrong;
Managing risk and not data – many firms use Word and Excel to manage their risks but in reality are managing data rather than risk, instead of using a GRC system that enables them to manage risk;
Ensuring they have clear roles and responsibilities.
1. The COSO Enterprise Risk Management – Integrating with Strategy and Performance Executive Summary can be found at https://www.coso.org/_files/ugd/3059fc_61ea5985b03c4293960642fdce408eaa.pdf.
2. The BCBS Revisions to the Principles for the Sound Management of Operational Risk are available free of charge and can be found at https://www.bis.org/bcbs/publ/d515.pdf.
3. The June 2011 BCBS Principles for the Sound Management of Operational Risk are available free of charge and can be found at https://www.bis.org/publ/bcbs195.pdf.
4. The BCBS website is located at https://www.bis.org/bcbs/index.htm.
5. The Financial Reporting Council's UK Corporate Governance Code (July 2018) can be found at https://www.frc.org.uk/library/standards-codes-policy/corporate-governance/uk-corporate-governance-code/.
In this chapter, we explore the origins and evolution of operational risk management (ORM), starting with scandals, particularly the collapse of Barings Bank in 1995 due to Nick Leeson's rogue trading. We will consider how international regulators, through the Basel Committee on Banking Supervision (BCBS), responded through Basel 2 and then examine the role of the UK Financial Services Authority (FSA). Finally, we review the role of the Institute of Operational Risk (IOR) in the origins and evolution of ORM.
Scandals have plagued the UK financial services sector, and scandals played an important role in the regulatory focus on operational risk. In the following section, we will explore the collapse of Barings in 1995 and the influence of rogue trader Nick Leeson on the evolution of ORM. We will then touch on how misselling scandals in the UK in the 1990s affected ORM's development.
Nick Leeson contributed more than anyone to developing ORM as a new, distinct and vital discipline! For it was the rogue trading scandal in which Leeson brought about the collapse of Barings Brothers Bank in 1995 (Barings was one of the oldest and most blue‐blooded of the City's merchant banks) and the subsequent high‐profile nature of the scandal (in part due to the book by Leeson, and the accompanying movie titled ‘Rogue Trader' released in 1999 starring Ewan McGregor) that awoke international regulators to this new risk type, and propelled the management of operational risk to the top of the regulatory agenda.
Leeson's infamy contributed significantly to the profile of this new risk type, called, at the time by regulators for want of a better term, ‘other risks'. In other words, risks other than the traditional credit and market risks. Indeed, the EU Commission Working Group, which read across the operational risk‐related elements of the Basel 2 regime to what would later become the EU Capital Requirements Directive (CRD), was called ‘The Working Group on Other Risks'.
Barings Bank was a UK‐based merchant bank that failed after a trader named Nick Leeson engaged in a series of unauthorised trades that went sour catastrophically in 1995. Having lost over one billion dollars (more than twice its available capital), Barings went bankrupt due to activity in the far‐off Singapore operation. The bank's assets were subsequently acquired by the Dutch ING Group, forming ING Barings, for £1. Following the rogue trading debacle, Leeson wrote his aptly titled ‘Rogue Trader' book while serving time in a Singapore prison.
Leeson began heading up the bank's new Singapore trading operation in 1992 at the young age of 25, trading futures contracts on the Nikkei 225 index. The intended trading strategy was to arbitrage slight differences in prices between the Osaka Securities Exchange (OSE) in Japan and the Singapore International Monetary Exchange (SIMEX). This strategy, known as index arbitrage, involved no directional or unhedged positions and was supposed to be low risk. Leeson initially appeared to make a lot of money; for instance, in 1994, he received a bonus of £450,000 for reporting profits of £28 million – an astonishing 60% of the bank's total earnings for the year! However, one of Leeson's team made a large error (old‐style pit trading was prone to significant operational risks, and mistakes were not uncommon) and, to house the error temporarily, Leeson created the now infamous ‘88888’ (five eights) error account. Rather than address the errors or recognise the losses, he used the account increasingly to conceal his losses, which grew to hundreds of millions of pounds.
Initially, Leeson tried to trade his way out of the losses. At one point, he accumulated a staggering £7 billion notional position on the Nikkei using futures contracts (many multiples of the group's total capital reserves)! Leeson was also feverishly selling options to generate income to help fund the enormous daily margin payments on his futures positions. As Leeson became increasingly desperate to conceal the scale of his losses, he succumbed to blatant fraud, including forging documents for senior management and the auditors to hide losses, exaggerate profits and conceal mounting risks. Disaster eventually struck when the Kobe earthquake on 17 January 1995 sent the Nikkei into freefall, losing over 10% of its value in less than a week. After briefly trying to prop up the market – an indication of the hubris of the star trader – Leeson fled, was arrested in Frankfurt and was extradited to Singapore, where he was jailed.
The collapse of Barings due to Leeson's rogue trading quickly became a case study in both rogue trading and how not to manage operational risk, as just about everything in the case of Barings was done wrong:
Lack of preventative segregation controls between the front and back office. Leeson was in charge of the derivatives trading desk and of clearing, settlement and accounting. Carlo di Florio, Chief Services Officer at ACA Compliance Group and a former senior executive at both FINRA (the Financial Industry Regulatory Authority) and the US Securities and Exchange Commission (SEC), said this convergence of duties was tantamount to having ‘the fox guarding the hen house’.1 As Leeson states in Rogue Trader: ‘The lack of proper controls and supervision in both Singapore and London allowed me to take ever‐greater risks without anyone pulling me back’.2
Failure to identify and manage conflicts of interest, especially concerning the lack of segregation between the front and back office. As Leeson noted, ‘I was effectively both the front office and the back office, placing the trades and settling them. That is a recipe for disaster’.3
Lack of detective controls, for example trade surveillance. Leeson could carry on his fraudulent activity for a prolonged period without detection because detective controls were absent. Where controls that would otherwise have helped detect the fraud (e.g. reconciliation controls) did exist, Leeson was able to manipulate them because his role spanned the front and back office.
Lack of oversight and challenge from the second line risk and compliance functions. Risk and compliance functions were weak and ineffective, so Leeson could effectively run rings around them.
Lack of effective governance to oversee the Singapore operation – both locally within the Singapore office and at the group level in London. The board and senior management appeared happy to recognise the profits without questioning the risks taken or checking whether anything was untoward. Leeson recollects that ‘they [London] didn't ask questions because they were making so much money. Everyone was happy, and no one wanted to spoil the party’ (Leeson and Whitley 1996, p. 62).
Failures of day‐to‐day line management. Line management oversight is one of the most potent preventative and detective controls for internal fraud. Leeson reported day‐to‐day to Simon Jones, who oversaw the trading business at Barings Investment Bank, to Ron Baker, Head of Barings Futures Division, and to Peter Norris, the CEO of Barings Investment Bank. This matrix reporting led to confusion and a lack of proper accountability for supervising him, which resulted in Leeson being effectively unsupervised both locally in Singapore and at the group level.
Remuneration