Governance structures and leading practices for risk management in central banks

Helena Tejero, Division Head, Risks & Processes, Bank of Spain

Central Bank Governance Forum 2014, IMF / Hawkamah, Dubai, United Arab Emirates

December 8, 2014

FEDERAL RESERVE BANK OF PHILADELPHIA

Today's agenda

• International Operational Risk Working Group (IORWG) Overview

• Central Banks Risk Governance Structures

• Central Banks Risk Practices

• Conclusions

The views herein are the personal views of the speaker and do not necessarily represent the views of either the IORWG members or the Bank of Spain.


International Operational Risk Working Group


International Operational Risk Working Group (IORWG) Overview

Leadership:
• Chaired by the Federal Reserve Bank of Philadelphia and the Bank of Spain.

Objectives:
• Share best practices.
• Innovate new frameworks and methodologies.
• Generate genuine interest on ORM*.

Membership Representatives:
• Risk representatives from central banks and monetary/supervisory authorities across the world.

Membership Benefits:
• Knowledge sharing, networking opportunities, and research topics with other central banks through “global” expert groups participation.

Information channels:
• IORWG website (www.iorwg.org).
• Regular email alerts to members.

Conferences organized:
I. Spain, 2006
II. United States, 2007
III. Denmark, 2009
IV. France, 2008
V. Brazil, 2010
VI. Thailand, 2011
VII. Sweden, 2012
VIII. Morocco, 2013
IX. Israel, 2014
X. South Africa (planned for 2015)

(*) ORM stands for Operational Risk Management


In October 2005, 18 institutions agreed to be part of the IORWG …

[Map of IORWG member institutions. Labels shown: Latvia, Estonia, France, UK, Germany, Sweden, Austria, Luxembourg, Ireland, The Netherlands, Denmark, Spain, ECB, Japan, United States of America, Canada, Thailand, Portugal, Switzerland, Mexico, Lithuania, Bulgaria, Philippines, Norway, Greece, Korea, Belgium, Jordan, Poland, Azerbaijan, Hong Kong, Curaçao, Brazil, Morocco, International (Bank for International Settlements, BIS), Australia, New Zealand, Malaysia, Chile, South Africa, Israel, Malta, Italy, Dominican Republic, Bolivia, Ecuador, Costa Rica, Colombia, Indonesia, Argentina, Madagascar, Uganda, India, Malawi, El Salvador, Singapore, Uruguay, Angola.]

… 59 members in 2014.

IORWG Collaboration Efforts

Expert Group Process:

• Expert Group studies: 35 completed to date, e.g. last year’s topics:
  – ORM Trends and Best Practices (Phase II).
  – Risk Culture and Awareness.
  – Incident Management and Reporting.
  – ORM Interdependencies with Management of Other Enterprise Risks.
  – Existing Governance Structures in the Area of Risk Management.
  – Risk Repository (Phase IV).

• 2015 topics will focus on continuing work associated with trends and best practices, reporting, advancement of the risk repository, information and cyber security, training practices and building a maturity model.

• Research topics use industry literature, conduct member surveys, profile central bank practices in greater detail and summarize results at the conference (4-5 month effort).

• Use breakout groups on expert group topics to further discuss key items and report back to the group.


Risk Governance Structures


Three lines of defense model

Central banks governance structures generally rely on three lines of defense by which governing bodies and senior management in their responsibility for risk management framework are served by the following “lines”:

• Business line management: “Owners” of risk. Responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which they are accountable.

• Risk management function: Responsible for providing the risk framework and for independently overseeing risk-taking activities bank-wide.

• Internal audit function: Responsible for independently opining on the overall appropriateness and adequacy of the framework and the associated governance processes.


Board / board subcommittee

• Ultimate responsibility for risk management is generally assigned to the governing bodies (e.g. governor, board, executive committee).

• The board or a subcommittee of the board is often responsible for providing oversight and direction with regard to risk management (in some Central Banks (CBs), oversight is provided by the governor or a RMC* at the executive level).

• Common subcommittees:
  – The audit committee and, to a much lesser extent, the risk oversight committee.

• Common duties:
  – Ensure the establishment and maintenance of the framework.
  – Provide oversight over the program.
  – Review reports – activities and status of risk management, risk profile, key risks, response to the most significant risks.

• Improve the focus and dialogue on risk, challenge and dig deeper into emerging risks

(*) RMC stands for Risk Management Committee

Committees involved in the risk governance

Four different approaches

1.
• The Board does not delegate the risk oversight responsibilities to a sub-committee.
• The Board is supported by existing committees, with a broad mandate, not dedicated to risk issues.

2.
• The Board delegates to an executive sub-committee which is responsible for all risks and in some cases for operational risks only.

3.
• The Board delegates to a board subcommittee.
• In addition a RMC has an executive role – establish and maintain the risk management framework.

4.
• The Board delegates to a board sub-committee.
• In addition there are:
  - RMC (executive risk committee) and
  - Specialized Risk Committees.

Note: an Audit Committee generally exists in all approaches.


Governance (cont.)

• Governance is often not well documented or understood; responsibilities, particularly advisory roles, are not consistently applied.

• How governance relationships work in practice is not always consistent with charter documentation.

• Formal guidance needs to be provided to ensure committees are consistently established, operated, and reviewed.

• Structure, roles, and decision rights across bodies are interpreted differently.

• Complex or undefined governance can result in confusion regarding accountability and prolonged decision making. This can increase operational risk and can lead to reputational risk.

• Conduct self-assessments of governance practices

Operational risk function

• Most CBs have centralized independent ORM unit; several have centralized compliance units.
  – In some cases, the functions are combined with other risk and control-related disciplines, e.g. Business continuity, IT security.

• Usually deals with legal, reputational and compliance risks. To a lesser extent with financial and strategic risks.

• Sample of central banks have on average 4 full-time equivalent in risk units.

• Main responsibilities:
  – Provide risk management methodologies.
  – Facilitate and consolidate the results of risk assessments.
  – Assisting in developing processes and controls.
  – Track risk incidents and report on mitigation.
  – Coordinate reporting board, RMC and senior management.
  – Provide guidance and training.
  – Few include the operational risk measurement.

• Challenge the business lines outputs from risk management activities


Internal audit

• Central banks have an independent internal audit unit from 1st and 2nd line of defense.
  – Although some ORM programs were/are still launched and championed by the internal audit.

• Main responsibilities:
  – Verify that the risk framework has been implemented as intended and is functioning appropriately.
  – Assess the effectiveness of the bank’s operational risk management controls, processes and systems, as well as governance.
  – Review the management and reporting of key risks.

• Ensure independence of risk management and internal audit although they may collaborate in activities such as awareness programs

Interdependencies

• Generally the tendency of disciplines is to operate in silos due mainly to a weak governance structure and immature risk culture.

• The greatest extent of alignment with ORM is associated with business continuity, and IT and information security risks.

• There is also high interaction, meetings, exchange of reports with the internal audit unit.
  – Building a common risk taxonomy, using the same process map, exchange of information, …
  – In a few cases, permanent access to ORM/IA databases.

• Challenges with aligning ORM with other disciplines
  - Get acceptance for an integrated approach
  - Overcome differences in terminologies and views regarding approaches and methodologies e.g. IT framework too technical and granular to integrate


Risk Practices


Central Banks ORM current status

• Generally ORM programs are fully or almost fully implemented in CBs.

• Most ORM frameworks are internally developed.
  – Also some refer to COSO, ESCB, ISO or Basel standards.

• Common ORM framework for all areas across the central bank.
  – Different frameworks in few central banks still co-exist.

• “ERM” approach is not generally implemented.
  – Although major integration is seen in risk reporting.

• Central banks follow a standardized phased approach for risk management procedure: risk identification, assessment, responding to, reporting on and monitoring.

• Most banks use different IT solutions (mainly SharePoint, MS Office or internally developed) for different ORM activities, some do not use any tools.
  – The use of an integrated IT tool to support the whole risk management procedure is rare (often cost prohibitive).


Central banks ORM practices

[Figure, non exhaustive: ORM practices placed along an "ORM development" axis running from - to +. Practices shown: Risk and control self assessment; Risk appetite/tolerance; Risk awareness and culture; Risk quantification; Impactful/value-added reports; KRIs; Scenario analysis; Risk identification; Incident reporting.]

Developing and reviewing central banks’ risk appetite/tolerance

Risk Appetite

• Risk Appetite is defined as “the amount of risk, on a broad level, that an organization is willing to accept in the pursuit of its mission, vision, business objectives and overall strategic goals.”
  – Approved at the senior level, embraced by the board, easy to communicate and embedded and understood at all levels.
  – Set clear boundaries – qualitative statements and quantitative measures.
  – Reportable: through monitoring, action defined for any breaches (escalation, review, approval).

Risk Tolerance

• Risk Tolerance is “a series of limits which may either be set as not to be breached, or as an alert mechanism.”
  – While risk appetite is broad, risk tolerance is tactical and operational.
  – Tolerances form part of the risk appetite framework for specific risks, by guiding operational areas for appropriate risk taking and select the types of controls which are needed to ensure that limits are not exceeded.


Risk appetite/tolerance experiences

• Experiences
  – There is evidence of the gap between the financial system and central banks regarding the understanding and management of the concept
  – The concept of Risk Appetite / Tolerance has not yet been embraced in CBs because of the reputational impact and the conservative profile of the CBs
  – Nevertheless, generally CBs have incorporated some elements of risk appetite into their framework; different levels of maturity are noticed.
  – Expressed as a statement, embedded in policies or part of risk matrix.
  – Some CBs publish their risk appetite on their main website to illustrate to the public how their risk framework works.

• Introducing a clear distinction between appetite and tolerance should be the first step.

• Risk (all types of) appetite shall be more formally documented.

Central banks risk culture / awareness

• This topic remains the most challenging for IORWG central banks, as it is and will be the core driver of the business areas’ motivation to manage risks.
  – Few central banks rank culture as excellent; almost 70% see culture as good and more than 20% as inadequate.

• Generally staff in key functions have the appropriate level of skills, knowledge and experience to enable sound risk management practices.
  – Senior management and key business heads have been trained in most cases.
  – Training to all staff is in place only in some central banks.

• Risk awareness activities are regularly performed:
  – Monthly/quarterly risk bulletins, newsletters, quizzes to staff.
  – Periodic incident reporting.
  – Risk articles in the quarterly Bank magazine.


Central banks risk culture / awareness (cont.)

• Risk awareness activities are regularly performed (cont.):
  – Risk awareness week and other activities.
  – Monthly departmental/ business unit awareness.
  – Risk management workshops.
  – Monthly risk managers’ meetings.
  – Displaying messages or banners that promote a strong risk culture in strategic areas.
  – Playing recorded risk messages in the elevators.

• Key levers for risk culture fostering:
  – Strong support from board and senior management.
  – ORM training.
  – Increased communication/cooperation with board, senior management, business areas and staff.
  – Enhanced risk methodology (clear and practical).

• Fostering a risk aware culture at all levels of the organization

Risk reporting practice

• Most common components:
  – Risk Control Self Assessments.
  – Incident Reporting.
  – Business Continuity Management.
  – Market and credit risks.
  – Top organizational risks.
  – Risk Tolerance.
  – Emerging Risks.

• To a lesser extent:
  – KRIs.
  – Project risks.
  – Scenario Analysis.
  – Liquidity risks.
  – KPIs.

• Most popular scoring method used is risk matrices.

[Figure: risk matrix with axes Impact (1 to 5) and Likelihood (1 to 5).]


Risk reporting practice (cont.)

Risk Reporting

Receiver:
• Board or dedicated risk management committee
• Senior management/business areas for information, also internal audit

Frequency:
• At least annually for approval
• Frequent reporting on dedicated risks/incidents

Media:
• Usually hard copy, some via e-mail
• Include additional presentations
• Only a few provide information to all staff

Content:
• Most focus only on operational risk
  - Major risks, mitigation, risk heat map, major incidents
• Overview to Board/risk management committee about the risk profile of the Bank

Risk reporting practice (cont.)

Risk reporting remains a key challenge for central banks: how to create impactful and value-added reports along with data limitations?

Characteristics:
• Frequency
• Accuracy
• Appropriateness
• Comprehensiveness
• Timeliness
• Truthfulness

Key tools:
• Leading Indicators – Forward Looking
• Lagging indicators and incident reports – trend analysis
• Dashboards and Heat maps
• Identification of thresholds and trigger points


Incident management & reporting practice

• Only some central banks have a mature practice in place.
  – There are still many central banks at an early stage and few have no formal process implemented yet.

• Incident management and reporting procedure:
  – Most CBs utilize standardized templates.
  – Reporting includes “near misses”.
  – For the grading of the incidents most of the CBs use a scale of 1 to 5
  – Only a few CBs work with financial thresholds.
  – Generally decentralized – submission from business areas to ORM function.
  – Incidents are analyzed – by the business units and/or ORM function – and appropriate action plans are agreed on.
  – In the majority of the CBs, the business unit is in charge of any action plan follow up and the reporting.

Incident management & reporting practice (cont.)

• Major challenges
  – As regards the procedure, clear guidelines and a process description are needed.
  – As regards the awareness, there are major challenges to overcome:
    – Overall Bank’s risk awareness and culture.
    – “Shame culture” or “blame game”.
    – Get a strong support from senior management.
    – Timeliness of reporting by business area.
  – Technical difficulties:
    – Evaluation of financial impact is sometimes difficult.
    – Difficulties in determining a near miss.
    – Quality of the reports and the level of details.


Conclusions


Concluding remarks

• Central banks governance structures often rely on three lines of defense; a range of practice exists relating to the implementation of those.

• The board or a subcommittee of the board is often responsible for providing oversight and direction to risk management.
  – How should we improve the focus and dialogue on risk?

• Risk committees are generally in place to support board and senior management’s risk management responsibilities.
  – Are the RMCs operating effectively?

• Most central banks have a centralized independent unit dealing with ORM.
  – How should we substantiate an independent review of the business lines outputs?

• The greatest extent of alignment with ORM is associated with business continuity and IT and information security risks. There is also high interaction, meetings, exchange of reports with internal audit.
  – How should we evolve into an enterprise-wide/integrated risk management?


Concluding remarks (cont.)

• Generally ORM programmes are fully or almost fully implemented in central banks.
  – How should we shorten or expedite the implementation journey for new-comers?

• Few ORM techniques are mature.

• Some techniques still need to improve:
  – Risk appetite shall be more formally documented.
  – Continue enhancement of risk awareness / culture.
  – Improve quality of risk information.
  – Enhance incident reporting from a procedural, cultural and technical point of view.

• Few techniques are still at infancy:
  – KRIs, Scenario Analysis and Risk Quantification.

Thank you for your attention

Helena Tejero