The Basel Committee has issued eleven risk management principles embodying transparency, risk mitigation, strong internal controls, and active board and senior management oversight. Principle 1 is that the board of directors and senior management establish a strong risk management culture throughout the organization with standards and incentives for responsible behavior. In this regard, the board should adopt a Code of Conduct setting clear expectations for integrity and ethical values of the highest standard and identifying acceptable business practices and prohibited conflicts.
The Code should set clear expectations and accountabilities to ensure that staff understands their roles and responsibilities for risk, as well as their authority to act. Basel envisions that strong and consistent senior management support for risk management will reinforce the Code. Further, compensation policies should be aligned to the firm’s statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They should also appropriately balance risk and reward.
The fundamental premise of sound risk management, the Committee explained, is that the board of directors and management understand the nature and complexity of the risks inherent in the portfolio of products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, and systems. Thus, Principle 2 demands that firms implement a Framework for operational risk that is fully integrated with their overall risk management processes. The Framework chosen by an individual firm will depend on a range of factors, including its nature, size, complexity and risk profile. Principle 3 requires the board of directors to approve and periodically review the Framework.
Under Principle 4, the board should approve and periodically review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of risk that the firm is willing to assume. Specifically, the risk appetite statement should factor in the firm’s level of risk aversion, current financial condition and strategic direction, as well as set thresholds for specific operational risks. This review should consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume and nature of limit breaches.
Principle 5 requires senior management to translate the risk management Framework established by the board into specific policies and procedures that can be implemented and verified within the different business units. In doing so, senior management should assign responsibility and reporting relationships to encourage accountability, and ensure that the necessary resources are available to manage operational risk in line with the risk appetite and tolerance statement. Moreover, senior management should ensure that oversight is appropriate for the risks inherent in a business unit’s activity.
Similarly, under Principles 6 and 7, senior management should ensure the identification and assessment of the risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood. Senior management should also ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.
Principle 8 requires senior management to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be put in place at the board, senior management, and business line levels that support proactive management of operational risk. The frequency of reporting should reflect the risks involved and the pace and nature of changes in the operating environment. Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making, including breaches of the risk appetite and tolerance statement, as well as thresholds or limits and details of recent significant internal operational risk events and losses.
More broadly, Principle 9 envisions a strong control environment with internal controls and risk mitigation strategies. According to Basel, internal controls should provide reasonable assurance that a firm has effective operations, safeguards its assets, and produces reliable financial reports. Principle 10 requires business resiliency and continuity plans in order to ensure an ability to operate on an ongoing basis and limit losses in the event of severe business disruption.
Finally, Principle 11 requires public disclosures allowing stakeholders to assess the firm’s approach to risk management. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of a firm’s operations, and evolving industry practice. In Basel’s view, disclosure of relevant risk management information can lead to transparency and the development of better industry practice through market discipline.