Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events, including legal risk and excluding strategic and reputational risk (last two are treated as separate categories). Operational risk is demonstrated in every aspect of activity of the organisation and constitutes its intrinsic part.
In the year 2016 there could be observed a continuous use of standards implemented for the purpose of efficient management of operational risk, which are in line with the best practice of national and international financial institutions. The adopted risk management structure describes the various management levels and scopes of their duties and responsibilities.
Owners of defined business and support processes play a key role in the day-to-day operation of the Bank. Process owner, basing on thorough knowledge about the process, accurately identifies and mitigates recognized risks, thus constituting the first line of defence. The second line of defence is the level of specialized units dealing with the organization of the management and control of an acceptable level of risk, with particular consideration of the areas such as: compliance, antifrauds, security and business continuity as well as insurance and outsourcing. The third line of defence is the independent internal audit unit.
Every decision regarding optimising operational risk is preceded by cost-benefit analysis.
A higher risk management level is the Processes and Operational Risk Committee, which focuses on threats identified in more than one process. All and any activities concerning operational risk are coordinated and supervised by the Risk Committee, the Management Board and the Supervisory Board.
In keeping with the adopted model, risk management is a process of continuous improvement as regards identification, assessment, monitoring, mitigating and reporting by:
- Gathering operational risk events,
- Self-assessment of operational risk in individual processes,
- Analysis and monitoring of risk indicators.
The Group gathers operational risk events in an IT tool. The tool supports management of operational risk. Such events are being afterwards analysed in what concerns the source of event and possibility of mitigating the effects and apply appropriate preventive actions. In the IT tool, events are being ascribed to a certain risk category and proper process type, which is later used as a part of reporting and risk self-assessment validation. The internal database of risk events additionally meets qualitative and quantitative requirements for following the advanced approach in calculating capital requirements on account of operational risk.
The risk self-assessment was being realised together with the processes review. It relied on assessment of adopted solutions’ effectiveness in fulfilling expectations of Clients and business partners in the scope of both, services quality and costs optimisation. Approved operational risk and control methodology allowed assessment of risk level in a given process, taking into account existing controls and basing on accepted scenarios. Mitigation actions were proposed implemented and are monitored for purposes of assessment of risk levels above the accepted tolerance threshold.
During the risk and control self-assessment exercise an analysis of performance indicators was made, including risk indicators defined for each process. Key persons – responsible for creating and implementation activities in given processes – have defined and adjusted the indicators thus to make them the best forecasts of future risks. On-going monitoring of indicators serves the purpose of increasing effectiveness and productivity of processes as well as effective control of risk on the level of individual actions within processes.
Information about operational risk in processes is included in the top level dashboards consolidating information about the processes performance.
Considering the degree of development of operational risk management and the scale and profile of its activity, the Bank calculates its capital requirement due to the operational risk using the Standard Approach.