Non-financial Risk Management in the Financial Industry - Group of authors - Page 17
2.1 Introduction
Risk management has always been a core element of financial institutions, which play a significant role in the transformation function of the financial markets, transforming lot sizes, maturities and risk.[1] In recent years, however, not all loss events could be attributed to the traditional financial risks. The remaining losses stem from so-called non-financial risks, which are linked to operations.
As a first step in the discussion of risk management and the different types of risk, it makes sense to consider the definition of risk itself. According to the Oxford Learner’s Dictionary, risk is defined as “the possibility of something bad happening at some time in the future; a situation that could be dangerous or have a bad result.”
To offer products and services, financial institutions need business operations. These include headquarters and branch operations, which rely on physical assets such as buildings, rented premises or even vaults. These physical assets are complemented by IT infrastructure, comprising both hardware and software.
Overall, there are five sources of potential operational risks or operational risk events.[2] These are people, processes, systems, external events and legal risks. All these components of the business and operating models give rise to a wide range of potential risks. These need to be identified, measured and managed. In managing these risks, banks must balance the expected return from risk-related activities with the amount of loss from these activities if risks materialise, as well as the costs of their management or mitigation. According to the Basel Committee, an effective operational risk management system and a robust level of operational resilience work together to reduce the frequency and impact of operational risk events.[3]
Financial business inherently includes numerous risk types, so complete risk avoidance in the sense of a “zero risk tolerance” is impossible. Risk taking and the management of risks are an integral part of the business. When providing loans to customers, financial institutions take on a credit risk. As the value of assets, such as securities, depends on certain underlying market parameters, such as interest rates, commodity prices or share prices, they are also exposed to market risks. Another core element of banking is taking deposits to fund loans. The management of the resulting cash inflows and outflows from assets and liabilities results in liquidity risks.
There are generally five basic management approaches to treating risks[4]: acceptance, avoidance, mitigation, sharing and transfer. Risk avoidance aims at fully evading the risk. This can mean that certain business activities need to be stopped or not performed, or that processes need to be designed in a way that ensures the particular risk does not arise. For example, when a bank wants to avoid any risk from outsourcing part of its value chain, the entire process needs to be done in-house. If currency risks are to be avoided for certain currencies, then these currencies cannot be used for trading, lending or payment services.
Risk mitigation describes the process of taking actions to reduce the possible loss event frequency or the possible impact of loss events. It is central to the mitigation strategy that an effective control environment is established, with preventive as well as detective controls. An internal control environment is an essential part of all risk management processes, and almost all regulators require financial institutions to have one. The European Banking Authority (EBA) publishes detailed guidelines on internal control frameworks in Title V of its guidelines on internal governance.[5]
Where internal controls do not adequately address a risk and accepting it is not a reasonable option, management can also share or transfer the risk to another party, for example by way of insurance products.[6] However, the Basel Committee points out that risk transfer is an imperfect substitute for sound controls and risk management programmes; banks should therefore view it as a complementary strategy rather than a replacement for thorough internal operational risk controls.[7]
Risk acceptance means that the risk is accepted without taking any specific measures. This can be the case when a certain risk type is deemed non-material for the financial institution. An indicator for this could be that the expected loss would be less than the cost of the management activities needed to mitigate the risk.[8] In addition, this strategy is also applied to the assessment of residual risks, the latter being the risk exposure that remains after controls have been taken into account.[9]
The choice of approach for any particular risk type depends on the individual bank’s business model, i.e. its products, services, processes, people, transaction channels as well as physical and IT infrastructure. It further depends on the bank management’s risk strategy and risk appetite, as well as on the relevance of the risk type within that combination. The general approach to risk management stated in the risk strategy is detailed in the risk appetite statement, which elaborates on the types and amounts of risk a financial institution is willing to take. For more details on risk appetite, especially from a non-financial risk perspective, please refer to chapter 3.
The practices of risk management vary depending on the size and complexity of business models and operations. However, a general approach to risk management always contains four core steps for each identified risk type. The first step is the determination, description and measurement of the inherent risk of the particular risk type. Inherent risk is defined as the amount of that type of risk without any mitigating measures or control processes. In a second step, based on this inherent risk, an assessment of potential mitigating measures is performed. These mitigating measures can take different forms, one of which is the use of internal controls for a certain type of risk. Such measures are intended to reduce the impact of a risk event. The implementation of controls around the processes related to the specific risk type can help reduce both the probability of a risk event and its impact should it occur. Examples of such controls are the four-eyes principle and user access management. In a third step, the residual risk needs to be managed, if any remains after application of all mitigating measures and controls. Lastly, all of these steps need to be documented and reported to management, at least on an aggregated level.
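As an added illustration of the four steps above and of the acceptance test described earlier (example code written for this edition, not from the book), the following Python sketch models inherent risk as expected event frequency times impact, lets preventive controls reduce frequency and detective controls reduce impact, and derives a treatment from the residual figure. The control names follow the text; the effectiveness values, costs, frequencies, impacts and appetite threshold are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Control:
    name: str
    kind: str             # "preventive" lowers event frequency, "detective" lowers impact
    effectiveness: float  # share of frequency or impact removed, 0.0 to 1.0
    annual_cost: float    # hypothetical yearly cost of operating the control

@dataclass
class OperationalRisk:
    name: str
    source: str           # people, processes, systems, external events or legal
    frequency: float      # inherent expected loss events per year
    impact: float         # inherent expected loss per event
    controls: list = field(default_factory=list)

    def inherent_expected_loss(self) -> float:
        # Step 1: inherent risk is measured before any mitigating measure
        return self.frequency * self.impact
    def residual_expected_loss(self) -> float:
        # Step 2: preventive controls cut frequency, detective controls cut impact
        freq, imp = self.frequency, self.impact
        for c in self.controls:
            if c.kind == "preventive":
                freq *= 1.0 - c.effectiveness
            else:
                imp *= 1.0 - c.effectiveness
        return freq * imp
    def control_cost(self) -> float:
        return sum(c.annual_cost for c in self.controls)

def treatment(risk: OperationalRisk, appetite: float) -> str:
    # Step 3: accept when expected loss is below the cost of managing it; otherwise
    # mitigate, and flag residual risk above the appetite threshold for sharing/transfer
    if risk.inherent_expected_loss() < risk.control_cost():
        return "accept"
    if risk.residual_expected_loss() > appetite:
        return "mitigate and transfer"
    return "mitigate"
# Constructed sample register; all figures are illustrative, not taken from the book
FOUR_EYES = Control("four-eyes principle", "preventive", 0.9, 20_000)
ACCESS_MGMT = Control("user access management", "preventive", 0.5, 10_000)
SAMPLE_RISKS = [
    OperationalRisk("unauthorised payment release", "people", 2.0, 50_000, [FOUR_EYES, ACCESS_MGMT]),
    OperationalRisk("minor data-entry errors", "processes", 20.0, 100.0, [FOUR_EYES]),
    OperationalRisk("data-centre outage", "systems", 0.2, 2_000_000, [Control("redundant site", "preventive", 0.5, 100_000)]),
]
APPETITE = 25_000  # hypothetical residual expected loss tolerated per risk
```

Step 4 (documentation and reporting) is then a matter of listing, per risk, the inherent figure, the residual figure and the chosen treatment, aggregated by source for management.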