Managing Risk at Commercial Bank
The Bank has established a database of operational losses and is in the process of expanding it with a view to migrating to more advanced approaches of computing Operational Risk capital in future. The Bank maintains this database of Operational Risk losses as per Basel II requirements under event types and business lines, and it is used to formulate the Key Operational Risk Indicators of the Bank.

| Event Type | Business Lines |
|---|---|
| Internal Fraud | Corporate Finance |
| External Fraud | Trading and Sales |
| Employment Practices and Workplace Safety | Retail Banking |
| Clients, Products and Business Practices | Commercial Banking |
| Damage to Physical Assets | Payment and Settlement |
| Business Disruptions and System Failures | Agency Services |
| Execution, Delivery and Process Management | Asset Management |
| | Retail Brokerage |

The following two graphs depict the Operational Risk loss values and number of occurrences for the year 2011 under each event type, as a percentage of their respective totals, with a comparison against the figures of the previous two years.

As experienced in previous years, the high frequency of loss events of the Bank comes with low financial impact. Events with values less than Rs. 100,000 accounted for more than 99% of the total loss events. Execution, Delivery and Process Management, which mainly consists of losses relating to cash operations taking place at over 230 delivery points, accounted for the highest number of loss events (refer Graph I). Average Operational Loss Events for the year 2011 as a percentage of the average number of transactions carried out in the year is negligible at 0.004%, which is comparable with that of previous years and indicates the high level of controls maintained by the Bank to minimise Operational Losses.

Meanwhile, Execution, Delivery & Process Management also accounts for the highest percentage of losses, followed by Business Disruptions and External Frauds (refer Graph II). However, the gross value of the total Operational Losses for the year 2011 (which includes near miss events) as a percentage of average gross income for the last three years (based on the income taken for the calculation of capital requirement for Operational Risk) is a mere 0.28%. The Bank maintains these figures at extremely low levels compared to the mandatory capital allocation of 15% under the ‘Basic Indicator Approach’ of capital computation as per Basel II, mainly due to the application of sound and effective systems and controls.

Operational Risk Appetite

Risk appetite, or risk tolerance, is the quantum of risk that the Bank is willing to accept in its different businesses over a specified time horizon. Though Risk Appetite relating to credit and market risks could be associated with returns, Risk Appetite for Operational Risk is not aligned with any direct returns. Hence, the ideal Risk Appetite level for Operational Risk is zero. However, zero tolerance for Operational Risk cannot be achieved in practice, since all banking products and processes are associated with Operational Risks, some of which cannot be fully eliminated unless the product or process is withdrawn.

The Bank has a low appetite for the material risks it is exposed to. Based on various factors such as historical loss data, budgets and forecasts, performances, existing systems and controls, observations of supervisory authorities on banking operations etc., the Bank has established tolerance levels for Operational Risk losses. Accordingly, an alert level of 3% of the average audited gross income for the last three years and a maximum level of 5% of the same have been established (refer Graph III). Further, these tolerance levels were segregated among types of Operational Losses to facilitate effective monitoring and control.

The Operational Risk function of the Bank closely monitors the above tolerance levels and notifies the Management of the movements of the actual levels against the established thresholds. If any of the individual loss events reflects an adverse trend, the Bank would take immediate action to review the processes and controls relating to the area where losses have been incurred.

Actual Operational Risk losses for the current year, as mentioned earlier, are only 0.28% (of average audited gross income for the last three years), which is well within the internal alert level of 3% and maximum level of 5% as illustrated in Graph III. Further, the Bank has been able to maintain the Operational Risk losses well under control over a period. The position of the previous three years is depicted in the Graph.

Operational Risk Monitoring and Reporting

As discussed earlier under the topics of ‘Types of Operational Risk Exposures and Key Operational Risk Indicators (KORIs)’ and ‘Operational Risk Appetite’, KORIs and the monitoring of tolerance levels are the major elements of the monitoring and reporting functions under Operational Risk.

In addition to the above measures, a well-developed regulatory monitoring mechanism is adopted by the Bank to monitor reporting and compliance with all Mandatory Banking and other Statutory Requirements. A centralised monitoring unit has also been established to detect transactions relating to Anti Money Laundering (AML) and terrorist financing activities. An Incident Reporting mechanism is in place to streamline the loss reporting mechanism which also enriches the loss database covering all types of losses and near-miss incidents that have taken place in business lines.

Further, all high value Operational Losses are reported to the EIRMC and BIRMC along with the analysis of prevailing controls and corrective action taken to avoid repetition of similar losses. Operational Risk monitoring and reporting functions are also strengthened by Risk Assessments carried out by the Integrated Risk Management Department (IRMD), Risk Control Self-Assessment (RCSA) by business units and preparation and reviewing of the Operational Risk Register to capture the ever changing risks in business processes.

Operational Risk Mitigation

The Bank believes that the most cost effective and prudent way of managing operational risk in its business processes is to establish proper controls and monitoring mechanisms and regularly review such measures to update their effectiveness. Based on this principle, the Bank has developed a comprehensive Operational Risk Management Policy and a Risk Register covering a variety of operational risks and controls relating to key business lines. A robust risk reporting structure supports the IRMD and management committees to monitor the operational risk events closely and initiate corrective measures where necessary.

In addition to the above, accepted mitigation and control functions such as three lines of defense (i.e., initially at individual business unit level, secondly the Risk Management function and finally the Audit function), circular instructions, operating guidelines, operation manuals, policies, organisational charts, job descriptions, segregation of duties, dual controls, staff rotation, automation of processes etc. are in place to mitigate operational risks associated with all products and processes.

It is a prudent Operational Risk measure to adopt a ‘risk transfer strategy’ for low-probability, high-impact events such as damage to physical assets by natural disasters, fire etc. Accordingly, the Bank has transferred insurable risks by obtaining insurance policies from reputed insurance providers covering physical assets of the Bank against possible harm from natural causes and other hazards, potential high valued external and internal frauds etc. Possible losses exceeding certain limits due to errors and omissions, information security and losses incurred in facilitating electronic payment mechanisms have also been duly insured.

Certain banking functions have been outsourced after carefully evaluating the risk factors and carrying out cost-benefit analysis of such decisions. All these outsourced functions are covered through the agreements which are subject to regular reviews.

Upgrading of software solutions, including the core-banking system, is carried out as and when required. All modifications to the systems are routed through proper approving channels with recommendations of the Information Systems Audit function, which operates independently from the business lines to identify and mitigate potential risks.

A comprehensive disaster recovery process covering all business units of the Bank is laid down under the Business Continuity Plan (BCP), which is regularly reviewed with the approval of the Board of Directors. Further, independent risk assessments of the BCP are carried out by the IRMD as per the requirement under the Corporate Governance of Central Bank of Sri Lanka on Integrated Risk Management Committee to review the adequacy and effectiveness of the BCP.

Computation of Operational Risk Requirement Under The Standardised Approach

Parallel computation of capital required for Operational Risk under The Standardised Approach (TSA) is being done along with the Basic Indicator Approach (BIA).

Capital required for Operational Risk of the Bank for the year 2011 as per TSA is computed as follows for information purposes.

| Business Line | Weighted Average Rate (%) | Capital Requirement (Rs. Mn.) |
|---|---|---|
| Corporate Finance | 18 | 4.7 |
| Trading and Sales | 18 | 810.6 |
| Retail Banking | 12 | 1,030.1 |
| Commercial Banking | 18 | 1,089.1 |
| Payment and Settlement | 18 | 100.1 |
| Total Requirement | | 3,034.6 |

However, the Operational Risk Requirement as per the 'Basic Indicator Approach' for the year 2011 is Rs. 3,139.7 Mn.
