Figure 13.2 Drivers of the risk impact-grading scale of the ECB. [Figure: "1 Foundation: the risk impact-grading scale". Harm to ECB essential interests, graded from Very low / Negligible upwards, is driven by: drivers of business impact (affects the market; affects a statutory obligation; has a significant impact in …; quality (incl. accuracy, …); whether repetition creates …); drivers of financial impact (write-off on the balance sheet of the ECB (incl. existing …); opportunity cost); drivers of reputation impact (degree of responsibility/influence of the ECB; level and visibility of …; geographical scope of …; nature of media involved; duration of media coverage).]
thresholds. In the specific case of impact on reputation, exogenous and
subjective elements also play a critical role. As demonstrated in a few much-publicized cases of reputational risk in recent years, perceptions by public
opinion tend to prevail over facts – and these perceptions tend to put more
emphasis on common sense and ethical values than on applicable laws and
regulations. Legal risk is not represented as a separate risk impact category,
as litigation cases ultimately bear a reputational and/or a financial impact.
Impacts on reputation related to issues of staff security or confidentiality,
availability or integrity of information assets are assessed with consideration
of relevant standards and best practices. Business impacts related to staff
or information issues can be straightforwardly assessed by considering the
most plausible outcomes.
7.2 Implication: risk tolerance guidelines
The operational risk tolerance of the ECB is formalized via a set of ex ante,
explicit and high-level guidelines by the Executive Board. The latter provide
a prioritization scheme for investment in controls or other risk treatment
measures. As shown in Figure 13.3, tolerated levels of risk are expressed
considering both normal business conditions and worst-case scenarios.
Operational risk management in central banks
Figure 13.3 Operational risk tolerance: illustrative principles. [Figure: potential risk impact (business, reputation and/or financial) plotted against the frequency of observable risk events ‘under normal business conditions’, from infrequent (> once/10 years; 5–10 years) to moderately frequent (2–5 years; 1–2 years).]
The risk tolerance guidelines can be summarized as follows. Risk impacts
of level three (under normal business conditions) or four and five (in a
worst-case scenario) require implementing priority measures to reduce to
the maximum feasible or receiving explicit acceptance by the Executive
Board. To give a rough sense of the level of severity requiring top
management attention: the financial thresholds used for defining levels
four and five at the ECB are EUR 1 million and EUR 10 million respectively.
Potential risk impacts of level two (in normal
business conditions) or three (in a worst-case scenario) require conducting
cost–benefit analyses of additional risk treatment measures. And potential
risk impacts of level one (in normal business conditions) or one and two (in
a worst-case scenario) are considered to be tolerable ‘incidents’. From a
strict ORM perspective, the latter only require adequate monitoring, yet
neither proactive intervention nor reporting. From a broader management
perspective, the effectiveness and efficiency of controls related to smaller
incidents may justify ad hoc reviews.
8. Top-down self-assessments
How should central banks start implementing ORM? Nowadays, central
banks generally recognize that priority should be given to top-down exercises due to their objective and scope. The experience of the ECB is presented to illustrate a possible approach and the related outputs and lessons
8.1 Objective and scope
As demonstrated by a survey of the IORWG (see acts of the 2007 conference
in Philadelphia), the vast majority of central banks have historically opted to
start by a bottom-up approach at the level of individual processes or
After years of implementation, all concerned institutions confirm the
benefits of analysing risks and controls in a systematic and detailed manner.
However, many of them also stress: (a) the significant cost of conducting
bottom-up exercises across all areas; (b) the complexity of aligning and/or
reconciling risk information collected on a piecemeal basis; and ultimately
(c) the danger of losing sight of the wood for the trees. With the benefit of
hindsight, the central bank community nowadays agrees that ORM should
start from the top. In essence, top-down approaches achieve two key
• provide an initial and well-calibrated ‘big picture’ of the critical events
bearing the highest risks for the achievement of business objectives,
reputation and/or financial assets of the institution; and
• help prioritize subsequent more detailed bottom-up exercises on the
most critical processes, functions or organizational entities.
The scope of top-down exercises must facilitate a bird’s-eye view on
operational risks. In the case of the ECB, the top-down exercise is conducted
at the level of the eight core macro-processes (e.g. monetary policy, market
operations etc.) of the bank, of its six enabling functions (e.g. communication, IS etc.) as well as for very large projects. The top-down exercise
covers all the plausible risk scenarios, be it in a ‘worst case’ or under ‘normal
business conditions’, which may expose the bank to a risk impact of at least
level three according to the impact-grading scale. From a timing perspective, the top-down exercise is to be conducted each year, as an integral
part of the strategy process.
At the present juncture, central banks’ experience of top-down assessments
is probably too recent to describe standard practices and instruments.
A notable exception is represented by Bank of Canada, which has accomplished pioneering work in the central banking industry on ways and means
of integrating top-down assessments of operational risks with strategic
planning. At the ECB, the top-down exercise is centred around two types of
workshops: vertical workshops held at the level of each of the core or
enabling macro-processes of the bank, and horizontal workshops dealing with
risk scenarios related to transversal issues of governance (e.g. communication, legal, procurement) and security (information security, physical
security, business continuity management).
Defining worst-case operational risk scenarios starts with considering to
which extent individual risk items listed in the risk event taxonomy actually
apply to a macro-process situation (‘What could go wrong?’ ‘Could any of these
events ever happen to us?’). An alternative way to verify whether the universe of
worst-case risks considered is comprehensive is to ponder whether examples
of consequences listed in the impact-grading scale would be relevant (‘What
would be the worst impact(s) in this area?’) and then ‘reverse-engineer’ the
related worst-case operational risk scenario. In all cases, worst-case scenarios
are developed by considering worst-case risk events that have actually happened in partly comparable environments (e.g. governments, public agencies,
research centres, faculties, etc.) – thinking of the ECB as a public institution
delivering a set of generic functions (e.g. policy making, research/technical
advisory, compilation of information, communication of political messages).
Based on a mix of primary and secondary research, a database of about 150
relevant worst-case scenarios was compiled by the central ORM team to
support the initial top-down assessment and has been continuously updated
ever since. Worst-case scenarios are finally tailored to the specific environment
of the ECB after due consideration of parameters such as the specific business
objectives of the bank (e.g. not-for-profit dimension), important features
of its control environment (e.g. historical ‘zero-risk’ culture) and predictable changes in the business environment (e.g. transition from Target 1 to
Target 2 platform in the area of payment systems). A standard template is
completed to describe each worst-case scenario in a comprehensive manner.
• historical evidence of external catastrophic events which have been
considered to establish the plausibility of the worst-case scenario;
• a summary of all the parameters which substantiate the plausibility of
the worst-case scenario in the particular environment of the ECB – i.e.
specific assumptions pertaining to root causes, failures of mitigation
measures, other specific circumstances (e.g. shortage of staff due to
holiday season), and ultimate consequences (e.g. leakage/fraud becoming
• an assessment by concerned senior managers of the potential business,
reputational and financial impact which the ECB might have to face
under the scenario described, including a detailed qualitative justification
of this evaluation.
Experts from the central ORM team check consistency of input provided
across all business areas and, if required, suggest slight readjustments of
assessed risk impacts to ensure overall consistency. During the initial assessment, covering the full universe of about eighty worst-case scenarios and
setting the corresponding baseline required a significant one-off effort over
a three-month horizon. Fortunately, worst-case scenarios tend to be fairly
stable over the medium term – requiring only limited updating during the
successive yearly top-down exercises. This should come as no surprise:
beyond a few fundamentally new trends in the business and technological
environment, and beyond unpredictable events and hazards in the economic and financial conjuncture, the base parameters of operational risks
are indeed fairly stable. ‘Why do you keep robbing banks?’, a somewhat
obstinate criminal was once asked. ‘Because it is where the money is’, was the
naïve and profound answer.
8.3 Output and lessons learned
In the approach implemented by the ECB, a final report on the top-down
ORM assessment is to be produced by the middle of the year. The latter
includes an updated heat map charting the status of the bank’s key operational risks, a qualitative summary of the key findings, and an appendix
including all the compiled worst-case scenario sheets. Expectations regarding
initial top-down exercises must be kept at a realistic level. The experience
of the ECB indeed shows (or confirms) that only very few totally new risk
scenarios emerge from high-level historical analyses, expert brainstorming
and management workshops. At first sight, the top-down heat map appears to
only document widely shared assumptions regarding the concentration of
key operational risks in certain macro-processes (e.g. market operations) and
horizontal risk categories (e.g. pandemic, massive attack on IS systems). Yet,
very soon, the real benefits of a top-down exercise become much more
tangible. ORM workshops with senior management significantly reinforce
management awareness of worst-case scenarios – beyond traditional and in-depth knowledge of recurrent incidents. They foster management dialogue
and help align fairly diverging individual perceptions regarding the plausibility and potential severity of certain risks (e.g. leak of information) and their
relative importance in the global risk portfolio of the bank. And they give new
impetus to critical initiatives (e.g. enhance the quality of mission critical IS
services to mitigate worst case scenarios related to information confidentiality, integrity and availability; refine business continuity planning arrangements to more proactively address pandemic, strike or other scenarios
causing extended unavailability of staff; develop non-IT-dependent contingencies to remedy various crisis situations; leverage enabling technologies
such as document management to address risks of information confidentiality, integrity and availability; enhance reputation management through
pre-emptive and contingency communication strategy and plans).
9. Bottom-up self-assessments
As a necessary complement to their recent developments regarding top-down exercises, central banks continue to conduct bottom-up exercises at
the level of their individual business processes (e.g. ‘liquidity management’)
as well as of horizontal risk and control categories (e.g. ‘hacking of information systems’). This section discusses the objective and scope of bottom-up exercises. The experience of the ECB is presented to illustrate a possible
approach and to analyse the relationship between bottom-up risk assessments and Business Process Management (BPM) and Total Quality Management (TQM).
9.1 Objective and scope
Central banks have a long tradition of conducting bottom-up exercises to
identify and assess current operational risks, define new or enhance existing
controls or risk mitigation measures and prioritize related action plans.
In the case of the ECB, the scope of these exercises includes all observed or
potential operational risk events which may expose the bank to an impact of
at least level two according to the impact-grading scale – be it in a worst-case scenario or under normal business conditions. A rolling five-year
programme of bottom-up exercises is prepared by the central ORM team
in close cooperation with business areas and approved each year by the
Operational Risk Committee in line with the budget life cycle. This programme ensures that all the bank’s processes, horizontal risks and related
controls of the ECB (including those bearing lower impact levels) will
formally be assessed at least every five years, and that key business processes
and horizontal risks and related controls, as identified during the top-down
exercise, will be assessed in a coordinated manner over the next twelve
months. In practice, the programme derived from top-down analysis fosters
rational sequencing in ORM implementation and helps prevent considerations of technical complexity from prevailing over risk management rationale.
Indeed, a few core central banking processes (e.g. related to economic
analysis and research) must by nature operate under significant uncertainty,
use to some extent incomplete and qualitative information and generally
heavily rely on human judgement. As a consequence, these, as well as a few
critical management processes (e.g. related to decision making and project
management), are typically much more complex to address than transactional processes (e.g. payments, IS operations) and are frequently less
covered in early years of ORM implementation.
In comparison with top-down exercises, the methodology used in the
context of bottom-up exercises typically includes additional elements and
generates more granular information.
At the ECB, the step of risk identification includes a quick review of
existing processes and underlying assets (people, information systems and
infrastructure). The required level of detail of process analysis (i.e. focus on
a ‘level one’ overview of key process steps as opposed to granular ‘level
three’ review of individual activities) is to some extent left to the appreciation of relevant senior managers depending on resource constraints and
assessed benefits. The central ORM team ensures the respect of minimal
standards (including the use of a standard process documentation tool).
The frequency and impact of process incidents is examined by experts and
managers. Unlike in traditional ORM approaches, no subjective self-assessment is required for risk events in normal business conditions. By
definition, historical facts and/or evidence must have been observed – even
though the latter, in most of the cases, are not yet formally compiled in
Plausible worst-case scenarios at process level are defined according to the
same methodology as used in the top-down assessment. Specific opportunities
to bring normal and worst-case risks in line with the risk tolerance policy
are finally discussed. Wherever possible, all these analyses incorporate
results from other existing risk management activities to avoid redundancies and relieve management of unnecessary burden. During the next step,
a cost–benefit assessment of all identified risk treatment opportunities is
performed, using a simple ABC prioritization scheme. Finally, the conclusive steps of a bottom-up assessment include classical action-planning
activities as described in various risk management standards. Full documentation of the bottom-up self-assessment via standard templates ensures
consistency and re-usability of performed analyses.
9.3 Bottom-up risk assessments vs. BPM and TQM
Many components of the bottom-up exercises are well established and
widely shared by the central banking community, and inter alia well
documented by the IORWG. Still, two specific aspects of the methodology
used at the ECB are worth mentioning, as they underscore the specific value
of ORM vs. disciplines such as BPM and TQM.
ORM differs from operations management or BPM. Selectively organizing synergy between all these functions is certainly a good idea. Mixing
them up into all-purpose process reviews is a frequent and fatal mistake –
ultimately making bottom-up self-assessments costly and cumbersome and
hindering the cultural acceptance of risk management. Regarding the specific area of controls, the focus of the ECB is therefore to assess the
effectiveness (and to a lesser extent the efficiency) of new or enhanced
controls, not the efficiency (and to lesser extent the effectiveness) of all
existing controls. The latter approach is a traditional, COSO-based practice
which is technically required as a consequence of the following logic flow:
‘current risk’ = ‘inherent risk’ minus ‘reduced risk through existing controls’
Yet, as mentioned above, the ECB framework focuses on actual (and
potential) risks and how to remedy them. Such an approach by definition
takes into account (and thereby implicitly ‘assesses’) the global effectiveness
of existing controls and of the general control environment.
Where required, a specific assessment of the general control environment
can be performed through use of compliance check lists reflecting relevant
process or functional standards.
For specific objectives pertaining much more to process optimization
than to ORM, more granular information on the effectiveness and efficiency
of individual controls may indeed be required. As benchmarking shows, two
approaches are possible in this respect:
The first, serious and fact based, is traditionally used for instance by
internal audit or organization departments. It consists of conducting
process or procedure walkthroughs on testing samples to verify ex post
how many incidents or anomalies are being detected through given types
of verifications or controls.
The alternative approach, frequently mentioned in traditional ORM
frameworks, is arguably always a case of artistic invention: using qualitative
self-assessment questionnaires, experts or managers ascertain whether a
given control is ‘unsatisfactory’, ‘partially satisfactory’ or ‘satisfactory’.
The problem in this approach is not only that subjective (and naturally
partial) opinions of concerned staff should always be challenged by a
neutral third party. More fundamentally, the question on control
effectiveness itself is meaningless in all frameworks where the objective/
target (i.e. the ‘risk tolerance’) is not specifically predefined. And at any
rate, even when the risk tolerance is defined, the question of effectiveness
by nature can only be satisfactorily addressed at the level of the full
control environment of the institution. By contrast, scoring models used
to assess the relative and incremental contribution of controls x, y or z to
the current risk situation must by design rely on weighting factors
reflecting totally subjective and unverifiable assumptions.
ORM is not total quality management. As a consequence, at the ECB, the
management of minor incidents is left out of proactive ORM. Benchmarking evidence shows that many central banks already started a few
years ago to compile databases on internal incidents, loss and near-loss
events. Over time, incident databases always help improve the reliability
and output quality of daily process operations. Even though they almost
never produce a sufficient basis for quantitative modelling, they also provide useful reference data points to challenge managers’ intuition and to
examine key patterns in smaller issues which may as well apply to catastrophes. Yet, systematic and massive capture of incident data has a very
significant cost. Reflecting on alternative investment priorities for ORM, it
may be useful to keep in mind that daily problems within departments or in
interaction with supplier and customer entities in essence constitute cost
and quality issues, not risk topics. This explains why, as seen before, the
operational risk tolerance policy of the ECB requires neither proactive
intervention nor reporting on level one incidents and why the latter are left
out of scope of bottom-up self-assessments.
10. ORM governance
Risk management requires a well-defined and integrated governance model.
Like most financial organizations, central banks generally make a distinction
between the management of financial and operational risks and usually have
separate management structures for dealing with these two types of risks.
Regarding the latter, ten sound practices for management and supervision
of operational risks have been defined in a seminal paper by the Basel
Committee on Banking Supervision (BCBS 2003). Ever since, a few of these
practices have been widely adopted by the central banking community (e.g.
general sponsorship and oversight function to be assumed by the Executive
Board; independent evaluations by internal and external audit functions;
key responsibility of line management to implement ORM). For reasons
mainly pertaining to individual central banks’ size or history, other practices
are being implemented under slightly diverging arrangements (e.g. composition of the committee specifically in charge of ORM; establishment or
not of a dedicated ORM officer; relative positioning of the central ORM
function vs. the business continuity function; precise level of decentralization of ORM activities in business areas etc.). Overall, in most central
banks, a key challenge is still to organize the convergence of all disciplines
related to operational risks and control (including business continuity,
physical security, information confidentiality etc.) and allow for an integrated management of the related risk portfolio.
The new ORM governance model adopted by the ECB in September 2007
comprises the following elements: an Operational Risk Committee (ORC),
staffed with seven senior managers of the bank, deals with strategic/medium-term topics. The key mission of the ORC is to stimulate and oversee the
development, implementation and maintenance of all disciplines related to
operational risks. To that effect, the specific responsibilities of the ORC are
to endorse the relevant policy frameworks and strategies; assess the portfolio
of risks and the effectiveness and efficiency of treatments of operational risks
across the ECB; plan and monitor all related activities; foster the development of risk management culture in the ECB as well as ESCB- and
Eurosystem-wide through appropriate measures; and inform the Executive Board periodically about the status of ORM. Required input for strategic decision-making by the ORC is prepared, at a more tactical level, by an
informal network of operational risk managers and risk experts which work
on request of the ORC in the form of ad hoc taskforces. Efficiency of ORM
decision making is enhanced by addressing dossiers at the first competent
level and limiting representation in taskforces to key business and functional
A central and integrated ORM and BCM team, hosted by the Organizational Planning Division of the bank, acts as knowledge broker in charge
of cross-fertilizing best practices across business areas and specialized risk
disciplines. On top of coordinating all relevant activities (including response
to incidents), the team assumes classical central activities pertaining to
external benchmarking and cooperation, methodological maintenance (e.g.
library of controls) and development (e.g. integration of ORM databases
and tools), proactive monitoring of and advisory to business areas, consolidated reporting, and secretariat of the ORC.
The responsibility and accountability of line managers in the implementation of ORM in their respective business areas is confirmed and a
decentralized function of ORM coordinators is further formalized – without
creating additional resource requirements let alone new positions. Beyond
participation in mandatory top-down and bottom-up exercises, line managers, with the support of ORM coordinators, manage their operational risks
as part of daily operations. In particular, they are expected to proactively
consider the specific risk implications of defined trigger-point events (e.g.
assumed new service responsibility; significant staffing or management
change; recent centralization/de-centralization of business process or technology; introduction of new software or hardware; hired new vendor; identified issue during contingency test; specific findings in internal and external
audits etc.) where the benefits of ORM analyses are particularly obvious.
11. KRIs and ORM reporting
The ultimate function of ORM is not to report on the status of operational
risks but to provide insightful support for management decisions on
required actions and investments. The present section discusses the gap
between theory and practice in this respect and presents current developments in the ECB.