Definition of Operational Risk
Operational risk means the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes legal risk. Operational risk excludes business and reputational risk.
Particularly prominent examples of operational risks are the following:
- Fraud Risk is the risk of incurring losses as a result of an intentional act or omission by an employee or by a third party involving dishonesty, for personal and/or business gain or to avoid personal and/or business loss such as falsification and/or alteration of records and/or reports, facilitation, breach of trust, intentional omission, misrepresentation, concealment, misleading, and abuse of position in order to obtain personal gain, business advantage and/or conceal improper/unauthorized activity.
- Business Continuity Risk is the risk of incurring losses resulting from the interruption of normal business activities. Interruptions to our infrastructure as well as to the infrastructure that supports our businesses (including third party vendors) and the communities in which we are located (including public infrastructure like electrical, communications and transportation) can be caused by: (i.) deliberate acts such as sabotage, terrorist activities, bomb threats, strikes, riots and assaults on the bank’s staff; (ii.) natural calamities such as hurricanes, snow storms, floods, disease pandemic and earthquakes; or (iii.) other unforeseen incidents such as accidents, fires, explosions, utility outages, and political unrest.
- Regulatory Compliance Risk is the potential that we may incur regulatory sanctions (such as restrictions on business activities, fines or enhanced reporting requirements) and financial and/or reputational damage arising from our failure to comply with applicable laws, rules and regulations.
- Information Technology Risk is the risk that our information technology will lead to quantifiable losses. It arises from inadequate information technology and processing in terms of manageability, exclusivity, integrity, controllability and continuity.
- Vendor Risk arises from adverse events and risk concentrations due to failures in vendor selection, insufficient controls and oversight over a vendor and/or services provided by a vendor and other impacts to the vendor which could not happen to us by nature, severity or frequency.
Legal Risk may materialize in any of the above risk categories. This may be due to the fact that in each category we may be the subject of a claim or proceedings alleging non-compliance with contractual or other legal or statutory responsibilities; or we may otherwise be subject to losses allegedly deriving from other law or legal circumstances applicable to any of the above categories.
The Head of Operational Risk Management (“ORM”) chairs the Operational Risk Management Committee (“ORMC”), which is a permanent sub-committee of the Risk Executive Committee and is composed of the operational risk officers from our business divisions and infrastructure functions. It is the main decision-making committee for all operational risk management matters.
While day-to-day operational risk management lies with our business divisions and infrastructure functions, the Operational Risk Management function manages cross-divisional and cross-regional operational risk as well as risk concentrations, and promotes a consistent application of our operational risk management strategy across the bank. Based on this Business Partnership Model, we aim to maintain close monitoring and high awareness of operational risk.