We manage operational risks by employing the tools and processes provided by our ORMF, which enables us to determine our Operational Risk profile in comparison to our risk appetite for Operational Risk, to systematically identify Operational Risk themes and concentrations, and to define risk mitigating measures and priorities.
In 2017, we enhanced the ORMF and the management of operational risks by simplifying our risk management processes, focusing on the identification of the most material operational risks and their effective mitigation, and by promoting an active and continuous dialogue between the 1st and 2nd LoDs. This allows challenge to be raised throughout the various risk management processes and makes the management of operational risks more transparent, meaningful and embedded in day-to-day business decisions.
In order to cover the broad range of risk types underlying Operational Risk, our ORMF contains a number of management techniques that apply to all Operational Risk types. These include:
Loss Data Collection: In a timely manner, we collect, categorize and analyze data on internal (with a P&L impact ≥ €10.000) and relevant external Operational Risk events. This data is used for senior management information, in a variety of risk management processes and the calculation of Operational Risk capital requirements.
Lessons Learned reviews analyze the causes of significant Operational Risk events, identify their root causes, and document appropriate remediation actions to reduce the likelihood of reoccurrence. They are required for all Operational Risk events that meet defined quantitative or qualitative criteria. The area in which the Operational Risk failure that caused the event occurred is formally responsible for completing the review, though engagement with other relevant 2nd LoD functions throughout the process is encouraged. NFRM provides independent review and challenge over the appropriateness of the review’s conclusions. In 2017, we harmonized several existing processes, moved to a workshop-based approach and, thus, enhanced the consistency and quality of reviews.
Read Across reviews take the conclusions of the Lessons Learned process and seek to analyze whether similar risks and control weaknesses identified in a Lessons Learned review exist in other areas of the Bank, even if they have not yet resulted in problems. This allows preventative actions to be undertaken. Read Across reviews may also be undertaken based on events that have occurred at other relevant financial firms where sufficient information exists to allow meaningful analysis.
We complement our Operational Risk profile by using a set of scenarios including relevant external cases provided by a public database and additional internal scenarios. We thereby systematically utilize information on external loss events occurring in the banking industry to prevent similar incidents from happening to us, for example through particular deep dive analyses or risk profile reviews.
The Risk & Control Assessment process (RCA) comprises a series of bottom-up assessments of the risks generated by businesses and infrastructure functions, the effectiveness of the controls in place to manage them, and the remediation actions required to bring the outsized risks back into risk appetite. This enables both the 1st and 2nd LoDs to have a clear view of the Bank’s material operational risks. Through 2017, we simplified the RCA process and made it easier to repeat by producing a smaller number of higher quality assessments that are easier to use for decision-making purposes. We developed control assessment and consequence management frameworks and held interactive workshops instead of running a sequential process. This increased the continuous engagement between risk owners, NFRM and RTCs and allowed for challenge to be raised throughout the process.
We regularly report and perform analyses on our Top Risks. Top Risks are rated in terms of both the likelihood that they could occur and the impact on the Bank should they do so. The reporting provides a forward-looking perspective on the impact of planned remediation and control enhancements. It also contains emerging risks and themes that have the potential to evolve into a Top Risk in the future. Top Risk Reduction Programs comprise the most significant risk reduction activities that are key to bringing our operational top risk themes back within risk appetite.
Key Risk Indicators are used to monitor the Operational Risk profile, including against the Bank’s defined risk appetite, and to alert the organization to impending problems in a timely fashion. Key Risk Indicators enable the monitoring of the Bank’s major risks, its control culture and overall business environment and trigger risk mitigating actions. They facilitate the forward-looking management of operational risks, based on early warning signals.