BANK 7.2.6 Principle 6: risk identification and assessment

(1) The senior management of a banking business firm must ensure that the operational risk inherent in all of the firm’s products, activities, processes and systems is identified and assessed to make sure that the inherent risks and incentives are well understood.
Guidance
Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective identification of risk considers both internal factors and external factors. Sound risk assessment allows the firm to better understand its risk profile and allocate risk management resources and strategies most effectively. Tools that can be used for identifying and assessing operational risk include:
audit findings—although audit findings primarily focus on control weaknesses and vulnerabilities, they can also give insight into inherent risk that is due to internal or external factors
internal loss data collection and analysis—internal operational loss data provides meaningful information for assessing the firm’s exposure to operational risk and the effectiveness of internal controls
external data collection and analysis—external data elements consist of gross operational loss amounts, dates, recoveries, and information about the causes of operational loss events at other organisations; external loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures
risk assessments—in a risk assessment, often referred to as a risk self-assessment, the firm assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact; a similar approach, a risk control self-assessment (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered); scorecards build on RCSAs by weighting residual risks to provide a means of translating RCSA output into metrics that give a relative ranking of the control environment
business process mapping—business process mappings identify the key steps in business processes, activities and organisational functions, and identify the key risk points in the overall business process; process maps can reveal individual risks, risk interdependencies, and areas of control or risk management weakness, and can help to prioritise management actions
risk and performance indicators—risk and performance indicators are risk metrics and statistics that provide insight into a firm’s risk exposure; risk indicators, often called key risk indicators, are used to monitor the main drivers of exposure associated with key risks; performance indicators, often called key performance indicators, provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss; risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and to prompt the implementation of mitigation plans
scenario analysis—scenario analysis is a process of obtaining expert opinion from business line and risk managers to identify potential operational risk events and assess their potential outcomes; scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions; however, given that the scenario process is subjective, a robust governance framework is essential to ensure the integrity and consistency of the process
measurement—larger firms may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure; the results can be used in an economic capital process and can be allocated to business lines to link risk and return
comparative analysis—that is, comparing the results of the various assessment tools to provide a more comprehensive view of the firm’s operational risk profile; for example, comparison of the frequency and severity of internal data with RCSAs can help the firm to determine whether self-assessment processes are functioning effectively; scenario data can be compared to internal and external data to gain a better understanding of the severity of the firm’s exposure to potential risk events.
(2) The firm must ensure that its internal pricing and performance measurement mechanisms appropriately take operational risk into account.
Guidance
If operational risk is not considered, risk-taking incentives might not be appropriately aligned with the firm’s risk appetite and tolerance.
Derived from QFCRA RM/2020-2 (as from 1st January 2021)