This blog is one of a series designed to identify common mistakes made by firms. It explains why the mistake is damaging and could lead to regulatory sanctions, a capital add-on and even a skilled persons review (S166). If you are making this mistake then you need to change your practice.
Operational risk practitioners are faced by many rules, speeches, consultation papers and policy documents issued by a variety of supervisors and organisations. While not all the documents will be legally binding, they do reflect regulatory expectations and firms should therefore be aware of anything that is relevant to their businesses. Indeed, in many cases failure to comply can result in termination, regulatory sanction, a capital add-on and even a skilled persons review (S166). However, despite these potential consequences many practitioners fail to read and understand all the relevant documents. And if you don’t read and understand the regulator’s expectations, how can you be confident that you comply?
Managing operational risk
A valuable insight into global regulatory expectations can be found in the Consultative Document: Principles for Operational Resilience issued by the Basel Committee on Banking Supervision (BCBS). Published in August 2020, the 13-page paper discusses how to create an operational resilience capability and proposes that ‘Banks should utilise their existing governance structure’ and ‘leverage their respective functions for the management of operational risk’. In addition, the paper shows that the approach builds on updates to the BCBS’s Principles for the Sound Management of Operational Risk (PSMOR), issued at the same time.
Recent conversations have revealed that many practitioners are unaware of one or both documents. Given the importance of operational resilience and the evolution of regulatory thinking in the PSMOR (see publications from February 2003, June 2011, and October 2014), it is unwise and dangerous not to stay up to date with the latest advice on managing operational risk.
When I first left the regulator, I was surprised by the problems many practitioners had navigating and understanding the regulatory rule books. The subsequent evolution of the roles of the UK Prudential Regulation Authority (PRA) and the Financial Conduct Authority (FCA), and developments in their rule books, has done nothing to simplify this process. Nevertheless, practitioners must always understand the operational risk rules and requirements imposed on them by their regulator.
While it is beyond the scope of this blog to detail all the requirements that apply to a firm, if you fail to understand your requirements, you expose your firm and staff members (particularly those captured by the SM&CR regime in the United Kingdom) to a significant corporate and individual risk.
To protect against this risk:
- Operational risk teams should generate a library of the regulatory documents that inform and govern how the firm’s operational risk framework should operate and ensure that all relevant staff are fully aware of their contents;
- Operational risk staff should be asked to confirm annually that they are fully aware of the listed documents and their contents;
- Operational risk teams should undertake horizon scanning for relevant new documents, and wise practitioners will already subscribe to regulatory alerts where available;
- When new requirements or expectations are published the operational risk function should nominate an individual in the team to present a summary of the contents at the next team meeting.
These activities should be undertaken by the operational risk function, even in firms where a central regulatory compliance or regulatory change team exists. Without this understanding, how can you and your team be confident that you meet regulatory expectations?
We hope you find this blog helpful. For a full overview of our approach to framework improvements, please contact us.