Governance structures and leading practices for risk management in central banks

Helena Tejero, Division Head, Risks & Processes, Bank of Spain
Central Bank Governance Forum 2014
IMF / Hawkamah, Dubai, United Arab Emirates
December 8, 2014

FEDERAL RESERVE BANK OF PHILADELPHIA

Today's agenda
• International Operational Risk Working Group (IORWG) Overview
• Central Banks Risk Governance Structures
• Central Banks Risk Practices
• Conclusions

The views herein are the personal views of the speaker and do not necessarily represent the views of either the IORWG members or the Bank of Spain.

International Operational Risk Working Group

International Operational Risk Working Group (IORWG) Overview

Leadership:
• Chaired by the Federal Reserve Bank of Philadelphia and the Bank of Spain.

Objectives:
• Share best practices.
• Innovate new frameworks and methodologies.
• Generate genuine interest in ORM*.

Membership Representatives:
• Risk representatives from central banks and monetary/supervisory authorities across the world.

Membership Benefits:
• Knowledge sharing, networking opportunities, and research topics with other central banks through “global” expert groups participation.

Conferences organized:
I. Spain, 2006
II. United States, 2007
III. Denmark, 2009
IV. France, 2008
V. Brazil, 2010
VI. Thailand, 2011
VII. Sweden, 2012
VIII. Morocco, 2013
IX. Israel, 2014
X. South Africa (planned for 2015)

Information channels:
• IORWG website (www.iorwg.org).
• Regular email alerts to members.

(*) ORM stands for Operational Risk Management

In October 2005, 18 institutions agreed to be part of the IORWG …

[Map of member institutions: Estonia, Latvia, Lithuania, Norway, Sweden, Denmark, ECB, Switzerland, The Netherlands, Poland, Bulgaria, Ireland, UK, Azerbaijan, Germany, Greece, Belgium, Canada, Korea, Austria, Luxembourg, Japan, United States of America, France, Hong Kong, Spain, Curaçao, Thailand, Mexico, Portugal, Jordan, Philippines, Dominican Republic, Morocco, Israel, Costa Rica, Indonesia, Italy, Colombia, Uganda, El Salvador, Malta, Malaysia, Ecuador, New Zealand, India, Brazil, International (Bank for International Settlements, BIS), Singapore, Bolivia, Madagascar, Malawi, Chile, Argentina, South Africa, Australia, Angola, Uruguay]

… 59 members in 2014.

IORWG Collaboration Efforts

Expert Group Process:
• Expert Group studies: 35 completed to date, e.g. last year’s topics:
  – ORM Trends and Best Practices (Phase II).
  – Risk Culture and Awareness.
  – Incident Management and Reporting.
  – ORM Interdependencies with Management of Other Enterprise Risks.
  – Existing Governance Structures in the Area of Risk Management.
  – Risk Repository (Phase IV).
• 2015 topics will focus on continuing work associated with trends and best practices, reporting, advancement of the risk repository, information and cyber security, training practices and building a maturity model.
• Research topics use industry literature, conduct member surveys, profile central bank practices in greater detail and summarize results at the conference (4-5 month effort).
• Use breakout groups on expert group topics to further discuss key items and report back to the group.

Risk Governance Structures

Three lines of defense model

Central bank governance structures generally rely on three lines of defense, by which governing bodies and senior management, in their responsibility for the risk management framework, are served by the following “lines”:

• Business line management: “Owners” of risk. Responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which they are accountable.
• Risk management function: Responsible for providing the risk framework and for independently overseeing risk-taking activities bank-wide.
• Internal audit function: Responsible for independently opining on the overall appropriateness and adequacy of the framework and the associated governance processes.

Board / board subcommittee

• Ultimate responsibility for risk management is generally assigned to the governing bodies (e.g. governor, board, executive committee).
• The board or a subcommittee of the board is often responsible for providing oversight and direction with regard to risk management (in some Central Banks (CBs), oversight is provided by the governor or a RMC* at the executive level).
• Common subcommittees:
  – The audit committee and, to a much lesser extent, the risk oversight committee.
• Common duties:
  – Ensure the establishment and maintenance of the framework.
  – Provide oversight over the program.
  – Review reports – activities and status of risk management, risk profile, key risks, response to the most significant risks.
• Improve the focus and dialogue on risk, challenge and dig deeper into emerging risks.

(*) RMC stands for Risk Management Committee

Committees involved in the risk governance

Four different approaches

1
• The Board does not delegate the risk oversight responsibilities to a sub-committee.
• The Board is supported by existing committees, with a broad mandate, not dedicated to risk issues.

2
• The Board delegates to an executive sub-committee which is responsible for all risks and in some cases for operational risks only.

3
• The Board delegates to a board subcommittee.
• In addition a RMC has an executive role – establish and maintain the risk management framework.

4
• The Board delegates to a board sub-committee.
• In addition there are:
  – RMC (executive risk committee) and
  – Specialized Risk Committees.

Note: an Audit Committee generally exists in all approaches.

Governance (cont.)

• Governance is often not well documented or understood; responsibilities, particularly advisory roles, are not consistently applied.
• How governance relationships work in practice is not always consistent with charter documentation.
• Formal guidance needs to be provided to ensure committees are consistently established, operated, and reviewed.
• Structure, roles, and decision rights across bodies are interpreted differently.
• Complex or undefined governance can result in confusion regarding accountability and prolonged decision making. This can increase operational risk and can lead to reputational risk.
• Conduct self-assessments of governance practices.

Operational risk function

• Most CBs have a centralized independent ORM unit; several have centralized compliance units.
  – In some cases, the functions are combined with other risk and control-related disciplines, e.g. business continuity, IT security.
• Usually deals with legal, reputational and compliance risks. To a lesser extent with financial and strategic risks.
• A sample of central banks has on average 4 full-time equivalents in risk units.
• Main responsibilities:
  – Provide risk management methodologies.
  – Facilitate and consolidate the results of risk assessments.
  – Assist in developing processes and controls.
  – Track risk incidents and report on mitigation.
  – Coordinate reporting to the board, RMC and senior management.
  – Provide guidance and training.
  – Few include the operational risk measurement.
• Challenge the business lines' outputs from risk management activities.

Internal audit

• Central banks have an internal audit unit independent from the 1st and 2nd lines of defense.
  – Although some ORM programs were/are still launched and championed by the internal audit.
• Main responsibilities:
  – Verify that the risk framework has been implemented as intended and is functioning appropriately.
  – Assess the effectiveness of the bank’s operational risk management controls, processes and systems, as well as governance.
  – Review the management and reporting of key risks.
• Ensure independence of risk management and internal audit, although they may collaborate in activities such as awareness programs.

Interdependencies

• Generally the tendency of disciplines is to operate in silos, due mainly to a weak governance structure and immature risk culture.
• The greatest extent of alignment with ORM is associated with business continuity, and IT and information security risks.
• There is also high interaction, meetings, exchange of reports with the internal audit unit.
  – Building a common risk taxonomy, using the same process map, exchange of information, …
  – In a few cases, permanent access to ORM/IA databases.
• Challenges with aligning ORM with other disciplines:
  – Get acceptance for an integrated approach.
  – Overcome differences in terminologies and views regarding approaches and methodologies, e.g. IT framework too technical and granular to integrate.