Wednesday, 2 March 2011

Who manages operational risk?

We believe that a partnership between business, infrastructure, internal audit and
risk management is the key to success. How can this partnership be constituted? In
particular, what is the nature of the relationship between operational risk managers
and the bank audit function?

The essentials of proper risk management require that (a) appropriate policies be
in place that limit the amount of risk taken, (b) authority to change the risk profile
be given to those who can take action, and (c) timely and effective monitoring of
the risk be in place. No one group can be responsible for setting policies, taking
action, and monitoring the risk taken, for to do so would give rise to all sorts of
conflicts of interest. Policy setting remains the responsibility of senior management,
even though the development of those policies may be delegated, and policies are
submitted to the board of directors for approval.

The authority to take action rests with business management, who are responsible
for controlling the amount of operational risk taken within their business. Business
management often relies on expert areas such as information technology, operations,
legal, etc. to supply it with services required to operate the business. These infrastructure
and governance groups share with business management the responsibility
for managing operational risk.

The responsibility for the development of the methodology for measuring operational
risk resides with risk management. Risk management also needs to make
risks transparent through monitoring and reporting. Risk management should also
manage the firm's operational risk as a portfolio, and can actively manage
residual risk using tools such as insurance. Portfolio management adds
value by ensuring that operational risk is adequately capitalized and is analyzed
for concentrations of operational risk. Risk management is also responsible for providing
a regular review of trends, and needs to ensure that proper operational risk-reward
analysis is performed in the review of existing business as well as before the
introduction of new initiatives and products. In this regard risk management works
very closely with, but is independent of, the business, infrastructure, and the other
governance groups.

Operational risk is often managed on an ad hoc basis, and banks can suffer from
a lack of coordination among functions such as risk management, internal audit,
and business management. Most often there are no common bank-wide policies,
methodologies or infrastructure. As a result there is also often no consistent reporting
on the extent of operational risk within the bank as a whole. Furthermore, most
bank-wide capital attribution models rarely incorporate sophisticated measures of
operational risk.

Senior management needs to know if the delegated responsibilities are actually
being followed and if the resulting processes are effective. Internal audit is charged
with this responsibility. Audit determines the effectiveness and integrity of the
controls that business management puts in place to keep risk within tolerable levels.
At regular intervals the internal audit function needs to ensure that the operational
risk management process has integrity, and is indeed being implemented along with
the appropriate controls. In other words, auditors analyze the degree to which
businesses are in compliance with the designated operational risk management
process. They also offer an independent assessment of the underlying design of
the operational risk management process. This includes examining the process
surrounding the building of operational risk measurement models, the adequacy
and reliability of the operational risk management systems, and compliance with
external regulatory guidelines. Audit thus provides an overall assurance on the
adequacy of operational risk management.

A key audit objective is to evaluate the design and conceptual soundness of the
operational value-at-risk (VaR) measure, including any methodologies associated
with stress testing, and the reliability of the reporting framework. Audit should also
evaluate the operational risks that affect all types of risk management information
systems – whether they are used to assess market, credit or operational risk itself –
such as the processes used for coding and implementation of the internal models.
This includes examining controls concerning the capture of data about market
positions, the accuracy and completeness of this data, as well as controls over the
parameter estimation processes. Audit would typically also review the adequacy and
effectiveness of the processes for monitoring risk, and the documentation relating to
compliance with the qualitative and quantitative criteria outlined in any regulatory
guidelines.

Regulatory guidelines typically also call for auditors to examine the approval
process for vetting risk management models and valuation models used by front- and
back-office personnel (for reasons made clear in Appendix 2). Auditors also need
to examine any significant change in the risk measurement process. Audit should
verify the consistency, timeliness and reliability of data sources used to run internal
models, including the independence of such data sources. A key role is to examine
the accuracy and appropriateness of volatility and correlation assumptions as well
as the accuracy of the valuation and risk transformation calculations. Finally,
auditors should examine the verification of the model’s accuracy through an examination
of the backtesting process.
