What is a Risk Management Framework?

An overview of key components

Risk management frameworks identify, assess, prioritize, and manage risks.

Introduction

A risk management framework (RMF), or more specifically an operational risk management framework (ORMF), is a structured and systematic approach used by organizations to identify, assess, prioritize, and manage risks in order to minimize potential threats and exploit opportunities.

The key components of a risk management framework for operational risk are shown below. In line with the Basel Committee on Banking Supervision’s (BCBS) principles, it is the responsibility of a bank’s board to ensure there is an appropriate and functioning RMF in place. Detailed aspects of the RMF are usually determined, implemented, and monitored by business and risk management.

ORMF components include organizational structure & resourcing, infrastructure, policies, authorities, processes, and committee structures.

Components

Organizational structure & resourcing

For risk management to operate effectively, risk staff need to be organizationally separate from the business. This allows them to take an independent and dispassionate view when reviewing and assessing operational risk policies, processes, or individual exposures. Audit also provides an independent view, but only on a periodic basis.

Three Lines of Defense Model

Though some argue that it is a little outdated, the three lines of defense model has been deemed best practice and is the one used by supervisors when monitoring the effectiveness of banks’ operational risk management frameworks.

#1: The first line of defense is revenue-generating business and operating units.

This line “owns” the risks and is responsible for their management by putting in place appropriate policies and processes for identifying, assessing, and managing risks and controls to ensure they are working effectively.

#2: The second line of defense comprises various support or oversight functions such as risk, compliance, finance, and the back office.

It provides support and challenge to the first line of defense, becoming important if the controls outlined in the first line of defense are ineffective or missing.

The duties of this line of defense include:

  • Defining the requirements that the first line must follow when putting policies, processes, and controls in place
  • Monitoring that these meet expectations
  • Providing input on specific transactions or proposals
  • Monitoring operational risks at an aggregate level, and
  • Identifying and assessing emerging risks

#3: Internal audit is the third line of defense.

It carries out independent checks to ensure that documented policy and process requirements are being complied with and are adequate.

Checks are made in line with a risk-based program agreed with management, who receive reports on findings and take action to address them.

A key aspect of the Three Lines of Defense model is that the first line owns operational risk and is responsible for its management and control rather than relying on the second or third line for oversight.

There are other areas of a bank, such as the board and senior management, that lie outside the model, as well as interested third parties such as external auditors and regulators.

The Three Lines of Defense model is used when monitoring the effectiveness of a bank's RMF.

Infrastructure

Systems are required that are capable of processing large volumes of transactions in an efficient manner, as well as capturing, storing, and reporting data.

Policies

Policies set out requirements with respect to the identification, assessment, management, monitoring, and reporting of operational risk at all levels.

Authorities

These set out who has authority to approve what in relation to operational risk (for example, agreement on new or revised processes or outsourcing arrangements).

Processes

Processes cover:

  • The processing of transactions and checks and controls needed to ensure this is being undertaken correctly
  • The capture, aggregation, and reporting of data
  • The escalation procedures to be followed

Committee structures

There is often a hierarchy of risk committees that, within delegated authorities, approve elements of the RMF, such as risk policies, and monitor risk exposures and reports covering operational risk.

Operational risk committees are structured in much the same way as those for other risk types and have similar roles and responsibilities.

Challenges of implementation

While the components of an RMF are common across risk types, it is more challenging to build and implement the RMF for operational risk.

One reason for this is that operational risk is all pervasive. Market risk, for example, only applies to products affected by market prices/rates, but every product and service gives rise to operational risks. A second reason is the focus on minimizing loss, with banks aiming to minimize the impact of operational losses both in the normal course of business (small losses) and from extreme events (large losses).

The consequences of this for the various elements of the RMF are:

  • Materiality – resources and controls need to be focused on material risks, although materiality thresholds may vary according to the size and nature of the risk.
  • Likelihood and impact – requirements should address not only how to identify material risks, but also the likelihood of a risk event occurring and the impact should it occur.
  • Extreme events – estimation of likelihood should include an assessment of potential extreme events, as well as those considered part of the normal course of business.

A further challenge is that RMF requirements for operational risk tend to be different in nature from those for other risk types. Policies, for example, tend to be more high level and generic, and only go into greater detail where they focus on specific areas such as product development. Much more detail is often set out in process documentation. Similarly, in relation to authorities, there are few specific delegated authorities compared to (say) credit risk as operational risks are not generally accepted on their own but are factored into other decision-making processes – whether or not to launch a new product, for example.

Conclusion

By implementing a risk management framework, organizations can proactively identify and address potential risks, minimize negative impacts, and seize opportunities. It helps foster a culture of risk awareness and accountability throughout the organization, enabling better decision-making and enhancing overall resilience.