In recent years, banks globally and here in the UAE were occupied by the implementation of IFRS 9. This tended to dwarf all other competing priorities for the risk and finance teams.
Regulators, too, appeared to be significantly engaged in the implementation of IFRS 9 and spent considerable time and resources reviewing calculated expected credit loss (ECL) charges under the new rules.
Operational risk has now become a heightened area of focus for financial institutions as the industry wrestles with challenges arising from cyberthreats, third-party concerns, trading, conduct and culture issues, anti-money laundering fines and sanctions, stress testing requirements, and technological innovations driving greater opportunities for process automation and digitisation.
The Basel Committee on Banking Supervision (BCBS) first released Principles for the Sound Management of Operational Risk (BCBS 195) in 2011. A review undertaken by the committee in 2014 highlighted that banks globally had not sufficiently implemented these principles, which culminated in an additional BCBS paper, Review of the Principles for the Sound Management of Operational Risk (BCBS 292).
Taking notice of this, the Central Bank of the UAE (CBUAE) issued draft Operational Risk Standards and Operational Risk Regulations in 2016. These were finalised and issued in August 2018 under CBUAE Operational Risk Standards and Regulations 163/2018, and we are seeing this as part of a growing trend across the Gulf Cooperation Council (GCC).
Several regulators have recently issued new rules or are refining existing rules relating to operational risk that are in line with international best practice.
Capital and guidance from central bank
Operational risk is often regarded as the most challenging risk for both regulators and banks. The rationale for this is that nothing can prevent a bank from experiencing a significant adverse event.
Ultimately, allocation of Pillar 1 capital (the regulator’s core measure of a bank’s viability, usually common stock and disclosed reserves) is designed to at least encourage bank boards and senior management to discuss how best to manage operational risk. In most cases, Pillar 1 capital will likely be lower than the loss history for nearly all banks.
The first reason is that ‘boundary events’ tend to get lumped 100 per cent under credit risk losses, with no allowance for apportionment for related operational risk failures involved in credit losses, such as inappropriate models, insufficient monitoring or fraud.
Secondly, losses resulting from operational risk generally tend to be under-reported, primarily due to the potential consequences and lack of awareness by bank staff. The August 2018 regulations laid out by the CBUAE are accompanied by a separate ‘standards’ release which provides additional clarity on what banks should be doing to achieve best practice.
The key areas for banks’ attention under the Operational Risk Standards are: governance, identification and assessment, control and mitigation, business continuity management, information technology and systems, and reporting.
Due to the inherently qualitative nature of managing operational risk (through implementing a robust internal control environment coupled with strong process level controls), many banks tend to believe that they are already ‘best in class’ with respect to their operational risk framework.
Accordingly, regulators often see the need to spell out principles, standards and rules for banks to follow. The Risk Based Supervisory approach adopted by CBUAE should ensure that a spectrum of results is possible when viewing how banks apply the new standards.
KPMG’s recent experience working with several GCC banks on operational risk initiatives implies that there may be room for improvement in enhancing operational risk frameworks and how the seven operational risk event types (as defined by the Basel Committee) are managed.
The event types comprise:
It seems there is much work for banks to do as they strive toward operational risk excellence, including:
A specific area that has recently received significant focus from regulators and banks is mitigating internal and external fraud losses. Several banks are undertaking fraud risk framework reviews, whilst others are identifying material processes susceptible to fraud and carrying out fraud risk assessments.