BIL Group’s operational risk management framework relies on strong governance, with clearly defined roles and responsibilities. The following committees are responsible for operational risk at BIL:
• The OR&NPC is in charge of monitoring operational risk at BIL. To this end, the committee makes decisions on risks that have been identified and analysed as well as on suitable measures to be taken in order to improve weak processes; it also monitors any action taken. This committee is respon- sible for approving RCSA. It also supervises the launch of
new products and examines their operational aspects, mak- ing decisions on any project that could have an operational impact on BIL activities.
• The Monthly Operational Committee (MOC), part of the TFM business line, supervises BIL’s TFM projects and opera- tional risks, makes decisions in terms of tackling day-to-day problems and monitors other risks related to TFM Luxem- bourg’s activities.
• The Security Committee (SC) is mandated by the Manage- ment Board to oversee the risks to BIL’s information security and to that of its subsidiaries and branches, as well as all risks relating to the loss of the confidentiality, availability or integrity of the Bank’s information assets. It is also in charge of moni- toring security incidents involving BIL, making decisions on any project with the potential to have an impact on the security of BIL’s information assets and ensuring that the implementation and support of a global business continuity plan (BCP) follows the strategy defined by the BIL Management Committee. 5.1.4 Risk measurement and management
The operational risk framework is based on the following elements:
• Efficient data collection, • Self-assessment of risks, • Corrective actions.
5.1.4.1 Operational risk event data collection According to the Basel Committee, the systematic recording and monitoring of operational incidents is a fundamental aspect of risk management: “historical data on banking losses may provide significant information for assessing the Bank’s operational risk exposure and establishing a policy to limit/manage risk”. Regardless of the approach used to calculate capital (stand- ardised or advanced measurement approaches), data collection is required. Having a relevant procedure in place ensures that BIL complies with the Basel Committee’s require- ments (guidelines for reporting operational incidents). At the same time, the recording of incidents provides information that may be used to improve the internal control system and determine the operational risk profile.
A breakdown of losses by event type is shown in the chart below:
Information Technology and IT Failure External Fraud Execution, Delivery & Process Management 1% 5% 24% 70%
Client Products & Business Practices
5. Operational risk
5. Operational risk
Execution, delivery and process incidents represent 70% of the total amount of losses. Losses related to these incidents are usually due to human errors. In second place, 24% of losses occurring in 2013 were due to external fraud. While there are few incidents of this type (only 17 incidents), the amounts involved are significant. There was no internal fraud. Infor- mation, technology and IT failure incidents generally do not generate financial losses even if they tend to occur rather often. The impacts are generally in man-days lost. The “damage to assets and public safety” event type is covered by insurance. In terms of reporting, an exhaustive monthly document is produced for each line manager (head office, subsidiaries and branches). It covers all incidents that have arisen in their business over the previous month, based on reports filed. Recipients analyse the report and verify that all incidents brought to their attention have been included.
ORM also presents a report on operational risk report to OR&NPC at the end of each quarter.
On a quarterly basis, three operational risk indicators are reported to the members of Management Board to assess the Bank’s risk appetite: critical IT incidents, external fraud attempts and the ratio between income and the net amount of losses. 5.1.4.2 Self-assessment of risks and associated controls
A risk and control self-assessment (RCSA) is performed in order to identify the most significant risk areas for the Bank. This assessment provides a good overview of the various activities and existing checks and can lead to the definition of mitigation actions. The results of the assessment are reported to Management during meetings of the Operational Risk and New Products Committee.
5.1.4.3 Definition and follow-up of action plans As part of operational risk management, corrective action plans linked to major risks and events must be monitored closely.
Two types of action plan are managed through operational risk management:
• Action plans – incidents: following a significant incident, the management may implement action plans,
• Action plans – RCSA: in the event of unacceptable risk exposure, the management may identify action plans. 5.2 Calculation of the regulatory capital requirement
BIL applies the standardised Basel II approach to calculate regulatory capital for operational risk. This approach princi- pally consists of applying a percentage (called the “beta factor”, ranging from 12% to 18%) to an appropriate activity indicator (adjusted net banking income), calculated for each of the eight business lines defined by the Basel Committee (corporate finance, commercial banking, retail banking, trading and sales, asset management, agency services, retail brokerage, payment and settlement).
The relevant indicator is defined by the regulator and is based on the operational results of the underlying business, using an average over the past three years. The calculation is updated at the end of each year. The capital requirement for operational risk was 55.72 million at year-end 2013, as compared with 55.57 million at year-end 2012.
Beta factor Adjusted P&L Capital requirement 2013 Capital requirement 2012 Commercial banking 15% 70.26 10.54 9.04
Trading and sales 18% 16.71 3.01 2.58 Retail banking 12% 351.48 42.18 43.95
TOTAL 438.44 55.72 55.57
The chart below presents the breakdown of the capital requirement for operational risk for the business lines (according to the Basel II definitions) as at December 31, 2013.
Retail banking Trading and sales 19% 76% 5% Commercial Banking
6.1 Performance assessment
6.1.1 Performance management system