
University of Modern Sciences (UMS)

College of Business Administration

Risk analysis and modeling


BUSN415
Fall 2015/2016
Assignment

Developing an operational risk policy


Submitted to
Dr. Ismail Abdulsalam
Submitted by
Musallam Alameri
20131334
Section 3

THE ESSENTIAL ELEMENTS OF AN OPERATIONAL RISK POLICY

Operational risk is a fast emerging area in business. Awareness of
operational risk as a separate risk category has been relatively recent in
most organizations. Unlike market and credit risk, the operational risk factors
are largely linked to internal policies and procedures of the organization.
There is no mathematical link between individual risk factors and the
likelihood and size of operational loss. Losses arising from an organization's
operational risks may, on occasion, exceed those stemming from credit
losses. It is, therefore, a vital focus for management in ensuring a properly
controlled approach to the risks inherent in their business.
The processes of identifying and measuring operational risks are at a very
nascent stage. Organizations are only in the early stages of developing
an operational risk management framework.
Organizations must put in place suitable risk management policies and
procedures to enable them to identify, assess, monitor and control/mitigate
operational risk. These policies and procedures should be commensurate
with the scale and complexity of the institution's operations. In particular,
an organization's policies and procedures should cover the following critical
elements:

Operational risk framework.

Role of board and senior management in overseeing the operational risk framework.

Responsibility for implementation of the framework.

Independent control review.

Collection of operational risk loss event data.

Monitoring and reporting.

Organizations must also ensure that their operational risk framework and
arrangements are kept under regular review and amended as necessary,
having regard to changes in organizations' risk profiles as well as external
market developments. Changes in organizations' strategies, policies and
procedures for operational risk management must be properly reviewed and
approved.

The first step towards developing an operational risk framework is to develop
a comprehensive operational risk policy. Each organization must have
policies and procedures that clearly describe the major elements of the
operational risk management framework including identifying, assessing,
monitoring and controlling/mitigating operational risk. These policies and
procedures should be commensurate with the scale and complexity of the
organization's operations.
Definition of operational risk
One of the essential elements of an operational risk policy is the definition of
operational risk, including the loss event types that will be monitored.
Operational risk is defined as the risk of loss resulting from inadequate or
failed internal processes, people and systems, or from external events.
Roles and responsibilities
The policy should clearly explain the roles and responsibilities of the
independent organization-wide operational risk management function and
line of business management. The different roles in an operational risk
management function could be the risk committee of the board, executive
risk committee, operational risk manager, etc. The responsibilities of these
functions should be clearly explained in the policy.
Management oversight
The operational risk policy should contain the procedure for top-level reviews
of the organization's progress towards the stated objectives. Senior
management needs to review the risk exposure and the monitoring
mechanisms on a regular basis. The policy needs to define the risk tolerance
level for the organization, and break it down to appropriate sub-limits,
prescribing reporting levels and breach of limits.
Capture and use of operational risk loss data
The methodology for the capture and use of internal and external operational
risk loss data, including data on potential events (including the use of scenario
analysis) should be explained in detail. Extensive documentation is required
for the process of identifying, capturing, assessing and accepting loss data.
Organizations must put in place systems enabling them to identify and
systematically track all material operational loss events.
Business environment and internal control factor assessments
The development and incorporation of business environment and internal
control factor assessments into the operational risk framework is another
essential element of operational risk policy. An effective control mechanism
is a qualitative factor that will have a great impact in controlling operational
risk.
The policy should cover a detailed discussion of risk and control
self-assessment and its methodology, the frequency with which it has to be done
and the persons involved in the process. The policy should also include a
discussion of qualitative factors and risk mitigants and how they are
incorporated into the operational risk framework. The key risk indicator
identification and assessment methodology has to be described in the policy.
Internal audit review and management review
A description of how the operational risk framework needs to be regularly
reviewed by independent audit is an important element in operational risk
policy. The operational risk management processes and procedures are
subject to audit review. In addition to the audit review, management also
needs to check compliance with management controls and regularly review
the internal control mechanisms.
The policy should indicate the process to be adopted for immediate corrective
action when issues are identified in the audit review. There should be a documented
procedure for review, treatment and resolution of non-compliance issues. A
discussion of the model testing and verification processes and procedures
needs to be documented.
Analytical framework
The policy should contain a description of the internally derived analytical
framework that quantifies the operational risk exposure of the institution.
The operational risk policy needs to describe how the operational risk
exposure is calculated by using loss data, scenario analysis, risk and control
assessments, etc.
Review and approval mechanism
The process for the review and approval of significant policy and procedural
exceptions should be incorporated in the operational risk policy.
Organizations must ensure that their operational risk framework and
arrangements are kept under regular review and amended as necessary,
having regard to changes in institutions' risk profiles as well as external
market developments. Changes in institutions' strategies, policies and
procedures for operational risk management must be reviewed and approved
by the board of directors. A documented procedure should exist for
approving changes in policies and procedures, the persons responsible for
approving changes and the procedure for notifying the changes.
The policy should indicate a system of documented approvals and
authorizations and ensure accountability at an appropriate level of
management. The roles and responsibilities of the persons responsible for
approvals and authorizations have to be clearly mentioned.
Reporting requirements
A documented procedure should exist for risk reporting. The board/senior
management receives regular reports on critical risk issues facing the
organization and its control/mitigations. Management should develop
operational loss databases that track loss events on the basis of the mapping
approach to event type categories and business lines.
Senior management also needs to receive regular reports on risk
assessments, control assessments and risk exposure. Operational risk
reports will reflect the scope and sophistication of the institution's operational
risk framework. For example, such a report might include information on the
level and trend of historical operational losses including, where relevant, a
summary of recent operational losses by loss event type, a brief description
of the most significant operational losses for the prior quarter and summary
of any operational risks identified as a result of an independent internal (or
external) review.
