Key changes to PSMOR and what they mean for operational risk

The recent update to the principles for the sound management of operational risk (PSMOR) brings them in line with contemporary practice. The changes proposed by the Basel Committee on Banking Supervision (BCBS) are relatively uncontroversial.

They are based on four key areas that were identified in their 2014 review:

1. Operational risk identification and assessment
2. Change management
3. Operational risk appetite and tolerance
4. Disclosure.

As well as the specific areas mentioned above, there are also some wider themes which run through many of the updates to multiple sections. Here's my breakdown of the main changes and what they mean for you and your operational risk team.

Four key areas of change

Principle 10 brings ICT into the PSMOR

With Principle 10, the BCBS introduced a specific principle for the management of Information and Communication Technology Risk (ICT). This reflects the increasing importance of cyber, information security and data risks.

Resilience removed from business continuity

In comparison to 2014, resilience is now a much larger focus for banking regulators. To avoid overlap between the PSMOR and the concurrently published principles on operational resilience, references to resiliency within the business continuity principle have been dropped.

Risk appetite statements clarified

Significantly more detail is given in Principle 4 (risk appetite), in what are now very ambitious criteria. According to the update, appetite statements should:

• Encompass a wide range of strategic and stakeholder (customers, shareholders, and regulators) interests
• Be forward-looking by aligning to short- and long-term strategy and being subject to scenario and stress testing
• Be clear, simple, easy to communicate and intuitive

Banks now required to disclose exposure

A final, potentially significant, change is in disclosure. The updated principle (12) now states that “Banks should disclose relevant operational risk exposure information to their stakeholders (including significant operational loss events)”. It acknowledges that care must be taken so that the disclosure itself does not increase exposure.

While disclosure, particularly of operational risk capital, has increased over recent years, this change could potentially have significant consequences. Furthermore, without industry standardised metrics for measuring exposure this may present more of a practical challenge for operational risk than the other risk disciplines

Thematic changes to the PSMOR

In addition to the changes I've outlined above, there are some clear themes that appear in changes to several principles:

1. Controls – there is much more explicit mention of controls throughout many of the principles
2. Governance – the update provides clarity on the specific responsibilities, particularly within the 3 lines of defence (3LOD) model, and the board and senior management
3. Material risks – in addition to several specific risks being highlighted, such as ICT, the need for a consistent risk management approach across all categories is also emphasised
4. Forward-looking and dynamic – it is emphasised that operational risk management should be forward-looking and change management should include continuous risk assessment

The latter two points confirm an emerging theme of the more agile and dynamic management of material operational risks. But what is perhaps lacking is a specific mention of efficiency and even simplification of the operational risk framework.

Furthermore, although the digitalisation of banking is partially reflected in the inclusion of the ICT principle, aside from a section on process automation there is little on the adoption of technology for risk management. Let's explore each of these key themes in more depth.

1. Controls mentioned in multiple principles

An emergent theme is how much an institution should understand its control framework. Within Principle 2 (ORMF – operational risk management framework), there are significant additions to how controls should be documented, including:

• Documenting the existence of tools for control identification and assessment – and the responsibilities within the 3LOD for them
• Documenting an approach to “ensuring controls are designed, implemented and operating effectively”
• Maintaining an inventory of both risks and controls
• Ensuring that policies are reviewed based on a continued assessment of the quality of the control environment.

Principle 3 (The Board of Directors), now states that “Controls should be regularly reviewed, monitored, and tested to ensure ongoing effectiveness.”, and within Principle 6 (identification and assessment) control testing is mentioned. This requires a “structured approach to the evaluation, review and ongoing monitoring and testing of key controls, sufficiency of control coverage” and introduces the notion of materiality so that “control monitoring should be appropriate for the different operational risks and key controls”.

In Principle 9, on controls itself, there are few changes, except the removal of technology risk which should be managed in line with other operational risks – a theme of consistency which I address in the section on material risks.

2. Governance, responsibilities and 3LOD

Use of the 3LOD has been added to the start of the document (outside of any specific principle) and it sets out responsibilities for each line. It is careful to say the model should be “adequately and proportionally used by financial institutions to manage every kind of operational risk sub-category, including ICT risk.”. Principle 5 (senior management) is extended so that, in addition to the board and senior management, the independent audit committee of the board also has a responsibility to ensure the 3LOD operates appropriately.

Implementation of 3LOD

Many other changes in the PSMOR clarify 3LOD implementation, particularly with respect to how responsibilities are assigned, and the role of both senior management and the board. For example:

• Principle 3 (The Board of Directors) clarifies how responsibility falls between the board and senior management for the ORMF; the board’s role is now described as providing oversight of material operational risks and effectiveness of key controls, whereas senior management are responsible for the implementation of the ORMF
• Principle 11 (BCP) now clearly states the need for validation and regular board review of business continuity plans, as well as a strong senior management involvement in reviewing and implementing them

It is also clear that effort has been made to distinguish between first and second line responsibilities, such as:

• The ORMF should be fully integrated into the overall risk management processes of the bank by the first line of defence
• Within change management, the first line should perform operational risk and control assessments of new products and initiatives, whereas the second line conducts review and challenge of all stages of the process and ensures “all control groups are involved as appropriate”
• For reporting, the first line conducts “reporting on any residual operational risks, including operational risk events, control deficiencies, process inadequacies and non-compliance with operational risk tolerances”

Later this year, we'll be publishing a practice benchmark exploring how well the 3LoD model is implemented within banking and insurance and allowing participants to see how their practice compares to their peers.

3. A consistent approach to material risks

For material risks, there is a dual focus. Although some important risks are individually mentioned, the update also emphasises that risks should be managed within a consistent framework. This supports the findings of our two studies on operational risk as an 'umbrella function'.

Contemporary top risks, including ICT, model, legal/conduct, third party and regulatory are all explicitly mentioned throughout the document. Examples include:

• Within Principle 2 (ORMF) detail is given on what an operational risk taxonomy should contain, highlighting ICT, conduct and model risk as specific areas of interest
• Principle 5 (governance) states that outsourcing is coordinated with operational risk, and calls for expertise in legal, technology and regulatory matters within governing committees
• When launching new products (Principle 7) the legal, ICT, model risks inherent in them should be considered
• In a nod to conduct risk, Principle 9 (control and mitigation) says that compliance with and exceptions to policy is now extended to include regulations and laws, and furthermore, it states that concentration risk, in the context of outsourcing, should be considered 

The importance of culture

Within Principle 1 (culture) it now states that it is senior management’s responsibility to implement a strong risk culture and draws a more categorical link between a strong risk culture and avoidance of operational risk events. The update suggests several methods for instilling good culture. The first is via a code of conduct* that is given a prominent role, along with a recommendation that for specific positions a separate code may be needed. The second is that customised training may be needed for some roles, and the final bit of guidance is that there is “strong and consistent board and senior management support for ORM and ethical behaviour”.

*This code of conduct should be regularly reviewed and approved by the board of directors and attested by employees; its implementation should be overseen by a senior ethics committee, or another board-level committee, and should be publicly available.

4. Forward-looking, dynamic and timely risk management

Proposed tools for the identification and assessment of operational risks (Principle 6) have had a significant update and reflect a move to a more forward-looking and dynamic approach.

A small section on measurement has been deleted, in effect removing modelled capital as a tool for assessing risks, although exposure models are mentioned in the context of metrics. However, there is a significant increase in the focus on scenario analysis. If you're looking for support with operational risk scenario practice, then take a look at the ORX Scenarios service.

This provides guidance on how to conduct scenarios, the challenges associated with them and their potential uses. For example, Principle 11 (BCP) states that forward-looking BCP should be based on scenario analysis, with a variety of potential impacts, each subject to thresholds for activation of plans.

This increased role for scenarios mirrors our observations from recent regulatory studies (see our most recent work on CCAR) and our observations from our discussions and report of the initial lessons operational risk can learn from the coronavirus (Covid-19) pandemic.

Other changes in tools to identify and assess risks include:

• Additional detail on risk self-assessments including quantitative and qualitative elements aspects
• The addition of “event management"
• The inclusion of “benchmarking and comparative analysis”, which is broad and covers qualitative and quantitative comparisons, against internal and external sources

A recurring theme in the update is to make framework elements more dynamic. For example, risk appetite is made forward-looking by aligning statements to short- and long-term strategy, subject to scenario and stress testing. Change management includes “continuous risk and control assessments” and should assess the evolution of associated risks across time. And emerging risks should be reported and monitored by metrics.

It should be remembered this work is still in draft form, and it is principles, meaning that the specific implementation and therefore impact on banks will not be certain until it is cascaded into regional and local regulation. An update to the principles was long overdue, and on balance, it is welcome and brings regulatory thinking broadly in line with current practice.