[Figure 9.1: Partnership model between line 1 and line 2. Line 2 responsibilities shown in the figure: provide oversight and independent challenge; escalate risk appetite breaches; provide risk assurance (ERMF including controls); provide an independent and forward-looking view; line 2 validation report.]
FIGURE 9.1 Roles and responsibilities of the first and the second lines of defense
© Antonio Ybarra, Risk Director, Bupa Global Market Unit, 2013. Reproduced with permission.
RISK COMMITTEES AND ORGANIZATION
Governance also means committees taking collegial decisions, based on reporting and
escalated information. This section briefly reviews the main committees in relation to
operational risk. Often, the size and complexity of the organization significantly influence the size and number of committees addressing the governance of operational risk.
The Board of Directors
This is the ultimate committee. The board of directors sits above the three lines of
defense model and it is where the three lines join. In corporate governance, the board
is in charge of all the administration of the firm. In practice, it delegates its powers
to various committees. For example, executive management is delegated to the executive committee, risk management to the risk committee, and the audit to the audit committee. Boards are made up of executive directors (active in the management of the firm) and non-executive directors (not active in the firm), and of dependent directors (representing the interests of certain shareholders) and independent directors, with the
composition depending on the country, tradition and corporate governance code under
which the firm operates.
The vast literature on boards and board effectiveness is beyond the scope of this book. True board value is as precious as it is rare. Board effectiveness in matters of operational risk requires profound knowledge and understanding of the business, besides a strong background in risk management.
Risk Committees
The board of directors is ultimately responsible for the effective identification, management and oversight of operational risk. Oversight of operational risk identification and management is typically delegated to the board's risk committee, as is the review and assessment of the effectiveness of the operational risk management framework. The risk committee makes recommendations to the board with regard to risk-based decisions, risk exposure and risk management.
The risk function prepares regular reports to the board of directors and to the risk committee. The risk committee reviews and investigates larger incidents. The frequency of meetings should ensure consistent oversight of operational risk and adequate representation and escalation of potential issues to the board.
Operational Risk Committees and Other Specific Risk Committees
Larger organizations have specific risk committees, either per risk type, such as
credit, market and operational risk committees, or committees at local, regional or
business unit levels. All these structures are fine, as long as they are justified by the
size and the complexity of the business. Operational risk itself is often split into
several main non-financial risk categories such as fraud, information security, and
legal and compliance. Sometimes, but less frequently, it includes business continuity
and third-party risks. In many large organizations, each category of risk usually has
its own committees, subordinated to either the risk committee (or enterprise risk
committee) or the operational risk committee, reporting in turn to the enterprise
risk committee. Figures 9.2 and 9.3 illustrate the two types of structure commonly
observed, especially in the U.S. and Canada.
POLICIES AND PROCEDURES
Policies, procedures and other written guidelines or terms of reference are the backbone
of corporate governance for committees. Policies describe – or should describe – the
rules and principles according to which a company runs its business and organizes its
processes. Procedures and guidelines provide more specific guidance on how to execute