Management of operational risk is a key feature of sound risk management in large and small institutions. In community banks, an operational risk framework must be tailored to the capacity of the staff dedicated to ORM, which in some cases is just one staff member. That was the case for Terri L. Hendrix, vice president and director of operational risk at EverBank, who spoke on “Developing and Implementing an Operational Risk Framework for Community Banks.”
Each financial institution should follow a framework specific to its own internal operating environment. A robust ORM framework should include the following core components: clear objectives, culture, and tone set by the board and senior management; a strategy that provides guidance on risk appetite, policies, and processes; a clearly defined risk appetite and policy; clear communication of risk policy across the entire organization; periodic evaluations based on internal and external changes; a structure that ensures the ORM framework is handled consistently; and procedures to ensure execution of and compliance with ORM policy.
An operational risk committee is a crucial part of the governance structure. Business units should conduct comprehensive risk and control self-assessments (RCSAs) to identify key operational risks in day-to-day business processes. Risk monitoring should include tracking internal and external audit issues and regulatory issues, testing RCSAs, identifying and reporting key risk indicators, collecting operational risk loss data, and ensuring this data is used by the business units in assessing the residual risk rating. Risk reporting should include the results of RCSAs by line of business and in aggregate; the status of remediation measures; operational losses; third-party relationships; new products, processes, and services; and business continuity and disaster recovery testing results.