Promoting and Developing the Discipline of Operational Risk Management
These sound practice guidance papers are designed to assist companies in implementing the various components that make up a robust risk management framework. It is the Institute’s intention that these guidance papers evolve over time as we receive feedback and suggestions from individuals and companies who have used them. If any reader of any Sound Practice Guidance has any experience or opinions that they believe may enhance the guidance offered, they should email standards@ior-institute.org.
| Date added: | 11/19/2010 |
| Date modified: | 11/03/2011 |
| Filesize: | 926.32 kB |
| Downloads: | 18299 |
Risk indicators are an important tool within operational risk management, facilitating the monitoring and control of risk. In so doing they may be used to support a range of operational risk management activities and processes, including: risk identification; risk and control assessments; and the implementation of effective risk appetite, risk management and governance frameworks (see IOR Guidance on Risk Appetite and Risk Governance).
Despite their usefulness, relatively little guidance exists on how to use risk indicators in an effective manner. Moreover, it is an area that has proven to be particularly challenging for many organisations. Hence there is a need for further guidance in this area.
What follows is the IOR’s perspective on current sound practices in relation to the use of risk indicators to support the management of operational risk. In so doing, this guidance covers the role and purpose of risk indicators, the elements of an effective risk indicator framework and some important practical considerations relating to the use of such frameworks within an operational risk management context.
| Date added: | 09/06/2010 |
| Date modified: | 11/19/2010 |
| Filesize: | 134.21 kB |
| Downloads: | 6321 |
Risk governance is the architecture within which risk management operates in a firm. It will reflect the firm’s risk culture. Since risk management is fundamental to running any business, risk governance is a fundamental part of corporate governance. The UK Corporate Governance Code states that ‘good governance should facilitate efficient, effective and entrepreneurial management that can deliver the long-term success of the company’. Similarly, good risk governance should result in risk being accepted and managed within known and agreed risk appetites. Risk management should be as much about identifying and taking opportunities, within agreed risk appetites, as it is about identifying and managing threats to the business which exceed those appetites.
Risk governance is not just concerned with risks internal to the firm, but must also cover the risks involved in, for example, outsourcing or wherever there is a third party dependency.
The risk governance framework should put in place a structure of risk responsibility throughout the firm. As a result, everybody in the firm will be aware of their own risk responsibilities and accountabilities and those of others with whom they work. Governance delivers effective accountability, including the accountability of the board to its owners.
| Date added: | 03/17/2010 |
| Date modified: | 11/19/2010 |
| Filesize: | 302.39 kB |
| Downloads: | 11138 |
In September 1992, the Committee of Sponsoring Organizations of the Treadway Commission (COSO) released a four-volume report entitled Internal Control — Integrated Framework. This report presented a common definition of internal control and provided a framework against which internal control systems could be assessed and improved. It later became a standard that U.S. companies now use to evaluate their compliance with the Foreign Corrupt Practices Act (FCPA).
Around the same time in the UK, the Combined Code and Turnbull guidance were under development, requiring UK companies to demonstrate a sound system of internal control and risk management, to review the effectiveness of their internal controls, and to provide a meaningful disclosure within their annual accounts.
These two initiatives largely led to the creation of Risk Control Self Assessment (RCSA), which has since become an integral element of a firm’s overall operational risk management and control framework.
| Date added: | 12/02/2009 |
| Date modified: | 11/19/2010 |
| Filesize: | 106.3 kB |
| Downloads: | 6303 |
In common with a number of aspects of operational risk management, risk appetite is an area that attracts differing views among practitioners. One of the reasons for this may be the relative immaturity of the discipline. Another may be the wide variety of contexts, e.g. size and structure of organisations, complexity of product/service offerings, regulatory jurisdictions etc.
For these reasons the following summary makes no attempt to suggest a one-size-fits-all solution to any of the practical challenges an organisation faces. Rather, it aims to outline a variety of good practices from which may be drawn a collection of appropriate, relevant and proportional ideas.