As the complexity of interactions between banks and non-banks increases, there is a need to upgrade the way operational risk is managed. In this context, after operational risk (OR) was formally integrated into banks' risk management framework under Basel II in 2003-2004, it is planned that all commercial banks will This was followed by an RBI guidance note covering For almost two decades, we have seen a tectonic shift in the complexity and complexity of operations, as the scope of core and non-core businesses expands, banks have to collaborate with a large number of non-banks, and banks face increasing OR. It has been.
Therefore, banks joined other regulated entities (REs) in providing diversified financial services such as insurance, mutual funds, and other ancillary services, exposing them to the deterioration of OR. With increasing GDP growth and sector expansion, the size of RE's balance sheet has increased significantly due to its exposure to various innovative business areas using interoperable technologies. Inter-institutional dependencies and product diversity, in sync with the changing profile of new-age technology-savvy customers, have further increased the complexity of OR.
Ultimately, deepening financial sector reforms based on innovative technologies, financial inclusion, and digital penetration have increased interconnected risks. The trinity of Jan Dhan, Aadhar and Mobile (JAM) has enabled last-mile connectivity with the hinterland, increasing the burden of improving RE's ability to balance business and business risks. The expanded scope of non-core businesses has allowed banks to potentially increase one-time fee income and reduce their dependence on interest income. Accelerating insurance sector reforms and the proliferation of alternative investment options have required RE to maintain a well-calibrated balance between core and non-core businesses, in sync with risk appetite to constrain OR. The increasing proportion of non-core business to increase fee income required corresponding skill improvement and robust internal controls to limit OR.
The RBI has consciously reduced regulatory arbitrage between banks and non-banks and directed a similar risk management architecture for all REs, but it is a continuous work in progress.
Recent experience of increased risk accumulation and increased penalties for non-compliance justifying regulatory action to direct under section 35A of the Banking Regulation Act 1949 has encouraged RE to reinvent its strategy and improve the It suggests that better internal controls need to be institutionalized to deal with institutions. or in combination with other forms of risk.
1. New OR guidance:
In a recent move, the RBI has announced that on April 30, 2024, the OR and Operational We have revised and published a new guidance note on resilience. The proportion of RE that takes into account the interconnections and interdependencies within the financial system resulting from a complex and dynamic environment. The guidance note on OR issued in 2005 will be repealed.
The current OR guidance is based on the Basel Committee on Banking Supervision (BCBS) published in March 2021 in line with the Revised Principles for the Sound Management of OR, which integrates operational resilience principles and international best practices. However, it is timely for RE. .
2. Main changes:
The revised guidance is more comprehensive and detailed. When implemented in letter and spirit, RE can be fenced against current and emerging forms of OR. The important changes that warrant institutional and policy shifts will be of interest.
(a) The scope of the guidance note on OR has been expanded from banks to include all REs including cooperative banks and all financial institutions in India, adding a new dimension of operational resilience. Ta. All REs will need to put in place appropriate systems and controls to ultimately reduce regulatory arbitrage and promote financial system resilience.
(b) The concept of a “three lines of defense” model for controlling risk is incorporated into the guidance, where it was previously missing. (i) business units form the first line of defense, (ii) organizational OR management functions (including compliance functions) form the second line of defense, and (iii) audit functions form the third line of defense. form a line.
(c) A typical OR organizational structure has been previously proposed for banks. But now, looking at diversity, size, and functional complexity, the structure and form of the organizational structure is left to RE.
(d) Going forward, REs will need to institutionalize a modern management change management system with detailed principles to improve their transition capabilities in a dynamic business and leadership environment.
(e) Mapping of internal and external interconnections and interdependencies, incident management, information and communication technology (ICT), and disclosure will be required.
(f) Guidance regarding third-party relationships and outsourcing was scattered. Going forward, RE will be required to provide principles that focus on third-party relationships, a broader concept than outsourcing.
(g) REs are now required to introduce another principle for mapping lessons learned based on the practice of obtaining continuous feedback from employees in order to change operations.
(h) OR's approach to capital calculation is not part of the guidance notes. This is based on the “Fundamental Circular – Basel III Capital Regulations” dated April 1, 2024 (as amended from time to time). This will be replaced by the Basic Instruction on Minimum Capital Requirements for Operational Risks dated June 26, 2023, which will come into force. Similarly, the classification of loss event data collection is based on the Basic Instructions on Minimum Capital Requirements for Operational Risk dated June 26, 2023 (available to REs). This is not part of the OR and Operational Resilience guidance notes. Accordingly, OR's capital charge calculations and loss data collection are based on the master instructions from time to time and are not part of the guidance.
3. Future direction:
The new guidance notes are comprehensive to help REs ring-fence their risks, and more importantly, their ORs. Managing OR is about controlling risks in day-to-day operations, while increasing operational resilience is about strengthening system management to transform the RE into a strong organization that can withstand all forms of unexpected OR. This is a long-term continuous goal.
The weaknesses and weaknesses recently observed in the management of OR in some REs indicate that gaps in risk governance still exist. That's exactly the case, and the RBI has increased the burden on REs to build operational resilience while managing ORs. REs should use this as a strategic tool to develop a long-term vision for managing OR and continuously work towards building operational resilience for good risk governance sustainability. Therefore, RE must not only harden the implementation of OR but also ensure operational resilience on a durable basis.
Disclaimer
The views expressed above are the author's own.
end of article