Op Risk Framework Design Practice Benchmark
- 26 April 2019
ORX has worked with 43 financial institutions to see how they manage their operational risk frameworks, which GRC tools they use to manage them, and what changes they are making to their frameworks.
From this study, we have created the ORX operational risk reference framework.
This reference framework allows you to compare your financial institution and the way you manage risk to your peers in the industry. Our ORX operational risk framework will also inform our future Practice Benchmarks.
The ORX Operational Risk Reference Framework
We created the reference framework using input from our 43 participants and the Basel Committee's Principles for the Sound Management of Operational Risk (PSMOR). We identified three main areas in a typical framework.
1. Governance, appetite and culture
Governance, appetite and culture form the structure surrounding and supporting the risk management environment. In many submitted frameworks, we saw governance and appetite sitting above the risk management environment, setting overarching expectations, accountabilities and strategic decisions for the entire risk management process.
Roles and responsibilities and the three lines of defence model are the most frequently represented elements in participants' frameworks.
2. Risk management environment
The risk management environment is where many of the risk management activities are represented (identification, assessment, mitigation/management, monitoring, and reporting).
RCSAs, loss data and issue and action management are the most frequently represented elements.
In the reference framework, enablers sit as key inputs into the risk management 'building', which reflects the position of these components in many of the submitted frameworks.
Framework change, management and systems
In addition to collecting participants' frameworks, we asked them a series of questions about whether they are planning to change their frameworks, how they manage their frameworks, and what governance, risk and compliance (GRC) tools or systems they use. ORX members can read more about these results in the full report.