A single operational risk taxonomy and a single risk tolerance policy are used to harmonise risk assessment and response and to ensure consistent reporting.
The risk taxonomy provides clear and straightforward terminology for all operational risks. It is based on three interrelated components: risk events, leading causes and risk impact. The taxonomy of leading causes and risk events supports a structured risk assessment: it describes the risks and allows them to be prioritised. All organisational units must use uniform scales for assessing risk impact and probability so that risk assessment and reporting are consistent across the institution.
Operational risk tolerance policy
The tolerance policy sets out the principle for responding to an operational risk according to its impact and probability level. For organisational units, the risk tolerance policy serves as the reference point for deciding whether a specific risk requires a response. Risks are submitted for decision to the competent manager (the Governor, a Vice-Governor or an Executive Director).
The risk tolerance policy can be represented graphically as a matrix, with impact and probability each rated on a five-level scale.
For risks in the "red zone", the responsible manager approves the response to the risk and the corresponding action plan for risk treatment. For risks in the "yellow zone", the person who organises work in the organisational unit approves the response and the corresponding action plan. Risks in the "green zone" are considered acceptable by default, and no treatment measures need be determined for them; they are nevertheless monitored continuously, since their level may increase.
Operational risk management process
The operational risk management process in the CBCG consists of the following stages:
- risk identification,
- risk assessment,
- response to risk, and
- risk reporting and monitoring.
Organisational units identify the risks related to their most critical business functions and processes, taking into account interdependencies with other organisational units. Identified risks are recorded in a uniform manner so that they can be reviewed consistently and so that the subsequent stages of the process are effective.
Risk assessment considers the impact and probability of the risk, together with the existing controls and control objectives; these form the basis for deciding how the risk is to be managed. Depending on the sources available, the assessment may be qualitative (expert judgement) and/or quantitative (statistical analysis of incident data).
The purpose of the risk response, and of implementing the response measures, is to manage the risk in line with the risk tolerance policy. One of the following responses can be applied to a specific risk:
- reducing (lowering the impact and/or probability of a risk event by applying appropriate controls);
- accepting (tolerating the risk, e.g. when little can be done about it or when the cost of the available measures is not proportional to the potential benefit);
- transferring (risk transfer or sharing through insurance or contractual relationships);
- avoiding (stopping or abstaining from a risky activity).
Controls and control objectives are the key mechanisms for modifying and managing risk; they provide a reasonable and cost-effective reduction of the risk level in line with the risk tolerance policy.
An appropriate action plan is prepared and regularly updated to ensure that control objectives are met and that implementation progress is properly monitored. Once the action plan has been implemented, the risk is re-assessed. Control objectives themselves are also reviewed regularly to ensure they remain relevant.
Reporting provides information on the key results of the operational risk management process. Consistent risk reporting aims to ensure that the risk management process functions effectively and efficiently and that risk is managed in line with the risk tolerance policy.
Adequate information and communication are integral to the risk management process and relate to all its stages. The process must ensure that all stakeholders have access to relevant information and a good overview of the risk situation.
Risk management is a continuous process. Risk reporting is therefore not tied to any particular stage of the process and is not conditional on completion of the entire cycle; it aims to provide an overview of the risk situation at a given point in time. Under the methodology, regular reports are prepared to inform the competent managers about the state of risks and the responses to them.
Operational risks must be subject to regular monitoring. Risk monitoring is an ongoing process that:
- continuously verifies the status of key operational risks and internal controls,
- confirms that operational risks are managed in line with the operational risk tolerance policy,
- ensures that action plans are implemented according to the planned schedule,
- analyses the business environment and best practices to detect the emergence of new operational risks,
- defines control objectives, and
- proactively monitors and reports on incidents.