We have created the RMF/ECRG framework for managing operational risk and have applied it to the RBC TD FX Regulatory Fine Case.
One of the requirements of the ECRG is that regulatory minimum requirements are met.
Let's test that. OSFI and Basel have published their minimum requirements for sound practices of the management of Operational Risk.
To test whether the ECRG is adequate against these required practices, we do a gap analysis. A gap analysis is also used to add sub-layers to the ECRG.
A gap analysis is usually done by taking the requirements, parsing them into individual requirement paragraphs, and then adding each paragraph into an Excel spreadsheet.
Then within the spreadsheet, each requirement paragraph is rated on some scale ranging from full compliance to various degrees of non-compliance. For example, the rating scale could be full compliance, substantial compliance, partial compliance, and no compliance.
We don't stop at documentation. We take action. For each paragraph rated at less than full compliance, an action plan to get to full compliance is developed. Of course, the action plan includes a target date for completing the actions that get to full compliance.
Often the regulator will require the FI to complete a prescribed gap analysis, which they call a self-assessment. For example, OSFI issued a gap analysis/self-assessment template to be used by FIs to complete their self-assessment against E21 Operational Risk Management.
Here is an excerpt of the self-assessment template
We will remix and repurpose this self-assessment template to test the ECRG in order to:
1. ensure the 4 categories are sufficient to capture all the regulatory requirements, and add a category if they are insufficient;
2. add sub-layers to the categories as appropriate.
Here is how we will do it.
The class is divided into 4 teams, with each team consisting of a set of MFRM groups like this:
Category Groups
Exposure: 1,2,3
Controls: 4,5,6
Resilience: 7,8,9
Governance: 10,11,12,13
Each group within a team will work for 15 minutes to map paragraphs into the team's category. For example:
Group 10 may identify that Principle 6: "Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes, and systems to make sure the inherent risks and incentives are well understood" can be mapped into the Governance Category. The group then populates column 2 (Governance) of the repurposed template for all applicable paragraphs, leaving blanks for paragraphs that do not belong to the Governance Category. Groups 11, 12, and 13 will do the same individually. After the 15 minutes, Groups 10, 11, 12, and 13 will spend the next 10 minutes working together to consolidate their completed templates into one Team Governance Template.
Once the Team Governance Template is completed, the team will test the Governance Category of the ECRG and add sub-layers to meet all the governance regulatory requirements. You may have to do several iterations to ensure your sub-layers are MECE (mutually exclusive and collectively exhaustive).
Teams E, C, and R will do the same thing for their respective categories.
The target result is to end up with an ECRG 2.0 that looks something like this.
You have half an hour.
Solution
One of the first things you will observe about the Sound Management of Operational Risk regulation is that, although it is organized into 12 Principles, many of the detailed items under the different principles overlap. Some principles are components of another principle: Principle 8 (monitoring and reporting) is actually part of Principle 9 (controls). Other principles, such as Principle 7 (change management) and Principle 10 (information and communication), are not separate components of the operational risk management framework but rather applications of the ORF to a particular management process such as change management. Likewise, Principle 9 item 54 is about controls for outsourcing, but controls for outsourcing are just one aspect of managing outsourcing risk; the whole framework applies to outsourcing risk.
The regulation is a somewhat organized, hierarchical but overlapping list of requirements for an operational risk framework, intermeshed with the application of the ORF to some specific situations like outsourcing. It lacks the simplicity and clarity of a MECE structure.
Below is a MECE-structured list of requirements, with references to the applicable Principles.
Some of the level-two components, such as event types, have already been discussed at length; others will be discussed in future posts.
All regulations must be met at a minimum. This is part of the ORF Regulatory Minimum Standards under Governance. Two questions arise.
How do we know if the ORF is complete, i.e. that it has indeed captured all the components of the regulatory requirements, of which disclosure is one?
And once completeness is confirmed, how do we know it has been implemented and executed properly?
There is a tool for identifying and documenting any gaps between regulatory requirements and current practice; regulators often call it a self-assessment, and the industry generally knows it as a gap analysis. The same gap analysis can be made against internal policies. These policies incorporate all the minimum regulatory requirements but also often contain, in whole or in part, internal requirements above the regulatory minimum, such as best practices.
At a minimum, a gap analysis consists of a rating of the degree to which each regulatory or internal policy requirement is met by current practices. A commonly used rating scheme is: full compliance (no gap), substantial compliance (minor gaps), partial compliance (some gaps), and non-compliance (major gaps).
The gap analysis documentation is usually a table with at least two columns. The first column lists one regulatory requirement per row; the second column contains the rating. This is the minimum. Often there is a third column describing what is currently done to support the rating where there is no gap, a fourth column describing the gaps, and a fifth column describing what needs to be done to close the gap, i.e. to achieve a rating of full compliance. The work that needs to be done, by whom, and by when to reach full compliance is commonly referred to as the Corrective Action Plan (CAP).
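As an added illustration, not part of the course material or of the OSFI template, here is a small Python helper that builds the table just described (requirement, rating, current practice, gap, CAP with owner and due date), validates that every less-than-full rating carries a complete CAP, produces the CAP register with overdue flags, and also runs the MECE check on the consolidated team-mapping templates from the exercise above. Every requirement reference, paragraph wording, rating, owner and date in it is a constructed placeholder, not E21 or Basel text.

```python
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

CATEGORIES = ("Exposure", "Controls", "Resilience", "Governance")
# Rating scale from the post, ordered from "no gap" to "major gaps".
RATINGS = ("full", "substantial", "partial", "none")


@dataclass
class Requirement:
    """One row of the gap-analysis table, with the columns described in the post."""
    ref: str                        # constructed reference: principle-paragraph
    text: str                       # constructed paraphrase, not regulation text
    rating: str                     # one of RATINGS
    current_practice: str = ""      # evidence supporting a "full" rating
    gap: str = ""                   # what is missing
    cap_action: str = ""            # Corrective Action Plan: what
    cap_owner: str = ""             # ... by whom
    cap_due: Optional[date] = None  # ... by when


def parse_paragraphs(regulation_text: str) -> List[str]:
    """Split a regulation into individual requirement paragraphs, one per
    non-empty line (a real document would need a richer splitter)."""
    return [p.strip() for p in regulation_text.splitlines() if p.strip()]


def check_mece(templates: Dict[str, Set[str]], all_refs: Set[str]) -> dict:
    """Consolidate the team templates and test the MECE property:
    mutually exclusive (no paragraph sits in two categories) and
    collectively exhaustive (every paragraph sits in some category)."""
    owners = defaultdict(list)
    for category, refs in templates.items():
        for ref in refs:
            owners[ref].append(category)
    overlaps = {ref: sorted(cats) for ref, cats in owners.items() if len(cats) > 1}
    unmapped = sorted(all_refs - set(owners))
    return {"overlaps": overlaps, "unmapped": unmapped,
            "mece": not overlaps and not unmapped}


def validate_rows(rows: List[Requirement]) -> List[str]:
    """Every less-than-full rating must carry a complete CAP (what, who, when)."""
    problems = []
    for r in rows:
        if r.rating not in RATINGS:
            problems.append(f"{r.ref}: unknown rating {r.rating!r}")
        elif r.rating != "full" and not (r.cap_action and r.cap_owner and r.cap_due):
            problems.append(f"{r.ref}: rating {r.rating} but CAP is incomplete")
    return problems


def corrective_action_plan(rows: List[Requirement], today: date) -> List[dict]:
    """CAP register: open items ordered by due date, flagged when overdue.
    Rows without a due date are reported by validate_rows, not listed here."""
    open_items = [r for r in rows if r.rating != "full" and r.cap_due]
    open_items.sort(key=lambda r: r.cap_due)
    return [{"ref": r.ref, "action": r.cap_action, "owner": r.cap_owner,
             "due": r.cap_due.isoformat(), "overdue": r.cap_due < today}
            for r in open_items]


def rating_summary(rows: List[Requirement]) -> Dict[str, int]:
    """Count of rows per rating, the headline figure of a self-assessment."""
    return dict(Counter(r.rating for r in rows))


# Constructed sample rows (placeholder wording, owners and dates).
SAMPLE_ROWS = [
    Requirement("P6-36", "Identify and assess inherent operational risk in all material products.",
                "full", current_practice="Annual RCSA covers all business lines."),
    Requirement("P8-40", "Monitor the operational risk profile and report to senior management.",
                "partial", gap="Reporting is quarterly, not monthly.",
                cap_action="Move OR dashboard to a monthly cycle", cap_owner="Head of OR",
                cap_due=date(2024, 3, 31)),
    Requirement("P9-54", "Maintain controls over outsourced activities.",
                "none", gap="No vendor control testing.",
                cap_action="Stand up third-party control testing", cap_owner="CRO",
                cap_due=date(2024, 9, 30)),
    Requirement("P10-50", "Disclose the operational risk management approach.",
                "substantial", gap="Disclosure lacks a resilience section.",
                cap_action="Add resilience section to the disclosure", cap_owner="Finance",
                cap_due=date(2024, 6, 30)),
]
# Constructed team templates: category -> refs each team put in its column.
TEAM_TEMPLATES = {
    "Exposure": {"P6-36"},
    "Controls": {"P8-40", "P9-54"},
    "Resilience": set(),
    "Governance": {"P8-40"},   # also claimed by Controls: not mutually exclusive
}                              # P10-50 claimed by nobody: not collectively exhaustive
REPORT_DATE = date(2024, 7, 1)  # constructed "as of" date for the CAP register

if __name__ == "__main__":
    print(check_mece(TEAM_TEMPLATES, {r.ref for r in SAMPLE_ROWS}))
    print(validate_rows(SAMPLE_ROWS))
    for item in corrective_action_plan(SAMPLE_ROWS, REPORT_DATE):
        print(item)
    print(rating_summary(SAMPLE_ROWS))
```

Run as a script it prints the MECE findings (one double-mapped paragraph, one unmapped paragraph), an empty list of row problems, the three open CAP items with two of them overdue as of the constructed report date, and the count per rating. The same functions would take the real paragraphs of the regulation once they are parsed into rows.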
Below is an example of a gap analysis template. It is the OSFI template for doing a gap analysis against E21, OSFI's equivalent of the Basel Sound Management of Operational Risk.
You can download the entire spreadsheet.
Once a financial institution has established that the RMF/ECRG framework is complete, what mechanisms or processes can it use to verify that the framework is being implemented and executed correctly?
Aside from collecting compliant/partially compliant/non-compliant data, what other information should the institution collect for gap analysis? How can these data contribute to improving policies and standards?
Who will be responsible for completing the gap analysis?
It seems like, if it is an internal practice and this task is handled by the internal team, I would expect the internal team to try to paint a better picture than the reality.
I think the person/team completing this task shouldn't be biased, yet should be knowledgeable about the implementation process.