The Institute of International Finance (IIF) and the Global Financial Markets Association (GFMA) submitted a joint response letter to the Basel Committee on Banking Supervision’s (BCBS) Consultative Document “Revisions to the principles for the sound management of operational risk.” 

In the letter, the Associations welcome that some of the suggestions we raised with regard to the 2011 version of the Principles are reflected in this updated version, for instance a clearer distinction between the responsibilities of the board of directors and senior management and clarification on the three lines of defense. The introduction of a specific principle on information and communication technologies (ICT) risk management was also welcomed.

The following key messages are emphasized in the response letter:

• More clarity is needed on how the consultation is interlinked with the BCBS Consultative Document “Principles for operational resilience” since these two documents are overlapping in different items (for example on risk appetite, taxonomy, business continuity, tolerance thresholds). These concepts should be defined in the same way to avoid different interpretations or implementations;
• Across both documents, the role of the board of directors should be seen as to ensure that the overall Operational Risk Management Framework (ORMF) is established, approved, and periodically reviewed. Additionally, board of directors should oversee material operational risks and the effectiveness of key controls, while ensuring that senior management implements the policies, processes, and systems of the ORMF effectively at all decision levels;
• We also consider the principles too prescriptive and granular at times. The principles should ideally focus on materiality and provide institutions with the flexibility to tailor them to their respective organizations and the broader market convention in the region;
• Separately, the industry recommends that the BCBS clarifies what is the aim of the examples and that they are not exhaustive. We also suggest that in some cases clarity is provided to identify the principle behind the example but that the example may not present the only way to establish the controls;
• With regards to the broader benchmarking and comparative analysis, we recommend that the policymakers provide support in developing the appropriate benchmarks to facilitate comparative analysis. Supervisory expectations in terms of industry-wide standards should be limited until reliable and accepted benchmarks are in place;
• Discussion within our membership showed that some of the terminology is used differently across stakeholders and requires clarification in the guidelines; e.g. the difference between “event” and “incident” as well as terms such as “accountability” and “responsibility.” We suggest a simplification of some of the principles in favor of others, and cross-references between both sets of principles. It is also important to distinguish clearly between “risk appetite” and “tolerance” so that these concepts are not confused
• Additionally, it is crucial that regulatory requirements are harmonized to facilitate compliance and to avoid duplication and unnecessary overlap. Therefore, both set of principles should be linked with already existing international and regional practices and standards;
• In that sense, we consider any disclosure requirements on operational risk should be aligned within Pillar III Disclosure to ensure the comparability between different entities, being at the same time respectful with competitive and proprietary information. Disclosed information becomes more effective and meaningful when it is comparable avoiding inconsistent information across banks that may mislead users of information; and,
• We would also appreciate more clarity on how to use these Principles in parallel with the final Basel III package. In particular, while firms that use internal models broadly use a multitude of data sources to achieve better estimates of operational risks, the updated global standard only requires firms to compute a simplistic capital charge based on past loss events and a multiplier.