Definition of operational risk
Operational risk is the risk of a loss due to the failure to apply, or the fallibility of, internal processes, people and systems, or due to external events. Operational risk includes legal risk, but does not include reputation risk or business risk.
Purpose of operational risk management
The purpose of the Bank’s operational risk management is to keep operational risk at a secure level adequate to the activities, objectives, strategies and development of the Bank, and acceptable to the Bank’s Management Board and Supervisory Board.
Measurement and assessment of the operational risk
The Bank has in place a formalised operational risk management system to prevent operating events and incidents from occurring and to minimise losses if the risk materialises. Operational risk management encompasses identification, measurement and assessment of operational risk, management activities, and monitoring and control of risk at all levels: from the organisational units responsible for operational risk management in their areas and the Operational Risk Coordinators, through the Operational Risk Management Department and the Operational Risk Committee, to the Management Board and the Supervisory Board.
As part of the identification of operational risks, the Bank collects data on events and losses both at the Bank and at its subsidiaries. Measurement and assessment of operational risks are carried out using quantitative metrics (including calculation of internal capital for operational risk using the AMA model) and qualitative metrics (e.g. self-assessment of operational risks). The AMA model uses in-house and third-party data on operational events, the factors of the business environment and the Bank’s in-house factors, as well as the results of scenario analyses.
Measurement and assessment of the operational risk encompasses:
- Key Risk Indicators (KRI);
- target and limits;
- calculation of own funds requirements for operational risk – since 01/01/2018, the Bank has calculated the operational risk capital requirement in accordance with an advanced method (AMA) for the Bank, excluding its Romanian Branch, for which the standard method (TSA) is used;
- estimation of the Bank’s operational risk internal capital based on the output of the AMA model;
- stress tests;
- scenario analyses;
- operational risk self-assessment;
- determination of the extent to which operational risk limits have been used;
- valuation of actual and potential losses associated with identified operational events.
Operational risk measurement and reporting
The Operational Risk Management Department is responsible for ongoing supervision and strategic control of operational risk in the second line of defence. This organisational unit is responsible for, among other things:
- development and rollout of appropriate methodologies and instruments for operational risk management;
- monitoring of the own funds requirements for operational risk in accordance with the BIA approach for Alior Leasing, using the standardised approach (TSA) for the Romanian Branch and in accordance with the advanced measurement approach (AMA) for other activities at the Bank;
- providing opinions and consulting on operational risk assessment in projects, products and procedures (new and modified ones);
- monitoring of the level of internal utilisation of the operational risk target and limit, and taking managerial measures related to the occurrence of an increased or high level of operational risk;
- collecting high-quality data on events and their operational consequences;
- monitoring internal and external events;
- monitoring of the Bank’s operational risk level using tools, including key risk indicators (KRI), self-assessments, stress tests;
- preparing regular reports on the Bank’s operational risk levels.
All employees and organisational units of the Bank are responsible for monitoring and limiting operational risks in their daily work. The Bank’s employees control the level of operational risk on an ongoing basis in the processes they operate and proactively minimise the risks involved, taking all possible measures to avoid or limit operational losses. They are responsible for the ongoing registration of events and financial consequences within their respective areas of activity, they define and report Key Risk Indicators (KRIs) against tolerance levels for processes particularly exposed to operational risks, and they take an active part in the self-assessment process.
Tools for operational risk management
Operational risk management at Alior Bank is supported by the OpRisk IT system which, among other things, captures operational events and losses, and records the results of scenario analyses.
The Bank records operational events and consequences, which enables it to effectively analyse and monitor operational risks. To monitor operational risks and their changes, key risk indicators (KRI) are used, for which tolerance levels are defined.
The AMA approach is used for measuring the internal capital for operational risk. Based on the AMA approach, Alior Bank has built its proprietary statistical model used for the estimation of operational risk levels based on the Loss Distribution Approach (LDA).
On 14 February 2019, the Bank was authorised by the Polish Financial Supervision Authority to implement a significant expansion of the AMA approach by encompassing historical consequences of the acquired business of Bank BPH SA and for combined use by the Bank of:
- AMA approach – regarding Alior Bank SA’s activity taking into account historical consequences of Bank BPH SA’s business for the acquired separated part of BPH SA without the branch business in Romania,
- standardised approach regarding the Romanian Branch for the calculation of own funds requirements for operational risk since 14 February 2019.
The decision of 14 February 2019 also involved a consent for the Bank to maintain its own funds requirements using the AMA method at no less than 60% (previously 80%) of the requirements calculated based on the standardised approach.
The amount of gross operating losses recorded in 2019 for Alior Bank was within the adopted target and limit for the Bank’s operational risk.
In connection with the use of an advanced measurement approach (AMA) for operational risks, and to limit the risk of materialisation of rare but potentially severe operational events and in compliance with Article 454 CRR, the Bank purchased a number of insurance policies. These policies included, among others, coverage for: property (including electronic equipment), third-party liability, tax criminal liability, and professional liability.
The terms of particular policies are adapted to the scale and scope of risks. Such policies are not used as a mechanism to reduce the amount of own funds requirements for operational risk or a factor to mitigate the amount of internal capital for operational risk.