Overview
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems and external events. This definition includes legal risk but excludes reputational risk. The Bank recognises the significance of operational risk, which is inherent in all areas of our business. Operational risk is managed within acceptable levels through an appropriate level of management focus and resources.
Operational Risk Management Framework
FirstBank is committed to the management of operational risks. The Bank's operational risk management framework aims to:
- Reduce losses arising from operational risk – a key role of operational risk management in the Bank is to reduce losses from operational failure and, in particular, avoid potentially large or catastrophic losses;
- Improve performance measurement – the Bank's improved understanding of its operational risk profile shall enable appropriate allocation of risk and economic capital to individual lines of business which would allow improved performance measurement and evaluation of activities;
- Ensure better control of operations – the Bank expects that increased understanding of risk activities within various business units, the Board and senior management will lead to improvement in the control of operations and the emergence of a more proactive operational risk management culture;
- Provide early warning signals of deterioration in the Bank's internal control system; and
- Raise awareness of operational risk in the Bank from top to bottom through the implementation of an enterprise-wide operational risk approach.
Operational Risk Strategy
Failure to manage operational risk effectively often leads to significant financial losses, regulatory fines or sanctions, reputational damage, brand erosion or even the loss of banking licence, all of which directly impact shareholder value. Accordingly, the FirstBank operational risk strategy aims to minimise the impact of operational risk on its shareholder value. Specifically, the Bank's strategy is to:
- Reduce the likelihood of occurrence of unexpected events and related costs by managing the risk factors and implementing loss prevention or reduction techniques to reduce variation in earnings;
- Minimise the impact of unexpected and catastrophic events including related costs through risk financing strategies that support the Bank's long-term growth, cash flow management and balance sheet protection; and
- Make all managers responsible for the management of operational risk and thus minimise actual or potential losses. The Bank recognises that some losses, such as operational errors, are inevitable but it will ensure the consequent costs are kept within acceptable levels and potential losses are minimised.
In implementing this strategy, the Bank:
- Has put in place best practice operational risk management policies and procedures. These include toolkits to help identify, assess, control, manage and report on operational risk within the Bank;
- Ensures that roles and responsibilities are agreed and clearly understood by employees at all levels;
- Ensures that all staff in business and support functions are aware of their responsibilities for operational risk management;
- Considers the potential operational risk impact of its activities and products at the outset with a view to minimising these as far as possible;
- Has put in place structures and processes for reporting control failures to designated individuals and escalating material issues to EXCO and the Board Audit and Risk Assessment Committee;
- Ensures that staff are provided with appropriate operational risk management training that is commensurate with their roles;
- Establishes a workable business continuity plan (including disaster recovery and crisis management procedures) that minimises the impact of unexpected and catastrophic events on business operations and customer service;
- Minimises the financial impact of operational losses through management of risk factors and utilisation of insurance or other risk transfer strategies; and
- Ensures that staff responsibilities with respect to operational risk management are communicated through ongoing risk awareness workshops and management action.
Operational Risk Management Philosophy and Principles
The following philosophy and principles govern the management of operational risk in FirstBank:
- The Board of Directors is responsible for setting the operational risk strategy of the Bank and its implementation;
- The Board approves and periodically reviews the operational risk management framework;
- Operational risk management in the Bank is co-ordinated through a centralised and independent operational risk management function;
- Ownership, management and accountability for operational risk are decentralised to business and functional units;
- There are consistent standards for defining, evaluating, measuring, monitoring and reporting operational risk;
- The Bank's operational risk management practices are in line with Basel II;
- The Bank's operational risk management practices are subject to regular independent review by internal and external auditors;
- Operational risk management is governed by well-defined policies and procedures, which are clearly communicated across the Bank;
- Operational risk related issues are taken into consideration in business decisions including new product and process designs;
- Operational risk and loss events are reported openly and fully to the appropriate levels, once they are identified; and
- Adequate processes and systems for identifying, measuring, monitoring, reporting and controlling operational risks are being implemented by the Bank.
Organisation and Structure
The Bank's overall approach is to create and promote a culture that emphasises effective operational risk management, adherence to operating controls and acting in accordance with the Bank's policies. The management of operational risk in the Bank is undertaken at three distinct levels, each with clearly defined roles and responsibilities as follows:
Board and Board Committees
See Role of the Board of Directors and Board Committees
Senior Management
At the second level is a management function performed by the Risk Management Directorate. The Operational Risk Management Division has direct responsibility for formulating and implementing the Bank's operational risk management framework, including the methodologies, policies and procedures approved by the Board. The division works with the Bank's Internal Control and Internal Audit divisions to ensure that the day-to-day operations of the Bank are in line with the approved operational risk management policies.
The Operational Risk Management (ORM) Division is an independent risk management function within FirstBank. The prime responsibility for the implementation of the operational risk framework, as well as for day-to-day operational risk management, lies with the business divisions. Based on this business partnership model, the Division ensures close monitoring and high awareness of operational risk, which are driven across the Bank through training and strategic communication initiatives.
Monitoring and Managing Operational Risk
Several tools and techniques are deployed in managing operational risks in FirstBank. These tools and techniques incorporate risk identification, risk assessment, implementation of adequate control measures to reduce the impact of risks, risk monitoring and reporting. They include:
Delphi Sessions:
A type of Risk Self Assessment which provides for brainstorming sessions during which 'experts' (in this case, senior personnel in business units) identify, measure and analyse the risks inherent in business units, activities and products, and draw up controls aimed at reducing the risks. This is done in collaboration with Operational Risk Managers who coordinate the sessions.
Risk Control Self Assessment (RCSA):
Risk Control Self Assessment (also called Control Self Assessment or CSA) is a process whereby business areas identify and evaluate inherent risks, the level of control the area has over these risks, and action points for improvement.
The goals of the Delphi sessions and RCSA are to continuously assess changing market and business conditions and evaluate all operational risks impacting the business.
The self-assessment process assists in identifying emerging operational risk issues and determining how lines of business should be managed.
Key Risk Indicators (KRIs):
KRIs have been developed and are used to help identify trends and issues at both corporate and business unit levels.
Key Operational Risks
Major operational risks faced by the Bank are internal fraud and armed robbery. Each incident is analysed, control failures are identified and new controls are designed. The Bank is also investing in enhanced physical security and collaborating with the security agencies to improve protection of branches and staff. Key counter-measures put in place include:
- Enhanced staff training;
- Issuance of appropriate and deterrent circulars;
- Job rotation and segregation;
- Dissemination of email and SMS alerts to customers for every transaction on their accounts;
- Imposition of stiff disciplinary measures, including prosecution of fraudulent staff; and
- Installation of panic alarm systems, closed-circuit televisions (CCTVs), deadman's doors etc.
Role of Internal Audit and Internal Control in Operational Risk Management
Internal Audit
The role of Internal Audit is to:
- Provide independent assessment and evaluation of the Bank's operational risk management framework;
- Monitor that business units and support functions comply with the Bank's operational risk policies;
- Assess the adequacy of the Bank's Operational Risk measurement methodology;
- Assess the effectiveness of the Bank's risk management and control process for operational risk; and
- Conduct an independent assessment and evaluation of the risk in business units.
Internal Control
The Internal Control Division is responsible for evaluating and monitoring control activities as well as ensuring compliance with minimum control standards set in the framework. Other Internal Control activities include:
- Top-level review of appropriate activities and controls for branches and departments/divisions;
- Physical control and checking for compliance with the Bank's policies, including exposure limits and the system of approvals and authorisations; and
- Independent verification and reconciliation.