7.7 Operational risk


All companies including financial institutions are subject to operational risk because of the uncertainty inherent in all business undertakings and decisions. This risk can be broken down into business risk and event risk.

Business risk is the risk of ‘being in business’, which affects any enterprise, financial or non-financial. It is the risk of loss due to changes in the competitive environment that damage the business’s franchise or operating economics. Typically, the fluctuation originates with variations in volume, pricing or margins against a fixed cost base. Business risk is thus mostly externally driven (by regulatory, fiscal, market and or competition changes, as well as strategic, reputation risks and other related risks), but it can be mitigated by effective management practices.

Event risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal and compliance risk, but excludes strategic and reputation risk. Event risk is often internally driven (internal and external fraud involving employees, clients, products and business practices, as well as technological and infrastructure failures and other related malfunctions) and can be limited through management processes and controls.

7.7.1 Operational risk and management control

Central Risk Management has set up a framework for sound operational risk management and management control, covering all dimensions of operational risk. The operational risk and management control (ORMC) framework encompasses policies for the governance of operational risks, for the identification, assessment, measurement and reporting of those risks and for their mitigation. The embedding and use of the framework are assessed periodically.

The framework (described below) is fully implemented across all Banking businesses in compliance with Basel II requirements and will be implemented over time in an appropriate manner for the Insurance companies.

Operational risk and management control framework (graphics)

This framework helps the organisation to increase operational risk awareness, monitor operational risk effectively and measure the operational risk profile and associated own fund requirements. To enable such a high-level approach, an all-encompassing Risk Management Organisation and an appropriate Risk Management/Mitigation Policy have been consistently implemented for the entire bank, at legal entity, business and country level. Global, local and country operational risk managers have been assigned to all bank-related businesses (including support functions) and main countries.

Each business and legal entity thus complies with the methodology and associated tooling, or has integrated its business approach into that framework. Key elements of responsibility allocation include the following:

  • at business level: the business has prime responsibility for managing and mitigating operational event risks in its international operations. Adequate risk management requires the embedding of risk management procedures in the lower echelons of the organisation (on-site).
  • at country/legal entity level: the country/legal entity is responsible for local coordination and support of risk management mitigation initiatives, coordination across businesses of the management and mitigation of event risk exposure, communication with regulators and supervisors and reporting to its Country Risk Committee or Country Management Team.
  • at group level: Central Risk Management ensures that operational event risks are assessed, measured and managed across the Banking businesses, and coordinates reporting to the appropriate risk committees (notably the Operational Risk Policy Committee) and the management committees of the businesses and the bank.

7.7.2 Operational risk assessment, measurement, reporting and monitoring

For the effective and efficient identification and management of operational risks, the following tools and techniques are used:

  • Loss Data Collection: since 2001, the businesses have continuously collated loss data, including causal information, in a central loss database. Central operational risk management monitors the quality, completeness and timeliness of the collated information in a quarterly report and analysis.
  • Risk Assessments are conducted periodically at the businesses and support functions to ensure a forward-looking view on the operational risk profile. This consists of a bottom-up risk self-assessment aiming at identifying, assessing and measuring the operational risks in the organisational and process context. Top-down scenario analysis supplements the risk profile with the more systemic and ‘low frequency/high impact risks’ the organisation is exposed to. Central operational risk management ensures the objectivity and comprehensiveness of the risk assessments by means of an in-depth quality review and results benchmarking with internal and external loss data profiles.
  • Key Risk Indicators are tracked in order to identify any apparent changes in the organisation’s operational risk profile due to organisational changes or changes in the business environment. They trigger re-assessments of the operational risk profile and ensure the organisation’s responsiveness to a changing environment as well as a level of own funds that is in line with a changing operational risk profile.
  • Own fund requirements are calculated at central level using a model that complies with the criteria set by the advanced measurement approaches (AMA). Risk Assessment results are used as the primary input to ensure the level of own funds is in line with the organisational and business environment. Centrally calculated own fund requirements are allocated to the legal entities of the group and to the businesses using a risk-sensitive allocation mechanism based on stand-alone operational risk profiles.

Operational event risk-related information is reported, according to defined reporting lines, to various risk management units, e.g. risk management departments and committees at business and country level, to Central Risk Management and to the Operational Risk Policy Committee. Managers use that information to control their operational risk profile.

7.7.3 Operational control and mitigation

Fortis has a variety of tools to control and mitigate operational risk. Risk assessments, loss data analysis and key risk indicator movements enable the formalisation of actions to further control operational risks. These actions often relate to organisational and process context. Centrally coordinated operational risk mitigation techniques are business continuity management, information security measures, insurance and management control statements.

7.7.3.1 Business continuity management

Business continuity management (BCM) is a management process that identifies potential threats to an organisation and the impacts on business operations that those threats, if realised, might have, and that provides a framework for building organisational resilience with the ability to make an effective response that safeguards the interests of its stakeholders, reputation, brand and value creating activities.

As a financial services organisation, Fortis acknowledges the importance of BCM. It describes its approach in the Fortis BCM policy document. This is based on international regulations and best practice guidelines as issued by:

  • The Basel Committee on Banking supervision: High Level Principles for Business Continuity
  • The Business Continuity Institute: Good Practice Guidelines (BCI GPG)
  • The British Standards Institute (see note 11).

The scope of BCM at Fortis is:

  • Internal: Fortis in all its dimensions (i.e. all Fortis businesses and support functions, all countries, all Fortis legal entities and subsidiaries)
  • External: any third parties that process Fortis information or provide other vital services or products that support mission-critical Fortis services (external outsourcing).

The Fortis BCM approach entails the following steps:

Business continuity management embedded in the Organisation culture (graphics)

The Fortis BCM approach must be embedded in the organisational culture and be implemented and maintained by BCM programme management, appropriate to the nature, size and complexity of the respective Fortis Businesses to which it applies.

Information about the organisation’s critical services, and about the activities and resources required to deliver those services, is subjected to business impact analysis and risk analysis in order to understand what is happening within the organisation.

When determining the BCM options and strategy, a range of strategic and tactical options is evaluated. This allows an appropriate response to be chosen for each critical service, so that Fortis can continue to deliver these services at an acceptable level of operation during and following any disruption. The choices take account of the resilience and countermeasures already present at Fortis.

These actions result in the creation of a BCM response including plans that detail the steps to be taken to resume activities before, during and after an incident.

Business Continuity Plan (graphics)

Lastly, Fortis needs to be able to demonstrate that its strategies and plans are effective, credible and suitable for their purpose by exercising, testing and self-assessing the BCM response.

7.7.3.2 Information security

To Fortis, as a financial services firm, information is critically important. Financial services are knowledge- and information-intensive, and reliable information is essential to Fortis’ success. Information must thus be protected continuously and appropriately against a wide range of threats. Fortis does this by establishing a structured information security approach to assure the confidentiality, integrity and availability of information.

The Fortis Information Security Policy defines the organisational framework, management and staff responsibilities and the information security directives that apply throughout the Fortis group and to third parties with whom Fortis exchanges information. Furthermore, Fortis derives specific information security controls from existing international best practices such as ISO/IEC 27001 and ISO/IEC 17799:2005.

Businesses and support functions pursue the Fortis Information Security Policy on a ‘comply or explain’ basis. Responsibility for the design and implementation of information security is delegated to the Operational Risk Policy Committee (OPC). The strategy for implementing the policy utilises existing best practices at Fortis as much as possible.

The OPC has specifically appointed an Information Security and Business Continuity Steering Committee, comprising senior managers from the businesses and support functions, to steer policy implementation at strategic level. Fortis achieves this by setting up several key group-wide projects to drive information security (e.g. identity management, business continuity and security awareness).

7.7.3.3 Risk transfer through insurance

Fortis recognises insurance as a valid tool to transfer the effects of operational risk to the external market. CRM coordinates this insurance centrally, and more precisely handles the transfer of specific event risks such as financial losses due to fraud, computer crime, professional liability and personal liability.

In line with industry practices, Fortis purchases the following insurance policies from third-party insurers:

  • Combined Bankers Blanket Bond, Computer Crime and Professional Liability Insurance
  • Directors and Officers Insurance.

In addition to this external insurance cover, Fortis uses internal reinsurance captives to finance operational risks. In this way the deductibles of the external Combined Bankers Blanket Bond, Computer Crime and Professional Liability Insurance are reinsured as risk retention by an internal captive.

7.7.3.4 Management control statements (MCS)

While operational risk management focuses mainly on operational event risks, management control is mostly concerned with business risk (including strategic and reputation issues). However, operational risk management and management control are interrelated:

  • methods of risk assessment, control assessment and remediation of weaknesses are similar
  • results of the operational (event) risk self-assessments serve as input for the risk assessment performed by senior management, as part of the annual management control statement procedure that is coordinated by CRM.

Management teams sign their management control statements and formulate action plans (if necessary) to improve steering/control. CRM coordinates reporting on the follow-up to those action plans. The MCS is an attestation, every year-end, of the functioning of the risk management and internal control system during the year. The MCS process covers the whole of Fortis (including Insurance and non-AMA legal entities).

11) The Publicly Available Standard 56: Guide to Business Continuity (PAS 56) and the Standard BS25999-1: Code of Practice for Business Continuity Management.
