8. Operational risk

Operational risk is an integral part of doing business. Operational Risk Management (ORM) within Rabobank is aimed at having a healthy balance between the exposure to these risks and the tools to manage them. The objective of ORM is to identify, measure, mitigate and monitor operational risk, and to promote risk awareness and a risk culture within Rabobank. Risk quantification and awareness help the management in charge to set priorities in their actions and to allocate people and resources.

Within Rabobank, operational risk is defined as the risk of losses resulting from inadequate or failed internal processes, people and systems or from external events, including potential reputational consequences.

8.1 Operational Risk Management framework

Rabobank Group has applied the Advanced Measurement Approach (AMA) to calculate operational risk capital requirements. The current version of Rabobank's capital model has been in use since January 2013. Incremental changes take place continuously to safeguard alignment of the model. The operational risk model of Rabobank includes the following elements: internal data; external data from a consortium; scenario analyses; and business environment and internal control factors (BEICFs). The option to reduce capital requirements through insurance mitigation or other risk-transfer instruments is currently not used.

The internal loss data is captured from the mandatory reporting on operational losses over 10,000. Incident reporting is signed off by management and validated by the Non-Financial Risk department (NFR) for quality assurance. Internal loss data is used in the capital model for defining frequency distributions and for calculating capital per entity.

The external loss data is based on quarterly reports from a data consortium that specialises in operational risk loss data collection. External loss data is reviewed for relevance and suitability for the Rabobank organisation before being added to the capital model. Consortium data is used in the capital model for defining severity distributions.

Rabobank has developed a number of loss scenarios which are used to substantiate and benchmark the model based on internal and external historical data. An example is a fraud-related scenario, which estimates the probability and impact for Rabobank of the execution of unauthorised transactions.

BEICFs are based on reports available at group level or from the entities. BEICFs are gathered annually using multiple risk identification methods. The BEICFs are used in the capital model as an incentive to complement the modelled capital. Rabobank uses the following BEICFs: Business Environment and Internal Control factor assessments at group level; the scenario program at group level (as stated above); risk and control self-assessment at entity level; and indicators for key risks and controls at entity level.

A schematic overview of Rabobank's capital model is presented in Figure 3.

Managing operational risks (EDTF 31)

The Non-Financial Risk Committee (NFRC) is responsible for ratifying the operational risk policy and its parameters at Rabobank Group level. As from 2016, NFR policies will be approved by the Executive Board. The primary responsibility for the management of operational risk lies within the business, as it should be fundamentally woven into their strategic and day-to-day decision-making. Within the group entities, risk management committees have an important role in identifying and monitoring the operational risks of the entity. These responsibilities are supported by Risk Management, which provides oversight, tools, expertise and challenge to the group entities and transparency throughout the Group and towards senior management. In addition, NFR reports quarterly to the RMC Group on developments in group-wide operational losses.
Rabobank Annual Report 2015
