8. Operational risk
Operational risk (OpRisk) is an integral part of doing business. Operational Risk Management (ORM)
within Rabobank is aimed at having a healthy balance between the exposure to these risks and tools
to manage these risks.The objective of ORM is to identify, measure, mitigate and monitor operational
risk, and promote risk awareness and a healthy risk culture within Rabobank. Risk quantification and
awareness helps management set priorities in their actions and allocate people and resources. Within
Rabobank, operational risk is defined as the risk of losses resulting from inadequate or failed internal
processes, people and systems or from external events, including potential reputational consequences.
8.7 Operational Risk Management framework
Inhoudsopgave Voorwoord Bestuursverslag Corporate governance Consolidated Financial Statements Company Financial Statements Pillar 3
Rabobank Group has applied the Advanced Measurement
Approach (AMA) to calculate operational risk capital
requirements. The current version of Rabobank's capital model
has been in use since January 2013. Incremental changes take
place continuously to safeguard alignment of the model.
The operational risk model of Rabobank includes the following
elements:
Internal data;
External data from consortium;
Scenario analyses; and
Business environment and internal control factors (BEICFs).
The option to reduce capital requirements through insurance
mitigation or other risk-transfer instruments is currently
not used.
The internal loss data is captured from the mandatory reporting
on operational losses of 10,000 euro and higher. Incident
reporting is signed-off by management and validated by the
Operational Risk function of the entity for quality assurance.
Internal loss data is used in the capital model for defining
frequency distributions and for calculating capital per entity.
The external loss data is based on quarterly reports from
a data consortium that specialises in operational risk loss data
collection. External loss data is reviewed on relevance and
suitability for the Rabobank organisation before being added to
the capital model. Consortium data is used in the capital model
for defining severity distributions.
Rabobank has developed a number of loss scenarios which
are used to substantiate and benchmark the model based on
internal and external historical data. An example is an external
fraud related scenario, which estimates the probability and
impact for Rabobank of the execution of unauthorised
transactions.
BEICFs are based on reports available at Group level or from
the entities. BEICFs are annually gathered using multiple risk
identification methods. The BEICFs are used in the capital model
as incentive to adjust the modelled capital. Rabobank uses the
following BEICFs:
Business Environment and Internal Control factor assessments
at Group level;
Scenario programme at Group level (as stated above);
Risk and control self-assessment at entity level; and
Indicators for key risks and controls at entity level.
347 8. Operational risk