Operational risk
EDTF 31
Rabobank defines operational risk as the risk of losses caused by inadequate or failing internal
processes, people or systems or by external events. In assessing and addressing operational risk,
allowance is also made for potential legal and reputational risks. Rabobank Group operates
within the frameworks of the Basel II Advanced Measurement Approach as regards measuring
and managing operational risk.
The operational risk policy is based on the principle that the primary responsibility for
managing operational risk rests with the Group entities and should be part and parcel of the
strategic and day-to-day decision-making process. The objective of operational risk
management is to identify, measure, mitigate and monitor operational risk. Risk quantification
helps the management in charge to set priorities in their actions and to allocate people and
resources.
To implement this, Rabobank applies the three-lines-of-defence model. The Group entities are
the first line of defence and bear full responsibility for daily risk acceptance and comprehensive
risk management and risk mitigation within the set risk appetite. The second line of defence is
formed by the risk management functions at entity level and Risk Management. The Group
entities' risk management functions advise on risks and challenge the first line of defence on
how to manage risks at the entity level. Risk Management is responsible for the Group-wide risk
policy and challenging the Group entities and local risk management functions on their risk
management. The internal audit functions at Group and entity level make up the third line of
defence.
The Operational Risk Committee is responsible for defining operational risk policy and its
parameters at Group level. In addition, Risk Management reports on developments in Group-
wide operational risks once every quarter. Within the Group entities, risk management
committees have been established to identify, manage and monitor, among other things, the
operational risks, including system continuity and fraud risks, of the relevant entity.
The Group entities perform a Risk Self-Assessment. In doing so, they identify key operational
risks and mitigating measures if the risks are outside the risk appetite. This process is facilitated
by Risk Management and the outcome is fed back at Group level to the Operational Risk
Committee. In addition, Risk Management annually coordinates scenario analyses with senior
managers throughout Rabobank Group to provide an understanding of the Group's risk profile.
103 Rock-solid bank: risk management