8. Operational risk
Operational risk is an integral part of doing business. Operational Risk Management (ORM) within
Rabobank is aimed at having a healthy balance between the exposure to these risks and tools to
manage these risks.The objective of ORM is to identify, measure, mitigate and monitor operational
risk, and promote risk awareness and a risk culture within Rabobank. Risk quantification and awareness
helps the management in charge to set priorities in their actions and to allocate people and resources.
Within Rabobank, operational risk is defined as the risk of losses resulting from inadequate or failed
internal processes, people and systems or from external events, including potential reputational
consequences.
8.1 Operational Risk Management
framework
Contents Management report Corporate governance Consolidated financial statements Financial statements
Rabobank Group has applied the Advanced Measurement
Approach (AMA) to calculate operational risk capital
requirements. The current version of Rabobank's capital model
has been in use since January 2013. Incremental changes take
place continuously to safeguard alignment of the model.
The operational risk model of Rabobank includes the following
elements:
Internal data;
External data from consortium;
Scenario analyses; and
Business environment and internal control factors (BEICFs).
The option to reduce capital requirements through insurance
mitigation or other risk-transfer instruments is currently
not used.
The internal loss data is captured from the mandatory reporting
on operational losses over 10,000. Incident reporting is
signed-off by management and validated by the Non-Financial
Risk department (NFR) for quality assurance. Internal loss data
is used in the capital model for defining frequency distributions
and for calculating capital per entity.
The external loss data is based on quarterly reports from
a data consortium that specialises in operational risk loss data
collection. External loss data is reviewed on relevance and
suitability for the Rabobank organisation before being added to
the capital model. Consortium data is used in the capital model
for defining severity distributions.
Rabobank has developed a number of loss scenarios which
are used to substantiate and benchmark the model based
on internal and external historical data. An example is a fraud
related scenario, which estimates the probability and impact for
Rabobank of the execution of unauthorised transactions.
BEICFs are based on reports available at group level or from
the entities. BEICFs are annually gathered using multiple risk
identification methods. The BEICFs are used in the capital
model as incentive to complement the modelled capital.
Rabobank uses the following BEICFs:
Business Environment and Internal Control factor assessments
at group level;
Scenario program at group level (as stated above);
Risk and control self-assessment at entity level; and
Indicators for key risks and controls at entity level.
A schematic overview of Rabobank's capital model is presented
in Figure 3.
Managing operational risks
edtf 31 The Non-Financial Risk Committee (NFRC) is
responsible for ratifying the operational risk policy and
its parameters at Rabobank Group level. Approval of NFR
policies will be done by the Executive Board as from 2016 on.
The primary responsibility for the management of operational
risk lies within the business, as it should be fundamentally
woven into their strategic and day-to-day decision-making.
Within the group entities, risk management committees have
an important role in identifying and monitoring the operational
risks of the entity. These responsibilities are supported by Risk
Management, which provides oversight, tools, expertise and
challenge to the group entities and transparency throughout
the Group and towards senior management. In addition, NFR
reports quarterly to the RMC Group on developments in group
wide operational losses.
352 Rabobank Annual Report 2015