Operational risk is defined as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. Operational risks are not actively sought and have no direct material upside in terms of return/income generation, yet operational incidents are inherent to doing business. Operational incidents can result in non-compliance with applicable (internal and external) standards, in financial losses or misstatements in the financial reports. Operational incidents – including those related to information security and personal data breach – are identified and assessed and mitigating controls are evaluated and where applicable implemented. FMO has defined risk appetite levels for the following risk metrics:
Operational incidents (P&L impact)
Misstatements in financial reporting (P&L impact)
FMO has an operational risk framework in place that supports and governs the process of identifying, measuring, mitigating, monitoring and reporting operational risks, and that aims at keeping operational risks within the operational risk profile. This framework is in line with The Principles for Sound Operational Risk Management and is aligned with the Enterprise Risk Management model of COSO (Committee of Sponsoring Organisations of the Treadway Commission). FMO aims to manage operational risk in a cost-effective way.
Operational risks are managed and monitored in accordance with the three Lines of Defense governance principle. Management of the first Line of Defense is primarily responsible for managing risks and embedding risk management in the day-to-day business processes. The first line acts within the risk management framework and supporting guidelines defined by the specialized risk departments and committees in the second Line of Defense. Internal Audit, in its role as the third Line of Defense, provides independent assurance on the effectiveness of the first and second lines.
Despite all preventive measures, operational incidents and/or operational losses cannot always be avoided. FMO systematically collects incident information and analyses such events in order to take appropriate action. Operational risks resulting from new products or activities are assessed in FMO’s Product Approval and Review Process.
Operational risk management also encompasses the domains of Information Security and Business continuity management.
Information is one of the bank’s most valuable assets. In recognition of the importance of protecting the bank’s information and its associated assets, such as systems and infrastructure, FMO has established a structured information security approach to ensure the confidentiality, integrity and availability of information. This approach defines the organizational framework, responsibilities and information security directives that apply to FMO, its vendors and third parties with whom the bank exchanges information.
Business continuity management ensures the organizational resilience of FMO and its ability to respond effectively to threats, thus safeguarding stakeholders’ interests and the organization’s reputation.
Once a year, Directors review the strategy and business/strategic objectives from a risk perspective. Based on these Risk and Control Self-Assessments, Directors sign an internal In Control Statement at the end of each year, which sets the foundation for the management declaration in the Annual Report.