Directors routinely receive materials, often in the board packet, reporting on all aspects of a bank’s operations, including credit, liquidity and market risk (collectively called portfolio risks). It is no less important for the board to receive regular reports on operational risk. However, unlike portfolio risk monitoring reports, which focus largely on quantitative measures, such as non-performing loans, liquidity gaps, and income and capital at risk, many operational risk-related reports tend to focus more on qualitative matters.

As a board member, it can be very helpful to be aware of controls and indicators of operational risk incidents. These include:

1. Management assessment of internal controls over financial reporting
1. The Sarbanes-Oxley Act of 2002 requires that the financial statement of publicly traded companies include an internal controls report on financial reporting.
2. For more information, review the applicability of Sarbanes-Oxley and additional details on reporting requirements.
2. Risk assessment reports
1. These reports specify management’s view of the inherent risks in a bank’s individual activities and controls to mitigate those risks.
2. For more information, review Internal Controls in the Meeting Materials.
3. Suspicious Activity Reports (SARS)
1. This required report must be filed with the Financial Crimes Enforcement Network when a bank believes it is the victim of a suspicious activity.
2. For more information, review the SARS Tool in the Meeting Materials.
4. Key Risk Indicators
1. Key risk indicators are measures of the risks associated with activities and their possible future impact.
2. For more information, review the Key Risk Indicators in the Meeting Materials.

Because a significant part of a bank’s operational risk control is accomplished through its internal controls process, the principle concern is whether the process is appropriate (in terms of effectiveness and efficiency) for the risk in the bank’s activities. Traditionally, this assessment is a job assigned to internal and external audit; for more information, review The Internal Audit Function.

In general, audit assesses the adequacy, appropriateness and adherence to a bank’s system of controls. Consequently, audit helps identify control weaknesses that deserve management’s attention, making audit reports an important monitoring tool. For more information on audit reports, review Reading Audit Reports. It is equally important for the board to ensure that management addresses weakness found and to track management’s progress in correcting those weaknesses.

Regulatory reports of examination, both safety & soundness and compliance, also contain helpful information on the bank’s operational risks. The regulatory agencies review bank management systems, processes and procedures during the course of their examinations. In some instances, they may go so far as to perform an in-depth review of the processes underlying some of the bank’s inherently risky activities, such as wire transfer, loan administration and securities. Where they find weaknesses in internal controls, bank examiners will comment on them and bring them to the attention of management and the board.

Although there are other monitoring tools, a final one is reminiscent of an old management tool called the “walk-about manager.” Being a walk-about board member can be a highly effective monitoring tool, especially in smaller banks. This monitoring approach entails informally visiting with and observing personnel in the bank’s high-risk areas and asking questions about what you see.

Some questions that can be helpful for a walk-about board member to ask include the following:

• What do you do? And why?
• Do you see any control gaps that need to be filled?
• Do you have any suggestions on how to fill identified gaps?
• Have you noticed anything unusual occurring in your department?

Later, compare your notes with the bank’s written policies and procedures. This can be a time-consuming process, but it forces you to become more knowledgeable about these and other controls and makes them more real by observing and hearing how they are implemented. Ultimately, this increases understanding of audit reports and other monitoring data that you are likely to review.

In summary, operational risk requires regular monitoring, and banks accomplish this in a variety of ways. Audit reports and commercial bank examination reports are two important monitoring tools. Suspicious activity report reviews, key risk indicators, and exception report reviews provide insight into the bank’s operational risks and emphasize concerns which need to be monitored further. Finally, firsthand knowledge from conversations with bank personnel who work in the bank’s high-risk activities increases understanding of risk management processes in those areas. It’s also helpful in interpreting audit reports and additional information provided by other operational risk monitoring tools.