Operational risk management in financial institutions: Process assessment in concordance with Basel II

The improvement of banks’ operational risk management frameworks concerns new requirements addressed in the Basel II Framework, a new capital adequacy regulation proposed by the Basel Committee on Banking Supervision (BCBS). Basel II will apply to internationally active banks and to all banks and investment firms in the EU via transposition of a new Directive into national regulations. By doing so, the national financial supervisory authority (CSSF )in Luxembourg, and a public research center (CRPHT) have engaged in a joint research project that investigates solutions conformant to ISO/IEC 15504 for assessing operational risk management frameworks implemented in banks. The ISO/IEC 15504 requirements can meet the CSSF’s expectation on consistent, transparent and sound risk assessments, as well as the expectation on promoting enhancements in institutions’ risk management practices without dictating the form or operational detail of their policies and practices. Moreover, although the domain is largely outside the scope of software and systems engineering, the ISO/IEC 15504 process assessment standard provides for an adequate solution to the so-called supervisory review process. This adequacy is validated through the structure of Basel II and financial domain requirements. Last but not least, we will show that ISO/IEC 15504 provides an adequate approach to assessing institutions in two sub-domains, namely the domain of credit operational risk management and the domain of IT risk management (including IT security risks management).