16.6.2012   

EN

Official Journal of the European Union

C 173/1

BCM

Business Continuity Management

BCP

Business Continuity Plan

BIA

Business Impact Analyses

BIS

Bank for International Settlements

BPH

Business Practice Handbook

CBPP

Covered Bonds Purchase Programme

CRO

Chief Risk Officer

D-CO

Directorate Communication

DG-A

Directorate-General Administration

DG-H

Directorate-General Human Resources, Budget and Organisation

DG-IS

Directorate-General Information System

DG-M

Directorate-General Market Operations

DG-P

Directorate-General Payment Systems

DG-S

Directorate-General Statistics

EB

Executive Board

ECB

European Central Bank

ESCB

European System of Central Banks

FOS

Financial Operation Services

GIPS

Global Investment Performance Standards

IAS

International Accounting Standards

IASB

International Accounting Standards Board

IFRS

International Financial Reporting Standards

INV

Investment division

MOS

Market Operations Systems

NCBs

National Central Banks

OFM

Own Funds Management

ORC

Operational Risk Committee

ORM

Operational Risk Management

RMA

Risk Management Division (of DG-H)

SMP

Securities Markets Programme

VaR

Value at Risk

1.

The European Central Bank (ECB) and the national central banks of all European Union (EU) Member States together constitute the European System of Central Banks (ESCB). The primary objective of the ESCB is to maintain price stability. The ESCB also supports the general economic policies of the EU with a view to contributing to the achievement of the EU’s objectives (1). For this purpose, the ECB carries out the tasks specified in its Statute (2) and is responsible for managing its activities and finances.

2.

The European Court of Auditor’s (the Court) audit of the operational efficiency of the ECB is based on Article 27(2) of the Protocol on the Statute of the ESCB and of the ECB (3). The 2010 audit covers the risk management procedures and systems established by the ECB and their application.

3.

The decision-making bodies of the ECB are the Governing Council and the Executive Board (4). The Executive Board implements monetary policy in accordance with the guidelines and decisions laid down by the Governing Council (5) and has overall responsibility for the management of the day-to-day business of the ECB and its resources. The Executive Board is also ultimately responsible for risk management at the ECB.

4.

Risks are managed through two separate frameworks at the ECB. The operational risk management unit (ORM (6)/BCM) covers all operational risks (see footnote 22) including business continuity. The Risk management division (RMA) deals with the financial risk management (see paragraph 70), including the ECB’s investment activities and credit operations.

5.

The objective of the Court’s 2010 financial year audit was to assess the adequacy of the ECB’s operational and financial risk management framework (7). The risk management at the ECB was assessed in terms of the following key audit questions:

6.

The audit of the risk management of the ECB (8) included the following elements:

7.

The ECB’s stated ambition is to apply best practice in its risk management: ‘The European Central Bank placed, from the very beginning, particular attention to risk management. As a new member of the central bank community, it had the ambition of fulfilling the highest governance standards in organising its risk management function within the institution and applying state-of-the-art tools’ (10).

8.

‘A strong institution-wide risk culture is one of the key elements for effective risk management. One of the prerequisites for creating this risk culture is the establishment of a comprehensive (covering all risk types, business lines and relevant risks) and independent risk management function under the direct responsibility of the Chief Risk Officer (CRO), or the senior management if a CRO is not appointed, following the principle of proportionality’ (11).

9.

At the ECB each organisational unit (12) is responsible for managing its own risks and controls. Two functions/divisions support organisational units in the risk management process:

10.

As a support to the Executive Board’s (EB) decision-making, several committees have been set up which deal with various aspects of risk management, including the Operational Risk Committee, Investment Committee, Assets and Liabilities Committee and Credit Committee.

11.

There is a comprehensive organisational structure with clearly assigned roles and responsibilities. However, there is a strong demarcation between the management of financial and operational risks in the ECB which increases the risk that the view of the Bank wide exposures might not be comprehensive.

12.

No independent, single, body, such as a Chief Risk Officer or overall risk management committee, has been set up between the EB and the two risk function/units, ORM/BCM and RMA. At the time of the audit the EB member charged with risk management also had a number of other areas of responsibility, whereas a CRO would solely concentrate on risk management.

13.

Furthermore, the lack of a hierarchically independent risk management function increases the risk that insufficient priority is given to risk management issues, e.g. allocation of staff resources to risk management tasks, as such matters are subject to DG-H decisions.

14.

A review of best practices in other similar international organisations has shown that the Bank of Canada has adopted an integrated risk management framework, including a Chief Risk Officer and a risk management working group. Both deal with establishing a comprehensive risk profile for the Bank that includes business, operational and financial risks as described in Box 1. The Bank’s risk management framework is fully embedded within its strategic planning, budgeting and year-end performance evaluation processes.

Box 1

An example of integrated risk management — Bank of Canada

The Chief Risk Officer has the following responsibilities:

The Risk Management Working Group has the following tasks:

15.

16.

The ECB publishes an annual report, including the annual accounts and the accompanying disclosure notes (16). The information about risk management in the annual accounts is rather limited and the information about the ECB’s risk management principles and figures is not publicly available (except for the consolidated value at risk (17) (VaR) figure). The annual report of the ECB contains brief information about certain risk management issues but does not disclose an overview of the risk management process in the organisation, the risks faced as well as the management’s approach to those risks.

17.

The use of International Financial Reporting Standards (IFRS) (18) is best practice in presenting an entity’s accounts. The IFRS 7 ‘Financial instruments disclosure’, deals with the presentation of the risks faced by an organisation in its accounts, however, it has not been applied by the ECB.

18.

Other international or national central bank organisations such as the Bank for International Settlement (BIS) and the Bank of Canada disclose, in their annual financial statements, risk management information even though one of them does not apply IFRS (see Box 2 below).

Box 2

Illustration of application of risk management disclosures

19.

Business continuity management complements the ECB’s operational risk management (ORM) framework, and both form an important element of corporate governance (20).

20.

An effective operational risk management framework includes clear strategies and oversight by the board of directors and senior management, a strong operational risk culture and internal control culture (including clear lines of responsibility and segregation of duties) and effective internal reporting.

21.

To assess the management of operational risks at the ECB the Court examined:

22.

23.

The operational risk management framework of the ECB was approved by the Executive Board in October 2007 (21) and is described in the Business Practice Handbook (BPH) published on the intranet and available to all staff. It outlines the ECB’s ORM definition (22), risk tolerance policy, roles and responsibilities as well as outlining the policies for assessment, response and reporting and monitoring.

24.

The ORM policies established provide a clear bank-wide definition of operational risk and lay down the policies outlining the Bank’s approach to assessing, monitoring and controlling/mitigating the risk. However, the BPH does not provide details of the Bank’s approach to identifying risks.

25.

26.

The EB is ultimately responsible for operational risk management at the ECB. The Operational Risk Committee (ORC) deals with strategic and medium-term topics, as well as relevant short-term and ad-hoc topics (23). The committee consists of EB member (Chairman) and seven senior managers of the Bank (24). It has decision-making powers for risk acceptance at medium level whereas high-level risks must always be accepted by the EB. Meetings are held every two months or more frequently if needed.

27.

The BPH clearly outlines the business areas as responsible for managing their operational risks (25). Accordingly, each business area should nominate (at least) one risk coordinator who supports business area managers in ORM and acts as the first point of contact in ORM matters within the business area. Business area managers are also responsible for ensuring that staff gain and maintain the necessary competences to assume responsibility and accountability as regards ORM. The ORM/BCM function should develop and maintain the ORM framework and coordinates the business areas approach to ORM.

28.

Of eight staff in the ORM-BCM function only four were permanent employees at the time of the audit. The others were on secondment from national central banks or on fixed-term contracts of three months to two years. This means that there is a high staff turnover which leads to a loss of continuity in an important function and increases the risk of the ORM framework not being adequately implemented in the ECB.

29.

The awareness of staff of the ORM framework was included in staff surveys in 2009 and 2010. The 2009 survey showed that approximately 40 % of the respondents said they did not receive enough information about ORM; 56 % did not know who was appointed risk coordinator of their business area and 45 % did not know where to find information about ORM on the intranet. In the 2010 survey 40 % still did not know where to find information about ORM.

30.

31.

An important part of establishing the ECB’s risk profile is the annual assessment of operational risks conducted by the business areas and the ORM/BCM function. The assessments for 2009 were carried out by the business areas in June to August 2009 and a calibration meeting took place afterwards with the risk coordinators. The top-down report was finalised in January 2010.

32.

The risk profile should be one of the inputs to the strategic planning process, which in turn drives the financial plan. The audit showed, however, that there is no integration of the annual assessment of operational risks and the strategic and financial planning cycle of the ECB. Therefore, ORM runs the risk of becoming an isolated exercise, and the financial plan may not be directing resources appropriately to achieve strategic goals (26).

33.

An example of good practice is the Bank of Canada where the risk profile of the bank is an integrated part of the overall strategic and financial planning cycle of the bank (27).

34.

35.

The ORM framework has been implemented mainly by top-down assessments. According to the risk policy of the ECB the business areas should also continuously perform bottom-up assessments of business area processes and the risks identified should be approved (28).

36.

The ECB has conducted top-down risk assessments in 2008 and 2009. The ORM/BCM function provided the business areas with some pre-defined high-level risks which was the basis for their risk assessments. In the final report an action plan for each of the business areas was included. The BPH requires that the business areas should analyse and define risk response strategies and conduct a cost-benefit analysis of possible solutions.

37.

All business areas had identified risks and responses in relation to the 2009 top-down exercise. The 2009 top-down assessment report contained follow-up action points for each business area. However, no cost-benefit analyses were documented in the sampled business areas.

38.

For some risks the acceptance procedure by the ORC/EB was very slow after the risk was identified by the business area. For example, two risks identified in July-August 2009 were still not approved as of December 2010. The list of open action points reviewed at the ORC meetings also shows that some remained open for more than one year and some for up to two years.

39.

For only three out of six sampled business areas was it possible to identify specific resources allocated to the ORM-activities in their work programme, but the description of ORM activities was vague and it was not possible to trace the action points from the 2009 ORM top-down exercise to the business area work programmes.

40.

Business continuity management (BCM) is a significant component of operational risk management. It requires contingency and recovery plans for the worst case scenarios to ensure continuity of critical activities and processes should a crisis occur.

41.

The Court examined whether:

42.

Business continuity management is an overall business approach that includes policies, standards and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption  (29).

43.

The purpose of BCM is to ensure that the business continuity arrangements and solutions comply with the ECB’s objectives, obligations, statutory duties and the ECB’s risk tolerance policy (30).

44.

The audit included a review of the key documents constituting the BCM framework:

45.

The ECB has developed a crisis manual that defines roles, responsibilities and processes in the event of a crisis as well as contact details of the crisis management team. Each business area has full responsibility for developing its BCP. However, the high-level BCP template does not require an overall BCP at ECB level and one has not been prepared.

46.

The ECB has set up a sound framework providing guidance on the BCM policies, processes and responsibilities in the organisation. However, its decentralised approach also creates a risk that, in the absence of strict coordination, BCM might not be consistently implemented across the organisation.

47.

Business impact analyses (BIA) is a dynamic process for identifying critical operations and services, key internal and external dependencies and appropriate resilience levels. It assesses the risks and potential impact of various disruption scenarios on an organisation’s operations and reputation  (31).

48.

The most recent full business impact analysis (BIA) was performed in 2006 (32) to identify the ECB’s deliverables and services critical to the continuity of the Bank’s main operations. The key areas of focus for the BIA performed included:

49.

A comprehensive BIA update performed in 2007 identified gaps in terms of business continuity and the arrangements valid at that time. A follow-up strategy was established. It included options to close the identified gaps or accept the risks and costs. However, whilst this document presented the costs in terms of IT and logistical infrastructure solutions, this was not broken-down to show the impact of the different risk-levels on costs.

50.

The most recent BIA update to close the gaps identified in 2007 was completed in 2010. No full business impact analysis has been made since the financial crisis.

51.

The BCPs should be designed so that the critical operations are identified to ensure that the ECB should be able to fulfil its statutory obligations as defined in the relevant protocol on the statute of the ECB  (33). BCPs should be developed around a ‘worst case scenario’ with the understanding that the response can be scaled down appropriately to match the actual crisis  (34).

52.

The ECB has set primary benchmarks for the determination of criticality relative to a number of risks and based on its statutory obligations (see Box 3).

Box 3

Primary benchmarks for the determination of criticality

Meeting the statutory obligations, including:

The impact of interruption to an identified process with respect to:

Source: ECB BIA review 2006.

53.

Based on the Court’s review of these primary benchmarks and a preliminary assessment of the potential level of operations continued under scenarios established (35), the plans developed were designed to ensure that the statutory obligations would be met. However, the Court’s review of the BCPs identified a lack of plans to address a serious loss of human resources (36) in case of disaster. Although the business areas in charge of the processes defined the business continuity staff and identified their replacements, none had a back-up plan in case of wide-scale unavailability of staff.

54.

An organisation shall weigh its direct benefit from measures to improve its resilience to operational disruptions against the cost of those measures  (40).

55.

The overall ECB high-level BCP template provides the mandatory structure and contents of individual business area BCPs. As such, this template only includes the structure of the BCP documents to be provided by the areas.

56.

BCPs are prepared at the level of business area, department or division. The high-level BCP template is generally respected in terms of mandatory content, but there are large differences in the degree of the detail. Although the ORM/BCM function plays a central coordination role, the quality of the individual BCPs depends on the person responsible at the business area level. There was no evidence that the individual BCPs are sufficiently reviewed by the ORM/BCM function.

57.

Out of the five business areas (41) selected for detailed testing, four delivered a BCP in line with the requirements, three of which fully addressed the critical processes identified in the BIA.

58.

In most of the cases, no cost-benefit analysis was documented in the sampled business areas regarding the business continuity options, including assessment of various risk levels.

59.

Organisations should test their business continuity plans, evaluate their effectiveness, and update their business continuity management, as appropriate  (42). BS25999  (43) requires the organisation to ensure that its BCM arrangements are validated by exercise and review and are kept up to date.

60.

The following documents were reviewed:

61.

The testing strategy focuses on the BCPs and information systems recovery plans developed to review critical processes according to the BIA. The testing framework includes a clear allocation of responsibilities, setting the scope of testing, reporting requirements, test frequency as well as relevant medium-term testing programme. The review indicated that an adequate testing framework has been established in line with the requirements of BS 25999.

62.

The tests held identified that the testing exercises, although covering key personnel and carried out on a regular basis, do not always simulate the circumstances the ECB would face in case of major business disruption. Tests planned in 2009 and 2010 did not cover all scenarios set up by the ECB and not all tests originally planned were carried out.

63.

The crisis management and response teams should be educated about their responsibilities and duties. Teams should be trained at least annually and new members should be trained when they join. All personnel should be trained to perform their individual responsibilities in case of a crisis. They should also be briefed on the key components of the business continuity plan  (45).

64.

The training strategy adopted by the ECB specifies that all staff should benefit from a BCM awareness enhancement programme (46). As for testing, the training strategy foresees the establishment of a training programme that shall provide implementation details.

65.

In 2010 five half day crisis management training programmes were held to provide a ‘walk through’ of the Crisis Manual adopted by the ECB. Overall, both the introduction of the manual as well as the training session received positive assessments from the course participants, but it was also noted that simulation testing would be highly appreciated.

66.

Whilst the audit found clear evidence that the training of relevant business continuity personnel takes place, namely through the BCPs testing, it did not find evidence that other staff’s awareness of the business continuity framework and processes was actively addressed. Several internal reference documents (47) recognise that although testing plays a key role in staff training, there is a need to address all staff by means of a staff awareness programme. Such a programme has not been developed so far, as the central ORM/BCM function considers that the awareness among staff of the business continuity arrangements is satisfactory. Nevertheless, an internal survey (48) points out that more than 12 % (20 % in 2009) of respondents are not aware of the business continuity arrangements for their business area and would not know where to find information on how to respond in the case of a crisis.

67.

Financial risk management is a process to deal with the uncertainties resulting from financial markets. It involves assessing the financial risks facing an organisation and developing management strategies consistent with internal priorities and policies.

68.

The Court examined whether:

69.

The framework should provide a firm-wide definition of financial risk and lay down the principles of how financial risk is to be identified, assessed, monitored, and controlled/mitigated  (49). The bank must have a financial risk management system with clear responsibilities assigned.

70.

The ECB’s financial risk management framework is designed to cover risks arising from two ECB’s operations: (i) investment; and (ii) credit. The investment operations relate to the two investment portfolios, foreign reserves (50) (60 600 million euro as at 31 December 2010) and own funds (51) (13 300 million euro as at 31 December 2010). The credit operations relate to monetary policy operations (52). The ECB’s investment activities include the management of the foreign reserves of the ECB (53), the ECB’s own funds portfolio, the management of the pension fund and activities related to the two portfolios held for monetary policy purposes (54).

71.

The RMA division is responsible for maintaining the general risk management framework for investment operations and monitoring, assessment and controls of the risks resulting from these operations. It monitors compliance with agreed market and credit risk management policies and processes. Cases of non-compliance are reported according to agreed escalation procedures.

72.

DG-M is the business area conducting investment operations at the ECB. It is also responsible for the maintenance and further development of the Eurosystem’s portfolio management application (55). The Investment Division of DG-M is responsible for the preparation of Investment Committee proposals for the tactical benchmark for the foreign reserves portfolios and the direct management of the ECB’s own funds portfolio.

73.

The Handbook of Financial Risk Management (56), the key document for financial risk management of investment activities, provides a comprehensive overview of all the relevant policies, processes and procedures in particular by referring to the documents endorsed by the ECB’s decision-making body.

74.

The overall framework and the financial risk management set up by the ECB for the management of investment and policy operations provides a bank-wide definition of financial risk and lays down the principles of how financial risk is to be identified, assessed, monitored, and controlled/mitigated.

75.

76.

The ECB Handbook of Financial Risk Management defines the following elements:

77.

The foreign reserves investment process is steered by a three-layer structure encompassing the strategic benchmark, the tactical benchmark and the actual portfolios. The strategic benchmark reflects the long term risk-return preferences and is decided by the Governing Council.

78.

The own funds investment process is based on a two-layer structure, the strategic benchmark and the actual portfolio. The strategic benchmark is decided by the Executive Board.

79.

Returns are maximised subject to the no-loss and asset allocation constraints and are implemented through a specific strategic asset allocation (58).

80.

Lists of eligible countries, issuers and counterparties are maintained by the RMA. Limits for the counterparties are set by RMA based on the methodology approved by the Executive Board. For foreign reserves management, the limits are allocated to NCBs based on the methodology approved by the Governing Council. Once a year, a systematic update of all limits is undertaken. In addition, implications of rating changes on eligibility and limits are taken into account immediately.

81.

The strategic asset allocation takes into account the following high level policy requirements:

The investment and risk horizons are set at one year for the foreign reserves and at five years for the own funds.

82.

The Court’s audit included a review of:

83.

The review of the financial risk management framework indicates that the financial risk management methodology sufficiently determines the risk appetite and provides comprehensive guidance for the investment operations at the ECB.

84.

85.

The Court’s audit included:

86.

For the value at risk framework review the following aspects were considered:

87.

The testing showed that the methodology was adequately implemented. However, the ‘four eyes principle’ had not been documented. In addition, the review of the models used for the calculation of the strategic and tactical benchmarks as well as VaR calculations, including the model validation showed that for some of the models:

88.

A review of best practices in other similar international organisations has shown that following the financial crisis in the US and as part of strengthening its financial risk management capabilities, the Federal Reserve Bank of New York set up a model validation team. The key tasks of this team are described in Box 4.

Box 4

Model validation team at Federal Reserve Bank of New York

The key tasks of the team are outlined below:

89.

90.

Compliance with agreed market and credit risk management policies and processes is monitored by RMA, which is also responsible for reporting non-compliance according to agreed escalation procedures. The ECB RMA reports regularly on risk return and performance of both the ECB foreign reserves and own funds portfolios as well as on the associated strategic and tactical benchmarks. Reporting takes place at daily, weekly, monthly, quarterly and annual frequency.

91.

The tests and interviews performed by the auditors confirmed that reporting of performance is done regularly and is distributed to the executive management on a timely manner. However, it was noted that GIPS (59) standards, considered to be best practice, is not fully complied with for the purpose of ECB internal reporting of performance.

92.

The ECB has established a comprehensive organisational structure, the roles and responsibilities are clearly assigned. However, there is a strong demarcation between the management of financial and operational risks in the Bank, this increases the risk that the view of the Bank’s exposures might not be comprehensive. No independent, single, body, such as a risk officer or committee, has been set up between the Executive Board and the two risk function/units, ORM/BCM and RMA.

93.

The annual accounts of the ECB contain only brief information about certain risk management issues rather than disclosing an overview of the risk management process in the organisation, the risks faced as well as the management’s approach to those risks.

Recommendations

94.

The ECB has a clear organisational structure and established adequate operational risk management policies outlining the Bank’s approach to assessing, monitoring and controlling/mitigating risks.

95.

Although top-down assessments were conducted in 2008 and 2009, and action plans for each business area were identified, no cost-benefit analyses were documented.

96.

A system of reporting, monitoring and follow-up has been established and a timetable agreed for the follow-up of the risk mitigation measures for medium and high risks. However, for some risks, the acceptance procedure by the ORC/EB took a very long time. There is no integration of planning and ORM cycles. Also, the ORM activities were not clearly shown in the work programmes of some business areas tested.

97.

The ECB has developed a comprehensive crisis manual that defines roles, responsibilities and processes in the event of a crisis as well as contact details of the crisis management team. Each business area has full responsibility for developing its BCP.

98.

The ECB has set up a sound framework providing guidance on the BCM policies, processes and responsibilities in the organisation. However:

Recommendations

99.

The overall framework and the financial risk management set up by the ECB for the management of investment and policy operations is adequate. The review of the financial risk management framework indicated that the financial risk management methodology designed is sound and adequate for the management of investment and policy operations at the ECB. However, improvements are required in the practical application of the methodology, e.g. in the area of models used for the calculations of strategic and tactical benchmarks as well as VaR calculations.

100.

The internal risk management reports provide accurate, adequate and comprehensive financial risk management information to the senior management and to the Board of the ECB. Reporting of performance is regular and timely, but it is not regularly updated to reflect changes in GIPS standards.

Recommendations