1. Overview of Operational Risk Management
The Bank of Korea (BOK) performs risk management activities to identify and control risk factors, both internal and external to the organization, so that its fundamental functions, such as currency issuance, the implementation of monetary policy, and the operation of payment and settlement systems, continue to run smoothly.
Operational risk refers to the risk that inappropriate business processes or systems, inadequate staff management, or external events hinder the achievement of organizational goals or cause financial loss and reputational damage. The BOK classifies it into the following categories.
- Business Process Risk : Inappropriate business design, delays, and interruptions in operations, etc.
- Security Risk : Security of key facilities, document security, etc.
- Human Risk : Inadequate human resource management, negligence and misconduct, corruption, etc.
- IT Risk : System failures, cybersecurity, etc.
- External Risk : Natural disasters, environmental changes, etc.
- Legal Risk : Contract breaches, non-compliance with regulations, etc.
Risk appetite refers to the level of risk that an organization is willing to tolerate in pursuing its objectives. The BOK establishes a risk appetite that its employees should take into account in their work and regularly reviews whether it remains appropriate.
BOK Risk Appetite Statement
The Bank of Korea sets the following risk appetites for operational risk management in order to adhere to its founding purpose, its vision as a globally trusted advanced central bank, its organizational values, its employee ethics code, and its employee code of conduct.
- 1. Business Process Risk : Business processes should be designed efficiently according to internal standards and should include risk control activities. Employees should comply with and make effective use of these processes. Business process risks, such as inappropriate business design, non-compliance with procedures, errors, delays and interruptions in operations, and neglect of project management, should be kept at a low level (a low appetite). However, for delays and interruptions in business functions that require priority recovery, the risk appetite should be kept at a very low level (a very low appetite).
- 2. Security Risk : To protect the Bank of Korea's assets and information, a high-level security environment should be maintained. The risk appetite for security risks, including security vulnerabilities at key facilities and in document security, should be kept at a very low level (a very low appetite).
- 3. Human Risk : Employees should possess expertise and a sense of responsibility, implement policy in a neutral manner, and pursue the public interest through effective communication. Accordingly, for human risks such as inadequate human resource management, negligence, misconduct, embezzlement, neglect of non-regular employees, or insufficient workplace safety, the risk appetite should be kept at a very low level (a very low appetite).
- 4. IT Risk : For risks that could significantly affect the Bank of Korea's key functions, such as cybersecurity threats and failures or defects in core systems (recovery priority 1 and 2 systems), the risk appetite should be kept at a very low level (a very low appetite). However, for other system failures or defects, change management, violations of system access authorization, and risks arising from system procurement or development, the risk appetite should be kept at a low level (a low appetite).
- 5. External Risk : The Bank of Korea should be able to respond appropriately to external shocks in order to protect its employees and ensure business continuity. For external risks arising from natural disasters, the actions of external parties, financial and economic changes, etc., including those caused by inappropriate pre- and post-event response, the risk appetite should be kept at a low level (a low appetite).
- 6. Legal Risk : The Bank of Korea should manage and minimize legal disputes and legal risks that could have a significant impact. For risks arising from legal disputes, the risk appetite should be kept at a very low level (a very low appetite). However, for cases such as contract breaches, conflicts of interest, and non-compliance with regulations, the risk appetite should be kept at a low level (a low appetite).
Across all six categories above, however, no level of corruption-related risk is acceptable (no appetite). Such risks are managed strictly, reflecting the public's high expectations of integrity in public institutions.
2. Operational Risk Management Governance Structure
The BOK structures its operational risk management as a Three Lines of Defense model consisting of front-line departments, a dedicated risk management department, and the internal audit function.
- 1st Line of Defense : Each department, branch, and overseas office directly responsible for its own operations serves as the first line of defense, identifying operational risks, assessing their likelihood and impact, and carrying out control activities. Each department designates a deputy director general as its operational risk manager, who works to prevent risks that may arise in its operations and to ensure a rapid response in an emergency.
- 2nd Line of Defense : The Strategy and Coordination Department (Operational Risk Team), the organization dedicated to operational risk management, is responsible for the second line of defense. It manages bank-wide operational risk and business continuity plans, coordinates and supports risk management activities in each department, and supports executive decision-making on operational risk.
- 3rd Line of Defense : The third line of defense is internal audit. The Audit Department verifies the adequacy of the risk management and internal controls performed by the first and second lines of defense.
3. Operational Risk Management Organization
To manage bank-wide operational risk and ensure business continuity, a dedicated Operational Risk Team has been established within the Strategy and Coordination Department to support operational risk management activities across all departments.
In addition, the Risk Committee, composed of the heads of the relevant departments, strengthens the risk management framework and supports senior management in making risk-related decisions.
- The deputy governor in charge of management serves as chairman.
- The committee consists of an Operational Risk Branch and a Financial Risk Branch.
- To incorporate independent and objective evaluation of the Bank's risk management processes, external experts in relevant fields (law, IT, etc.) also participate as members of the Operational Risk Branch.
In the event of a serious disaster, or when one is likely, the Emergency Response Committee is convened to direct the bank-wide response.
- The senior deputy governor serves as chairman.
- The committee decides on the declaration and termination of a disaster situation, relocation to alternative workspaces, remote and distributed work, and the supporting roles of each department.
- Procedures for recovering business operations during a disaster situation are set out in the business continuity plan.
4. Operational Risk Management Tools
The BOK uses the following tools for operational risk management.
- Risk Register Management
- Risk Control Self-Assessment (RCSA)
- Monitoring Key Operational Risk Indicators (KORI)
- Risk Reports
Business Continuity Management : The BOK has established and maintains a Business Continuity Plan (BCP) to respond effectively to, and strengthen organizational resilience against, disasters that could disrupt core business operations. The BCP is developed and managed under the same Three Lines of Defense model used for operational risk management.
- In case core business operations at BOK headquarters become infeasible, alternative work locations have been established to ensure the continuity of all operations.
- Recovery Time Objectives (RTO), the target times for recovering priority business functions, are systematically included, together with provisions for backup personnel and emergency communication networks, to facilitate swift business recovery.
- Regular and ad hoc drills simulating realistic scenarios are conducted to improve adaptability to a range of disaster situations.
- 1st Line of Defense : Departments directly responsible for front-line operations establish department-specific business continuity plans based on a business impact analysis.
- 2nd Line of Defense : The Strategy and Coordination Department (Operational Risk Team) coordinates the business continuity planning of each department and establishes and manages the bank-wide business continuity plan.
- 3rd Line of Defense : The Audit Department examines the business continuity management activities of each department and objectively verifies and evaluates the effectiveness of the business continuity management system and its activities.