Response to consultation on Regulatory Technical Standards on operational risk loss

Go back

Question 1: Do you think that the granularity of and the distinction between the different Level 2 categories is clear enough? If not, please provide a rationale.

  • In general, change management failures are not explicitly included. Change management risk refers to the risk of loss resulting from non-delivery or failure of changes. This includes the improper design of new products, services, or operations (e.g., incorrect parameters), incorrectly executed changes to current products, services, or operations (e.g., a change not deployed), or non-delivery or failure of key projects (e.g., a project not delivered), or products launched without appropriate approvals.
  • Moreover, EBA guidelines on IT risk management specifically define ICT change risk, so this area should be made visible.
  • Category 4.4 “Improper market practices, product and service design or licensing” should be split. It currently includes conduct risk, product design, and compliance (licensing).

Question 2: Do you perceive the attribute “greenwashing risk” as an operational risk or as a reputational risk event? Please elaborate.

  • First of all, we understand reputational risk to be more a type of impact than a risk itself.
  • This note aside, the greenwashing attribute could be allocated to OpRisk, provided it involves a failure of people, processes, or systems. For example, a deliberate management decision (in that case, it could be allocated as a sub-type of fraud), a reporting error due to errors systems, or non-compliance with regulation, or damaging clients (by misleading information) depending on context. And yes, this could result in reputational damage.

Question 3: To which Level 1 event types and/or Level 2 categories would you map greenwashing losses? Please provide a rationale.

  • 1.4 (Internal fraud committed against other stakeholders) – in case management deliberately decides to do greenwashing
  • 6.4 (Software failure not related to management of transactions) or 4.7 Model / methodology design error – e.g. in case of unintentional errors
  • 7.9 (Regulatory and Tax authorities, including reporting) – e.g. in case of error in reports to authorities, misunderstandings/different interpretations on what is required
  • 7.5 Improper distribution / marketing – e.g. in cases when the company would be misleading clients about its products (“green funds” would not be really green)

Question 4: Is “Environmental – transition risk” an operational risk event? If yes, to which Level 2 categories should it be mapped? Please provide a rationale.

  • We don’t think that materialization of “environmental-transition risk” would be an OpRisk event.
  • Typical example of impact in this area would be e.g. that a building we have invested into and have like a collateral loses value due to change in regulation requiring expensive refitting of its heating systems. This however we would see as a business risk, not operational one – there was no failure of our people/process/systems etc. when we concluded that deal. 

Question 5: Which of these attributes do you think would be the most difficult to identify? Please elaborate.

  • Environmental physical risk – may look simple as it can be easily allocated into business continuity area, however, in fact it is impossible to determine direct causal nexus (e.g. a flood is an event which historically occasionally happens, or this specific flood is caused by global warming?). 
  • Environmental transition risk – problematic, see Q4 (it is not failure of an OpRisk factor)
  • Social risk - these new attributes would not actually fit to Operational risk as it is currently understood so this will be problematic.
  • Governance risk – OK, no problem (Governance risk refers to the potential for adverse effects on an organization due to weaknesses or failures in its governance structure and practices. It encompasses a range of risks that can arise from poor decision-making processes, lack of accountability, inadequate oversight, and non-compliance with laws and regulations so it can be allocated easily).
  • Greenwashing – OK (see Q2 for comments)

Question 6: Do you agree with the inclusion of the attribute “Large loss event”? If not, please elaborate.

  1. We don’t see any benefit of having this attribute in the database of loss data collection. Management deals with big events no matter the flags in system. 
  2. The threshold number will change among years, thus impacting the consistency of data in time. 
  3. Practically, it is easier to add such attribute in reporting. 

Question 7: Do you think that the granularity the proposed list of attributes is clear enough? Would you suggest any additional relevant attribute? Please elaborate your rationale.

  • We would add change management risk. Preferably as a L2 category, or at least as an attribute. 
  • We would avoid the following: 
    • Large loss event - it is easier to add such attribute into reporting and further data processing. 
    • Ten largest loss events – Similar as above. This will be automatically assigned by the system during reporting, no need to have separated attribute in database. Management allocates its capacities based on importance and impact of events no matter the flag.
    • Environmental transition risk – not an OpRisk event
    • Social risk we don’t consider it to be under OpRisk at all

We consider the following as useless due to duplication: 

  • Legal risk - Misconduct - covered already by relevant L2 categories          
  • Legal risk – Other than misconduct - covered already by relevant L2 categories 
  • Model risk - covered already by relevant L2 categories (4.7, 7.7)
  • Pending losses – OK but We think that this can be however achieved differently. 

Attributes where we see no problem: 

  • ICT risk - covered from a big part by relevant L2 categories except for change management area as per EBA guidelines on ICT risk, but there may be cases where this may be useful
  • Credit, Market, Third Party – OK, boundary risks
  • retail, commercial banking, trading, other - OK, according to business lines          
  • Environmental physical risk – OK
  • Governance risk - OK
  • Greenwashing risk – OK, see Q2

Question 8: Would it be disproportionate to also map the three years preceding the entry into force of these Draft RTS to Level 2 categories? If yes, what would be the main challenges?

  • Yes. Enormous manual work as it is impossible to establish automatic direct link / classification into the database.

Question 9: Is the length of the waivers (three years and one year) for institutions that, post merger or acquisition fall into the EUR 750 million – EUR 1 billion band for the business indicator, sufficient to set up the calculation of the operational risk loss following a merger or acquisition? If not, please provide a rationale.

N/A for us.

Question 10: Are there other cases where it should be considered to be unduly burdensome for institutions to calculate the annual operational risk loss?

N/A for us.

Question 11: Which of the provisions of Article 317(7), as developed by the draft RTS on the development of the risk taxonomy, and Article 318 of the CRR would be most difficult to implement after a merger or acquisition for the reporting entity? Please elaborate.

N/A for us.

Question 12: In your experience, would the provisions of this article apply to most mergers and acquisitions, or would data usually be promptly implemented in the loss data set of the reporting institution?

N/A for us.

Question 13: Are there other adjustments that should be considered in these draft RTS? If yes, please elaborate.

  • Reflect and create direct link to taxonomy in other EBA guidelines  - especially on ICT risk. 
  • Reflect and/or provide direct linking to ORX industry standard (example is enclosed).

Upload files

Name of the organization

PPF Financial Holdings