Operational risk is the risk of loss resulting from flaws in the type and scale of the Group’s operations, internal processes and procedures for carrying out banking operations and other transactions, the violation thereof by staff or other individuals (due to unintentional or intentional acts or omissions), the inadequacy or lack of functionality of IT and other systems and/or the failure (breakdown) thereof, as well as damaging external events. Operational risk includes legal risks but does not include strategic or reputational risks.
VTB Bank’s operational risk management system is designed to minimise incidents of operational risk, including reducing the likelihood of business process failures, the inability to provide high-quality services to the Bank’s clients caused by staff errors, system breakdowns, internal or external fraud, breaches of client obligations or violations of contractual obligations, and incurring possible losses from taking on such risk.
In managing operational risk, the Bank adheres to the Bank of Russia’s regulations, as well as the recommendations of the Basel Committee on Banking Supervision. To implement its operational risk strategy, VTB carries out regular procedures to identify, assess, monitor, control and minimise operational risk. All significant deficiencies from a risk perspective that are identified within the internal control system are subjected to detailed analysis. Based on this analysis, mitigation measures are taken in order to eliminate the causes and sources of the risk.
To manage operational risk, the Bank has implemented the following unified mechanisms to identify, assess and monitor the level of operational risk: a centralised process to collect information on incidents of operational risk and related consequences; control over the level of key indicators related to operational risk, and procedures to minimise operational risk. The application of the above-mentioned mechanisms makes it possible to carry out a quantitative assessment of operational risk indicators in relation to the Bank’s products, processes and systems, including in the context of individual risk categories and the Bank's activities, the identification of sources of risk, the development and adoption of mitigating measures and the generation of management reports.
The Bank uses the following methods to respond to operational risks:
- Minimising risk: developing and implementing the necessary corrective measures to reduce identified risks;
- Taking risk: questions related to whether or not to take a certain risk are subject to approval by the authorised bodies/individuals within the Bank in the event that measures aimed at minimising the risk are not economically feasible;
- Avoiding risk: refusal to carry out a business operation subject to an identified risk if the potential losses as a result of the risk would be critical for the Bank and/or if carrying out the operation in question could jeopardise the economic feasibility of the activity associated with the risk, and if measures aimed at minimising the risk are not economically feasible;
- Transferring risk (risk insurance): risk insurance involves those operational risks that the Bank is unable to manage and that exceed the Bank’s direct control (including the risk of the loss of collateral pledged to the Bank to secure credit, the risks associated with the transportation and storage of valuables and cash, property risks, etc.).
The Bank uses the following key methods to reduce and limit its operational risk:
- Maintaining an integrated system of ongoing and follow-up internal controls that cover all of the Bank’s divisions and operations;
- Regulating all key operations using internal standards and codes of practice;
- Registering and documenting banking operations and transactions, and maintaining consistent control over primary documents and operating accounts;
- Applying the principles of dividing and limiting employees’ functions, authority and responsibilities; implementing dual controls; collective decision-making; setting limits on the terms and scale of operations;
- Automating banking operations using high-performance IT systems that are constantly monitored and repaired promptly in case of breakdown;
- Operating a well-managed HR policy, good staff training and education;
- Taking preventive steps to ensure the continuity and recovery of activities related to banking operations and transactions by setting up alternative communications channels; geographically distributed server rooms; independent sources of power, heat and water supply; and by taking fire protection measures.
The insurance programmes covering risks related to the Bank’s professional activities in 2018 were provided by insurance against crime under the Financial Institution’s Blanket Bond scheme (including electronic and computer crimes), liability insurance for directors and officers of the Group’s companies, insurance for funds and valuables while in storage and during transit, ATM insurance, etc. VTB Bank also insures against risks related to business activities (including buildings, equipment and vehicles).
In 2018, the Group took the following steps to develop its system for managing operational risk:
- Development and implementation of mechanisms to monitor the level of operational risk at the level of the Bank and the Group’s companies as part of the management of risk appetite;
- Unification of methodological approaches to operational risk management at the Group level, including risk management of fraud and IT risks;
- Development of the methodology for a unified system of tools to be used for operational risk management at the VTB Group level (collection of data on the occurrence of operational risks and related consequences, self-assessment, key risk indicators, corrective action plans to reduce risks and the consequences thereof, scenario analysis);
- Improving regular reporting on the Group’s operational risks.
Operational risk did not have a significant impact on the Bank’s performance in 2018.