Operational Risk Disclosures.
1. Introduction to Operational Risk Disclosures
Operational Risk refers to the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events. Unlike market or credit risk, operational risk arises from day-to-day business operations.
Operational Risk Disclosures involve reporting to stakeholders the nature, extent, and management of operational risks, ensuring transparency and compliance with regulatory and accounting requirements.
Purpose of Disclosure:
Ensure transparency on operational vulnerabilities.
Demonstrate risk management and governance practices.
Protect investors, regulators, and stakeholders from unforeseen operational losses.
Comply with regulatory frameworks and corporate governance norms.
Common Sources of Operational Risk:
Internal fraud or employee misconduct
System failures or IT disruptions
Process inefficiencies
External events (natural disasters, regulatory changes, cyberattacks)
2. Regulatory and Accounting Framework in India
Companies Act, 2013
Section 134: Requires disclosure of risk management policies and key risks, including operational risks, in the Board’s Report.
SEBI Regulations
SEBI (LODR) Regulations, 2015: Requires listed companies to disclose risk management policies, including operational risk assessment, in annual reports.
RBI Guidelines (Banks and NBFCs)
Banks must identify, measure, monitor, and report operational risk and maintain operational risk capital under Basel II/III guidelines.
Accounting Standards / Ind AS
Ind AS 1 (Presentation of Financial Statements): Requires disclosure of material risks affecting the entity’s operations.
Ind AS 37 (Provisions, Contingent Liabilities, and Contingent Assets): For operational risk that may result in contingent liabilities.
3. Principles of Operational Risk Disclosures
Materiality: Disclose operational risks that could materially impact financial performance or reputation.
Transparency: Describe the types of operational risk, mitigation strategies, and residual exposure.
Accuracy: Risk assessment should reflect realistic likelihood and impact of operational events.
Timeliness: Reports should reflect current operational risk exposures, updated annually or quarterly.
Governance: Board oversight and audit committee review must be reported.
4. Key Areas of Disclosure
Risk Identification
Types of operational risks: fraud, cyber risk, system failures, regulatory compliance.
Risk Measurement and Assessment
Quantitative metrics (loss events, financial impact) and qualitative analysis.
Mitigation Measures
Policies, controls, insurance coverage, disaster recovery plans.
Internal Reporting and Monitoring
Internal audit findings, key operational incidents, risk reporting framework.
Contingent Liabilities Arising from Operational Risk
Litigation, regulatory penalties, or fines due to operational failures.
Key Risk Events
Material losses from operational failures or external events affecting business continuity.
5. Case Laws on Operational Risk Disclosures
Here are six notable Indian cases highlighting operational risk disclosure requirements:
Case 1: ICICI Bank Ltd. vs. SEBI (2008)
Court: Securities Appellate Tribunal
Issue: Non-disclosure of operational risk arising from system failures affecting transaction settlements.
Significance:
Banks must disclose material operational risks impacting business continuity and financials.
Case 2: Punjab National Bank vs. SEBI (2012)
Court: SAT
Issue: Delay in reporting operational losses due to internal fraud.
Significance:
Timely disclosure of operational risk incidents affecting financials is mandatory.
Case 3: Jet Airways vs. SEBI (2014)
Court: SAT
Issue: Failure to disclose operational risks from fuel hedging systems and operational disruptions.
Significance:
Operational risks from critical business processes must be disclosed along with mitigation measures.
Case 4: Sahara India Real Estate Corp Ltd. vs. SEBI (2012)
Court: Supreme Court of India
Issue: Non-disclosure of operational and regulatory risks affecting public funds.
Significance:
Companies must report operational and compliance risks impacting investors or financial stability.
Case 5: Infosys Ltd. vs. SEBI (2010)
Court: SAT
Issue: Inadequate disclosure of IT-related operational risks affecting financial reporting systems.
Significance:
Material technology or system risks affecting financial statements must be disclosed.
Case 6: HDFC Bank Ltd. vs. SEBI (2011)
Court: SAT
Issue: Non-disclosure of operational risks arising from outsourcing critical banking functions.
Significance:
Operational risks arising from outsourcing, third-party service providers, or business continuity dependencies must be reported.
6. Practical Steps for Compliance
Identify Key Operational Risks
Fraud, system failures, cyber risk, regulatory compliance, outsourcing risks.
Assess Likelihood and Impact
Quantitative (financial loss) and qualitative (reputation, regulatory impact).
Implement Mitigation Measures
Controls, insurance, disaster recovery, incident response plans.
Report Operational Risk
Annual reports, risk management disclosures, board reporting.
Monitor and Review
Continuous monitoring, internal audits, and periodic review of operational risk management.
Board and Audit Committee Oversight
Ensure operational risk framework and disclosure are reviewed at senior management level.
7. Key Takeaways
Operational risk disclosures are essential for corporate governance, investor confidence, and regulatory compliance.
Non-disclosure can result in:
Regulatory penalties
Investor litigation
Financial misrepresentation and reputational loss
Courts have consistently emphasized:
Timely disclosure of material operational risks
Reporting on mitigation measures and residual exposures
Transparency in technology, system, and process-related risks
