Central Bank Governance and the Role of Nonfinancial Risk Management

Contributor Notes

Author’s E-Mail Address: akhan4@imf.org

Abstract

This paper argues that nonfinancial risk management is an essential element of good governance of central banks. It provides a funnelled analysis, on the basis of selected literature, by (i) presenting an outline of central bank governance in general; (ii) zooming in on internal governance and organization issues of central banks; (iii) highlighting the main issues with nonfinancial risk management; and (iv) ending with recommendations for future work. It shows how attention for nonfinancial risk management has been growing, and how this has amplified the call for better governance of central banks. It stresses that in the area of nonfinancial risk management there are no crucial differences between commercial and central banks: both have people, processes, procedures, and structures. It highlights policy areas to be explored.

I. Introduction

Effective governance is of the utmost importance for central banks trying to achieve their goals. This applies to central banks that have a single primary objective, price stability, as well as to those that have additional mandates relating to, for instance, financial stability.

The key pillars of central bank governance relate to mandates, independence, accountability and transparency, and internal governance. Of these, the issues of independence (political, operational, and financial) and accountability/transparency have long been dealt with by the economic literature, trying to contain political influences on monetary decision-making.1 The matter of central bank mandates has received increasing attention since the global financial crisis, as central banks struggled with solvency and liquidity issues of commercial banks.2

Among all governance issues, it is the nonfinancial risk management of central banks that has been examined the least. Functions such as internal audit and compliance, the structure of the board and its decision-making processes have been well-charted in central banks. These issues require more attention, as nonfinancial risks carry potentially large adverse (financial) effects for central banks. For a number of reasons this attention has started to increase, as central banks acting as investors (and in the public spotlight) are opening up to the full range of practices and tools that risk management has to offer.

This paper will provide a funneled overview of central bank governance and the role of nonfinancial risk management, in particular: (i) outline the issue of central bank governance in general; (ii) zoom in on internal governance and organization issues of central banks; (iii) highlight the main issues with nonfinancial risk management; and (iv) end with a number of recommendations for future work.

II. Prerequisites for Proper Nonfinancial Risk Management

The global financial crisis has prompted new thinking on central bank governance issues. First, it has done so by extending traditional governance ideas from the monetary policy side to the supervisory and/or regulatory side of central banks. Discussions in recent years have examined whether the concept of independence should apply to the supervisory side of a central bank, how the dual mandate of price stability and financial stability should be shaped, and other similar questions.3 Second, discussions have moved beyond the realm of central bank issues relating to its own organization, and even elements of behavior and culture.4

The concept of governance is related to the structure, processes, incentives and relationships necessary to build trust. There is no universal definition of governance, but many standards and practices refer to the definition put forward by the Organisation for Economic Co-operation and Development (OECD) (2004). Governance is generally defined as a set of relationships between a company’s management, its board, its shareholders, and other stakeholders. It provides the structure through which the objectives of the company are set, and the means of attaining those objectives and monitoring performance. It provides proper incentives for the board and management to pursue objectives that are in the interest of the company and its shareholders and should facilitate effective monitoring. The presence of an effective corporate governance system, within an individual company or group and across an economy as a whole, helps provide a degree of confidence that is necessary for the proper functioning of a market economy.

Defining governance as a means to build confidence and trust is applicable to companies and central banks alike. This definition makes no distinction between nonfinancial and financial companies and Small and Medium-Sized Enterprises, or commercial companies and central banks. The focus of governance as a means to build trust in the specific organization, and on a general level trust in the society in which that organization operates, is generic to all forms of organizations.

Accountability and Transparency of Financial Supervisors

The Basel Committee on Banking Supervision Task Force on Impact and Accountability (see www.bis.org) provides guidance to central banks that also have a mandate on financial supervision. It sees accountability and transparency as core drivers for effective financial supervision, helping supervisors to strengthen their willingness to act and to deliver sound supervisory outcomes. It would also strengthen supervisors’ technical independence, helping to counter institutional capture (i.e., supervisors being too close to the institutions they supervise).

Accountability reinforces democratic checks and balances to ensure the highest quality of supervision as a public service provided by government agencies under a legal monopoly. Objective and transparent procedures should be in place to call board members and senior staff to account when poor performance in the discharge of the supervisory mandate is evident. As Figure 1 demonstrates, lack of accountability will erode support for, credibility of, and trust in the central bank.

Figure 1. Overview of Central Bank Governance

Citation: IMF Working Papers 2016, 034; 10.5089/9781498376051.001.A001

Source: IMF staff.

Transparency puts supervisors’ actions and decisions under public scrutiny, in order to be accountable to stakeholders. Transparency, while taking issues of confidentiality into account, cannot be used as an excuse for supervisors to hide from public scrutiny. Transparency in supervisory outcomes and decision-making procedures limits the arbitrariness of supervisors, exposes undue government and industry interference, and encourages good and effective supervisory practices.

Because central banks perform several functions in different countries, there is no blueprint for central bank governance. The Bank for International Settlements (BIS)5 defines central banks as “public policy institutions whose main goals are to preserve monetary stability and promote financial stability”. In addition, they “provide core components of payment systems (…) and often manage the country’s gold and foreign exchange reserves”, and they “also play a major role in the oversight and development of the financial system”. In some countries central banks also perform other tasks such as banking services and asset and debt management to the state, or even providing general economic advice to the government.

Yet, one can still determine four specific characteristics that are common to all central banks: (1) the public policy objectives (which can vary), (2) the lender of last resort role, (3) balance sheet structure (including the fact that central banks do not go bankrupt), and (4) the need to “lead by example” (which includes a certain fiduciary responsibility to society).6 In addition, the legal structure of central banks can be complicated and differentiated and can have both public and private corporate elements.

Given these characteristics, one can distinguish four main governance issues relevant to all central banks: (a) mandates; (b) independence; (c) accountability and transparency; and (d) internal governance. See Figure 1. Each relates to a form of checks and balances of the central bank. They form the pillars of effective central bank governance: they cannot support proper governance on their own, but are interconnected. Issues relating to mandates, accountability and transparency will not be discussed further in this paper: they have been discussed in central bank literature over the years.7 Box 1 gives an example of thought development on accountability and transparency for central banks that are also financial supervisors. Some considerations on central bank independence will be listed below. Independence has different forms, has given rise to numerous academic papers,8 and is closely linked to internal governance.

A. Central Bank Independence

Central bank independence is a complex concept that has different interpretations. Lybek (2004a), for example, distinguishes “autonomy” (operational freedom) from “independence” (lack of institutional constraints), and subsequently distinguishes four types of autonomy (goal, target, instrument and limited). In Figure 1 we made the following distinction9:

  • 1) Political independence: central banks formulate and execute their monetary policy without undue political influence of the executive and/or legislative power.10 Examples of checks and balances to this extent can be found in legal requirements on approval and dismissal procedures for central bank governors (and board members in general). Some countries require a “double veto”: both the executive power (e.g., the minister of finance) and the legislative power (the parliament) or even judicial power (the courts) need to be involved in the hiring and especially firing of a governor, in order to avoid “politically inspired changes”, for instance after a general election. In addition, reasons for firing a governor should be clearly laid down in the central bank’s law.

  • 2) Operational independence: central banks should be severely limited in, or prohibited from, financing public sector expenditure, to avoid the harmful impact on inflation of financing the fiscal deficit with central bank money. Central banks are free to formulate interest rate policy, and its execution is an exclusive responsibility of the central bank. Some countries require the central bank to agree with the government on the inflation target (no target or goal independence): the central bank is not in a position to define the short-run trade-off between inflation and unemployment, an issue that falls within the political sphere and must, therefore, be decided in consultation with the government.

  • 3) Financial independence: the government should ensure the central bank’s capital integrity to support the central bank’s policy independence. In return, the central bank transfers profits to government after accumulating appropriate legal reserve provisioning. This allows the central bank to conduct open market operations without financial restrictions, and to try and achieve its policy goals. In addition, the central bank should not engage in quasi-fiscal operations (see operational independence), which on most occasions deteriorate its financial position. Central bank financial independence and the transparency of its financial relations with the government facilitate accountability.

Legal independence is not so much a fourth category, but rather a cross-cutting component for all forms of independence. “First, it indicates what is the degree of independence that legislators meant to confer on the central bank. Second, practically all existing attempts at systematically characterizing central bank independence rely solely on legal aspects of independence”.11

B. Internal Governance

Internal governance incorporates all arrangements of the internal organization of the central bank. Clear examples are structure, decision-making processes, risk management arrangements and control mechanisms, and internal audit: everything that influences the decision-making of and within the central bank. Figure 2 outlines how internal governance fits in the overall governance of central banks.

The sections below will provide a brief overview of these internal governance issues of central banks, before zooming in further on (nonfinancial) risk management in particular.

Figure 2. Overview of Key Internal Governance Issues of Central Banks

Source: IMF staff.

Behavior and culture of central banks are the root cause of all their governance issues. The World Bank’s World Development Report 2015 is aptly titled “Mind, Society, and Behavior”. It summarizes key research findings from behavioral economics, sociology, and psychology, and how these insights could be applied not only in the work of the World Bank, but also to its own staff: “[e]xperts, policy makers… like everyone else, are themselves subject to the biases and mistakes that can arise from thinking automatically, thinking socially, and using mental models. They need to be more aware of these biases, and organizations should implement procedures to mitigate them… Multiple psychological and social factors can affect whether a policy succeeds”12.

Board Effectiveness

The findings of the World Bank resonate into the specific topic of board effectiveness: Boards of central banks (and their individual members) are an influential part of the organization, and especially the Governor/President is a powerful individual. Psychological and sociological insights13 demonstrate that individuals—any individuals—behave differently when in a group. Issues relating to peer pressure, group think, identification and conformity are now common ground. Since the financial crisis boards of financial institutions have been scrutinized on behavior of the CEO (too aggressive, too dominant, and too self-assured?) and other board members (not experienced enough, not providing any feedback/pushback, challenge to the CEO, and not capable of understanding key issues of the company and its context). But what makes an effective board in general and for central banks in particular?

Effectiveness of a central bank board can be measured in the way it has a collective vision of its mandate/purpose, culture, values and behaviors.14 According to the British Financial Reporting Council, an effective board:

  • provides direction for management (both on form and in substance);

  • demonstrates ethical leadership, displaying—and promoting—behaviors consistent with the culture and values it has defined;

  • creates a performance culture that drives value creation without exposing it to excessive risk of value destruction;

  • makes well-informed and high-quality decisions based on a clear line of sight into the business;

  • creates the right framework for helping directors meet their statutory duties;

  • is accountable; and

  • thinks carefully about its governance arrangements and embraces evaluation of their effectiveness.

For central bank boards15 the issue of board effectiveness is not a new topic though. Especially in the area of monetary policy decision making (where the board has that responsibility), issues have been raised on how decisions are made as a result of a group process. De Haan (2007) says on the role of monetary policy committees: “Broadly speaking, policy decisions within the committee may be made in a highly collegial manner, or they are taken primarily on the basis of the members’ personal view. Likewise, communication may be more collegial or individualistic”.16 Cukierman (1992) noted already in the early nineties that “[t]he legal status of a central bank is only one of several elements that determine its actual independence. Many central bank laws are highly incomplete and leave a lot of room for interpretation. As a result, factors such as tradition or the personalities of the governor and other high officials of the bank at least partially shape the actual level of central bank independence. Even when the law is quite explicit, reality may be very different.”17 The topic of “board evaluations” of central bank boards is relatively new, but might provide quite useful tools for central banks in the near future.18

Specified qualifications and requirements of board members are common for central banks. Professional criteria and integrity aspects make up the majority of qualifications. But educational and sometimes geographical or sectoral aspects also come into play.19 In the pre-crisis era, Lybek (2004a) referred to this need by pointing out that “the composition of [central bank] board(s) should reflect its function(s).… The governor, deputy governors, and board members should observe certain qualification requirements, including being of good moral standing and having relevant experience”20. In addition, aspects relating to “soft skills”, “people skills”, or perhaps even more general organizational skills relating to change management and project management, have not been commonplace for central banks21. However, there is really no argument against applying standards stressing fitness and propriety demands for commercial bankers (such as the European Banking Authority Guidelines on Internal Governance and the European Capital Requirements Directive IV) to the central banking community as well.

When it comes to applying psychology or sociology to central bank boards, there is work to be done. Central bankers are human beings. Human beings are influenced by the group they participate in, the context of that group, the informal rules, etc. Central bankers and/or economists22 apply limited insights of what other social sciences such as psychology and sociology might offer to the realm of central bank governance. Generally, these insights are met with skeptical enthusiasm, such as by the BIS: “Although anecdotal information supports the relevance of social psychology research in the case of central banking, it remains to be demonstrated by structured studies”23. The World Development Report 2015 referred to earlier is the first international financial institution’s flagship report to be entirely devoted to behavioral insights and their application in the World Bank’s working areas, and to their own staff.

Accounting and Reporting

Accounting and reporting requirements influence central bank operations significantly. Accounting can be defined as “the financial quantification of the results of an entity’s activities and transactions for internal and external reporting purposes.”24 A recent article examining the effects of accounting on central banks noted, however, that “[a]ccounting is not considered a core activity of a central bank and is usually seen by many as merely an auxiliary function”.25 Yet accounting requirements affect the central bank’s roles in both the monetary policy and financial stability area.

The bigger the balance sheet, the bigger the potential influence of accounting requirements. Central banks have seen their balance sheets expand significantly since the global financial crisis (GFC), mostly due to so-called unconventional monetary policy, including large-scale quantitative easing in the US and Europe. This has exposed central banks to numerous additional risks. This also feeds into (re)capitalization issues of the central bank by the government, which in some countries might require additional legal requirements. As one author puts it: “Complex new rules associated particularly with financial instruments represent a massive shift in conventional treasury, product, financial and operational risk management techniques (…). This is of considerable significance for central banks”.26

Control Functions

The control functions of a central bank include risk management, compliance/legal and internal audit (as an assurance function). As addressed further on in this paper, all three have a specific internal role to play within the central bank when it comes to identifying and mitigating risks. Risk management is a so-called second line of defense, just like compliance and/or legal (managing risks from the business, within the business). Compliance might have a narrower focus on specific issues relating to overstepping legal boundaries; risk management in general looks at all financial and nonfinancial risks. The third line, internal audit, forms an additional, independent assurance check (reporting to the governor/the Board).27

The functions of compliance and internal audit will be left out of scope in this paper. We will continue to focus on risk management in particular. In a number of cases the difference between especially risk management and internal audit will be highlighted (see further).

Other organizational functions (Board, audit, compliance/legal) have their own roles to play. Clarification of the roles these different functions play is needed to avoid confusion. They all share a contribution to risk management of the central bank, which will be explained in more detail in Section C hereafter. In essence, when applying the three Lines of Defense model: (1) the first line (the business departments) consists of the risk owners: they are responsible for the activities that create risk and the first assessment of these risks; (2) the second line (the—centralized—Risk Management Department (RMD)) is responsible for controlling those risks emanating from the first line, by means of challenging and monitoring; (3) the third line (Internal Audit Department; some also consider the external auditor to be part of the third line) is responsible for assurance that risks are properly identified, controlled and monitored by the first and second lines of defense (see Figure 3).

Figure 3. Three Lines of Defense—Overview of Roles in Risk Management

Source: Swedbank, www.swedbank.com.

III. Risk Management

Central bank financial risk management relates to market, credit, interest rate, and liquidity risks.28 Given that most central banks have the right to print money, liquidity risks might be largely mitigated (though those risks might very well be pushed into the domain of price and financial stability). Interest rate risk stems from both domestic and foreign rates. Credit risks relate to the role the central bank could play as lender of last resort and as fiscal agent. Generally though, credit and market risk will come from the central bank’s exposure to foreign exchange/reserves.29 The increased role of instruments such as quantitative easing, sovereign bond purchases, and retail lending schemes has made financial risks even larger—and more volatile—for central banks30.

Risk management at some central banks has traditionally focused on decentralized control and monitoring. As central banks are acting more as investors in the public spotlight, risk management changes to actively managing risks at the central level. The main reason for the control and monitoring approach is that risk management was largely decentralized in a number of central banks; departments/divisions each “taking care” of their own risks. However, for proper management of risks, an independent department (or at least separated from the actual “business” departments) with an integrated overview of all of the central bank’s risks is necessary. The majority of central banks still have separate functions and processes for financial and nonfinancial risk management.31 Central banks do not have very strong incentives to reshape their risk management: they can have negative capital, the state provides guarantees, and they have the right to seigniorage. Some authors indicate that the rethinking of central bank risk management has been slowly developing over the past 15 to 20 years,32 with the GFC providing an extra spark for a more substantial discussion on central bank risk management.

Risk management in the broadest sense is defined as “the coordinated activities to direct and control an organization with regard to risks.”33 Generally speaking, governance arrangements for risk management of central banks relate to (1) overall responsibility, (2) day-to-day management and (3) systems. Speaking a couple of years after the GFC events of 2008, the European Central Bank (ECB) Executive Board member Lorenzo Bini Smaghi described the specific nature of central banks as exactly the reason why “the establishment of state-of-the-art risk management frameworks and the highest governance standards” was needed.34

ISO 31000 is the general standard for risk management implementation in corporate institutions. Published in 2009, it provides principles and guidelines that institutions can use to design, implement and maintain risk management processes throughout an organization. “Organization” in terms of ISO 31000 is not a limited category, but rather includes “any public, private or community enterprise, association, group or individual.”35 In that sense, the standard provides a high-level overview of what risk management relates to, see Figure 4.

Figure 4. Relationships between the Risk Management Principles, Framework, and Process

Source: ISO 31000.

The management of nonfinancial risks, however, is particularly underdeveloped in central banks. By definition, nonfinancial risk management deals with all risks that are not financial (credit, liquidity, market, interest). In its “post-2008 crisis” report the BIS noted36 that it is exactly those nonfinancial risks that are handled in less advanced ways than financial risks. This is understandable, as financial risks are well-defined, and relate to a number of specified and clear variables. Nonfinancial risks, on the other hand, are more complex and can vary widely: “As the types of operational risk events are of a theoretically infinite number, organizations of all size always must cope with inextricable issues of paucity of historical data to validate Operational Risk Management (ORM) analyses”.37 To give a concrete example: even the application of financial risk models, common in all central banks, entails a number of operational risks varying from sensitivity to fraud and human error, to IT-related problems.

The organizational functions of risk management and internal audit feed into and strengthen each other, but have distinctly different roles concerning the central bank’s risks. Risk management, as a function in the central bank, is traditionally a (preferably centralized) middle office tasked with identifying, assessing, prioritizing and monitoring risks and risk mitigation measures. Internal audit is an assurance function more at distance from the actual central bank operations, tasked with conducting independent examinations (audits) of (for instance) risk management procedures, systems and/or the functioning of the RM department. There are central banks that combine internal audit and risk management in one department. This is a practice grown from limited attention for and understanding of either of the functions and internal capacity constraints. However, central banks should avoid combining both functions, in order to let them play their specific organizational role on risk management of the central bank.38 This is not to say that risk management and internal audit should not work closely together. Kearns offers the following example: “Risk and audit offer synergistic opportunities. Both functions have the possibility to benefit from shared resources and skillsets. For example, operational risk assessments of business processes are a valuable input into auditor’s prioritisation of audits and which relevant controls should be tested. Auditor’s feedback helps operational risk managers validate their information”.39

Combined assurance is an increasingly popular way of reinforcing both internal audit and risk management. In essence, combined assurance means that internal assurance providers (such as internal audit, risk management, compliance), management assurance (such as strategy, IT, HR) and external assurance (such as external audit) are connected to the key risks of the company (or central bank) and allocated to the assurance function that can most efficiently and effectively deal with this—while keeping the other functions in the loop. It is a risk-based application of internal and external control. An example is South Africa, where the practice of combined assurance has gained significant weight after the country’s (first) “King Governance Report” in 2009.40

In order to look at nonfinancial risk management more closely, this paper breaks it down into three subcategories, see the figure below:

  • (a) Operational risk,

  • (b) Policy risk,

  • (c) Reputational risk.

Figure 5. Central Bank Internal Governance, including Nonfinancial Risk Management

Source: author.

Operational Risk

Operational risk is linked to failures due to internal processes, systems, people or external events. The introduction of operational risk in Basel II for commercial banks might have formed an incentive from a “practice what you preach” approach for central banks to examine their own operational risk management, which in essence does not differ from those that any other institution would run. Its people, system and internal processes might differ, but the weaknesses in all of those form a risk for central banks as well.41 The ECB applies an even wider definition of operational risk: “the risk of negative business, reputational or financial impact for the bank which derives from specific risk events due to or facilitated by root causes pertaining to governance, people, processes, infrastructure, information systems, legal, communication and changes in the external environment”.42

Examples can be found in events that have occurred throughout the existence of central banks, and are likely to keep occurring. Operational risks relating to people and reputation deal, for instance, with remuneration issues of central bankers (if not their base salaries, then, for instance, expensive business trips/usage of chauffeur-driven cars and/or even private planes). In the area of system failures it is IT that ranks very high: problems with payment systems, clearance and settlement, protection of classified information regarding financial institutions.

And regarding internal processes, cases have emerged of central banks not following their own internal rules and procedures, for instance regarding their duties as employers.43

Operational risk is divided into 7 event categories, as per the Basel II definition:

  • 1) Internal Fraud: misappropriation of assets, tax evasion, intentional mismarking of positions, bribery;

  • 2) External Fraud: theft of information, hacking damage, third-party theft and forgery;

  • 3) Employment Practices and Workplace Safety: discrimination, workers compensation, employee health and safety;

  • 4) Clients, Products, and Business Practice: market manipulation, antitrust, improper trade, product defects, fiduciary breaches, account churning;

  • 5) Damage to Physical Assets: natural disasters, terrorism, vandalism;

  • 6) Business Disruption and Systems Failures: utility disruptions, software failures, hardware failures; and,

  • 7) Execution, Delivery, and Process Management: data entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets.

Appendix 1 gives an overview of some well-known and less well-known recent central bank cases relating to operational risks (as published in (inter)national press and/or on the websites of the central banks involved). They include: Albania (stealing of banknotes), The Netherlands (stealing of banknotes), Austria (money-printing bribes and money laundering), Australia (money-printing bribes), Bank of England (manipulation of auctions), New York Fed (regulatory capture), Swaziland (internal fraud), and Tanzania (internal fraud), without passing judgment on the accuracy of the press reports. These cases serve as examples of reputational risks of central banks in general.

In summary, operational risks are all the nonfinancial risks that any organization—including a central bank—will run, regardless of its business model, geographical location, or size. It is also the only category of risks that does not have the possible upside of producing a higher yield if the exposure to those risks increases. Legal risk is often included in the definition of operational risk, but can be seen as a result of one of the above occurring, rather than a standalone risk category.

The development of best practices in central bank operational risk management has gained some momentum. Notable is the so-called International Operational Risk Working Group (IORWG44), which was set up as an initiative of Banco de España and the Federal Reserve Bank of Philadelphia in 2005 to “promote the exchange of operational risk management best practices in central banking”.45 The IORWG currently has 61 central bank members, and is dedicated to sharing experiences and best practices in operational risk, but also in related areas such as compliance, internal audit, and training. Though not an official international organization, the IORWG demonstrates the need in the central bank community to share practices on, and contribute to, ORM and related topics. Additionally, the BIS facilitates the Central Bank Governance Group and network.

Policy Risk

Policy (or strategy) risk results from the key areas in which the central bank is active. In the case of any central bank, this will always involve risks related to its monetary policies. With the expanding mandates of central banks this might also involve risks related to policy making in other areas (financial stability/financial supervision and regulation, banking resolution and/or market supervision and financial integrity). According to the BIS46 most central banks see at least the risks of monetary policy as part of the decision-making process in the monetary policy committee (a committee at board level). Some central banks include policy risk management in their general risk management, working on the thought that all risks to the central bank should be approached from a single framework. Risks relating to monetary policy operations are kept under particularly close scrutiny by central banks, for instance by incorporating strict risk control criteria to collateral (in case of lending to commercial banks).47

Policy risk can have both financial and nonfinancial risk consequences. The availability of a central bank’s reserves is a policy risk that manifests itself in a form of central bank liquidity risk, which is clearly financial. However, when the Federal Reserve chooses to intervene in JP Morgan, but not in Lehman Brothers, it is making a policy decision that also carries nonfinancial risks (for instance, questions about the consistency of Fed policy, the expectations of the public that changed and reputational risk as a clear consequence).

The three examples listed below will demonstrate how policy risk emerges from key central bank policy areas, and how it manifests itself (in these cases) in operational risks.

(1) Policy Risk and Financial Integrity Units

Supervision of anti-money laundering and combating the financing of terrorism (AML/CFT) has increased substantially in the last decade. Especially after the 9/11 attacks in the US, regulators and supervisors have placed a lot of effort in combating money laundering and terrorism financing.

Financial Integrity Units (FIUs) are organizations at the centre of AML/CFT. According to the authoritative Financial Action Task Force (FATF), FIUs serve “as a national centre for the receipt and analysis of (a) suspicious transaction reports; and (b) other information relevant to money laundering, associated predicate offences and terrorist financing, and for the dissemination of the results of that analysis. The FIU should be able to obtain additional information from reporting entities, and should have access on a timely basis to the financial, administrative and law enforcement information that it requires to undertake its functions properly.”48 In a large number of cases FIUs are housed at central banks: “The actual administrative location of such FIUs varies: the most frequent arrangements are to establish the FIU in the ministry of finance, the central bank, or a regulatory agency.”49

When FIUs are part of the central bank, a conflict of interests between the central bank side and the FIU may arise. The FIU deals with highly sensitive information on banks and other financial institutions that might seem “suspicious” from an AML/CFT perspective. There are numerous recent cases against banks (including recent ones such as BNP Paribas,50 Credit Suisse,51 and HSBC52), with fines running into billions of U.S. dollars. Not surprisingly, information on whether or not a bank faces any such suspicions could be of interest to other policy areas in the central bank—especially the financial stability and financial supervision side. This is even more the case when the FIU also acts as a so-called integrity supervisor.53 Interestingly enough, a central bank’s independence might actually be a reason to house the FIU in these to safeguard its own independence from the government.54

Central banks that house FIUs face policy risk issues related to mandate and objective issues, and organizational issues. About 50 countries have some form of “cohabitation” of the FIU and the central bank. The typical role of central banks is to focus on monetary and financial stability issues, including prudential regulation and supervision. This might clash with the FIU role when a central bank is more limited in its transparency (see Box 1 in Section II), whereas the FIU function’s focus would be on quickly and effectively exposing malpractices and outright violations of the law. This, additionally, also raises risks in the areas of incompatibility of functions and budgetary matters (including on whether or not the FIU should have more budget autonomy).

(2) Policy Risk and Reserve Management

As per the official IMF definition,55 central banks’ reserve management relates to ensuring that there are adequate official public sector foreign assets. These need to be readily available to, and controlled by, the authorities for meeting their (pre-defined) objectives. Reserve management is clearly a central bank activity related to core policy decisions.56 The buying, selling, and managing of the central bank’s foreign assets entail risk, not just financial, but also nonfinancial. “Reserve management should seek to ensure that (1) adequate foreign exchange reserves are available for meeting a defined range of objectives; (2) liquidity, market, credit, legal, settlement, custodial, and operational risks are controlled in a prudent manner; and (3) subject to liquidity and other risk constraints, reasonable risk-adjusted returns are generated over the medium to long term on the funds invested.”57 (underlining added)

To contain / mitigate reserve management’s operational risks, proper internal governance arrangements are essential. The IMF Guidelines highlight, for instance, the need to “be guided by the principles of clear allocation and separation of responsibilities and accountabilities”. The central bank is advised to have “appropriate hierarchical levels”, a “committee structure” and a clear separation of the investment side from the risk control/management side to avoid improper incentives. Reserve management also requires checks and balances in the form of internal audits and well-trained staff. Most indicative of the operational risk effects that reserve management activities can have, is the statement that “it is important to identify the level of authority that would reconcile inconsistencies or interferences between reserve management activities and other central bank functions. Unwanted signaling effects from reserve management operations should be avoided.”58

The IMF Guidelines on FX Reserve Management present59 several clear examples of operational risks related to reserve management:

  • a) Control system failure risks: There have been a few cases of outright fraud, money laundering, and theft of reserve assets that were made possible by weak or missing control procedures, inadequate skills, poor separation of duties, and collusion among reserve management staff members.

  • b) Financial error risk: Incorrect measurement of the net foreign currency position has exposed reserve management entities to large and unintended exchange rate risks, and led to large losses when exchange rate changes have been adverse. This has also occurred when risk has been measured only by reference to the currency composition of reserves directly under management by the reserve management unit, and has not included other foreign-currency-denominated assets and liabilities on and off the reserve management entity’s balance sheet.

  • c) Financial misstatement risk: In measuring and reporting official foreign exchange reserves, some authorities have incorrectly included funds that have been lent to domestic banks, or the foreign branches of domestic banks. Similarly, placements with a reserve management entity’s own foreign subsidiaries have also been incorrectly reported as reserve assets.

  • d) Loss of potential income: A failure to reinvest funds accumulating in clearing (nostro) accounts with foreign banks in a timely manner has given rise to the loss of significant amounts of potential revenue. This problem arises from inadequate procedures for monitoring and managing settlements and other cash flows, and for reconciling statements from counterparts with internal records.

(3) Policy Risk and FMIs

Financial Market Infrastructures (FMIs60) play an important role in a country’s financial system at large. FMIs “facilitate the clearing, settlement, and recording of monetary and other financial transactions [which] can strengthen the markets they serve and play a critical role in fostering financial stability.” Given this role, they could also “pose significant risks to the financial system and be a potential source of contagion, particularly in periods of market stress”.61 The 2012 BIS/IOSCO Principles for Financial Market Infrastructures (PFMI) were drafted precisely to help identify and mitigate risks related to this systemic nature of FMIs.

FMIs can differ hugely in organization, structure and objectives. In the case of central bank-operated FMIs there might be a strong need for a tailor-made governance approach to avoid conflicts of interests with other policy areas. On this issue the FMI principles note, regarding systems operated by central banks, that “[i]f a central bank is an operator of an FMI, as well as the overseer of private-sector FMIs, it needs to consider how to best address any possible or perceived conflicts of interest that may arise between those functions.”62

A common case of a central bank acting as an FMI is the services it provides through the Real Time Gross Settlement payment system (RTGS). In an RTGS, transfers from one bank to another take place in real time and on a gross basis. RTGSs are essential for a smooth and efficient banking system. The central bank can provide the RTGS infrastructure. The PFMI, therefore, state that governance arrangements are essential for the safety and efficiency of not just the FMI, but also the stability of the financial system as a whole.63 The BIS’ Committee on Payment and Settlement Systems is currently working on a guidance note on how to apply the PFMI specifically to central bank FMIs.

Operational risk is one of the key risks FMIs face. PFMI principle 17 expands on this and puts the key responsibility with the board of directors for defining operational risk (both roles and responsibilities, as well as endorsing the framework). It goes on to specify details on business continuity plans, policies relating to physical and information security, as well as outsourcing risks, and how monitoring should ideally take place.

The PFMI highlight the similarity with commercial risk management practices, stressing that commercial standards on information security, business continuity, and project management can be helpful for FMIs. This makes good sense, as to a large extent commercial institutions have had extensive experience in defining standards in these operational areas. As mentioned earlier, there is no reason why such standards should not be applied by central banks themselves, if the underlying processes are no different.64

Reputational Risk

Reputational risk (either direct or indirect) is a broad category that encompasses all risks, financial and nonfinancial. Reputational risk can manifest itself either directly as a direct result of some actions, or indirectly as a consequence of the financial and nonfinancial risks the central bank runs. Direct reputational risk emerges from the way a central bank conducts its own business and the degree of transparency it follows to report its actions. A truly transparent central bank would publish sustainability reports on its organization to be held responsible by society (press, non-governmental organizations, labor unions, etc.).65

Reputational risk has gained more prominence in recent years. The active “unconventional” roles played by many central banks during the global financial crisis, events relating to market manipulation (Libor), faulty impairments on nonperforming loans and even the discussion on bankers’ remuneration, all are instances that illustrate how the public might hold a central bank responsible for issues that relate (in)directly to its actions, or even for issues that do not fall within the central bank’s mandate at all.66 This largely relates to the fact that central banks, in developed, developing and transition countries alike, are almost always the institutions that are trusted the most by society.67

To summarize, the two pictures below illustrate the interrelationship of operational risk, policy risk and reputational risk, in conjunction with “regular” financial risk, though simultaneously highlighting that there is no blueprint for making a distinction between financial risks, business risks and enterprise risks.

The Bank of Canada works on the basis of the overview shown in Figure 7 below. Here, operational risks feature both in the organizational area (enterprise risks) and in the policy area (business risks). This approach makes less of a clear distinction between the formal definition of operational risks and risks that relate to policy of the central bank (as shown in Figure 6 above, from Bank Negara Malaysia). Regardless of the delineation, it is important for central banks to note: (a) that operational risks are a distinct category of risks, separate from financial risks and (b) that financial and nonfinancial/operational risks should be seen in an integrated context and linked to reputational risk.

Figure 6. Illustration of different (Non)financial Risks of Central Banks

Source: Bank Negara Malaysia.

Figure 7. Risk Categories according to the Bank of Canada

Source: Cosier (2014).

The following chapters will examine elements of risk management, with a specific focus on nonfinancial risk management, and challenges ahead.

IV. Risk Management Elements

Risk management of central banks needs to be embedded in a supportive organization. There are three necessary elements of risk management for central banks: (1) a strong risk culture, (2) a clear and well-defined risk governance and (3) proper risk tools.68 This applies for both the management of financial and nonfinancial risks, though in the following paragraphs we will examine in particular the necessity of these aspects for nonfinancial risk management. These aspects are based on best practices and standards applied to commercial banks.

However, as indicated earlier, unlike the risks themselves, the internal organization and the process of risk management do not differ significantly from those of commercial banks.69

A. Risk Culture

A strong risk culture is a conditio sine qua non for risk management policies and tools. Risk culture is a difficult concept to define. The Institute of International Finance (IIF) describes it as “the way risks are identified, understood, discussed, and acted upon in the organization.… It is, above all, about actual behavior – what you do, not just what you say.”70 This makes risk culture the basis on which risk management and its policies, tools and processes are to be built. The Financial Stability Board (FSB) describes this as follows: “A sound risk culture will provide an environment that is conducive to ensuring that emerging risks that will have material impact on an institution, and any risk-taking activities beyond the institution’s risk appetite, are recognized, escalated, and addressed in a timely manner.”71

Recent work of the IMF distinguishes between different indicators of a sound risk culture. Viñals et al. (2014) argue that structural measures would help to steer the business cultures of banks away from excessive risk taking. In the 2014 Global Financial Stability Report (GFSR)72 risk taking by banks is directly linked to the corporate (risk) culture: “At instances when incentive rules are insufficient, corporate culture will guide decisions and complement a bank’s ability to manage risk. Therefore, corporate culture provides a set of unwritten, but widely accepted, rules that determine what is acceptable behavior—which may include disregarding written rules”. The GFSR also refers to the FSB’s “culture indicators”:73 (a) integrity in behavior by a bank’s board and management, (b) accountability of a bank’s staff for their actions and their impact on risk taking, (c) communication and discussion of the decision-making process should be possible and should take place, and (d) both financial and nonfinancial incentives should be consistent with the bank’s values.

Risk culture, therefore, starts with a strong “tone at the top”. Given that risk culture relates to individual behavior, it is not unreasonable that the behavior of those at the top of the organization (including central banks) sets the standard for what is acceptable and what is not. Examples of such behavior are governors and/or other board members voicing specific support for risk management, naming best practices and basically leading by example.74 This also means that risk management would be an integral part of all board discussions – something to be facilitated by agenda setting of the Risk Management Committee (see below). The effect of a strong risk culture is an environment in which risks are recognized, escalated and addressed in a timely manner. Another reason for the required “tone at the top” is that an ideal operational risk management exercise should start top-down to not get lost in too many details at the start and have a proper prioritization of risks.75

It is difficult to measure a risk culture in quantitative terms, especially in terms of nonfinancial risk. However, qualitative research can give some indicators. Currently, only 15 out of 93 central banks and 1 out of 4 monetary unions have any specific reference to “risk management” in their central bank legislation.76 These references relate to a role the “Internal Auditor” or “Audit Committee” or the “Council77/Board” plays. In most cases the reference made is to “risk management” as a general term or “risk management procedures” in general. In some cases risk management is linked to “internal control”. In a couple of cases risk management is described as part of the accounting framework or of the financial supervision mandate: risk management of supervised entities themselves. No central bank or monetary union has a specific reference to nonfinancial or operational risk, or a specific Risk Management Department. This feeds into the differences discussed above between risk management and internal audit, and how central banks might not make this distinction as clearly as would be required from a proper governance perspective.78

Figure 8. Overview of Roles and Content that Risk Management is Associated With

Sources: CBLD, author’s sample of August 2014.

The absence of a specific reference to risk management in the most important legal texts of a central bank can be indicative of its risk culture (or the lack of it). Though not conclusive, a reference to risk management in central bank laws could indicate the level of importance the central bank (through its Board) attaches to risk management. Linking risk management to other functions within the central bank can also be indicative of how senior management of the central bank views risk management. For instance, risk management in conjunction with the role of internal audit could indicate that risk management is seen as part of internal control, whereas linking it to the role of the Council/Board could make risk management more of an explicit management tool. A survey back in 1999 found that only 15 percent of the central banks examined had an independent risk management unit, which, again, might be indicative of the slow development process that central banks have been going through in risk management.79

Tabakis (2011) lists three main characteristics of central bank risk culture that have a strong effect on how risk management is shaped within a central bank:

  • 1) Reputational consequences of materialized risks are ceteris paribus considered more important and attract much more attention from top management than financial impact;

  • 2) Central banks are generally risk averse, at least when operating under normal market conditions (which in the case of operational risk management could result in suppressing reporting on incidents and thus underestimating their potential impact – given that operational risks cannot be avoided80); and

  • 3) Central banks have been always aware that while risk management considerations must be known and accounted for when decisions are made, the importance of financial stability may transcend the standard management of financial risks.

B. Risk Governance

Risk governance deals with systemic, organizational measures that are necessary for making risk management work. It relates to the entirety of organizational and operational elements that form the context within which the activity of managing risks takes place.

The FSB has provided a recent and clear overview of relevant terminology.81 If we would apply this to central banks’ risk governance some elements applicable to commercial banks would not hold (e.g., a different set of stakeholders, corporate structure), but the majority of principles would still be valid for central banks:

  • Risk appetite framework (RAF): Comprises the overall approach, including policies, processes, controls, and systems through which risk appetite is established, communicated, and monitored. It includes a risk appetite statement, risk limits, and an outline of the roles and responsibilities of those overseeing the implementation and monitoring of the RAF. The RAF should consider material risks to the central bank, as well as to the institution’s reputation vis-à-vis the government, commercial banks and other stakeholders. The RAF aligns with the central bank’s strategy.

  • Risk appetite statement: The articulation in written form of the aggregate level and types of risk that a central bank is willing to accept, or to avoid, in order to achieve its business objectives. It includes qualitative statements as well as quantitative measures expressed relative to earnings, capital, risk measures and other relevant measures as appropriate. It should also address risks that are difficult to quantify, such as reputation and conduct risks (for instance, risk related to money laundering and unethical practices).

  • Risk capacity: The maximum level of risk the central bank can assume given its current level of resources before breaching constraints determined by statutory capital,82 the operational environment (for instance, technical infrastructure, risk management capabilities, expertise) and obligations, also from a conduct perspective, to government/shareholders, commercial banks, as well as other stakeholders and the society at large;

  • Risk appetite: The aggregate level and types of risk a central bank is willing to assume within its risk capacity to achieve its objectives and business plan.

  • Risk limits: Quantitative measures based on forward looking assumptions that allocate the central bank’s aggregate risk appetite statement (e.g. measure of loss or negative events) to business lines, legal entities as relevant,83 specific risk categories, concentrations, and as appropriate, other levels.

  • Risk profile: Point in time assessment of the central bank’s gross and, as appropriate, net risk exposures (after taking into account mitigants) aggregated within and across each relevant risk category based on forward looking assumptions84.

Example of risk governance in central banks: Risk-related decision-making at the Board level: the Risk Committee

Central bank decision-making on risk issues could be strengthened by using a committee structure at the board level. According to the OECD85 committees at the board level86 with corporate institutions have “heightened in importance with regard to effective board functioning and ensuring objective independent judgment”. This extends especially to committees dealing with audit, nomination and remuneration—all key issues since the crisis, as we have seen above.

Audit committees at board level have been around for some time, but are nowadays paired more and more with issues of risk management as well.87 Not surprisingly, the OECD notes that most audit/risk committees have requirements of full or majority independence of their members, including the chair. Central banks have often formed committees connected to their councils or boards. In cases where the central bank has a dual structure (with a supervisory board/council as well as a policy/management board), the supervisory board almost always has an Audit Committee. Additionally, supervisory boards (given their focus on oversight and organizational issues) will often have committees relating to nominations, remuneration (of board members) and the central bank budget. Central banks with a single board structure often have a separate Monetary Policy Committee,88 though as the BIS points out, this is not always specified by the central bank law. Some central banks have separate Financial Stability Committees as well. More frequently, financial stability issues are dealt with by an interagency committee outside the central bank (especially in cases when supervision on and regulation of, for example, insurance companies, pension funds and securities lie outside of the central bank).

Committees at the board level can improve central bank decision-making by adding more perspectives and providing more arguments. Advisory committees generally operate as a portal to decision-making by the actual board and/or council. Committee members “permit a wider range of perspectives to be brought to bear, which adds to legitimacy and credibility of central bank decisions”89. Actual decision-making committees are usually a reflection of the central bank’s board (with not all board members participating), relevant department directors (such as the financial stability director in case of a Financial Stability Committee) and possibly external experts (as could be the case in Monetary Policy Committees).

However, committees can also add extra layers and more bureaucracy to the decision-making process. Rules on the mandate of committees would need to be specified, as well as on their composition. Additionally, if the governor would chair a number of these committees (which is likely in the case of at least monetary policy and financial stability), this could imply a significant increase in workload. This demonstrates that risk governance measures would always need to be examined in the specific context of the central bank—and should not be a matter of copy and paste.

C. Enterprise Risk Management

Enterprise Risk Management (ERM) provides one of the ways that central banks can manage their nonfinancial risks. ERM is a widely used generic term that refers to the way companies manage their risks. Figure 9 illustrates the different steps followed in an ERM process: from risk identification, to assessment/measurement, to prioritization/management, to monitoring/reporting and finally back to identification on the basis of that ongoing monitoring.

Figure 9. General Overview of the Risk Management Process

Source: author

There are different ERM frameworks – all of which cover the aspects listed in Figure 9. One of the more popular ones in the financial sector is the COSO model; the more recent and widely accepted one is ISO 31000. No specific preference for either of these models can be made.

COSO stands for the Committee of Sponsoring Organizations of the Treadway Commission, and was set up in 1985 by 5 American private sector organizations.90 The Treadway Commission itself was an initiative by the American private sector to “inspect, analyze, and make recommendations on fraudulent corporate financial reporting” in the US. COSO published its report “Internal Control – Integrated Framework” in 1992, with a common definition of, and a framework for “internal control”. In 2004 COSO published its “Enterprise Risk Management-Integrated Framework”91. Work on the framework started in 2001: “The period of the framework’s development was marked by a series of high-profile business scandals and failures92 where investors, company personnel, and other stakeholders suffered tremendous loss”.

Figure 10 gives a specific example, that of the integrated risk management process of the Bank of Canada.

Figure 10. Example: Bank of Canada Integrated Risk Management Process

Source: Cosier (2014), p.287.

COSO identifies four objectives, eight ERM components, and four levels within the organization. These components all influence one and other and an organization would need to deal with every one of them, at different levels (and thus proportionately) throughout the organization in order to come to a successful form of risk management—and achieve its objectives:

Table 1.

COSO ERM Objectives, Components, and Levels

Source: COSO (2004).

ISO 31000 is the recent and widely accepted standard. It was published in 2009, just after the start of the financial crisis, and—as with all ISO standards—is internationally accepted. Unlike the COSO framework, it is therefore not specifically focused on specific domestic issues (with COSO emerging after the mentioned US reporting scandals). The US focus of COSO does not diminish its value, clearly, as it is still the overarching ERM model for companies listed (or wanting to be listed) in the United States.93 In addition to the ISO 31000 standard, the ISO guide 73: Risk Management is of importance for clarifying key concepts used in the ISO ERM framework.

ERM can help central banks approach their nonfinancial risk management in a structured manner. It offers a clear methodology that can be applied even for central banks, regardless of their mandate and internal structure. Its added benefit is that ERM provides a risk language that is recognized worldwide and might help central banks interact with other peers in order to develop specific central bank best practices.

D. Risk Tools and Methodology

The development of practical tools is needed to ensure day-to-day insights into relevant risks and reporting to key decision-makers. Especially in the area of operational risk management a large number of tools have been developed in order to help organizations in practice. The common and important ones are listed below based on the BCBS Sound Practices for Operational Risk Management,94 applied specifically in the area of central banking:

  • Internal loss data collection and analysis: When operational losses occur, they should be reported and accounted for, and monitored at the aggregate level. In addition, root cause analysis should be performed by the first line of defense, and a resulting action plan should be created to address the control deficiencies and breakdowns. This reporting process should be in place for actual losses, but also for potential losses and near misses.

  • External loss data collection and analysis: Whether it is identifying general central bank events that could have an impact internally or understanding whether a specific central bank has similar weaknesses, analysis of operational losses that occurred at other banks is also a great tool to use. An example (see Appendix 1) is that of the Federal Reserve’s examination of potential regulatory capture at the New York Fed.

  • Audit findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors.

  • Risk & control assessments: In a risk assessment, often referred to as a Risk Self Assessment (RSA), a central bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, Risk Control Self Assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment.

  • Business Process Mapping: Business process mappings identify the key steps in business processes, activities and organizational functions. They also identify the key risk points in the overall business process. Process maps can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. They also can help prioritize subsequent management action.

  • Risk and Performance Indicators: Risk and performance indicators are risk metrics and/or statistics that provide insight into a bank’s risk exposure. Risk indicators, often referred to as Key Risk Indicators (KRIs), are used to monitor the main drivers of exposure associated with key risks. Performance indicators, often referred to as Key Performance Indicators (KPIs), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans.

  • Scenario Analysis: Scenario analysis is a process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance framework is essential to ensure the integrity and consistency of the process.

  • Measurement: It could be useful to quantify exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure (see further).

  • Comparative Analysis: Comparative analysis consists of comparing the results of the various assessment tools to provide a more comprehensive view of the central bank’s operational risk profile. For example, comparison of the frequency and severity of internal data with RCSAs can help the bank determine whether self assessment processes are functioning effectively. Scenario data can be compared to internal and external data to gain a better understanding of the severity of the central bank’s exposure to potential risk events.

For central banks it is crucial to apply these tools to their own organization. One way of doing so is, for instance, by means of the ECB’s financial buffer exercise (FBE)—though this is limited to financial risks only. This is a yearly exercise held by the ECB and the 18 Eurozone central banks to test “stress scenarios” and their effects on the balance sheets of the participating central banks. At this point, operational risks are not included in the framework, but it might be helpful to examine the possibilities to do so; the approach seems to be equally applicable to operational risks and might help to further quantify the effects on central bank finances. Currently, it has two main objectives:

  • 1) Identify the risk profile of the central bank’s balance sheet, and subsequently;

  • 2) Assess whether or not the financial buffers / capital of the central bank are sufficient.

Its target is to specifically measure the impact of those scenarios on the balance sheet; not so much to facilitate strategic asset allocation. The FBE uses about 20 stress scenarios (some with gloomy names such as “the perfect storm”), which relate, amongst others, to exposures on (corporate) bonds, equity, gold, currency risk.

Example: the ECB has developed its own taxonomy/categorization of operational risks, in order to get a more tailor-made risk management approach: “the three objectives of this taxonomy are to provide a clear and common language for all risk, control and security stakeholders of the ECB, to support the quality of risk analysis via robust, mutually exclusive and commonly exhaustive categorizations, and to allow for consistency in risk reporting”.95

Figure 11.

Example. ECB Taxonomy of Operational Risk

Source: Sevet (2009), p.470.

V. Conclusions/Challenges Ahead

Effective governance is of utmost importance for independent central banks trying to achieve their goals. This applies to central banks focusing solely on price stability, and to those that have additional mandates relating to, for instance, financial stability.

The key pillars of central bank governance relate to mandates, independence, accountability and transparency, and internal governance. Of these, the issues of independence (political, operational and financial) and accountability/transparency have long been dealt with by economists trying to safeguard against undue political influences on monetary decision making. The matter of central bank mandates has received increasing attention since the crisis, as central banks struggled with short-term solvency and liquidity issues of commercial banks.

But it is nonfinancial risk management of central banks that has received the least attention. Functions such as internal audit and compliance, the structure of the board and its decision-making processes have been well-charted in central banks. Yet issues relating to nonfinancial risk management have been largely overlooked by central bank policy makers, even though nonfinancial risks carry potentially large adverse effects for central banks.

It is important for central banks to understand the value of incorporating nonfinancial risk management into their strategic planning and governance framework. One way of doing so is by integrating financial and nonfinancial risk management within the organization. Another way is by quantifying nonfinancial risks as much as possible. Additionally, central banks could examine the applicability of tools and frameworks that have been developed outside the realm of central banking, but relate to the nonfinancial risks that central banks run. One key challenge is to take into account, in the risk management framework, central banks’ public sector nature and their objectives to provide public services under a legal monopoly.

For the international financial institutions, nonfinancial risk management should be integrated into a comprehensive framework of risk management of central banks. The International Monetary Fund in particular could examine how to further integrate issues of internal governance of central banks, and in particular nonfinancial risk management, in its surveillance, safeguards, and advisory work, or even add these to their existing Codes and Practices. Central banks with extensive experience in this area (such as the Bank Negara Malaysia, the Bank of Canada, or the ECB) or in the process of further transforming their risk management (such as the Federal Reserve New York, the CBJ) should be enticed to share their experiences with other central banks that are willing to learn from them, for instance in the context of the IORWG, the BIS central bank governance forum or IMF/WB technical assistance programs.

References

  • Apps, P., “The role and importance of internal audit,” in Sullivan, K., M. Horáková (eds.), Financial Independence and Accountability for Central Banks, 2014 (London: Central Banking Publications).

  • Bayoumi, T., G. Dell’Ariccia, K. Habermeier, and others, “Monetary Policy in the New Normal,” IMF Staff Discussion Note No. 14/3, 2014.

  • BCBS, 2006, Joint Forum High-level Principles for Business Continuity.

  • BCBS, 2010, Principles for Enhancing Corporate Governance.

  • BCBS, 2011, Principles for the Sound Management of Operational Risk.

  • BCBS, 2012, Principles for the Internal Audit Function in Banks.

  • BIS, 2009, Issues in the Governance of Central Banks – A Report from the Central Bank Governance Group (Basel: Bank for International Settlements).

  • BIS, 2013, “Central bank finances,” BIS paper no. 71.

  • BIS, International Organization of Securities Commissions, 2012, Principles for financial markets infrastructures (Basel: Bank for International Settlements).

  • Camilleri, M-T., T. Lybek, K. Sullivan, 2007, “Audit Committees in Central Banks,” IMF Working Paper no. 07/73.

  • Committee of Sponsoring Organizations of the Treadway Commission, 2004, Enterprise Risk Management – Integrated Framework (Committee of Sponsoring Organizations of the Treadway Commission).

  • Cosier, J., 2014, “Managing and reporting operational risk,” in Sullivan, K., M. Horáková (eds.), Financial Independence and Accountability for Central Banks, 2014 (London: Central Banking Publications).

  • Cukierman, A., S.B. Webb, B. Neyapti, 1992, “Measuring the independence of central banks and its effect on policy outcomes,” World Bank Economic Review, Vol. 6, no. 3 (September 1992) (in: Eijffinger, S., D. Masciandaro (eds.), 2014, Modern Monetary Policy and Central Bank Governance (London: Edward Elgar Publishing)).

  • Deloitte, 2011, Combined assurance: taking corporations to the next level of maturity (Johannesburg: Deloitte).

  • Deloitte, 2011, Key Challenges Facing Central Banks: Adapting to a New Era (London: Deloitte).

  • Eijffinger, S., D. Masciandaro, (eds.), 2014, Modern Monetary Policy and Central Bank Governance (London: Edward Elgar Publishing).

  • FATF, 2012, International Standards On Combating Money Laundering And The Financing Of Terrorism and Proliferation - The FATF Recommendations (Paris: FATF).

  • Foster, J., “Central bank risk management and international standards,” in Pringle, R., N. Carver (eds.), 2003, New Horizons in Central Bank Risk Management (London: Central Banking Publications).

  • FRC, 2011, Guidance on Board Effectiveness.

  • FSB, 2013, Principles for An Effective Risk Appetite Framework.

  • FSB, 2014, Guidance on Supervisory Interaction with Financial Institutions on Risk Culture - A Framework for Assessing Risk Culture.

  • Grilli, V., D. Masciandaro, G. Tabellini, and others, 1991, “Political and monetary institutions and public financial policies in the industrial countries,” in Eijffinger, S., D. Masciandaro, (eds.), 2014, Modern Monetary Policy and Central Bank Governance (London: Edward Elgar Publishing).

  • Groothuis, M., A. Wijngaards, A. Khan, “Board Evaluations,” in: Kellermann, J.A., J. de Haan, F. de Vries (eds.), 2013, Financial Supervision in the 21st Century (Berlin: Springer Verlag).

  • Haan, J. de, S.C.W. Eijffinger, K. Rybiński, 2007, “Central bank transparency and central bank communication: Editorial introduction,” European Journal of Political Economy, Volume 23, Issue 1.

  • IAIS, OECD, 2009, Issues Paper on Corporate Governance.

  • IIA, 2004, International Standards for the Professional Practice of Internal Auditing.

  • IIF, 2012, Governance for Strengthened Risk Management.

  • IMF, 1999, Good Practices on Transparency in Monetary and Financial Policies.

  • IMF, 2013, Guidelines on FX Reserve Management.

  • IMF, 2014, Global Financial Stability Report: Risk Taking, Liquidity, and Shadow Banking: Curbing Excess While Promoting Growth.

  • IMF, World Bank, 2004, Financial Intelligence Units: An Overview.

  • Kearns, A., “The organisation of risk management in central banks,” in Sullivan, K., M. Horáková (eds.), Financial Independence and Accountability for Central Banks, 2014 (London: Central Banking Publications).

  • Lybek, T., 2004a, “Central Bank Autonomy, Accountability, and Governance: Conceptual Framework,” IMF Legal Department Seminar August 2004.

  • Lybek, T., J. Morris, 2004b, “Central Bank Governance: A Survey of Boards and Management,” IMF Working Paper No. 04/226.

  • Nicholl, P., “Central bank board and risk management: Form, function and facilitation,” in Sullivan, K., M. Horáková (eds.), Financial Independence and Accountability for Central Banks, 2014 (London: Central Banking Publications).

  • OECD, 2004, Principles of Corporate Governance.

  • OECD, 2014, Corporate Governance Factbook.

  • Rajan, R., 2008, “The Future of the IMF and the World Bank,” American Economic Review,

  • Schwarz, C. and others, 2014, “Why Accounting Matters – A Central Bank Perspective,” ECB Occasional Paper Series No. 153.

  • Scott, C., 1996, “Internal Audit in a Central Bank,” Handbooks in Central Banking 4 (London: Bank of England).

  • Sevet, J.-C., 2011, “Operational risk management in central banks,” in Risk Management for Central Banks and Other Public Investors, 2011, Bindseil, U., F. Gonzalez, E. Tabakis (eds.) (Cambridge: Cambridge University Press).

  • Sullivan, K., M. Horáková (eds.), Financial Independence and Accountability for Central Banks, 2014 (London: Central Banking Publications).

  • Sunstein, C., 2014, “The Ethics of Nudging” (SSRN).

  • Tabakis, E., 2011, “Organizational issues in the risk management function of central banks,” in Risk Management for Central Banks and Other Public Investors, 2011, Bindseil, U., F. Gonzalez, E. Tabakis (eds.) (Cambridge: Cambridge University Press).

  • Viñals, J., C. Pazarbasioglu, J. Surti, and others, 2013, “Creating a Safer Financial System: Will the Volcker, Vickers, and Liikanen Structural Measures Help?,” IMF Staff Discussion Note No. 13/4, 2013.

  • World Bank, 2014, World Development Report 2014: Risk and Opportunity – Managing Risk for Development.

  • World Bank, 2015, World Development Report 2015: Mind, Society, and Behavior.

  • Wytenburg, R., “Managing and reporting financial risk,” in Sullivan, K., M. Horáková (eds.), Financial Independence and Accountability for Central Banks, 2014 (London: Central Banking Publications).


Appendix I. Examples of Good Practices in Central Bank Risk Management

The following examples give illustrative insights into what a number of central banks consider as their own good practices in different areas of risk management. These are not meant to be indicative of general best practices.

(1) NY Fed’s Operational Risk Management

The New York Federal Reserve sees operational risk as one of its predominant risks. It has been developing an operational risk framework since 2005 and has undertaken the following actions:96

  • In 2009/2010 it hired an external firm to build risk management expertise. It subsequently established the role of a Chief Risk Officer (CRO), as well as a Risk Oversight Committee, which incorporated 5 previously separate committees.

  • Currently (2013-2014) it established a Risk Group under the CRO with responsibility for both operational and financial risk. It is also transforming the Risk Oversight Committee to be the Bank’s overall risk subcommittee (including both financial and operational risks). The main challenge is to align the ‘languages’ but also the involved staff and their expertise.

  • The operational risk function strives to demonstrate and quantify the link between operational risk and the NY Fed’s credit risk in order to bridge the gap.

  • Involvement of Internal Audit and the Board’s Audit and Risk Committee (“tone at the top”) is crucial for making an integrated view of risk management work.

  • Additionally, a culture of “reporting mistakes” needs to be continuously fostered. It’s not in people’s nature to speak out on mistakes. The NY Fed uses the role of ‘risk champions’, especially at the management level, to stimulate behavior throughout the organization.

  • A Risk Advisory Council was established, which is an informal council consisting of participants from all the NY Fed’s departments (“groups”) and which gives both information and discussion input to the risk managers. This creates buy in for risk management, as the ‘business’ departments are responsible for their own risks and the actions/strategy to mitigate those.

  • The NY Fed currently does not do any “stress testing” with oprisk scenarios (running adverse scenarios and analyzing the potential effects on its balance sheet), but its Business Continuity Department is examining the possibilities.

  • The newly developed Strategic Planning Office should ensure alignment between operational risk assessments and strategic choices by the NY Fed’s Board of Directors.

(2) The Central Bank of the Netherlands’ (De Nederlandsche Bank, DNB) Information Security Policy

Given the sensitive nature of a central bank’s activities, information security is a key area. The DNB strengthened its governance and coordination of information security in 2013, thus trying to mitigate the related operational risks:

  • It developed a governance model with three layers: (1) Information Security Expert Team (operational level—IS experts), (2) Information Security Coordination Group (tactical level—middle management), and (3) Governance Board Information Management (on strategic level – top management).

  • The goal of the governance model was to promote consistency in the protection of the DNB’s three “information security gates”.97

  • Additionally, DNB installed within its Operational Risk Management Unit a dedicated Information Security Function (“CISO”) and an Information Security Risk Manager for centralized coordination of information security topics. Both these functions work in close cooperation with regular business management, support functions and internal audit.

  • This strategy has had the following concrete results:

    • At the beginning of 2014 centralized quarterly reporting about information risks had been taken up, leading to information on: security incidents, information risks, information security projects, and information security successes across the bank.

    • At the end of the second quarter of 2014 DNB started multiple investigations (i.e., using its own supervision model for measuring maturity levels, but also measuring behavior) into how well information security was embedded within DNB’s organization.

    • At the end of the second quarter of 2014 DNB also started its renewed and permanent Information Security Awareness Campaign. Tailored information provided employees with practical ‘do’s and don’ts’. It also led to management becoming even more involved.

    • All in all, by the end of 2014 information security topics were addressed at all levels within DNB, leading to a consistent approach to the protection of the “gates”.

(3) Bank Al-Maghrib’s (BAM) Risk Management Approach

BAM, the Central Bank of Morocco, implemented its operational risk management framework back in 2004. Its focus was to root a risk culture within day-to-day management, and to increase the efficiency of internal control. Its key elements are:

  • A decentralized risk organization based on a network of risk managers in each business unit, directly reporting to the unit’s head. Their main role is to help the business unit (as “risk owner”) to identify, assess, and mitigate risks linked to the specific activities.

  • A bank-wide consolidated risk map is completed by the RMD Management based on each business unit’s risk map, identifying top risks, the bank’s global risk appetite and tolerance, as well as risk mitigating actions that are reviewed and adopted by the governor/board.

  • The risk map serves as an input for the BAM’s strategic and budgeting planning, and for internal audit as part of its yearly audit planning (e.g., auditors review the specific risk maps on how risks have been identified and assessed, but also examine the coherence with mitigation measures). Audit findings feed into the new updates of the units’ risk maps.

  • The Risk Framework is based on a bottom-up approach, whereby risks were identified by business operators, combined with a top-down approach involving the Bank’s top managers (matching risks from the operational level with bank-wide risks).

  • Additionally, a specific Project Risk Approach was developed, because of the large number of projects at the BAM. This approach is mandatorily rolled out for each strategic project (10 to 12 per 3 years’ strategic cycle; projects are designated strategic upon decision by the governor) to make sure that projects meet requirements in terms of delay, budget and service quality. Consolidated and common project risks are reviewed on an annual basis, as part of the bank’s global risk map.

  • For more efficiency, the bank is now contemplating completing a global and integrated risk approach, starting with global consolidated reporting, including strategic, operational, project and financial risks. BAM’s three year strategic plans usually contain 10 to 15 strategic objectives.

(4) Central Bank of Jordan’s (CBJ) Risk Management Department

The CBJ has recently (since 2014) kick-started its work on developing an operational risk management framework. It has set up an RMD that integrates risk management into the CBJ’s goals and strategy. The CBJ undertook the following main steps:

  • Risk governance: as the most crucial governance step, a permanent Risk Management Committee chaired by the Governor was set up. Subsequently, attention was devoted to examining to what extent the three lines of defense were implemented throughout the organization. This entailed working together with vested interests throughout the organization, by means of assigning “risk champions” in business departments and having them share their experiences with other departments.

  • Risk Appetite: here, the CBJ developed a risk appetite based on a bottom-up approach (input from the operational levels), rather than just a top-down (board) approach. This enabled the board to get a better understanding of the specific risks of the CBJ, and decide on the risk appetite accordingly. Keen interest by the CBJ’s Board members on what was really happening within the organization formed the driver for this approach.

  • Risk culture:

    • A loss data collection methodology was designed on the basis of “If you see it, you must ensure someone reports it”, thus creating risk responsibility for all CBJ staff and management.

    • A mandatory Training Framework has been set up to include innovative methods (including case workshops, quizzes before accessing the password portal, screensavers) for gaining and proving competencies in risk management, increasing both understanding and a certain amount of autonomy throughout the CBJ’s departments on how to deal with risk management, both at the departmental and centralized level.

  • Business Continuity Plan: additionally, the CBJ identified business continuity as a key part of its risk management. Its three pillars are (a) a Business Impact Analysis (determining critical business departments, operating systems and processes), (b) working with scenario-analysis, as well as (c) empowering business departments to develop their own partial BCPs.

  • Strategy and Policy Risk: the CBJ has also considered strategy and policy risks as important components of its ERM risk management framework, and has started work on developing a methodology to facilitate the building of a registry of strategic and policy risks.

Appendix II. Examples of Some Recent Operational Risk Related Central Bank Cases

The cases listed below have been taken from public news sources. The content has not been changed, other than slightly abbreviating some of the articles and deleting the names of the people listed. The cases are intended to demonstrate how easily operational risk related events can find their way into mainstream news and thus pose additional reputational risks as well. The listing of these cases in no way constitutes a claim on the validity of the statements made in or by those articles and/or news sources.

The author is grateful for comments from Kenneth Sullivan, Tonny Lybek, Elie Chamoun, Atilla Arda, Mario Tamez, Chady El Khoury, Antonio Pancorbo, Mikari Kashima, Aman Trana, Carel van den Berg, Marco Engel, Leonie Hulst, Robert-Jan van Leijden, Debra Gruber, Mohammed Amrani, Sahar Qaqeesh. Research assistance was provided by Karen Lee. All remaining errors are my own.

1

See, e.g., Eijffinger (2014), Lybek (2004a, 2004b), and references therein.

3

See, e.g., Bayoumi (2014), Eijffinger (2014).

9

See also, e.g., Grilli (1991), p.368.

10

See, e.g., Eijffinger (2014), p. xii: “the ability to implement the noninflationary monetary policy without any external (political) short-sighted interference”.

13

See, e.g., FSB (2009), World Bank (2014).

15

“Board” in the context of this paper refers to a “policy board” or “executive board”, that is a board that is involved in policy setting of the central bank (this includes monetary policy committees), as opposed to a “fiduciary board” which is predominantly involved in oversight. The latter will be referred to in this paper as “council” or “supervisory council”. This is the terminology used by the majority of central banks, with the notable exception of the Bank of Canada (which uses “Council” for its policy board and “Board” for its fiduciary board). See, e.g., Nicholls (2014), p.101.

17

Cukierman (1992), p.361-363.

18

See, e.g., Groothuis (2013).

19

BIS (2009), p.73.

21

In an unprecedented move of transparency, the Bank of England in 2012 published an advert in The Economist (September 14, 2012) for the position of its governor. The advert included references to requirements such as “strong communicator, have good interpersonal skills and will be a person of undisputed integrity and standing”.

22

Other than, e.g., behavioral economists. See, e.g., Sunstein (2014), p.3, on using choice architecture to promote economic growth. See the discussion under section C (Control Functions) and the reference to the IMF’s Global Financial Stability Report and its call for attention for “risk culture”.

23

BIS (2009), p.90.

28

This is in line with IFRS 7, see e.g. Wytenburg (2014), p.253 for a further breakdown.

30

See, e.g., Kearns (2014), p.87, Nicholls (2014), p.105.

31

See, e.g., Sevet (2009), p. 483: “Overall, in most central banks, a key challenge is still to organize the convergence of all disciplines related to operational risks and control (including business continuity, physical security, information, confidentiality etc.) and allow for an integrated management of the related risk portfolio.” and Wytenburg (2014), p.262-263.

32

Tabakis (2009), p.443, 445.

33

ISO guide 73:2009 (Risk management - Vocabulary).

34

“Risk Management in Central Banking”, lecture at the Free University of Amsterdam, June 15, 2011.

36

BIS (2009), p.151.

37

Sevet (2009), p.463.

38

Sevet (2009), p.472 gives the following example: “In order to encourage business areas to fully disclose incidents or near-losses, candidly discuss emerging threats and define relevant measures, internal auditors do not participate in self-assessments workshops, nor are they associated in their actual implementation or in the preparation of risk reports.”

40

See, e.g., Deloitte (2011).

41

See also Deloitte (2011); Tabakis (2009), p.457.

42

In Sevet (2009), p.465.

43

In which case everything that happens in “normal” companies, also happens in central banks: cases of sexual misconduct, wrongful termination of contracts (and everything else that can go wrong in “hirings and firings”), skewed public procurements.

45

See Sevet (2009), p.461.

46

BIS (2009), p.155.

47

See, e.g., Tabakis (2009), p.456.

48

FATF (2012), Recommendation 29. See also IMF (2004), p.ix.

49

IMF (2004), p.10.

50

See, e.g., “Justice Dept. Seeks More Than $10 Billion Penalty From BNP Paribas”, Wall Street Journal, May 30, 2014. BNP Paribas ended up paying a fine of 8.9 billion USD to the US Department of Justice.

51

See, e.g., “How Credit Suisse Helped Americans Avoid Taxes and Iran Dodge U.S. Sanctions”, Newsweek, February 2, 2014. The bank had to pay 2.6 billion USD.

52

See, e.g., “HSBC to pay $1.9 billion U.S. fine in money-laundering case”, Reuters, December 11, 2012.

53

In a number of countries the FIU might be either placed inside or outside the central bank, but the central bank itself conducts AML/CFT monitoring. See IMF (2004), p.71 for different options and examples.

54

See IMF (2004), p.24.

56

See IMF (2013), Article 50: “Reserve management strategies should be consistent with and supportive of a country’s or union’s specific policy environment, in particular its monetary and exchange arrangements”.

57

IMF (2013), Article 8.

58

IMF (2013), Section C, articles 24-33.

60

Which includes payments systems, Central Securities Depositories (CSDs), Securities Settlement Systems (SSSs), Central Counterparties (CCPs), and Trade Repositories (TR).

63

See BIS (2012), p.32 (Principle 2: Governance).

64

See, e.g., BIS (2012), p.96.

65

This practice is common amongst commercial financial institutions; among central banks, however, only the Central Bank of the Netherlands (DNB) applies the internationally accepted Global Reporting Initiative (GRI) reporting standards on sustainability. See www.globalreporting.org.

66

Sevet (2009), p.474: “As demonstrated in a few much-publicized cases of reputational risk in recent years, perceptions by public opinion tend to prevail over facts – and these perceptions tend to put more emphasis on commonsense and ethical values than on applicable laws and regulations.”

67

See, e.g., Nicholls (2014), p.105 for some examples.

68

Some authors have made other distinctions. See, for instance, Tabakis (2009), who describes the 6 principles of risk management in central banks: (1) independence of the RM function, (2) separation of policy area from investment, (3) transparency and accountability, (4) adequate resources, (5) clear RM responsibilities, and (6) a RM culture.

69

Similarly, Tabakis (2009), p.449: “the recent trend of diversification of investments in central banks in particular in the case of accumulation of significant foreign reserves may indicate that [the] traditional central bank environment of low risk appetite [vis-a-vis commercial banks] is changing”. Another concrete example is that of the South-African Reserve Bank, which tries to apply the governance principles of the South-African King III report (which was written for / on the country’s commercial banking sector) to the reserve bank itself, where appropriate.

See also BIS (2013), p.8: “there is a growing emulation of commercial banking’s risk management and asset and liability management frameworks”.

72

IMF (2014), p.114.

74

Kearns (2014), p.109-110, gives the example from his time as Governor of the Central Bank of Bosnia and Herzegovina, where he “suspended the manager of the bank’s foreign reserves investment section because he breached one of the bank’s investment guidelines.… No further breaches… occurred.… The message that risk management guidelines are obligatory, not optional, was clearly seen”. Another example is that of the Central Bank of Jordan, where the Governor and both the Deputy Governors not only voice their support for proper risk management, but are also seen by staff as having this as one of their key priorities.

75

See, e.g., Sevet (2009), p.476 on the ECB ORM exercise: “the top-down exercise is conducted at the level of the eight core macro-processes (e.g. monetary policy, market operations etc.) of the bank, of its six enabling functions (e.g. communication, IS etc.) as well as for very large projects. The top-down exercise covers all the plausible risk scenarios.”

76

Based on a sample from the IMF Central Bank Legislation Database (CBLD), August 2014.

77

See earlier footnote 17 on the distinction between board and (supervisory) council.

78

The IMF has been trying to facilitate discussion on the different contributions of both risk management and internal audit for central banks. A clear example is its recent “Central Bank Governance Forum: Audit Oversight & Assurance Mechanisms”, which was held in Dubai (December 2014) and was organized by the IMF’s Safeguards Department and the Hawkamah corporate governance institute.

79

See Foster (2004), p.76 referring to Frowen, S.F., R. Pringle, B. Weller (ed.), 1999, Risk Management for Central Bankers (London: Central Banking Publications).

80

In this sense, the approach of dealing with risks by either (a) avoiding, (b) mitigating, (c) exploiting, or (d) ignoring them leaves very little wiggle room for risk-averse central banks that would prefer not to see any operational risks at all.

82

Statutory capital of a central bank is its authorized capital plus general reserves.

83

E.g., in the case of entities owned by the central bank. An example that is not uncommon amongst many central banks is that of the National Bank of Ukraine (NBU). The NBU owns, for instance, the Ukrainian paper mill responsible for printing the hryvnia and the Lviv University of Banking (www.ubs.gov.ua).

84

Clearly, the non-standard monetary operations (be it in the form of quantitative easing or other unconventional monetary policies) that many central banks started effectuating after the GFC have had large effects on the balance sheets of central banks, “changing their risk profiles substantially” (Schwarz (2014), p.7).

86

See earlier reference to the distinction between unitary boards and dualistic board structures with a separate policy/management board and a supervisory board or council.

87

See, e.g., BIS (2009).

88

For clarity’s sake, it needs to be pointed out that this would be a decision-making committee, rather than an advisory committee.

90

IMA (Institute of Management Accountants), AAA (American Accounting Association), AICPA (American Institute of Certified Public Accountants), IIA (Institute of Internal Auditors) and FEI (Financial Executives International), see www.coso.org.

91

COSO (2004).

92

I.a., Enron, WorldCom, Tyco International [AK].

93

See, for a brief comparison, e.g., A structured approach to Enterprise Risk Management (ERM) and the requirements of ISO 31000, 2010, report by the UK organizations AIRMIC, Alarm, and IRM. Similarly, the Institute of Internal Auditors (IIA) indicates that it does not endorse any specific ERM model, even though it has drafted a practice guide for internal auditors using ISO 31000 (see, IIA IPPF – Practice Guide, Assessing the Adequacy of Risk Management Using ISO 31000, 2010).

95

See Sevet (2009), p.470-471.

97

The three information security gates relate to the three different ways outsiders could try to break through DNB’s security: (1) through an employee (the social gate), (2) by breaking into the ICT systems (the technical gate), and/or (3) by gaining unauthorized access to an area of DNB (the physical gate). Each gate has its own specific security measures and therefore its own specific weaknesses. A consistent approach to the protection of the gates is therefore of great importance.

Central Bank Governance and the Role of Nonfinancial Risk Management
Author: Mr. Ashraf Khan