Operational Risk Management Structure


In June 2006, the Brazilian Monetary Council (CMN), through the Central Bank of Brazil, issued Resolution 3,380, which sets forth the definition of the policy of the operational risk management structure in financial institutions and its implementation.

Operational risk was defined as the possibility of losses resulting from failure, deficiency or inadequacy of internal processes, persons and systems, or from external events. The definition includes the legal risk associated with inadequacy or deficiency in agreements executed by the institution, as well as with sanctions due to non-compliance with legal provisions and with third-party damages arising from activities carried out by the institution.

Operational risk events include, among others:

  • internal frauds;
  • external frauds;
  • labor lawsuits and inadequate workplace safety;
  • unsuitable practices related to clients, products and services;
  • damage to own physical assets or assets in use by the institution;
  • events causing the interruption of the institution’s operations;
  • failure in information technology systems;
  • failure in the implementation and management of the institution’s operations and in meeting related deadlines.

Banrisul’s Institutional Policy for Management of Operational Risks has been in effect since 2008 and was reviewed by the Board of Executive Officers on November 4, 2013, and the Board of Administration on November 5, 2013. The purpose of this policy is to provide Banrisul with parameters, guidelines, principles, models and methods for the identification, assessment, monitoring, control and mitigation of operational risks, and to disclose internally and externally the levels of Banrisul’s exposure to operational risk. It thus aims to maintain confidence at all levels of the business, with a reduction in exposure to risks and losses. Seeking to involve all Banrisul Group employees, the policy provides for shared participation in the control of operational risk: all of Banrisul’s employees, interns and outsourced service providers are responsible for adopting behavioral measures that avoid exposure to risks within the limits of their assignments. The document also assigns responsibilities to managers, internal controls agents and committees, among others.

Initially, the Controllership was defined as the area responsible for coordinating the operational risk management process. In August 2010, the Corporate Risk Management Unit was created and, within it, the Operational Risk Management area, which was given the responsibility for operational risk previously attributed to the Controllership. The Chief Risk Officer, Mr. Luiz Carlos Morlin, is in charge of operational risk for the Banrisul conglomerate.

The chart below shows the operational risk management structure:


The methodology employed by Banrisul to perform qualitative analysis comprises the decentralized evaluation, from the standpoint of the managers of the Bank’s processes, of the efficiency of controls and the potential of risks, enabling the detection of undesirable exposures and the implementation of remedial measures. This methodology entails the identification, assessment, monitoring, control and mitigation of operational risks, as all critical processes have their risks identified, assessed, treated and monitored.

The methodology adopted for management involves carrying out periodic cycles, at least annually, of operational risk analysis in the Bank’s units and conglomerate companies.

With regard to quantitative analysis, Banrisul’s Internal Operational Risk Database aims to provide information on loss events that have occurred and on near misses, in order to increase effectiveness in the management of the company’s operational risks and to comply with relevant norms.

Identification of risks

The identification of operational risks within the institution is carried out through activities and techniques that enable the verification of the possibility of operational risk events and their consequences in the Institution’s processes, activities, operations, products, services, systems and channels, considering the key controls in place to minimize the risks.

The end result of the risk identification process is the construction of a matrix of operational risks, which delimits the scope of work and contains information about each risk.

Risk Assessment

The risk assessment of the Institution’s processes, activities, operations, products, services, systems and channels is conducted with their managers and, through activities and techniques, evaluates the impact and frequency of identified risks, considering the existing controls. Based on the outcome, managers are asked for their risk responses, with possible solutions for treatment. The risk responses are sent for deliberation by the committees of Corporate Risk and Banking Management, the Board of Executives and the Board of Administration, and their implementation is monitored by the compliance area of the Controllership.

Control and Mitigation

The control and mitigation of operational risks are carried out through actions and strategies to keep the operational risk exposure of the Bank at appropriate levels.

At this stage, the identified and evaluated operational risks are treated, considering the financial exposure and other impacts (regulatory, image, etc.). The manager must opt for only one of the treatment alternatives: accept, reduce, transfer or avoid.

Treatment options for operational risk are formalized in Risk Response Forms, which may contain one or more actions and mitigate one or more risks. The actions are proposals sufficient to mitigate the operational risks identified, with deadlines, cost-benefit, persons responsible, etc.

The control and mitigation phase results in the formal establishment of strategies and responses to the operational risks identified in the risk matrix. These strategies and responses are aimed at keeping the operational risk exposure of the Bank at an appropriate level, and are reported to management for review and deliberation.


Risk monitoring consists of activities that track the evolution of exposure to operational risks and of the mitigation actions implemented by the Bank over time.

Risk monitoring is accomplished through the following actions, among others:

  • monitoring of operational losses through the Internal Operational Risk Database;
  • monitoring of compliance with the proposed action plans and effectiveness of mitigation actions implemented;
  • periodic reporting of information on operational risk;
  • periodic calculations of KRIs (Key Risk Indicators).


Banrisul adopts the Basic Indicator Approach (BIA), with the objective of determining the portion of the risk-weighted assets regarding operational risk in the standardized approach (RWAopad), as established by Circular No. 3,640, of March 03, 2013, and Circular No. 3,675, of October 31, 2013, published by the Central Bank of Brazil.

The BIA methodology sets forth that the capital to be allocated for operating risks must be calculated semiannually, taking into account the last three annual periods. The Operating Risk Exposure Indicator (IE) corresponds, for each annual period, to the sum of the biannual amounts of income from financial intermediation and income from services rendered, less financial intermediation expenses. A factor of capital allocation (β) of 15% is applied to this calculation.