• OM Operational Risk Management

    • OM-A Introduction

      • OM-A.1 Purpose and Scope

        • OM-A.1.1

          The purpose of this module is to provide rules and guidance to banks operating in Bahrain on establishing parameters and control procedures to monitor and mitigate operational risks.

        • OM-A.1.2

          This module provides support for certain other parts of the Rulebook, mainly:

          (a) Principles of Business; and
          (b) High Level Controls.

        • OM-A.1.3

          The contents of this Module apply to all banks, except where noted in individual chapters.

      • OM-A.2 Key requirements

        • General procedures

          • OM-A.2.1

            Banks' management must establish written policies and procedures to manage the risks arising out of banks' activities.

        • Outsourcing

          • OM-A.2.2

            A licensee must formally notify the Agency and seek its prior approval before committing to a new material outsourcing arrangement. The notification must:

            (a) be made in writing to the licensee's normal supervisory contact;
            (b) contain sufficient detail to demonstrate that relevant issues raised in section OM-2.4 onward of this chapter have been addressed; and
            (c) be made at least 6 weeks before the licensee intends to commit to the arrangement.

          • OM-A.2.3

            Once an outsourcing arrangement has been implemented, the Agency requires a licensee to continue to monitor the associated risks and the effectiveness of its mitigating controls.

        • Electronic money and electronic banking activities

          • OM-A.2.4

            The Agency specifically urges licensees to use the 'Fourteen Risk Management Principles and Sound Practices' set out in the Basel Committee paper stated in section OM-3.1 below, as guidelines, in order to recognise, address and manage risks associated with e-banking in a prudent manner.

        • Business continuity, contingency planning and security

          • OM-A.2.5

            The Agency requires its licensees to submit to the Agency a description of their succession plans for their senior management team. Amongst other things, banks should summarise who is covered by their succession plan, and confirm that the plan has been reviewed and endorsed at Board level. This information should be submitted to the Agency by the end of each calendar year.

          • OM-A.2.6

            All full commercial banks must implement security measures which satisfy the Agency's minimum requirements as laid out in Chapter OM-5. These measures include external physical security measures as well as internal measures for staff security and the handling of cash.

      • OM-A.3 Regulation history

        • OM-A.3.1

          This module was first issued in July 2004 as part of the conventional principles volume. All regulations in this volume have been effective since this date. All subsequent changes are dated with the month and year at the base of the relevant page and in the Table of Contents. Chapter UG-3 of Module UG provides further details on Rulebook maintenance and control.

        • OM-A.3.2

          The most recent changes made to this module are detailed in the table below:

          Summary of changes

          Module Ref. | Change Date | Description of Changes
          OM-5.1 | 01/04/05 | Physical security measures
          OM-4.2 | 01/10/05 | Succession planning for locally incorporated banks
          OM-5.1 | 01/10/05 | Clarification of security manager role for smaller banks and deletion of requirement for cash trays.
          OM-B & OM-1.2 | 01/04/06 | Minor amendments concerning roles of Board and management and editing of OM B.
          OM-5.1.15 OM-5.1.24 | 01/04/06 | New security requirements for ATM security arrangements and reporting of security related complaints

        • Evolution of the Module

          • OM-A.3.3

            Prior to the development of this Rulebook, the Agency had issued various circulars representing regulations covering different aspects of operational risk management. These circulars have now been consolidated into this module covering the operational risk management regulation. These circulars and their evolution into this module are listed below:

            Circular Ref. | Date of Issue | Module Ref. | Circular Subject
            BS/9/03 | 14 Sep 2003 | OM-1 | Operational Risk Management
            ODG/162/03 | 21 May 2003 | OM-2 | Outsourcing
            BC/9/98 | 16 Jun 1998 | OM-3 | Electronic Money and Electronic Banking Activities
            BC/6/02 | 24 Jun 2002 | OM-3 | Risk Management Principles for Electronic Banking
            ODG/347/03 | 28 Sep 2003 | OM-4.2 | Succession Planning

        • Effective date

          • OM-A.3.4

            The contents in this module are effective from the date depicted in the original circulars (see paragraph OM-A.3.3) or from the date of the change shown in paragraph OM-A.3.2.

    • OM-B General guidance and best practice

      • OM-B.1 Guidance provided by other international bodies

        • OM-B.1.1

          The papers below provide guidance which promotes best practice and can be generally applied by all licensees to their activities.

        • Basel Committee: Framework for Internal Controls Systems in Banking Organisations

          • OM-B.1.2

            The paper (see www.bis.org/publ/bcbs40.pdf) issued in September 1998 presents the first internationally accepted framework for supervisors to use in evaluating the effectiveness of the internal controls over all on- and off-balance-sheet activities of banking organizations.

          • OM-B.1.3

            The paper describes elements that are essential to a sound internal control system, recommends principles that supervisors can apply in evaluating such systems, and discusses the role of bank supervisors and external auditors in this assessment process.

        • Basel Committee: Sound Practices for the Management and Supervision of Operational Risk

          • OM-B.1.4

            The paper (see www.bis.org/publ/bcbs96.pdf) issued in February 2003 by the Risk Management Group of the Basel Committee on Banking Supervision, outlines a set of principles that provide a framework for the effective management and supervision of operational risk, for use by banks and supervisory authorities when evaluating operational risk management policies and practices.

          • OM-B.1.5

            The paper also recognises that clear strategies and oversight by the Board of Directors and senior management, a strong operational risk culture and internal control culture (including, among other things, clear lines of responsibility and segregation of duties), effective internal reporting, and contingency planning are all crucial elements of an effective operational risk management framework for banks of any size and scope.

        • Basel Committee: Risk Management for Electronic Banking and Electronic Money Activities

          • OM-B.1.6

            The paper (see www.bis.org/publ/bcbs35.pdf) issued in March 1998 provides guidelines for supervisory authorities and banking organisations as they develop methods for identifying, assessing, managing and controlling the risks associated with electronic banking and electronic money.

          • OM-B.1.7

            The paper indicates that, while providing new opportunities for banks, electronic banking and electronic money activities carry risks as well as benefits and it is important that these risks are recognised and managed in a prudent manner.

        • Basel Committee: Risk Management Principles for Electronic Banking

          • OM-B.1.8

            The paper (see www.bis.org/publ/bcbs98.pdf) issued in July 2003 recognizes new risks associated with the increase in distribution of financial services through electronic channels, or e-banking. To emphasize the importance of these risks, the Committee has placed responsibility on the shoulders of the Board and senior management to ensure their institutions have analysed, identified and modified operations to mitigate these risks.

          • OM-B.1.9

            To facilitate these developments, the Committee has identified fourteen Risk Management Principles for Electronic Banking to help banking institutions expand their existing risk oversight policies and processes to cover their e-banking activities.

          • OM-B.1.10

            The Risk Management Principles fall into three broad, and often overlapping, categories of issues that are grouped to provide clarity: Board and Management Oversight; Security Controls; and Legal and Reputational Risk Management.

    • OM-1 General procedures

      • OM-1.1 Overview

        • OM-1.1.1

          This Chapter provides guidance and rules for operational risk and sets out requirements for an appropriate risk management environment. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

        • OM-1.1.2

          Operational risk is inherent in all types of banks' activities, and therefore all new products and services should be reviewed for operational risks prior to their implementation. As these risks are important and can result in substantial losses, bank auditors should include operational audits in the scope of all audits.

        • OM-1.1.3

          The importance of operational risk has gained prominence as increasing reliance on sophisticated technology raises concerns of potential losses should unforeseen events cause technological failures. Banks have traditionally focused on controlling and mitigating credit and liquidity risks; however, enhanced levels of automation, while reducing costs and processing times, also pose potential risks. As such, any one process or system failure may, itself or through a series of systematic failures, cause financial or other losses to a bank. Therefore, it has become imperative that banks should establish policies and procedures to monitor and control operational risks.

        • OM-1.1.4

          For detailed guidance on the management of operational risk within a bank, refer to the Basel Committee paper 'Sound Practices for the Management and Supervision of Operational Risk' (see www.bis.org/publ/bcbs_wp96.htm).

        • OM-1.1.5

          The Agency will use the paper mentioned in paragraph OM-1.1.4 as a guideline in evaluation of the internal control systems of banks operating in Bahrain. Such evaluations will be made through the Agency's normal supervisory processes (e.g. meetings with management, on-site examinations (Module BR) and the use of reporting accountants (Module AR)).

      • OM-1.2 Developing an appropriate risk management environment

        • OM-1.2.1

          It should be standard practice for a bank's management to establish policies and procedures to manage risks arising out of a bank's activities. The bank should maintain written policies and procedures that identify the risk tolerances of the Board of Directors and should clearly delineate lines of authority and responsibility for managing the risks. Banks' employees and loan officers in particular should be fully aware of all policies and procedures that relate to their specific duties.

        • OM-1.2.2

          The bank's strategy should define its tolerance for risk and lay out the Board's understanding of the specific characteristics of operational risk.

        • The Board of Directors

          • OM-1.2.3

            The Board of Directors should be aware of the major aspects of the bank's operational risk as a distinct and controllable risk category.

          • OM-1.2.4

            The responsibilities of the Board of Directors of the bank should include:

            (a) approving the bank's operational risk strategy;
            (b) periodically reviewing the bank's operational risk strategy;
            (c) approving the basic structure of the framework for managing operational risk; and
            (d) ensuring that senior management is carrying out its risk management responsibilities.

        • Senior management

          • OM-1.2.5

            The responsibilities of the senior management of the bank should include:

            (a) implementing the operational risk strategy approved by the Board of Directors;
            (b) ensuring that the strategy is implemented consistently throughout the whole banking organisation;
            (c) ensuring that all levels of staff understand their responsibilities with respect to operational risk management;
            (d) developing and implementing policies, processes and procedures for managing operational risk in all of the bank's products, activities, processes and systems; and
            (e) developing succession plans for senior staff.

        • Management information system

          • OM-1.2.6

            The management information system of a banking organisation plays a key role in establishing and maintaining an effective operational risk management framework.

            (a) 'Communication flow' serves the purpose of establishing a consistent operational risk management culture across the bank.
            (b) 'Reporting flow' enables:
            1. senior management to monitor the effectiveness of the risk management system for operational risk; and
            2. the Board of Directors to oversee senior management performance.

      • OM-1.3 Identification, measurement, monitoring, and control

        • OM-1.3.1

          As part of an effective operational risk management system, banks should:

          (a) identify critical processes, resources and loss events;
          (b) establish processes necessary for measuring operational risk;
          (c) monitor operational risk exposures and loss events on an on-going basis; and
          (d) develop policies, processes and procedures to control or mitigate operational risk.

        • OM-1.3.2

          Banks should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.

    • OM-2 Outsourcing

      • OM-2.1 Introduction

        • OM-2.1.1

          This chapter sets out the Agency's approach to outsourcing by licensees. It also sets out various requirements that licensees must address when considering outsourcing an activity or function.

        • OM-2.1.2

          In the context of this chapter, 'outsourcing' means an arrangement whereby a third party performs on behalf of a licensee an activity which was previously undertaken by the licensee itself (or in the case of a new activity, one which commonly would have been performed internally by the licensee). Examples of services that are typically outsourced include data processing, customer call centres and back-office related activities.

        • OM-2.1.3

          Most of the Regulations in this chapter are concerned with situations where the third party provider is outside the licensee's group. Section OM-2.8, however, sets out the Agency's requirements when a service is outsourced to a company within the licensee's group.

        • OM-2.1.4

          The requirements in this chapter only apply to 'material' outsourcing arrangements. These are arrangements that, if they failed in any way, would pose significant risks to the on-going operations of a licensee, its reputation and/or quality of service provided to its customers. For instance, the outsourcing of all or a substantial part of functions such as customer sales and relationship management, settlements and processing, IT and data processing and financial control, would normally be considered 'material'.

        • OM-2.1.5

          Management should carefully consider whether a proposed outsourcing arrangement falls under this chapter's definition of 'material'. If in doubt, management should consult with the Agency.

        • OM-2.1.6

          The requirements in this chapter only apply to outsourcing arrangements entered into after the issuance of the original circular as depicted in paragraph OM-A.3.3. In the case of pre-existing outsourcing agreements, the Agency requires licensees to apply the requirements of this chapter to the fullest extent possible when these arrangements are subsequently renewed.

        • Legal source

          • OM-2.1.7

            The BMA "Standard Conditions and Licensing Criteria" require a licensee's activities to be conducted in an orderly manner and subject to appropriate sound risk management systems, in accordance with the regulations, circulars, notices and directions of the Agency.

      • OM-2.2 Supervisory approach

        • OM-2.2.1

          The Agency recognises the benefits that can potentially be achieved through outsourcing an activity to a third party provider. They can include reduced costs, enhanced service quality and a reduction in management time spent on non-core activities. However, outsourcing an activity also poses potential risks. These include the ability of the service provider to maintain service quality levels, reduced control over the activity and access to relevant information, and increased legal and client confidentiality risks.

        • OM-2.2.2

          The Agency's approach is to allow licensees the freedom to enter into outsourcing arrangements, providing these have been properly structured and associated risks addressed. The Agency requires prior approval to be sought by licensees wishing to outsource material activities, to give the Agency the opportunity to verify that the proposed arrangements are adequate.

        • OM-2.2.3

          The Agency expects licensees to have undertaken a thorough assessment of a proposal before formally submitting a notification to the Agency. However, the Agency is also willing to discuss ideas informally at an early stage of development, on a 'no-commitment' basis. It especially encourages an early approach when the proposed outsourcing is particularly material or innovative.

        • OM-2.2.4

          Once an outsourcing arrangement has been implemented, the Agency requires a licensee to continue to monitor the associated risks and the effectiveness of its mitigating controls. It will verify this through the course of its normal on-site and off-site supervisory processes, such as prudential meetings and on-site examinations. The Agency also requires access to the outsourced activity, which it may occasionally want to examine itself, through management meetings or on-site examinations.

        • OM-2.2.5

          Fundamental to the Agency's supervisory approach to outsourcing is that the Board and management of the licensee may not abdicate their responsibility for a licensee's business and the way its customers are treated. The Board and management remain ultimately responsible for the effectiveness of systems and controls in outsourced activities.

      • OM-2.3 Notifications and prior approval

        • OM-2.3.1

          A licensee must formally notify the Agency and seek its prior approval before committing to a new material outsourcing arrangement.

        • OM-2.3.2

          The above notification must:

          (a) be made in writing to the licensee's normal supervisory contact;
          (b) contain sufficient detail to demonstrate that relevant issues raised in section OM-2.4 onward of this chapter have been addressed; and
          (c) be made at least 6 weeks before the licensee intends to commit to the arrangement.

        • OM-2.3.3

          The Agency will review the information provided and provide a definitive response within 6 weeks of receiving the notification. Where further information is requested from the licensee, however, the time taken to provide this further information will not be taken into account. The Agency may also contact home or host supervisors of the licensee or the service provider, to seek their comments — in such cases, the 6-week turnaround is also subject to the speed of their response.

        • OM-2.3.4

          Once an activity has been outsourced, a licensee must immediately inform its normal supervisory contact at the Agency of any material problems encountered with the outsourcing provider. In exceptional cases, the Agency reserves the right to direct a licensee to make alternative arrangements for the outsourced activity.

      • OM-2.4 Risk assessment

        • OM-2.4.1

          Licensees must undertake a thorough risk assessment of an outsourcing proposal, before formally notifying the Agency and committing themselves to an agreement.

        • OM-2.4.2

          The risk assessment should — amongst other things — include an analysis of:

          (a) the business case;
          (b) the suitability of the outsourcing provider; and
          (c) the impact of the outsourcing on the licensee's overall risk profile and its systems and controls framework.

        • OM-2.4.3

          In assessing the suitability of the outsourcing provider, the licensee should amongst other things consider its financial soundness, its technical competence, its commitment to the arrangement, and its reputation.

        • OM-2.4.4

          Once an outsourcing agreement has been entered into, licensees must regularly review the suitability of the outsourcing provider and the on-going impact of the agreement on their risk profile and systems and controls framework. Such reviews should take place at least every year.

        • OM-2.4.5

          A licensee must nominate a member of senior management with day-to-day responsibility for handling the relationship with the outsourcing provider and ensuring that relevant risks are addressed. This person should be notified to the Agency as part of the notification required under section OM-2.3 above.

      • OM-2.5 Outsourcing agreement

        • OM-2.5.1

          The activities to be outsourced and respective contractual liabilities and obligations of the outsourcing provider and licensee must be clearly specified in an outsourcing agreement. This agreement must — amongst other things — address the following points:

          (a) Control over outsourced activities
          1. The Board and management of licensees are held ultimately responsible by the Agency for the adequacy of systems and controls in outsourced activities. Licensees must therefore ensure that they have adequate mechanisms for monitoring the performance of, and managing the relationship with, the outsourcing provider.
          2. A service level agreement ("SLA") — setting out the standards of service to be provided — must form part of the outsourcing agreement. Where the outsourcing provider interacts directly with a licensee's customers, the SLA should — where relevant — reflect the licensee's own standards regarding customer care.
          3. Mechanisms for the regular monitoring by licensees of performance against the SLA and other targets, and for implementing remedies in case of any shortfalls, should also form part of the agreement.
          4. Clear reporting and escalation mechanisms should be specified in the agreement.
          5. Where an outsourcing provider in turn decides to sub-contract to other providers, the original provider must remain contractually liable to the licensee for the quality and level of service agreed, and its obligations to the licensee must remain unchanged.
          (b) Customer data confidentiality
          1. Licensees should ensure that outsourcing agreements comply with all applicable legal requirements regarding customer confidentiality.
          2. Licensees should ensure that the outsourcing provider implements adequate safeguards and procedures. Amongst other things, customer data should be properly segregated from those belonging to other clients the outsourcing provider may have. Outsourcing providers should give suitable undertakings that the company and its staff will comply with all applicable confidentiality rules. Licensees should have contractual rights to take action against the service provider in the event of a breach of confidentiality.
          3. Licensees should assess the impact of using an overseas-based outsourcing provider on their ability to maintain customer data confidentiality, for instance, because of the powers of local authorities to access such data.
          (c) Access to information
          1. Outsourcing agreements must ensure that the licensee's internal and external auditors have timely access to any relevant information they may require to fulfill their responsibilities. Such access must allow them to conduct on-site examinations of the outsourcing provider, if required.
          2. Licensees must also ensure that the Agency has timely access to any relevant information it may reasonably require under the law. Such access must allow the Agency to conduct on-site examinations of the outsourcing provider, if required.
          3. Where the outsourcing provider is based overseas, the outsourcing provider must confirm in the outsourcing agreement that there are no regulatory or legal impediments to either the licensee's internal and external auditors, or the Agency, having the access described above. Should such restrictions subsequently be imposed, the licensee must communicate this fact to the Agency as soon as it becomes aware of the matter.
          4. The outsourcing provider must commit itself, in the outsourcing agreement, to informing the licensee of any developments that may have a material impact on its ability to meet its obligations. These may include, for example, relevant control weaknesses identified by the outsourcing provider's internal or external auditors, and material adverse developments in the financial performance of the outsourcing provider.
          (d) Business continuity
          1. Licensees should ensure that service providers maintain, regularly review and test plans to ensure continuity in the provision of the outsourced service.
          2. Licensees should have an adequate understanding of the outsourcing provider's arrangements, to understand the implications for their own contingency arrangements (see section OM-2.6).
          (e) Termination
          1. Licensees must have the right to terminate the agreement should the outsourcing provider undergo a change of ownership (whether direct or indirect) that poses a potential conflict of interest; becomes insolvent; or goes into liquidation or administration.
          2. Termination under any other circumstances allowed under the agreement must give licensees a sufficient notice period in which they can effect a smooth transfer of the service to another provider or bring it back in-house.
          3. In the event of termination, for whatever reason, the agreement should provide for the return of all customer data — where required by licensees — or their destruction.

      • OM-2.6 Contingency planning

        • OM-2.6.1

          Licensees should maintain and regularly review contingency plans to enable them to set up alternative arrangements — with minimum disruption to business — should the outsourcing contract be suddenly terminated or the outsourcing provider fail. This may involve the identification of alternative outsourcing providers or the provision of the service in-house. These plans should consider how long the transition would take and what interim arrangements would apply.

        • OM-2.6.2

          See chapter OM-4 for further guidance on business continuity and contingency planning.

      • OM-2.7 Internal audit outsourcing

        • OM-2.7.1

          Because of the critical importance of an effective internal audit function to a licensee's control framework, all proposals to outsource internal audit operations are to be considered material.

        • OM-2.7.2

          The Agency will generally not permit licensees to outsource their internal audit function to the same firm that acts as their external auditors. However, the Agency may allow short-term outsourcing of internal audit operations to a licensee's external auditor, to meet unexpected urgent or short-term needs (for instance, on account of staff resignation or illness). Any such arrangement will normally be limited to a maximum of one year.

        • OM-2.7.3

          Licensees who have existing outsourcing arrangements in place with their external auditors relating to the provision of internal audit services are required to find suitable alternatives when the existing arrangements terminate or come up for renewal.

        • OM-2.7.4

          In all circumstances, the Board and management of licensees must retain responsibility for ensuring that an adequate internal audit programme is implemented, and will be held accountable in this respect by the Agency.

      • OM-2.8 Intra-group outsourcing

        • OM-2.8.1

          As with outsourcing to non-group companies, the Board and management of licensees are held ultimately responsible by the Agency for the adequacy of systems and controls in activities outsourced to group companies.

        • OM-2.8.2

          However, the degree of formality required — in terms of contractual agreements and control mechanisms — for outsourcing within a licensee's group is likely to be less, because of common management and enhanced knowledge of other group companies.

        • OM-2.8.3

          A licensee must formally notify the Agency at least 6 weeks before committing to a material intra-group outsourcing. The request must be made in writing to the licensee's normal supervisory contact, and must set out a summary of the proposed outsourcing, its rationale, and an analysis of its associated risks and proposed mitigating controls. The Agency will respond to the notification in the same manner and timescale as set in section OM-2.3 above.

        • OM-2.8.4

          The Agency expects, as a minimum, an agreed statement of the standard of service to be provided by the group provider, including a clear statement of responsibilities allocated between the group provider and licensee.

        • OM-2.8.5

          The Agency also expects a licensee's management to have addressed the issues of customer confidentiality, access to information and business continuity covered above (section OM-2.5 and OM-2.4).

    • OM-3 Electronic money and electronic banking activities

      • OM-3.1 Electronic banking

        • OM-3.1.1

          This chapter refers to Basel Committee papers that the Agency requires relevant licensees to use as guidance on electronic banking activities.

        • OM-3.1.2

          The Agency considers that the provisions of the following papers represent best practice and provide guidelines for recognising, addressing and managing risk associated with this area. Banks should take appropriate steps for the implementation of relevant recommendations set out therein:

          (a) 'Risk Management for Electronic Banking and Electronic Money Activities' issued in March 1998 (see section OM-B.2 for further references to the paper);
          (b) 'Risk Management Principles for Electronic Banking' issued in May 2001 (see section OM-B.2 for further references to the paper).

        • OM-3.1.3

          Licensees must use the 'Risk Management Principles and Sound Practices' in the Basel Committee paper in OM-3.1.2(b) as guidelines to recognise and prudently manage risks associated with e-banking.

    • OM-4 Business continuity and contingency planning

      • OM-4.1 Contingency planning

        • OM-4.1.1

          Although operations risks are difficult to quantify, they can often be evaluated by examining a series of "worst-case" or "what-if" scenarios (stress testing), such as a power loss, a doubling of transaction volume or a mistake found in the pricing software for collateral management. They can also be assessed through periodic reviews of procedures, documentation requirements, data processing systems, contingency plans and other operational practices. Such reviews may help to reduce the likelihood of errors and breakdowns in controls, improve the control of risk and the effectiveness of the limit system and prevent unsound marketing practices and the premature adoption of new products or lines of business.

        • OM-4.1.2

          Such stress tests should not be limited to quantitative exercises that compute potential losses or gains. They should also include more qualitative analyses of the actions management might take under particular scenarios. Contingency plans are important products of such qualitative analyses.

        • OM-4.1.3

          Since the delivery of corporate and customer services represents key strategic and reputational issues, such problems could cause serious difficulties for banks and even jeopardise their ability to conduct key business activities. This potential requires the bank to establish business continuity and contingency plans outlining operating procedures and lines of communication, both formal and informal, in the event of an unexpected disaster (also see Basel Committee paper 'Framework for Internal Control Systems in Banking Organizations' for further guidance).

        • OM-4.1.4

          For contingency planning relating to outsourcing activities, see section OM-2.6.

      • OM-4.2 OM-4.2 Succession planning

        • OM-4.2.1

          Succession planning is an essential precautionary measure for a bank if its leadership stability — and hence ultimately its financial stability — is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.

        • OM-4.2.2

          The Agency will generally monitor banks' succession plans through the work of its on-site examiners. In order to supplement these efforts, the Agency requires locally incorporated banks to submit to the Agency a description of their succession plans for their senior management team. Locally incorporated banks must summarise who is covered by their succession plan and confirm that the plan has been reviewed and endorsed at Board level.

        • OM-4.2.3

          The information required in paragraph OM-4.2.2 should be submitted to the Agency by the end of each calendar year. It should be addressed to the Executive Director, Banking Supervision, as appropriate.

    • OM-5 OM-5 Security Measures for Banks

      • OM-5.1 OM-5.1 Physical Security Measures

        • External Measures

          • OM-5.1.1

            The content of this section is applicable to all full commercial banks licensed by the Agency in the Kingdom of Bahrain.

          • OM-5.1.2

            All head offices are required to maintain Ministry of Interior ("MOI") guards on a 24-hour basis. All branches must maintain a 24-hour MOI guard. However, if branches satisfy the criteria mentioned in paragraphs OM-5.1.3 to OM-5.1.20 below, they may maintain MOI guards during opening hours only. Furthermore, banks will be allowed to replace MOI armed guards with private security guards subject to the approval of the MOI. Training and approval of private security guards will be given by the MOI. Head offices must always have a 24-hour MOI guard.

          • OM-5.1.3

            Public entrances to head offices and branches must be protected by measures such as steel rolling shutters, or the external doors must be of solid steel or a similar solid material of equivalent strength and resistance to fire.

          • OM-5.1.4

            Other external entrances should have steel doors or be protected by steel rolling shutters. Preferably, all other external entrances should have the following security measures:

            •  Magic eye.
            •  Locking device (key externally and handle internally).
            •  Door closing mechanism.
            •  Contact sensor with alarm for prolonged opening time.
            •  Combination access control system (e.g. access card and key slot or swipe card and password).

          • OM-5.1.5

            If additional security measures to those mentioned in OM-5.1.3 and OM-5.1.4 such as security cameras, motion detectors or intruder alarms are installed, the requirement for steel external doors or protection by steel rolling shutters is waived.

          • OM-5.1.6

            External windows should have security measures such as anti-blast films and movement detectors. For ground floor windows, banks may also wish to add steel grills fastened into the wall.

          • OM-5.1.7

            Branch alarm systems should have the following features:

            a) PIR motion detectors
            b) Door sensors
            c) Anti vibration/movement sensors on vaults
            d) External siren
            e) The intrusion detection system must be linked to the bank's (i.e. head office) monitoring unit and also the MOI Central Monitoring Unit.

        • Internal Measures

          • OM-5.1.8

            Teller counters must be screened off from customers by a glass screen of no less than 1 meter in height from the counter work surface or 1.4 meters from the floor.

          • OM-5.1.9

            All areas where cash is handled must be screened off from customers and other staff areas.

          • OM-5.1.10

            Access to teller areas must be restricted to authorised staff only. The design of the teller area should not allow customers to pass through it.

          • OM-5.1.11

            Panic alarm systems for teller staff must be installed. The choice between silent or audible panic alarms is left to individual banks. Kick bars and/or hold up buttons must be spread throughout the teller and customer service areas and the branch manager's office. The panic alarm must be linked to the MOI Central Monitoring Unit.

        • Cash Safety

          • OM-5.1.12

            Cash, precious metals and bearer instruments must be kept in fireproof cabinets/safes. Preferably, these cabinets/safes should be located in strong rooms.

          • OM-5.1.13

            Strong rooms must be made of reinforced solid concrete, or reinforced block work. Doors to strong rooms must be steel and preferably also have a steel shutter fitted. Dual locking devices should be installed in strong room doors. Strong room doors should be located out of the sight of customers.

          • OM-5.1.14

            Strong rooms must not contain any other openings except the entry door and, where necessary, an air conditioning outlet. The air conditioning outlet must be protected with a steel grill.

          • OM-5.1.15

            ATMs should not normally be replenished during customer opening hours. Replenishment of off-site ATMs should be performed by specialised service providers, comprising a crew of at least two persons. ATM replenishment staff must carry a mobile phone or communication device in case of emergency.

          • OM-5.1.16

            All cash movements between branches, to and from the BMA and to offsite ATMs should be performed by specialised service providers.

          • OM-5.1.17

            All ATMs must be properly maintained and covered by service or maintenance agreements. All ATMs must be inspected daily by bank staff to check that they are functioning properly and have not been tampered with.

          • OM-5.1.18

            All banks must maintain a list of all maintenance, replenishment and inspection visits by staff or other authorised parties.

          • OM-5.1.19

            All ATMs must be fitted with fraud detection and inhibiting devices (mandatory by year end 2006).

        • CCTV Network Systems

          • OM-5.1.20

            All head offices and branches must have a CCTV network which is connected to a central monitoring unit located in the head office, and to the MOI Central Monitoring Unit.

          • OM-5.1.21

            The location and type of CCTV cameras is left to the discretion of banks. At a minimum, CCTV cameras should cover the following areas:

            a) Main entrance
            b) Other external doors
            c) Any other access points (e.g. ground floor windows)
            d) The banking hall
            e) Tellers' area
            f) Strongroom entrance
            g) ATMs (by way of internal or external cameras)

          • OM-5.1.22

            Notices of CCTV cameras in operation should be put up for the attention of the public. CCTV records should be maintained for a minimum 45-day period. The transmission rate (in terms of the number of frames per second) should be high enough to make for effective monitoring. Delayed transmission of pictures to the Central Monitoring Unit is not acceptable. The CCTV system should be operational 24 hours per day.

        • Training and Other Measures

          • OM-5.1.23

            Banks should establish the formal position of security manager. This person will be responsible for ensuring all bank staff are given annual, comprehensive security training. Banks should produce a security manual or procedures for staff, especially those dealing directly with customers. For banks with three or more branches, this position should be a formally identified position. For banks with one or two branches, the responsibilities of this position may be added to the duties of a member of management.

          • OM-5.1.24

            The security manager must maintain records on documented security related complaints by customers and take corrective action or make recommendations for action on a timely basis. Actions and recommendations must also be documented.

          • OM-5.1.25

            Banks should consider safety and security issues when selecting premises for new branches. Key security issues include prominence of location (i.e. is the branch on a main street or a back street?), accessibility for emergency services, assessment of surrounding premises (in terms of their safety or vulnerability), and the number of entrances to the branch. All banks are required to hold an Insurance Blanket Bond (which includes theft of cash in its cover).

    • OM-8 OM-8 Qualitative Aspects

      • OM-8.1 OM-8.1 Introduction

        • OM-8.1.1

          Section CA-7.1 of the Capital Adequacy Module allows banks to use either the basic indicator approach or the standardised approach to compute the capital charge for operational risk. This chapter sets out the qualitative aspect of these two approaches.

          Added: April 2008

        • OM-8.1.2

          Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk[1], but excludes strategic and reputational risk.

          Added: April 2008

          [1] Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

      • OM-8.2 OM-8.2 Basic Indicator Approach

        • OM-8.2.1

          Banks applying the basic indicator approach for capital adequacy purposes as detailed in section CA-7.1 of the Capital Adequacy Module are encouraged to comply with the principles set forth in this section.

          Added: April 2008

        • Developing an Appropriate Risk Management Environment

          • OM-8.2.2

            Failure to understand and manage operational risk, which is present in virtually all bank transactions and activities, may greatly increase the likelihood that some risks will go unrecognised and uncontrolled. Both the board and senior management are responsible for creating an organisational culture that places high priority on effective operational risk management and adherence to sound operating controls. Operational risk management is most effective where a bank's culture emphasises high standards of ethical behaviour at all levels of the bank. The board and senior management should promote an organisational culture which establishes through both actions and words the expectations of integrity for all employees in conducting the business of the bank.

            Added: April 2008

          • OM-8.2.3

            Principle 1: The board of directors must be aware of the major aspects of the bank's operational risks as a distinct risk category that must be managed, and it must approve and periodically review the bank's operational risk management framework. The framework must provide a bank-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.

            Amended: July 2011
            Added: April 2008

          • OM-8.2.4

            The board of directors should approve the implementation of a bank-wide framework to explicitly manage operational risk as a distinct risk to the bank's safety and soundness. The board should provide senior management with clear guidance and direction regarding the principles underlying the framework and approve the corresponding policies developed by senior management.

            Added: April 2008

          • OM-8.2.5

            An operational risk framework should be based on an appropriate definition of operational risk which clearly articulates what constitutes operational risk in that bank. The framework should cover the bank's appetite and tolerance for operational risk, as specified through the policies for managing this risk and the bank's prioritisation of operational risk management activities, including the extent of, and manner in which, operational risk is transferred outside the bank. It should also include policies outlining the bank's approach to identifying, assessing, monitoring and controlling/mitigating the risk. The degree of formality and sophistication of the bank's operational risk management framework should be commensurate with the bank's risk profile.

            Added: April 2008

          • OM-8.2.6

            The board is responsible for establishing a management structure capable of implementing the bank's operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the board establishes clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest. The framework should also articulate the key processes the bank needs to have in place to manage operational risk.

            Added: April 2008

          • OM-8.2.7

            The board should review the framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to assess industry best practice in operational risk management appropriate for the bank's activities, systems and processes. If necessary, the board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within the framework.

            Added: April 2008

          • OM-8.2.8

            Principle 2: The board of directors must ensure that the bank's operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function must not be directly responsible for operational risk management.

            Amended: July 2011
            Added: April 2008

          • OM-8.2.9

            Banks should have in place adequate internal audit coverage to verify that operating policies and procedures have been implemented effectively. The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme is appropriate to the risk exposures. Audit should periodically validate that the bank's operational risk management framework is being implemented effectively across the bank.

            Added: April 2008

          • OM-8.2.10

            To the extent that the audit function is involved in oversight of the operational risk management framework, the board should ensure that the independence of the audit function is maintained. This independence may be compromised if the audit function is directly involved in the operational risk management process. The audit function may provide valuable input to those responsible for operational risk management, but should not itself have direct operational risk management responsibilities. In practice, the CBB recognises that the audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.

            Added: April 2008

          • OM-8.2.11

            Principle 3: Senior management must have responsibility for implementing the operational risk management framework approved by the board of directors. The framework must be consistently implemented throughout the whole banking organisation, and all levels of staff must understand their responsibilities with respect to operational risk management. Senior management must also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank's material products, activities, processes and systems.

            Amended: July 2011
            Added: April 2008

          • OM-8.2.12

            Management should translate the operational risk management framework established by the board of directors into specific policies, processes and procedures that can be implemented and verified within the different business units. While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk effectively. Moreover, senior management should assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's policy.

            Added: April 2008

          • OM-8.2.13

            Senior management should ensure that bank activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources, and that staff responsible for monitoring and enforcing compliance with the institution's risk policy have authority independent from the units they oversee. Management should ensure that the bank's operational risk management policy has been clearly communicated to staff at all levels in units that incur material operational risks.

            Added: April 2008

          • OM-8.2.14

            Senior management should ensure that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the bank who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so could result in significant gaps or overlaps in a bank's overall risk management programme.

            Added: April 2008

          • OM-8.2.15

            Senior management should also ensure that the bank's remuneration policies are consistent with its appetite for risk. Remuneration policies which reward staff that deviate from policies (e.g. by exceeding established limits) weaken the bank's risk management processes.

            Added: April 2008

          • OM-8.2.16

            Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transaction volumes, in particular, should be well documented and disseminated to all relevant personnel.

            Added: April 2008

        • Risk Management: Identification, Assessment, Monitoring and Mitigation/Control

          • OM-8.2.17

            Principle 4: Banks must identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks must also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

            Amended: July 2011
            Added: April 2008

          • OM-8.2.18

            Risk identification is paramount for the subsequent development of a viable operational risk monitoring and control system. Effective risk identification considers both internal factors (such as the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organisational changes and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the bank's objectives.

            Added: April 2008

          • OM-8.2.19

            In addition to identifying the most potentially adverse risks, banks should assess their vulnerability to these risks. Effective risk assessment allows the bank to better understand its risk profile and most effectively target risk management resources.

            Added: April 2008

          • OM-8.2.20

            Amongst the possible tools used by banks for identifying and assessing operational risk are:

            (a) Self- or Risk Assessment: a bank assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures. Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them. In addition, scorecards may be used by banks to allocate economic capital to business lines in relation to performance in managing and controlling various aspects of operational risk.
            (b) Risk Mapping: in this process, various business units, organisational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action.
            (c) Risk Indicators: risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank's risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions.
            (d) Measurement: some banks have begun to quantify their exposure to operational risk using a variety of approaches. For example, data on a bank's historical loss experience could provide meaningful information for assessing the bank's exposure to operational risk and developing a policy to mitigate/control the risk. An effective way of making good use of this information is to establish a framework for systematically tracking and recording the frequency, severity and other relevant information on individual loss events. Some banks have also combined internal loss data with external loss data, scenario analyses, and risk assessment factors.

            Added: April 2008

          • OM-8.2.21

            Principle 5: Banks must implement a process to regularly monitor operational risk profiles and material exposures to losses. There must be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.

            Amended: July 2011
            Added: April 2008

          • OM-8.2.22

            An effective monitoring process is essential for adequately managing operational risk. Regular monitoring activities can offer the advantage of quickly detecting and correcting deficiencies in the policies, processes and procedures for managing operational risk. Promptly detecting and addressing these deficiencies can substantially reduce the potential frequency and/or severity of a loss event.

            Added: April 2008

          • OM-8.2.23

            In addition to monitoring operational loss events, banks should identify appropriate indicators that provide early warning of an increased risk of future losses. Such indicators (often referred to as key risk indicators or early warning indicators) should be forward-looking and could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover, transaction breaks, system downtime, and so on. When thresholds are directly linked to these indicators, an effective monitoring process can help identify key material risks in a transparent manner and enable the bank to act upon these risks appropriately.

            Added: April 2008

          • OM-8.2.24

            The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. Monitoring should be an integrated part of a bank's activities. The results of these monitoring activities should be included in regular management and board reports, as should compliance reviews performed by the internal audit and/or risk management functions. Reports generated by (and/or for) supervisory authorities may also inform this monitoring and should likewise be reported internally to senior management and the board, where appropriate.

            Added: April 2008

          • OM-8.2.25

            Senior management should receive regular reports from appropriate areas such as business units, group functions, the operational risk management office and internal audit. The operational risk reports should contain internal financial, operational, and compliance data, as well as external market information about events and conditions that are relevant to decision making. Reports should be distributed to appropriate levels of management and to areas of the bank on which areas of concern may have an impact. Reports should fully reflect any identified problem areas and should motivate timely corrective action on outstanding issues. To ensure the usefulness and reliability of these risk and audit reports, management should regularly verify the timeliness, accuracy, and relevance of reporting systems and internal controls in general. Management may also use reports prepared by external sources (auditors, supervisors) to assess the usefulness and reliability of internal reports. Reports should be analysed with a view to improving existing risk management performance as well as developing new risk management policies, procedures and practices.

            Added: April 2008

          • OM-8.2.26

            In general, the board of directors should receive sufficient higher-level information to enable them to understand the bank's overall operational risk profile and focus on the material and strategic implications for the business.

            Added: April 2008

          • OM-8.2.27

            Principle 6: Banks must have policies, processes and procedures to control and/or mitigate material operational risks. Banks must periodically review their risk limitation and control strategies and must adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile.

            Amended: July 2011
            Added: April 2008

          • OM-8.2.28

            Control activities are designed to address the operational risks that a bank has identified. For all material operational risks that have been identified, the bank should decide whether to use appropriate procedures to control and/or mitigate the risks, or bear the risks. For those risks that cannot be controlled, the bank should decide whether to accept these risks, reduce the level of business activity involved, or withdraw from this activity completely. Control processes and procedures should be established and banks should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

            (a) Top-level reviews of the bank's progress towards the stated objectives;
            (b) Checking for compliance with management controls;
            (c) Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues; and
            (d) A system of documented approvals and authorisations to ensure accountability to an appropriate level of management.

            Added: April 2008

          • OM-8.2.29

            Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. Both the board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank. Controls that are an integral part of the regular activities enable quick responses to changing conditions and avoid unnecessary costs.

            Added: April 2008

          • OM-8.2.30

            An effective internal control system also requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals, or a team, may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and subject to careful independent monitoring and review.

            Added: April 2008

          • OM-8.2.31

            In addition to segregation of duties, banks should ensure that other internal practices are in place as appropriate to control operational risk. Examples of these include:

            (a) Close monitoring of adherence to assigned risk limits or thresholds;
            (b) Maintaining safeguards for access to, and use of, bank assets and records;
            (c) Ensuring that staff have appropriate expertise and training;
            (d) Identifying business lines or products where returns appear to be out of line with reasonable expectations (e.g., where a supposedly low risk, low margin trading activity generates high returns that could call into question whether such returns have been achieved as a result of an internal control breach); and
            (e) Regular verification and reconciliation of transactions and accounts.

            Failure to implement such practices has resulted in significant operational losses for some banks in recent years.

            Added: April 2008

          • OM-8.2.32

            Operational risk can be more pronounced where banks engage in new activities or develop new products (particularly where these activities or products are not consistent with the bank's core business strategies), enter unfamiliar markets, and/or engage in businesses that are geographically distant from the head office. Moreover, in many such instances, banks do not ensure that the risk management control infrastructure keeps pace with the growth in the business activity. A number of the most sizeable and highest-profile losses in recent years have taken place where one or more of these conditions existed. Therefore, it is incumbent upon banks to ensure that special attention is paid to internal control activities where such conditions exist.

            Added: April 2008

          • OM-8.2.33

            Some significant operational risks have low probabilities but potentially very large financial impact. Moreover, not all risk events can be controlled (e.g., natural disasters). Risk mitigation tools or programmes can be used to reduce the exposure to, or frequency and/or severity of, such events. For example, insurance policies, particularly those with prompt and certain pay-out features, can be used to externalise the risk of "low frequency, high severity" losses which may occur as a result of events such as third-party claims resulting from errors and omissions, physical loss of securities, employee or third-party fraud, and natural disasters.

            Added: April 2008

          • OM-8.2.34

            However, banks should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognise and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk).

            Added: April 2008

          • OM-8.2.35

            Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, banks should be aware that increased automation could transform high-frequency, low-severity losses into low-frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the bank's immediate control (e.g., external events). Such problems may cause serious difficulties for banks and could jeopardise an institution's ability to conduct key business activities. As discussed below in Principle 7, banks should establish disaster recovery and business continuity plans that address this risk.

            Added: April 2008

          • OM-8.2.36

            Banks should also establish policies for managing the risks associated with outsourcing activities. Outsourcing of activities can reduce the institution's risk profile by transferring activities to others with greater expertise and scale to manage the risks associated with specialised business activities. However, a bank's use of third parties does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing bank. Furthermore, banks need to manage residual risks associated with outsourcing arrangements, including disruption of services.

            Added: April 2008

          • OM-8.2.37

            Depending on the scale and nature of the activity, banks should understand the potential impact on their operations and their customers of any potential deficiencies in services provided by vendors and other third-party or intra-group service providers, including both operational breakdowns and the potential business failure or default of the external parties. The board and management should ensure that the expectations and obligations of each party are clearly defined, understood and enforceable. The extent of the external party's liability and financial ability to compensate the bank for errors, negligence, and other operational failures should be explicitly considered as part of the risk assessment. Banks should carry out an initial due diligence test and monitor the activities of third-party providers, especially those lacking experience of the banking industry's regulated environment, and review this process (including re-evaluations of due diligence) on a regular basis. For critical activities, the bank may need to consider contingency plans, including the availability of alternative external parties and the costs and resources required to switch external parties, potentially on very short notice.

            Added: April 2008

          • OM-8.2.38

            In some instances, banks may decide to either retain a certain level of operational risk or self-insure against that risk. Where this is the case and the risk is material, the decision to retain or self-insure the risk should be transparent within the organisation and should be consistent with the bank's overall business strategy and appetite for risk.

            Added: April 2008

          • OM-8.2.39

            Principle 7: Banks must have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption.

            Amended: July 2011
            Added: April 2008

          • OM-8.2.40

            For reasons that may be beyond a bank's control, a severe event may result in the inability of the bank to fulfil some or all of its business obligations, particularly where the bank's physical, telecommunication, or information technology infrastructures have been damaged or made inaccessible. This can, in turn, result in significant financial losses to the bank, as well as broader disruptions to the financial system through channels such as the payments system. This potential requires that banks establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.

            Added: April 2008

          • OM-8.2.41

            Banks should identify critical business processes, including those where there is dependence on external vendors or other third parties, for which rapid resumption of service would be most essential. For these processes, banks should identify alternative mechanisms for resuming service in the event of an outage. Particular attention should be paid to the ability to restore electronic or physical records that are necessary for business resumption. Where such records are backed up at an off-site facility, or where a bank's operations must be relocated to a new site, care should be taken that these sites are at an adequate distance from the impacted operations to minimise the risk that both primary and back-up records and facilities will be unavailable simultaneously.

            Added: April 2008

          • OM-8.2.42

            Banks should periodically review their disaster recovery and business continuity plans so that they are consistent with the bank's current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption.

            Added: April 2008