• OM-1 General procedures

    • OM-1.1 Overview

      • OM-1.1.1

        This Chapter provides guidance and rules for operational risk and sets out requirements for an appropriate risk management environment. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

      • OM-1.1.2

        Operational risk is inherent in all types of banks' activities, and therefore all new products and services should be reviewed for operational risks prior to their implementation. As these risks are important and can result in substantial losses, bank auditors should include operational audits in the scope of all audits.

      • OM-1.1.3

        The importance of operational risk has gained prominence as increasing reliance on sophisticated technology raises concerns of potential losses should unforeseen events cause technological failures. Banks have traditionally focused on controlling and mitigating credit and liquidity risks; however, enhanced levels of automation, while reducing costs and processing times, also pose potential risks. As such, any one process or system failure may, by itself or through a series of systematic failures, cause financial or other losses to a bank. Therefore, it has become imperative that banks should establish policies and procedures to monitor and control operational risks.

      • OM-1.1.4

        For detailed guidance on the management of operational risk within a bank, refer to the Basel Committee paper 'Sound Practices for the Management and Supervision of Operational Risk' (see www.bis.org/publ/bcbs_wp96.htm).

      • OM-1.1.5

        The Agency will use the paper mentioned in paragraph OM-1.1.4 as a guideline in evaluation of the internal control systems of banks operating in Bahrain. Such evaluations will be made through the Agency's normal supervisory processes (e.g. meetings with management, on-site examinations (Module BR) and the use of reporting accountants (Module AR)).

    • OM-1.2 Developing an appropriate risk management environment

      • OM-1.2.1

        It should be standard practice for a bank's management to establish policies and procedures to manage risks arising out of a bank's activities. The bank should maintain written policies and procedures that identify the risk tolerances of the Board of Directors and should clearly delineate lines of authority and responsibility for managing the risks. Banks' employees and loan officers in particular should be fully aware of all policies and procedures that relate to their specific duties.

      • OM-1.2.2

        The bank's strategy should define its tolerance for risk and lay out the Board's understanding of the specific characteristics of operational risk.

      • The Board of Directors

        • OM-1.2.3

          The Board of Directors should be aware of the major aspects of the bank's operational risk as a distinct and controllable risk category.

        • OM-1.2.4

          The responsibilities of the Board of Directors of the bank should include:

          (a) approving the bank's operational risk strategy;
          (b) periodically reviewing the bank's operational risk strategy;
          (c) approving the basic structure of the framework for managing operational risk; and
          (d) ensuring that senior management is carrying out its risk management responsibilities.

      • Senior management

        • OM-1.2.5

          The responsibilities of the senior management of the bank should include:

          (a) implementing the operational risk strategy approved by the Board of Directors;
          (b) ensuring that the strategy is implemented consistently throughout the whole banking organisation;
          (c) ensuring that all levels of staff understand their responsibilities with respect to operational risk management;
          (d) developing and implementing policies, processes and procedures for managing operational risk in all of the bank's products, activities, processes and systems; and
          (e) developing succession plans for senior staff.

      • Management information system

        • OM-1.2.6

          The management information system of a banking organisation plays a key role in establishing and maintaining an effective operational risk management framework.

          (a) 'Communication flow' serves the purpose of establishing a consistent operational risk management culture across the bank.
          (b) 'Reporting flow' enables:
          1. senior management to monitor the effectiveness of the risk management system for operational risk; and
          2. the Board of Directors to oversee senior management performance.

    • OM-1.3 Identification, measurement, monitoring, and control

      • OM-1.3.1

        As part of an effective operational risk management system, banks should:

        (a) identify critical processes, resources and loss events;
        (b) establish processes necessary for measuring operational risk;
        (c) monitor operational risk exposures and loss events on an on-going basis; and
        (d) develop policies, processes and procedures to control or mitigate operational risk.

      • OM-1.3.2

        Banks should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.