OM-2 General Requirements
OM-2.1 Overview
OM-2.1.1
This Chapter provides guidance and rules for operational risk and sets out requirements for an appropriate risk management environment, including business continuity, outsourcing and electronic banking. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.
October 07
OM-2.1.2
Operational risk is inherent in all types of banks' activities, and therefore all new products and services should be reviewed for operational risks prior to their implementation. As these risks are important and can result in substantial losses, bank auditors should include operational audits in the scope of all audits.
October 07
OM-2.1.3
The importance of operational risk has gained prominence as increasing reliance on sophisticated technology raises concerns of potential losses should unforeseen events cause technological failures. Banks have traditionally focused on controlling and mitigating credit and liquidity risks; however, enhanced levels of automation, while reducing costs and processing times, also pose potential risks. As such, any one process or system failure may, itself or through a series of systematic failures, cause financial or other losses to a bank. Therefore, it has become imperative that banks should establish policies and procedures to monitor and control operational risks.
October 07
OM-2.1.4
The CBB will use the papers mentioned in Paragraphs OM-1.1.1 to OM-1.1.11 as guidelines in evaluation of the internal control systems of banks operating in Bahrain. Such evaluations will be made through the CBB's normal supervisory processes (e.g. meetings with management, on-site examinations (Module BR) and the use of appointed experts (Section BR-6.5)).
Amended: January 2012
Amended: January 2011
October 07
OM-2.2 Developing an Appropriate Risk Management Environment
OM-2.2.1
It must be standard practice for a bank's management to implement policies and procedures to manage risks arising out of a bank's activities. The bank must maintain written policies and procedures that identify the risk tolerances approved by the Board of Directors and must clearly delineate lines of authority and responsibility for managing the risks. Banks' employees and loan officers in particular must be fully aware of all policies and procedures that relate to their specific duties.
Amended: July 2011
October 07
OM-2.2.2
The bank's strategy must define its tolerance for risk and lay out the Board's understanding of the specific characteristics of operational risk.
October 07
The Board of Directors
OM-2.2.3
The Board of Directors must be aware of the major aspects of the bank's operational risk as a distinct and controllable risk category.
Amended: July 2011
October 07
OM-2.2.4
The responsibilities of the Board of Directors of the bank must include:
(a) Approving the bank's operational risk strategy;
(b) Periodically reviewing the bank's operational risk strategy;
(c) Approving the basic structure of the framework for managing operational risk; and
(d) Ensuring that senior management is carrying out its risk management responsibilities.
October 07
Senior Management
OM-2.2.5
The responsibilities of the senior management of the bank must include:
(a) Implementing the operational risk strategy approved by the Board of Directors;
(b) Ensuring that the strategy is implemented consistently throughout the whole banking organisation;
(c) Ensuring that all levels of staff understand their responsibilities with respect to operational risk management;
(d) Developing and implementing policies, processes and procedures for managing operational risk in all of the bank's products, activities, processes and systems;
(e) Developing succession plans for senior staff; and
(f) Developing Business Continuity Plans for the bank.
October 07
Management Information System
OM-2.2.6
The management information system of a banking organisation plays a key role in establishing and maintaining an effective operational risk management framework.
October 07
OM-2.2.7
'Communication flow' serves the purpose of establishing a consistent operational risk management culture across the bank. 'Reporting flow' enables:
(a) Senior management to monitor the effectiveness of the risk management system for operational risk; and
(b) The Board of Directors to oversee senior management performance.
Amended: January 2012
October 07
OM-2.3 Identification, Measurement, Monitoring and Control
OM-2.3.1
As part of an effective operational risk management system, banks must:
(a) Identify critical processes, resources and loss events;
(b) Establish processes necessary for measuring operational risk;
(c) Monitor operational risk exposures and loss events on an on-going basis; and
(d) Develop policies, processes and procedures to control or mitigate operational risk.
October 07
OM-2.3.2
Banks should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.
Amended: January 2012
October 07
OM-2.4 Succession Planning
OM-2.4.1
Succession planning is an essential precautionary measure for a bank if its leadership stability – and hence ultimately its financial stability – is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.
October 07
OM-2.4.2
The CBB requires locally incorporated banks to document their Board-approved succession plans for their senior management team and have these ready at any time for onsite inspection by CBB staff.
Amended: July 2011
Amended: January 2011
October 07
OM-2.4.3
[This Paragraph was deleted in July 2011].