Developing an Appropriate Risk Management Environment
OM-8.2.2
Failure to understand and manage operational risk, which is present in virtually all bank transactions and activities, may greatly increase the likelihood that some risks will go unrecognised and uncontrolled. Both the board and senior management are responsible for creating an organisational culture that places high priority on effective operational risk management and adherence to sound operating controls. Operational risk management is most effective where a bank's culture emphasises high standards of ethical behaviour at all levels of the bank. The board and senior management should promote an organisational culture which establishes through both actions and words the expectations of integrity for all employees in conducting the business of the bank.
Added: April 2008
OM-8.2.3
Principle 1: The board of directors must be aware of the major aspects of the bank's operational risks as a distinct risk category that must be managed, and it must approve and periodically review the bank's operational risk management framework. The framework must provide a bank-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.
Amended: July 2011
Added: April 2008
OM-8.2.4
The board of directors should approve the implementation of a bank-wide framework to explicitly manage operational risk as a distinct risk to the bank's safety and soundness. The board should provide senior management with clear guidance and direction regarding the principles underlying the framework and approve the corresponding policies developed by senior management.
Added: April 2008
OM-8.2.5
An operational risk framework should be based on an appropriate definition of operational risk which clearly articulates what constitutes operational risk in that bank. The framework should cover the bank's appetite and tolerance for operational risk, as specified through the policies for managing this risk and the bank's prioritisation of operational risk management activities, including the extent of, and manner in which, operational risk is transferred outside the bank. It should also include policies outlining the bank's approach to identifying, assessing, monitoring and controlling/mitigating the risk. The degree of formality and sophistication of the bank's operational risk management framework should be commensurate with the bank's risk profile.
Added: April 2008
OM-8.2.6
The board is responsible for establishing a management structure capable of implementing the bank's operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the board establishes clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest. The framework should also articulate the key processes the bank needs to have in place to manage operational risk.
Added: April 2008
OM-8.2.7
The board should review the framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to assess industry best practice in operational risk management appropriate for the bank's activities, systems and processes. If necessary, the board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within the framework.
Added: April 2008
OM-8.2.8
Principle 2: The board of directors must ensure that the bank's operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function must not be directly responsible for operational risk management.
Amended: July 2011
Added: April 2008
OM-8.2.9
Banks should have in place adequate internal audit coverage to verify that operating policies and procedures have been implemented effectively. The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme is appropriate to the risk exposures. Audit should periodically validate that the bank's operational risk management framework is being implemented effectively across the bank.
Added: April 2008
OM-8.2.10
To the extent that the audit function is involved in oversight of the operational risk management framework, the board should ensure that the independence of the audit function is maintained. This independence may be compromised if the audit function is directly involved in the operational risk management process. The audit function may provide valuable input to those responsible for operational risk management, but should not itself have direct operational risk management responsibilities. In practice, the CBB recognises that the audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.
Added: April 2008
OM-8.2.11
Principle 3: Senior management must have responsibility for implementing the operational risk management framework approved by the board of directors. The framework must be consistently implemented throughout the whole banking organisation, and all levels of staff must understand their responsibilities with respect to operational risk management. Senior management must also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank's material products, activities, processes and systems.
Amended: July 2011
Added: April 2008
OM-8.2.12
Management should translate the operational risk management framework established by the board of directors into specific policies, processes and procedures that can be implemented and verified within the different business units. While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk effectively. Moreover, senior management should assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's policy.
Added: April 2008
OM-8.2.13
Senior management should ensure that bank activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources, and that staff responsible for monitoring and enforcing compliance with the institution's risk policy have authority independent from the units they oversee. Management should ensure that the bank's operational risk management policy has been clearly communicated to staff at all levels in units that incur material operational risks.
Added: April 2008
OM-8.2.14
Senior management should ensure that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the bank who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so could result in significant gaps or overlaps in a bank's overall risk management programme.
Added: April 2008
OM-8.2.15
Senior management should also ensure that the bank's remuneration policies are consistent with its appetite for risk. Remuneration policies which reward staff who deviate from policies (e.g. by exceeding established limits) weaken the bank's risk management processes.
Added: April 2008
OM-8.2.16
Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transaction volumes, in particular, should be well documented and disseminated to all relevant personnel.
Added: April 2008