• OM-8.1 Introduction

    • OM-8.1.1

      The contents of this Chapter apply in full to all Bahraini conventional bank licensees both on a consolidated basis and on a solo basis.

      Added: October 2012

    • OM-8.1.1A

      This Chapter may be used as guidance for overseas conventional bank licensees.

      Added: October 2012

    • OM-8.1.1B

      Section CA-7.1 of the Capital Adequacy Module allows banks to use either the basic indicator approach or standardised approach to compute capital charge for operational risk. This chapter sets out the qualitative aspect of these two approaches.

      Added: October 2012

    • OM-8.1.2

      Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk¹, but excludes strategic and reputational risk.

      Added: October 2012

      ¹ Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

    • OM-8.1.3

      Operational risk is inherent in all banking products, activities, processes and systems, and the effective management of operational risk must be a fundamental element of a bank's risk management programme. Sound operational risk governance relies upon three lines of defence:

      (a) Business line management;
      (b) An independent operational risk management function; and
      (c) Independent review functions.

      Added: October 2012

    • OM-8.1.4

      In the context of this Chapter, 'independent' and 'independent review' have the following meanings. The review functions must be independent of the risk generating business lines or the process or system under review. An independent review would include the following components:

      (a) Verification of the Framework is done on a periodic basis and would be typically performed by the bank's internal and/or external audit, but may involve other suitably qualified independent parties from external sources. Verification activities test the effectiveness of the overall Framework, consistent with policies approved by the board of directors, and also test validation processes to ensure that they are independent and implemented in a manner consistent with established bank policies; and
      (b) Validation ensures that the quantification systems used by the bank are sufficiently robust and provide assurance of the integrity of inputs, assumptions, processes and outputs. Specifically the independent validation process should provide enhanced assurance that the risk management methodology results in an operational risk capital charge that credibly reflects the operational risk profile of the bank. In addition to the quantitative aspects of internal validation, the validation of data inputs, methodology and outputs of operational risk models is important to the overall process.

      Added: October 2012

    • OM-8.1.5

      The operational risk management function must be functionally independent of the risk generating business lines and will be responsible for the design, maintenance and ongoing development of the operational risk Framework ("Framework" – see also Paragraphs OM-8.2.12 and OM-8.2.13 for a description of the "Framework") within the bank.

      Added: October 2012

    • OM-8.1.6

      For the purpose of Paragraph OM-8.1.5, "functionally independent" means that the risk management function cannot report hierarchically and/or functionally to any person or function that is directly responsible for risk generation.

      Added: October 2012

    • OM-8.1.7

      The operational risk management function should include the operational risk measurement and reporting processes, risk committees and responsibility for board reporting. A key function of the operational risk management function is to challenge the business lines' inputs to, and outputs from, the bank's risk management, risk measurement and reporting systems. The operational risk management function should have a sufficient number of personnel skilled in the management of operational risk to effectively address its many responsibilities.

      Added: October 2012

    • OM-8.1.8

      The independent review functions are the audit and compliance functions and the staff occupying these functions must be competent and appropriately trained and not be involved in the development, implementation and operation of the operational risk Framework (for example, internal audit and compliance must not be involved with the setting of risk appetite or risk tolerance, but internal audit should be reviewing the robustness of the process of how these limits are set and why and how they are adjusted in response to changing circumstances). Internal Audit should independently verify that the Framework has been implemented as intended and is functioning effectively. Internal audit coverage should include opining on the overall appropriateness and adequacy of the Framework and the associated governance processes across the bank. Internal audit should not simply be testing for compliance with board approved policies and procedures, but should be evaluating whether the Framework meets organisational needs and supervisory expectations. More details on the Internal Audit Function and the Role of the Audit Committee are to be found in Chapter HC-3.

      Added: October 2012