• OM-8.2 Basic Indicator Approach

    • OM-8.2.1

      Banks applying the basic indicator approach for capital adequacy purposes as detailed in Section CA-7.1 of Module CA (Capital Adequacy) are encouraged to comply with the principles set forth in this Section.

      Added: October 2012

    • Fundamental Principles of Operational Risk Management

      • OM-8.2.2

        Principle 1: The board of directors must take the lead in establishing a strong risk management culture. The board of directors and senior management must establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

        Added: October 2012

      • OM-8.2.3

        Banks with a strong culture of risk management and ethical business practices are less likely to experience potentially damaging operational risk events and are better placed to deal effectively with those events that do occur. The actions of the board and senior management, and policies, processes and systems provide the foundation for a sound risk management culture. More details on the role of the board and senior management are to be found in Chapters HC-1, HC-2, and HC-6 as well as in Chapters CM-1 and OM-2.

        Added: October 2012

      • OM-8.2.4

The board must establish a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identifies acceptable business practices and prohibited conflicts (see Section HC-2.2).

        Added: October 2012

      • OM-8.2.5

        Clear expectations and accountabilities ensure that bank staff understand their roles and responsibilities for risk, as well as their authority to act. Strong and consistent senior management support for risk management and ethical behaviour convincingly reinforces codes of conduct and ethics, compensation strategies, and training programmes.

        Added: October 2012

      • OM-8.2.6

        Compensation policies must be aligned to the bank's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They must also appropriately balance risk and reward (see Chapter HC-5 concerning remuneration).

        Added: October 2012

      • OM-8.2.7

        Banks should refer to the Financial Stability Board's Principles for Sound Compensation Practices, published in September 2009 regarding compensation policies.

        Added: October 2012

      • OM-8.2.8

        Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

        Added: October 2012

      • OM-8.2.9

        Principle 2: Banks must develop, implement and maintain a Framework that is fully integrated into the bank's overall risk management processes. The Framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

        Added: October 2012

      • OM-8.2.10

        The fundamental premise of sound risk management is that the board of directors and bank management understand the nature and complexity of the risks inherent in the portfolio of bank products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.

        Added: October 2012

      • OM-8.2.11

        A vital means of understanding the nature and complexity of operational risk is to have the components of the Framework fully integrated into the overall risk management processes of the bank. The Framework should be appropriately integrated into the risk management processes across all levels of the organisation including those at the group and business line levels, as well as into new business initiatives' products, activities, processes and systems. In addition, results of the bank's operational risk assessment should be incorporated into the overall bank business strategy development processes.

        Added: October 2012

      • OM-8.2.12

        The Framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss. Banks that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their Framework.

        Added: October 2012

      • OM-8.2.13

        Framework documentation must clearly:

        (a) Identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
        (b) Describe the risk assessment tools and how they are used;
        (c) Describe the bank's accepted operational risk appetite and tolerance (see Paragraphs OM-8.2.17 and OM-8.2.18), as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments;
        (d) Describe the bank's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
        (e) Establish risk reporting and Management Information Systems (MIS);
        (f) Provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives;
        (g) Provide for appropriate independent review and assessment of operational risk; and
        (h) Require the policies to be reviewed whenever a material change in the operational risk profile of the bank occurs, and revised as appropriate.
        Added: October 2012

    • Governance: The Board of Directors

      • OM-8.2.14

        Principle 3: The board of directors must establish, approve and periodically review the Framework. The board of directors must oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

        Added: October 2012

      • OM-8.2.15

        The board of directors must:

        (a) Establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the bank's strategies and activities, and develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall Framework for managing all risks across the enterprise;
        (b) Provide senior management with clear guidance and direction regarding the principles underlying the Framework and approve the corresponding policies developed by senior management;
        (c) Regularly review the Framework to ensure that the bank has identified and is managing the operational risk arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (e.g. changing business volumes);
        (d) Ensure that the bank's Framework is subject to effective independent review by audit or other appropriately trained parties such as the compliance function; and
        (e) Ensure that as best practice evolves, management is availing themselves of these advances.
        Added: October 2012

      • OM-8.2.16

        Strong internal controls are a critical aspect of operational risk management, and the board of directors must establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment must provide appropriate independence/separation of duties between operational risk management functions, business lines and support functions.

        Added: October 2012

      • OM-8.2.17

        Principle 4: The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the bank is willing to assume.

        Added: October 2012

      • OM-8.2.18

        When approving and reviewing the risk appetite and tolerance statement, the board of directors must consider all relevant risks, the bank's level of risk aversion, its current financial condition and the bank's strategic direction. The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a bank and ensure that they are consistent. The board of directors must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.

        Added: October 2012

      • OM-8.2.19

        The board of directors must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review must consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of limit breaches. The board must monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

        Added: October 2012

      • Senior Management

        • OM-8.2.20

          Principle 5: Senior management must develop for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank's material products, activities, processes and systems consistent with the risk appetite and tolerance.

          Added: October 2012

        • OM-8.2.21

Senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. These must include systems to report, track and, when necessary, escalate issues to ensure resolution. Banks must be able to demonstrate that the three lines of defence approach (as highlighted in Paragraph OM-8.1.3) is operating satisfactorily and to explain how the board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.

          Added: October 2012

        • OM-8.2.22

          Senior management must translate the operational risk management Framework established by the board of directors into specific policies, processes and procedures that can be implemented and verified within the different business units. Senior management must clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk in line with the bank's risk appetite and tolerance statement. Moreover, senior management must ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.

          Added: October 2012

        • OM-8.2.23

          Senior management must ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the bank who are responsible for the procurement of external services such as insurance risk transfer and outsourcing arrangements. Failure to do so could result in significant gaps or overlaps in a bank's overall risk management programme.

          Added: October 2012

        • OM-8.2.24

          A bank's risk management function should be commensurate with the nature, size, complexity and risk profile of the bank's activities. The managers of the corporate operational risk management function should be of sufficient stature within the bank to perform their duties effectively, ideally evidenced by title commensurate with other risk management functions such as credit, market and liquidity risk.

          Added: October 2012

        • OM-8.2.25

          Senior management should ensure that bank activities are conducted by staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.

          Added: October 2012

        • OM-8.2.26

          A bank's governance structure should be commensurate with the nature, size, complexity and risk profile of its activities. When designing the operational risk governance structure, a bank must take the following into consideration:

          (a) Committee structure;
          (b) Committee composition; and
          (c) Committee operation.
          Added: October 2012

        • OM-8.2.27

          Sound industry practice for larger and more complex organisations with a central group function and separate business units is to utilise a board-created enterprise level risk committee for overseeing all risks, to which a management level operational risk committee reports. Depending on the nature, size and complexity of the bank, the enterprise level risk committee may receive input from operational risk committees by country, business or functional area. Smaller and less complex organisations may utilise a flatter organisational structure that oversees operational risk directly within the board's risk management committee.

          Added: October 2012

        • OM-8.2.28

Sound industry practice is for operational risk committees (or the risk committee in smaller banks) to include a combination of members with expertise in business activities and finance, as well as in independent risk management (refer to Module HC for details on committee membership).

          Added: October 2012

        • OM-8.2.29

          Committee meetings should be held at appropriate frequencies with adequate time and resources to permit productive discussion and decision-making. Records of committee operations should be adequate to permit review and evaluation of committee effectiveness.

          Added: October 2012

    • Risk Management Environment: Identification and Assessment

      • OM-8.2.30

        Principle 6: Senior management must ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.

        Added: October 2012

      • OM-8.2.31

        Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors (such as the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organisational changes and employee turnover) and external factors (such as changes in the broader environment and the industry and advances in technology). Sound risk assessment allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.

        Added: October 2012

      • OM-8.2.32

        Examples of tools that may be used for identifying and assessing operational risk include:

        (a) Audit Findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors;
        (b) Internal Loss Data Collection and Analysis: Internal operational loss data provides meaningful information for assessing a bank's exposure to operational risk and the effectiveness of internal controls. Analysis of loss events can provide insight into the causes of large losses and information on whether control failures are isolated or systematic. Banks may also find it useful to capture and monitor operational risk contributions to credit and market risk related losses in order to obtain a more complete view of their operational risk exposure;
        (c) External Data Collection and Analysis: External data elements consist of gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at organisations other than the bank. External loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures;
        (d) Risk Assessments: In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, Risk Control Self Assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment;
        (e) Business Process Mapping: Business process mappings identify the key steps in business processes, activities and organisational functions. They also identify the key risk points in the overall business process. Process maps can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. They also can help prioritise subsequent management action;
        (f) Risk and Performance Indicators: Risk and performance indicators are risk metrics and/or statistics that provide insight into a bank's risk exposure. Risk indicators, often referred to as Key Risk Indicators (KRIs), are used to monitor the main drivers of exposure associated with key risks. Performance indicators, often referred to as Key Performance Indicators (KPIs), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans;
        (g) Scenario Analysis: Scenario analysis is a process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance Framework is essential to ensure the integrity and consistency of the process;
        (h) Measurement: Larger banks may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure. The results of the model can be used in an economic capital process and can be allocated to business lines to link risk and return; and
        (i) Comparative Analysis: Comparative analysis consists of comparing the results of the various assessment tools to provide a more comprehensive view of the bank's operational risk profile. For example, comparison of the frequency and severity of internal data with RCSAs can help the bank determine whether self assessment processes are functioning effectively. Scenario data can be compared to internal and external data to gain a better understanding of the severity of the bank's exposure to potential risk events.
        Added: October 2012
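The risk and performance indicators in item (f) above are paired with escalation triggers that fire when an indicator approaches or exceeds its threshold or limit; breaches then feed the reporting in Paragraph OM-8.2.41 and the limit review in Paragraph OM-8.2.19. The following is an added illustration of that mechanism and is not part of the Rulebook or of any bank's system: the KRI names, limits, warning band and monthly readings are all constructed for the example.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List


class Level(Enum):
    GREEN = "within tolerance"
    AMBER = "approaching threshold"   # escalation trigger: warn before the limit is hit
    RED = "threshold breached"        # limit breach: must be reported and remediated


@dataclass(frozen=True)
class KRI:
    """One key risk indicator with a board-approved limit (hypothetical names/values).

    higher_is_worse=True  -> the limit is a ceiling (e.g. failed settlements).
    higher_is_worse=False -> the limit is a floor (e.g. patch-within-SLA percentage).
    warning_fraction defines the 'approaching' band relative to the limit.
    """
    name: str
    limit: float
    higher_is_worse: bool = True
    warning_fraction: float = 0.9

    def classify(self, value: float) -> Level:
        if self.higher_is_worse:
            if value > self.limit:
                return Level.RED
            if value >= self.limit * self.warning_fraction:
                return Level.AMBER
            return Level.GREEN
        # Floor-type limit: breach when below it, 'approaching' inside a band just above it.
        if value < self.limit:
            return Level.RED
        if value <= self.limit * (2 - self.warning_fraction):
            return Level.AMBER
        return Level.GREEN


@dataclass(frozen=True)
class Escalation:
    period: str
    kri: str
    value: float
    level: Level


def evaluate(kris: List[KRI], observations: Dict[str, Dict[str, float]]) -> List[Escalation]:
    """Return one Escalation per AMBER or RED reading, in period order."""
    by_name = {k.name: k for k in kris}
    escalations: List[Escalation] = []
    for period, readings in observations.items():
        for name, value in readings.items():
            level = by_name[name].classify(value)
            if level is not Level.GREEN:
                escalations.append(Escalation(period, name, value, level))
    return escalations


def breach_summary(escalations: List[Escalation]) -> Dict[str, int]:
    """Count RED breaches per KRI: input to the periodic review of limits."""
    counts: Dict[str, int] = {}
    for e in escalations:
        if e.level is Level.RED:
            counts[e.kri] = counts.get(e.kri, 0) + 1
    return counts


# Constructed sample KRIs and three months of constructed readings (not real data).
SAMPLE_KRIS = [
    KRI("failed_trade_settlements_per_1000", limit=5.0),
    KRI("privileged_accounts_without_mfa_pct", limit=2.0),
    KRI("critical_patches_within_sla_pct", limit=90.0, higher_is_worse=False, warning_fraction=0.95),
]
SAMPLE_OBSERVATIONS = {
    "2012-07": {"failed_trade_settlements_per_1000": 3.0, "privileged_accounts_without_mfa_pct": 1.5,
                "critical_patches_within_sla_pct": 98.0},
    "2012-08": {"failed_trade_settlements_per_1000": 4.6, "privileged_accounts_without_mfa_pct": 2.4,
                "critical_patches_within_sla_pct": 93.0},
    "2012-09": {"failed_trade_settlements_per_1000": 5.5, "privileged_accounts_without_mfa_pct": 2.1,
                "critical_patches_within_sla_pct": 88.0},
}

if __name__ == "__main__":
    found = evaluate(SAMPLE_KRIS, SAMPLE_OBSERVATIONS)
    for e in found:
        print(f"{e.period} {e.kri}: {e.value} -> {e.level.value}")
    print("breaches per KRI:", breach_summary(found))
```

Two design points worth carrying into a real implementation: the direction of each indicator is explicit, so a floor-type metric cannot be silently treated as a ceiling, and AMBER readings are surfaced separately from RED ones so that management sees an indicator drifting toward its limit before a reportable breach occurs.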

      • OM-8.2.33

        The bank must ensure that the internal pricing and performance measurement mechanisms appropriately take into account operational risk. Where operational risk is not considered, risk-taking incentives might not be appropriately aligned with the risk appetite and tolerance.

        Added: October 2012

      • OM-8.2.34

        Principle 7: Senior management must ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

        Added: October 2012

      • OM-8.2.35

In general, a bank's operational risk exposure is increased when a bank engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products, activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A bank should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems.

        Added: October 2012

      • OM-8.2.36

        A bank must have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should consider:

        (a) Inherent risks in the new product, service, or activity;
        (b) Changes to the bank's operational risk profile and appetite and tolerance, including the risk of existing products or activities;
        (c) The necessary controls, risk management processes, and risk mitigation strategies;
        (d) The residual risk;
        (e) Changes to relevant risk thresholds or limits; and
        (f) The procedures and metrics to measure, monitor, and manage the risk of the new product or activity.
        Added: October 2012

      • OM-8.2.37

        The approval process should also include ensuring that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

        Added: October 2012

    • Monitoring and Reporting

      • OM-8.2.38

        Principle 8: Senior management must implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms must be in place at the board, senior management, and business line levels that support proactive management of operational risk.

        Added: October 2012

      • OM-8.2.39

        Banks are encouraged to continuously improve the quality of operational risk reporting. A bank should ensure that its reports are comprehensive, accurate, consistent and actionable across business lines and products. Reports should be manageable in scope and volume; effective decision-making is impeded by both excessive amounts and paucity of data.

        Added: October 2012

      • OM-8.2.40

Reporting should be timely and a bank should be able to produce reports in both normal and stressed market conditions. The frequency of reporting should reflect the risks involved and the pace and nature of changes in the operating environment. The results of these monitoring activities should be included in regular management and board reports, as should assessments of the Framework performed by the internal audit and/or risk management and compliance functions. Reports generated by (and/or for) supervisory authorities should also be reported internally to senior management and the board, where appropriate.

        Added: October 2012

      • OM-8.2.41

        Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making. Operational risk reports should include:

        (a) Breaches of the bank's risk appetite and tolerance statement, as well as thresholds or limits;
        (b) Details of recent significant internal operational risk events and losses; and
        (c) Relevant external events and any potential impact on the bank and operational risk capital.
        Added: October 2012

      • OM-8.2.42

        Data capture and risk reporting processes should be analysed periodically with a view to continuously enhancing risk management performance as well as advancing risk management policies, procedures and practices.

        Added: October 2012

    • Control and Mitigation

      • OM-8.2.43

        Principle 9: Banks must have a strong control environment that utilises:

        (a) Policies, processes and systems;
        (b) Appropriate internal controls; and
        (c) Appropriate risk mitigation and/or transfer strategies.
        Added: October 2012

      • OM-8.2.44

        Internal controls must be designed to provide assurance that a bank will:

        (a) Have efficient and effective operations;
        (b) Safeguard its assets;
        (c) Produce reliable financial reports; and
        (d) Comply with applicable laws and regulations.
        Added: October 2012

      • OM-8.2.45

        A sound internal control programme consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. These components are outlined in more detail in the Basel Committee paper "Framework for Internal Control Systems in Banking Organisations".

        Added: October 2012

      • OM-8.2.46

        Control processes and procedures should be established and banks should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

        (a) Top-level reviews of the bank's progress towards the stated objectives;
        (b) Verifying compliance with management controls;
        (c) Review of the treatment and resolution of instances of non-compliance;
        (d) Evaluation of required approvals and authorisations to ensure accountability to an appropriate level of management; and
        (e) Tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.
        Added: October 2012

      • OM-8.2.47

An effective internal control environment also requires appropriate segregation of duties. Assignments that establish conflicting duties for individuals or a team, without dual controls or other countermeasures, may enable concealment of losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and subject to careful independent monitoring and review.

        Added: October 2012

      • OM-8.2.48

        In addition to segregation of duties and dual controls, banks should ensure that other traditional internal controls are in place as appropriate to address operational risk. Examples of these controls include:

        (a) Clearly established authorities and/or processes for approval;
        (b) Close monitoring of adherence to assigned risk limits or thresholds;
        (c) Safeguards for access to, and use of, bank assets and records;
        (d) Appropriate staffing level and training to maintain expertise;
        (e) Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
        (f) Regular verification and reconciliation of transactions and accounts; and
        (g) A vacation policy that provides for officers and employees being absent from their duties for a period of not less than two consecutive weeks.
        Added: October 2012

      • OM-8.2.49

        Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that must be addressed through sound technology governance and infrastructure risk management programmes.

        Added: October 2012

      • OM-8.2.50

        The use of technology related products, activities, processes and delivery channels exposes a bank to strategic, operational, and reputational risks and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:

        (a) Governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the bank's business objectives;
        (b) Policies and procedures that facilitate identification and assessment of risk;
        (c) Establishment of a risk appetite and tolerance statement as well as performance expectations to assist in controlling and managing risk;
        (d) Implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
        (e) Monitoring processes that test for compliance with policy thresholds or limits.
        Added: October 2012

      • OM-8.2.51

        Management should ensure the bank has a sound technology infrastructure that:

        (a) Meets current and long-term business requirements by providing sufficient capacity for normal activity levels as well as peaks during periods of market stress;
        (b) Ensures data and system integrity, security, and availability; and
        (c) Supports integrated and comprehensive risk management.
        Added: October 2012

      • OM-8.2.52

        Mergers and acquisitions resulting in fragmented and disconnected infrastructure, cost-cutting measures or inadequate investment can undermine a bank's ability to aggregate and analyse information across risk dimensions or the consolidated enterprise, manage and report risk on a business line or legal entity basis, or oversee and manage risk in periods of high growth. Management should make appropriate capital investment or otherwise provide for a robust infrastructure at all times, particularly before mergers are consummated, high growth strategies are initiated, or new products are introduced.

        Added: October 2012

      • OM-8.2.53

        In those circumstances where internal controls do not adequately address risk and exiting the risk is not a reasonable option, management can complement controls by seeking to transfer the risk to another party such as through insurance. The board of directors should determine the maximum loss exposure the bank is willing and has the financial capacity to assume, and should perform an annual review of the bank's risk and insurance management programme.

        Added: October 2012

      • OM-8.2.54

Because risk transfer is an imperfect substitute for sound controls and risk management programmes, banks should view risk transfer tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly identify, recognise and rectify distinct operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, transfer the risk to another business sector or area, or create a new risk (e.g. counterparty risk).

        Added: October 2012

    • Role of Disclosure

      • OM-8.2.55

        Principle 10: A bank's public disclosures must allow stakeholders to assess its approach to operational risk management.

        Added: October 2012

      • OM-8.2.56

        A bank's public disclosure of relevant operational risk management information can lead to transparency and the development of better industry practice through market discipline. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of a bank's operations, and evolving industry practice. See also Chapter HC-8 and Chapter PD-1 on disclosure requirements.

        Added: October 2012

      • OM-8.2.57

        A bank should disclose its operational risk management Framework in a manner that will allow stakeholders to determine whether the bank identifies, assesses, monitors and controls/mitigates operational risk effectively.

        Added: October 2012

      • OM-8.2.58

        A bank's disclosures should be consistent with how senior management and the board of directors assess and manage the operational risk of the bank.

        Added: October 2012

      • OM-8.2.59

        A bank must have a formal disclosure policy approved by the board of directors that addresses the bank's approach for determining what operational risk disclosures it will make and the internal controls over the disclosure process. In addition, banks must implement a process for assessing the appropriateness of their disclosures, including the verification and frequency of them.

        Added: October 2012