• Fundamental Principles of Operational Risk Management

    • OM-8.2.2

      Principle 1: The board of directors must take the lead in establishing a strong risk management culture. The board of directors and senior management must establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

      Added: October 2012

    • OM-8.2.3

      Banks with a strong culture of risk management and ethical business practices are less likely to experience potentially damaging operational risk events and are better placed to deal effectively with those events that do occur. The actions of the board and senior management, and policies, processes and systems provide the foundation for a sound risk management culture. More details on the role of the board and senior management are to be found in Chapters HC-1, HC-2, and HC-6 as well as in Chapters CM-1 and OM-2.

      Added: October 2012

    • OM-8.2.4

      The board must establish a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identify acceptable business practices and prohibited conflicts (see Section HC-2.2).

      Added: October 2012

    • OM-8.2.5

      Clear expectations and accountabilities ensure that bank staff understand their roles and responsibilities for risk, as well as their authority to act. Strong and consistent senior management support for risk management and ethical behaviour convincingly reinforces codes of conduct and ethics, compensation strategies, and training programmes.

      Added: October 2012

    • OM-8.2.6

      Compensation policies must be aligned to the bank's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They must also appropriately balance risk and reward (see Chapter HC-5 concerning remuneration).

      Added: October 2012

    • OM-8.2.7

      Banks should refer to the Financial Stability Board's Principles for Sound Compensation Practices, published in September 2009, regarding compensation policies.

      Added: October 2012

    • OM-8.2.8

      Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

      Added: October 2012

    • OM-8.2.9

      Principle 2: Banks must develop, implement and maintain a Framework that is fully integrated into the bank's overall risk management processes. The Framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.

      Added: October 2012

    • OM-8.2.10

      The fundamental premise of sound risk management is that the board of directors and bank management understand the nature and complexity of the risks inherent in the portfolio of bank products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.

      Added: October 2012

    • OM-8.2.11

      A vital means of understanding the nature and complexity of operational risk is to have the components of the Framework fully integrated into the overall risk management processes of the bank. The Framework should be appropriately integrated into the risk management processes across all levels of the organisation including those at the group and business line levels, as well as into new business initiatives' products, activities, processes and systems. In addition, results of the bank's operational risk assessment should be incorporated into the overall bank business strategy development processes.

      Added: October 2012

    • OM-8.2.12

      The Framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss. Banks that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their Framework.

      Added: October 2012

    • OM-8.2.13

      Framework documentation must clearly:

      (a) Identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
      (b) Describe the risk assessment tools and how they are used;
      (c) Describe the bank's accepted operational risk appetite and tolerance (see Paragraphs OM-8.2.17 and OM-8.2.18), as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments;
      (d) Describe the bank's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
      (e) Establish risk reporting and Management Information Systems (MIS);
      (f) Provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives;
      (g) Provide for appropriate independent review and assessment of operational risk; and
      (h) Require the policies to be reviewed whenever a material change in the operational risk profile of the bank occurs, and revised as appropriate.

      Added: October 2012