• Governance: The Board of Directors

    • OM-8.2.14

      Principle 3: The board of directors must establish, approve and periodically review the Framework. The board of directors must oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

      Added: October 2012

    • OM-8.2.15

      The board of directors must:

      (a) Establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the bank's strategies and activities, and develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall Framework for managing all risks across the enterprise;
      (b) Provide senior management with clear guidance and direction regarding the principles underlying the Framework and approve the corresponding policies developed by senior management;
      (c) Regularly review the Framework to ensure that the bank has identified and is managing the operational risk arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (e.g. changing business volumes);
      (d) Ensure that the bank's Framework is subject to effective independent review by audit or other appropriately trained parties such as the compliance function; and
      (e) Ensure that, as best practice evolves, management avails itself of these advances.

      Added: October 2012

    • OM-8.2.16

      Strong internal controls are a critical aspect of operational risk management, and the board of directors must establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment must provide appropriate independence/separation of duties between operational risk management functions, business lines and support functions.

      Added: October 2012

    • OM-8.2.17

      Principle 4: The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the bank is willing to assume.

      Added: October 2012

    • OM-8.2.18

      When approving and reviewing the risk appetite and tolerance statement, the board of directors must consider all relevant risks, the bank's level of risk aversion, its current financial condition and the bank's strategic direction. The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a bank and ensure that they are consistent. The board of directors must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.

      Added: October 2012

    • OM-8.2.19

      The board of directors must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review must consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of limit breaches. The board must monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

      Added: October 2012

    • Senior Management

      • OM-8.2.20

        Principle 5: Senior management must develop, for approval by the board of directors, a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank's material products, activities, processes and systems, consistent with the risk appetite and tolerance.

        Added: October 2012

      • OM-8.2.21

        Senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. These must include systems to report, track and, when necessary, escalate issues to ensure resolution. Banks must be able to demonstrate that the three lines of defence (as highlighted in Paragraph OM-8.1.3) approach is operating satisfactorily and to explain how the board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.

        Added: October 2012

      • OM-8.2.22

        Senior management must translate the operational risk management Framework established by the board of directors into specific policies, processes and procedures that can be implemented and verified within the different business units. Senior management must clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk in line with the bank's risk appetite and tolerance statement. Moreover, senior management must ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.

        Added: October 2012

      • OM-8.2.23

        Senior management must ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the bank who are responsible for the procurement of external services such as insurance risk transfer and outsourcing arrangements. Failure to do so could result in significant gaps or overlaps in a bank's overall risk management programme.

        Added: October 2012

      • OM-8.2.24

        A bank's risk management function should be commensurate with the nature, size, complexity and risk profile of the bank's activities. The managers of the corporate operational risk management function should be of sufficient stature within the bank to perform their duties effectively, ideally evidenced by title commensurate with other risk management functions such as credit, market and liquidity risk.

        Added: October 2012

      • OM-8.2.25

        Senior management should ensure that bank activities are conducted by staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.

        Added: October 2012

      • OM-8.2.26

        A bank's governance structure should be commensurate with the nature, size, complexity and risk profile of its activities. When designing the operational risk governance structure, a bank must take the following into consideration:

        (a) Committee structure;
        (b) Committee composition; and
        (c) Committee operation.

        Added: October 2012

      • OM-8.2.27

        Sound industry practice for larger and more complex organisations with a central group function and separate business units is to utilise a board-created enterprise level risk committee for overseeing all risks, to which a management level operational risk committee reports. Depending on the nature, size and complexity of the bank, the enterprise level risk committee may receive input from operational risk committees by country, business or functional area. Smaller and less complex organisations may utilise a flatter organisational structure that oversees operational risk directly within the board's risk management committee.

        Added: October 2012

      • OM-8.2.28

        Sound industry practice is for operational risk committees (or the risk committee in smaller banks) to include a combination of members with expertise in business activities and in finance, as well as in independent risk management (refer to Module HC for details on committee membership).

        Added: October 2012

      • OM-8.2.29

        Committee meetings should be held at appropriate frequencies with adequate time and resources to permit productive discussion and decision-making. Records of committee operations should be adequate to permit review and evaluation of committee effectiveness.

        Added: October 2012