• Control and Mitigation

    • OM-8.2.43

      Principle 9: Banks must have a strong control environment that utilises:

      (a) Policies, processes and systems;
      (b) Appropriate internal controls; and
      (c) Appropriate risk mitigation and/or transfer strategies.

      Added: October 2012

    • OM-8.2.44

      Internal controls must be designed to provide assurance that a bank will:

      (a) Have efficient and effective operations;
      (b) Safeguard its assets;
      (c) Produce reliable financial reports; and
      (d) Comply with applicable laws and regulations.

      Added: October 2012

    • OM-8.2.45

      A sound internal control programme consists of five components that are integral to the risk management process: control environment, risk assessment, control activities, information and communication, and monitoring activities. These components are outlined in more detail in the Basel Committee paper "Framework for Internal Control Systems in Banking Organisations".

      Added: October 2012

    • OM-8.2.46

      Control processes and procedures should be established and banks should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

      (a) Top-level reviews of the bank's progress towards the stated objectives;
      (b) Verifying compliance with management controls;
      (c) Review of the treatment and resolution of instances of non-compliance;
      (d) Evaluation of required approvals and authorisations to ensure accountability to an appropriate level of management; and
      (e) Tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.

      Added: October 2012

    • OM-8.2.47

      An effective internal control environment also requires appropriate segregation of duties. Assignments that establish conflicting duties for individuals, or a team without dual controls or other countermeasures may enable concealment of losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and subject to careful independent monitoring and review.

      Added: October 2012

    • OM-8.2.48

      In addition to segregation of duties and dual controls, banks should ensure that other traditional internal controls are in place as appropriate to address operational risk. Examples of these controls include:

      (a) Clearly established authorities and/or processes for approval;
      (b) Close monitoring of adherence to assigned risk limits or thresholds;
      (c) Safeguards for access to, and use of, bank assets and records;
      (d) Appropriate staffing level and training to maintain expertise;
      (e) Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
      (f) Regular verification and reconciliation of transactions and accounts; and
      (g) A vacation policy that provides for officers and employees being absent from their duties for a period of not less than two consecutive weeks.

      Added: October 2012

    • OM-8.2.49

      Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that must be addressed through sound technology governance and infrastructure risk management programmes.

      Added: October 2012

    • OM-8.2.50

      The use of technology related products, activities, processes and delivery channels exposes a bank to strategic, operational, and reputational risks and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:

      (a) Governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the bank's business objectives;
      (b) Policies and procedures that facilitate identification and assessment of risk;
      (c) Establishment of a risk appetite and tolerance statement as well as performance expectations to assist in controlling and managing risk;
      (d) Implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
      (e) Monitoring processes that test for compliance with policy thresholds or limits.

      Added: October 2012

    • OM-8.2.51

      Management should ensure the bank has a sound technology infrastructure that:

      (a) Meets current and long-term business requirements by providing sufficient capacity for normal activity levels as well as peaks during periods of market stress;
      (b) Ensures data and system integrity, security, and availability; and
      (c) Supports integrated and comprehensive risk management.

      Added: October 2012

    • OM-8.2.52

      Mergers and acquisitions resulting in fragmented and disconnected infrastructure, cost-cutting measures or inadequate investment can undermine a bank's ability to aggregate and analyse information across risk dimensions or the consolidated enterprise, manage and report risk on a business line or legal entity basis, or oversee and manage risk in periods of high growth. Management should make appropriate capital investment or otherwise provide for a robust infrastructure at all times, particularly before mergers are consummated, high growth strategies are initiated, or new products are introduced.

      Added: October 2012

    • OM-8.2.53

      In those circumstances where internal controls do not adequately address risk and exiting the risk is not a reasonable option, management can complement controls by seeking to transfer the risk to another party such as through insurance. The board of directors should determine the maximum loss exposure the bank is willing and has the financial capacity to assume, and should perform an annual review of the bank's risk and insurance management programme.

      Added: October 2012

    • OM-8.2.54

      Because risk transfer is an imperfect substitute for sound controls and risk management programmes, banks should view risk transfer tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly identify, recognise and rectify distinct operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, transfer the risk to another business sector or area, or create a new risk (e.g. counterparty risk).

      Added: October 2012