OM-1.1 Operational Risk Management Framework
Overview
OM-1.1.1
This chapter contains the requirements relating to operational risk management. It sets out the requirements for an appropriate risk management environment. Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, including internal frauds, or from external events, including external frauds. This definition includes legal and Shari'a non-compliance risks, but excludes strategic and reputational risk. Legal risk is the risk arising from the potential that unenforceable contracts, lawsuits or adverse judgments may disrupt or otherwise negatively affect the operations or financial condition of a bank. As legal risk is one type of operational risk, banks should ensure that all requirements included in this Module are also applied to the management of legal risk.
Added: January 2020
OM-1.1.2
Operational risk is inherent in all types of bank activities, and can result in substantial losses. Sound operational risk governance, therefore, relies upon three lines of defence:
(a) Business line management;
(b) An independent operational risk management unit; and
(c) Internal Audit and functions that provide independent assurance.
Added: January 2020
OM-1.1.3
All new products and services must be reviewed for operational risks prior to their implementation. A bank's internal auditors play an important role in controlling operational risks and should include operational risk in the scope of internal audits.
Added: January 2020
OM-1.1.4
Shari'a non-compliance is a unique risk for Licensees offering Shari'a-compliant products and services through Islamic windows, resulting from non-compliance with the rules and principles of Shari'a. It is crucial to identify the Shari'a non-compliance risk inherent in different kinds of Shari'a-compliant contracts, and to outline a set of variables that help to estimate the likelihood and severity of Shari'a non-compliance risk. Refer to Appendix B for Shari'a requirements on financing contracts.
Added: January 2020
Establishing a Strong Risk Culture
OM-1.1.5
The Board of Directors must take the lead in establishing a strong operational risk management culture in the bank that supports and provides appropriate standards and incentives for effectively managing operational risk and for promoting professional and responsible behaviour.
Added: January 2020
OM-1.1.6
For branches of foreign bank licensees, all references in this Module to the board of directors should be interpreted as the Head Office/Regional Office unless such responsibility is formally delegated to a committee at the branch level.
Added: January 2020
Operational Risk Management Framework
OM-1.1.7
Conventional bank licensees must develop, implement and maintain an Operational Risk Management Framework (ORMF) that is fully integrated into the bank's overall risk management processes. The ORMF must consider a range of factors, including the nature, size, complexity and risk profile of the bank.
Added: January 2020
OM-1.1.8
The Board of Directors and senior management should understand the nature and complexity of the risks inherent in the portfolio of bank products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.
Added: January 2020
OM-1.1.9
A bank must ensure that its ORMF is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems. The ORMF must be comprehensively and appropriately documented.
Added: January 2020
OM-1.1.10
At minimum, the ORMF documentation must:
(a) Identify the governance structures used to manage operational risk, including roles, responsibilities, reporting lines and accountabilities;
(b) Identify the policy for approval of policies by the Board;
(c) Describe the risk assessment processes and tools and how they are used;
(d) Describe the bank's accepted operational risk appetite and tolerance (see Paragraphs OM-1.2.2 to OM-1.2.4), and the approach to setting thresholds or limits for inherent and residual risk, and approved risk mitigation strategies;
(e) Establish risk reporting and Management Information Systems ('MIS');
(f) Provide a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives; and
(g) Provide for appropriate independent review and assessment of operational risk.
Added: January 2020