Operational Risk Management Framework
OM-1.1.7
Conventional bank licensees must develop, implement and maintain an Operational Risk Management Framework (ORMF) that is fully integrated into the bank's overall risk management processes. The ORMF must consider a range of factors, including the nature, size, complexity and risk profile of the bank.
Added: January 2020
OM-1.1.8
The Board of Directors and senior management should understand the nature and complexity of the risks inherent in the portfolio of bank products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.
Added: January 2020
OM-1.1.9
A bank must ensure that its ORMF is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems. The ORMF must be comprehensively and appropriately documented.
Added: January 2020
OM-1.1.10
At minimum, the ORMF documentation must:
(a) Identify the governance structures used to manage operational risk, including roles, responsibilities, reporting lines and accountabilities;
(b) Identify policy for approval of policies by the Board;
(c) Describe the risk assessment processes and tools and how they are used;
(d) Describe the bank's accepted operational risk appetite and tolerance (see Paragraphs OM-1.2.2 to OM-1.2.4), and the approach to setting thresholds or limits for inherent and residual risk, and approved risk mitigation strategies;
(e) Establish risk reporting and Management Information Systems ('MIS');
(f) Provide a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives; and
(g) Provide for appropriate independent review and assessment of operational risk.
Added: January 2020