• OM-1.2 Operational Risk Governance

    • OM-1.2.1

      The Board of Directors must:

      (a) Establish, approve and regularly review the operational risk management policy;
      (b) Ensure that senior management establish, approve and regularly review supporting policies, procedures, systems and processes in line with the nature and scope of the operational risks inherent in the bank's products, services and activities, and implement comprehensive, dynamic oversight and control environments that are fully integrated into, or coordinated with, the overall ORMF for managing all risks across the bank; and
      (c) Ensure that the bank's ORMF is subject to effective independent review (See Paragraph OM-1.6.1).

      Added: January 2020

    • Risk appetite

      • OM-1.2.2

        The Board of Directors must approve and review the risk appetite and tolerance statement for operational risk that articulates the nature, the types and levels of operational risk that the bank is willing to assume.

        Added: January 2020

      • OM-1.2.3

        When approving and reviewing the risk appetite and tolerance statement, the Board of Directors should consider all relevant risks, the bank's level of risk aversion, its current financial condition and the bank's strategic direction. The Board of Directors should approve appropriate thresholds or limits for specific operational risks.

        Added: January 2020

      • OM-1.2.4

        In addition to the review of material operational risks and limits, the Board should also consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management and mitigation strategies, loss experience, and the frequency, volume and nature of limit breaches.

        Added: January 2020

      • OM-1.2.5

        The Board must monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

        Added: January 2020

      • OM-1.2.6

        Senior management is responsible for consistently implementing and maintaining throughout the organisation, the policy, procedures, processes and systems for managing operational risk in all of the bank's products, activities, processes and systems.

        Added: January 2020

      • OM-1.2.7

        Banks must establish, commensurate with their nature, size and complexity, an Operational Risk Management Unit (ORMU), independent of the risk-generating business lines, which is responsible for the design, maintenance and ongoing development of the ORMF within the bank. The ORMU must be adequately staffed with skilled resources.

        Added: January 2020

      • OM-1.2.8

        Senior management is responsible for establishing and maintaining effective channels for internal review of operational risk issues, as well as ensuring adequate resolution processes. These should include systems to report, track and, when necessary, escalate issues to ensure resolution. Banks should be able to demonstrate that the three lines of defence approach (as highlighted in Paragraph OM-1.1.2) is operating satisfactorily and to explain how the Board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.

        Added: January 2020

      • OM-1.2.9

        Senior management must translate the ORMF into specific processes and procedures that can be implemented and verified within the different business units. Senior management must clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk in line with the bank's risk appetite and tolerance statement. Furthermore, senior management must ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.

        Added: January 2020

      • OM-1.2.10

        Senior management should ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, liquidity and other risks, as well as with those in the bank who are responsible for the procurement of external services, such as insurance risk transfer and outsourcing arrangements. Failure to do so could result in significant gaps or overlaps in a bank's overall risk management programme.

        Added: January 2020

      • OM-1.2.11

        The Head of the ORMU must be of sufficient stature within the bank to perform his duties effectively, ideally evidenced by a title commensurate with other risk management units, such as credit, market and liquidity risk.

        Added: January 2020

      • OM-1.2.12

        Senior management must ensure that bank activities are conducted by staff with the necessary experience, qualifications, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the bank's risk policies must be independent from the units they oversee.

        Added: January 2020

      • OM-1.2.13

        Senior management must ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. The training that is provided must reflect the seniority, role and responsibilities of the individuals for whom it is intended.

        Added: January 2020

      • OM-1.2.14

        A bank's risk governance structure should be commensurate with the nature, size, operational complexity and risk profile of its activities. When designing the operational risk governance structure, a bank should take the following into consideration:

        (a) Committee structure;
        (b) Committee composition; and
        (c) Committee operation.

        Added: January 2020

      • OM-1.2.15

        Sound industry practice is for Operational Risk Committees (or the Risk Committee) to include a combination of members with expertise in business activities and finance, as well as risk managers.

        Added: January 2020

      • OM-1.2.16

        Committee meetings should be held at appropriate frequencies, with adequate time and resources to permit productive discussion and decision-making. Records of committee meetings should be adequate to permit review and evaluation of committee effectiveness.

        Added: January 2020