• OM-1.3 Identification, Measurement, Monitoring and Control

    • OM-1.3.1

      As part of an effective ORMF, banks must have policies, procedures and systems for the identification, measurement, monitoring, mitigation and control of the operational risk inherent in all products, services, activities, processes and systems.

      Added: January 2020

    • OM-1.3.2

      Risk identification and assessment are fundamental characteristics of an effective ORMF. Effective risk identification considers both internal factors (such as the bank's structure, the nature of the bank's activities, the quality of the bank's human resources, organisational changes and employee turnover) and external factors (such as changes in the broader environment and the industry and advances in technology). Sound risk assessment allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively. Banks may use the classification categories contained in Appendix A for determining and classifying operational risk events.

      Added: January 2020

    • OM-1.3.3

      Examples of tools that may be used for identifying and assessing operational risk include:

      (a) Audit Findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors;
      (b) Internal Loss Data Collection and Analysis: Internal operational loss data provides meaningful information for assessing a bank's exposure to operational risk and the effectiveness of internal controls. Analysis of loss events can provide insight into the causes of large losses and information on whether control failures are isolated or systematic. Banks may also find it useful to capture and monitor operational risk contributions to credit and market risk related losses in order to obtain a more complete view of their operational risk exposure;
      (c) External Data Collection and Analysis: External data elements consist of gross operational loss amounts, dates, recoveries, and relevant causal information for operational loss events occurring at organisations other than the bank. External loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures;
      (d) Risk Assessments: In a risk assessment, often referred to as a Risk Self-Assessment ('RSA'), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, Risk Control Self-Assessments ('RCSA'), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered). Scorecards build on RCSAs by weighting residual risks to provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment;
      (e) Business Process Mapping: Business process mappings identify the key steps in business processes, activities and organisational functions. They also identify the key risk points in the overall business process. Process maps can reveal individual risks, risk interdependencies, and areas of control or risk management weakness. They also can help prioritise subsequent management action;
      (f) Risk and Performance Indicators: Risk and performance indicators are risk metrics and/or statistics that provide insight into a bank's risk exposure. Risk indicators, often referred to as Key Risk Indicators ('KRIs'), are used to monitor the main drivers of exposure associated with key risks. Performance indicators, often referred to as Key Performance Indicators ('KPIs'), provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans;
      (g) Scenario Analysis: Scenario analysis is a process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance ORMF is essential to ensure the integrity and consistency of the process;
      (h) Measurement: Banks may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure. The results of the model can be used in an economic capital process and can be allocated to business lines to link risk and return; and
      (i) Comparative Analysis: Comparative analysis consists of comparing the results of the various assessment tools to provide a more comprehensive view of the bank's operational risk profile. For example, comparison of the frequency and severity of internal data with RCSAs can help the bank determine whether self-assessment processes are functioning effectively. Scenario data can be compared to internal and external data to gain a better understanding of the severity of the bank's exposure to potential risk events.

      Added: January 2020

    • OM-1.3.4

      Banks should ensure that their internal pricing and performance measurement mechanisms appropriately take into account operational risk measures commensurate with the nature, size and complexity of their business operations.

      Added: January 2020

    • New Products, Process and Change Management

      • OM-1.3.5

        In general, a bank's operational risk exposure is increased when a bank engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products, activities, procedures, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations.

        Added: January 2020

      • OM-1.3.6

        A bank must have a policy and procedures for review and approval of new products, services, activities, procedures, processes and systems. The review and approval process must consider, as appropriate, the following:

        (a) Inherent and residual risks;
        (b) Changes to the bank's operational risk profile and appetite and tolerance;
        (c) The necessary controls, risk management processes and risk mitigation strategies;
        (d) Changes to relevant risk thresholds or limits; and
        (e) The procedures and metrics to measure, monitor, and manage the risk.

        Added: January 2020

      • OM-1.3.7

        The approval process must also ensure that adequate and well trained human resources and appropriate technology infrastructure are in place before new products, services, activities, procedures, processes or systems are introduced. The implementation of new products, activities, procedures, processes and systems must be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

        Added: January 2020

      • OM-1.3.8

        The use of technology-related products, services, activities, processes and delivery channels exposes a bank to strategic, operational and reputational risks, and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:

        (a) Governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with, and supportive of, the bank's business objectives;
        (b) Policy and procedures that facilitate identification and assessment of risk;
        (c) Establishment of a risk appetite and tolerance statement, as well as performance expectations to assist in controlling and managing risk;
        (d) Implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
        (e) Monitoring processes that test for compliance with policy thresholds or limits.

        Added: January 2020

    • Monitoring and Reporting

      • OM-1.3.9

        Senior management must implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms must be in place at the board, senior management, and business line levels that support proactive management of operational risk.

        Added: January 2020

      • OM-1.3.10

        Banks must ensure that the operational risk reports are comprehensive, accurate, consistent and actionable across business lines and products.

        Added: January 2020

      • OM-1.3.11

        Reporting should be timely, and the bank must be able to produce reports in both normal and stressed market conditions. The frequency of reporting must reflect the risks involved and the pace and nature of changes in the operating environment. The results of these monitoring activities must be included in regular management and Board reports. Reports generated by (and/or for) supervisory authorities must also be reported internally to senior management and the Board, where appropriate.

        Added: January 2020

      • OM-1.3.12

        Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision-making. Operational risk reports should include:

        (a) Breaches of the bank's risk appetite and tolerance statement, as well as thresholds or limits;
        (b) Details of recent significant internal operational risk events and losses; and
        (c) Relevant external events and any potential impact on the bank and operational risk capital.

        Added: January 2020

      • OM-1.3.13

        Data capture and risk reporting processes should be analysed periodically with a view to continuously enhancing risk management performance, as well as advancing risk management policy, procedures and practices.

        Added: January 2020

    • Controls and Mitigation

      • OM-1.3.14

        Banks must have a strong control environment that utilises policies, procedures, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.

        Added: January 2020

      • OM-1.3.15

        Strong internal controls are a critical aspect of operational risk management, and banks should establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence and separation of duties between the operational risk management unit, business lines and support functions.

        Added: January 2020

      • OM-1.3.16

        An effective internal control environment also requires appropriate segregation of duties. Assignments that establish conflicting duties for individuals, or for a team without dual controls or other countermeasures, may enable concealment of losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest must be identified, minimised, and subject to careful independent monitoring and review.

        Added: January 2020

      • OM-1.3.17

        In addition to segregation of duties and dual controls, banks should ensure that other traditional internal controls are in place, as appropriate, to address operational risk. Examples of these controls include:

        (a) Clearly established authorities and/or processes for approval;
        (b) Close monitoring of adherence to assigned risk limits or thresholds;
        (c) Safeguards for access to, and use of, bank assets and records;
        (d) Appropriate staffing level and training to maintain expertise;
        (e) Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
        (f) Regular verification and reconciliation of transactions and accounts; and
        (g) A vacation policy in line with Bahrain Labour Law.

        Amended: April 2022
        Added: January 2020

      • OM-1.3.18

        Internal control consists of five interrelated components:

        (a) Control environment: The Board of Directors and senior management are responsible for promoting high ethical and integrity standards, and for establishing a culture within the organisation that emphasises and demonstrates to all levels of personnel the importance of internal controls. All personnel at a banking organisation need to understand their role in the internal controls process and be fully engaged in the process;
        (b) Risk assessment: An effective internal control system requires that the material risks that could adversely affect the achievement of the bank's goals are recognised and continually assessed. This assessment should cover all risks facing the bank and the consolidated banking organisation (that is, credit risk, country and transfer risk, market risk, profit rate risk, liquidity risk, operational risk, legal risk and reputational risk). Internal controls may need to be revised to appropriately address any new or previously uncontrolled risks;
        (c) Control activities: Control activities should be an integral part of the daily activities of a bank. An effective internal control system requires that an appropriate control structure is set up, with control activities defined at every business level. These should include: Top level reviews; appropriate activity controls for different departments or divisions; physical controls; checking for compliance with exposure limits and follow-up on non-compliance; a system of approvals and authorisations; and a system of verification and reconciliation;
        (d) Information and communication: An effective internal control system requires that there are adequate and comprehensive internal financial, operational and compliance data, as well as external market information about events and conditions that are relevant to decision-making. Information should be reliable, timely, accessible, and provided in a consistent format. It requires that there are reliable information systems in place that cover all significant activities of the bank. These systems, including those that hold and use data in an electronic form, must be secure, monitored independently and supported by adequate contingency arrangements. It also requires effective channels of communication to ensure that all staff fully understand and adhere to policy and procedures affecting their duties and responsibilities and that other relevant information is reaching the appropriate personnel; and
        (e) Monitoring activities: The overall effectiveness of the bank's internal controls should be monitored on an ongoing basis. Monitoring of key risks should be part of the daily activities of the bank, as well as periodic evaluations by the business lines and internal audit. There should be an effective and comprehensive internal audit of the internal control system carried out by operationally independent, appropriately trained and competent staff. The Internal Audit function, as part of the monitoring of the system of internal controls, should report directly to the Board of Directors or its Audit Committee, and to senior management. Internal control deficiencies, whether identified by business line, Internal Audit, or other control personnel, should be reported in a timely manner to the appropriate management level and addressed promptly. Material internal control deficiencies should be reported to senior management and the Board of Directors.

        Added: January 2020

      • OM-1.3.19

        Control processes and procedures should be established and banks should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

        (a) Top-level reviews of the bank's progress towards the stated objectives;
        (b) Verifying compliance with management controls;
        (c) Review of the treatment and resolution of instances of non-compliance;
        (d) Evaluation of required approvals and authorisations to ensure accountability to an appropriate level of management; and
        (e) Tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.

        Added: January 2020

      • OM-1.3.20

        Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that should be addressed through sound technology governance and infrastructure risk management programmes.

        Added: January 2020

      • OM-1.3.21

        Management must ensure the bank has a sound technology infrastructure that:

        (a) Meets current and long-term business requirements by providing sufficient capacity for normal activity levels, as well as peaks during periods of market stress;
        (b) Ensures data and system integrity, security, and availability; and
        (c) Supports integrated and comprehensive risk management.

        Added: January 2020

      • OM-1.3.22

        Mergers and acquisitions resulting in fragmented and disconnected infrastructure, cost-cutting measures or inadequate investment can undermine a bank's ability to aggregate and analyse information across risk dimensions or the consolidated enterprise, manage and report risk on a business line or legal entity basis, or oversee and manage risk in periods of high growth. Management should make appropriate capital investment or otherwise provide for a robust infrastructure at all times, particularly before mergers are consummated, high growth strategies are initiated, or new products are introduced.

        Added: January 2020

      • OM-1.3.23

        In those circumstances where internal controls do not adequately address risk and exiting the risk is not a reasonable option, management can complement controls by seeking to transfer the risk to another party, for example through insurance. The Board of Directors should determine the maximum loss exposure the bank is willing, and has the financial capacity, to assume, and should perform a regular review of the bank's risk and insurance management programme.

        Added: January 2020

      • OM-1.3.24

        Because risk transfer is an imperfect substitute for sound controls and risk management programmes, banks should view risk transfer tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly identify, recognise and rectify distinct operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, transfer the risk to another business sector or area, or create a new risk (e.g. counterparty risk).

        Added: January 2020