• New Products, Process and Change Management

    • OM-1.3.5

      In general, a bank's operational risk exposure is increased when a bank engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products, activities, procedures, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations.

      Added: January 2020

    • OM-1.3.6

      A bank must have a policy and procedures for review and approval of new products, services, activities, procedures, processes and systems. The review and approval process must consider, as appropriate, the following:

      (a) Inherent and residual risks;
      (b) Changes to the bank's operational risk profile and appetite and tolerance;
      (c) The necessary controls, risk management processes and risk mitigation strategies;
      (d) Changes to relevant risk thresholds or limits; and
      (e) The procedures and metrics to measure, monitor, and manage the risk.

      Added: January 2020

    • OM-1.3.7

      The approval process must also ensure that adequate and well-trained human resources and appropriate technology infrastructure are in place before new products, services, activities, procedures, processes or systems are introduced. The implementation of new products, activities, procedures, processes and systems must be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

      Added: January 2020

    • OM-1.3.8

      The use of technology-related products, services, activities, processes and delivery channels exposes a bank to strategic, operational and reputational risks, and the possibility of material financial loss. Consequently, a bank should have an integrated approach to identifying, measuring, monitoring and managing technology risks. Sound technology risk management uses the same precepts as operational risk management and includes:

      (a) Governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with, and supportive of, the bank's business objectives;
      (b) Policy and procedures that facilitate identification and assessment of risk;
      (c) Establishment of a risk appetite and tolerance statement, as well as performance expectations to assist in controlling and managing risk;
      (d) Implementation of an effective control environment and the use of risk transfer strategies that mitigate risk; and
      (e) Monitoring processes that test for compliance with policy thresholds or limits.

      Added: January 2020