• Chapter RM-5 Operational Risk

    • RM-5.1 Operational Risk

      • RM-5.1.1

        Investment firm licensees must document their framework for the proactive management of operational risk. This policy must be approved and regularly reviewed by the Board of Directors of the licensee.

        Adopted: July 2007

      • RM-5.1.2

        Operational risk is the risk to the licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In identifying the types of operational risk losses that it may be exposed to, a licensee should consider, for instance, the following:

        (a) The nature of a licensee's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;
        (b) The design, implementation, and operation of the processes and systems used in the end-to-end operating cycle for a licensee's products and activities;
        (c) The risk culture and human resource management practices at a licensee; and
        (d) The business operating environment, including political, legal, socio-demographic, technological, and economic factors as well as the competitive environment and market structure.

        Adopted: July 2007

      • RM-5.1.3

        A licensee should recognise that it may face significant operational exposures from a product or activity that may not be material to its business strategy. A licensee should consider the appropriate level of detail at which risk identification is to take place, and may wish to manage the operational risks that it faces in risk categories that are appropriate to its organisational and legal structures.

        Adopted: July 2007

      • RM-5.1.4

        Investment firm licensees must consider the impact of operational risks on their financial resources and solvency.

        Adopted: July 2007

      • RM-5.1.5

        An investment firm licensee's operational risk policy must outline the licensee's strategy and objectives for operational risk management and the processes, including internal controls and risk management mechanisms that it intends to adopt to achieve these objectives.

        Adopted: July 2007

      • RM-5.1.6

        When assessing its operational risks, a licensee may be able to differentiate between expected and unexpected operational losses. A licensee should consider whether it is appropriate to adopt a more quantitative approach to the assessment of its expected operational losses, for example by defining tolerance, setting thresholds, and measuring and monitoring operational losses and exposures. In contrast, a licensee may wish to take a more qualitative approach to assessing its unexpected losses.

        Adopted: July 2007

      • RM-5.1.7

        Although a licensee may currently be unable to assess certain operational risks with a high degree of accuracy or consistency, it should, according to the nature, scale and complexity of its business, consider the use of more sophisticated qualitative and quantitative techniques as they become available.

        Adopted: July 2007

      • RM-5.1.8

        Investment firm licensees must establish mechanisms to ensure adequate internal controls are in place.

        Adopted: July 2007

      • RM-5.1.9

        For the purposes of RM-5.1.8, internal controls for investment firm licensees should include books and records requirements, appropriate organisation structure, segregation of duties, and related controls that are designed to safeguard entity and client assets.

        Adopted: July 2007

      • RM-5.1.10

        Investment firm licensees must establish mechanisms to verify that controls, once established, are being followed. The verification procedures must include internal audits, which must be independent of trading desks and the revenue side of the business.

        Adopted: July 2007

      • RM-5.1.11

        In establishing mechanisms and controls, the investment firm licensee should consider:

        (a) Corporate structure;
        (b) Delegation of authorities;
        (c) Outsourcing of functions;
        (d) Financial and human resources;
        (e) Risk management tools and processes;
        (f) Administrative systems and procedures;
        (g) Audit trail;
        (h) Nature and complexity of client service and fee arrangements;
        (i) Investment decision procedures;
        (j) Management information systems;
        (k) Compliance history and procedures;
        (l) Complaints by investors;
        (m) Regulatory actions; and
        (n) Follow up on regulatory actions and inspection observations.

        Adopted: July 2007

      • RM-5.1.12

        An investment firm licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

        Adopted: July 2007

      • RM-5.1.13

        Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however, investment firm licensees cannot ignore the nature of risks to which they are exposed.

        Adopted: July 2007

      • Risk Monitoring and Controlling

        • RM-5.1.14

          When monitoring their operational risk, investment firm licensees must:

          (a) Report regularly to the relevant level of management their operational exposures, loss experience (including if possible cumulative losses), and authorised deviations from the investment firm licensee's operational risk policy;
          (b) Engage in exception-based escalation to management of:
              (i) Unauthorised deviations from the investment firm licensee's operational risk policy;
              (ii) Likely or actual breaches in predefined thresholds for operational exposures and losses, where set; and
              (iii) Significant increases in the investment firm licensee's exposure to operational risk or alterations to its operational risk profile.

          Adopted: July 2007

      • Record Keeping

        • RM-5.1.15

          Investment firm licensees must retain an appropriate record of their operational risk management activities.

          Adopted: July 2007

        • RM-5.1.16

          RM-5.1.15 may, for example, include records of:

          (a) The results of risk identification, measurement, and monitoring activities;
          (b) Actions taken to control identified risks;
          (c) Where relevant, any exposure thresholds that have been set for identified operational risks;
          (d) An assessment of the effectiveness of the risk control tools that are used; and
          (e) Actual operational risk losses or events against stated risk appetite or tolerance.

          Adopted: July 2007