• OM-1 General Requirements

    • OM-1.1 Overview

      • OM-1.1.1

        This Module provides guidance and rules for operational risk and sets out requirements for an appropriate risk management environment, including outsourcing, electronic financing activities, business continuity and security measures.

        January 2014

      • OM-1.1.2

        Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk[1], but excludes strategic and reputational risk.

        [1] Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

        January 2014

      • OM-1.1.3

        Operational risk is inherent in all types of licensees' transactions and activities, processes and systems, and the effective management of operational risk must be a fundamental element of a licensee's risk management programme. Sound operational risk governance relies upon three lines of defence:

        (a) Business line management;
        (b) An independent operational risk management function; and
        (c) Independent review functions.
        January 2014

    • OM-1.2 Developing an Appropriate Risk Management Environment

      • OM-1.2.1

        Licensee's management must implement policies and procedures to manage risks arising out of a licensee's activities. The licensee must maintain written policies and procedures that identify the risk tolerances approved by the Board of Directors and must clearly delineate lines of authority and responsibility for managing the risks. Licensees' employees and credit officers in particular must be fully aware of all policies and procedures that relate to their specific duties.

        January 2014

      • OM-1.2.2

        The board of directors must take the lead in establishing a strong risk management culture. The board of directors and senior management must establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.

        January 2014

      • OM-1.2.3

        The operational risk management function must be functionally independent of the risk generating business lines and will be responsible for the design, maintenance and ongoing development of the operational risk framework within the licensee.

        January 2014

      • OM-1.2.4

        For the purpose of Paragraph OM-1.2.3, 'functionally independent' means that the risk management function cannot report hierarchically and/or functionally to any person or function that is directly responsible for risk generation.

        January 2014

      • OM-1.2.5

        The operational risk management function should include the operational risk measurement and reporting processes, risk committees and responsibility for board reporting. A key function of the operational risk management function is to challenge the business lines' inputs to, and outputs from, the licensee's risk management, risk measurement and reporting systems. The operational risk management function should have a sufficient number of personnel skilled in the management of operational risk to effectively address its many responsibilities.

        January 2014

      • OM-1.2.6

        Both the board and senior management are responsible for creating an organisational culture that places high priority on effective operational risk management and adherence to sound operating controls. Operational risk management is most effective where a licensee's culture emphasises high standards of ethical behaviour at all levels of the licensee. The board and senior management should promote an organisational culture which establishes through both actions and words the expectations of integrity for all employees in conducting the business of the licensee.

        January 2014

      • The Board of Directors

        • OM-1.2.7

          The board of directors must establish, approve and periodically review the framework. The board of directors must oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.

          January 2014

        • OM-1.2.8

          The board of directors must:

          (a) Establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the licensee's strategies and activities, and develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall framework for managing all risks across the enterprise;
          (b) Provide senior management with clear guidance and direction regarding the principles underlying the framework and approve the corresponding policies developed by senior management;
          (c) Regularly review the framework to ensure that the licensee has identified and is managing the operational risk arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (e.g. changing business volumes);
          (d) Ensure that the licensee's framework is subject to effective independent review by audit or other appropriately trained parties such as the compliance function; and
          (e) Ensure that as best practice evolves, management is availing themselves of these advances.
          January 2014

        • OM-1.2.9

          Strong internal controls are a critical aspect of operational risk management, and the board of directors must establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment must provide appropriate independence/separation of duties between operational risk management functions, business lines and support functions.

          January 2014

      • The Role of Committees

        • OM-1.2.10

          A licensee's governance structure should be commensurate with the nature, size, complexity and risk profile of its activities. When designing the operational risk governance structure, a licensee must take the following into consideration:

          (a) Committee structure;
          (b) Committee composition; and
          (c) Committee operation.
          January 2014

        • OM-1.2.11

          Sound industry practice for larger and more complex organisations with a central group function and separate business units is to utilise a board-created enterprise level risk committee for overseeing all risks, to which a management level operational risk committee reports. Depending on the nature, size and complexity of the licensee, the enterprise level risk committee may receive input from operational risk committees by country, business or functional area. Smaller and less complex organisations may utilise a flatter organisational structure that oversees operational risk directly within the board's risk management committee.

          January 2014

        • OM-1.2.12

          Sound industry practice is for operational risk committees (or the risk committee in smaller licensees) to include a combination of members with expertise in business activities and financial, as well as independent risk management.

          January 2014

      • Risk Appetite and Tolerance

        • OM-1.2.13

          The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the licensee is willing to assume.

          January 2014

        • OM-1.2.14

          When approving and reviewing the risk appetite and tolerance statement, the board of directors must consider all relevant risks, the licensee's level of risk aversion, its current financial condition and the licensee's strategic direction. The board of directors must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance.

          January 2014

        • OM-1.2.15

          The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a licensee and ensure that they are consistent.

          January 2014

        • OM-1.2.16

          The board of directors must regularly review the appropriateness of limits and the overall operational risk appetite and tolerance statement. This review must consider changes in the external environment, material increases in business or activity volumes, the quality of the control environment, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of limit breaches. The board must monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

          January 2014

        • OM-1.2.17

          The licensee must ensure that the internal pricing and performance measurement mechanisms appropriately take into account operational risk. Where operational risk is not considered, risk-taking incentives might not be appropriately aligned with the risk appetite and tolerance.

          January 2014

      • Ethics Policy

        • OM-1.2.18

          The board of directors must establish a code of conduct or an ethics policy that sets clear expectations for integrity and ethical values of the highest standard and identify acceptable business practices and prohibited conflicts (See Section HC-2.2).

          January 2014

        • OM-1.2.19

          Clear expectations and accountabilities ensure that staff understand their roles and responsibilities for risk, as well as their authority to act. Strong and consistent senior management support for risk management and ethical behaviour convincingly reinforces codes of conduct and ethics, compensation strategies, and training programmes.

          January 2014

      • Compensation Policies

        • OM-1.2.20

          Compensation policies must be aligned to the licensee's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They must also appropriately balance risk and reward.

          January 2014

      • Operational Risk Training

        • OM-1.2.21

          Senior management should ensure that an appropriate level of operational risk training is available at all levels throughout the organisation. Training that is provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

          January 2014

      • Risk Management Framework

        • OM-1.2.22

          Licensees must develop, implement and maintain a framework that is fully integrated into the licensee's overall risk management processes.

          January 2014

        • OM-1.2.23

          The framework for operational risk management chosen by an individual licensee will depend on a range of factors, including its nature, size, complexity and risk profile.

          January 2014

        • OM-1.2.24

          The board is responsible for establishing a management structure capable of implementing the licensee's operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the board establishes clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest. The framework should also articulate the key processes the licensee needs to have in place to manage operational risk.

          January 2014

        • OM-1.2.25

          The framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss.

          January 2014

        • OM-1.2.26

          Licensees that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their framework.

          January 2014

        • OM-1.2.27

          Framework documentation must clearly:

          (a) Identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
          (b) Describe the risk assessment tools and how they are used;
          (c) Describe the licensee's accepted operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments;
          (d) Describe the licensee's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
          (e) Establish risk reporting and Management Information Systems (MIS);
          (f) Provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives;
          (g) Provide for appropriate independent review and assessment of operational risk; and
          (h) Require the policies to be reviewed whenever a material change in the operational risk profile of the licensee occurs, and revised as appropriate.
          January 2014

        • OM-1.2.28

          The board should review the framework regularly to ensure that the licensee is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to assess industry best practice in operational risk management appropriate for the licensee's activities, systems and processes. If necessary, the board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within the framework.

          January 2014

      • Independent Review of Operational Risk

        • OM-1.2.29

          The board of directors must ensure that the licensee's operational risk management framework is subject to effective and comprehensive independent review.

          January 2014

        • OM-1.2.30

          The independent review functions are the internal audit and compliance functions, and the staff occupying these functions must be competent and appropriately trained and not be involved in the development, implementation and operation of the operational risk framework.

          January 2014

        • OM-1.2.31

          With reference to Paragraph OM-1.2.30, internal audit and compliance should not be involved with the setting of risk appetite or risk tolerance. Internal audit should be reviewing the robustness of the process of how these limits are set and why and how they are adjusted in response to changing circumstances. More details on the internal audit function and the role of the audit committee are included in Chapter HC-3.

          January 2014

        • OM-1.2.32

          An independent review consists of the verification of the framework on a periodic basis and is typically performed by the licensee's internal and/or external audit, but may involve other suitably qualified independent parties from external sources. Verification activities test the effectiveness of the overall framework, consistent with policies approved by the board of directors, and also test validation processes to ensure that they are independent and implemented in a manner consistent with established policies of the licensee.

          January 2014

        • OM-1.2.33

          Licensees should have in place adequate internal audit coverage to verify that operating policies and procedures have been implemented effectively. The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme is appropriate to the risk exposures. Audit should periodically validate that the licensee's operational risk management framework is being implemented effectively across the licensee.

          January 2014

      • Senior Management

        • OM-1.2.34

          The responsibilities of the senior management of the licensee must include:

          (a) Developing for approval by the board of directors a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility;
          (b) Implementing the operational risk strategy approved by the Board of Directors;
          (c) Ensuring that the strategy is implemented consistently throughout the whole organisation;
          (d) Ensuring that all levels of staff understand their responsibilities with respect to operational risk management;
          (e) Developing, maintaining and implementing policies, processes and procedures for managing operational risk in all of the licensee's products, activities, processes and systems consistent with the risk appetite and tolerance;
          (f) Developing succession plans for senior staff; and
          (g) Developing business continuity plans for the licensee.
          January 2014

        • OM-1.2.35

          Senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. These must include systems to report, track and, when necessary, escalate issues to ensure resolution. Licensees must be able to demonstrate that the three lines of defence approach is operating satisfactorily and to explain how the board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.

          January 2014

        • OM-1.2.36

          Senior management must translate the operational risk strategy established by the board of directors into an operational risk management framework that refers to specific policies, processes and procedures that can be implemented and verified within the different business units.

          January 2014

        • OM-1.2.37

          While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability.

          January 2014

        • OM-1.2.38

          Senior management must ensure that the necessary resources are available to manage operational risk effectively. Moreover, senior management must assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's activity.

          January 2014

        • OM-1.2.39

          Senior management should ensure that the licensee's activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.

          January 2014

        • OM-1.2.40

          Senior management must ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the licensee who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so could result in significant gaps or overlaps in a licensee's overall risk management programme.

          January 2014

        • OM-1.2.41

          The managers of the corporate operational risk management function should be of sufficient stature within the licensee to perform their duties effectively, ideally evidenced by title commensurate with other risk management functions such as credit, market and liquidity risk.

          January 2014

        • OM-1.2.42

          Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transaction volumes, in particular, should be well documented and disseminated to all relevant personnel.

          January 2014

      • Management Information System

        • OM-1.2.43

          The management information system of an organisation plays a key role in establishing and maintaining an effective operational risk management framework.

          January 2014

        • OM-1.2.44

          Communication flow serves the purpose of establishing a consistent operational risk management culture across the licensee. Reporting flow enables:

          (a) Senior management to monitor the effectiveness of the risk management system for operational risk; and
          (b) The Board of Directors to oversee senior management performance.
          January 2014

    • OM-1.3 Identification and Assessment

      • OM-1.3.1

        Licensees must identify and assess the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood. Licensees must also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

        January 2014

      • OM-1.3.2

        Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors (such as the licensee's structure, the nature of the licensee's activities, the quality of the licensee's human resources, organisational changes and employee turnover) and external factors (such as changes in the broader environment and the industry and technological advances) that could adversely affect the achievement of the licensee's objectives.

        January 2014

      • OM-1.3.3

        In addition to identifying the most potentially adverse risks, licensees should assess their vulnerability to these risks. Sound risk assessment allows the licensee to better understand its risk profile and most effectively target risk management resources.

        January 2014

      • OM-1.3.4

        Amongst the possible tools used by licensees for identifying and assessing operational risk are:

        (a) Self- or Risk Assessment: a licensee assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures. Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them;
        (b) Risk Mapping: in this process, various business units, organisational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action;
        (c) Risk Indicators: risk indicators are statistics and/or metrics, often financial, which can provide insight into a licensee's risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert licensees to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions; and
        (d) Measurement: some licensees have begun to quantify their exposure to operational risk using a variety of approaches. For example, data on a licensee's historical loss experience could provide meaningful information for assessing the licensee's exposure to operational risk and developing a policy to mitigate/control the risk. An effective way of making good use of this information is to establish a framework for systematically tracking and recording the frequency, severity and other relevant information on individual loss events. Some licensees have also combined internal loss data with external loss data, scenario analyses, and risk assessment factors.
        January 2014

      • Approval Process

        • OM-1.3.5

          Senior management must ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

          January 2014

        • OM-1.3.6

          In general, a licensee's operational risk exposure is increased when a licensee engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products, activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A licensee should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems.

          January 2014

        • OM-1.3.7

          A licensee must have policies and procedures that address the process for review and approval of new products, activities, processes and systems.

          January 2014

        • OM-1.3.8

          The review and approval process referred to in Paragraph OM-1.3.7 should consider:

          (a) Inherent risks in the new product, service, or activity;
          (b) Changes to the licensee's operational risk profile and appetite and tolerance, including the risk of existing products or activities;
          (c) The necessary controls, risk management processes, and risk mitigation strategies;
          (d) The residual risk;
          (e) Changes to relevant risk thresholds or limits; and
          (f) The procedures and metrics to measure, monitor, and manage the risk of the new product or activity.
          January 2014

        • OM-1.3.9

          The approval process should also ensure that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

          January 2014

    • OM-1.4 Monitoring

      • OM-1.4.1

        Licensees must implement a process to regularly monitor operational risk profiles and material exposures to losses. There must be regular reporting of pertinent information at the board, senior management and business levels that supports the proactive management of operational risk.

        January 2014

      • OM-1.4.2

        Licensees are encouraged to continuously improve the quality of operational risk reporting. A licensee should ensure that its reports are comprehensive, accurate, consistent and actionable across business lines and products. Reports should be manageable in scope and volume; effective decision-making is impeded by both excessive amounts and paucity of data.

        January 2014

      • OM-1.4.3

        Reporting should be timely and a licensee should be able to produce reports in both normal and stressed market conditions. The frequency of monitoring should reflect the risks involved and the frequency and nature of changes in the operating environment. Monitoring should be an integrated part of a licensee's activities. The results of these monitoring activities should be included in regular management and board reports, as should compliance reviews performed by the internal audit and/or risk management functions. Reports generated by (and/or for) supervisory authorities may also inform this monitoring and should likewise be reported internally to senior management and the board, where appropriate.

        January 2014

      • OM-1.4.4

        Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making. Operational risk reports should include:

        (a) Breaches of the licensee's risk appetite and tolerance statement, as well as thresholds or limits;
        (b) Details of recent significant internal operational risk events and losses; and
        (c) Relevant external events and any potential impact on the licensee.
        January 2014

      • OM-1.4.5

        Data capture and risk reporting processes should be analysed periodically with a view to continuously enhancing risk management performance as well as advancing risk management policies, procedures and practices.

        January 2014

    • OM-1.5 Control and Mitigation

      • OM-1.5.1

        Licensees must have a strong control environment that utilises:

        (a) Policies, processes and systems;
        (b) Appropriate internal controls; and
        (c) Appropriate risk mitigation and/or transfer strategies.
        January 2014

      • OM-1.5.2

        Internal controls must be designed to provide assurance that a licensee will:

        (a) Have efficient and effective operations;
        (b) Safeguard its assets;
        (c) Produce reliable financial reports; and
        (d) Comply with applicable laws and regulations.
        January 2014

      • OM-1.5.3

        Control activities are designed to address the operational risks that a licensee has identified. For all material operational risks that have been identified, the licensee should decide whether to use appropriate procedures to control and/or mitigate the risks, or bear the risks. For those risks that cannot be controlled, the licensee should decide whether to accept these risks, reduce the level of business activity involved, or withdraw from this activity completely.

        January 2014

      • OM-1.5.4

        Control processes and procedures should be established and licensees should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:

        (a) Top-level reviews of the licensee's progress towards the stated objectives;
        (b) Verifying compliance with management controls;
        (c) Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues;
        (d) Evaluation of required approvals and authorisations to ensure accountability to an appropriate level of management; and
        (e) Tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.
        January 2014

      • OM-1.5.5

        Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. Both the board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a licensee. Controls that are an integral part of the regular activities enable quick responses to changing conditions and avoid unnecessary costs.

        January 2014

      • OM-1.5.6

        An effective internal control system also requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals, or a team, may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and subject to careful independent monitoring and review.

        January 2014

      • OM-1.5.7

        In addition to segregation of duties, licensees should ensure that other internal practices are in place as appropriate to control operational risk. Examples of these include:

        (a) Clearly established authorities and/or processes for approval;
        (b) Close monitoring of adherence to assigned risk limits or thresholds;
        (c) Maintaining safeguards for access to, and use of, licensee assets and records;
        (d) Appropriate staffing level and training to maintain expertise;
        (e) Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
        (f) Regular verification and reconciliation of transactions and accounts; and
        (g) A vacation policy in line with Bahrain Labour Law.
        Amended: April 2022
        January 2014

      • OM-1.5.8

        Some significant operational risks have low probabilities but potentially very large financial impact. Moreover, not all risk events can be controlled (e.g., natural disasters). Risk mitigation tools or programmes can be used to reduce the exposure to, or frequency and/or severity of, such events. For example, insurance policies, particularly those with prompt and certain pay-out features, can be used to externalise the risk of "low frequency, high severity" losses which may occur as a result of events such as third-party claims resulting from errors and omissions, physical loss of securities, employee or third-party fraud, and natural disasters.

        January 2014

      • OM-1.5.9

        Licensees should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognise and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk).

        January 2014

      • OM-1.5.10

        Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, licensees should be aware that increased automation could transform high-frequency, low-severity losses into low-frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the licensee's immediate control (e.g., external events). Such problems may cause serious difficulties for licensees and could jeopardise an institution's ability to conduct key business activities.

        January 2014

      • OM-1.5.11

        In some instances, licensees may decide to either retain a certain level of operational risk or self-insure against that risk. Where this is the case and the risk is material, the decision to retain or self-insure the risk should be transparent within the organisation and should be consistent with the licensee's overall business strategy and appetite for risk.

        January 2014

      • OM-1.5.12

        Licensees should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.

        January 2014

    • OM-1.6 Succession Planning

      • OM-1.6.1

        Succession planning is an essential precautionary measure for a licensee if its leadership stability – and hence ultimately its financial stability – is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.

        January 2014

      • OM-1.6.2

        The CBB requires licensees to document succession plans for their senior management team and have these ready at any time for onsite inspection by CBB staff. Licensees must summarise who is covered by their succession plan and confirm that the plan has been reviewed and endorsed at Board level.

        January 2014

    • OM-1.7 Disclosure

      • OM-1.7.1

        A licensee's public disclosures must allow stakeholders to assess its approach to operational risk management.

        January 2014

      • OM-1.7.2

        A licensee's public disclosure of relevant operational risk management information can lead to transparency and the development of better industry practice through market discipline. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of a licensee's operations, and evolving industry practice. See Section PD-1.3 on disclosure requirements.

        January 2014

      • OM-1.7.3

        A licensee should disclose its operational risk management framework in a manner that will allow stakeholders to determine whether the licensee identifies, assesses, monitors and controls/mitigates operational risk effectively.

        January 2014

      • OM-1.7.4

        A licensee's disclosures should be consistent with how senior management and the board of directors assess and manage the operational risk of the licensee.

        January 2014

      • OM-1.7.5

        A licensee must have a formal disclosure policy approved by the board of directors that addresses the licensee's approach for determining what operational risk disclosures it will make and the internal controls over the disclosure process. In addition, licensees must implement a process for assessing the appropriateness of their disclosures, including the verification and frequency of them.

        January 2014