Risk Management Framework
OM-1.2.22
Licensees must develop, implement and maintain a framework that is fully integrated into the licensee's overall risk management processes.
January 2014
OM-1.2.23
The framework for operational risk management chosen by an individual licensee will depend on a range of factors, including its nature, size, complexity and risk profile.
January 2014
OM-1.2.24
The board is responsible for establishing a management structure capable of implementing the licensee's operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the board establishes clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest. The framework should also articulate the key processes the licensee needs to have in place to manage operational risk.
January 2014
OM-1.2.25
The framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss.
January 2014
OM-1.2.26
Licensees that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their framework.
January 2014
OM-1.2.27
Framework documentation must clearly:
(a) Identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
(b) Describe the risk assessment tools and how they are used;
(c) Describe the licensee's accepted operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments;
(d) Describe the licensee's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
(e) Establish risk reporting and Management Information Systems (MIS);
(f) Provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives;
(g) Provide for appropriate independent review and assessment of operational risk; and
(h) Require the policies to be reviewed whenever a material change in the operational risk profile of the licensee occurs, and revised as appropriate.
January 2014
OM-1.2.28
The board should review the framework regularly to ensure that the licensee is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to assess industry best practice in operational risk management appropriate for the licensee's activities, systems and processes. If necessary, the board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within the framework.
January 2014