Senior Management
OM-1.2.34
The responsibilities of the
senior management of thelicensee must include:(a) Developing for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility;(b) Implementing the operational risk strategy approved by the Board of Directors;(c) Ensuring that the strategy is implemented consistently throughout the whole organisation;(d) Ensuring that all levels of staff understand their responsibilities with respect to operational risk management;(e) Developing, maintaining and implementing policies, processes and procedures for managing operational risk in all of thelicensee's products, activities, processes and systems consistent with the risk appetite and tolerance;(f) Developing succession plans for senior staff; and(g) Developing business continuity plans for thelicensee .January 2014OM-1.2.35
Senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. These must include systems to report, track and, when necessary, escalate issues to ensure resolution.
Licensees must be able to demonstrate that the three lines of defence approach is operating satisfactorily and to explain how the board and senior management ensure that this approach is implemented and operating in an appropriate and acceptable manner.January 2014OM-1.2.36
Senior management must translate the operational risk strategy established by the board of directors into an operational risk management framework that refers to specific policies, processes and procedures that can be implemented and verified within the different business units.
January 2014OM-1.2.37
While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview,
senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability.January 2014OM-1.2.38
Senior management must ensure that the necessary resources are available to manage operational risk effectively. Moreover,
senior management must assess the appropriateness of the management oversight process in light of the risks inherent in a business unit's activity.January 2014OM-1.2.39
Senior management should ensure that thelicensee's activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the institution's risk policy should have authority independent from the units they oversee.January 2014OM-1.2.40
Senior management must ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in thelicensee who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so could result in significant gaps or overlaps in alicensee's overall risk management programme.January 2014OM-1.2.41
The managers of the corporate operational risk management function should be of sufficient stature within the
licensee to perform their duties effectively, ideally evidenced by title commensurate with other risk management functions such as credit, market and liquidity risk.January 2014OM-1.2.42
Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transactions volumes, in particular, should be well documented and disseminated to all relevant personnel.
January 2014
