• OM-1.3 Identification and Assessment

    • OM-1.3.1

      Licensees must identify and assess the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood. Licensees must also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.

      January 2014

    • OM-1.3.2

      Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors (such as the licensee's structure, the nature of the licensee's activities, the quality of the licensee's human resources, organisational changes and employee turnover) and external factors (such as changes in the broader environment and the industry and technological advances) that could adversely affect the achievement of the licensee's objectives.

      January 2014

    • OM-1.3.3

      In addition to identifying the most potentially adverse risks, licensees should assess their vulnerability to these risks. Sound risk assessment allows the licensee to better understand its risk profile and most effectively target risk management resources.

      January 2014

    • OM-1.3.4

      Amongst the possible tools used by licensees for identifying and assessing operational risk are:

      (a) Self- or Risk Assessment: a licensee assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures. Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them;
      (b) Risk Mapping: in this process, various business units, organisational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action;
      (c) Risk Indicators: risk indicators are statistics and/or metrics, often financial, which can provide insight into a licensee's risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert licensees to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions; and
      (d) Measurement: some licensees have begun to quantify their exposure to operational risk using a variety of approaches. For example, data on a licensee's historical loss experience could provide meaningful information for assessing the licensee's exposure to operational risk and developing a policy to mitigate/control the risk. An effective way of making good use of this information is to establish a framework for systematically tracking and recording the frequency, severity and other relevant information on individual loss events. Some licensees have also combined internal loss data with external loss data, scenario analyses, and risk assessment factors.
      January 2014

    • Approval Process

      • OM-1.3.5

        Senior management must ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

        January 2014

      • OM-1.3.6

        In general, a licensee's operational risk exposure is increased when a licensee engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products, activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A licensee should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems.

        January 2014

      • OM-1.3.7

        A licensee must have policies and procedures that address the process for review and approval of new products, activities, processes and systems.

        January 2014

      • OM-1.3.8

        The review and approval process referred to in Paragraph OM-1.3.7 should consider:

        (a) Inherent risks in the new product, service, or activity;
        (b) Changes to the licensee's operational risk profile and appetite and tolerance, including the risk of existing products or activities;
        (c) The necessary controls, risk management processes, and risk mitigation strategies;
        (d) The residual risk;
        (e) Changes to relevant risk thresholds or limits; and
        (f) The procedures and metrics to measure, monitor, and manage the risk of the new product or activity.
        January 2014

      • OM-1.3.9

        The approval process should also ensure that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

        January 2014