Back Custom print Link Text Only Rich Text Print

  • Approval Process

    • OM-1.3.5

      Senior management must ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.

      January 2014

    • OM-1.3.6

      In general, a licensee's operational risk exposure is increased when a licensee engages in new activities or develops new products; enters unfamiliar markets; implements new business processes or technology systems; and/or engages in businesses that are geographically distant from the head office. Moreover, the level of risk may escalate when new products activities, processes, or systems transition from an introductory level to a level that represents material sources of revenue or business-critical operations. A licensee should ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products activities, processes and systems.

      January 2014

    • OM-1.3.7

      A licensee must have policies and procedures that address the process for review and approval of new products, activities, processes and systems.

      January 2014

    • OM-1.3.8

      The review and approval process referred to in Paragraph OM-1.3.7 should consider:

      (a) Inherent risks in the new product, service, or activity;
      (b) Changes to the licensee's operational risk profile and appetite and tolerance, including the risk of existing products or activities;
      (c) The necessary controls, risk management processes, and risk mitigation strategies;
      (d) The residual risk;
      (e) Changes to relevant risk thresholds or limits; and
      (f) The procedures and metrics to measure, monitor, and manage the risk of the new product or activity.
      January 2014

    • OM-1.3.9

      The approval process should also ensure that appropriate investment has been made for human resources and technology infrastructure before new products are introduced. The implementation of new products, activities, processes and systems should be monitored in order to identify any material differences to the expected operational risk profile, and to manage any unexpected risks.

      January 2014