OM-1.5 Control and Mitigation
OM-1.5.1
Licensees must have a strong control environment that utilises:
(a) Policies, processes and systems;
(b) Appropriate internal controls; and
(c) Appropriate risk mitigation and/or transfer strategies.
January 2014
OM-1.5.2
Internal controls must be designed to provide assurance that a licensee will:
(a) Have efficient and effective operations;
(b) Safeguard its assets;
(c) Produce reliable financial reports; and
(d) Comply with applicable laws and regulations.
January 2014
OM-1.5.3
Control activities are designed to address the operational risks that a licensee has identified. For all material operational risks that have been identified, the licensee should decide whether to use appropriate procedures to control and/or mitigate the risks, or bear the risks. For those risks that cannot be controlled, the licensee should decide whether to accept these risks, reduce the level of business activity involved, or withdraw from this activity completely.
January 2014
OM-1.5.4
Control processes and procedures should be established and licensees should have a system in place for ensuring compliance with a documented set of internal policies concerning the risk management system. Principal elements of this could include, for example:
(a) Top-level reviews of the licensee's progress towards the stated objectives;
(b) Verifying compliance with management controls;
(c) Policies, processes and procedures concerning the review, treatment and resolution of non-compliance issues;
(d) Evaluation of required approvals and authorisations to ensure accountability to an appropriate level of management; and
(e) Tracking reports for approved exceptions to thresholds or limits, management overrides and other deviations from policy.
January 2014
OM-1.5.5
Although a framework of formal, written policies and procedures is critical, it needs to be reinforced through a strong control culture that promotes sound risk management practices. Both the board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a licensee. Controls that are an integral part of the regular activities enable quick responses to changing conditions and avoid unnecessary costs.
January 2014
OM-1.5.6
An effective internal control system also requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities which may create a conflict of interest. Assigning such conflicting duties to individuals, or a team, may enable them to conceal losses, errors or inappropriate actions. Therefore, areas of potential conflicts of interest should be identified, minimised, and subject to careful independent monitoring and review.
January 2014
OM-1.5.7
In addition to segregation of duties, licensees should ensure that other internal practices are in place as appropriate to control operational risk. Examples of these include:
(a) Clearly established authorities and/or processes for approval;
(b) Close monitoring of adherence to assigned risk limits or thresholds;
(c) Maintaining safeguards for access to, and use of, licensee assets and records;
(d) Appropriate staffing level and training to maintain expertise;
(e) Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
(f) Regular verification and reconciliation of transactions and accounts; and
(g) A vacation policy in line with Bahrain Labour Law.
Amended: April 2022
January 2014
OM-1.5.8
Some significant operational risks have low probabilities but potentially very large financial impact. Moreover, not all risk events can be controlled (e.g., natural disasters). Risk mitigation tools or programmes can be used to reduce the exposure to, or frequency and/or severity of, such events. For example, insurance policies, particularly those with prompt and certain pay-out features, can be used to externalise the risk of "low frequency, high severity" losses which may occur as a result of events such as third-party claims resulting from errors and omissions, physical loss of securities, employee or third-party fraud, and natural disasters.
January 2014
OM-1.5.9
Licensees should view risk mitigation tools as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms in place to quickly recognise and rectify legitimate operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, or transfer the risk to another business sector or area, or even create a new risk (e.g. legal or counterparty risk).
January 2014
OM-1.5.10
Investments in appropriate processing technology and information technology security are also important for risk mitigation. However, licensees should be aware that increased automation could transform high-frequency, low-severity losses into low-frequency, high-severity losses. The latter may be associated with loss or extended disruption of services caused by internal factors or by factors beyond the licensee's immediate control (e.g., external events). Such problems may cause serious difficulties for licensees and could jeopardise an institution's ability to conduct key business activities.
January 2014
OM-1.5.11
In some instances, licensees may decide to either retain a certain level of operational risk or self-insure against that risk. Where this is the case and the risk is material, the decision to retain or self-insure the risk should be transparent within the organisation and should be consistent with the licensee's overall business strategy and appetite for risk.
January 2014
OM-1.5.12
Licensees should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.
January 2014