RM-3 Operational Risk
RM-3.1 General Requirements
RM-3.1.1
Licensees must document their framework for the proactive management of operational risk. This policy must be approved and reviewed at least annually by the board of directors of the licensee.
July 2014
RM-3.1.2
Operational risk is the risk to the licensee of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In identifying the types of operational risk losses that it may be exposed to, licensees should consider, for instance, the following:
(a) The nature of a licensee's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;
(b) The design, implementation, and operation of the processes and systems used in the end-to-end operating cycle for a licensee's products and activities;
(c) The risk culture and human resource management practices at a licensee; and
(d) The business operating environment, including political, legal, socio-demographic, technological, and economic factors as well as the competitive environment and market structure.
July 2014
RM-3.1.3
Licensees must assess and evaluate the impact of operational risks on their financial resources and solvency.
July 2014
Business Continuity Planning
RM-3.1.4
A licensee's business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.
July 2014
Record Keeping
RM-3.1.5
Licensees must retain an appropriate record of their operational risk management activities.
July 2014
RM-3.2 Identification, Measurement, Monitoring and Control
RM-3.2.1
As part of an effective operational risk management system, licensees must:
(a) Identify critical processes, resources and loss events; and
(b) Develop policies, processes and procedures to control or mitigate operational risk.
July 2014
RM-3.3 Succession Planning
RM-3.3.1
Succession planning is an essential precautionary measure for a licensee if its leadership stability — and hence ultimately its financial stability — is to be protected. Succession planning is especially critical for smaller institutions, where management teams tend to be smaller and possibly reliant on a few key individuals.
July 2014
RM-3.4 Business Continuity Requirements
Vital Records Management
RM-3.4.1
A business continuity plan must clearly identify information deemed vital for the recovery of critical business and support functions in the event of a significant disruption to business, including an event considered as a disaster, as well as the relevant protection measures to be taken for protecting vital information, whether stored on electronic or non-electronic media.
July 2014
RM-3.4.2
Copies of vital records must be stored off-site as soon as possible after creation. A back-up of all vital records must be readily accessible for emergency retrieval. Access to back-up vital records should be adequately controlled to ensure that they are reliable for business resumption purposes. For certain critical business operations or services, licensees should consider the need for instantaneous data back up to ensure prompt system and data recovery. There should be clear procedures indicating how and in what priority vital records are to be retrieved or recreated in the event that they are lost, damaged or destroyed.
July 2014
RM-3.5 Security Measures for Microfinance Institutions
RM-3.5.1
Licensees that maintain cash on their premises must put in place security measures to minimize the risk of theft or fraud.
July 2014
RM-3.5.2
Licensees are required to install an alarm system for those premises where cash is held.
July 2014
RM-3.5.3
Where appropriate, licensees may consider the need to maintain a trained security guard on the premises.
July 2014
RM-3.5.4
All licensees are required to have in place insurance coverage to cover potential losses arising from liability, theft, fire and other potential operational risk.
July 2014