• CRA-6.5 Operational Risk

    • CRA-6.5.1

      Licensees must document their framework for the proactive management of operational risk. This policy must be approved by the Board of Directors and regularly reviewed by the senior management of the licensee.

      Amended: April 2023
      Added: April 2019

    • CRA-6.5.2

      Licensees must consider the impact of operational risks on their financial resources and solvency.

      Added: April 2019

    • CRA-6.5.2A

      Licensees must identify possible sources of operational risk, both internal and external, and mitigate their impact through the use of appropriate systems, policies, procedures, and controls. Systems should be designed to ensure a high degree of security and operational reliability including having adequate capacity.

      Added: April 2023

    • CRA-6.5.2B

      Licensees must, among other things:

      (a) Establish a robust operational risk-management framework with appropriate systems, policies, procedures, and controls to identify, monitor, mitigate and manage operational risks;
      (b) Have in place clearly defined roles and responsibilities for addressing operational risk;
      (c) Have in place clearly defined operational reliability objectives and have policies in place that are designed to achieve those objectives;
      (d) Ensure that it has adequate capacity proportionate to stress volumes to achieve its service-level objectives; and
      (e) Have a comprehensive physical and information security policy that addresses all potential vulnerabilities and threats.

      Added: April 2023

    • CRA-6.5.3

      Licensees' business continuity planning, risk identification and reporting must cover reasonably foreseeable external events and their likely impact on the licensee and its business portfolio.

      Added: April 2019

    • CRA-6.5.4

      Business continuity management includes policies, standards, and procedures for ensuring that specified operations can be maintained or recovered in a timely fashion in the event of a disruption. Its purpose is to minimise the operational, financial, legal, reputational and other material consequences arising from a disruption. Effective business continuity management concentrates on the impact, as opposed to the source, of the disruption, which affords financial industry participants and financial authorities greater flexibility to address a broad range of disruptions. At the same time, however, licensees should not ignore the nature of risks to which they are exposed.

      Added: April 2019

    • Business Continuity and Disaster Recovery

      • CRA-6.5.5

        Licensees must establish and maintain a written business continuity and disaster recovery plan reasonably designed to ensure the availability and functionality of the Licensee's services in the event of an emergency or other disruption to the Licensee's normal business activities. The business continuity and disaster recovery plan, at minimum, must:

        (a) Identify documents, data, facilities, infrastructure, personnel, and competencies essential to the continued operations of the Licensee's business;
        (b) Identify the supervisory personnel responsible for implementing each aspect of the business continuity and disaster recovery plan; include a plan to communicate with essential Persons in the event of an emergency or other disruption to the operations of the Licensee, including employees, counterparties, regulatory authorities, data and communication providers, disaster recovery specialists, and any other Persons essential to the recovery of documentation and data and the resumption of operations;
        (c) Include procedures for the maintenance of back-up facilities, systems, and infrastructure as well as alternative staffing and other resources to enable the timely recovery of data and documentation and to resume operations as soon as reasonably possible following a disruption to normal business activities;
        (d) Include procedures for the back-up or copying, with sufficient frequency, of documents and data essential to the operations of the Licensee and storing of the information off site; and
        (e) Identify third parties that are necessary to the continued operations of the Licensee's business.

        Amended: April 2023
        Added: April 2019

      • CRA-6.5.6

        Licensees must distribute a copy of the business continuity and disaster recovery plan, and any revisions thereto, to all relevant employees and must maintain copies of the business continuity and disaster recovery plan at one or more accessible off-site locations.

        Amended: April 2023
        Added: April 2019

      • CRA-6.5.7

        Licensees must provide relevant training to all employees responsible for implementing the business continuity and disaster recovery plan regarding their roles and responsibilities.

        Amended: April 2023
        Added: April 2019

      • CRA-6.5.8

        Licensees must immediately notify the CBB of any emergency or other disruption to its operations that may affect its ability to fulfil regulatory obligations or that may have a significant adverse effect on the Licensee, its counterparties, or the market.

        Amended: April 2023
        Added: April 2019

      • CRA-6.5.9

        The business continuity and disaster recovery plan must be tested at least annually by qualified, independent internal personnel or a qualified third party, and revised accordingly.

        Amended: April 2023
        Added: April 2019