Unofficial Translation prepared by Baker & McKenzie and with the courtesy of The Foreign Banks' Association

Transcription

1 Unofficial Translation prepared by Baker & McKenzie and with the courtesy of The Foreign Banks' Association This translation is for the convenience of those unfamiliar with the Thai language. Please refer to the Thai text for the official version BANK OF THAILAND 17 August 2004 To Manager All commercial banks registered in Thailand All branches of foreign commercial banks No. ThorPorTor SorNorSor (31) Wor 1410/2547 Re: Collecting Information on Operational Loss Event 1. Objective 1.1 To urge commercial banks to develop a system to collect information on loss event resulting from an operational risk in a bid to help them manage their operational risk more efficiently; 1.2 To make commercial banks especially the board of directors and senior executives to realize and appreciate operational risk that banks are exposed to, and also push forward for a policy to improve and develop the operational risk management systems that are commensurate with their risk profiles and in line with the principles of sound practices; and 1.3 To enable commercial banks to start preparing their operational risk management systems for an implementation of the New Basel Capital Accord in the future. 2. Scope of Application All commercial banks registered in Thailand and branches of foreign commercial banks. 3. Essence of the Circulars The Bank of Thailand circulates a standard loss collecting template as a guidance for commercial banks to develop a system to collect information on loss event resulting from an operational risk, whereby the template contains information which is not only helpful for the bank s risk management, it can also be used to build a statistical model for risk measurement in the future. Should commercial banks consider adding other information aside from what is set in the template, commercial banks may be able to do so. To determine appropriate loss threshold commercial banks are to report, they must consider costs and benefits from the reporting as well. In addition, the Bank of Thailand issues policy guidelines on management of operational risk to assist commercial banks to develop their risk management systems. The policy guidelines are adapted from the principles of Sound Practices for the Management and

2 Supervision of Operation Risk issued by the Basel Committee on Banking Supervision (BCBS), which has already been circulated to commercial banks under the circular No. FPG.(31) C. 1328/2546 dated 30 May In addition, comments and suggestions of commercial banks received during the consultation have already been incorporated to improve the policy guidelines. The policy guidelines consist of three parts as follows: 1. Key principles for management of operational risk: this is to serve as a broad framework depicting components and important factors that will render a development of a sound operation risk management system of commercial banks; 2. The policy guidelines on management of operational risk: this is to elaborate on establishment and development of a sound operational risk management environment, operational risk management system and disclosure of operational risk management information; and 3. Lists of relevant notifications and circulars which commercial banks are encouraged to study. 4. Effective Date This circular is effective from now on. Yours faithfully, (M.R. Pridiyathorn Devakula) Governor Enclosure: 1. Standard template to collect information on operational loss event. 2. Key principles for management of operational risk. 3. The policy guidelines on management of operational risk. 4. Lists of relevant notifications and circulars. Capital Policy Department Tel , and Remark: [X] The BOT will arrange a clarification meeting.. at.. [X] There will be no clarification meeting

3 Standard Template to Collect Information on Operational Loss Event No. (1) Business Unit (2) Business Line (3) Date Event Occurred (4) Date Event Discovered (5) Details of Event (6) Cause (7) Event Type (8) Loss Amount (9) Recoverable Amount (10) Date of Recovery (11) Recovery Expenses (12) Measures To Be Taken (13) 1. Branch teller- Bang Khun Prom BL 3 (RB) 18/02/04 29/05/04 Teller fraud Teller trusted by customer to withdraw money on behalf of account owner LET 1 (internal -fraud) 50,000 50,000 06/06/ Manager urges teller to strictly comply with rules and regulations on deposit account and inform customers of such rules within one month 2. Check with and warn other branches within one month. (1) No. (9) Monetary value of the loss including loss or damage to assets, legal liability, (2) Business unit / division / department / branch where loss event loss of recourse and write-down, excluding opportunity cost, foregone revenue and cost occurred related to investment programs to prevent subsequent losses (3) Business line as classified by the BCBS, totaling eight business (10) Recoverable amount received from offenders or insurance companies lines (11) Date when recovery is received (4) Date when the loss event occurred (12) Recovery expenses i.e. legal expenses (5) Date when the loss event is discovered (13) Measures to be taken in order to prevent loss event occurring in the future such as upgrading of internal control system, ensuring strict compliance with the rules and (6) Details of the loss event regulations, upgrading security system etc. where timeline and responsible person must (7) Cause of the loss event known or found by the business unit be clearly identified together with closed monitoring of the actions. so as to determine future measures to be taken to prevent future loss occurring (8) Loss event type as classified by the BCBS, totaling seven loss event types * Further information on operational loss data collection can be found from various sources such as the British Bankers Association (BBA) ( and the Operational Riskdata exchange Association (ORX) (

4 Key Principles for Management of Operational Risk I. Establishment and Development of the Sound Operational Risk Management Environment The board of directors should consider and approve the bank s definition of an operational risk, a policy framework as well as an operational risk management action plans and processes. The board of directors should set up an Operational Risk Management Unit together with ensuring efficient and independent internal audit to ensure an organization-wide compliance with the established policy framework. Senior executives should develop a policy framework into rules, processes or procedures to be used in the bank and communicate to all staffs so they understand and are aware of its importance as well as their responsibilities. II. Operational Risk Management System To establish a system to identify and assess an operational risk in each of commercial banks product and service, system or unit, particularly in the case where a new product and service of the bank is launched or when a new system is implemented. To set up a system to monitor the risk, collect operational loss and other information and report the risk as well as to develop and introduce key risk indicators, whereby reports should be made available to senior executives and the board of directors on a regular basis. To formulate a policy or procedures to control and mitigate the risk, whereby it should be revised and adjusted according to the type, scale and the bank s risk profile. To have in place a contingency plan to ensure undisrupted operation of the bank as well as a recovery plan that is in line with the size and complexity of commercial banks. III. Disclosure of an Operational Risk Management Information To disclose to the public, including depositors and stakeholders sufficient to understand and able to assess the bank s operational risk management practices.

5 Policy Guidelines on Management of Operation Risk Background At present, competition and business environment of the banking industry has dramatically changed. Commercial banks are forced to adjust to remain competitive in a number of ways; for example, Increasing use of information technology in the banking business as well as a rise in e-banking transactions. Engaging in new financial products tailored to meet customers needs. Merging with other institutions and business groups. Outsourcing to the third party and appointment of the bank s authorized agents. These developments have led to higher operational risk and resulted in more complicated risk profiles of commercial banks themselves. Events of major loss in the past as well as a proposal by the Basel Committee on Banking Supervision of the Bank of International Settlements to require commercial banks to maintain capital funds against an operational risk under the New Basel Capital Accord, have all reinforced an importance of an operational risk and the necessity for commercial banks to have in place an operational risk management system. Efficient risk management system will not only prevent and mitigate loss that may incur from an operational risk but also increase the bank s operational efficiency and induce customers confidence, which will also add long term value to the bank. Operational risk has now become increasingly complicated and therefore influenced the concept and means which organization used to manage its operational risk. It evolves from mainly reliant on an internal audit to control the risk of the bank to a more comprehensive risk management framework in the same manner as other types of risk where risks are identified, assessed, monitored, controlled, mitigated and where relevant information is collected and reported in a systematic manner. Information technology is also being used to help monitor an operational risk throughout the organization. Besides, the bank should set up an Operational Risk Management Unit to oversee overall operational risk in the organization. To improve and develop an operational risk management system toward that direction requires time, resources and determination. Commercial banks therefore should give a priority to this task and start immediately. A plan to develop an operational risk management system should be in accordance with the scale, type and complication of the bank s business. The policy guidelines will elaborate on roles and responsibilities of the board of directors and senior executives of commercial banks to establish and develop a sound operational risk management environment, an operational risk management system and disclosure of an operational risk management information.

6 Operational risk 1 means the risk of loss resulting from inadequate supervision or lack of corporate governance and control within the organization, which involves commercial bank s internal processes, people and system, or from external events, and affect incomes and capital fund. It also includes legal risk. The definition aforementioned is generally accepted. However, commercial banks may define its operational risk in a broader sense if deemed appropriate for the bank s risk management. Loss event resulting from operational risk can be classified into seven loss event types as follow: Internal fraud such as employee s malpractice or unauthorized transaction; External fraud such as falsifying cheque, hacking and robbery; Employment practices and workplace safety such as being prosecuted against labor law or the law governing workplace s safety; Clients, products and business practices such as commercial banks were used and damaged from money laundering; Damage to physical assets such as property damage as a result of natural disaster and terrorists; Business disruption and system failure such as hardware, software and IT system malfunction; and Execution, delivery and process management such as human errors, loss of important documents, damages caused by outsource provider. Details on Operational Risk Management System I. Establishment and Development of the Sound Operation Risk Management Environment 1.1 Roles and Responsibilities of the Board of Directors (1) To give an operational risk a priority as it is one of major risks which commercial banks are exposed to. Issues related to the bank s operational risk should be placed on an agenda for the board of directors and senior executives meetings on a regular basis. (2) To set an appropriate policy framework, a strategy and an action plan, a definition of operational risk including a risk limit, and communicate to all staffs and relevant business units so they understand and are aware of its importance and their 1 Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and system or from external events, refer to the definition by the Basel Committee on Banking Supervision of the Bank for International Settlements

7 responsibilities regarding control of the bank s operational risk. The board should review a policy framework from time to time. (3) To establish an Operational Risk Management Unit separating from other units including an internal audit. The ORM unit should report directly to the bank s Risk Management Committee. The ORM unit should have duties as follows: a. To propose a policy, an action plan and operational risk management processes to the board of directors for approval; b. To supervise and support business units to manage its operational risk based on a determined guidelines; c. To supervise and support an establishment of a system to collect and report operational loss event; d. To supervise and support business units to have in place, review and update their working manuals as well as a contingency plans on a timely basis; and e. To study and develop the bank s operational risk management guidelines, and communicate to all staffs so they understand and are aware of importance and their responsibilities concerning control of the bank s operational risk which will help to create the sound operational risk management environment. The ORM unit should also coordinate with other risk management units within bank. (4) To approve a policy, an action plan and operational risk management processes proposed by the ORM unit. (5) To ensure that the bank s structure is suitable for the efficient management of operational risk where division of responsibility and reporting line is clearly made and in line with the good internal auditing principles. An internal audit that is independent and efficient will be an important mechanism to control and prevent future operational loss occurring, whereby the Audit Committee must ensure that an audit plan is detailed and frequent enough to match the bank s operational risk. (6) To promote corporate governance that will create transparency and fairness. (7) To appoint an external auditor with proper qualifications to audit the bank s financial statements. (8) To ensure that the bank is in compliance with laws and relevant rules and regulations such as the Commercial Banking Act, notifications or circular letters of the Bank of Thailand, requirements of the Stock Exchange of Thailand and the Office of the Securities and Exchange Commission, rules and regulations with regard to anti money-laundering and terrorism measures. In case that commercial banks have an overseas operation, those laws and relevant rules and regulations of overseas regulators are also fully complied. In this regard, efficient internal audit and compliance unit are required.

8 1.2 Roles and Responsibilities of Senior Executives (1) To turn a policy framework into rules, processes and procedures and communicate to all staffs. It will help to promote caution and awareness in the workplace. Communication can be made in forms of a newsletter or via public relations unit. In addition, senior executives must ensure that units under one s supervision are strictly compliant with the established rules, processes and procedures. (2) To clearly assign division of responsibilities and reporting line within the unit, whereby head of the unit should be responsible for its operational risk since they have the best knowledge and understanding of the risk in the unit. Senior executives should control an operational risk arising from people, internal processes, system and external events by: a. Risk arising from people To recruit, train and develop all staffs such that they have appropriate qualifications, experiences and expertise to perform duties and ensure that resources are. Sufficiently available. To ensure staffs understand and are aware of their responsibilities regarding control of the bank s operational risk as well as to adhere to high ethical standards particularly in units that demand staff integrity such as those handling cash and assets of the bank. To apply the principles of an internal control such as a segregation of duties, checks and balances, a dual control, a regular verification and reconciliation of accounts as well as to minimize conflict of interest within the organization. To set an appropriate remuneration policy; for example, avoiding a policy which solely ties remunerations with short-term the bank s profit because it may induce staffs malpractices. To prepare a clear operational manual especially in a unit that involves complicated IT system, large number of transactions or a strict compliance with rules and regulations such as anti-money laundering measures. Risk sensitive areas should be clearly identified in the manuals and staffs can easily gain access to such manuals when needed. To ensure that staffs are in compliance with a operational manual and procedures of the bank and there exist appropriate punishment measures for those breaching of the set rules and procedures. b. Risk arising from internal processes and system

9 Information Technology System: senior executives should ensure that IT systems are commensurate with size and complexity of the bank whereby the system should be constantly developed, updated and supervised. In addition, a data back-up facility and a relevant contingency plan should be put in place. Operational Manual: senior executives should ensure that there are detailed manuals that clearly describe the bank s operational procedures within and across the bank s business units so as to ensure continuous operation of the bank in case of emergency and reduce errors in the bank s operation. Contract and Documents: all contracts, documents, advertisements and financial statements to be disseminated to the public should be carefully verified for its legal enforcement, accuracy and succinctness by all relevant units such as compliance, legal and marketing units. Asset and Information Security System: senior executives should establish a system, rules and procedures concerning an access to the bank s asset and confidential information and ensure strict compliance. Information can be in forms of physical documents or electronic file including what staffs have known during their works. Unauthorized uses of the bank s asset and information such as insider trading may cause a financial damage and affect its reputation. c. Risk arising from external events: Senior executives should consider external factors such as stage of competitions, economic conditions, possible natural disasters, and threats from terrorism and money laundering activities as well as changes in relevant laws, when making a business decision. The bank therefore should have a contingency plan well in place or purchase insurance policy to cover or mitigate operational losses from factors beyond the bank s direct control. These will be elaborated in more details hereafter. Furthermore, senior executives should pay attentions to all these risk factors, i.e., people, internal processes, system and external events especially when new financial products and services are launched or engaging in the new business line that are not aligned with the bank s main business strategy. In addition, they must be certain that involved risks have been thoroughly analyzed, identified, assessed and controlled and relevant operational risk management plans have been appropriately approved. II. Operational Risk Management System An operational risk management system that commercial banks should pursue has similar characteristics and components as other risk management systems. To elaborate, there must be a system to identify, monitor, control or mitigate risk as well as a system to collect information and report risk. Commercial banks must design and develop their own operational risk management systems that are commensurate with size and complexity of the bank. When developing an operational risk management system, commercial banks should consider in parallel strategic, marketing and business plans to ensure that the

10 system can really accommodate the business expansion and increasing risks in the future. 2.1 Risk Identification Risk identification is a crucial fundamental for the risk management processes. Commercial banks should identify risk sensitive areas, types of risks and risk factors in every financial products and services, operational system or business units. Business units having the best knowledge and understanding of the working processes and risks embedded should play a major role in risk identification procedure where they shall consider the following factors such as: Efficiency of an internal control system, corporate culture and readiness of personnel and resources available for business operations; Volume, complexity and types of transactions including end-to-end operating cycle and distribution mechanism of goods and services to the bank s customers; Operational loss events of the unit in the past or near-misses that occurred; Operational loss events of other financial institutions; and Changes in technology, launches of new products as well as legal, social, political and economic changes. 2.2 Risk Assessment Since operational risk measurement modalities and techniques are being developed, at present risk assessment must therefore largely depend on judgments and experiences of the business units themselves. However, commercial banks should closely monitor the development of risk measurement modalities and techniques so as to adapt it to measure the bank s true operational risk in the future. When assessing the risk, commercial banks should assess both likelihood/frequency and severity of the possible events. Risk assessment can be in forms of figures, symbols, colors as well as description of risk levels. Explanation of the symbols and colors should be clearly provided so that commercial banks can prioritize their actions to further control and mitigate such operational risk. Commercial banks should consider using the tools that have been developed to help identifying and assessing the risk such as Risk and Control Self-assessment, Risk Mapping and Key Risk Indicators. Besides, the risk identification and assessment processes must be regularly implemented and reviewed. 2.3 Risk Monitoring An efficient risk monitoring process will help commercial banks to prevent and control operational loss events occurring in due time. Commercial banks should design the key risk indicators (KRIs) that reflect the cause and probability of loss events and used them to monitor the risk.

11 Key risk indicators that the bank should regularly monitored should be forward-looking and reflect a change in an operational risk such as rapid growth of overall business or particular products, number of new product launches, staff turnover rate, period of temporary system suspension, number of new recruits, number of customer s complaints or substantial change in gross income. Types of the indicators and monitoring frequency assigned to the business unit will depend on the risk and complexity of the business unit themselves. Commercial banks should therefore set and communicate the tolerance level to all business units and require a systematic and comprehensive report of such indicators. However, reports of an operational loss event and KRIs are usually subjected to a transparency problem. Commercial banks must therefore set up proper measures to ensure that accurate and reliable reports of information can be obtained. These include creating understandings and incentives for the business units and the internal audit should conduct a random check as well. 2.4 Risk Control/Mitigation An efficient risk control system is a main mechanism to control and mitigate operational loss events. Aside from internal and risk control systems mentioned under the roles of senior executives, commercial banks should formulate a risk mitigating policy including procedures and actions to be taken. For example, when the risk in a business unit is higher than a certain limit, business unit must take action to control the risk either by strengthening an internal control or reducing a number of transactions in the unit. In case that the risk still exceeds a certain limit, commercial banks may consider to cease the transactions or to mitigate possible losses by purchasing an insurance policy against an operational risk. At present, there are a growing number of operational risk-related insurance policies. Commercial banks wishing to purchase this kind of policy should take into consideration of the following: Financial status and stability of an insurance company; Conditions and exemptions of the policy; and Time spent to claim compensation. Commercial banks should be aware that purchase of an insurance policy is merely a risk mitigant and it will, in no way, reduce probability the operational loss events occurring. In addition, insurance policy will alter the bank s risk profile by transforming it into a legal or counterparty risk. In case that insurance company is an affiliate or subsidiary of the commercial bank, it must ensure that the risk has been properly transferred out of the group until it is acceptable. An introduction of information technology and automation system to substitute to increase the bank s efficiency and reduce human error has changed the bank s risk profile. To ensure the risk from IT system failure is minimized, commercial banks must therefore review an interconnection between a number of the

12 bank s internal and external operating systems. Furthermore, an anti-virus and hacking systems must be readily installed to provide the secured IT system. In addition, commercial banks increasingly outsource and appoint an authorized agent to increase efficiency and reduce an operating cost. Commercial banks thereby should pay a special attention to these activities by formulating a risk management policy with regard to outsourcing risk by taking into consideration the following: Efficiency and ability of service providers; Past performance of service providers; Having detailed service level agreements which should indicate compensation in case of damage caused by service providers; and Having contingency plan in place especially for an important unit. This includes a plan to find other service providers, which take into account all the expenses that may incur from relocating of the activities. Furthermore, selection of service providers must be taken in a transparent manner and in line with the overall bank s strategy and risk profile. 2.5 Collection of Operational Loss Events and Report of Risk Commercial banks should set up a system to collect and report information on operational loss events. Not only it will be helpful the bank s risk management, it will also be used to build a statistical model for risk measurement in the future. The Basel Committee on Banking Supervision has proposed the guidelines to classify the bank s business lines and loss event types into several categories. In case that the bank has collected information in a different format, such information must be able to map into the guidelines prescribed by the Basel Committee on Banking Supervision. Commercial banks should determine appropriate loss threshold for the reporting. Information of operational loss events to be collected should include: Date when loss event occurred and date when loss event is discovered; Business unit / division / department / branch where loss event occurred; Loss event type as classified by the BCBS, totaling seven loss event types; Monetary value of the loss; Recoverable amount received from offenders or insurance companies, recoverable period and recoverable expenses; Details and causes of loss event; and Action to be taken in order to prevent loss event occurring in the future. Aside from collecting and reporting loss events, commercial banks are encouraged to collect information about near-misses that is an event that the bank can

13 prevent loss occurring in time, which will also be helpful for the development of the bank s operational risk management system. To ensure that the business units themselves, senior executives and the board of directors realize the trend and changes in the bank s operational risk and therefore be able to timely take actions to prevent, control or mitigate loss that may occur, there should be a regular report prepared by the Operation Risk Management Unit. The report should consist of information on: Operational loss events that occurred; Key risk indicators; Major risk sensitive areas; Risk control/mitigation actions; and Weaknesses in the operational risk management system. Commercial banks may use this operational risk report in conjunction with other reports from internal audit, compliance function and of external auditor to control the risk in the bank. 2.6 Contingency Plan A contingency plan is a part of the business continuity and risk management program of commercial banks. Commercial banks must therefore have a contingency plan in place to handle operational loss events caused by external factors that are beyond the bank s own control such as natural disaster, terrorism and infrastructure problems so as to ensure continued and smooth operation of the business. A contingency plan should comprise of: Business Continuity Plan, which describe processes, procedures and systems to restore or resume the bank s business operation; and Business Recovery Plan, which describe plan or a process to restore or rebuild the damaged system, facilities or infrastructures to a normal condition. Commercial banks must formulate guidelines and procedures to ensure that the bank has in place an organization-wide contingency plan, which address critical factors of the bank s operation such as facilities, equipments, operating systems, data and information in both physical and electronic forms, infrastructure, IT system and most importantly staffs of the bank. A sound contingency plan shall: Clearly cite responsibility of those supervising the plan; Set a time limit where the system or business units must be able to resume to their normal working condition and for important units whose operation may affect

14 the entire financial institution such as the clearing and settlement unit, such time limit should be determined such that its operation can be resume to normal condition as quickly as possible; Communicate regularly to and train every party involved so they are aware and understand the procedures in the contingency plan; A contingency plan should be regularly tested both at a business unit and organization-wide levels, whereby the test should be conducted together with involved external parties such as telecommunications companies, the bank s service providers and major counterparties of the bank so they are familiar with and understand a contingency plan of the bank; A contingency plan should be reviewed and developed both at unit and organization-wide levels to ensure that it remain in touch with changes in technology, businesses, line of command or key personnel, and adhere to the standard of financial institutions; and A data-backup site should be located reasonably far from the head office and should not depend on the same public utilities so to prevent the wide area disruption that may occur. In case that commercial banks share the back-up site with other financial institutions, it should include a case where a wide-area disruption disrupting an access and operations at the bank s back-up site. III. Disclosure of Operational Risk Management Information Commercial banks should disclose sufficient information regarding their operational risk management to the public, depositors and stakeholders so that they understand and be able to assess the efficiency the bank s risk management system. An extent to which the information will be disclosed will depend on the size, complexity and risk of the bank s business. However, commercial banks should study and use disclosure of the Pillar 3 Market Discipline under the New Basel Capital Accord as guidelines.

15 Supporting Documents for Policy Guidelines on Management of Operational Risk The Bank of Thailand s circulars and notifications: 1. Financial Institution Directors handbook 2. Operation Risk Assessment Manual 3. Circulars No. FPG.(21) C. 2258/2544 Re: Guidelines for Internal Audit Practices of Financial Institutions dated 15 October Circulars No. FPG.(31) C. 2507/2545 Re: Permission for Commercial Banks to Provide Back Office Services to Others dated 7 November Circulars No. FPG.(31) C. 2733/2545 Re: Criteria for Approval of Commercial Bank s External Auditors dated 26 November Circulars No. FPG.(31) C. 2770/2545 Re: Board Structure to Enhance Corporate Governance of Commercial Bank dated 3 December Circulars No. FPG.(01) C. 1191/2546 Re: Guidelines on IT Outsourcing dated 14 May circulars No.FPG.(11) C. 2484/2546 Re: Guidelines on Security in Electronic Financial Service dated 19 November 2003 Other documents: 1. Sound Practices for the Management and Supervision of Operational Risk, Basel Committee on Banking Supervision, February Framework for Internal Control System in Banking Supervision, Basel Committee on Banking Supervision, September Customer Due Diligence for Banks, Basel Committee on Banking Supervision, October The Disaster Recovery Institute international ( or the Business Continuity Institute (