Sound Practices for the Management of Operational Risk



Similar documents
RESERVE BANK OF VANUATU OPERATIONAL RISK MANAGEMENT

Advisory Guidelines of the Financial Supervisory Authority. Requirements regarding the arrangement of operational risk management

Operational Risk Management Policy

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK

RISK MANAGEMENT AND COMPLIANCE

GUIDELINES ON CORPORATE GOVERNANCE FOR LABUAN BANKS

GUIDANCE NOTE FOR DEPOSIT-TAKERS. Operational Risk Management. March 2012

Basel Committee on Banking Supervision. Sound Practices for the Management and Supervision of Operational Risk

Internal Control Systems and Maintenance of Accounting and Other Records for Interactive Gaming & Interactive Wagering Corporations (IGIWC)

Supervisory Policy Manual

Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital

GUIDANCE NOTE ON MANAGEMENT OF OPERATIONAL RISK

Prudential Practice Guide

Supervisory Policy Manual

Charter of the Compliance and Operational Risk Management Office (CORMO)

Capital Requirements Directive Pillar 3 Disclosure. December 2015

Risk Management Guidelines For Co-operative Financial Institutions

GUIDANCE FOR MANAGING THIRD-PARTY RISK

PART I - PRELIMINARY...1 Objective...1 Applicability...2 Legal and Regulatory Provision...2

Information Technology

Financial Services Guidance Note Outsourcing

NOTICE 158 OF 2014 FINANCIAL SERVICES BOARD REGISTRAR OF LONG-TERM INSURANCE AND SHORT-TERM INSURANCE

Vendor Management. Outsourcing Technology Services

6/8/2016 OVERVIEW. Page 1 of 9

Solvency II Detailed guidance notes

Policy on the Management of Country Risk by Credit Institutions

Any business relationship between a bank and another entity, by contract or otherwise

Saxo Capital Markets CY Limited

Part A OVERVIEW Introduction Applicability Legal Provision...2. Part B SOUND DATA MANAGEMENT AND MIS PRACTICES...

Statement of Guidance: Outsourcing All Regulated Entities

Morgan Stanley. Policy for the Management of Third Party Residential Mortgage Servicing Providers

Operational Risk Management Program Version 1.0 October 2013

Board of Directors Meeting 12/04/2010. Operational Risk Management Charter

Operational Risk Management Concept Paper

Risk Management Framework

GUIDELINES ON RISK MANAGEMENT AND INTERNAL CONTROLS FOR INSURANCE AND REINSURANCE COMPANIES

Capital Adequacy: Advanced Measurement Approaches to Operational Risk

INSURANCE ACT 2008 CORPORATE GOVERNANCE CODE OF PRACTICE FOR REGULATED INSURANCE ENTITIES

Operational Risk Publication Date: May Operational Risk... 3

Financial Stability Standards for Securities Settlement Facilities

SUPERVISION GUIDELINE

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Standard 4.1. Establishment and maintenance of internal control and risk management. Regulations and guidelines

Unofficial Translation prepared by Baker & McKenzie and with the courtesy of The Foreign Banks' Association

Core Principles for Effective Banking Supervision: New Edition Released

Sample Financial institution Risk Management Policy 2011

NATIONAL BANK OF ETHIOPIA MICROFINANCE INSTITUIONS SUPERVISION DIRECTORATE. RISK MANAGEMENT GUIDLEIES for MICROFINANCE INSTITITTIONS (FINAL)

on Asset Management Management

EVALUATION OF THE INVESTMENT COMPENSATION SCHEME DIRECTIVE DG INTERNAL MARKET AND SERVICES EXECUTIVE REPORT AND RECOMMENDATIONS

YEARENDED31DECEMBER2013 RISKMANAGEMENTDISCLOSURES

Credit Union Liability with Third-Party Processors

Basel II, Pillar 3 Disclosure for Sun Life Financial Trust Inc.

IMPLEMENTATION FRAMEWORK

OECD/ IOPS GOOD PRACTICES FOR PENSION FUNDS RISK MANAGEMENT SYSTEMS

IOPS GOOD PRACTICES IN RISK MANAGEMENT OF ALTERNATIVE INVESTMENTS BY PENSION FUNDS

OCC 98-3 OCC BULLETIN

GUIDELINES FOR THE MANAGEMENT OF OPERATIONAL RISK FOR CREDIT UNIONS

EURIBOR - CODE OF OBLIGATIONS OF PANEL BANKS

PART B INTERNAL CAPITAL ADEQUACY ASSESSMENT PROCESS (ICAAP)

REGULATION 9 ON OPERATIONAL RISK MANAGEMENT. Article 1 Purpose and Scope

Loi M Bakani: Effective compliance, risk mitigation and control

Guidelines for Financial Institutions Outsourcing of Business Activities, Functions, and Processes Date: July 2004

GUIDELINES ON OUTSOURCING

The PNC Financial Services Group, Inc. Business Continuity Program

THE INTERNATIONAL ORGANISATION OF PENSION SUPERVISORS (IOPS)

Reserve Bank of Fiji Insurance Supervision Policy Statement No. 8 MINIMUM REQUIREMENTS FOR RISK MANAGEMENT FRAMEWORKS OF LICENSED INSURERS IN FIJI

DEVELOPING A KRI PROGRAM: GUIDANCE FOR THE OPERATIONAL RISK MANAGER SEPTEMBER Mayowa BabatolaMayowa BabatolaBITS 2004 September 2

REINSURANCE RISK MANAGEMENT GUIDELINE

How To Manage Risk At Atb Financial

How To Manage Operational Risk

Managing Risk at Bank of America Corporation. Overview

Operational Risk. The new FSA requirements. Contents. February 2004

PRINCIPLES ON OUTSOURCING OF FINANCIAL SERVICES FOR MARKET INTERMEDIARIES

Capital Policy and Safeguards Statement for Merchant Acquirer Limited Purpose Banks

ugust, 2010 RISK MANAGEMENT GUIDELINES FOR BANKS AND FINANCIAL INSTITUTIONS, 2010

Regulation for Establishing the Internal Control System of an Investment Management Company

APPENDIX A NCUA S CAMEL RATING SYSTEM (CAMEL) 1

Principles for An. Effective Risk Appetite Framework

Risk Management Programme Guidelines

Report on Internal Control

HSBC FINANCE CORPORATION CHARTER OF THE RISK COMMITTEE

Adopted by the Board of Directors on 23 April 2015 with entry into force as of 24 April OPERATIONAL RISK MANAGEMENT POLICY

Operational risk management frameworks and methodologies

Guidelines on Investment in Shares, Interest-in-Shares and Collective Investment Schemes

Draft Prudential Practice Guide

Capital Market Services UK Limited Pillar 3 Disclosure

Third Party Relationships

GUIDANCE NOTE OUTSOURCING OF FUNCTIONS BY ENTITIES LICENSED UNDER THE PROTECTION OF INVESTORS (BAILIWICK OF GUERNSEY) LAW, 1987

Issued on: 1 March Risk Governance

Basel Committee on Banking Supervision. Review of the Principles for the Sound Management of Operational Risk

Risk Management of Outsourced Technology Services. November 28, 2000


LIQUIDITY RISK MANAGEMENT GUIDELINE

GUIDELINES FOR BUSINESS CONTINUITY IN WHOLESALE MARKETS AND SUPPORT SYSTEMS MARKET SUPERVISION OFFICE. October 2004

Information Technology Risk

The PNC Financial Services Group, Inc. Business Continuity Program

Statement of Policy for the Risk Management Program

Financial Services Regulatory Commission Antigua and Barbuda Division of Gaming Customer Due Diligence Guidelines for

Statement of Guidance

EASY FOREX TRADING LTD DISCLOSURE AND MARKET DISCIPLINE IN ACCORDANCE WITH CAPITAL ADEQUACY AND THE REQUIREMENTS ON RISK MANAGEMENT

Transcription:

1 Sound Practices for the Management of Operational Risk Authority 1.1 Section 316 (4) of the International Business Corporations Act (IBC Act) requires the Commission to take any necessary action required to ensure the integrity of the International Business Corporation sector. The International Business Corporations (Prudential Management of Licensed Corporations) Regulations, 2004 - Statutory Instrument No. 9 of 2004- prescribe that a licensed corporation: shall carry out its business in a prudent manner in accordance with the industry standards and best practices and any guidelines or directions issued by the Commission [regulation 4]. establish and implement policies, practices and procedures relating to identification, measurement, monitoring and control of credit risk, liquidity risk, interest rate risk, legal risks and operational risks [regulation 8(1) (g)]. shall be guided by such guidelines or directions as the Commission may issue in relation to policies, practices and procedures of a licensed corporation [regulation 6]. 1.2 These guidelines are being issued for the guidance and compliance by the corporations licensed to carry on international banking business but shall be applicable to other licensed corporations also to the extent they are relevant. 2 Background 2.1 According to the Basel Committee operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk. Operational risk is a distinct class of risk similar to credit and market risk. Examples of operational risk include: Internal and external fraud Employment practices and workplace safety Clients, products and business practices Damage to physical assets Business disruption and system failures Execution, delivery and process management (for example, data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance, and vendor disputes.) 2.2 Operational risk differs from other banking risks in that it is typically not directly taken in return for an expected reward, but exists in the natural course of corporate activity. At the same time, failure to properly manage operational risk can result in a misstatement of an institution s risk profile and expose the institution to significant losses. 2.3 Management of operational risk includes identification, assessment, monitoring and control/mitigation of risk. 3 Developing an Appropriate Risk Management Environment 3.1 The board of directors should be aware of the major aspects of the bank s operational risks as a distinct risk category that should be managed, and it should approve and periodically review the

2 bank s operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/ mitigated. 3.2 The board should provide senior management with clear guidance and direction regarding the principles underlying the framework and approve the corresponding policies developed by senior management. 3.3 The framework should cover the bank s appetite and tolerance for operational risk, as specified through the policies for managing this risk and the bank s prioritization of operational risk management activities, including the extent of, and manner in which, operational risk is transferred outside the bank. It should also include policies outlining the bank s approach to identifying, assessing, monitoring and controlling/mitigating the risk. The degree of formality and sophistication of the bank s operational risk management framework should be commensurate with the bank s risk profile. 3.4 The board should establish a management structure capable of implementing the firm s operational risk management framework. It should establish clear lines of management responsibility, accountability and reporting. In addition, there should be separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions in order to avoid conflicts of interest. 3.5 The board should review the framework regularly to ensure that the bank is managing its operational risks and conforms to industry best practice. If necessary, the board should revise its operational risks so that all material operational risks are captured. 4 Internal Audit 4.1 The board of directors should ensure that the bank s operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management. 4.2 The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit program is appropriate to the risk exposures. Audit should periodically validate that the firm s operational risk management framework is being implemented effectively across the firm. 4.3 Where audit function at some banks (particularly smaller banks) has initial responsibility for developing an operational risk management program, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner. 5 Senior Management 5.1 Senior management should have responsibility for implementing the operational risk management framework approved by the board of directors. The framework should be consistently implemented throughout the whole banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank s material products, activities, processes and systems.

3 5.2 Senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and ensure that the necessary resources are available to manage operational risk effectively. Senior management should assess the appropriateness of the management oversight process in light of the risks inherent in a business unit s policy. 5.3 Senior management should ensure that bank activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources, that staff responsible for monitoring and enforcing compliance with the institution s risk policy have authority independent from the units they oversee and that the bank s operational risk management policy has been clearly communicated to staff at all levels in units that incur material operational risks. 5.4 Senior management should ensure that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market, and other risks, as well as with those in the firm who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. 5.5 Senior management should also ensure that the bank s remuneration policies are consistent with its appetite for risk. Remuneration policies which reward staff that deviate from policies (e.g. by exceeding established limits) weaken the bank s risk management processes. Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to advanced technologies supporting high transactions volumes, in particular, should be well documented and disseminated to all relevant personnel. 6 Identification, Assessment, Monitoring and Mitigation/Control of Operational Risk Identification 6.1 Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Effective risk identification considers both internal factors (such as the bank s structure, the nature of the bank s activities, the quality of the bank s human resources, organizational changes and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the bank s objectives. Assessment 6.2 Banks should ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is adequately assessed. Monitoring 6.3 Banks should implement a process to regularly monitor operational risk profiles and material exposures to losses. In addition to monitoring operational loss events, banks should identify appropriate indicators that provide early warning of an increased risk of future losses. Such indicators (often referred to as key risk indicators or early warning indicators) should be forwardlooking and could reflect potential sources of operational risk such as rapid growth, the introduction of new products, employee turnover, transaction breaks, system downtime, and so on. When thresholds are directly linked to these indicators an effective monitoring process can help identify key material risks in a transparent manner and enable the bank to act upon these risks appropriately.

4 6.4 There should be regular reporting of pertinent information to senior management and the board of directors. The board of directors should receive sufficient higher-level information to enable them to understand the bank s overall operational risk profile and focus on the material and strategic implications for the business. Mitigation/Control 6.5 Banks should have policies, processes and procedures to control and/or mitigate material operational risks. For all identified risks the bank should decide whether to use appropriate procedures to control and/or mitigate the risks, or bear the risks. For those risks that cannot be controlled, the bank should decide whether to accept these risks, reduce the level of business activity involved, or withdraw from this activity completely. 6.6 Some important constituents of a mitigation/control program are: Formal, written policies and procedures Strong control culture that promotes sound risk management practices Appropriate segregation of duties Assignment of responsibilities such that there is no conflict of interest. Close monitoring of adherence to assigned risk limits or thresholds Maintaining safeguards for access to, and use of, assets and records Ensuring that staff have appropriate expertise and training; Identifying business lines or products where returns appear to be out of line with reasonable expectations (e.g., where a supposedly low risk, low margin trading activity generates high returns that could call into question whether such returns have been achieved as a result of an internal control breach); Regular verification and reconciliation of transactions and accounts; and. Investments in appropriate processing technology and information technology security (However, banks should be aware that increased automation could transform highfrequency, low-severity losses into low frequency, high-severity losses.) 7 Outsourcing 7.1 Banks should establish policies for managing the risks associated with outsourcing activities. A bank s use of third parties does not diminish the responsibility of the board of directors and management to ensure that the third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. 7.2 Outsourcing arrangements should be based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing bank. Furthermore, banks need to manage residual risks associated with outsourcing arrangements, including disruption of services. 7.3 Potential impact on operations and customers due to any potential deficiencies in services provided by vendors and other third-party or intra-group service providers, including both operational breakdowns and the potential business failure or default of the external parties should be identified. The board and management should ensure that the expectations and obligations of each party are clearly defined, understood and enforceable. The extent of the external party s liability and financial ability to compensate the bank for errors, negligence, and other operational failures should be explicitly considered as part of the risk assessment.

5 7.4 Banks should carry out an initial due diligence test and monitor the activities of third party providers, especially those lacking experience of the banking industry s regulated environment, and review this process (including re-evaluations of due diligence) on a regular basis. For critical activities, the bank may need to consider contingency plans. 7.5 Banks should periodically review their risk limitation and control strategies and should adjust their operational risk profile accordingly using appropriate strategies, in light of their overall risk appetite and profile. 8 Contingency Plans 8.1 Banks should have in place contingency and business continuity plans to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. Such plans should be in place for all critical business processes and take into account different types of plausible scenarios. Particular attention should be paid to the ability to restore electronic or physical records that are necessary for business resumption. 8.2 Banks should periodically review their disaster recovery and business continuity plans so that they are consistent with the bank s current operations and business strategies. These plans should be tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption. 9 Disclosure 9.1 Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management. The amount of disclosure should be commensurate with the size, risk profile and complexity of a bank s operations and should be in a manner that will allow investors and counterparties to determine whether a bank effectively identifies, assesses, monitors and controls/mitigates operational risk. 10 Review by the Commission 10.1 The bank s policies, procedures and practices related to operational risks would be subject to review by the Commission as part the examination conducted under the IBC Act.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information