1.In general, a Bank’s operational risk exposure is increased when a Bank engages in new activities, develops new products, enters unfamiliar markets, implements new business processes or technology systems and/or engages in businesses that are geographically distant from its head office. A Bank must ensure that its risk management control infrastructure is appropriate and that it keeps pace with the development of or changes to its products, activities, processes and systems.
2.A Bank must have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process must consider at a minimum:
a.Inherent risks, including but not limited to legal risks, in the new product, service or activity;
b.Changes to the Bank’s risk profile and operational risk appetite, including the risk of existing products or activities;
c.The necessary controls, risk management processes and risk mitigation strategies;
d.Residual risk;
e.Changes to relevant risk thresholds or limits;
f.Procedures and metrics to measure, monitor and manage the risk of the new product or activity; and
g.Whether appropriate investment has been made for human resources and technology infrastructure before new products are introduced.
3.A Bank must ensure that the implementation of new products, activities, processes and systems is monitored in order to identify any material differences to the expected operational risk profile and to manage any unexpected risks.