1.The fundamental premise of sound risk management is that the Board and the management of a Bank understand the nature and complexity of the risks inherent in the portfolio of the Bank’s products, services and activities. This is particularly important for operational risk.
2.A Bank must establish, implement and maintain an operational risk governance framework, which enables it to identify, assess, evaluate, monitor, mitigate and control operational risk. The operational risk governance framework consists of policies, processes, procedures, systems and controls.
3.The operational risk governance framework must be documented and approved by the Board of the Bank, must provide for a sound and well-defined framework to address the Bank's operational risk and must include definitions of operational risk and material operational loss.
4.A Board is responsible for establishing, maintaining and overseeing a robust operational risk governance framework that must take into account the risk profile, nature, size and complexity of the Bank's business and structure.
5.A Board must approve and subsequently review, at least annually, a risk appetite statement for operational risk that articulates the nature, types and levels of operational risk that the Bank is willing to assume and that sets appropriate limits and thresholds.
6.The operational risk governance framework must be fully integrated into the Bank’s overall risk governance framework and risk management processes. This applies to all levels and areas of the Bank including to business lines and, if applicable, to Group levels, as well as new business initiatives, products, activities, processes and systems.
7.The operational risk governance framework must clearly:
a.Identify the governance structures used to manage operational risk, including reporting lines, responsibilities and accountabilities;
b.Establish operational risk reporting and management information systems;
c.Provide for periodic independent review and assessment of operational risk; and
d.Require policies to be reviewed and revised as appropriate, whenever a material change in the operational risk profile of the Bank occurs.
8.Larger or more complex Banks must have an Operational Risk Committee or other designated committee that addresses operational risk.
9.A Bank must measure operational risks for capital purposes using the approach most appropriate to the risk profile, nature, size and complexity of the Bank's business and structure. Holding capital against operational risks, however, is not a substitute for effective operational risk management.
10. A Bank must meet the following minimum criteria or demonstrate to the Central Bank that its framework meets the requirements for a comprehensive approach to operational risk management without the presence of all of the criteria enumerated below.
a.A Bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. These responsibilities must include, but not be limited to, developing strategies to identify, assess, monitor and control or mitigate operational risk; codifying bank-level policies and procedures concerning operational risk management and controls; the design and implementation of the Bank’s operational risk assessment methodology; and the design and implementation of a risk-reporting system for operational risk.
b.A Bank must systematically track relevant operational risk data including material losses by business line. Its operational risk assessment system must be closely integrated into the risk management processes and procedures of the Bank. Its output must be an integral part of the process of and procedures for monitoring and controlling the Banks operational risk profile. For instance, this information must play a prominent role in risk reporting, management reporting and risk analysis. The Bank must have techniques for creating incentives to improve the management of operational risk throughout the Bank.
c.There must be regular reporting of operational risk exposures, including material operational losses, to business unit management, Senior Management and to the Board. The Bank must have procedures for taking appropriate action according to the information within the management reports.
d.A Bank’s operational risk management system must be well documented. A Bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of non-compliance issues.
e.A Bank’s operational risk management processes and assessment system must be subject to regular internal audit review. These reviews must include both the activities of the business units and of the operational risk management function.