CHAPTER 7. Operational Risk
Introduction
Guidance
(1) This chapter sets out the regulatory requirements in respect of a Bank’s obligation to manage effectively its Operational Risk exposures. Operational Risk refers to the risk of incurring losses due to inadequate or failed internal systems, processes, and people, or from external events. Operational Risk losses also include losses arising out of legal risk but excludes strategic and reputational risk. This chapter aims to ensure that a Bank has a robust Operational Risk management framework commensurate with the nature, scale and complexity of its operations and that it holds sufficient regulatory capital against Operational Risk exposures.
(2) This chapter includes requirements that a Bank:
- (a) implement a comprehensive Operational Risk management framework to manage, measure and monitor its Operational Risk exposures commensurate with the nature, scale and complexity of its operations;
- (b) address specific elements of an Operational Risk management framework relating to IT systems, information security, outsourcing, business continuity and disaster recovery and the management of Operational Risks in trading rooms; and
- (c) calculate and hold the Operational Risk Capital Requirement, according to the methodologies provided in the BPG issued by the AFSA.
(3) The detailed requirements specifying the calculation methodologies, parameters, metrics and formulae in respect of the primary requirements outlined in this Chapter are provided in the BPG issued by the AFSA. The BPG also provides detailed guidance on the elements to be included in the policies, systems and controls for managing Operational Risk; qualitative guidance and standards to be followed in addressing specific components of Operational Risk, such as business continuity risk; and the detailed parameters, formulae and methodology for calculating the Operational Risk capital requirements mandated by this Chapter.
7.1. Operational Risk Management Framework and Governance
(1) A Bank must implement and maintain an Operational Risk management policy which enables it to identify, assess, monitor, control and mitigate its Operational Risk exposures.
(2) The Operational Risk management policy must be documented and include the Bank’s risk appetite for Operational Risk exposures. The policy must also set out how the Bank identifies, assesses, mitigates, controls and monitors Operational Risk.
(3) The Operational Risk management policy of a Bank must be approved by its Governing Body.
(4) A Bank must:
- (a) identify, assess, monitor, mitigate and control its Operational Risk exposures;
- (b) ensure that its risk management framework, including but not limited to tools, methodologies and systems, enables it to implement its Operational Risk management policy;
- (c) hold adequate Capital, at all times, to support its Operational Risk exposures;
- (d) review and update its Operational Risk management policy at a frequency appropriate to the nature, scale and complexity of its Trading Book activities.
(5) A Bank’s Governing Body must ensure that its Operational Risk management policy enables it to obtain a comprehensive bank-wide view of its Market Risk exposures and takes into account the risk of a significant deterioration in market liquidity of its exposures.
Note: Guidance in respect of the contents of a Bank’s Operational Risk management policy, systems and controls which is required to satisfy the regulatory requirement in Rule 7.1 is provided in the BPG issued by the AFSA.
7.2. Technology Risk and Business Continuity – Policies
(1) A Bank’s operational risk management policy must include effective and comprehensive procedures for disaster recovery and business continuity. The Bank must have a business continuity plan for possible scenarios of severe business disruption. The plan must provide for the Bank to continue to operate as a going concern, and to minimise losses (especially those from disturbances to payment and settlement systems), in those scenarios.
(2) A Bank must establish and implement appropriate information technology policies for the accurate and timely identification, measurement, evaluation, management and control or mitigation of operational risk. In particular, the policies must enable the Bank to maintain an adequate and sound information infrastructure:
- (a) that meets the Bank’s current and projected requirements (under normal circumstances and in times of stress);
- (b) that ensures that the data, and the system itself, remain secure and available; and
- (c) that supports integrated and comprehensive risk management.
(3) The Bank’s information infrastructure must enable it to compile and analyse operational risk data, and must facilitate reporting to its Governing Body and senior management and the AFSA.
(4) A Bank must establish and maintain appropriate systems and controls to manage its information security risk.
7.3. Outsourcing Risk – Policies
(1) A Bank must establish appropriate policies to assess, manage and monitor the operational risk associated with its outsourced activities. The management of those risks must include the following elements:
- (a) carrying out due diligence for selecting service providers;
- (b) structuring outsourcing arrangements;
- (c) managing and reporting the risks associated with an outsourcing;
- (d) ensuring effective control over an outsourcing; and
- (e) contingency planning.
(2) The outsourcing policies must require a Bank to have comprehensive contracts and service level agreements. The contracts and agreements must clearly state the allocation of responsibilities between service providers and the Bank.
7.4. Powers of the AFSA
Despite anything in these rules, if the AFSA identifies points of exposure or vulnerability to operational risk that are common to 2 or more Banks, it may impose specific capital requirements or limits on each affected Bank.
7.5. Operational Risk Management
(1) A Bank must:
- (a) ensure that it identifies and assesses the Operational Risks inherent in all the Bank’s products, activities, processes and systems;
- (b) ensure the inherent risks identified are understood by relevant Employees of the Bank;
- (c) systematically track Operational Risk events and any financial impact associated with such events;
- (d) ensure that the tracking in (c) is consistent with the Operational Risk event types described in the Basel III framework;
- (e) regularly monitor material Exposures to Operational Risk losses;
- (f) ensure that appropriate reporting mechanisms are in place at its Governing Body, senior management, and business line levels to support effective management of the Bank’s Operational Risk;
- (g) have appropriate reporting procedures to keep the AFSA informed of developments affecting its operational risk profile; and
- (h) immediately notify the AFSA of any material Operational Risk event including notification of any resulting financial impact, positive or negative, associated with such event.
(2) A Bank must ensure that its Operational Risk management policy referred to in Rule 7.1(1):
- (a) includes an approval process for all new products, activities, processes and systems; and
- (b) ensures that the process enables the Bank to identify and assess the Operational Risk exposures inherent in its new products, activities, processes and systems.
7.6. Basic indicator approach
(1) A Bank must use the basic indicator approach to Operational Risk. The Operational Risk capital requirement is the amount of capital that the Bank must have to cover its Operational Risk.
(2) The Bank’s Operational Risk capital requirement is calculated in accordance with the following formula:
where:
GI is the Bank’s average annual gross income (as defined in sub-rule (3) or (4)) for those years (out of the previous 3 years) for which the Bank’s annual gross income is more than zero.
α is 15% or a higher percentage set by the AFSA.
n is the number of years out of the previous 3 years for which the Bank’s gross income is more than zero.
(3) Because of the definitions of GI and n in (2) above, figures for any year in which the annual gross income of a Bank is negative or zero must be excluded from both the numerator and denominator when calculating the average.
(4) For a Bank, gross income, for a year, means net interest income plus net non-interest income for the year. It must be gross of:
- (a) any provisions (including provisions for unpaid interest);
- (b) operating expenses; and
- (c) losses from the sale of securities in the ‘Held to Maturity’ and ‘Available for Sale’ categories in the Banking Book.
(5) For a Bank, gross income excludes:
- (a) realised profits from the sale of securities in the Banking Book;
- (b) realised profits from securities in the ‘Held to Maturity’ category in the Banking Book;
- (c) extraordinary or irregular items of income;
- (d) income derived from insurance;
- (e) any collection from previously written-off loans; and
- (f) income obtained from the disposal of real estate and other assets during the year.
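The following worked example is added here for illustration and is not part of the Rules text. It carries the basic indicator approach of Rule 7.6 through on constructed figures: each year's gross income is built from net interest income and net non-interest income (gross of provisions and operating expenses, per sub-rule (4)) less the items excluded by sub-rule (5); years with zero or negative gross income are then dropped from both numerator and denominator as sub-rule (3) requires, and the charge is taken as α times the resulting average GI. The formula itself does not survive on the page, so the product α × GI is an assumption drawn from the definitions of GI, α and n given above; the `YearIncome` class, the function names and all amounts are constructed for the example.

```python
# Worked example (added here; not part of the Rules text) of the basic
# indicator approach in Rule 7.6. The Rules define GI, alpha and n; the
# arithmetic below takes the charge as alpha x GI, with GI averaged over
# the positive years only (an assumption drawn from those definitions).
from dataclasses import dataclass
from typing import Sequence

ALPHA_FLOOR = 0.15  # Rule 7.6(2): 15%, or a higher percentage set by the AFSA


@dataclass(frozen=True)
class YearIncome:
    """One year's income components, before the exclusions in Rule 7.6(5)."""
    net_interest_income: float      # gross of provisions and operating expenses
    net_non_interest_income: float  # likewise gross, per Rule 7.6(4)
    excluded_items: float = 0.0     # realised Banking Book gains, extraordinary
                                    # items, insurance income, recoveries on
                                    # written-off loans, asset disposal gains

    def gross_income(self) -> float:
        return (self.net_interest_income
                + self.net_non_interest_income
                - self.excluded_items)


def average_positive_gross_income(gross_incomes: Sequence[float]) -> tuple[float, int]:
    """Return (GI, n): the average over years with GI > 0 and the count of such years.

    Rule 7.6(3): zero or negative years drop out of both numerator and denominator.
    """
    if len(gross_incomes) != 3:
        raise ValueError("the basic indicator approach uses exactly the previous three years")
    positive = [gi for gi in gross_incomes if gi > 0]
    n = len(positive)
    if n == 0:
        # The Rules do not define GI when no year is positive, so refuse rather than guess.
        raise ValueError("no year with positive gross income; Rule 7.6 gives no value")
    return sum(positive) / n, n


def bia_capital_requirement(years: Sequence[YearIncome], alpha: float = ALPHA_FLOOR) -> float:
    """Operational Risk capital requirement under the basic indicator approach."""
    if alpha < ALPHA_FLOOR:
        raise ValueError("alpha may be raised above 15% by the AFSA, never lowered")
    gi, _n = average_positive_gross_income([y.gross_income() for y in years])
    return alpha * gi


def naive_three_year_average(years: Sequence[YearIncome]) -> float:
    """The charge if the loss year were wrongly kept in the average (for contrast only)."""
    return ALPHA_FLOOR * sum(y.gross_income() for y in years) / 3


# Constructed figures (millions of currency units); the middle year is a loss year.
SAMPLE_YEARS = (
    YearIncome(net_interest_income=80.0, net_non_interest_income=50.0, excluded_items=10.0),   # GI 120
    YearIncome(net_interest_income=40.0, net_non_interest_income=-60.0, excluded_items=10.0),  # GI -30
    YearIncome(net_interest_income=60.0, net_non_interest_income=40.0, excluded_items=10.0),   # GI  90
)

if __name__ == "__main__":
    gi, n = average_positive_gross_income([y.gross_income() for y in SAMPLE_YEARS])
    print(f"GI = {gi:.2f} averaged over n = {n} positive years")
    print(f"Capital requirement at alpha = 15%: {bia_capital_requirement(SAMPLE_YEARS):.2f}")
    print(f"Naive three-year average (not permitted): {naive_three_year_average(SAMPLE_YEARS):.2f}")
```

On the constructed figures the positive years give GI = (120 + 90) / 2 = 105 with n = 2, so the charge at 15% is 15.75; keeping the loss year in the average would understate it at 9.00, which is why sub-rule (3) removes such years from both numerator and denominator. The `n == 0` branch raises rather than returning a number because the Rules give no value for that case.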