Chapter 7 Operational Risk

A. Operational Risk Management Framework & Governance

1. This section of the BPG sets out the standards, guidance and norms required to fulfil the regulatory requirements in respect of the Operational Risk management framework and governance, specified in Section 7.1 of Chapter 7 of BBR. These elements convey the supervisory expectations of the AFSA regarding Operational Risk management framework & governance in a Bank. The AFSA will use these standards, norms and key elements specified here to assess compliance with BBR Rules on Operational Risk management.


2. A Bank’s Operational Risk management policy is expected to address the following key elements:


(a) the governance structures used to manage Operational Risk, including reporting lines and accountabilities;


(b) risk assessment tools and how they are used;


(c) the Authorised Firm’s accepted Operational Risk appetite, permissible thresholds or tolerances for inherent and residual risk, and approved risk mitigation strategies and instruments;


(d) the Authorised Firm’s approach to establishing and monitoring thresholds or tolerances for inherent and residual risk Exposure;


(e) risk reporting and MIS; and


(f) appropriate independent review and assessment of the Authorised Firm’s Operational Risk framework.


3. An Authorised Firm’s Operational Risk policy should, amongst other things, include consideration of the Principles for the Sound Management of Operational Risk, issued by the Basel Committee on Banking Supervision (BCBS), and the Guidelines on the management of Operational Risk in market-related activities issued by the European Banking Authority, which are useful in relation to activities other than banking.


4. The GEN Module contains Rules and Guidance regarding corporate governance requirements for Authorised Firms, including the responsibilities of an Authorised Firm regarding risk management. In developing, implementing and maintaining an effective Operational Risk framework, an Authorised Firm’s Governing Body should:


(a) approve and review a risk appetite and tolerance for Operational Risk that articulates the nature, types and levels of Operational Risk that the Authorised Firm is willing to assume;


(b) consider all relevant risks, the Authorised Firm’s level of risk appetite, its current financial condition and its strategic direction. The Governing Body should monitor management adherence to the risk appetite and tolerance and provide for timely detection and remediation of breaches;


(c) encourage a management culture, and develop supporting processes, which help to engender within the Authorised Firm an understanding by relevant Employees of the nature and scope of the Operational Risk inherent in the Authorised Firm’s strategies and activities;


(d) provide senior management with clear guidance and direction regarding the principles underlying the Authorised Firm’s Operational Risk management framework and approve the corresponding policies developed by senior management;

(e) regularly review the Authorised Firm’s Operational Risk policy to ensure that the Authorised Firm has identified and is managing the Operational Risk arising from external market changes and other environmental factors, as well as those Operational Risks associated with new strategies, products, activities, or systems, including changes in risk profiles and priorities (e.g. changing business volumes). Such review should also take into account the Operational Risk loss experience, the frequency, volume or nature of limit breaches, the quality of the control environment and the effectiveness of risk management or mitigation strategies;


(f) ensure that the Authorised Firm’s Operational Risk policy and framework is subject to effective independent review by audit or other appropriately-trained Persons;


(g) ensure that management is incorporating industry best practice in managing Operational Risk; and


(h) establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between Operational Risk control functions, business lines and support functions.

Senior Management Responsibilities

5. GEN Rules include regulatory requirements and guidance regarding the role and responsibilities of senior management of a Bank in respect of Operational Risk management. In relation to establishing and maintaining a robust Operational Risk management framework, a Bank’s senior management should:


(a) translate the Operational Risk management framework established by its Governing Body into specific policies and procedures that can be implemented and verified within the different business units;


(b) clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage Operational Risk in line with the Authorised Firm’s risk appetite and tolerance; and


(c) ensure that the management oversight process is appropriate for the risks inherent in a business unit’s activity.

B. Operational Risk Management Processes and standards

6. This section of the BPG sets out the standards, guidance, and best practices required to fulfil the regulatory requirements in respect of the Operational Risk management processes, specified in Section 7.5 of Chapter 7 of BBR. The AFSA will use these standards, norms and key elements to assess compliance with BBR Rules on Operational Risk management processes and procedures and the effectiveness of such processes.


7. A Bank should record all Operational Risk events, including near misses and events which result in a positive financial outcome. Tools that an Authorised Firm may employ for identifying and assessing Operational Risk include:


(a) internal loss data collection and analysis;


(b) external data collection and analysis;


(c) risk assessments;

(d) business process mapping;


(e) risk and performance indicators; and


(f) scenario analysis.


8. GEN Rules require an Authorised Person in the AIFC to establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise and control its activities, to comply with legislation applicable in the AIFC and to manage risks.


9. BBR Rule 7.5 (1) (f) requires Banks to establish and maintain reporting mechanisms specifically addressing the Operational Risk matters. The frequency of internal reporting of Operational Risks required by BBR Rule 7.5 (1) (f) should reflect the risks involved and the pace and nature of changes in the Bank’s operating environment.


10. The following lists some of the items that an Authorised Firm should consider including in its internal reporting of Operational Risks:


(a) the results of monitoring activities;


(b) assessments of the Operational Risk framework performed by control functions such as internal audit, compliance, risk management and/or external audit;


(c) reports generated by (and/or for) supervisory authorities;


(d) material breaches of the Authorised Firm’s risk appetite and tolerance with respect to Operational Risk;


(e) details of recent significant internal Operational Risk events and losses, including near misses or events that resulted in a positive return; and


(f) relevant external events and any potential impact on the Authorised Firm and its Operational Risk framework, including Operational Risk capital.


11. Banks are required to establish and maintain systems and controls, including but not limited to financial and risk systems and controls, that ensure that their affairs are managed effectively and responsibly by their senior management. In order to comply with the rules in BBR Chapter 7, Banks are expected to establish and maintain a strong control environment that uses policies, processes and systems, appropriate internal controls and appropriate risk mitigation and/or transfer strategies.


12. In order to establish such a strong control environment to address Operational Risk, a Bank should consider the following:


(a) clear segregation of duties and dual control;


(b) clearly established authorities and/or processes for approval;


(c) close monitoring of adherence to assigned risk limits or thresholds;


(d) safeguards for access to, and use of, the Authorised Firm’s assets and records;


(e) appropriate staffing level and training to maintain expertise;


(f) ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations; and

(g) regular verification and reconciliation of transactions and accounts.

New Product Approval & Control

13. A Bank should have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should include consideration of:


(a) inherent risks in any new product, service, or activity;


(b) resulting changes to the Authorised Firm’s Operational Risk profile, appetite and tolerance, including changes to the risk of existing products or activities;


(c) necessary controls, risk management processes, and risk mitigation strategies;


(d) residual risk;


(e) changes to relevant risk limits;


(f) procedures and metrics to measure, monitor, and manage the risk of the new product or activity; and


(g) appropriate investment in human resources and technology infrastructure.

C. Specific elements of Operational Risk

Technology Risks & Business Continuity

14. This section of the BPG provides guidance on the expectations of the AFSA and the compliance requirements in respect of managing Operational Risk related to the use of IT systems and technology, and to business continuity. IT systems include the computer systems and information technology infrastructure required for the automation of processes and systems, such as application software, operating system software, network infrastructure, and desktop, server and mainframe hardware.


15. An Authorised Firm should consider the following in establishing its systems and controls for the management of IT system risks:


(a) governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the Authorised Firm’s business objectives;


(b) an Authorised Firm’s organisation and reporting structure for technology operations, including adequacy of senior management oversight; and


(c) the appropriateness of the systems acquisition, development and maintenance activities, including the allocation of responsibilities between IT development and operational areas.


16. In order to comply with BBR Rule 7.2 (4), a Bank should consider the following in establishing a framework to manage the information security risks it faces in the course of its activities:


(a) confidentiality: restriction of information access to persons or systems with appropriate authority, using firewalls and/or entry restrictions;


(b) the risk of loss or theft of customer data;


(c) integrity: safeguarding the accuracy and completeness of information and its processing;

(d) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions; and


(e) internal security: including premises security, staff vetting, access rights and portable media, staff internet and email access, encryption, safe disposal of customer data, and training and awareness.

Outsourcing Risk

17. In order to comply with BBR Rule 7.3, a Bank should consider the following guidance in establishing a framework to manage the Operational Risks associated with its outsourcing activities. The assessment of outsourcing risk at the Bank may depend on several factors, including the scope and materiality of the outsourced activity, how well the Bank manages, monitors and controls outsourcing risk, and how well the service provider manages and controls the potential risks of the operation.


18. Factors that the Bank should consider in establishing outsourcing arrangements include the following:


(a) the financial, reputational and operational impact on the Authorised Firm of the failure of a service provider to perform adequately the activity;


(b) potential losses to an Authorised Firm’s customers and counterparts in the event of a service provider failure;


(c) the consequences of outsourcing the activity on the ability and capacity of the Authorised Firm to conform with regulatory requirements and changes in such requirements;


(d) the interrelationship of the outsourced activity with other activities within the Authorised Firm;


(e) the cost associated with the outsourcing;


(f) any affiliation or other relationship between the Authorised Firm and the service provider;


(g) the regulatory status of the service provider;


(h) the degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary;


(i) the complexity of the outsourcing arrangement. For example, the ability to control the risks where more than one service provider collaborates to deliver an end-to-end outsourcing solution; and


(j) any data protection, security and other risks which may be adversely affected by the geographical location of an outsourcing service provider. To this end, specific risk management expertise in assessing country risk related, for example, to political or legal conditions could be required when entering into and managing outsourcing arrangements that are undertaken outside of the home country.

Additional Capital Requirement

19. The following are examples of instances in which the AFSA might invoke its power to impose additional capital requirements on specific Banks, referred to in BBR Rule 7.4, on the basis of its assessment that those Banks are vulnerable to common Operational Risk drivers.


Examples

➢ outsourcing of important operations by many banking business firms to a single provider; and

➢ severe disruption to providers of payment and settlement services.