A. Operational Risk Management Framework & Governance

1. This section of the BPG sets out the standards, guidance and norms required to fulfil the regulatory requirements in respect of the Operational Risk management framework and governance, specified in Section 7.1 of Chapter 7 of BBR. These elements convey the supervisory expectations of the AFSA regarding Operational Risk management framework & governance in a Bank. The AFSA will use these standards, norms and key elements specified here to assess compliance with BBR Rules on Operational Risk management.

2. A Bank’s Operational Risk management policy is expected to address the following key elements:

(a) the governance structures used to manage Operational Risk, including reporting lines and accountabilities;

(b) risk assessment tools and how they are used;

(c) the Authorised Firm’s accepted Operational Risk appetite, permissible thresholds or tolerances for inherent and residual risk, and approved risk mitigation strategies and instruments;

(d) the Authorised Firm’s approach to establishing and monitoring thresholds or tolerances for inherent and residual risk Exposure;

(e) risk reporting and MIS; and

(f) appropriate independent review and assessment of the Authorised Firm’s Operational Risk framework.

3. An Authorised Firm’s Operational Risk policy should, amongst other things, include consideration of the Principles for the Sound Management of Operational Risk, issued by the Basel Committee on Banking Supervision (BCBS), and the Guidelines on the management of Operational Risk in market-related activities, issued by the European Banking Authority, which are useful in relation to activities other than banking.


4. The GEN Module contains Rules and Guidance regarding corporate governance requirements for Authorised Firms, including the responsibilities of an Authorised Firm regarding risk management. In developing, implementing and maintaining an effective Operational Risk framework, an Authorised Firm’s Governing Body should:

(a) approve and review a risk appetite and tolerance for Operational Risk that articulates the nature, types and levels of Operational Risk that the Authorised Firm is willing to assume;

(b) consider all relevant risks, the Authorised Firm’s level of risk appetite, its current financial condition and its strategic direction. The Governing Body should monitor management adherence to the risk appetite and tolerance and provide for timely detection and remediation of breaches;

(c) encourage a management culture, and develop supporting processes, which help to engender within the Authorised Firm an understanding by relevant Employees of the nature and scope of the Operational Risk inherent in the Authorised Firm’s strategies and activities;

(d) provide senior management with clear guidance and direction regarding the principles underlying the Authorised Firm’s Operational Risk management framework and approve the corresponding policies developed by senior management;

(e) regularly review the Authorised Firm’s Operational Risk policy to ensure that the Authorised Firm has identified and is managing the Operational Risk arising from external market changes and other environmental factors, as well as those Operational Risks associated with new strategies, products, activities, or systems, including changes in risk profiles and priorities (e.g. changing business volumes). Such review should also take into account the Operational Risk loss experience, the frequency, volume or nature of limit breaches, the quality of the control environment and the effectiveness of risk management or mitigation strategies;

(f) ensure that the Authorised Firm’s Operational Risk policy and framework are subject to effective independent review by audit or other appropriately trained Persons;

(g) ensure that management is incorporating industry best practice in managing Operational Risk; and

(h) establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between Operational Risk control functions, business lines and support functions.

Senior Management Responsibilities

5. GEN Rules include regulatory requirements and guidance regarding the role and responsibilities of senior management of a Bank in respect of Operational Risk management. In relation to establishing and maintaining a robust Operational Risk management framework, a Bank’s senior management should:

(a) translate the Operational Risk management framework established by its Governing Body into specific policies and procedures that can be implemented and verified within the different business units;

(b) clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage Operational Risk in line with the Authorised Firm’s risk appetite and tolerance; and

(c) ensure that the management oversight process is appropriate for the risks inherent in a business unit’s activity.