B. Operational Risk Management Processes and Standards

6. This section of the BPG sets out the standards, guidance, and best practices required to fulfil the regulatory requirements in respect of the Operational Risk management processes, specified in Section 7.5 of Chapter 7 of BBR. The AFSA will use these standards, norms and key elements to assess compliance with BBR Rules on Operational Risk management processes and procedures and the effectiveness of such processes.


7. A Bank should record all Operational Risk events, including near misses and events which result in a positive financial outcome. Tools that an Authorised Firm may employ for identifying and assessing Operational Risk include:


(a) internal loss data collection and analysis;


(b) external data collection and analysis;


(c) risk assessments;

(d) business process mapping;


(e) risk and performance indicators; and


(f) scenario analysis.


8. GEN Rules require an Authorised Person in the AIFC to establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise and control its activities, to comply with legislation applicable in the AIFC and to manage risks.


9. BBR Rule 7.5 (1) (f) requires Banks to establish and maintain reporting mechanisms specifically addressing Operational Risk matters. The frequency of internal reporting of Operational Risks required by BBR Rule 7.5 (1) (f) should reflect the risks involved and the pace and nature of changes in the Bank’s operating environment.


10. The following lists some of the items that an Authorised Firm should consider including in its internal reporting of Operational Risks:


(a) the results of monitoring activities;


(b) assessments of the Operational Risk framework performed by control functions such as internal audit, compliance, risk management and/or external audit;


(c) reports generated by (and/or for) supervisory authorities;


(d) material breaches of the Authorised Firm’s risk appetite and tolerance with respect to Operational Risk;


(e) details of recent significant internal Operational Risk events and losses, including near misses or events that resulted in a positive return; and


(f) relevant external events and any potential impact on the Authorised Firm and its Operational Risk framework, including Operational Risk capital.


11. Banks are required to establish and maintain systems and controls, including but not limited to financial and risk systems and controls, that ensure that their affairs are managed effectively and responsibly by their senior management. In order to comply with the rules in BBR Chapter 7, Banks are expected to establish and maintain a strong control environment that uses policies, processes and systems, appropriate internal controls and appropriate risk mitigation and/or transfer strategies.


12. In order to establish such a strong control environment to address Operational Risk, a Bank should consider the following:


(a) clear segregation of duties and dual control;


(b) clearly established authorities and/or processes for approval;


(c) close monitoring of adherence to assigned risk limits or thresholds;


(d) safeguards for access to, and use of, the Authorised Firm’s assets and records;


(e) appropriate staffing level and training to maintain expertise;


(f) ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations; and

(g) regular verification and reconciliation of transactions and accounts.

New Product Approval & Control

13. A Bank should have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should include consideration of:


(a) inherent risks in any new product, service, or activity;


(b) resulting changes to the Authorised Firm’s Operational Risk profile, appetite and tolerance, including changes to the risk of existing products or activities;


(c) necessary controls, risk management processes, and risk mitigation strategies;


(d) residual risk;


(e) changes to relevant risk limits;


(f) procedures and metrics to measure, monitor, and manage the risk of the new product or activity; and


(g) appropriate investment in human resources and technology infrastructure.