C. Specific elements of Operational Risk
Technology Risks & Business Continuity
14. This section of the BPG provides guidance on the expectations of the AFSA and the compliance requirements in respect of managing Operational Risk related to the use of IT systems and technology and to business continuity. IT systems include the computer systems and information technology infrastructure required for the automation of processes and systems, such as application software, operating system software, network infrastructure, and desktop, server and mainframe hardware.
15. An Authorised Firm should consider the following in establishing its systems and controls for the management of IT system risks:
(a) governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the Authorised Firm’s business objectives;
(b) an Authorised Firm’s organisation and reporting structure for technology operations, including adequacy of senior management oversight; and
(c) the appropriateness of the systems acquisition, development and maintenance activities, including the allocation of responsibilities between IT development and operational areas.
16. In order to comply with BBR Rule 7.2 (4), a Bank should consider the following in establishing a framework to manage the information security risks it faces in the course of its activities:
(a) confidentiality: restriction of information access to persons or systems with appropriate authority, using firewalls and/or entry restrictions;
(b) the risk of loss or theft of customer data;
(c) integrity: safeguarding the accuracy and completeness of information and its processing;
(d) non-repudiation and accountability: ensuring that the person or system that processed the information cannot deny their actions; and
(e) internal security: including premises security, staff vetting, access rights and portable media, staff internet and email access, encryption, safe disposal of customer data, and training and awareness.
Outsourcing Risk
17. In order to comply with BBR Rule 7.3, a Bank should consider the following guidance in establishing a framework to manage the Operational Risks associated with its outsourcing activities. The assessment of outsourcing risk at the Bank may depend on several factors, including the scope and materiality of the outsourced activity, how well the Bank manages, monitors and controls outsourcing risk, and how well the service provider manages and controls the potential risks of the operation.
18. Factors that the Bank should consider in establishing outsourcing arrangements include the following:
(a) the financial, reputational and operational impact on the Authorised Firm of the failure of a service provider to perform the activity adequately;
(b) potential losses to an Authorised Firm’s customers and counterparties in the event of a service provider failure;
(c) the consequences of outsourcing the activity on the ability and capacity of the Authorised Firm to conform with regulatory requirements and changes in such requirements;
(d) the interrelationship of the outsourced activity with other activities within the Authorised Firm;
(e) the cost associated with the outsourcing;
(f) any affiliation or other relationship between the Authorised Firm and the service provider;
(g) the regulatory status of the service provider;
(h) the degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary;
(i) the complexity of the outsourcing arrangement, for example the ability to control the risks where more than one service provider collaborates to deliver an end-to-end outsourcing solution; and
(j) any data protection, security and other risks which may be adversely affected by the geographical location of an outsourcing service provider. To this end, specific risk management expertise in assessing country risk (related, for example, to political or legal conditions) could be required when entering into and managing outsourcing arrangements with service providers located outside the home country.
Additional Capital Requirement
19. The following are examples of instances in which the AFSA might invoke its power, referred to in BBR Rule 7.4, to impose additional capital requirements on specific Banks, on the basis of its assessment that those Banks are vulnerable to common Operational Risk drivers.
Examples
➢ outsourcing of important operations by many banking business firms to a single provider; and
➢ severe disruption to providers of payment and settlement services.