Operational Risk Management

Concept Paper

Issued on: 27 June 2014

BNM/RH/CP 028-11

Prudential Financial Policy Department

Overview ..... 3
1. Introduction ..... 3
2. Policy objectives ..... 3
3. Applicability ..... 3
4. Legal provisions ..... 4
5. Effective date ..... 4
6. Interpretation ..... 4
7. Related legal instruments and policy documents ..... 5

PART B Principles for sound operational risk management ..... 6
8. Board oversight ..... 6
9. Role of senior management ..... 9
10. Sound internal control environment ..... 13
11. Identification and assessment of operational risks ..... 15
12. Operational risk response and mitigation strategies ..... 17
13. Key operational risk indicators and metrics ..... 19
14. Operational risk reporting ..... 20

Appendix 1 Example of Operational Risk Governance Model for Large Financial Institutions ..... 22
Appendix 2 Operational Risk Loss Event Type Classification ..... 23


OVERVIEW

1. Introduction

1.1 Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk is inherent in all activities, products and services of financial institutions and can traverse multiple activities and business lines within a financial institution. It includes a wide spectrum of heterogeneous risks such as fraud, physical damage, business disruption, transaction failures, legal and regulatory breaches[1] as well as employee health and safety hazards. Operational risk may result in direct financial losses as well as indirect financial losses (e.g. loss of business and market share) due to reputational damage.

2. Policy objectives

2.1 This policy document:
a. sets out the Bank's supervisory expectations with regard to financial institutions' operational risk management framework and practices; and
b. forms the basis for the Bank's supervisory assessments of the effectiveness of an individual financial institution's management of operational risks.

3. Applicability

3.1 The policy document is applicable to all financial institutions as defined in paragraph 6.2.

3.2 Notwithstanding paragraph 3.1:
a. paragraph 8.5 is only applicable to an active financial market player as defined in paragraph 6.2;
b. paragraphs 9.3 and 9.4 are only applicable to a large financial institution as defined in paragraph 6.2; and
c. paragraph 9.8 is only applicable to a large financial institution or an active financial market player as defined in paragraph 6.2.

[1] Including fiduciary breaches and Shariah non-compliance by Islamic financial institutions.

4. Legal provisions

4.1 The requirements of this policy document are specified pursuant to:
a. sections 47(1), 56 and 266 of the Financial Services Act 2013 (FSA);
b. sections 57(1), 65 and 277 of the Islamic Financial Services Act 2013 (IFSA); and
c. section 41(1) of the Development Financial Institutions Act 2002 (DFIA).

5. Effective date

5.1 This policy document comes into effect on DD MM 20XX.

6. Interpretation

6.1 The terms and expressions used in this policy document shall have the same meanings assigned to them in the FSA, IFSA or DFIA, as the case may be, unless otherwise defined in this policy document.

6.2 For purposes of this policy document:

"S" denotes a standard, requirement or specification that must be complied with. Failure to comply may result in one or more enforcement actions;

"G" denotes guidance which may consist of such information, advice or recommendation intended to promote common understanding and sound industry practices which are encouraged to be adopted;

"financial institution" refers to:
a. a licensed bank, licensed investment bank, and licensed insurer under the FSA;
b. a licensed Islamic bank, licensed international Islamic bank and licensed takaful operator under the IFSA; and
c. a prescribed institution under the DFIA;

"active financial market player" refers to a financial institution that is a major or key participant, or an infrastructure/service provider (such as clearing, payment, settlement and custodial agents) in the capital, money, foreign exchange and derivative markets;

"large financial institution" refers to:
a. a financial institution with multiple sizeable businesses within the entity;
b. a financial institution with a large network of offices within or outside the country; or
c. a financial conglomerate with multiple sizeable entities within the corporate group.

7. Related legal instruments and policy documents

7.1 This policy document must be read together with the following policy documents issued by the Bank:
a. Policy Document on Risk Governance;
b. Policy Document on Operational Risk Reporting Requirement - Operational Risk Integrated Online Network (ORION);
c. Guidelines on Introduction of New Products;
d. Guidelines on Outsourcing;
e. Guidelines on Management of IT Environment; and
f. Guidelines on Business Continuity Management.

PART B

PRINCIPLES FOR SOUND OPERATIONAL RISK MANAGEMENT

8. Board oversight

Principle 1: The Board must be aware of and understand all major operational risks that could significantly impede the financial institution's ability to meet its obligations towards customers and counterparties, as well as those that could threaten the financial institution's safety and soundness. The Board must approve the financial institution's operational risk appetite that sets out the tolerance towards the major operational risks and the strategies for managing risks within the tolerance limits.

S 8.1 The Board must be aware of and understand the nature and complexity of the major operational risks in its business and operating environment, including risks arising from transactions or relationships with third parties, vendors and suppliers[2]. This should include an understanding of both the financial and non-financial impact of operational risk to which the financial institution is exposed, such as the impact arising from legal liability, loss of recourse, restitution, write-downs, business interruption and damage.

S 8.2 The Board must receive assurance that all key interdependencies between business and functional lines[3] are identified and ensure that it has a good understanding of the inter-relationship between operational risk and other financial and non-financial risks[4]. In particular, the Board must recognise and understand how operational risks affect the management of other financial and non-financial risks, and vice versa.

S 8.3 The Board must review and approve the operational risk appetite statement that covers all major operational risks that the financial institution is exposed to. In doing so, the Board must consider the financial institution's level of risk aversion, its financial condition, its current and future business direction and the quality of its internal control environment.

[2] Suppliers include outsourcing service providers. Specific requirements on outsourcing management are set out in the Guidelines on Outsourcing.
[3] Such as Human Resource, Finance and Information Technology.
[4] Including but not limited to credit, market, liquidity, Shariah and insurance risks.

S 8.4 The risk appetite statement must include risk limits and thresholds approved by the Board for specific operational risks and an aggregate operational risk limit reflecting the financial institution's tolerance towards operational risks. The risk limits must be consistent with management's strategies for managing risks within the limits and thresholds set.

S 8.5 In respect of an active financial market player, the Board must ensure that the operational risk appetite statement includes all major operational risks associated with the financial market activities that the institution is involved in[5].

[5] Operational risk is one of the major risks in financial market activities that could result in severe financial losses and reputational damage to financial institutions due to the high value, volume and velocity of the transactions, the complexity of financial market instruments and the inter-dependencies among financial market participants, service providers and infrastructure.

G 8.6 The operational risk limits and thresholds should reflect an appropriate combination of quantitative metrics as well as qualitative analysis of major operational risk exposures, taking into account conditions in the financial institution's business and operating environment as well as factors that can increase operational risk exposures but which may not be adequately captured by quantitative measures. The Board should also consider limitations in operational risk measurement methodologies that are still evolving, and ensure that the operational risk limits and thresholds set appropriately address these limitations in order to effectively manage and contain exposures to operational risk.

Principle 2: The Board must oversee the design and implementation of a sound operational risk management framework and provide constructive challenge to senior management on the credibility and robustness of the policies, processes and systems for managing major operational risks.

S 8.7 The Board must ensure that the design and implementation of the financial institution's operational risk management framework provides for:
a. a clear definition of operational risk and operational risk loss. This must be supported by a common operational risk taxonomy that includes the operational risk event types and causal categories to facilitate the consistent identification of operational risks across the organisation and the management of operational risk in an integrated manner;
b. appropriate governance and oversight structures, reporting lines and accountabilities for managing operational risk;
c. a clear description of risk limits, thresholds and risk impact rating scales[6] that correspond to the financial institution's approved operational risk appetite and tolerance;
d. the approved risk mitigation strategies and instruments for keeping risks within the thresholds and limits set;
e. a sound approach to operational risk identification, assessment, monitoring and reporting that utilises appropriate operational risk management tools;
f. the periodic review of the framework, policies and methodologies at regular intervals or whenever there are material changes in the financial institution's operational risk profile; and
g. the regular independent review of the framework by the internal audit function.

S 8.8 The operational risk management framework must cover all businesses and functions of the financial institution, including those that are outsourced to external parties.

S 8.9 The operational risk management framework must be well integrated with other risk management processes of the financial institution. The Board must ensure in particular that the operational risk management framework addresses the inter-relationship between the framework and the financial institution's processes for managing technology, compliance and Shariah risks so as to ensure a comprehensive and consistent approach to the identification and profiling of operational risks in the financial institution.

S 8.10 For financial institutions that offer Islamic products and services, the Board should be aware of the unique operational risks that may arise due to Shariah non-compliance, such as the financial and non-financial implications when established Shariah requirements and rulings are not effectively communicated, translated into internal policies or observed by the financial institution across different businesses and functional units. This is particularly relevant for a financial institution that offers both conventional and Islamic products and services, and adopts an operating model where common staff undertake the sales, support and control functions for both conventional and Islamic products and services.

[6] Risk impact rating scales would assist in segregating risks that are within the risk tolerance, risks that are reaching the risk tolerance level and risks that have breached the risk tolerance level. Impact rating scales may be defined in quantitative and/or qualitative terms. While quantitative rating scales (e.g. financial impact ratings) bring a greater degree of precision and measurability, qualitative descriptions are needed when the risks do not lend themselves to quantification.

S 8.11 The Board must ensure that it receives adequate information on material developments in the operational risk profile of the financial institution, including pertinent information on the current and emerging operational risk exposures and vulnerabilities and information on the effectiveness of the operational risk management framework. The Board must challenge the quality and comprehensiveness of the operational risk information it receives and be satisfied with the reliability of the financial institution's operational risk information and monitoring system.

9. Role of senior management

Principle 3: The senior management must ensure effective implementation and maintenance of policies, processes and systems for managing operational risk in all material products, activities, processes and systems, consistent with the operational risk management framework and operational risk appetite and tolerance approved by the Board.

S 9.1 The senior management must translate the approved operational risk management framework into specific policies, processes and limits that can be implemented for all material products, activities, processes and systems across the financial institution. Responsibilities must be clearly set out for communicating these operational risk management policies, processes and limits throughout the organisation and ensuring their effective implementation and maintenance. This must be supported by the appropriate authority given to the staff carrying these responsibilities, effective reporting and escalation procedures and adequate resources to discharge their responsibilities.
S 9.2 Senior management must establish an effective platform (i.e. a senior management oversight body) for overseeing the financial institution's operational risk exposures and ensuring the robust implementation of the operational risk management framework and processes at the enterprise-wide level. Such a platform must allow for the effective deliberation by senior management of operational risk developments at the enterprise-wide level, facilitate coordination with the financial institution's management of other risks and support senior management's ongoing review of the adequacy of the financial institution's operational risk management programme, including its implementation within significant businesses and functional units.
S 9.3 In respect of a large financial institution, a dedicated sub-committee[7] at each significant business or function must be established to support senior management in its enterprise-wide oversight of operational risks. The sub-committee must serve to provide a platform for more detailed deliberations of operational risk exposures and issues specific to the businesses or functions and input to senior management's assessment of the financial institution's overall management of operational risks at the enterprise-wide level.

[7] An illustration of a possible governance structure and inter-relationship between the senior management committee and the sub-committees within the significant businesses and functions is provided in Appendix 1.

S 9.4 The responsibilities of the dedicated sub-committees and the scope of operational risks covered by each sub-committee must be clearly defined. There must be clear arrangements established on how the sub-committees engage with and report to the senior management oversight body on their assessments of operational risks within significant businesses and functions.

S 9.5 Records kept by the senior management oversight body and sub-committees must be adequate to facilitate the review and evaluation of their effectiveness.

Principle 4: Senior management must put in place an effective internal governance structure as approved by the Board for managing operational risks, with clearly defined accountabilities, roles, authority and reporting relationships that complement and mutually reinforce one another.

S 9.6 Business and functional line management is responsible for the identification and management of operational risks within its products, activities, processes and systems[8]. The business and functional line management must establish and execute risk mitigation strategies and processes as approved by the Board and senior management of the financial institution, and ensure that internal controls are implemented effectively.

S 9.7 The business and functional line management must periodically review whether internal controls and operational risk mitigation strategies are working effectively to manage operational risks within the financial institution's approved risk tolerance. There must be clear expectations and processes established to ensure prompt escalation and actions to address any gaps or issues identified.

S 9.8 In respect of a large financial institution or an active financial market player, an embedded operational risk function must be established within each significant business and functional line. The embedded operational risk function is responsible for implementing the operational risk management activities within the business and functional lines and undertakes detailed assessments, supported by credible data analytics, of the operational risks in the business and functional lines. Staff in the embedded operational risk function must not have responsibility for risk-taking activities in the business or functional lines.

G 9.9 The embedded operational risk function provides a business-specific focus on the implementation of operational risk management activities and supports more effective day-to-day monitoring of major operational risks. Given the inherent complexity and scale of operations of large financial institutions and active financial market players, the embedded operational risk function is considered to be sound practice to strengthen the management of operational risks by business and functional lines through a dedicated focus on operational risk management activities that are supported by relevant business-specific expertise.

S 9.10 A central operational risk management function[9] that is independent of the business and functional line management and reports to the Chief Risk Officer (CRO) must be made primarily responsible for the design, ongoing development and maintenance of an effective and consistent enterprise-wide operational risk management framework. This includes facilitating the consistent implementation of policies and processes for managing operational risks across all business and functional lines and validating compliance with the approved operational risk management framework.

[8] Including risks associated with the procurement of external services, insurance risk transfer and outsourcing arrangements.
[9] An illustration of the structure and inter-relationship between the central operational risk management function and an embedded operational risk function is provided in Appendix 1.

S 9.11 The central operational risk management function must also be responsible for reviewing the identification and management of major operational risks by business and functional lines and integrating operational risks at the enterprise level. An important part of this process includes constructively challenging operational risk assessments produced by the business and functional lines (including the embedded operational risk function established within business and functional lines required under paragraph 9.8) and evaluating the effectiveness of risk mitigation activities.

S 9.12 The CRO must ensure that operational risk information reported to the Board and senior management oversight bodies is timely, relevant and presented in a manner that focuses attention on important operational risk developments and supports informed and sound risk decisions.

S 9.13 Consistent with paragraph 8.9, the CRO must ensure that the central operational risk management function does not operate in a silo but coordinates and communicates effectively with the financial institution's other risk management and control functions[10].

S 9.14 The internal governance structure must provide for regular independent reviews and assessments of the operational risk management framework, processes and systems by the internal audit function. The review by the internal audit function must include an assessment of the effectiveness of risk management activities undertaken by business and functional lines and the centralised operational risk management function, the effectiveness of senior management oversight of operational risks and whether the operational risk management framework remains comprehensive, robust and has been implemented as intended.

[10] Such as credit, market, liquidity, Shariah, insurance risk management, compliance and internal audit functions.

S 9.15 The results of the independent reviews by internal audit must be effectively communicated to senior management and the Board. The Board and senior management must in turn ensure that appropriate and timely actions are taken to maintain an effective operational risk management framework.

10. Sound internal control environment

Principle 5: A financial institution must establish policies, procedures and systems that ensure a sound internal control environment. The internal control activities and processes must be commensurate with the financial institution's operational risk profile.

S 10.1 A financial institution's internal control systems must be designed to provide assurance of the integrity of the financial institution's operations, including the safeguarding of its assets, the reliability of financial reports and compliance with applicable laws and regulations as well as internal policies. These internal control systems should support the effective control of operational risks at multiple stages and layers within a business process to provide an adequate defence against a breakdown in controls at any stage or layer. A financial institution must be able to demonstrate that the strength of the overall internal control systems is commensurate with the financial institution's operational risk exposures.

G 10.2 In providing controls at multiple stages and layers, financial institutions should avoid using similar control triggers at all stages, in order to improve the probability of detecting a breach in internal controls or to reduce the impact of the breach in the event of a breakdown at any stage or layer. The design of layered controls should balance the complexity that this can add to operational processes against the associated level of operational risk impact to the financial institution resulting from a breakdown in controls.

S 10.3 The internal control environment must be supported by the effective ongoing supervision of business activities at all operating levels of a financial institution, with clearly defined reporting responsibilities for all staff. A financial institution must ensure that there are no gaps in reporting lines that may enable individuals to conceal unauthorised actions and material errors or losses.

S 10.4 A financial institution must identify and minimise areas of potential conflicts and ensure that critical areas of operations are subjected to appropriate segregation of duties, dual control and independent monitoring.

S 10.5 A financial institution must ensure that both preventive and detective controls[11] are effectively deployed. This includes:
a. documented policies and procedures with clearly established authorities and processes for approval;
b. enforcement and monitoring of assigned risk thresholds and limits;
c. safeguards for access to and use of assets and records;
d. on-going processes to identify business lines or products where returns appear to be out of line with reasonable expectations;
e. regular and ad-hoc verification and reconciliation of transactions and accounts; and
f. requirements for key officers and employees to be on mandatory block leave.

[11] Preventive controls are designed to keep errors and irregularities from occurring, while detective controls are designed to detect errors and irregularities that may have occurred.

S 10.6 The use of information technology to support a financial institution's products, activities and processes must be subject to a sound technology risk management framework and governance arrangements[12] to mitigate operational risks that can arise from compromised system and data integrity, security and performance. A financial institution must further ensure that its information technology infrastructure meets current and long-term business requirements by providing sufficient capacity for a normal level of activity as well as for periods of market stress. An assessment of the adequacy of the financial institution's information technology infrastructure must be undertaken before material changes to the financial institution's business strategy are pursued.

[12] Detailed requirements on technology governance and the information system infrastructure risk management programme are as per the Guidelines on Management of IT Environment.

S 10.7 A financial institution must monitor and regularly evaluate its internal control systems to ensure that they are operating effectively and to take account of changing internal and external conditions. Enhancements must be made to these systems to address identified gaps and maintain their effectiveness.

S 10.8 The evaluation of internal control effectiveness must include established processes for:
a. transaction sampling to test the level of compliance with internal policies and procedures;
b. reviewing the treatment and resolution of instances of non-compliance;
c. affirming that the required approvals and authorisations to ensure accountability are assigned to an appropriate level of management; and
d. analysing reports of approved exceptions to thresholds and limits, management overrides and other deviations from policy.

11. Identification and assessment of operational risks

Principle 6: A financial institution must have in place a robust process for the identification and assessment of operational risks that considers both internal and external factors and is comprehensive in its approach. The process must also facilitate effective risk management activities by identifying potentially significant operational risk events through the use of scenario analysis.

S 11.1 The operational risk identification and assessment processes must have a strong focus on material operational risks and vulnerabilities that could significantly impede the financial institution's ability to meet obligations towards customers and counterparties, or threaten the financial institution's safety and soundness.

G 11.2 A sound operational risk identification and assessment methodology should be able to identify the critical success factors of the key business objectives and strategies, examine the risk drivers in both the internal and external environments, evaluate and test the effectiveness of existing internal control systems and risk mitigations, and be sufficiently granular so as to be able to determine the root causes that need to be treated and monitored.

S 11.3 In identifying and assessing operational risks, a financial institution must consider the following important information sources:
a. management's knowledge of the current and future outlook of business and operating conditions and anticipated changes in products, processes, regulation and markets;
b. the operational risk exposures or control deficiencies identified by internal audit, control functions or regulators;
c. business process mappings that identify the key steps, as well as risk (including risk interdependencies) and control points in business processes;
d. the key operational risk indicators that capture the main drivers of operational risk exposures;
e. the historical loss experience and root-cause analyses of significant operational risk events; and
f. the analysis of relevant external loss information (i.e. information on significant losses experienced by other organisations), where available.

S 11.4

A financial institution must combine both top-down and bottom-up approaches in
its operational risk identification and assessment programme.

G 11.5

A top-down approach to operational risk identification and assessment can help a
financial institution to identify priority areas and top operational risk concerns that
could undermine the soundness of the financial institution, whereas the bottom-up
approach ensures comprehensiveness and promotes risk ownership and
accountability. The use of both approaches allows financial institutions to validate
the enterprise-wide level view of operational risks and to prioritise resources
towards managing the major operational risks within the key businesses and
activities.

S 11.6

A financial institution must develop plausible scenarios under which the identified
major enterprise-wide operational risks could materialise. For each scenario, the
financial institution must evaluate the strengths and limitations of the current
controls and risk mitigants, analyse the circumstances under which the controls
and risk mitigants could fail, and estimate the probable rate of occurrence and
severity of the impact of an operational risk failure, including under a potential
worst case scenario.

S 11.7

Given the subjectivity of scenario analysis, a financial institution must ensure that
the analysis is well-supported by a methodology and process which involves
proper design and planning, inputs from business and functional lines, risk
managers and expert assessors, independent challenge by the key control
functions[13] and the regular review of the assumptions used. The process must be
documented and approved by the Board to ensure a consistent approach and
integrity of the results of the scenario analysis.

S 11.8

Operational risk identification and assessment must remain current, reflective of
the dynamic nature of the financial institution's business and aligned with the time
horizon of the financial institution's business strategies and operational risk
tolerance[14]. The operational risk identification and assessment must also be
updated as and when there are major operational risk events or developments
that could invalidate the earlier risk identification and assessments.

12. Operational risk response and mitigation strategies


Principle 7: A financial institution must ensure that the operational risk mitigation
strategies and responses effectively address all identified major operational risks in
line with the operational risk tolerance set by the Board.

S 12.1

A financial institution must devise and implement appropriate risk mitigation
strategies and responses to address identified major operational risks in a timely
manner. This may include strengthening internal controls, transferring residual
risks through insurance and reinforcing business continuity management
arrangements.

S 12.2

When devising mitigation strategies, a financial institution must consider the
impact of the mitigation strategies on other risks and whether the strategies
adopted could introduce new risks to the financial institution, or create unintended
effects on incentives or on business and operational performance. The financial
institution must ensure that these implications are clearly identified and effectively
addressed in the financial institution's overall risk management framework.

[13] The key control functions include senior management, central operational risk management, compliance and internal audit functions.
[14] For example, since the outlook for capital planning is one year, operational risk identification and assessment must have a forward-looking time horizon of at least one year. However, given the dynamic changes in the business and operating environment, the assessment may need to be updated at a more frequent interval (e.g. half-yearly).

S 12.3

Insurance arrangements can be useful to complement the management of
operational risks, but they are not a substitute for a sound internal control
environment. Where insurance arrangements are used, a financial institution must
assess the residual risks as well as new risks that arise, including an assessment
of:
a. the financial strength of the insurance provider and the ability to honour the insurance claim;
b. the potential legal risk that may arise from the policy contract;
c. the potential liquidity risk that may arise due to the timing of insurance compensation payments; and
d. the level of deductibles for each major risk type.

G 12.4

A financial institution should also consider the limitations of insurance as a risk
mitigation strategy, taking into account operational risk interdependencies which
can change over time, the quantification challenges as well as gaps between the
actual operational risk exposure and the scope of insurance coverage.

S 12.5

A financial institution must be able to provide a high degree of assurance that the
risk mitigation strategies and responses can contain operational risk exposures of
the financial institution within the operational risk tolerance of the Board. This must
be supported by a regular assessment of trends in the financial institution's
operational risk exposures as identified under Principle 6 and a process for
affirming that the risk mitigation strategies and responses remain appropriate.

S 12.6

A financial institution must establish business continuity plans that are
commensurate with its operational risk profiles and the approved risk tolerance
towards business disruptions. The financial institution's business continuity plans
must cover all critical business operations and address plausible business
disruption events or scenarios associated with these operations[15].

[15] Detailed requirements on business continuity management are set out in the Guidelines on Business Continuity Management.

13. Key operational risk indicators and metrics


Principle 8: A financial institution must establish processes for monitoring
operational risk exposures that include the systematic collection and analysis of
relevant operational risk data and metrics.

S 13.1

A financial institution must identify and monitor key operational risk indicators and
metrics that provide insights on the material operational risk exposures of the
financial institution. The risk indicators and metrics must be able to alert those
responsible for managing operational risks of emerging risks and potential
changes to the financial institution's operational risk profile well in advance of the
risks materialising. Accordingly, there must be appropriate thresholds and limits
set for each indicator to trigger appropriate escalation and mitigation actions.

S 13.2

The key operational risk indicators and metrics must include:
a. generic indicators that are comparable across different business and functional units and can be aggregated on an enterprise-wide basis (e.g. staff turnover rate, mandatory leave utilisation, system downtime and compliance breaches); and
b. customised indicators that monitor specific operational risks within individual business units and processes (e.g. reconciliation breaks, service level breaches, trade errors, amendments and cancellations).

S 13.3

A financial institution must be able to capture and track actual operational risk loss
events and near misses. This includes incidents of Shariah non-compliance for
Islamic finance operations and operational risk-related events that lead to losses
in other risk types (e.g. credit, market and insurance losses).

S 13.4

The systems employed for tracking and monitoring the operational risk loss events
must conform to the internal operational risk event taxonomy and include relevant
information such as date of the loss event, gross loss amount and recoveries,
descriptive information about the loss event, its causes and drivers and remedial
actions. The internal operational risk event taxonomy must be at least mapped to
the Level 2 Category of the Operational Risk Loss Event Type Classification, as
per Appendix 2.

S 13.5

A financial institution must ensure that the systems for tracking and monitoring
operational risk loss events are complete and accurate by establishing the
framework, processes and controls for collecting and reporting operational risk
loss events. This must include a standard to be consistently adopted for loss
recognition (e.g. to ascertain direct and indirect financial losses), criteria for
allocating losses arising in centralised functions or activities that span more than
one business line as well as requirements for quantified losses to be validated
against and reconciled with accounting records and other internal information.
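The loss-event and indicator requirements in S 13.1 to S 13.5 are concrete enough to be checked mechanically. The following Python is an added example, not part of the concept paper and not a Bank Negara Malaysia or licensed-institution system: it encodes the Level 1 to Level 2 taxonomy from Appendix 2, validates constructed loss-event records against that taxonomy and against the field list in S 13.4, reconciles recognised net losses per business line with a constructed ledger total as S 13.5 requires, and rates key risk indicators against an amber threshold and a red limit as S 13.1 requires. The record field names, the reconciliation tolerance, the sample events, the ledger figures and the indicator thresholds are all assumptions made for the example.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
from decimal import Decimal

EVENT_TAXONOMY: dict[str, tuple[str, ...]] = {  # Level 1 -> Level 2 categories, from Appendix 2
    "Internal Fraud": ("Unauthorised Activity", "Theft and Fraud"),
    "External Fraud": ("Theft and Fraud", "Systems Security"),
    "Employment Practices and Workplace Safety": (
        "Employee Relations", "Safe Environment", "Diversity and Discrimination"),
    "Clients, Products and Business Practices": (
        "Suitability, Disclosure and Fiduciary", "Improper Business or Market Practices",
        "Product Flaws", "Selection, Sponsorship and Exposure", "Advisory Activities"),
    "Damage to Physical Assets": ("Disasters and Other Events",),
    "Business Disruption and System Failures": (
        "Systems failure and disruption", "Business disruption (non-system)"),
    "Execution, Delivery and Process Management": (
        "Transaction Capture, Execution and Maintenance", "Monitoring and Reporting",
        "Customer Intake and Documentation", "Customer/ Client Account Management",
        "Trade Counterparties", "Vendors and Suppliers"),
}

@dataclass
class LossEvent:
    """One loss-event record carrying the information S 13.4 calls for (field names are assumed)."""
    event_id: str
    event_date: date
    level1: str
    level2: str
    business_line: str
    gross_loss: Decimal
    recoveries: Decimal
    description: str
    cause: str
    remedial_action: str
    near_miss: bool = False

def validate_event(ev: LossEvent) -> list[str]:
    """Return the validation failures for a record; an empty list means it may be loaded."""
    errors: list[str] = []
    if ev.level1 not in EVENT_TAXONOMY:
        errors.append(f"{ev.event_id}: unknown Level 1 category {ev.level1!r}")
    elif ev.level2 not in EVENT_TAXONOMY[ev.level1]:
        errors.append(f"{ev.event_id}: {ev.level2!r} is not a Level 2 category under {ev.level1!r}")
    if ev.gross_loss < 0 or ev.recoveries < 0 or ev.recoveries > ev.gross_loss:
        errors.append(f"{ev.event_id}: gross loss and recoveries are inconsistent")
    if ev.near_miss and ev.gross_loss != 0:
        errors.append(f"{ev.event_id}: a near miss must carry no gross loss")
    errors += [f"{ev.event_id}: {f} is empty" for f in ("description", "cause", "remedial_action")
               if not getattr(ev, f).strip()]
    return errors

def reconcile_to_ledger(events: list[LossEvent], ledger: dict[str, Decimal],
                        tolerance: Decimal = Decimal("0.01")) -> dict[str, Decimal]:
    """Net recognised loss per business line minus the ledger figure, for lines outside tolerance.
    Near misses carry no loss and are skipped; an empty result means the register reconciles."""
    register: dict[str, Decimal] = {}
    for ev in events:
        if not ev.near_miss:
            register[ev.business_line] = register.get(ev.business_line, Decimal(0)) + ev.gross_loss - ev.recoveries
    breaks: dict[str, Decimal] = {}
    for line in set(register) | set(ledger):
        diff = register.get(line, Decimal(0)) - ledger.get(line, Decimal(0))
        if abs(diff) > tolerance:
            breaks[line] = diff
    return breaks

@dataclass(frozen=True)
class KeyRiskIndicator:
    """threshold: escalate to line management; limit: escalate to the central ORM function and senior management."""
    name: str
    threshold: float
    limit: float
    higher_is_worse: bool = True  # False for indicators such as leave utilisation, where a low value is bad

def rate_kri(kri: KeyRiskIndicator, value: float) -> str:
    """Classify an observation as 'green', 'amber' (threshold breached) or 'red' (limit breached)."""
    def breached(bound: float) -> bool:
        return value >= bound if kri.higher_is_worse else value <= bound
    return "red" if breached(kri.limit) else "amber" if breached(kri.threshold) else "green"

def sample_events() -> list[LossEvent]:
    """Constructed records, not real losses; EV-3 is deliberately mis-mapped to exercise the taxonomy check."""
    d = date(2014, 6, 27)
    return [
        LossEvent("EV-1", d, "External Fraud", "Systems Security", "Virtual Banking & Payments",
                  Decimal("12000.00"), Decimal("2000.00"), "Account take-over via phished credentials",
                  "No second factor on customer login", "Second factor enforced for online banking"),
        LossEvent("EV-2", d, "Business Disruption and System Failures", "Systems failure and disruption",
                  "Virtual Banking & Payments", Decimal(0), Decimal(0), "Core switch failed over",
                  "Firmware defect", "Both switches patched", near_miss=True),
        LossEvent("EV-3", d, "External Fraud", "Unauthorised Activity", "Cards & Wealth",
                  Decimal("500.00"), Decimal(0), "Counterfeit card used at ATM", "Skimmer on reader",
                  "Reader replaced"),
    ]

def run_example() -> tuple[list[str], dict[str, Decimal], dict[str, str]]:
    """Validate the sample register, reconcile the loadable records to a constructed ledger, rate two KRIs."""
    events = sample_events()
    errors = [msg for ev in events for msg in validate_event(ev)]
    loadable = [ev for ev in events if not validate_event(ev)]
    ledger = {"Virtual Banking & Payments": Decimal("10000.00"), "Cards & Wealth": Decimal("500.00")}
    breaks = reconcile_to_ledger(loadable, ledger)  # EV-3 was rejected, so Cards & Wealth will not reconcile
    downtime = KeyRiskIndicator("system downtime (hours/month)", threshold=4.0, limit=8.0)
    leave = KeyRiskIndicator("mandatory leave utilisation (%)", threshold=80.0, limit=60.0, higher_is_worse=False)
    ratings = {"downtime": rate_kri(downtime, 5.5), "leave": rate_kri(leave, 55.0)}
    return errors, breaks, ratings
```

Two design points carry over to a real register. Rejected records must not be silently dropped: the example returns the validation messages so that the rejected event can be corrected and re-submitted, otherwise the reconciliation break it leaves behind is the only trace of it. And the reconciliation compares net loss (gross less recoveries) per business line because that is what the accounting records carry; a register that only stores gross amounts cannot be reconciled to them.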

14. Operational risk reporting


Principle 9: Operational risk reports to the senior management and Board must be
comprehensive, accurate, timely and appropriately designed to facilitate effective
communication and understanding of operational risk issues and decision-making.

S 14.1

Operational risk reports must facilitate timely management responses and
decision making. The reporting frequency must therefore reflect the level of risks
involved, as well as the pace and nature of changes in the operating and external
environments.

S 14.2

Operational risk reports to the senior management and Board must contain
financial, operational and compliance information, as well as external market or
environmental information about events and conditions that are relevant to
decision-making.

G 14.3

Examples of operational risk information that could aid informed decision-making by the senior management and Board include:
a. an analysis of the current operational risk profile, the emerging trends and patterns of the key operational risk indicators and the direction of the risks over a defined horizon (e.g. over the next three months);
b. the status of mitigation action plans for material operational risks;
c. breaches of operational risk thresholds and limits, in particular those resulting in the financial institution's enterprise-wide operational risk level being higher than the approved risk appetite and tolerance;
d. observations of operational risk management deficiencies by the central operational risk management function, internal audit or regulators;
e. highlights on significant operational risk events, control failures and losses; and
f. the lessons learnt from relevant external loss events and internal assessments of the probability and potential impact of similar events occurring in the financial institution.

S 14.4

The scope, context and level of granularity of operational risk reports must be
appropriately tailored for the different groups of users of the reports.

G 14.5

For example, detailed operational risk information specific to activities and
operations of the business and functional units is appropriate and useful to the
business and functional line management, whereas a high-level overview of the
overall operational risk profile of the financial institution and executive summaries
of significant enterprise-level operational risks would be more beneficial to the
senior management's and Board's decision-making process.


APPENDIX 1 Example of Operational Risk Governance Model for Large Financial Institutions

The governance chart, rendered as an outline (each indented entry sits under the entry above it):

Board of Directors
  Board Risk Committee
Chief Executive
  Management Risk Committee / Operational Risk Management Committee (Para 9.2)
  Head, Consumer Banking
    Business-level Committee (Para 9.3)
    Embedded Operational Risk Function (Para 9.8)
    Business functions: Consumer Finance; Cards & Wealth; Virtual Banking & Payments; Community Distribution; HNW & Affluent Banking; SME Banking; Marketing & Branding
  Head, Global Banking
    Business-level Committee (Para 9.3)
    Embedded Operational Risk Function (Para 9.8)
    Business functions: Business Banking; Corporate Banking; Investment Banking; Global Markets; Transaction Banking; Asset Management; International Business
  Chief Risk Officer
    Central Operational Risk Management Function (Para 9.10)

The Management Risk Committee's accountability includes the oversight of the enterprise-wide operational risk. The Management Risk Committee may establish an Operational Risk Management Committee to ensure a more focused oversight on operational risk.

Business-level committees within the large businesses of the financial institution are entrusted with the responsibility to monitor and deliberate on operational risk issues specific to the business. This would reduce the load on the Management Risk Committee and promote risk ownership by the businesses.

The Central Operational Risk Management function is responsible for the design and implementation of the enterprise-wide operational risk framework, policies and processes, as well as validating and challenging the results of operational risk management activities of the businesses.

The embedded operational risk function, which is part of the business, would assist the business in implementing and monitoring the operational risk management activities within the business. The embedded operational risk function's close relationship with and knowledge of the business allows for more focused implementation and oversight.


APPENDIX 2 Operational Risk Loss Event Type Classification

The table has three columns: the Event-type Category (Level 1) with its definition, the Categories (Level 2) under it, and the Activity Examples (Level 3) listed against each Level 2 category. It is rebuilt below in that order.

Internal Fraud
Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party.
  Unauthorised Activity: Transactions not reported (intentional); Transaction type unauthorised (with monetary loss); Mismarking of position (intentional)
  Theft and Fraud: Fraud/ worthless deposits/ false insurance claims; Theft/ extortion/ embezzlement/ robbery; Misappropriation of assets/ insurance premium; Malicious destruction of assets; Forgery; Smuggling; Account take-over/ impersonation etc.; Tax non-compliance/ evasion (wilful); Bribes/ kickbacks; Insider trading

External Fraud
Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party.
  Theft and Fraud: Theft/ fraud/ robbery; Forgery/ counterfeit (Cover Notes, Policy Certificates, Currency, Cheque, Security Documents/Identification documents); False insurance claims; Misappropriation of insurance premium by agents; Cheque kiting
  Systems Security: Hacking damage; Theft of information

Employment Practices and Workplace Safety
Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/ discrimination events.
  Employee Relations: Compensation, benefit, termination issues; Organised labour activity
  Safe Environment: General liability (slip and fall, etc.); Employee health & safety rules events; Workers compensation
  Diversity and Discrimination: All discrimination types

Clients, Products and Business Practices
Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
  Suitability, Disclosure and Fiduciary: Fiduciary breaches/ guideline violations; Suitability/ disclosure issues (KYC, etc.); Retail customer disclosure violations; Breach of privacy; Aggressive sales; Account churning; Misuse of confidential information; Lender liability; Mis-selling/ Mis-informing of Shariah contract
  Improper Business or Market Practices: Antitrust/ Improper trade/ market practices; Market manipulation; Insider trading (on firm's account); Unlicensed activity; Money laundering; Poor servicing by agents
  Product Flaws: Product defects (including Shariah non-compliant products); Model errors
  Selection, Sponsorship and Exposure: Failure to investigate client per guidelines; Exceeding client exposure limits
  Advisory Activities: Disputes over performance of advisory activities

Damage to Physical Assets
Losses arising from loss or damage to physical assets from natural disaster or other events.
  Disasters and Other Events: Natural disaster losses; Human losses from external sources (terrorism, vandalism); Damage to inventory (Islamic finance-related)

Business Disruption and System Failures
Losses arising from disruption of business or system failures.
  Systems failure and disruption: Hardware; Software; Telecommunications; Utility outage/ disruptions
  Business disruption (non-system): Business closure due to external sources (pandemic, civil unrest)

Execution, Delivery and Process Management
Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.
  Transaction Capture, Execution and Maintenance: Miscommunication; Data entry, maintenance or loading error; Missed deadline or responsibility; Model/ system mis-operation; Accounting error/ entity attribution error; Other task mis-performance; Delivery failure; Collateral management failure; Reference data maintenance
  Monitoring and Reporting: Failed mandatory reporting obligation; Inaccurate external report (loss incurred)
  Customer Intake and Documentation: Client permissions/ disclaimers missing; Legal documents missing/ incomplete
  Customer/ Client Account Management: Unapproved access given to accounts; Incorrect client records (loss incurred); Negligent loss or damage of client assets
  Trade Counterparties: Non-client counterparty mis-performance; Miscellaneous non-client counterparty disputes
  Vendors and Suppliers: Outsourcing; Vendor disputes
