Governance.
The board of directors should regularly review and evaluate the effectiveness of and approve the operational risk management framework to ensure the bank has identified and is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities, processes, or systems, including changes in risk profiles and priorities.
For example, changing business volumes.
The board of directors should also ensure that senior management are implementing the policies, process, and systems effectively at all decision making levels.
The governance principle also applies to the risk, appetite and risk tolerance of the bank.
Risk, appetite, and tolerance. Statements for operational risk should be developed under the authority of the board of directors and linked to the bank's short and long-term strategic and financial plans.
This should be periodically reviewed by the board so that it articulates the nature types and levels of operational risk that the bank is willing to assume and they should regularly review and approve the appropriateness of limits and the overall operational risk, appetite, and tolerance statements.
Senior management is responsible for establishing and maintaining an effective governance structure for operational risk, which is clear, effective, and robust with well-defined, transparent and robust lines of responsibility.
The governance structure should include robust challenge mechanisms and effective issue resolution processes.
These should include systems to report, track, and when necessary, escalate issues to ensure resolution.
Next is risk identification and assessment.
These are fundamental characteristics of an effective operational risk management system and directly contributes to operational resilience capabilities.
Senior management should ensure the comprehensive identification and assessment of all operational risk inherent in material, products, activities, process, and systems of the bank to make sure the risk and incentives are well understood.
Effective risk identification considers both internal factors and external factors.
Sound risk assessments allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.
The The next principle to consider is around change management.
In general, a bank's operational risk exposure evolves when a bank initiates change, such as engaging in new activities or developing new products or services entering into unfamiliar markets or jurisdictions, implementing new or modifying business processes or technology systems and or engaging in businesses that are geographically distant from the head office.
The principle here centers around senior management, ensuring that the bank's change management process is comprehensive, appropriately resourced, and adequately articulated between the relevant lines of defense within the organization.
