Roger McCormick, Chris Stears
Part 1 BCBS Principles [1]
Fundamental Principles of Operational Risk Management
Principle 1: The board of directors should take the lead in establishing a strong risk management culture. The board of directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture [2] exists throughout the whole organisation.
Principle 2: Banks should develop, implement and maintain a Framework that is fully integrated into the bank’s overall risk management processes. The Framework for operational risk management chosen by an individual bank will depend on a range of factors, including its nature, size, complexity and risk profile.
The Board of Directors
Principle 3: The board of directors should establish, approve and periodically review the Framework. The board of directors should oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.
Principle 4: The board of directors should approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types, and levels of operational risk that the bank is willing to assume.
Principle 5: Senior management should develop for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank’s material products, activities, processes and systems consistent with the risk appetite and tolerance.
Identification and Assessment
Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.
Principle 7: Senior management should ensure that there is an approval process for all new products, activities, processes and systems that fully assesses operational risk.
Monitoring and Reporting
Principle 8: Senior management should implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms should be in place at the board, senior management, and business line levels that support proactive management of operational risk.
Control and Mitigation
Principle 9: Banks should have a strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.
Part 2 Risk Management Principles for Electronic Banking [4]
Principle 1: The Board of Directors and senior management should establish effective management oversight over the risks associated with e-banking activities, including the establishment of specific accountability, policies and controls to manage these risks.
Principle 2: The Board of Directors and senior management should review and approve the key aspects of the bank’s security control process.
Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank’s outsourcing relationships and other third party dependencies supporting e-banking.
Principle 4: Banks should take appropriate measures to authenticate the identity and authorization of customers with whom they conduct business over the Internet.
Principle 5: Banks should use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactions.
Principle 6: Banks should ensure that appropriate measures are in place to promote adequate segregation of duties within e-banking systems, databases and applications.
Principle 7: Banks should ensure that proper authorization controls and access privileges are in place for e-banking systems, databases and applications.
Principle 8: Banks should ensure that appropriate measures are in place to protect the data integrity of e-banking transactions, records and information.
Principle 9: Banks should ensure that clear audit trails exist for all e-banking transactions.
Principle 10: Banks should take appropriate measures to preserve the confidentiality of key e-banking information. Measures taken to preserve confidentiality should be commensurate with the sensitivity of the information being transmitted and/or being stored in databases.
Principle 11: Banks should ensure that adequate information is provided on their websites to allow potential customers to make an informed conclusion about the bank’s identity and regulatory status prior to entering into e-banking transactions.
Principle 12: Banks should take appropriate measures to ensure adherence to customer privacy requirements applicable to the jurisdiction to which the bank is providing e-banking products and services.
Principle 13: Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.
Principle 14: Banks should develop appropriate incident response plans to manage, contain and minimise problems arising from unexpected events, including internal and external attacks, that may hamper the provision of e-banking systems and services.
Part 3 Principles Applicable to the Compliance Function in Banks [5]
Responsibilities of the Board of Directors for Compliance
Principle 1: The bank’s board of directors is responsible for overseeing the management of the bank’s compliance risk. The board should approve the bank’s compliance policy, including a formal document establishing a permanent and effective compliance function. At least once a year, the board or a committee of the board should assess the extent to which the bank is managing its compliance risk effectively.
Responsibilities of Senior Management for Compliance
Principle 2: The bank’s senior management is responsible for the effective management of the bank’s compliance risk.
Principle 3: The bank’s senior management is responsible for establishing and communicating a compliance policy, for ensuring that it is observed, and for reporting to the board of directors on the management of the bank’s compliance risk.
Principle 4: The bank’s senior management is responsible for establishing a permanent and effective compliance function within the bank as part of the bank’s compliance policy.
Compliance Function Principles
Principle 5 (Independence): The bank’s compliance function should be independent.
Principle 6 (Resources): The bank’s compliance function should have the resources to carry out its responsibilities effectively.
Principle 7 (Compliance function responsibilities): The responsibilities of the bank’s compliance function should be to assist senior management in managing effectively the compliance risks faced by the bank. Its specific responsibilities are set out below. If some of these responsibilities are carried out by staff in different departments, the allocation of responsibilities to each department should be clear.
Principle 8 (Relationship with Internal Audit): The scope and breadth of the activities of the compliance function should be subject to periodic review by the internal audit function.
Principle 9 (Cross-border issues): Banks should comply with applicable laws and regulations in all jurisdictions in which they conduct business, and the organisation and structure of the compliance function and its responsibilities should be consistent with local legal and regulatory requirements.
Principle 10 (Outsourcing): Compliance should be regarded as a core risk management activity within the bank. Specific tasks of the compliance function may be outsourced, but they must remain subject to appropriate oversight by the head of compliance.
[1] Extract from Basel Committee on Banking Supervision, ‘Principles for the Sound Management of Operational Risk’, June 2011, being the document that replaced the February 2003 BCBS paper, ‘Sound Practices for the Management and Supervision of Operational Risk’. The 2011 document ‘incorporates the evolution of sound practice and details eleven principles of sound operational risk management covering (1) governance, (2) risk management environment and (3) the role of disclosure’.
[2] Internal operational risk culture is taken to mean the combined set of individual and corporate values, attitudes, competencies and behaviour that determine a firm’s commitment to and style of operational risk management.
[4] These principles are reproduced from the BCBS paper, ‘Risk Management Principles for Electronic Banking’ of July 2003. Principles 11–14 are described as having particular relevance to legal and reputational risk management (banks being encouraged to ensure e-banking services are ‘delivered on a consistent and timely basis in accordance with high customer expectations for constant and rapid availability and potentially high transaction demand’). However, other principles listed here, eg Principle 6, also have some bearing on legal risk management.