• INMA Part S1.3 Risks to be addressed in managing operational risk

    • INMA S1.3.1 Legal risk

      (1) Legal risk is the risk of loss resulting from:
      (a) regulatory or legal action;
      (b) disputes; or
      (c) failure to comply with, or the inadequate management of, legal or regulatory obligations.
      (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating legal risk. The policy should include:
      (a) processes for identifying events that might generate legal risk (for example, new products or processes, new documentation), the likelihood of those events occurring and their consequences; and
      (b) procedures to ensure that:
      (i) all contractual, legal, regulatory and other documentation is accurate and complete;
      (ii) the firm complies with all its legal, regulatory, contractual and prudential requirements and obligations; and
      (iii) the firm’s insurances (for example, professional indemnity insurance) are renewed in good time and remain effective.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA S1.3.2 Fraud risk

      (1) Fraud risk is the risk of loss from:
      (a) unauthorised activities such as those that breach the controls, procedures, limits and other restrictions in an INMA firm’s policies and procedures or legal or regulatory requirements;
      (b) deceptive acts or omissions intended to gain advantage for the parties committing the acts or other parties; or
      (c) intentional acts undertaken for personal gain or to tamper with or manipulate the financial or operational aspects of the firm’s business.
      (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating fraud risk. The policy should include:
      (a) internal controls and mitigation strategies;
      (b) segregation of duties at an operational level and in relation to functional reporting lines;
      (c) financial accounting controls;
      (d) staff training and awareness; and
      (e) appropriate processes for monitoring compliance with the firm’s procedures, controls, limits and other restrictions.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA S1.3.3 Economic and political risk

      (1) Economic and political risk is the risk of loss resulting from factors such as the following:
      (a) macroeconomic policy, government regulation and social policy;
      (b) events related to political instability.
      (2) An INMA firm’s risk management policy should include a process for identifying and assessing how political and economic factors might affect its business and its ability to meet its liabilities as they fall due, and procedures for managing and mitigating that risk.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA S1.3.4 Business continuity risk

      (1) Business continuity risk is the risk of loss (both financial and non-financial) resulting from disruptions to critical business operations. Critical business operations are the business functions, resources and infrastructure that would, if disrupted, have a significant effect on a firm’s business functions, reputation, profitability and customers.

      Note CTRL, rule 3.1.17 (3), requires an INMA firm’s governing body to review its business continuity procedures at least once every 18 months.
      (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating business continuity risk. The policy should include:
      (a) processes for identifying and analysing:
      (i) events that might lead to a disruption in business continuity;
      (ii) the likelihood of those events occurring;
      (iii) the processes most at risk; and
      (iv) the consequences of those events;
      (b) a plan (business continuity plan or BCP) describing:
      (i) objectives and procedures for crisis management and recovery to minimise the consequences from the disruption of its business;
      (ii) detailed procedures for carrying out the BCP, including manual processes, the activation of an off-site recovery site (if needed), the persons responsible for activating the BCP, and pre-assigned responsibilities of staff;
      (iii) a communications strategy and contact information for relevant staff, suppliers, regulators, market authorities, major customers, the media and other key people;
      (iv) a schedule of critical systems covered by the BCP and the timeframe for restoring those systems;
      (v) procedures for staff awareness and training on all aspects of the BCP; and
      (vi) procedures for regular (at least annual) testing, review and reporting on the BCP to the governing body and senior management; and
      (c) procedures for backing up important data regularly and storing the data off-site.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015)
      Amended by QFCRA RM/2021-1 (as from 1st July 2021).

    • INMA S1.3.5 Technology risk

      (1) Technology risk is the risk of loss resulting from inadequate or failed technology used in business operations, or the unauthorised use of such technology.
      (2) An INMA firm’s risk management policy should include processes and procedures to maintain the secure and effective use of technology in its business operations and for identifying, managing and mitigating technology risk.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA S1.3.6 Human resources risk

      (1) Human resources risk is the risk of loss resulting from inadequate human resources.
      (2) An INMA firm’s risk management policy should include processes and procedures for identifying, managing and mitigating human resources risk. The policy should include processes and procedures for:
      (a) risk identification and assessment of the firm’s human resources requirements;
      (b) ensuring that it has an appropriate number of suitably qualified and trained staff in accordance with the nature, scale, and complexity of its business;
      (c) managing and mitigating the loss of key personnel; and
      (d) monitoring and supervising its staff.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA S1.3.7 Outsourcing risk

      (1) Outsourcing risk is the risk of loss resulting from the non-performance, or poor performance, by a service provider of a function outsourced to the service provider under a material outsourcing arrangement (within the meaning of CTRL).

      Note 1 For the meaning of material outsourcing — see CTRL, glossary.

      Note 2 An INMA firm must assess the risks that a material outsourcing arrangement poses to its business (see CTRL, rule 8.2.2 (2) (a)) and the governing body of the firm must review, at least once every year, the firm’s outsourcing arrangements for assessing the feasibility of a proposed outsourcing arrangement and the risks that the outsourcing poses to the firm’s business (see CTRL, rule 8.1.3 (4) (a) (i)).
      (2) Outsourcing can bring significant benefits in terms of efficiency, cost reduction and risk management. However, the process of implementing outsourcing arrangements and the outsourcing relationship itself may expose an INMA firm to additional risk. Therefore, it is important that INMA firms supervise outsourced activities.

      Note CTRL, rule 8.2.4 (1) requires an INMA firm to inform the Regulatory Authority before entering into a material outsourcing arrangement.
      (3) Intra-group outsourcing might be thought to be subject to lower risks than using service providers from outside a corporate group. However, it is not risk-free, and an INMA firm should still assess the associated risks and make appropriate arrangements to manage them.
      (4) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating outsourcing risk. The risk management policy should include processes and procedures for:
      (a) negotiating contracts for outsourcing;
      (b) identifying, assessing and managing risks that may arise from the outsourcing;
      (c) procedures for managing the outsourcing service providers; and
      (d) mitigating any associated risks.
      (5) In negotiating a contract with a service provider or in assessing an existing contract, an INMA firm should consider matters that are relevant to risk management, including the following:
      (a) setting and monitoring authority limits and referral requirements;
      (b) the identification and assessment of performance targets;
      (c) procedures for evaluation of performance against targets;
      (d) provisions for remedial action;
      (e) the reporting requirements imposed on the service provider (including the content and frequency of reports);
      (f) the ability of the firm and its external auditors to obtain access to the service provider and their records;
      (g) the protection of intellectual property rights;
      (h) the protection of customers’ and the firm’s confidentiality;
      (i) the adequacy of any guarantees, indemnities or insurance cover that the service provider agrees to provide;
      (j) the ability of the service provider to provide continuity of business;
      (k) the arrangements to change, or terminate, the agreement.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015)
      Amended by QFCRA RM/2021-1 (as from 1st July 2021).

    • INMA S1.3.8 Project management risk

      (1) Project management risk is the risk of loss resulting from projects not achieving the desired objectives or having a negative effect on the adequacy of a firm’s resources.
      (2) If an INMA firm is likely to be exposed to project management risk, its risk management policy should include processes and procedures for identifying, assessing, managing and mitigating that risk. The policy may also set out processes and procedures for:
      (a) establishing and managing a project, including setting a business case, cost-benefit analysis, stakeholder sign-offs, monitoring the project objectives, deliverables, timeframes and post-implementation review;
      (b) clearly defined and appropriate authorities for project approvals and sign-offs; and
      (c) clearly defined and appropriate levels of delegation of authority.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015).

    • INMA S1.3.9 Strategic risk

      (1) Strategic risk is the risk of loss resulting from the pursuit of an unsuccessful business plan. Strategic risk might arise from making poor business decisions, from the substandard execution of decisions, from inadequate resource allocation, or from a failure to respond well to changes in the business environment.
      (2) An INMA firm’s risk management policy should include processes and procedures for identifying, assessing, managing and mitigating strategic risk.
      Derived from QFCRA RM/2014-4 (as from 1st January 2015).