BANK 7.2.2 Principle 2: operational risk management framework

(1) A banking business firm must develop, implement and maintain a framework for the management of operational risk that:
(a) is fully integrated into the firm’s overall risk management processes; and
(b) is appropriate for the firm, taking into account the firm’s nature, size, complexity and risk profile.
Guidance
The fundamental premise of sound risk management is that the authorised firm’s governing body and management understand the nature and complexity of the risks inherent in the firm’s products, services and activities. This is particularly important for operational risk, given that operational risk is inherent in all business products, activities, processes and systems.
(2) The framework must be appropriately integrated into the firm’s risk management processes across all levels of the firm, including those at the group and business line levels, and into new business initiatives’ products, activities, processes and systems. In addition, the results of the firm’s operational risk assessment must be incorporated into the firm’s overall business strategy development processes.
Guidance
The framework is a vital means of understanding the nature and complexity of operational risk.
(3) The framework must be comprehensively and appropriately documented in policies approved by the firm’s governing body, and must include definitions of operational risk and operational loss.
Guidance
A banking business firm that does not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of its framework.
(4) The firm’s framework documentation:
(a) must clearly identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
(b) must clearly describe the risk assessment tools and how they are used;
(c) must clearly describe the firm’s accepted operational risk appetite and tolerance, its thresholds or limits for inherent and residual risk, and its approved risk mitigation strategies and instruments;
(d) must clearly describe the firm’s approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
(e) must establish reporting and management information systems in relation to operational risk;
(f) must provide a set of operational risk terms to ensure that risk identification, exposure rating and risk management objectives are consistent throughout the firm;
(g) must provide for appropriate independent review and assessment of operational risk; and
(h) must require the policies to be reviewed, and revised as appropriate, whenever a significant change occurs in the firm’s operational risk profile.
Derived from QFCRA RM/2020-2 (as from 1st January 2021)