BANK 7.2.3 Principle 3: governing body to approve framework

(1) The governing body of a banking business firm must establish, approve and periodically review the firm’s operational risk management framework. The governing body must oversee the firm’s senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.
(2) The governing body:
(a) must establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the firm’s strategies and activities;
(b) must develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall framework for managing all risks across the firm;
(c) must provide senior management with clear guidance and direction regarding the principles underlying the framework and must approve the corresponding policies developed by senior management;
(d) must regularly review the framework to ensure that the firm has identified, and is managing, the operational risk arising from external market changes and other environmental factors, and the operational risks associated with new products, activities, processes or systems, including changes in risk profiles and priorities (for example changing business volumes);
(e) must ensure that the framework is subject to effective independent review by audit or other appropriately trained persons; and
(f) must ensure that, as best practice evolves, the firm’s senior management avails themselves of those advances.
Guidance
Strong internal controls are a critical aspect of the management of operational risk, and the governing body should establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence and separation of duties between operational risk management functions, business lines and support functions.
Derived from QFCRA RM/2020-2 (as from 1st January 2021).