BANK 7.2.5 Principle 5: role of senior management

(1) The senior management of a banking business firm must develop, for approval by the firm’s governing body, a clear, effective and robust governance structure for managing operational risk, with well defined, transparent and consistent lines of responsibility. The firm’s senior management is responsible for consistently implementing and maintaining, throughout the firm, policies, processes and systems for managing operational risk in all of the firm’s products, activities, processes and systems consistently with the firm’s risk appetite and tolerance.
(2) The firm’s senior management is responsible for establishing and maintaining robust challenge mechanisms and effective issue-resolution processes. The mechanisms should include systems to report, track and, when necessary, escalate issues to ensure that they are resolved.
(3) The firm’s senior management must translate the operational risk management framework established by the governing body into specific policies and procedures that can be implemented and verified within the firm’s business units. Senior management must clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage operational risk in line with the firm’s risk appetite and tolerance.
(4) The firm’s senior management must ensure that the management oversight process is appropriate for the risks inherent in each business unit’s activity.
(5) The firm’s senior management must ensure that the staff who are responsible for managing operational risk coordinate and communicate effectively with the staff who are responsible for:
(a) managing other risks (such as credit risk and market risk); and
(b) procuring external services (such as insurance risk transfer) and for making outsourcing arrangements.
Guidance
Failure to do so could result in significant gaps or overlaps in the firm’s overall risk management program.
(6) The managers of the firm’s corporate operational risk function must be of sufficient stature within the firm to perform their duties effectively.
Guidance
The standing within the firm of the managers of operational risk would ideally be evidenced by their titles being similar to those of the managers of other risk management functions such as the management of credit, market and liquidity risk.
(7) The senior management must ensure that the firm’s activities are conducted by staff with the necessary experience, technical capabilities and access to resources. Staff responsible for monitoring and enforcing compliance with the firm’s risk policy must have authority independent from the units they oversee.
Derived from QFCRA RM/2020-2 (as from 1st January 2021)