BANK 7.2.7 Principle 7: approval process for new products etc

(1) The senior management of a banking business firm must ensure that there is an approval process that fully assesses operational risk for all new products, activities, processes and systems.
Guidance
In general, a banking business firm’s operational risk exposure is increased when the firm engages in a new activity, develops a new product, enters an unfamiliar market, implements a new business process or technology system or engages in a business distant from its head office. Moreover, the level of risk may increase when a new product, activity, process, or system transitions from an introductory level to a level that represents a significant source of revenue or a business-critical operation.
(2) A banking business firm must ensure that its risk management control infrastructure is appropriate at inception and that it keeps pace with the rate of growth of, or changes to, products, activities, processes and systems.
(3) A banking business firm must have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process must consider:
(a) the risks inherent in the new product, activity, process or system;
(b) changes to the firm’s operational risk profile and appetite and tolerance, including the risk of existing products or activities;
(c) the necessary controls, risk management processes and risk mitigation strategies;
(d) the residual risk;
(e) changes to relevant risk thresholds or limits; and
(f) the procedures and metrics to measure, monitor, and manage the risk of the new product, activity, process or system.
(4) The approval process must also include ensuring that appropriate investment has been made in human resources and technology infrastructure before a new product, activity, process or system is introduced.
(5) The implementation of a new product, activity, process or system must be monitored to identify any significant differences to the expected operational risk profile, and to manage any unexpected risks.
Derived from QFCRA RM/2020-2 (as from 1st January 2021)