BANK 7.2.9 Principle 9: control and mitigation—additional requirements

(1) The requirements of this rule are in addition to those set out in CTRL.
(2) In addition to separation of duties and dual control, a banking business firm must ensure that it has other traditional internal controls as appropriate to address operational risk.
Examples of controls
• clearly established authorities and processes for approval
• close monitoring of adherence to assigned risk thresholds or limits
• safeguards for access to, and use of, bank assets and records
• appropriate staffing level and training to maintain expertise
• ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations
• regular verification and reconciliation of transactions and accounts.
(3) A banking business firm must ensure that it has appropriate controls to manage technology risk.
Guidance
1 Effective use and sound implementation of technology can contribute to the control environment. For example, automated processes are less prone to error than manual processes. However, automated processes introduce risks that must be addressed through sound technology governance and infrastructure risk management programs.
2 The use of technology-related products, activities, processes and delivery channels exposes a banking business firm to strategic, operational, and reputational risks and the possibility of significant financial loss.
3 Sound technology risk management uses the same precepts as operational risk management and includes:
• governance and oversight controls that ensure that technology, including outsourcing arrangements, is aligned with, and supportive of, the firm’s business objectives
• policies and procedures that facilitate the identification and assessment of risk
• establishment of a risk appetite and tolerance and performance expectations to assist in controlling and managing risk
• implementation of an effective control environment and the use of risk transfer strategies that mitigate risk
• monitoring processes that test for compliance with policy thresholds or limits.
4 Mergers and acquisitions that result in fragmented and disconnected infrastructure, cost-cutting measures or inadequate investment can undermine the firm’s ability to:
• aggregate and analyse information across risk dimensions or the consolidated enterprise
• manage and report risk on a business line or legal entity basis
• oversee and manage risk in periods of high growth.
5 The firm’s management should make appropriate capital investment or otherwise provide for a robust infrastructure at all times, particularly before mergers are consummated, high growth strategies are initiated, or new products are introduced.
(4) The firm’s governing body must decide the maximum loss exposure that the firm is willing, and has the financial capacity, to assume, and must perform an annual review of the firm’s risk and insurance management programme.
Guidance
If internal controls do not adequately address risk and exiting the risk is not a reasonable option, the firm can complement the controls by seeking to transfer the risk to another party such as through insurance. Risk transfer is an imperfect substitute for sound controls and risk management programs. Therefore, the firm should view risk transfer as complementary to, rather than a replacement for, thorough internal operational risk control. Having mechanisms to quickly identify, recognise and rectify distinct operational risk errors can greatly reduce exposures. Careful consideration also needs to be given to the extent to which risk mitigation tools such as insurance truly reduce risk, transfer the risk to another business sector or area, or create a new risk (for example counterparty risk).
Derived from QFCRA RM/2020-2 (as from 1st January 2021)