Important Circulars
April 30, 2024 - Guidance Note on Operational Risk Management and Operational Resilience (RBI/2024-25/31 DOR.ORG.REC.21/14.10.001/2024-25 April 30, 2024 )
This guidance note updates the “Guidance Note on Management of Operational Risk” dated October 14, 2005.
It has been prepared based on the Basel Committee on Banking Supervision (BCBS) principles documents issued in March 2021, viz., (a) ‘Revisions to the Principles for the Sound Management of Operational Risk’ and (b) ‘Principles for Operational Resilience’ as well as the some of the international best practices.
The Guidance Note has adopted a principle-based and proportionate approach
Objective - To enhance the ability to withstand, adapt and recover from potential operational disruptions and ensure operational resilience
The Basel Committee on Banking Supervision (BCBS) recognized Operational Risk as a distinct class of risk in 2001.
BCBS came out with updated ‘Principles for the Sound Management of Operational Risk’ in 2021.
Additionally, it also came out with ‘Principles on Operational Resilience’ to enhance the ability of banks to withstand, adapt to and recover from potential hazards.
Operation Risk Management vs. Operational Resilience - While Operational Risk Management allows an RE to better identify, assess and mitigate the Operational Risks, Operational Resilience provides it the ability to deliver critical functions in the event of any disruption.
Risk Areas to address
Banking/Financial Products
Services
Activities
Processes
Systems
Impact of Poor Risk Management
Operational Disruption
Financial Stability
Viability of the Bank
Probable Reasons
Man-made causes
Information Technology (IT) Threats
Cyber Attacks
Change in Technology
Technology Failure
Geo-political conflicts
Business Disruptions
Internal and External Frauds
Execution/Delivery Errors
Third Party Dependencies
Natural Causes
Climate Change
Pandemic etc
Actions Required
Setting up Operation Risk Management Framework (ORMF)
Effective and Sound Management of RMF
Factor in the entire gamut of Risks in Risk Assessment Policies/Processes
Identify and assess using appropriate tools
Monitor material operational exposures
Device appropriate Risk Mitigation/Management Strategies using strong internal controls to minimise the operational disruptions
Ensuring continuous delivery of critical operations thus ensuring operational resilience
Guidance Note on Operational Risk Management and Operational Resilience has been built on three pillars
Prepare and Protect
Build Resilience
Learn and Adapt
Across these three pillars, the Guidance Note contains 17 principles
Three lines of defense for management of Operational Risk
First line of Defence
Business Unit Management - Sound Operational Risk governance recognises that business unit management is responsible for identifying and managing the risks inherent in the products, services, activities, processes and systems for which it is accountable
REs should have a policy that defines clear roles and responsibilities of relevant business units.
The responsibilities of an effective first line of defence in promoting a sound Operational Risk Management culture should include:
Identifying and assessing the materiality of Operational Risks inherent in their respective business units through the use of Operational Risk Management tools;
Establishing appropriate controls to mitigate inherent Operational Risks, and assessing the design and effectiveness of these controls through the use of the Operational Risk Management tools;
Reporting whether the business units lack adequate resources, tools and training to ensure identification and assessment of Operational Risks;
Monitoring and reporting the business units’ Operational Risk profiles, and ensuring their adherence to the established Operational Risk appetite and tolerance statement; and
Reporting residual Operational Risks not mitigated by controls, including operational loss events, control deficiencies, process inadequacies, and non-compliance with Operational Risk tolerances.
Second line of defence