OR-1 Operational Risk Management V.2 - consultation
8. Specific aspects of operational risk management
8.1 Change management
8.1.1 Change management should assess the evolution of the risks associated with the change initiatives of the AI (such as those referred to in para. 7.4.7(a)) across time, from inception to termination (e.g. throughout the full life cycle of a product). The policies and procedures on change management should define the process for identifying, managing, challenging, approving and monitoring change on the basis of agreed objective criteria. Change implementation should be monitored by specific oversight controls. Change management policies and procedures should be subject to independent and regular review and update, and clearly allocate roles and responsibilities in accordance with the three lines of defence model, in particular:
(a) the first line of defence should perform operational risk and control assessments of new products, activities, processes and systems, including the identification and evaluation of the required change through the decision-making and planning phases to the implementation and post-implementation review.
(b) the second line of defence (i.e. CORF) should challenge the operational risk and control assessments of the first line of defence, as well as monitor the implementation of appropriate controls or remediation actions. CORF should cover all phases of this process. In addition, CORF should ensure that all relevant control groups (e.g. finance, compliance, legal, business, ICT, risk management) are involved as appropriate.
8.1.2 An AI should have policies and procedures for the review and approval of its change initiatives, covering:
(a) inherent risks including legal, ICT and model risks (especially when outsourcing is involved);
(b) changes to the AI’s operational risk profile, appetite and tolerance, including changes to the risk of existing products or activities;
(c) necessary controls, risk management processes and risk mitigation strategies;
(d) residual risk;
(e) changes to relevant risk management thresholds or limits; and
(f) the procedures and metrics to assess, monitor and manage risks.
8.1.3 The review and approval process should include ensuring that appropriate investment has been made for human resources and technology infrastructure before changes are introduced. Changes should be monitored, during and after their implementation, to identify any material differences to the expected operational risk profile and manage any unexpected risks. Controls and procedures for identifying and assessing threats/vulnerabilities and operational risk should be assessed to ensure that they remain effective after a change to any underlying components of critical operations.
8.1.4 To facilitate the monitoring of changes, AIs should maintain a central record of their products and services (including outsourced functions or activities) to the extent possible.
8.1.5 AIs should also see section 4.3 of IC-1 “Risk Management Framework” for general guidance on risk management relating to new products and services.
8.2 Information Communication and Technology
8.2.1 There are inherent risks and benefits in the application of ICT in the operations of AIs. While automated processes are less prone to error than manual processes, they introduce risks that must be addressed through sound technology governance and infrastructure risk management programmes. In addition, the use of technology related products, activities, processes and delivery channels exposes an AI to operational risk and possibility of material financial loss. Consequently, AIs should have an integrated approach to ICT risk management under their ORMF. ICT risk management should ensure effective ICT performance and ICT security, contributing to an effective operating and control environment essential for achieving the AIs’ strategic objectives. Sound ICT risk management reduces AIs’ operational risk exposure to direct losses, legal claims, reputational damage, ICT disruption and misuse of technology in alignment with its risk appetite and tolerance statement.
8.2.2 To ensure the confidentiality, integrity and availability of data and systems, the Board should regularly oversee the effectiveness of the AI’s ICT risk management and senior management should routinely evaluate the design, implementation and effectiveness of the AI’s ICT risk management. This requires regular alignment of the business, risk management and ICT strategies to ensure consistency with the AI’s risk appetite and tolerance statement as well as with privacy and other applicable laws.
8.2.3 Effective ICT risk management should include the following processes:
(a) defining ICT risk;
(b) identifying the operations which are exposed to ICT risk and assessing the magnitude of the risk exposure (e.g. high, medium, low);
(c) implementing ICT risk mitigation measures consistent with the assessed risk level. Common measures include cybersecurity, response and recovery programmes, ICT change management processes, ICT incident management processes (including relevant information transmission to users on a timely basis);
(d) monitoring the effectiveness of mitigation measures (including regular tests);
(e) regular reporting of ICT risks, controls and events to senior management.
8.2.4 ICT risk management together with complementing processes set by AIs should:
(a) be reviewed on a regular basis for completeness against relevant industry standards and best practices as well as against evolving threats (e.g. cyber) and evolving or new technologies;
(b) be regularly tested to identify gaps against stated risk tolerance objectives and facilitate improvement of the ICT risk identification, protection, detection and event management; and
(c) make use of actionable intelligence to continuously enhance their situational awareness of vulnerabilities to ICT systems, networks and applications and facilitate effective decision making in risk or change management.
8.2.5 AIs should develop approaches to ICT readiness for stressed scenarios from disruptive external events, such as the need to facilitate the implementation of wide-scale remote-access, rapid deployment of physical assets and/or significant expansion of bandwidth to support remote user connections and customer data protection. In this connection, AIs should ensure that:
(a) appropriate risk mitigation strategies are developed for potential risks associated with a disruption or compromise of ICT systems, networks and applications. AIs should evaluate whether the risks, taken together with these strategies, fall within their risk appetite and risk tolerance;
(b) well defined processes for the management of privileged users and application development are in place; and
(c) regular updates are made to ICT including cyber security in order to maintain an appropriate security posture.
8.2.6 Please also refer to TM-E-1 “Risk Management of E-banking” and TM-G-1 “General Principles for Technology Risk Management” for relevant guidance.
8.3 Business continuity management and disaster recovery plan
8.3.1 All AIs should have in place formal contingency and business continuity plans (BCP)21 to ensure their ability to operate on an ongoing basis and limit losses in the event of severe business disruption. The management should periodically review these plans so that they are consistent with the AI’s current operations and business strategies. Moreover, these plans should be tested periodically to ensure that the AI would be able to execute the plans in the unlikely event of a severe business disruption. The approval and subsequent reviews of the BCP by the Board should ensure that contingency strategies remain consistent with current operations, risks and threats and the AI’s ORMF. A sound BCP requires the commitment of the first and second lines of defence to its design, strong involvement of senior management and business unit leaders in its implementation and regular review by the third line of defence.
8.3.2 Moreover, the BCP should be forward looking in the disruption scenarios, with relevant impact assessments and recovery procedures:
(a) the BCP should be based on scenario analyses of potential disruptions to the AI’s operations. For the purpose of the analyses, all business units as well as critical service providers and major third parties (e.g. central banks, clearing house) of the AI should be covered, and critical business operations and key internal and external dependencies be identified and categorised;
(b) each scenario should be subject to a quantitative and qualitative impact assessment or business impact analysis with regard to its financial, operational, legal and reputational consequences; and
(c) disruption scenarios should be subject to thresholds or limits (such as maximum tolerable outage) for the activation of business continuity procedures. These procedures should address resumption aspects, set recovery time objectives and recovery point objectives as well as communication guidelines for informing management, employees, regulatory authorities, customers, suppliers and where appropriate, civil authorities.
21 Business continuity planning should be consistent with and conducted alongside the same and the testing of critical operations as specified in the relevant guidance set out in OR-2.
8.3.3 An AI should provide customised training and awareness programmes to its staff based on their specific roles to ensure that they can effectively execute contingency plans.
Business continuity procedures should be tested periodically to ensure that recovery and resumption objectives and timeframes can be met in the unlikely event of a severe business disruption. Where possible, an AI should participate in business continuity testing with key service providers. Results of formal testing and review activities should be reported to senior management and the Board.
8.3.4 Please also refer to TM-G-2 “Business Continuity Planning” for the sound practices which the HKMA expects AIs to adopt in their business continuity planning.
9. Disclosure
9.1 The regulatory disclosure requirements (including in relation to operational risk exposures and operational risk management) that AIs are required to comply with are specified in the Banking (Disclosure) Rules (Cap 155M). These Rules are supplemented by interpretative guidance contained in CA-D-1 “Guideline on the Application of the Banking (Disclosure) Rules”.
9.2 Outlined below are a few general principles that AIs are expected to follow, in particular to enable their stakeholders to assess their approach to operational risk management and their operational risk exposure:
(a) an AI should publicly disclose information on its operational risk management. The amount and type of disclosure should be commensurate with the size, risk profile and complexity of the AI’s operations, and should take into account evolving industry practices;
(b) an AI should also disclose relevant operational risk exposure information to its stakeholders (including significant operational loss events22) while not creating operational risk through this disclosure (e.g. description of unaddressed control vulnerabilities). An AI should disclose its ORMF in a manner that allows stakeholders to determine whether the AI identifies, assesses, monitors and controls/mitigates operational risk effectively; and
22 The recommendation to disclose significant operational loss events does not include disclosure of confidential and proprietary information, including information about legal reserves.
(c) an AI should have a formal disclosure policy that is subject to regular and independent review and approval by the senior management and the Board. The policy should set out the AIs’ approach for determining what operational risk disclosures they will make and the internal controls over the disclosure process. In addition, AIs should implement a process for assessing the appropriateness of their disclosures and disclosure policy.