
Supervisory Policy Manual

OR-1 Operational Risk Management

V.2 - consultation

This module should be read in conjunction with the Introduction and with the Glossary, which contains an explanation of abbreviations and other terms used in this Manual. If reading on-line, click on blue underlined headings to activate hyperlinks to the relevant module.

—————————

Purpose

To set out the approach which the HKMA will adopt in the supervision of AIs’ operational risk, and to provide guidance to AIs on the key elements of effective operational risk management.

Classification

A non-statutory guideline issued by the MA as a guidance note

Previous guidelines superseded

OR-1 “Operational Risk Management” (v.1) dated 28.11.05

Application

To all AIs

Structure

1. Introduction

1.1 Background

1.2 Scope

1.3 Legal framework

1.4 Implementation

1.5 Operational resilience

2. Supervisory approach to operational risk

2.1 Objectives and principles

2.2 Supervisory processes

3. Operational risk management framework

3.1 Overview

3.2 An appropriate framework

4. Risk governance

4.1 Overview

4.2 Board oversight

4.3 Senior management responsibilities

4.4 Risk culture

5. Three lines of defence

5.1 Business unit management (first line of defence)

5.2 Operational risk management function (second line of defence)

5.3 Other operational risk related functions

5.4 Independent assurance (third line of defence)

6. Operational risk management strategy, policies and procedures

6.1 Strategy

6.2 Policies

6.3 Definition of operational risk

7. Operational risk management process

7.1 Overview

7.2 Risk identification and assessment

7.3 Risk monitoring and reporting

7.4 Risk control and mitigation

8. Specific aspects of operational risk management

8.1 Change management

8.2 Information Communication and Technology

8.3 Business continuity management and disaster recovery plan

9. Disclosure

Annex: Detailed loss event type classification

—————————


1. Introduction

1.1 Background

1.1.1 As set out in the HKMA’s risk-based supervisory approach under section 2 of SA-1 “Risk-based Supervisory Approach”, AIs are generally subject to eight major types of risks - credit, market, interest rate, liquidity, operational, reputation, legal and strategic. They are expected to establish a sound and effective system to manage each of these risks.

1.1.2 Operational risk is inherent in virtually all banking products, transactions, activities, processes and systems. It is defined by the Basel Committee on Banking Supervision (BCBS) as “the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events”. This definition includes legal risk but excludes strategic and reputational risks. However, where appropriate, strategic and reputational risks should be considered under an AI’s operational risk management framework (ORMF).

1.1.3 Operational risk has become an increasing issue over the last few years as banks:

(a) rely more on increasingly complex automated technology;

(b) develop more complex products;

(c) are involved in large scale mergers and acquisitions;

(d) initiate consolidation and internal reorganisation;

(e) adopt techniques which are devised to mitigate other forms of risks (e.g. collateralisation, credit derivatives, netting and asset securitisation), but potentially create other forms of risk (e.g. legal risk); and

(f) outsource some of their functions.

Failure to implement proper processes and procedures to control operational risks has resulted in significant operational losses for some banks in recent years.

1.1.4 In March 2021, the BCBS issued the “Revisions to the Principles for the Sound Management of Operational Risk”1, on which this module is primarily based. Superseding the BCBS “Principles for the Sound Management of Operational Risk” issued in 2011 (which had replaced the 2003 “Sound Practices for the Management and Supervision of Operational Risk” and addressed lessons from the Global Financial Crisis of 2007-09), the 2021 revisions incorporate further guidance to facilitate banks’ implementation of the principles, cover other important sources of operational risk, reflect the new operational risk framework in the Basel III reforms, and emphasise the importance of the principles in ensuring the operational resilience of banks2.

1.2 Scope

1.2.1 This module:

(a) sets out the HKMA’s supervisory approach to operational risk; and

(b) provides guidance on the key elements of a sound ORMF.

1 https://www.bis.org/bcbs/publ/d515.pdf.

2 Please see the “Principles for operational resilience” issued by the Basel Committee in March 2021 (https://www.bis.org/bcbs/publ/d516.htm).


1.2.2 In developing this module, the HKMA has made reference to:

(a) the two sets of 2021 BCBS principles mentioned under para. 1.1.4 above and footnote 2;

(b) Principle 25 of the “Core Principles for Effective Banking Supervision”3; and

(c) the operational risk management policies and practices adopted by some international banks.

1.2.3 For the purpose of this guidance, there is no standard measure of materiality, criticality or significance of an operational event or exposure as it varies among AIs. In determining the relative significance of an operational event or exposure, AIs may take into account both qualitative and quantitative factors that are relevant to their own circumstances and assess both the current and future impact of such factors on their capital, earnings, franchise or reputation.

1.3 Legal framework

1.3.1 Para. 10 of the Seventh Schedule to the Banking Ordinance requires AIs to maintain on and after authorization adequate accounting systems and systems of control. These are essential for ensuring prudent and efficient running of the business, safeguarding the assets of the institution, minimising the risk of fraud, monitoring the risks to which the institution is exposed and complying with legislative and regulatory requirements.

3 https://www.bis.org/basel_framework/standard/BCP.htm.


1.3.2 Para. 12 of the Seventh Schedule further requires AIs to conduct their business with integrity, prudence, competence and in a manner which is not detrimental to the interests of depositors or potential depositors. As set out in the “Guide to Authorization”, the HKMA’s assessment of an institution’s compliance with this paragraph will take account of, among other considerations, operational risk issues such as its ability to deal with external shocks and unexpected contingencies, its competence in resisting internal and external fraud and avoiding operational errors, and the quality of its information and communication technology (ICT)4 systems and staff.

1.3.3 Moreover, under §98 of the Banking (Capital) Rules (BCR), any AI incorporated in Hong Kong is required to maintain adequate regulatory capital calculated in accordance with the BCR, taking into account the AI’s operational risk in addition to credit risk and market risk.

1.4 Implementation

1.4.1 The HKMA recognises that operational risk management as a separate discipline remains at an early stage of development compared with some other areas of risk management. The various techniques and tools used to identify, assess, monitor and report operational risk exposures are still evolving. The guidance therefore sets out “sound practices” rather than “statutory requirements” on operational risk management. AIs are expected to develop and implement an ORMF consistent with the guidance in this module and commensurate with their nature, size, complexity and risk profile as soon as practicable. The ORMF should be reviewed regularly and kept up to date in the light of the evolving operating environment and operational risk management techniques.


4 ICT refers to the underlying physical and logical design of information technology and communication systems, the individual hardware and software components, data, and the operating environments.


1.5 Operational resilience

1.5.1 Operational resilience refers to the ability of an AI to deliver critical operations5 through disruptions. This ability enables an AI to identify and protect itself from threats and potential failures, respond and adapt to, and recover and learn from disruptive events, in order to minimise their impact on the delivery of critical operations. In considering its operational resilience, an AI should assume that disruptions will occur, and take into account its overall risk appetite and tolerance for disruption6 under a range of severe but plausible scenarios7.

1.5.2 Although operational risk management and operational resilience address different goals, they are closely interconnected. An effective operational risk management system and a robust level of operational resilience work together to reduce the frequency and the impact of operational risk events. When implementing the guidance in this module, an AI should also take into account relevant guidance issued by the HKMA in the SPM module OR-2 “Operational Resilience”. Specific guidance that links an AI’s ORMF to its operational resilience, i.e. its ability to ensure the delivery of critical operations through disruptions, is set out in paras. 2.2.4, 5.2.1(g), 7.1.1, 7.2.4(f), 7.2.6, 7.4.7(a) & (d), 8.1.3, 8.3.1 (footnote 21) and 8.3.2(a).

2. Supervisory approach to operational risk

2.1 Objectives and principles

2.1.1 Each AI should develop and maintain an appropriate ORMF that is effective and efficient in identifying, assessing, monitoring and controlling/mitigating operational risk, taking into account its complexity, range of products and services, organisational structure, and risk management culture.

2.1.2 The HKMA adopts a risk-based supervisory approach (see SA-1 “Risk-based Supervisory Approach”) which enables continuous supervision of AIs’ operational risk through a combination of on-site examinations, off-site reviews and prudential meetings. The objective is to assess, among other things, the level and trend of the AI’s operational risk exposures and losses as well as the adequacy and effectiveness of its ORMF, taking into account the guidance set out in this module. In the case of a locally incorporated AI, the HKMA will also assess the adequacy of its capital relative to the size of its operational risk exposure.

5 The term “critical operations” follows the meaning of the same term as defined in OR-2 “Operational Resilience”.

6 The term “tolerance for disruption” follows the meaning of the same term as defined in OR-2 “Operational Resilience”.

7 The term “severe but plausible scenarios” follows the meaning of the same term as defined in OR-2 “Operational Resilience”.

2.1.3 In assessing an AI’s exposure to and management of operational risk, the HKMA will have particular regard to the following factors:

(a) the appropriateness of the AI’s ORMF, including the level of oversight exercised by the Board of Directors (Board) and senior management, and its risk culture;

(b) the adequacy of strategies, policies and procedures for managing operational risk, including the definition of operational risk;

(c) the adequacy of the operational risk management processes in identifying, assessing, monitoring and controlling operational risks;

(d) the effectiveness of the AI’s operational risk mitigation efforts;

(e) the adequacy and results of the AI’s internal review and audit of operational risk;

(f) the findings and recommendations made in the management letter issued by the AI’s external auditors;

(g) the causes and impacts of significant operational risk events of the AI;

(h) the AI’s procedures for the timely and effective resolution of operational risk events and vulnerabilities; and

(i) the quality and comprehensiveness of the AI’s disaster recovery and business continuity plans.

2.1.4 Where necessary, the HKMA will coordinate and exchange information with other relevant supervisors to facilitate the evaluation of an AI’s ORMF.


2.2 Supervisory processes

2.2.1 Every AI is subject to examination by the HKMA of the effectiveness of its ORMF. In addition, the HKMA has the power under §59(2) of the Banking Ordinance to require external auditors’ reports to be submitted on an ad hoc basis covering AIs’ internal control systems.

2.2.2 The HKMA also monitors a locally incorporated AI’s compliance with the capital requirements under §98 of the BCR, taking into account the AI’s exposure to operational risk. The methodology for calculating the capital charge for operational risk is set out in the BCR.

2.2.3 AIs are expected to notify the HKMA of any event(s) that may have a significant impact on their operations. Such events may include:

(a) a significant operational loss/exposure that has been incurred/identified;

(b) a significant failure in their systems or controls;

(c) an intention to enter into an insourcing/outsourcing arrangement in respect of a banking related business area (including back office activities), or to make changes to or amend the scope of their insourcing/outsourcing of such areas;

(d) any significant changes in organisation, infrastructure or business operating environment; and

(e) the invocation of a business continuity plan.

2.2.4 Upon receiving notification of the above events, and if the situation as determined by the HKMA warrants, the HKMA may require the reporting AI to submit a report to it analysing the causes/purposes and impacts of the event as well as setting out the action plan to rectify any weaknesses identified or the contingency plan for dealing with failures arising from an intended change. In any case, after an operational risk incident, an AI should reassess the threats and vulnerabilities that affect the delivery of its critical operations, taking into account lessons learned and any new threats and vulnerabilities that caused the incident. The HKMA also expects any controls and procedures implemented to address those threats and vulnerabilities to be reviewed from time to time to ensure their continued effectiveness.

2.2.5 Serious lapses or deficiencies in internal controls of an institution can constitute an unsafe and unsound practice and possibly lead to significant losses or otherwise compromise the financial integrity of the institution. If appropriate, the MA will initiate supervisory actions if material deficiencies or situations that threaten the safe and sound conduct of the institution’s activities are not adequately addressed in a timely manner. Such supervisory actions may include the requirement of an independent special review report on the problem area, attachment of a condition to the consent of authorization limiting the level of business activity involved, or suspension of the activity completely, enforcement actions against the institution or its responsible directors and managers, or both, and would require the immediate implementation of all necessary corrective measures.

2.2.6 An AI should strive to improve its ORMF on an ongoing basis. Where necessary, the HKMA will monitor, compare and evaluate the improvements achieved by an AI and its plans for prospective developments during the course of its risk-based supervision.

3. Operational risk management framework

3.1 Overview

3.1.1 An AI should develop, implement and maintain an ORMF that is fully integrated into its overall risk management processes. The ORMF should be embedded across all levels of the organisation, including group and business units8, as well as new business initiatives, products, activities, processes and systems. In addition, results of the AI’s operational risk assessment should be incorporated into its overall business strategy development process.


3.2 An appropriate framework

3.2.1 Regardless of its size or complexity, each AI is expected to develop an appropriate framework for managing operational risk. The objective of an ORMF is to ensure that operational risks are consistently and comprehensively identified, assessed, mitigated/controlled, monitored and reported.

3.2.2 For the purpose of this module, an appropriate ORMF should contain the major components set out below:

(a) risk governance (including Board and senior management oversight) and risk culture – see section 4;

(b) risk management structure made up of three lines of defence, i.e. business line management (first line of defence), an independent corporate operational risk management function (CORF, second line of defence9) and independent assurance (third line of defence) – see section 5;

(c) strategy and policy (operational risk management strategy, policies and procedures) – see section 6;

(d) operational risk management process (the processes to identify, assess, monitor, control/mitigate and report operational risk) – see section 7;

(e) specific aspects of operational risk management including change management, ICT and business continuity planning – see section 8; and

(f) disclosure – see section 9.

8 The term “business unit” is meant broadly to include all associated support, corporate and/or shared service functions, e.g. Finance, Human Resources and Operations and Technology. However, Risk Management and Internal Audit are not included unless otherwise specifically indicated.

9 In addition to a CORF, the second line of defence also typically includes a Compliance function.

3.2.3 In practice, an AI’s ORMF must reflect the scope and complexity of its business lines, range of products and services, corporate organisational structure, and risk management culture.

Each AI’s operational risk profile is unique and requires a tailored risk management approach appropriate for the scale and materiality of the risks present, and size of the institution. There is no single framework that would suit every institution; different approaches will be needed for different institutions. In fact, the banking industry and supervisory authorities continue to develop their organisational models and techniques for operational risk management.

3.2.4 Nevertheless, the three lines of defence model has been widely adopted in the industry with varied degrees of implementation formality. AIs should adopt this model adequately and proportionately to manage every kind of operational risk subcategory, including ICT risk, and be able to demonstrate that the model is operating satisfactorily and to explain how the Board (or an independent committee of the Board) and senior management ensure that the model is implemented and operating in an appropriate manner. They should ensure that each line of defence:

(a) is adequately resourced in terms of budget, tools and staff;

(b) has clearly defined roles and responsibilities;

(c) is continuously and adequately trained;

(d) promotes a sound risk management culture across the AI; and


(e) communicates with the other lines of defence to reinforce the ORMF.

3.2.5 The components of the ORMF should be fully integrated into the overall risk management processes of the AI by the first line of defence, adequately reviewed and challenged by the second line of defence, and independently reviewed by the third line of defence.

3.2.6 If in one business unit there are functions of both the first and second line of defence, the AI should document and distinguish the responsibilities of such functions in the first and second line of defence, emphasising the independence of the second line of defence.

4. Risk governance

4.1 Overview

4.1.1 Operational risk management requires the attention and involvement of a wide variety of organisational components, each of which has different responsibilities. It is essential that each of the organisational components clearly understands its roles, authority levels and accountabilities under the institution’s organisational and risk management structure. All business and support functions should be an integral part of the overall ORMF. The establishment of a CORF can assist the Board and senior management in meeting their responsibility for understanding and managing operational risk. Moreover, although certain staff may be charged with specific responsibilities in relation to operational risk, all staff of the institution should play a role in the identification and management of operational risk.

4.2 Board oversight

4.2.1 Responsibility for operational risk management ultimately rests with the Board of an AI. To discharge this responsibility, the Board (or its delegated committee) should approve and periodically review the following:

(a) the ORMF; and

(b) the risk appetite and tolerance statement and risk limits for operational risk.


ORMF

4.2.2 To ensure that the ORMF is suitable and will be working effectively for the AI, the Board or its delegated committee(s) should:

(a) understand the nature and complexity of the risks inherent in the portfolio of the AI’s products, services, activities, and systems;

(b) establish a risk culture and ensure that the AI has adequate processes for understanding the nature and scope of the operational risk inherent in its current and planned strategies and activities;

(c) establish clear lines of management responsibility and accountability for implementing a strong internal control environment with appropriate independence/segregation of duties between the CORF, business units and support functions;

(d) ensure that the operational risk management processes are subject to comprehensive and dynamic oversight and are fully integrated into, or coordinated with, the overall framework for managing all risks across the AI;

(e) provide senior management with clear guidance regarding the principles underlying the ORMF, and approve the corresponding policies developed by senior management under these principles;

(f) regularly review and evaluate the ORMF’s effectiveness to ensure that the AI has identified and is managing the operational risk arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities, processes or systems (including in relation to the application of ICT – see section 8.2), including changes in risk profiles and priorities (e.g. changing business volumes);

(g) ensure that the AI’s ORMF is subject to effective independent review by the third line of defence (audit or other appropriately trained independent third parties from external sources); and

(h) ensure that, as best practice evolves, management is availing themselves of these advances.


Risk appetite and tolerance statement and risk limits

4.2.3 The risk appetite and tolerance statement for operational risk should articulate the nature, types and levels of operational risk that the AI is willing to assume. It should be developed under the authority of the Board and linked to the AI’s short- and long-term strategic and financial plans. Taking into account the interests of the AI’s customers and shareholders as well as regulatory requirements, an effective risk appetite and tolerance statement should:

(a) be easy to communicate and therefore easy for all stakeholders to understand;

(b) include key background information and assumptions that informed the AI’s business plans at the time it was approved;

(c) include statements that clearly articulate the motivations for taking on or avoiding certain types of risk, and establish boundaries or indicators (which may be quantitative or not) to enable monitoring of these risks;

(d) ensure that the strategy and risk limits of business units and legal entities, as relevant, align with the bank-wide risk appetite statement; and

(e) be forward-looking and, where applicable, subject to scenario and stress testing to ensure that the AI understands what events might push it outside its risk appetite and tolerance statement.

4.2.4 The Board should review regularly the risk appetite and tolerance statement and the appropriateness of the operational risk limits. This review should consider the current and expected changes in the external environment (including the regulatory context across all jurisdictions where the institution provides services); ongoing or forthcoming material increases in business or activity volumes; the quality of the control environment; the effectiveness of risk management or mitigation strategies; loss experience; and the frequency, volume or nature of limit breaches. The Board should also monitor management adherence to the risk appetite and tolerance statement and provide for timely detection and remediation of breaches.

4.3 Senior management responsibilities

4.3.1 Senior management should develop for approval by the Board a clear, effective and robust governance structure with well-defined, transparent and consistent lines of responsibility for operational risk management.

4.3.2 An AI’s governance structure should be commensurate with the nature, size, complexity and risk profile of its activities. When designing the operational risk governance structure, an AI should take into account the following sound industry practices:

Committee structure – A large and more complex AI establishes one or more operational risk management committees which report to the Board level risk management committee. Depending on the nature, size and complexity of the AI, there may be operational risk committees by country, business or functional area. Smaller and less complex AIs may establish just one risk management committee overseeing all risks without a separate operational risk management committee;

Committee composition – An operational risk management committee (or the risk management committee for a smaller AI) includes members with a variety of expertise, covering business activities, financial activities, legal, technological and regulatory matters and independent risk management;

Committee operation – Committee meetings should be held at appropriate frequencies with adequate time and resources to permit productive discussion and decision-making. Records of committee operations should be adequate to permit review and evaluation of committee effectiveness.

4.3.3 Senior management is responsible for implementing the ORMF approved by the Board through the development of specific policies, processes and procedures that can be implemented and verified within business units for managing operational risk. Such policies, processes and procedures should be consistently implemented and maintained throughout the organization for the management of operational risk in all of the AI’s material products, activities, processes and systems, in alignment with the AI’s risk appetite and tolerance statement.


4.3.4 In order to ensure that operational risk management policies and procedures are clearly understood and executed, senior management should define the AI’s organisational structure for operational risk management and communicate individual roles and responsibilities. It is essential that staff at all levels in the institution clearly understand their individual roles in the operational risk management process.

4.3.5 While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management should clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk effectively in line with the AI’s risk appetite and risk tolerance statement. They should also ensure that staff responsible for monitoring and enforcing compliance with the AI’s operational risk policy have authority independent from the units they oversee. Moreover, senior management should assess and ensure the appropriateness of the operational risk management process in the light of the risks inherent in a business unit’s activities.

4.3.6 Senior management is also responsible for ensuring that sufficient human and technical resources are devoted to operational risk management, such that the AI’s activities are conducted by qualified staff with the necessary experience, technical capabilities and access to resources.

4.3.7 Senior management should ensure that staff responsible for managing operational risk coordinate and communicate effectively with staff responsible for managing other risks such as credit, market, etc., as well as with those responsible for the procurement of external services such as insurance risk transfer and other third-party arrangements (including outsourcing). Failure to do so could result in significant gaps or overlaps in the AI’s overall risk management programme.

4.3.8 Senior management is responsible for establishing and maintaining robust challenge mechanisms and processes for resolving operational issues, including systems to report, track and escalate issues to ensure their resolution.

4.3.9 Since operational risk management is evolving and the business environment is constantly changing, senior management should ensure that the ORMF (in particular its policies, processes and systems) remains sufficiently robust and that operational losses are adequately addressed in a timely manner. Improvements in operational risk management depend heavily on senior management’s willingness to be proactive and to act promptly and appropriately to address operational risk managers’ concerns.

4.3.10 See also CG-1 “Corporate Governance of Locally Incorporated Authorized Institutions” for general guidance on corporate governance.

4.4 Risk culture

4.4.1 The Board and senior management of an AI also have an important responsibility in fostering a positive risk culture on which a successful ORMF (particularly in respect of the effectiveness of the processes in that framework) depends. In general, the Board should take the lead in establishing a strong risk management culture for the AI, which should be implemented by the senior management.

4.4.2 A successful operational risk management framework, and in particular the effectiveness of the processes in that framework, depends on a positive risk culture. An AI’s risk culture encompasses the general awareness, attitude and behaviour of its employees towards risk and the management of risk within the organisation. Factors contributing to a positive risk culture include:

(a) An AI’s business objectives and risk appetite, operational risk management framework and the related roles, responsibilities and authorities of relevant staff in implementing the framework must be clearly set out and communicated by senior management to staff at all levels, and the staff should understand their responsibilities with respect to operational risk management.

(b) The Board and senior management should provide strong and consistent support for operational risk management and ethical behaviour, convincingly reinforcing codes of conduct and ethics, compensation strategies and training programmes. Senior management must have an ongoing role throughout the risk management process and send out a consistent message to the whole organisation that the Board and senior management are fully supportive of the risk management framework through their actions and words.

(c) The Board and senior management should communicate a culture emphasising high standards of ethical behaviour and prohibiting conflicts of interest or inappropriate provision of financial services (whether wilful or negligent) at all levels of the AI. This can be achieved through the establishment and application, to both staff and Board members, of a code of conduct 10 or an ethics policy, and by members of the Board and senior management setting the example of following it. The code or relevant policy should be regularly reviewed and approved by the Board and attested by employees. Its implementation should be overseen by a Board level committee, and the code should be made publicly available (e.g. on the AI’s website). A separate code of conduct may be established for specific positions in the AI (e.g. treasury dealers and senior management).

(d) The AI’s business and risk management activities must be carried out by qualified staff with the necessary experience, technical capabilities and adequate access to resources.

(e) Senior management should ensure that appropriate operational risk management and ethical behaviour training is available at all levels throughout the organisation, such as heads of business units, heads of internal controls and senior managers. Training provided should reflect the seniority, role and responsibilities of the individuals for whom it is intended.

(f) The AI’s remuneration policies must be consistent with its appetite and tolerance for risk as well as overall safety and soundness. They must also appropriately balance risk and reward 11. Performance incentives should include consideration of risk management, and their design should not provide incentives for people to operate contrary to the desired risk management values, e.g. established position limits.

(g) There must be an environment in which staff can speak out and raise operational risk problems openly without fear of negative consequences.

10 For the detailed requirements of a code of conduct please refer to CG-3 “Code of Conduct”.

11 See also BCBS Report on the range of methodologies for the risk and performance alignment of remuneration, May 2011; Financial Stability Forum Principles for sound compensation practices, April 2009; Financial Stability Board FSB principles for sound compensation practices – implementation standards, September 2009; and the Financial Stability Board’s toolkit Strengthening Governance Frameworks to Mitigate Misconduct Risk, April 2018.

4.4.3 An AI should also refer to the following SPM modules for general guidance relating to sound risk management culture:

(a) CG-1 “Corporate Governance of Locally Incorporated Authorized Institutions”;

(b) IC-1 “Risk Management Framework”;

(c) CG-3 “Code of Conduct”; and

(d) CG-5 “Guideline on a Sound Remuneration System”.

5. Three lines of defence

5.1 Business unit management (first line of defence)

5.1.1 Business unit management is accountable on a day-to-day basis for identifying, managing and reporting operational risks specific to a business unit. They must ensure that internal controls and practices within their business line are consistent with the AI’s firm-wide policies and procedures to support the management of the institution’s operational risk. They should ensure that business-specific policies, processes, procedures and staff are in place to manage operational risk for all material products, activities, and processes. Implementation of the ORMF within each business unit should reflect the scope of that business unit and its inherent operational complexity and operational risk profile 12. Business unit management must be independent of the AI’s firm-wide CORF.

12 Operational risk profile describes the operational risk exposures and control environment assessments of business units and considers the range of potential impacts that could arise from estimates of expected to severe losses. The profile generally provides management and the Board with a representation of operational risk exposures at a level which supports their decision-making and oversight responsibilities.


5.1.2 To facilitate management of operational risk within each business unit, good practice suggests that there should be dedicated operational risk staff at the business units. These staff members usually have dual reporting lines. While they have a direct reporting relationship in the business unit, they work closely with the CORF to assure consistency of policy and tools, as well as to report results and issues. Their responsibilities may include development of risk indicators, determining escalation triggers and providing management reports, and to be effective they should be given sufficient empowerment and resources to carry out these responsibilities. The responsibilities of the first line of defence include:

(a) identifying and assessing the materiality of operational risks inherent in their respective business units through the use of operational risk management tools;

(b) establishing appropriate controls to mitigate inherent operational risks, including business- specific policies, processes, procedures and systems, and assessing the design and effectiveness of these controls through the use of the operational risk management tools;

(c) reporting whether the business units lack adequate resources, tools and training to ensure identification and assessment of operational risks;

(d) monitoring and reporting the business units’ operational risk profiles, and ensuring their adherence to the established operational risk appetite and tolerance statement; and

(e) reporting residual operational risks not mitigated by controls, including operational loss events, control deficiencies, process inadequacies, and non- compliance with operational risk tolerances.

5.2 Operational risk management function (second line of defence)

5.2.1 It has become a leading practice of banks to establish a CORF (at the group and/or corporate level) in a similar manner to institutional credit and market risk functions. The key role of the function is to assist senior management in meeting their responsibility for understanding and managing operational risk and to ensure the development and consistent application of operational risk policies, processes and procedures (see section 7) throughout the institution. In so doing, the CORF performs a number of roles including:

(a) developing and maintaining corporate-level policies, procedures and guidelines for operational risk management and controls;

(b) designing and implementing the institution’s operational risk assessment methodology, tools and risk reporting system;

(c) developing an independent view regarding business units’ (i) identified material operational risks, (ii) design and effectiveness of key controls, and (iii) risk tolerance;

(d) challenging the relevance and consistency of the business units’ implementation of the operational risk management tools, measurement activities and consolidated reporting systems, and providing evidence that such challenge is conducive to the evaluation of its effectiveness;

(e) establishing unified classification, methodology and procedures of operational risk;

(f) reviewing and contributing to the monitoring and reporting of the operational risk profile to the Board and senior management;

(g) working alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations and coordinating business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the institution;

(h) designing and providing operational risk management training, including to instil risk awareness, and advising the business units on operational risk management issues, e.g. deployment of operational risk tools; and

(i) liaising with internal and external auditors.

5.2.2 The managers of the CORF should be of sufficient stature within the AI to perform their duties effectively. Ideally, they are assigned a title that is commensurate with other risk management functions such as those on credit, market and liquidity risks.

5.2.3 The HKMA recognises that AIs operate in different ways and use different operational risk management structures and methodologies. Therefore, it does not propose to prescribe a formal definition of an independent CORF. However, in developing their own organisational structures for operational risk management, AIs should in any case have a policy which clearly defines the stature, roles and responsibilities of the CORF, reflective of the size and complexity of their operations.

5.2.4 In general, the CORF in larger AIs is expected to have a reporting structure independent of the risk-generating business units and be responsible for the design, maintenance and ongoing development of the ORMF within the AI. For smaller AIs, independence of the ORMF may be achieved through separation of duties and independent review of processes and functions.

5.2.5 In practice, the internal audit function in some AIs may have initial responsibility for developing an operational risk management programme. Where this is the case, AIs should see to it that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner. This is to ensure that the independence of internal audit is maintained.

5.2.6 In the case of a branch, subsidiary, or individual business units of an AI with a CORF at the group and/or corporate level, there should be dedicated operational risk staff at the branch, subsidiary or business units to assure consistency of policy and tools, as well as to report results and issues.


5.2.7 As appropriate, the ORMF documentation should clearly reference the relevant operational risk management policies and procedures.

5.3 Other operational risk related functions

5.3.1 The CORF typically engages relevant corporate control groups to support its assessment of the operational risks and controls. There are a number of other operational risk related staff functions within an AI that should play a supporting role to the CORF in the operational risk management of an AI. These include specialist departments such as legal and compliance, human resources, ICT and finance, which should be responsible for specific aspects of operational risk and the related issues, e.g. the human resources function should be a key participant in the management of “people” risk, rather than merely sharing information and providing expert advice. These other operational risk related functions should, on the one hand, be responsible for managing the operational risk in their own area and, on the other hand, provide support to other parties within the organisational structure for operational risk management.

5.4 Independent assurance (third line of defence)

5.4.1 The Board should be provided with independent assurance regarding the appropriateness of an AI’s ORMF. The relevant assessment should be performed by parties such as the internal auditors, external auditors or other suitably qualified independent third parties, who are not involved in the development, implementation and day-to-day operation of the operational risk management processes, including the operations of the other two lines of defence. AIs should have in place adequate audit coverage to verify that operational risk management policies and procedures have been implemented effectively across the AI. The Board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme are appropriate to the risk exposures. Any operational issues identified and reported in the audit process should be addressed by senior management in a timely and effective manner, or raised to the attention of the Board, as appropriate.

5.4.2 An effective independent assessment should:

(a) review the design and implementation of the operational risk management systems and associated governance processes through the first and second lines of defence (including the independence of the second line of defence);

(b) review validation 13 processes to ensure they are independent and implemented in a manner consistent with established policies;

(c) ensure that business unit management promptly, accurately and adequately responds to the issues raised, and regularly reports to the Board or its relevant committees on pending and closed issues; and

(d) opine on the overall appropriateness and adequacy of the ORMF and the associated governance processes across the AI, including whether the ORMF meets organisational needs and expectations (such as in respect of the corporate risk appetite and tolerance, and adjustment of the framework to changing operating circumstances) and complies with statutory and legislative provisions, contractual arrangements, internal rules and ethical conduct.

5.4.3 Any operational issues identified and reported in the assessment process should be addressed by senior management in a timely and effective manner, or raised to the attention of the Board, as appropriate.

5.4.4 As appropriate, the CORF should assess and propose control measures to manage the operational risk inherent in the third line of defence.

13 Validation is critical for a well-functioning ORMF in that it ensures that the quantification systems used by an AI are sufficiently robust and provide assurance of the integrity of inputs, assumptions, methodologies, processes and outputs, resulting in assessments of operational risk that credibly reflect the operational risk profile of the AI.


6. Operational risk management strategy, policies and procedures

6.1 Strategy

6.1.1 Operational risk management begins with the determination of the overall strategies and objectives of an institution. Once determined, the institution can identify the associated inherent risks in its strategy and objectives, and thereby establish an operational risk management strategy. Responsibility for defining the operational risk management strategy, and for ensuring it is aligned with overall business objectives, should rest with the Board. In doing so, the Board should provide clear guidance on the AI’s risk appetite or tolerance, i.e. what risks the AI is prepared to take in pursuit of its business objectives and what risks are unacceptable.

6.2 Policies

6.2.1 An AI should document its policies for managing operational risk, setting out its strategy and objectives for operational risk management for all key underlying businesses and support processes and the processes that it intends to adopt to achieve these objectives. An AI’s corporate operational risk policy should be documented and approved by the Board (or its delegated committee) and communicated clearly to staff at all levels.

6.2.2 An AI’s corporate policy for managing operational risk should include:

(a) the definition of operational risk (see section 6.3) and operational loss for the institution, including the types of operational risk that are faced by the AI and its customers that the AI will monitor;

(b) the organisational governance structure, which defines operational risk management roles, responsibilities and reporting lines of the Board, committees 14, senior management, risk management function, business line management and other operational risk related functions;

(c) the AI’s accepted operational risk appetite and tolerance; the thresholds, material activity triggers or limits for inherent operational risk (i.e. the risk before controls are considered) and residual operational risk (i.e. the risk exposure after controls are considered); and the approved risk mitigation strategies and instruments;

(d) the tools for risk and control identification and assessment and the role and responsibilities of the three lines of defence in using them;

(e) the approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure and ensuring controls are designed, implemented and operating effectively;

(f) the inventory of risks and controls implemented by all business units (e.g. in a control library);

(g) a common taxonomy of operational risk terms (see further elaboration in para. 6.3.1);

(h) an outline of the management reporting framework for producing timely and accurate data/information and the types of data/information to be included in the risk management reports;

(i) a mechanism for independent review and challenge of the outcome of the operational risk management process; and

(j) a requirement that the policy will be reviewed and revised as appropriate based on continued assessment of the quality of the control environment addressing internal and external environmental changes or whenever a material change in the operational risk profile of the AI occurs.

6.2.3 The corporate policy should be supported by a set of principles that apply to specific components of operational risk, such as new customer approval, new product approval, new ICT systems approval, outsourcing, business continuity planning, crisis management, and money laundering (see para. 7.4.7 for further guidance).

14 Mandates and memberships of the relevant committees should also be available.

6.2.4 Business unit management is responsible for managing risks in a particular business unit. Therefore, it is required to develop supplementary policies and procedures specific to its business, based on and consistent with the corporate operational risk management policy.

6.3 Definition of operational risk

6.3.1 In order to be able to efficiently identify, assess, monitor and report operational risk within an AI, it is necessary to define the underlying components of operational risk for consistent use across the organisation. In this connection, a common taxonomy of operational risk terms should be provided in the policy to ensure consistency of risk identification, exposure rating and risk management objectives across all business units 15. The taxonomy should distinguish operational risk exposures by event types, causes, materiality and business units where they occur. It should also flag those operational exposures that partially or entirely represent legal, conduct, model, ICT (including cyber) risks as well as exposures in the credit or market risk boundary.

6.3.2 The definition of operational risk should consider the full range of material operational risks facing the institution and capture the most significant causes of severe operational losses. A formal and detailed definition is also essential for improving communications, setting accountability, characterising and accumulating events for modelling and analysis, and consistently sharing experiences and ideas.

6.3.3 The BCBS defines operational risk by referring to the four underlying causes of operational risk – process, people, systems and external events (or environment) (see para. 1.1.2). The definition seeks to delineate operational risks from other risks by referring to key internal and external aspects of a bank’s operations that, alone or in combination, can cause operational losses. The following table provides an example of risk cause categories under each of the four underlying causes of operational risk:

15 An inconsistent taxonomy of operational risk terms may increase the likelihood of failure to identify and categorise risks, or failure to allocate responsibility for the assessment, monitoring, control and mitigation of risks.

Risk Cause Factors – Risk Cause Categories

Process:
• inadequate / inappropriate guidelines, policies & procedures;
• inadequate / failure of communication;
• erroneous data entry;
• inadequate reconciliation;
• poor customer / legal documentation;
• inadequate security control;
• breach of regulatory & statutory provisions / requirements;
• inadequate change management process; and
• inadequate back up / contingency plan

People:
• breach of internal guidelines, policies & procedures;
• breach of delegated authority;
• criminal acts (internal);
• inadequate segregation of duties / dual controls;
• inexperienced staff;
• staff oversight; and
• unclear roles & responsibilities

System:
• inadequate hardware / network / server maintenance

External:
• criminal acts;
• vendor misperformance;
• man-made disaster;
• natural disaster; and
• political / legislative / regulatory causes

6.3.4 Furthermore, to facilitate managing and measuring operational risks and assessing their potential impact, many banks have adopted definitions with categories of
