Operational Risk Management Policy
The following areas should be addressed in the Policy. The list is indicative rather than exhaustive; depending on its priorities and readiness level, the organisation can add further areas over time.
- Role of the Board and the Risk Management Committee of the Board in driving the implementation of the framework;
- Setting up an Operational Risk Management Committee comprising senior management, with an outline of its membership, quorum and frequency of meetings;
- Risk assessment of new products and services;
- Risk assessment of existing and new Technology platforms;
- Review of cyber risk (information security);
- Review of Business Continuity and Disaster Recovery framework;
- Review of any regulatory development or external events that may impact the operational risk profile of the organisation;
- Management functions may highlight process gaps and potential issues discovered in the course of routine business or reviews, together with the action being taken on them. The self-awareness of management functions in raising such issues is an evolving process.
- The broad methodology for setting up the Risk & Control Self-Assessment (RCSA) library, the roles and responsibilities of those performing the control testing, and the collation of results and the review process need to be outlined in the Policy.
- The constituents of the framework, such as RCSAs, Key Risk Indicators (KRIs) and loss data, are to be described in detail, followed by a brief on the roles designated to perform the necessary activities. Each policy stipulation should ideally be backed by a corresponding process note detailing the granular steps of implementation.
- Operating linkages with other units, such as those that manage the organisation's policy and process documentation, product development, internal audit, regulatory compliance, the information security officer and business continuity planning, need to be outlined, since operational risk touches all of these areas.
- Capital computation methodology, if applicable, needs to be described in the Policy.