PIB 6.2 Risk Management Framework and Governance

PIB 6.2.1

(1) An Authorised Firm must implement and maintain an Operational Risk policy which enables it to identify, assess, control and monitor Operational Risk.
(2) The policy must be documented and provide for a sound and well-defined risk management framework to address the Authorised Firm's Operational Risk.
(3) An Authorised Firm must:
    (a) ensure that its risk management systems enable it to implement the Operational Risk policy;
    (b) identify, assess, mitigate, control and monitor the risk; and
    (c) review and update the policy at intervals that are appropriate to the nature, scale and complexity of its activities.
Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]

PIB 6.2.2

An Authorised Firm must ensure that its Governing Body approves the Operational Risk policy in PIB Rule 6.2.1.
Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]

PIB 6.2.2 Guidance

1. Some of the key aspects that an Authorised Firm should consider in its Operational Risk policy include:
    a. the governance structures used to manage Operational Risk, including reporting lines and accountabilities;
    b. risk assessment tools and how they are used;
    c. the Authorised Firm's accepted Operational Risk appetite, permissible thresholds or tolerances for inherent and residual risk, and approved risk mitigation strategies and instruments;
    d. the Authorised Firm's approach to establishing and monitoring thresholds or tolerances for inherent and residual risk Exposure;
    e. risk reporting and MIS; and
    f. appropriate independent review and assessment of the Authorised Firm's Operational Risk framework.
2. An Authorised Firm's Operational Risk policy should, amongst other things, include consideration of Principles for the Sound Management of Operational Risk, issued by the Basel Committee on Banking Supervision (BCBS), and the Guidelines on the management of Operational Risk in market-related activities issued by the European Banking Authority, which are useful in relation to activities other than banking.

Governing Body Responsibilities

1. The GEN Module contains Rules and Guidance regarding corporate governance requirements for Authorised Firms, including the responsibilities of an Authorised Firm regarding risk management.
2. In developing, implementing and maintaining an effective Operational Risk framework, an Authorised Firm's Governing Body should:
    a. approve and review a risk appetite and tolerance for Operational Risk that articulates the nature, types and levels of Operational Risk that the Authorised Firm is willing to assume;
    b. consider all relevant risks, the Authorised Firm's level of risk appetite, its current financial condition and its strategic direction. The Governing Body should monitor management adherence to the risk appetite and tolerance and provide for timely detection and remediation of breaches;
    c. encourage a management culture, and develop supporting processes, which help to engender within the Authorised Firm an understanding by relevant Employees of the nature and scope of the Operational Risk inherent in the Authorised Firm's strategies and activities;
    d. provide senior management with clear guidance and direction regarding the principles underlying the Authorised Firm's Operational Risk management framework and approve the corresponding policies developed by senior management;
    e. regularly review the Authorised Firm's Operational Risk policy to ensure that the Authorised Firm has identified and is managing the Operational Risk arising from external market changes and other environmental factors, as well as those Operational Risks associated with new strategies, products, activities, or systems, including changes in risk profiles and priorities (e.g. changing business volumes). Such review should also take into account the Operational Risk loss experience, the frequency, volume or nature of limit breaches, the quality of the control environment and the effectiveness of risk management or mitigation strategies;
    f. ensure that the Authorised Firm's Operational Risk policy and framework is subject to effective independent review by audit or other appropriately-trained Persons;
    g. ensure that management is incorporating industry best practice in managing Operational Risk; and
    h. establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between Operational Risk control functions, business lines and support functions.

Senior Management Responsibilities
1. GEN 5.2 contains Rules and Guidance regarding senior management arrangements for Authorised Firms.
2. In relation to establishing and maintaining a robust Operational Risk framework, an Authorised Firm's senior management should:
    a. translate the Operational Risk management framework established by the Governing Body into specific policies and procedures that can be implemented and verified within the different business units;
    b. clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage Operational Risk in line with the Authorised Firm's risk appetite and tolerance; and
    c. ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.
Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]