PIB 6.2 Risk Management Framework and Governance
PIB 6.2.1
(1) An Authorised Firm must implement and maintain an Operational Risk policy which enables it to identify, assess, control and monitor Operational Risk.
(2) The policy must be documented and provide for a sound and well-defined risk management framework to address the Authorised Firm's Operational Risk.
(3) An Authorised Firm must:
(a) ensure that its risk management systems enable it to implement the Operational Risk policy;
(b) identify, assess, mitigate, control and monitor the risk; and
(c) review and update the policy at intervals that are appropriate to the nature, scale and complexity of its activities.
PIB 6.2.2
An Authorised Firm must ensure that its Governing Body approves the Operational Risk policy in PIB Rule 6.2.1.
PIB 6.2.2 Guidance
1. Some of the key aspects that an Authorised Firm should consider in its Operational Risk policy include:
a. the governance structures used to manage Operational Risk, including reporting lines and accountabilities;
b. risk assessment tools and how they are used;
c. the Authorised Firm's accepted Operational Risk appetite, permissible thresholds or tolerances for inherent and residual risk, and approved risk mitigation strategies and instruments;
d. the Authorised Firm's approach to establishing and monitoring thresholds or tolerances for inherent and residual risk Exposure;
e. risk reporting and MIS; and
f. appropriate independent review and assessment of the Authorised Firm's Operational Risk framework.
2. An Authorised Firm's Operational Risk policy should, amongst other things, include consideration of the Principles for the Sound Management of Operational Risk, issued by the Basel Committee on Banking Supervision (BCBS), and the Guidelines on the management of Operational Risk in market-related activities issued by the European Banking Authority, which are useful in relation to activities other than banking.

Governing Body Responsibilities
1. The GEN Module contains Rules and Guidance regarding corporate governance requirements for Authorised Firms, including the responsibilities of an Authorised Firm regarding risk management.
2. In developing, implementing and maintaining an effective Operational Risk framework, an Authorised Firm's Governing Body should:
a. approve and review a risk appetite and tolerance for Operational Risk that articulates the nature, types and levels of Operational Risk that the Authorised Firm is willing to assume;
b. consider all relevant risks, the Authorised Firm's level of risk appetite, its current financial condition and its strategic direction. The Governing Body should monitor management adherence to the risk appetite and tolerance and provide for timely detection and remediation of breaches;
c. encourage a management culture, and develop supporting processes, which help to engender within the Authorised Firm an understanding by relevant Employees of the nature and scope of the Operational Risk inherent in the Authorised Firm's strategies and activities;
d. provide senior management with clear guidance and direction regarding the principles underlying the Authorised Firm's Operational Risk management framework and approve the corresponding policies developed by senior management;
e. regularly review the Authorised Firm's Operational Risk policy to ensure that the Authorised Firm has identified and is managing the Operational Risk arising from external market changes and other environmental factors, as well as those Operational Risks associated with new strategies, products, activities, or systems, including changes in risk profiles and priorities (e.g. changing business volumes). Such review should also take into account the Operational Risk loss experience, the frequency, volume or nature of limit breaches, the quality of the control environment and the effectiveness of risk management or mitigation strategies;
f. ensure that the Authorised Firm's Operational Risk policy and framework is subject to effective independent review by audit or other appropriately-trained Persons;
g. ensure that management is incorporating industry best practice in managing Operational Risk; and
h. establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between Operational Risk control functions, business lines and support functions.
Senior Management Responsibilities
1. GEN 5.2 contains Rules and Guidance regarding senior management arrangements for Authorised Firms.
2. In relation to establishing and maintaining a robust Operational Risk framework, an Authorised Firm's senior management should:
a. translate the Operational Risk management framework established by the Governing Body into specific policies and procedures that can be implemented and verified within the different business units;
b. clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage Operational Risk in line with the Authorised Firm's risk appetite and tolerance; and
c. ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.