PIB 6.3.2 Guidance

1. An Authorised Firm should have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should include consideration of:
a. inherent risks in any new product, service, or activity;
b. resulting changes to the Authorised Firm'sOperational Risk profile, appetite and tolerance, including changes to the risk of existing products or activities;
c. necessary controls, risk management processes, and risk mitigation strategies;
d. residual risk;
e. changes to relevant risk limits;
f. procedures and metrics to measure, monitor, and manage the risk of the new product or activity; and
g. appropriate investment in human resources and technology infrastructure.
2. Tools that an Authorised Firm may employ for identifying and assessing Operational Risk include:
a. internal loss data collection and analysis;
b. external data collection and analysis;
c. risk assessments;
d. business process mapping;
e. risk and performance indicators; and
f. scenario analysis.
Derived from RM111/2012 (Made 15th October 2012). [VER20/12-12]