Guidelines on Operational Risk Management of Commercial Banks
Chapter I General Provisions
Article 1
Pursuant to the Law of the People’s Republic of China on
Banking Regulation and Supervision, the Law of the People’s Republic
of China on Commercial Banks as well as other applicable laws and
regulations, the Guidelines are formulated so as to enhance the
operational risk management of commercial banks.
Article 2
The Guidelines apply to domestic commercial banks,
wholly foreign-funded banks and Chinese-foreign joint venture banks
incorporated within the territory of the People’s Republic of China.
Article 3
Operational risk, as used in the Guidelines, refers to the risk of
loss resulting from inadequate or failed internal processes, people and
IT systems, or from external events. It includes legal risk but excludes
strategic and reputational risk.
Article 4
The China Banking Regulatory Commission (hereinafter
referred to as the “CBRC”) supervises and regulates the operational
risk management of commercial banks and evaluates the effectiveness
thereof under its authority by law.
Chapter II Operational Risk Management
Article 5
Commercial banks should, in line with the Guidelines, set
up an operational risk management system suitable to their own
business nature, scale and complexity to effectively identify, assess,
monitor and control/mitigate operational risk. This system can be in
any form, but should comprise at least the following basic elements:
1) oversight and control by the board of directors;
2) roles and responsibilities of senior management;
3) appropriate organizational structure;
4) operational risk management policies, methods, and procedures;
and
5) requirements on making capital provisions for operational risk.
Article 6
The board of directors of a commercial bank should treat
operational risk as a major risk and bear ultimate responsibility
for monitoring the effectiveness of operational risk management. The
responsibilities of the board shall include:
1) developing strategies and general policies for bank-wide
operational risk management that are aligned with the bank’s
strategic goals;
2) reviewing and approving the senior management's functions,
authorization and reporting arrangements with regard to operational
risk management, so as to ensure the effectiveness of the bank's
decision-making system for operational risk management and
ensure that the operational risk facing the bank's operations is
kept within its risk tolerance;
3) reviewing regularly the operational risk reports submitted by the
senior management; fully understanding the bank’s overall
operational risk management and the effectiveness of the senior
management in handling material operational risk events; and
monitoring and evaluating the effectiveness of daily operational
risk management;
4) ensuring that the senior management takes necessary measures to
effectively identify, assess, monitor and control/mitigate
operational risk;
5) ensuring that the bank’s operational risk management system is
effectively audited and overseen by internal audit department; and
6) having in place an appropriate reward-punishment system so as to
effectively promote the development of operational risk
management system in the bank as a whole.
Article 7
The senior management in a commercial bank is
responsible for implementing the operational risk management
strategies, general policies and running the system approved by the
board. It shall:
1) be ultimately responsible to the board for daily operational
risk management;
2) lay out and regularly review the operational risk management
policies, procedures and detailed processes in accordance with the
strategies and general policies developed by the board, oversee
their implementation, and regularly submit to the board reports on
overall operational risk management;
3) sufficiently understand the overall situation of the bank’s
operational risk management, particularly the events or programs
with material operational risk;
4) clearly define each department's responsibilities in operational risk
management as well as the reporting line, frequency and contents, and
urge each department to actually fulfill its responsibilities so as to
ensure the sound performance of the operational risk management
system;
5) equip operational risk management with appropriate resources,
including but not limited to providing necessary funds, setting up
necessary positions with qualified staff, offering training courses to
operational risk management personnel, and delegating authorization
to the said personnel to fulfill their duties; and
6) promptly check and revise the operational risk management system
so as to respond effectively to operational risk events brought about
by changes in internal procedures, products, business activities, IT
systems, staff, external events or other factors.
Article 8
Commercial banks should designate a certain department
to be responsible for the construction and implementation of
operational risk management system. This department should be
independent from others in order to ensure the system’s consistency
and effectiveness. Its responsibilities shall mainly include:
1) drafting operational risk management policies, procedures and
specific processes and submitting them to the senior management
and the board for review and approval;
2) assisting other departments to identify, assess, monitor and
control/mitigate operational risk;
3) working out methods to identify, assess, mitigate (including
internal controls) and monitor operational risks, formulating
bank-wide reporting processes for operational risk and organizing
their implementation;
4) putting in place basic criteria for operational risk control over the
bank, and guiding and coordinating the operational risk
management;
5) providing each department with trainings on operational risk
management, and helping them improve operational risk
management capacity and fulfill their own duties;
6) regularly checking and analyzing the practices of operational risk
management in business departments and other departments;
7) regularly submitting operational risk reports to senior
management; and
8) ensuring that the operational risk management system and
measures are observed.
Article 9
The relevant departments in a commercial bank should be
directly responsible for operational risk management. Major
responsibilities include:
1) appointing designated staff to take charge of operational risk
management, including observing operational risk management
policies, procedures and specific processes;
2) following the assessment methods for operational risk management
to identify and assess the operational risks in the departments, and
to have in place an effective on-going procedure to monitor,
control/mitigate and report operational risks, then organize the
implementation thereof;
3) fully considering the requirements on operational risk management
and internal control when making department specific business
processes and related business policies, with a view to ensuring
operational risk management personnel at all levels participate in
the course of reviewing and approving important procedures,
controls and policies, thus making these aligned with the bank’s
general policy on operational risk management; and
4) monitoring key risk indicators and regularly reporting their own
department’s operational risk management situation to the
department which takes charge of or take the leading role in
operational risk management of the whole bank.
Article 10 The legal office, compliance office, IT office, security office,
and human resource office in a commercial bank should, besides
properly managing their own operational risks, provide relevant
resources and assistance within their strength and respective
responsibilities to other departments for the purpose of operational
risk management.
Article 11 The internal audit department in a commercial bank does
not directly take charge of or participate in other departments’
operational risk management, but it should regularly check and
evaluate how well the bank’s operational risk management system
operates, supervise the implementation of operational risk
management policies, independently evaluate the bank’s new
operational risk management policies, processes and specific
procedures, and report to the board of directors the evaluation results
of operational risk management system.
A commercial bank with high business complexity and large scale is
encouraged to entrust intermediary agencies to audit and evaluate its
operational risk management system on a regular basis.
Article 12 A commercial bank should have in place bank-wide
operational risk management policies that are commensurate with its
nature, scale, complexity and risk profile. Main contents include:
1) definition of operational risk;
2) appropriate organizational structure, authorization and
responsibilities with regard to operational risk management;
3) procedures to identify, assess, monitor and control/mitigate
operational risks;
4) reporting procedures of operational risk, including reporting
responsibilities, path and frequency, and other specific
requirements on other departments; and
5) requirements on promptly assessing operational risks associated
with existing and newly-developed important products, business
practices, procedures, IT system, human resource management,
external factors and changes thereof.
Article 13 A commercial bank should choose appropriate approaches to
manage operational risks, which may include: assessment of
operational risk and internal control, loss event reporting and data
collection, monitoring of key risk indicators, risk assessment regarding
new products and business practices, testing and audit of internal
control, and operational risk reporting.
Article 14 A commercial bank with high business complexity and large
scale should adopt more sophisticated risk management methods (e.g.
quantitative methods) to assess each department’s operational risk,
collect operational risk loss data, and make arrangements according to
the characteristics of operational risk associated with each line of
business.
Article 15 A commercial bank should develop effective processes to
regularly monitor and report operational risk status and material
losses. For risks with increasing loss potential, an early-warning
system for operational risk should be put in place so that timely
controls can be taken to mitigate risk and reduce the frequency and
severity of loss events.
Article 16 Material operational risk events should be reported to the
board, senior management and appropriate management personnel
according to the bank’s operational risk management policies.
Article 17 A commercial bank should enhance internal control for
effective operational risk management. Related internal controls
should at least include:
1) clearly defining the roles and responsibilities of each department
and making proper separation among relevant functions so as to
avoid potential conflicts of interests;
2) closely watching how well specified risk limit or authorization is
observed;
3) monitoring the records of access to and use of the bank’s assets;
4) ensuring the staff are appropriately trained and eligible for their
positions;
5) identifying the business activities or products that do not generate
reasonable prospective returns or that contain potential risks;
6) regularly reviewing and checking up transactions and accounts;
7) putting in place a system of job rotation and compulsory leave for
the heads and staff in key positions, together with a mechanism for
auditing staff when they leave a post;
8) working out a code of conduct to regulate on-the-job and off-the-job
behavior, particularly for staff in important positions or at
sensitive links in a process;
9) establishing an incentive and protection system to encourage staff
to report violations under their real names;
10) setting up a dual-appraisal system to investigate and resolve bank
fraud cases and impose punishments in a timely and proper manner;
11) having in place an information disclosure system for bank case
investigations; and
12) establishing an incentive and restraint mechanism for the
management and control of operational risk at the front line.
Article 18 A commercial bank should establish and gradually improve
its operational risk management information system (MIS) so as to
effectively identify, assess, monitor, control and report operational
risks. The system should at least record and store data on
operational risk losses and events, support self-assessment of
operational risks and control measures, monitor key risk indicators, and
provide the information contained in operational risk reports.
Article 19 To ensure business continuity, a commercial bank should
develop an emergency response plan that matches its business
scale and complexity, make back-up arrangements for service
recovery, and regularly check and test its disaster recovery
capability and business continuity mechanism so as to make sure that
they operate properly in the event of a disaster or severe business
disruption.
Article 20 A commercial bank should develop risk management policies
with regard to outsourcing practices in order to make sure that
outsourcing is subject to rigorous contracts and service agreements
which clearly specify the obligations of involved parties.
Article 21 A commercial bank may purchase insurance or enter into
contracts with third parties and treat these as a way to mitigate
operational risk, but it should by no means neglect the importance
of internal controls.
A commercial bank that mitigates operational risks by means of
insurance should formulate written policies and procedures
accordingly.
Article 22 A commercial bank should make adequate capital provisions
for the operational risk it undertakes as per the requirements of CBRC
on capital adequacy of commercial banks.
Chapter III Supervision of Operational Risk
Article 23 Commercial banks should submit to the CBRC their
operational risk management policies and processes for filing. They
should submit operational risk related reports to the CBRC or its local
offices as per regulations. Banks that entrust intermediary agencies to
audit their operational risk management system should also submit
audit reports to the CBRC or its local offices.
Article 24 Commercial banks should promptly report to the CBRC or its
local offices about the following material operational risk events if any:
1) banking crimes in which more than RMB300,000 is robbed from a
commercial bank or cash truck or stolen from a banking financial
institution; bank fraud or other cases involving an amount of more
than RMB10 million;
2) events that result in serious damage or loss of the bank’s
important data, books, blank vouchers, or business disruption for
over three hours in two or more provinces (autonomous
regions/municipalities), or business disruption for over six hours in
one province (autonomous region/municipality) and severely affect
the bank’s normal operations;
3) confidential information being stolen, sold, leaked or lost that may
affect financial stability and lead to economic disorder;
4) senior executives severely violating applicable regulations;
5) accident or natural catastrophe caused by force majeure, resulting
in immediate economic loss of more than RMB10 million;
6) other operational risk events that may result in a loss of more than
1‰ of the bank’s net capital; and
7) other material events as specified by the CBRC.
Article 25 The CBRC should regularly check and assess the operational
risk management policies, processes and practices of commercial
banks. Main items to be checked and assessed include:
1) effectiveness of the bank’s operational risk management processes;
2) the bank’s approaches to monitor and report operational risks,
including key operational risk indicators and operational risk loss
data;
3) the bank’s measures to timely and effectively handle operational
risk events and weak links;
4) the bank’s procedures of internal control, reviewing and auditing
within its operational risk management processes;
5) the quality and comprehensiveness of the bank's disaster
recovery and business continuity plans;
6) adequacy level of capital provisions for operational risks; and
7) other aspects of operational risk management.
Article 26 As to the operational risk management problems discovered
by the CBRC during supervision, the commercial bank should submit
correction plan and take correction actions within the specified time
limit.
When a material operational risk event occurs, if the commercial bank
fails to adopt effective correction measures within the specified time
limit, the CBRC should take appropriate regulatory actions in line with
laws and regulations.
Chapter IV Supplementary Provisions
Article 27 These Guidelines may apply to other banking institutions,
including policy banks, financial asset management companies, urban
credit cooperatives, rural credit cooperatives, rural cooperative banks,
trust and investment companies, finance companies, financial leasing
companies, automobile finance companies, money brokers, and postal
savings institutions.
Article 28 Banking institutions without a board of directors should
have their operating decision-making bodies perform the
responsibilities of the board with regard to operational risk
management specified herein.
Article 29 Branches set up by foreign banks within the territory of
People’s Republic of China should follow the operational risk
management policies and processes developed by their head offices,
report to the CBRC or its local offices about material operational risk
events, and accept the supervision of the CBRC. Where their head
offices do not lay out operational risk management policies and
processes, such branches should comply with the Guidelines.
Article 30 Relevant terms mentioned herein are defined in the
Appendix.
Article 31 The Guidelines shall become effective as of the date of
promulgation.
Appendix: Definitions of Relevant Terms
1. Operational risk events
Operational risk events refer to events resulting from
inadequate or failed internal processes, people and IT systems, or from
external factors, which bring about financial losses or affect the bank's
reputation, clients or staff. Specific event types include: internal fraud,
external fraud, employment practices and workplace safety, clients,
products & business practices, damages to physical assets, business
disruption and system failures, execution, delivery & process
management (see Annex 7 – Detailed Loss Event Type Classification of
The International Convergence of Capital Measurement and Capital
Standards: A Revised Framework or the New Basel Capital Accord).
2. Self-assessment on risk and key risk indicators
Tools used by commercial banks to identify and assess operational
risks.
1) Self-assessment on risk
Self-assessment on risk is an operational risk management tool by
which a commercial bank identifies and assesses the potential
operational risks in its own business practices and the control measures
in place, together with the appropriateness and effectiveness of those
measures.
2) Key Risk Indicator
Key risk indicators refer to the statistical indicators that represent the
changes in a certain area of risk and can be monitored on a regular
basis. These indicators can be used to monitor various risks and
control measures that may result in loss events and to function as
early-warning indicators for risk changes (so that senior management
can take timely actions accordingly). Examples of specific indicators:
loss ratio per RMB100 million of assets, number of banking crimes per
10,000 staff, ratio of cases each involving a cash value of
RMB1 million, number of transactions unconfirmed beyond a certain
time limit, percentage of failed transactions, staff turnover, number of
client complaints, frequency and severity of errors and omissions, etc.
3. Legal Risk
Legal risk includes, but is not limited to, the following: 1) a contract
signed by a commercial bank violating laws or administrative
regulations and therefore being liable to be rescinded or declared invalid
according to law; 2) the bank being sued or taken to arbitration because
of its breach of contract, infringement or other reasons and held liable
for compensation according to law; 3) the bank's business practices
violating laws or administrative regulations and therefore incurring
administrative or criminal liability.