BSP Circular No. 900: Guidelines on Operational Risk Management

20 January 2016

TO: All Rural Banks

Dear Rural Bankers,

The Monetary Board in its Resolution No. 2115 dated 18 December 2015, approved the following guidelines on operational risk management for BSP supervised financial institutions and amendments in the Manual of Regulations for Banks (MORB) and Manual of Regulations for Non-Bank Financial Institutions (MORNBFI).

Section 1. Sections X179/4179Q/ 4198N/ 4179T are hereby added to the MORB/MORNBFI to read as follows:

Policy Statement. It is the thrust of the Bangko Sentral ng Pilipinas (BSP) to promote the adoption of effective risk management systems to sustain the safe and sound operations of its supervised financial institutions (BSFIs). Cognizant that operational risk is inherent in all activities, products and services, and is closely tied in with other types of risks (e.g., credit, liquidity and market risks), the BSP is issuing these guidelines to clearly set out its expectations and define the minimum prudential requirements on operational risk management. These guidelines align existing regulations to the extent possible, with international standards and best practices. BSP expects its BSFIs to adopt an operation risk management framework, as part of the enterprise-wide risk management system, that is suited to their size, complexity of operations, and risk profile.

Section 2. Subsections Xl79.t/4t79Q.t/4L9BN.L/4L79T.1 shall read as follows:

Definition of Operational Risk. Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people and systems; or from external events. This definition includes legal risk, but excludes strategic and reputational risk. Operational risk is inherent in all activities, products and services, and cuts across multiple activities and business lines within the financial institution and across the different entities in a banking group or conglomerate where the financial institution belongs.

Section 3. Subsections X179.2/4179Q.2/4198N.2/4179T.2 shall read as follows:

Duties and Responsibilities
a. Board of Directors. Consistent with the principles embodied under Subsection X141.3 of the MORB, the duties and responsibilities of the Board of Directors in relation to the effective management of risk include the establishment of comprehensive and effective operational risk management framework as part of the enterprise-wide risk management system. In this regard, the board of directors shall:

1. Ensure that it is aware of and understands the nature and complexity of the major operational risks in the BSFI’s business and operating environment, including risks arising from transactions or relationships with third parties, vendors, suppliers including outsourced service providers, and clients of services provided. This should include understanding of both the financial and nonfinancial impact of operational risk to which the BSFI is exposed to;

2. Approve the operational risk management framework which shall form part of the BSFI’s enterprise-wide risk management system and shall cover all business lines and functions of the BSFI, including outsourced services and services provided to external parties. The operational risk management framework should include an enterprise-wide definition of operational risk, which should be consistent with the definition under section 2 of this circular, governance, and reporting structures including the roles and responsibilities of all personnel, feedback mechanism, as well as standards and tools for operational risk management. In this respect, the board shall:

a. Define the operational risk management strategy and ensure that it is aligned with the BSFI’s overall business objectives. Relative to this, the board should set and provide clear guidance on the BSFl’s operational risk appetite (i.e. the level of operational risk the BSFI is willing to take and able to manage in pursuit of its business objectives as well as the type of risks that are not acceptable to the board and management), which should consider all material risk exposures as well as the BSFl’s financial condition and strategic direction;

b. Approve appropriate thresholds or limits to ensure that the level of operational risk is maintained within tolerance and at prudent levels and supported by adequate capital. Relative to this, the board shall approve policy on resolving limit breaches which should cover escalation procedures for approving or investigating breaches, approving authorities, and requirements in reporting to the appropriate level of management or the board;

c. Ensure that operational risk is appropriately considered in the capital adequacy assessment process;

d. Ensure that it receives adequate information on material developments in the operational risk profile of the BSFI, including pertinent information on the current and emerging operational risk exposures and vulnerabilities as well as information on the effectiveness of the operational risk management framework. The board must challenge the quality and comprehensiveness of the reliability of the said information and the monitoring system for operational risk;

e. Ensure that business objectives, risk appetite, the operational risk management framework, and the respective roles and responsibilities of personnel and officers at all levels in terms of implementing the operational risk management framework, are properly disseminated, clearly communicated/discussed, and understood by personnel concerned;

f. Provide senior management with clear guidance and direction regarding the principles underlying the operational risk management framework. The board shall ensure that senior management appropriately implements policies, processes and procedures, and provides feedback on the operational risk management process. In this regard, the board shall establish a feedback and reporting system that will allow employees to raise their concerns without fear of negative consequences; and

g. Ensure that the operational risk management framework is subject to effective and comprehensive independent review, on a periodic basis, by operationally independent, appropriately trained, and competent staff to ensure that it remains commensurate with the BSFl’s risk profile and continues to be adequate and effective in managing operational risk. The review should take into account the changes in business and operating environment, material changes in systems, business activity or volume of transactions, quality of control environment, effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume or nature of breaches in limits or any policy.

3. Provide adequate oversight on all outsourcing activities and ensure effective management of risks arising from these activities. In this regard, the board of directors shall approve a framework governing outsourcing activities, which includes a system to evaluate the risk and materiality of all existing and prospective outsourcing engagements and the policies that apply to such arrangements;

To view full copy of the guidelines, please refer to the attachment.
c900- Guidelines on Operational Risk Management

Thank you.

RBAP Secretariat