The Monetary Board (MB) recently approved the guidelines on operational risk management (ORM) as part of the continuing initiatives of the BSP to strengthen the risk management systems of its supervised financial institutions (BSFIs) and promote their sustained safe and sound operations.
Operational risk is among the top risk exposures of BSFIs. It cuts across all activities, products, and services, and may even come in tandem with the other types of risks, e.g., credit, liquidity, and market. It may result from weak controls, inadequate policies on acceptable behavior and practices, poor working environment, weak sales and marketing practices, system failures, or natural or man-induced disasters, among others. Although operational risk is inherent in all areas of operations, it is more often managed on a fragmented basis, which tends to discount its overall impact on BSFIs’ operations. In this regard, the risk of loss arising from operational risk events may also be underestimated.
The BSP expects BSFIs to be sensitive to sources of operational risk and to adopt a holistic framework that would facilitate identification, assessment, monitoring, and management of said type of risk as part of the enterprise-wide risk management system. The MB-approved ORM guidelines highlight that all personnel have a responsibility in the effective implementation of the ORM framework. It is therefore critical to have personnel who are competent to carry out their respective duties and responsibilities and who possess a high degree of integrity.
In this view, the board of directors should adopt policies in the areas of recruitment and selection, performance management, training and development, remuneration and compensation, and succession planning to promote a culture of high standards of ethical behavior and consistency of performance in the organization. Said policies should require continuing assessment of the fitness and propriety of personnel, with the results of said assessment considered in the development of individual training and development programs.
The ORM guidelines also emphasize the three lines of defense principle in managing operational risk. Business line management and personnel, as the first line of defense, are expected to ensure that policies and processes in their respective areas of responsibility are consistent with the organization’s overall ORM framework. The operational risk management function (ORMF), as part of the second line of defense, is expected to recommend to the board of directors appropriate policies and procedures relating to operational risk management and controls, as well as design and implement the operational risk assessment methodology, tools, and risk reporting systems. The compliance function, on the other hand, is expected, among others, to determine inappropriate conduct/behavior of personnel, officers, and the board that may lead to fraud or any form of business disruption. The internal audit function, as the third line of defense, should conduct an independent assessment of the ORM framework, including the implementation of the operational risk management policies and procedures.
Guidance in managing operational risk related to prudential reporting is likewise covered in the guidelines. In particular, BSFIs are expected to adopt a framework that ensures the integrity of information submitted to the BSP and compliance with the standards prescribed on acceptable reporting quality. The ORM guidelines warn that persistent concerns on the integrity and accuracy of prudential reports, including failure to comply with the directives of the BSP, may be considered as unsafe or unsound practice.
In line with the approval of the ORM guidelines, the Monetary Board also approved the amendments to the outsourcing framework to set out an overarching governance framework and align expectations on outsourcing activities with the ORM principles.