RMAI BULLETIN JANUARY - MARCH 2022
platforms in all areas and has increased the demand for digital financial products.

In this background it needs to be assessed whether financial firms are prepared and equipped to deal with these changes as they arise. In other words, are they resilient?

Requirement to Build Operational Resilience:

Every incident should be assessed from two angles, that is, strengths as well as weaknesses. COVID 19 has made it necessary to relook at operational resilience standards and identify critical/important business services and the employees that support these important business services, and ensure that they can safely resume their duties. In view of the prevailing circumstances the Basel Committee on Banking Supervision (BCBS) in August 2020 issued a consultative document on Principles for Operational Resilience seeking comments from organizations. The basis of this document is in the Principles of Sound Management of Operational Risk (PSMOR).

These two documents have been designed to work together and they draw upon existing guidance and current practices. The final guidelines are expected to be issued soon and will serve as an integrated framework. BCBS in its document defines Operational Resilience as "the ability to deliver critical operations through disruptions". The document sets out key features in the following broad areas:

Governance
Operational Risk Management
Business Continuity Planning and Testing
Mapping Interconnections and Interdependencies
Third Party Dependency Management
Incident Management
Resilient Information and Communication Technology, including cyber security

PSMOR: BCBS has also proposed to update PSMOR in the areas of Operational Risk. The changes proposed in PSMOR are based on the review done for financial institutions in 2014. One of the highlights of the review was a need for a specific principle on Information and Communication Technology risk management. As per the draft guidelines the Information and Communication Technology (ICT) principle states:

Banks should implement robust ICT governance that is consistent with their risk appetite and tolerance statement for operational risk and ensure that their ICT fully supports and facilitates their operations. ICT should be subject to proper risk identification, protection, detection, response and recovery programs that are regularly tested. This requires incorporating appropriate situational awareness and conveying relevant information to users on a timely basis.

The proposed updates in these two consultative documents will enhance the clarity of the document, guidance on change management and align the principles with the Operational Risk Framework.

Approach to Build Operational Resilience:

An organization's risk depends on the nature, size and scope of its business. There is no off-the-shelf solution or blanket approach to building Operational Resilience. Identifying the firm's business risk perspective is very important before starting to develop the approach for building resilience.

Identification of critical functions: Critical functions are services provided to external users whose disruption could cause damage to consumers, safety and soundness, integrity of the market or financial stability. For identification of risk it is very important to go to the root cause of the incidents that have come to light. Thus, it is very important that all incidents are reported and escalated as per the velocity of the incident. External events, that is, incidents reported by other organizations, and failed attempts also need to be considered to get the true picture and trend. Incident reporting takes care of where we went wrong in the past. In addition to this, the present controls need to be continuously assessed and, if required, monitored through key indicators. The nature of the root cause ranges from change management, third party failure, software issue, hardware issue, human error, process control failure and capacity management to external factors. To define the criticality the impact needs to be