Page 34 - Banking Finance April 2022
ARTICLE
• Governance
• Operational Risk Management
• Business Continuity Planning and Testing
• Mapping Interconnections and Interdependencies
• Third Party Dependency Management
• Incident Management
• Resilient Information and Communication Technology, including cyber security

PSMOR: BCBS has also proposed to update PSMOR in the area of Operational Risk. The changes proposed in PSMOR are based on the review of financial institutions done in 2014. One of the highlights of that review was the need for a specific principle on Information and Communication Technology risk management. As per the draft guidelines, the Information and Communication Technology (ICT) principle states: Banks should implement robust ICT governance that is consistent with their risk appetite and tolerance statement for operational risk, and ensure that their ICT fully supports and facilitates their operations.

ICT should be subject to proper risk identification, protection, detection, response and recovery programmes that are regularly tested. This requires incorporating appropriate situational awareness and conveying relevant information to users on a timely basis. The proposed updates in these two consultative documents will enhance the clarity of the document, provide guidance on change management and align the principles with the Operational Risk Framework.

Approach to Build Operational Resilience:

An organization's risk depends on the nature, size and scope of its business. There is no off-the-shelf solution or blanket approach to building Operational Resilience. Identifying the firm's business risk perspective is very important before starting to develop the approach for building resilience.

• Identification of critical functions: Critical functions are services provided to external users whose disruption could cause damage to consumers, to safety and soundness, to the integrity of the market or to financial stability. For identification of risk it is very important to go to the root cause of the incidents that have come to light. Thus it is very important that all incidents are reported and escalated according to the velocity of the incident. External events, that is, incidents reported by other organizations, and failed attempts also need to be considered to get the true picture and trend. Incident reporting captures where we went wrong in the past. In addition, the present controls need to be continuously assessed and, if required, monitored through key indicators. The root causes range from change management, third party failure, software issues, hardware issues, human error, process control failure and capacity management to external factors. To define criticality, the impact needs to be assessed and monitored against the tolerance limits set.

• Risk Tolerance: This is setting impact tolerances for each important business service, such as the maximum acceptable outage time of a business service. While setting the impact tolerance, the firm must assume that the incident has happened, and then set the maximum tolerable level and duration of the disruption. Risk tolerance is different from risk appetite. Risk appetite is the level of risk the organization is willing to take; for example, the risk appetite for Return on Equity would be set higher than the cost of equity.
• Mapping of systems and processes needed to support the important business services: While mapping systems and processes, it needs to be ensured that the action plan is not complex, that substitute resources are available and that there is no overreliance on a single resource. The mapping and the plan must be well documented and communicated. The operating staff need to be made aware of the sensitivity and importance of the process.

• Testing using plausible scenarios: Organizations need to build a library of severe scenarios considering the rapidly changing environment and external incidents. This would help in identifying low frequency, high severity