Guidelines on Operational Risk Management of Commercial Banks

Chapter I General Provisions

Article 1 Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People’s Republic of China on Commercial Banks as well as other applicable laws and regulations, the Guidelines are formulated so as to enhance the operational risk management of commercial banks.

Article 2 The Guidelines apply to domestic commercial banks, wholly foreign-funded banks and Chinese-foreign joint venture banks incorporated within the territory of the People’s Republic of China.

Article 3 The operational risk in the Guidelines refers to the risk of loss resulting from inadequate or failed internal processes, people and IT systems, or from external events. It includes legal risk but excludes strategic and reputational risk.

Article 4 The China Banking Regulatory Commission (hereinafter referred to as the “CBRC”) supervises and regulates the operational risk management of commercial banks and evaluates the effectiveness thereof under its authority by law.

Chapter II Operational Risk Management

Article 5 Commercial banks should, in line with the Guidelines, set up an operational risk management system suitable to their own business nature, scale and complexity to effectively identify, assess, monitor and control/mitigate operational risk. This system can be in any form, but should comprise at least the following basic elements:

1) oversight and control by the board of directors;

2) roles and responsibilities of senior management;

3) appropriate organizational structure;

4) operational risk management policies, methods, and procedures; and

5) requirements on making capital provisions for operational risk.

Article 6 The board of directors in a commercial bank should treat operational risk as a major risk and bear the ultimate responsibility for monitoring the effectiveness of operational risk management. The responsibilities of the board shall include:

1) developing strategies and general policies for bank-wide operational risk management that are aligned with the bank’s strategic goals;

2) reviewing and approving the senior management’s functions, authorization and reporting arrangement with regard to operational risk management so as to ensure the effectiveness of the bank’s decision-making system in operational risk management and ensure that the operational risk facing the bank’s operations is kept within its risk tolerance;

3) reviewing regularly the operational risk reports submitted by the senior management; fully understanding the bank’s overall operational risk management and the effectiveness of the senior management in handling material operational risk events; and monitoring and evaluating the effectiveness of daily operational risk management;

4) ensuring that the senior management takes necessary measures to effectively identify, assess, monitor and control/mitigate operational risk;

5) ensuring that the bank’s operational risk management system is effectively audited and overseen by the internal audit department; and

6) having in place an appropriate reward and punishment system so as to effectively promote the development of the operational risk management system in the bank as a whole.

Article 7 The senior management in a commercial bank is responsible for implementing the operational risk management strategies and general policies and running the system approved by the board. It shall:

1) be ultimately responsible to the board regarding daily operational risk management;

2) lay out and regularly review the operational risk management policies, procedures and detailed processes in accordance with the strategies and general policies developed by the board, oversee the implementation thereof, and regularly submit to the board reports on overall operational risk management;

3) sufficiently understand the overall situation of the bank’s operational risk management, particularly the events or programs with material operational risk;

4) clearly define each department’s responsibilities in operational risk management as well as the reporting line, frequency and contents; urge each department to actually fulfill its responsibilities in a bid to ensure the sound performance of the operational risk management system;

5) equip operational risk management with appropriate resources, including but not limited to providing necessary funds, setting up necessary positions with eligible staff, offering training courses to operational risk management personnel, delegating authorization to the said personnel to fulfill their duties, etc.; and

6) promptly check and revise the operational risk management system so as to effectively respond to operational risk events brought about by changes in internal procedures, products, business activities, IT systems, staff, external events or other factors.

Article 8 Commercial banks should designate a certain department to be responsible for the construction and implementation of the operational risk management system. This department should be independent from others in order to ensure the system’s consistency and effectiveness. Its responsibilities shall mainly include:

1) drafting operational risk management policies, procedures and specific processes and submitting them to the senior management and the board for review and approval;

2) assisting other departments to identify, assess, monitor and control/mitigate operational risk;

3) working out methods to identify, assess, mitigate (including internal controls) and monitor operational risks, formulating bank-wide reporting processes of operational risk and organizing the implementation thereof;

4) putting in place basic criteria for operational risk control over the bank, and guiding and coordinating the operational risk management;

5) providing each department with training on operational risk management, and helping them improve operational risk management capacity and fulfill their own duties;

6) regularly checking and analyzing the practices of operational risk management in business departments and other departments;

7) regularly submitting operational risk reports to senior management; and

8) ensuring that the operational risk management system and measures are observed.

Article 9 The relevant departments in a commercial bank should be directly responsible for operational risk management. Major responsibilities include:

1) appointing designated staff to take charge of operational risk management, including observing operational risk management policies, procedures and specific processes;

2) following the assessment methods for operational risk management to identify and assess the operational risks in the departments, having in place an effective on-going procedure to monitor, control/mitigate and report operational risks, and organizing the implementation thereof;

3) fully considering the requirements on operational risk management and internal control when making department-specific business processes and related business policies, with a view to ensuring that operational risk management personnel at all levels participate in the course of reviewing and approving important procedures, controls and policies, thus making these aligned with the bank’s general policy on operational risk management; and

4) monitoring key risk indicators and regularly reporting their own department’s operational risk management situation to the department which takes charge of or takes the leading role in operational risk management of the whole bank.

Article 10 The legal office, compliance office, IT office, security office, and human resource office in a commercial bank should, besides properly managing their own operational risks, provide relevant resources and assistance within their capacity and respective responsibilities to other departments for the purpose of operational risk management.

Article 11 The internal audit department in a commercial bank does not directly take charge of or participate in other departments’ operational risk management, but it should regularly check and evaluate how well the bank’s operational risk management system operates, supervise the implementation of operational risk management policies, independently evaluate the bank’s new operational risk management policies, processes and specific procedures, and report to the board of directors the evaluation results of operational risk management system.

A commercial bank with high business complexity and large scale is encouraged to entrust intermediary agencies to audit and evaluate its operational risk management system on a regular basis.

Article 12 A commercial bank should have in place bank-wide operational risk management policies that are commensurate with its nature, scale, complexity and risk profile. Main contents include:

1) definition of operational risk;

2) appropriate organizational structure, authorization and responsibilities with regard to operational risk management;

3) procedures to identify, assess, monitor and control/mitigate operational risks;

4) reporting procedures of operational risk, including reporting responsibilities, path and frequency, and other specific requirements on other departments; and

5) requirements on promptly assessing operational risks associated with existing and newly-developed important products, business practices, procedures, IT systems, human resource management, external factors and changes thereof.

Article 13 A commercial bank should choose appropriate approaches to manage operational risks, which may include: assessment of operational risk and internal control, loss event reporting and data collection, monitoring of key risk indicators, risk assessment regarding new products and business practices, testing and audit of internal control, and operational risk reporting.

Article 14 A commercial bank with high business complexity and large scale should adopt more sophisticated risk management methods (e.g. quantitative methods) to assess each department’s operational risk, collect operational risk loss data, and make arrangements according to the characteristics of operational risk associated with each line of business.

Article 15 A commercial bank should develop effective processes to regularly monitor and report operational risk status and material losses. For risks with increasing loss potential, an early-warning system for operational risk should be put in place so as to take timely controls to mitigate risk and reduce the occurrence and severity of loss events.

Article 16 Material operational risk events should be reported to the board, senior management and appropriate management personnel according to the bank’s operational risk management policies.

Article 17 A commercial bank should enhance internal control for effective operational risk management. Related internal controls should at least include:

1) clearly defining the roles and responsibilities of each department and making proper separation among relevant functions so as to avoid potential conflicts of interest;

2) closely watching how well specified risk limits or authorizations are observed;

3) monitoring the records of access to and use of the bank’s assets;

4) ensuring the staff are appropriately trained and eligible for their positions;

5) identifying the business activities or products that do not generate reasonable prospective returns or that contain potential risks;

6) regularly reviewing and checking up transactions and accounts;

7) putting in place a system for the heads and the staff in key positions to have job rotation and compulsory leave, and setting up a mechanism of off-job auditing as well;

8) working out a code of conduct to regulate on-job and off-job behavior, particularly for the staff in important positions or at sensitive links;

9) establishing an incentive and protection system to encourage staff to report violations on a real-name basis;

10) setting up a dual-appraisal system to investigate and solve bank fraud cases as well as impose penalties in a timely and proper manner;

11) having in place an information disclosure system for bank case investigations; and

12) establishing an incentive-restrictive mechanism with regard to the management and control of operational risk at the front line.

Article 18 A commercial bank should establish and gradually improve the operational risk management information system (MIS) so as to effectively identify, assess, monitor, control and report operational risks. The system should at least record and store the data about operational risk losses and events, support self-assessment on operational risk and control measures, monitor key risk indicators, and provide relevant information contained in operational risk reports.

Article 19 To ensure business continuity, a commercial bank should develop a scheme for emergency response that matches its business scale and complexity, make a back-up arrangement for service recovery, and regularly check and test the disaster recovery function and business continuity mechanism so as to make sure that these can go into operation properly in the event of a disaster or severe business disruption.

Article 20 A commercial bank should develop risk management policies with regard to outsourcing practices in order to make sure that outsourcing is subject to rigorous contracts and service agreements which clearly specify the obligations of involved parties.

Article 21 A commercial bank may purchase insurance and enter into contracts with a third party, and treat these as a way to mitigate operational risk. But it should by no means neglect the importance of controls.

A commercial bank that mitigates operational risks by means of insurance should formulate written policies and procedures accordingly.

Article 22 A commercial bank should make adequate capital provisions for the operational risk it undertakes as per the requirements of CBRC on capital adequacy of commercial banks.

Chapter III Supervision of Operational Risk

Article 23 Commercial banks should submit to the CBRC their operational risk management policies and processes for filing. They should submit operational risk related reports to the CBRC or its local offices as per regulations. Banks that entrust intermediary agencies to audit their operational risk management system should also submit audit reports to the CBRC or its local offices.

Article 24 Commercial banks should promptly report to the CBRC or its local offices about the following material operational risk events if any:

1) banking crimes in which more than RMB300,000 is robbed from a commercial bank or cash truck or stolen from a banking financial institution; bank fraud or other cases involving an amount of more than RMB10 million;

2) events that result in serious damage or loss of the bank’s important data, books, blank vouchers, or business disruption for over three hours in two or more provinces (autonomous regions/municipalities), or business disruption for over six hours in one province (autonomous region/municipality) that severely affects the bank’s normal operations;

3) confidential information being stolen, sold, leaked or lost that may affect financial stability and lead to economic disorder;

4) senior executives severely violating applicable regulations;

5) accident or natural catastrophe caused by force majeure, resulting in immediate economic loss of more than RMB10 million;

6) other operational risk events that may result in a loss of more than 1‰ of the bank’s net capital; and

7) other material events as specified by the CBRC.

Article 25 The CBRC should regularly check and assess the operational risk management policies, processes and practices of commercial banks. Main items to be checked and assessed include:

1) effectiveness of the bank’s operational risk management processes;

2) the bank’s approaches to monitor and report operational risks, including key operational risk indicators and operational risk loss data;

3) the bank’s measures to timely and effectively handle operational risk events and weak links;

4) the bank’s procedures of internal control, reviewing and auditing within its operational risk management processes;

5) the quality and comprehensiveness of the bank’s disaster recovery and business continuity plans;

6) adequacy level of capital provisions for operational risks; and

7) other aspects of operational risk management.

Article 26 As to the operational risk management problems discovered by the CBRC during supervision, the commercial bank should submit a correction plan and take correction actions within the specified time limit.

When a material operational risk event occurs, if the commercial bank fails to adopt effective correction measures within the specified time limit, the CBRC should take appropriate regulatory actions in line with laws and regulations.

Chapter IV Supplementary Provisions

Article 27 The Guidelines may apply to other banking institutions including policy banks, financial asset management companies, urban credit cooperatives, rural credit cooperatives, rural cooperative banks, trust and investment companies, finance firms, financial leasing companies, automobile financial companies, money brokers, and postal savings institutions.

Article 28 Banking institutions without the board of directors should have their operating decision-making bodies perform the responsibilities of the board with regard to operational risk management specified herein.

Article 29 Branches set up by foreign banks within the territory of the People’s Republic of China should follow the operational risk management policies and processes developed by their head offices, report to the CBRC or its local offices about material operational risk events, and accept the supervision of the CBRC. Where their head offices do not lay out operational risk management policies and processes, such branches should comply with the Guidelines.

Article 30 Relevant terms mentioned herein are defined in the Appendix.

Article 31 The Guidelines shall become effective as of the date of promulgation.

Appendix: Definitions of Relevant Terms

1. Operational risk events

Operational risk events refer to the operational events resulting from inadequate or failed internal processes, people and IT system, or from external factors, which bring about financial losses or affect the bank’s reputation, clients and staff. Specific events include: internal fraud, external fraud, employment practices and workplace safety, clients, products & business practices, damages to physical assets, business disruption and system failures, execution, delivery & process management (see Annex 7 – Detailed Loss Event Type Classification of The International Convergence of Capital Measurement and Capital Standards: A Revised Framework or the New Basel Capital Accord).

2. Self-assessment on risk, key risk indicators

Tools used by commercial banks to identify and assess operational risks.

1) self-assessment on risk

Self-assessment on risk is a tool of operational risk management by which commercial banks identify the potential operational risks in their own business practices and assess the appropriateness and effectiveness of the related control measures.