Checklist for Operational Risk Management





I. Development and Establishment of Comprehensive Operational Risk Management System by Management
[Checkpoints]
- Operational risk is the risk of loss resulting from inadequate operation processes, inadequate activities by officers and employees and inadequate systems or from external events (the type of risk included in the calculation of the capital adequacy ratio) and the risk defined by the financial institution as operational risk (the type of risk not included in the calculation of the capital adequacy ratio).
- Comprehensive Operational Risk Management refers to identification, assessment, monitoring, control and mitigation regarding operational risk in a comprehensive manner as a financial institution as a whole.
- The development and establishment of a system for comprehensive operational risk management is extremely important from the viewpoint of ensuring the soundness and appropriateness of a financial institution’s business. Therefore, the institution’s management is charged with and responsible for taking the initiative in developing and establishing such a system.
- When reviewing a financial institution’s comprehensive operational risk management system, the inspector should examine whether the system is an appropriate one commensurate with the scale and nature of the institution’s business and its risk profile as well as the levels of complexity and sophistication of the operational risk quantification (measurement) technique used by the institution (including The Basic Indicator Approach and The Standardized Approach). It should be noted that the type and level of the operational risk quantification technique to be used by a financial institution should be determined according to the institution’s strategic objectives, the diversity of its business and the level of complexity of the operational risks faced by it and therefore a complex or sophisticated operational risk quantification technique is not necessarily suited to all financial institutions.
- The inspector should determine whether the comprehensive operational risk management system is functioning effectively and whether the roles and responsibilities of the institution’s management are being appropriately performed by way of reviewing, with the use of check items listed in Chapter I., whether management is appropriately implementing (1) policy development, (2) development of internal rules and organizational frameworks and (3) development of a system for assessment and improvement activities.
- If any problem is recognized as a result of reviews conducted with the use of the check items listed in Chapter II. and later, it is necessary to exhaustively examine which of the elements listed in Chapter I. are absent or insufficient, thus causing the said problem, and review findings thereof through dialogue between the inspector and the financial institution.
- If the institution’s management fails to recognize weaknesses or problems recognized by the inspector, it is also necessary to explore in particular the possibility that the Internal Control System is not functioning effectively and review findings thereof through dialogue.
- The inspector should review the status of improvements with regard to those issues pointed out on the occasion of the last inspection that are not minor and determine whether or not effective improvement measures have been developed and implemented.
1. Policy Development
(1) Roles and Responsibilities of Directors
Do directors attach importance to comprehensive operational risk management, fully recognizing that the lack of such an approach could seriously hinder attainment of strategic objectives? In particular, does the director in charge of such risk management examine the policy and specific measures for developing and establishing an adequate comprehensive operational risk management system with a full understanding of the scope, types, and nature of operational risks and the techniques of identification, assessment, monitoring and control regarding operational risks as well as the importance of comprehensive operational risk management, and with precise recognition of the current status of the comprehensive operational risk management system within the financial institution based on such understanding?
(2) Development and Dissemination of Operational Risk Management Policy
Has the Board of Directors established a policy regarding operational risk management (hereinafter referred to as the “Operational Risk Management Policy”) and disseminated it throughout the institution? Is the appropriateness of the Operational Risk Management Policy being secured by way of, for example, clear statements on the following matters?
- The roles and responsibilities of the director in charge and the Board of Directors or equivalent organization to the Board of Directors with regard to comprehensive operational risk management
- The definition of operational risk at the financial institution
- The policy on organizational framework, such as establishment of a division concerning comprehensive operational risk management (hereinafter referred to as the “Comprehensive Operational Risk Management Division”) and the authority assigned thereto
- The policy regarding identification, assessment, monitoring, control and mitigation of operational risks
(3) Revision of the Policy Development Process
Does the Board of Directors revise the policy development process in a timely manner by reviewing its effectiveness based on reports and findings on the status of comprehensive operational risk management in a regular and timely manner or on an as needed basis?
2. Development of Internal Rules and Organizational Frameworks
(1) Development and Dissemination of Internal Rules
Does the Board of Directors or equivalent organization to the Board of Directors have the Manager of the Comprehensive Operational Risk Management Division (hereinafter simply referred to as the “Manager” in this checklist) develop internal rules that clearly specify the arrangements concerning comprehensive operational risk management (hereinafter referred to as the “Operational Risk Management Rules”) and disseminate them throughout the institution in accordance with the Operational Risk Management Policy? Has the Board of Directors or equivalent organization to the Board of Directors approved the Operational Risk Management Rules after determining if they comply with the Operational Risk Management Policy after legal checks, etc.?
(2) Establishment of the System of Comprehensive Operational Risk Management Division
(i) Does the Board of Directors or equivalent organization to the Board of Directors have a Comprehensive Operational Risk Management Division established and have the division prepared to undertake appropriate roles in accordance with the Operational Risk Management Policy and the Operational Risk Management Rules?[1]
[1] When the Comprehensive Operational Risk Management Division is not established as an independent division (e.g., when the division is consolidated with another risk management division to form a single division or when a division in charge of other business also takes charge of comprehensive operational risk management or when a Manager or Managers take charge of comprehensive operational risk management instead of a division or a department), the inspector shall review whether or not such a system is sufficiently reasonable and provides the same functions as in the case of establishing an independent division in light of the scale and nature of the institution and its risk profile.

(ii) Has the Board of Directors allocated to the Comprehensive Operational Risk Management Division a Manager with the necessary knowledge and experience to supervise the division and enable the Manager to implement management operations by assigning him/her the necessary authority therefor?
(iii) Has the Board of Directors or equivalent organization to the Board of Directors allocated to the Comprehensive Operational Risk Management Division an adequate number of staff members with the necessary knowledge and experience to execute the relevant operations and assigned such staff the authority necessary for implementing the business?[2]
(iv) Does the Board of Directors or equivalent organization to the Board of Directors secure a check-and-balance system of the Comprehensive Operational Risk Management Division against operational divisions?
(3) Development of Comprehensive Operational Risk Management System in Operational Divisions, Sales Branches, etc.
(i) Does the Board of Directors or equivalent organization to the Board of Directors provide a system to fully disseminate the relevant internal rules and operational procedures to operational divisions, sales branches, etc. and have them observe the rules and operational procedures? For example, does the Board of Directors or equivalent organization to the Board of Directors instruct the Manager to identify the internal rules and operational procedures to be observed by operational divisions and sales branches and to carry out specific measures for ensuring observance such as providing effective training on a regular basis?
(ii) Does the Board of Directors or equivalent organization to the Board of Directors provide a system to ensure the effectiveness of comprehensive operational risk management in operational divisions, sales branches, etc. through the Manager or the Comprehensive Operational Risk Management Division? For example, is a person in charge of comprehensive operational risk management assigned to each operational division and sales branch for coordination with the Manager?
(4) System for Reporting to Board of Directors or equivalent organization to Board of Directors and Approval
Has the Board of Directors or equivalent organization to the Board of Directors appropriately specified matters that require reporting and those that require approval and does it have the Manager report the current status to the Board of Directors or equivalent organization to the Board of Directors in a regular and timely manner or on an as needed basis or have the Manager seek the approval of the Board of Directors or equivalent organization to the Board of Directors on the relevant matters? In particular, does it ensure that the Manager reports to the Board of Directors or equivalent organization to the Board of Directors without delay any matters that would seriously affect corporate management or significantly undermine customer interests?
[2] When a department or a post other than the Board of Directors or equivalent organization to the Board of Directors is empowered to allocate staff and assign them authority, the inspector shall review, in light of the nature of such a department or post, whether or not the structure of the Comprehensive Operational Risk Management Division is reasonable in terms of a check-and-balance system and other aspects.
(5) System for Reporting to Corporate Auditor
In the case where the Board of Directors has specified matters to be directly reported to a corporate auditor, has it specified such matters appropriately and does it provide a system to have the Manager directly report such matters to the auditor?[3]
(6) Development of Internal Audit Guidelines and Internal Audit Plan
Does the Board of Directors or equivalent organization to the Board of Directors have the Internal Audit Division appropriately identify the matters to be audited with regard to comprehensive operational risk management, develop guidelines that specify the matters subject to internal audit and the audit procedure (hereinafter referred to as “Internal Audit Guidelines”) and an internal audit plan, and approve such guidelines and plan?[4] For example, does it have the following matters clearly specified in the Internal Audit Guidelines or the internal audit plan and provide a system to have these matters appropriately audited?
- Status of development of the comprehensive operational risk management system
- Status of observance of the Operational Risk Management Policy, the Operational Risk Management Rules, etc.
- Appropriateness of the comprehensive operational risk management processes commensurate with the scale and nature of the business, and its risk profile
- Status of improvement of matters pointed out in an internal audit or on the occasion of the last inspection
(7) Revision of the Development Process of Internal Rules and Organizational Frameworks
Does the Board of Directors or equivalent organization to the Board of Directors revise the development process of internal rules and organizational frameworks in a timely manner by reviewing its effectiveness based on reports and findings on the status of comprehensive operational risk management in a regular and timely manner or on an as needed basis?
[3] It should be noted that this shall not preclude a corporate auditor from voluntarily seeking a report and shall not restrict the authority and activities of the auditor in any way.
[4] The Board of Directors or equivalent organization to the Board of Directors only needs to have approved the basic matters with regard to an internal audit plan.

3. Assessment and Improvement Activities
1) Analysis and Assessment
(1) Analysis and Assessment of Comprehensive Operational Risk Management
Does the Board of Directors or equivalent organization to the Board of Directors appropriately determine whether there are any weaknesses or problems in the comprehensive operational risk management system and the particulars thereof, and appropriately review their causes by precisely analyzing the status of comprehensive operational risk management and assessing the effectiveness of comprehensive operational risk management, based on all information available regarding the status of comprehensive operational risk management, such as the results of audits by corporate auditors, internal audits and external audits, findings of various investigations and reports from various divisions? In addition, if necessary, does it take all possible measures to find the causes by, for example, establishing fact findings committees etc. consisting of non-interested persons?
(2) Revision of Analysis and Assessment Processes
Does the Board of Directors or equivalent organization to the Board of Directors revise the analysis and assessment processes in a timely manner by reviewing their effectiveness based on reports and findings on the status of comprehensive operational risk management in a regular and timely manner or on an as needed basis?
2) Improvement Activities
(1) Implementation of Improvements
Does the Board of Directors or equivalent organization to the Board of Directors provide a system to implement improvements in the areas of the problems and weaknesses in the comprehensive operational risk management system identified through the analysis, assessment and examination referred to in 3. 1) above in a timely and appropriate manner based on the results obtained by developing and implementing an improvement plan as required or by other appropriate methods?
(2) Progress Status of Improvement Activities
Does the Board of Directors or equivalent organization to the Board of Directors provide a system to follow up on the efforts for improvement in a timely and appropriate manner by reviewing the progress status in a regular and timely manner or on an as needed basis?

(3) Revision of the Improvement Process
Does the Board of Directors or equivalent organization to the Board of Directors revise the improvement process in a timely manner by reviewing its effectiveness based on reports and findings on the status of comprehensive operational risk management in a regular and timely manner or on an as needed basis?

II. Development and Establishment of Comprehensive Operational Risk Management System by Manager
[Checkpoints]
- This chapter lists the check items to be used when the inspector reviews the roles and responsibilities to be performed by the Manager and the Comprehensive Operational Risk Management Division.
- If any problem is recognized as a result of reviews conducted with the use of the check items listed in Chapter II., it is necessary to exhaustively examine which of the elements listed in Chapter I. are absent or insufficient, thus causing the said problem, and review findings thereof through dialogue between the inspector and the financial institution.
- If the institution’s management fails to recognize problems recognized by the inspector, it is also necessary to strictly explore in particular the possibility that the systems and processes listed in Chapter I. are not functioning appropriately and review findings thereof through dialogue.
- The inspector should review the status of improvements with regard to those issues pointed out on the occasion of the last inspection that are not minor and determine whether or not effective improvement measures have been developed and implemented.
1. Roles and Responsibilities of Manager
(1) Development and Dissemination of Operational Risk Management Rules
Has the Manager, in accordance with the Operational Risk Management Policy, identified the risks, decided the methods of assessment and monitoring thereof and developed the Operational Risk Management Rules that clearly define the arrangements on risk control and mitigation, based on a full understanding of the scope, types and nature of risks and the comprehensive operational risk management technique? Have the Operational Risk Management Rules been disseminated throughout the institution upon approval by the Board of Directors or equivalent organization to the Board of Directors?
(2) Operational Risk Management Rules
Do the Operational Risk Management Rules exhaustively cover the arrangements necessary for comprehensive operational risk management and specify the arrangements appropriately in a manner befitting the scale and nature of the financial institution’s business, and its risk profile? Do the rules specify the following items, for example?
- Arrangements on the roles, responsibilities and the organizational framework of the Comprehensive Operational Risk Management Division
- Arrangements on the framework for comprehensive management by the Comprehensive Operational Risk Management Division of the Administrative Risk Management Division and the Information Technology Risk Management Division (hereinafter referred to as the “Operational Risk Management Divisions”)
- Arrangements on the identification of risks to be subjected to comprehensive operational risk management
- Arrangements on the qualitative risk management technique for operational risks
- Arrangements on the scope of the quantification of operational risk and the technique thereof
- Arrangements on reporting of loss incidents to the Comprehensive Operational Risk Management Division
- Arrangements on the method of risk monitoring
- Arrangements on reporting to the Board of Directors or equivalent organization to the Board of Directors
- Arrangements on the procedures for allocating gross profit to the operation categories listed in Attachment 1 of “Criteria for Judging Whether A Financial Institution’s Capital Is Sufficient in Light of the Assets Held, etc. under the Provision of Article 14-2 of the Banking Law” (Notification No. 19 of 2006, the Financial Services Agency) (hereinafter referred to as the “Notification”) and on the criteria for revising the procedures. This shall apply to financial institutions that use The Standardized Approach.
(3) Development of Organizational Frameworks by Manager
(i) Does the Manager, in accordance with the Operational Risk Management Policy and the Operational Risk Management Rules, provide for measures to have the Comprehensive Operational Risk Management Division exercise a check-and-balance system in order to conduct comprehensive operational risk management appropriately?
(ii) Does the Manager make sure to report without delay to the Comprehensive Risk Management Division when detecting any limitations or weaknesses of the comprehensive operational risk management system that may affect comprehensive risk management?
(iii) Does the Manager provide a system to identify risks inherent in New Products as specified in the Comprehensive Risk Management Policy, etc. in advance and report them to the Comprehensive Risk Management Division when requested to do so by the division?[5]
[5] See “Checklist for Business Management (Governance) (for Basic Elements),” I. 3. (4).

(iv) Does the Manager have in place an operational risk management computer system[6] with the high reliability suited to the scale and nature of the financial institution’s business, and its risk profile?
(v) Does the Manager ensure the system of training and education to enhance the ability of employees to conduct comprehensive operational risk management in an effective manner, thus developing human resources with relevant expertise?
(vi) Does the Manager provide a system to ensure that matters specified by the Board of Directors or equivalent organization to the Board of Directors are reported in a regular and timely manner or on an as needed basis? In particular, does the Manager provide a system to ensure that matters that would seriously affect corporate management are reported to the Board of Directors or equivalent organization to the Board of Directors without delay?
(4) Revision of Operational Risk Management Rules and Organizational Frameworks
Does the Manager conduct monitoring on an ongoing basis with regard to the status of execution of operations at the Comprehensive Operational Risk Management Division? Does the Manager review the effectiveness of the comprehensive operational risk management system in a regular and timely manner or on an as needed basis, and, as necessary, revise the Operational Risk Management Rules and the relevant organizational frameworks or present the Board of Directors or equivalent organization to the Board of Directors with proposals for improvement?
2. Roles and Responsibilities of Comprehensive Operational Risk Management Division
1) Risk Identification and Assessment
(1) Identification of Operational Risk
(i) Does the Comprehensive Operational Risk Management Division obtain data collected by operational divisions and sales branches, etc. as necessary to identify operational risk?
(ii) Does the Comprehensive Operational Risk Management Division, in accordance with the Operational Risk Management Policy and the Operational Risk Management Rules, broadly specify internal and external factors that may produce adverse effects on the financial institution’s business based on an understanding of the possibility that operational risk may emerge in any division or department?
(iii) Does the Comprehensive Operational Risk Management Division identify operational risk when the financial institution starts the handling of New Products, introduces a new computer
[6] It should be noted that the computer system may be a centralized data processing environment system, distribution processing system, or EUC (end user computing) type.
