Operational Risk

财金英语教程参考答案Chapter 1: Introduction to Finance1. What is finance?- Finance is the management of money and includesactivities such as investing, borrowing, lending, budgeting, saving, and forecasting.2. What are the three main functions of finance?- The three main functions of finance are planning, acquiring, and managing financial resources.3. What is the time value of money?- The time value of money is the concept that a sum of money is worth more now than the same sum in the future dueto its potential earning capacity.4. How does inflation affect the value of money?- Inflation erodes the purchasing power of money over time, meaning that the same amount of money will buy fewer goodsand services in the future.5. What is the difference between a bond and a stock?- A bond is a debt instrument where an investor lends money to an entity in exchange for interest payments, while a stock represents ownership in a company and offers thepotential for capital gains and dividends.Chapter 2: Financial Statements1. What are the four main financial statements?- The four main financial statements are the balance sheet, income statement, cash flow statement, and statement of changes in equity.2. What is the purpose of a balance sheet?- The balance sheet provides a snapshot of a company's financial position at a specific point in time, showing its assets, liabilities, and equity.3. How is net income calculated?- Net income is calculated by subtracting all expensesfrom the total revenue of a company during a specific period.4. What does the cash flow statement show?- The cash flow statement shows the inflow and outflow of cash within a business over a period of time, categorizedinto operating, investing, and financing activities.5. What is the statement of changes in equity?- The statement of changes in equity shows the changes in the equity accounts of a company over a period of time, including retained earnings, capital contributions, and other comprehensive income.Chapter 3: Financial Analysis1. What are the main types of financial analysis?- The main types of financial analysis are ratio analysis,horizontal analysis, vertical analysis, and trend analysis.2. What is the purpose of ratio analysis?- Ratio analysis is used to evaluate a company's financial health by comparing various financial ratios such asliquidity, profitability, and leverage ratios.3. What is horizontal analysis?- Horizontal analysis involves comparing financial statement items over multiple periods to identify trends and changes in performance.4. What is vertical analysis?- Vertical analysis, also known as common-size analysis,is a method of financial statement analysis where each itemis expressed as a percentage of a base figure, typicallytotal assets or total revenue.5. What is trend analysis?- Trend analysis involves examining the historical data of financial metrics over time to predict future trends and performance.Chapter 4: Risk Management1. What is risk management?- Risk management is the process of identifying, assessing, and prioritizing potential risks to an investment or project, and taking steps to mitigate or avoid these risks.2. What are the types of risks in finance?- The types of risks in finance include market risk,credit risk, liquidity risk, operational risk, and legal risk.3. What is diversification?- Diversification is a risk management strategy that involves spreading investments across various financial instruments, industries, or geographic regions to reduce overall risk.4. What is hedging?- Hedging is a risk management technique used to reducethe risk of price fluctuations in an asset by taking an offsetting position in a related security.5. What is the role of insurance in risk management?- Insurance is a risk management tool that providesfinancial protection against potential losses or damages by transferring the risk to an insurance company in exchange for a premium.Chapter 5: Investment Strategies1. What are the different types of investment strategies?- Types of investment strategies include passive investing, active investing, value investing, growth investing, and income investing.2. What is the difference between passive and active investing?- Passive investing involves a "set it and forget it" approach, typically using index funds, while active investingrequires regular buying and selling of individual securities based on market research and analysis.3. What is value investing?- Value investing is an investment strategy that involves buying stocks that are considered undervalued by the market, with the expectation that their true value will eventually be recognized.4. What is growth investing?- Growth investing focuses on companies that are expected to grow at an above-average rate compared to the market, often investing in companies with strong competitive advantages and high growth potential.5. What is income investing?- Income investing is an investment strategy aimed at generating a steady stream of income from investments, typically through dividends or interest payments.Chapter 6: International Finance1. What is international。

Guidelines on Operational Risk Management of CommercialBanksChapter I General ProvisionsArticle 1 Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People’s Republic of China on Commercial Banks as well as other applicable laws and regulations, the Guidelines are formulated so as to enhance the operational risk management of commercial banks.Article 2 The Guidelines apply to domestic commercial banks, wholly foreign-funded banks and Chinese-foreign joint venture banks incorporated within the territory of the People’s Republic of China.Article 3 The operational risk in the Guidelines refers to the risk of loss resulting from inadequate or failed internal processes, people and IT system, or from external events. It includes legal risk but excludes strategic and reputational risk.Article 4 The China Banking Regulatory Commission (hereinafter referred to as the “CBRC”) supervises and regulates the operationalrisk management of commercial banks and evaluates the effectiveness thereof under its authority by law.Chapter II Operational Risk ManagementArticle 5 Commercial banks should, in line with the Guidelines, set up an operational risk management system suitable to their own business nature, scale and complexity to effectively identify, assess, monitor and control/mitigate operational risk. This system can be in any form, but should comprise at least the following basic elements:1)oversight and control by the board of directors;2)roles and responsibilities of senior management;3)appropriate organizational structure;4)operational risk management policies, methods, and procedures;and5)requirements on making capital provisions for operational risk.Article 6 The board of directors in a commercial bank should treat operational risk as a major risk and charge the ultimate responsibility for monitoring the effectiveness of operational risk management. The responsibilities of the board shall include:1) developing strategies and general policies for bank-wideoperational risk management that are aligned with the bank’sstrategic goals;2) reviewing and approving the senior management’s functions,authorization and reporting arrangement with regard to operational risk management so as to ensure the effectiveness of the bank’s decision-making system in operational risk management and ensure that the operational risk facing thebank’s operations is controlled within its endurance capacity; 3) reviewing regularly the operational risk reports submitted by thesenior management; fully understanding the bank’s overall operational risk management and the effectiveness of the senior management in handling material operational risk events; and monitoring and evaluating the effectiveness of daily operationalrisk management;4) ensuring that the senior management takes necessary measuresto effectively identify, assess, monitor and control/mitigateoperational risk;5) ensuring that the bank’s operational risk m anagement system iseffectively audited and overseen by internal audit department;and6) having in place an appropriate reward-punishment system so asto effectively promote the development of operational risk management system in the bank as a whole.Article 7 The senior management in a commercial bank isresponsible for implementing the operational risk management strategies, general policies and running the system approved by theboard. It shall:1) be ultimately responsible to the board regarding daily operationalrisk management;2) lay out and regularly review the operational risk managementpolicies, procedures and detailed processes in accordance with the strategies and general policies developed by the board, and oversee the implementation thereof, and submitting to the board reports on overall operational risk management in a regularmanner;3) sufficiently understand the overall situation of the bank’soperational risk management, particularly the events or programswith material operational risk;4) Clearly define each department’s responsibilities in operationalrisk management as well as the reporting line, frequency andcontents; urge each department to really charge its responsibilities in a bid to ensure the sound performance of theoperational risk management system;5) equip operational risk management with appropriate resources,including but not limited to providing necessary funds, setting up necessary positions with eligible staff, offering training courses to operational risk management personnel, delegating authorizaion to the said personnel to fulfill their duties, etc.; and6) make promptly checks and revision on the operational riskmanagement system so as to effectively respond to operational risk events brought about by the changes of internal procedures, products, business activities, IT system, staff, external events orother factors.Article 8 Commercial banks should designate a certain department to be responsible for the construction and implementation of operational risk management system. This department should be independent from others in order to ensure the system’s consistency and effectiveness. Its responsibilities shall mainly include:1) drafting operational risk management policies, procedures andspecific processes and submitting them to the senior management and the board for review and approval;2) assisting other departments to identify, assess, monitor andcontrol/mitigate operational risk;3) working out methods to identify, assess, mitigate (includinginternal controls) and monitor operational risks, formulating bank-wide reporting processes of operational risk and organizingthe implementation thereof;4) putting in place basic criteria for operational risk control over thebank, and guiding and coordinating the operational riskmanagement;5) providing each department with trainings on operational riskmanagement, and helping them improve operational risk management capacity and fulfill their own duties;6) regularly checking and analyzing the practices of operational riskmanagement in business departments and other departments;7) regularly submitting operational risk reports to seniormanagement; and8) ensuring that the operational risk management system andmeasures are observed.Article 9 The relevant departments in a commercial bank should be directly responsible for operational risk management. Majorresponsibilities include:1) appointing designated staff to take charge of operational riskmanagement, including observing operational risk management policies, procedures and specific processes;2) following the assessment methods for operational riskmanagement to identify and assess the operational risks in the departments, and to have in place an effective on-going procedure to monitor, control/mitigate and report operational risks, thenorganize the implementation thereof;3) fully considering the requirements on operational riskmanagement and internal control when making department specific business processes and related business policies, with a view to ensuring operational risk management personnel at alllevels participate in the course of reviewing and approvingimportant procedures, controls and policies, thus making these aligned with the bank’s general policy on operational riskmanagement; and4) monitoring key risk indicators and regularly reporting their owndepartment’s operational risk management situation to thedepartment which takes charge of or take the leading role in operational risk management of the whole bank.Article 10 The legal office, compliance office, IT office, security office, and human resource office in a commercial bank should, besides properly managing their own operational risks, provide relevant resources and assistance within their strength and respective responsibilities to other departments for the purpose of operationalrisk management.Article 11 The internal audit department in a commercial bank does not directly take charge of or participate in other departments’ operational risk management, but it should regularly check and evaluate how well the bank’s operational risk management system operates, supervise the implementation of operational riskmanagement policies, independently evaluate the bank’s newoperational risk management policies, processes and specific procedures, and report to the board of directors the evaluation results of operational risk management system.A commercial bank with high business complexity and large scale is encouraged to entrust intermediary agencies to audit and evaluate its operational risk management system on a regular basis.Article 12 A commercial bank should have in place bank-wide operational risk management policies that are commensurate with its nature, scale, complexity and risk profile. Main contents include:1) definition of operational risk;2) appropriate organizational structure, authorization andresponsibilities with regard to operational risk management;3) procedures to identify, assess, monitor and control/mitigateoperational risks;4) reporting procedures of operational risk, including reportingresponsibilities, path and frequency, and other specificrequirements on other departments; and5) requirements on promptly assessing operational risks associatedwith existing and newly-developed important products, business practices, procedures, IT system, human resource management,external factors and changes thereof.Article 13 A commercial bank should choose appropriate approaches to manage operational risks, which may include: assessment of operational risk and internal control, loss event reporting and data collection, monitoring of key risk indicators, risk assessment regarding new products and business practices, testing and audit of internal control, and operational risk reporting.Article 14 A commercial bank with high business complexity and large scale should adopt more sophisticated risk management methods (e.g. quantitative methods) to assess each department’s operational risk, collect operational risk loss data, and make arrangements according to the characteristics of operational riskassociated with each line of business.Article 15 A commercial bank should develop effective processes to regularly monitor and report operational risk status and material losses. As to risks with increasing loss potential, early-warning system of operational risk should be put in place so as to take timely controls to mitigate risk and reduce the occurrence and severity ofloss events.Article 16 Material operational risk events should be reported to the board, senior management and appropriate management personnel according to the bank’s operational risk management policies.Article 17 A commercial bank should enhance internal control for effective operational risk management. Related internal controlsshould at least include:1) clearly defining the roles and responsibilities of each departmentand making proper separation among relevant functions so as toavoid potential conflicts of interests;2) closely watching how well specified risk limit or authorization isobserved;3) monitoring the records of access to and use of the bank’s assets;4) ensuring the staff are appropriately trained and eligible for theirpositions;5) identifying the business activities or products that do not generatereasonable prospective returns or that contain potential risks;6) regularly reviewing and checking up transactions and accounts;7) putting in place a system for the heads and the staff in keypositions to have job rotation and compulsory leaves and setting up a mechanism of off-job auditing as well;8) working out a code of conduct to regulate on-job and off-jobbehavior particularly for the staff in important positions or atsensitive links;9) establishing an incentive and protection system to encouragestaff to report violations on a real-name basis;10) setting up a dual-appraisal system to investigate and solve bankfraudulent cases as well as make punishments in a timely andproper manner;11) having in place an information disclosure system for the bankcase investigation; and12) e stablishing an incentive-restrictive mechanism with regard to themanagement and control of operational risk at front line.Article 18 A commercial bank should establish and gradually improve the operational risk management information system (MIS) so as to effectively identify, assess, monitor, control and report operational risks. The system should at least record and store the date about operational risk losses and events, support self-assessment on operational risk and control measures, monitor key risk indicators, and provide relevant information contained in operational riskreports.Article 19 To ensure business continuation, a commercial bank should develop a scheme for emergency response that matches their business scale and complexity, make a back-up arrangement for service recovery, and regularly check and test the catastrophe recovery function and business continuation mechanism so as to make sure that these actions can go in operation properly in the event of catastrophe and severe business disruption.Article 20 A commercial bank should develop risk management policies with regard to outsourcing practices in order to make sure that outsourcing is subject to rigorous contracts and service agreements which clearly specify the obligations of involved parties.Article 21 A commercial bank may purchase insurance and enter into contract with a third party, and consider it a way to mitigate operational risk. But they should by no means neglect the importanceof controls.A commercial bank that mitigates operational risks by means ofinsurance should formulate written policies and proceduresaccordingly.Article 22 A commercial bank should make adequate capitalprovisions for the operational risk it undertakes as per the requirements of CBRC on capital adequacy of commercial banks.Chapter III Supervision of Operational RiskArticle 23 Commercial banks should submit to the CBRC their operational risk management policies and processes for filing. They should submit operational risk related reports to the CBRC or its local offices as per regulations. Banks that entrust intermediary agencies to audit their operational risk management system should also submit audit reports to the CBRC or its local offices.Article 24 Commercial banks should promptly report to the CBRC or its local offices about the following material operational risk events ifany:1) banking crimes in which more than RMB300,000 is robbed from acommercial bank or cash truck or stolen from a banking financial institution; bank fraud or other cases involving an amount of morethan RMB10 million;2) events that result in serious damage or loss of the bank’simportant data, books, blank vouchers, or business disruption for over three hours in two or more provinces (autonomous regions/municipalities), or business disruption for over six hours in one province (autonomous region/municipality) and severelyaffect the bank’s normal operations;3) confidential information being stolen, sold, leaked or lost that mayaffect financial stability and lead to economic disorder;4) senior executives severely violating applicable regulations;5) accident or natural catastrophe caused by force majeure, resultingin immediate economic loss of more than RMB10 million;6) other operational risk events that may result in a loss of more than1‰ of the bank’s net capital; and7) other material events as specified by the CBRC.Article 25 The CBRC should regularly check and assess the operational risk management policies, processes and practices of commercial banks. Main items to be checked and assessed include:1) effectiveness of the bank’s operational risk managementprocesses;2) the bank’s approaches to monitor and report operational risks,including key operational risk indicators and operational risk lossdata;3) the bank’s measures to timely and effectively handle operationalrisk events and weak links;4) the bank’s procedures of internal control, reviewing and auditingwithin its operational risk management processes;5) the quality and comprehensiveness of the bank’s catastropherecovery and business continuation plans;6) adequacy level of capital provisions for operational risks; and7) other aspects of operational risk management.Article 26 As to the operational risk management problems discovered by the CBRC during supervision, the commercial bank should submit correction plan and take correction actions within thespecified time limit.When a material operational risk event occurs, if the commercial bank fails to adopt effective correction measures within the specified time limit, the CBRC should take appropriate regulatory actions in line withlaws and regulations.Chapter IV Supplementary ProvisionsArticle 27 This Guidelines may apply to other banking institutions including policy banks, financial asset management companies, urban credit cooperatives, rural credit cooperatives, rural cooperative banks, trust and investment companies, finance firms, financial leasing companies, automobile financial companies, money brokers, and postsavings institutions.Article 28 Banking institutions without the board of directors should have their operating decision-making bodies perform theresponsibilities of the board with regard to operational riskmanagement specified herein.Article 29 Branches set up by foreign banks within the territory of People’s Republic of China should follow the operational risk management policies and processes developed by their head offices, report to the CBRC or its local offices about material operational risk events, and accept the supervision of the CBRC. Where their head offices do not lay out operational risk management policies andprocesses, such branches should comply with the Guidelines.Article 30 Relevant terms mentioned herein are defined in theAppendix.Article 31 The Guidelines shall become effective as of the date ofpromulgation.Appendix: Definitions of Relevant Terms1.Operational risk eventsOperational risk events refer to the operational events resulting from inadequate or failed internal processes, people and IT system, or from external factors, which bring about financial losses or affect the bank’s reputation, clients and staff. Specific events include: internal fraud, external fraud, employment practices and workplace safety, clients, products & business practices, damages to physical assets, business disruption and system failures, execution, delivery & process management (see Annex 7 – Detailed Loss Event Type Classification of The International Convergence of Capital Measurement and Capital Standards: A Revised Framework or the New Basel Capital Accord).2.self-assessment on risk, key risk indicatorsTools used by commercial banks to identify and assess operationalrisks.1) self-assessment on riskSelf-assessment on risk is a tool for operational risk management by commercial banks to identify and assess the control measures and appropriateness and effectiveness thereof with regard to potential operational risk and their own business practices.2) Key Risk IndicatorKey risk indicators refer to the statistical indicators that represent the changes in a certain area of risk and can be monitored on a regular basis. These indicators can be used to monitor various risks and control measures that may result in loss events and to function as early-warning indicators for risk changes (so that senior management can take timely actions accordingly). Examples of specific indicators: loss ratio per RMB100 million asset, number of banking crimes per 10,000 people, ratio of the cases with each involving a cash value of RMB1 million, number of transactions unconfirmed beyond a certaintime limit, percentage of failed transactions, staff turnover, number of client complaints, frequency and severity of errors and omissions, etc.3.Legal RiskLegal risk includes, but is not limited to, the following: 1) the contract signed by a commercial bank violating laws or administrative regulations and therefore being probably cancelled or confirmed invalid according to law; 2) the bank being sued or in arbitration because of its breach of contract, infringement or other reasons and held liable for compensation according to law; 3) the bank’s business practices violating laws or administrative regulations and therefore being held liable administratively or criminally.。

互联网金融下的借贷风险解析互联网金融已经成为当今社会中最具有成长潜力的行业之一。

在互联网金融中，P2P借贷平台是其中最受欢迎的金融产品之一。

越来越多的人开始在P2P平台上进行借贷交易，但这种交易也存在着风险。

在这篇文章中，我们将探讨互联网金融下的借贷风险。

1. Platform Risk 平台风险P2P平台本身存在着风险，这种风险可以被称为平台风险。

这种风险的主要来源是P2P平台的经营和管理。

P2P平台在管理一系列风险时需要有强大的风险控制能力。

但是，一些P2P平台缺乏这种能力，导致它们无法控制风险。

这种风险可能会导致P2P平台的经营困难甚至倒闭。

所以，在选择P2P平台时，你应该选择质量过关的平台，以避免平台风险。

2. Credit Risk 信用风险借贷交易的实质是信用交易。

借款人需要证明自己有偿还借款的信誉和还款能力，而出借人则需要评估借款人的信用和信誉度。

但是，在P2P平台上，要评估借款人的信用和信誉度比在传统金融机构中更加困难。

因此，P2P平台会使用一系列评估工具和技术来评估借款人的信用风险。

但是，在实际操作中，这些工具和技术可能会出现偏差，从而导致信用风险。

3. Operational Risk 经营风险P2P平台的经营和管理也存在着风险，这种风险可以被称为经营风险。

P2P平台需要合理地制定它们的经营策略，包括风险控制和资金管理。

如果P2P平台管理不善，就会陷入经营困境，无法承担债务。

这种风险可能会对平台的资金流动和收益产生严重的影响。

4. Legal and Regulatory Risk 法律和监管风险P2P平台同样需要遵守一系列法律和监管规定，如果平台违反了这些规定，就可能会面临法律和监管风险。

这些规定包括消费者保护、反洗钱等方面的法规。

如果P2P平台违反了这些规定，就有可能会被监管机构惩处。

5. Liquidity Risk 流动性风险P2P借贷交易的流动性也存在着风险。

如果出借人退出P2P平台，那么借款人可能会影响到借款人的资金来源。

国外关于风险计算的书籍以下是几本关于风险计算的国外书籍，每本书籍都超过1200字：1. "Risk Management and Financial Institutions" by John C. Hull:2. "Principles of Risk Management and Insurance" by George E. Rejda and Michael McNamara:这本教材适用于风险管理和保险领域的学生和从业人员。

它介绍了风险管理和保险原理，并提供了对风险评估、风险控制和风险转移的详细解释。

此外，该书还讨论了不同类型的保险产品和契约，并介绍了评估风险的统计模型和方法。

3. "Financial Risk Management: A Practitioner's Guide to Managing Market and Credit Risk" by Steve L. Allen:4. "Quantitative Risk Management: Concepts, Techniques and Tools" by Alexander J. McNeil, Rüdiger Frey, and Paul Embrechts:5. "Operational Risk: Modeling Analytics" by Harry H. Panjer and Gordon Willmot:这些书籍都是关于风险计算和管理的经典著作，提供了广泛且深入的理论和实践知识。

无论是从事金融、保险还是其他行业的风险管理工作，这些书籍都是很好的参考资料，帮助读者了解并应对风险管理挑战。

风险管理术语风险管理术语1、风险风险 risk事件发生的不确定性。

纯粹风险 pure risk只有损失机会没有获利可能的风险。

投机风险 speculative risk既有损失机会又有获利可能的风险财产风险 property risk因发生自然灾害、意外事故而使个人或单位占有、控制或照看的财产遭受损毁、灭失或贬值的风险。

责任风险 liability risk因个人或单位的行为造成他人的财产损失或人身伤害，依法律或合同应承担赔偿责任的风险。

人身风险 personal risk因事故发生造成人的死亡、伤残或疾病的风险。

信用风险 credit risk在经济交往中，因义务人违约或违法致使权利人遭受经济损失的风险。

环境风险 environmental risk因职业、收入、居住环境、工作环境和生活习惯等因素导致人死亡、患病或伤残的风险。

职业风险 occupational risk因工作环境导致人死亡、患病或伤残的风险。

自然风险 natural risk因自然力的不规则变化产生的现象所导致危害经济活动、物质生产或生命安全的风险。

巨灾风险 catastrophic risk; catastrophe因一次重大自然灾害、疾病传播、恐怖主义袭击或人为事故造成巨大损失的风险。

社会风险 social risk因个人或单位的行为，包括过失行为、不当行为及故意行为对社会生产及人们生活造成损失的风险。

政治风险 political risk因种族、宗教、利益集团和国家之间的冲突，或因政策、制度的变革与权力的交替造成损失的风险。

经济风险 economic risk在经营活动中，因受市场供求关系、经济贸易条件等因素变化的影响或经营决策的失误等导致损失的风险。

税收风险 tax risk因税收政策变动导致个人或单位利益受损的风险。

法规风险 legal risk; regulatory risk因国家法律法规变动导致个人或单位利益受损的风险。

Basel Committeeon Banking SupervisionSound Practices for the Management and Supervision of Operational RiskJuly 2002Risk Management Groupof the Basel Committee on Banking SupervisionChairman:Mr Roger Cole – Federal Reserve Board, Washington, D.C.Banque Nationale de Belgique, Brussels Ms Dominique Gressens Commission Bancaire et Financière, Brussels Mr Jos MeulemanOffice of the Superintendent of Financial Institutions,OttawaMr Jeff MillerCommission Bancaire, Paris Mr Laurent Le Mouël Deutsche Bundesbank, Frankfurt am Main Ms Magdalene HeidMs Karin Sagner-Kaiser Bundesanstalt für Finanzdienstleistungsaufsicht, Bonn Ms Kirsten StraussBanca d’Italia, Rome Mr Claudio DauriaMr Fabrizio LeandriMr Sergio SorrentinoBank of Japan, Tokyo Mr Eiji HaradaFinancial Services Agency, Tokyo Mr Hirokazu Matsushima Commission de Surveillance du Secteur Financier,LuxembourgMr Davy ReinardDe Nederlandsche Bank, Amsterdam Mr Klaas KnotBanco de España, Madrid Mr Guillermo Rodriguez-GarciaMr Juan Serrano Finansinspektionen, Stockholm Mr Jan HedquistSveriges Riksbank, Stockholm Mr Thomas FlodénEidgenössische Bankenkommission, Bern Mr Martin SprengerFinancial Services Authority, London Mr Helmut BauerMr Victor DowdMr Jeremy QuickFederal Deposit Insurance Corporation, Washington, D.C. Mr Mark SchmidtFederal Reserve Bank of New York Ms Beverly HirtleMr Stefan WalterFederal Reserve Board, Washington, D.C. Mr Kirk OdegardOffice of the Comptroller of the Currency, Washington, D.C. Mr Kevin Bailey Ms Tanya SmithEuropean Central Bank, Frankfurt am Main Mr Panagiotis Strouzas European Commission, Brussels Mr Michel MartinoMs Melania Savino Secretariat of the Basel Committee on BankingSupervision, Bank for International SettlementsMr Stephen SeniorTable of ContentsIntroduction (1)Background (2)Industry Trends and Practices (3)Sound Practices (4)Developing an Appropriate Risk Management Environment (6)Risk Management: Identification, Assessment, Monitoring and Mitigation/Control (8)Role of Supervisors (12)Role of Disclosure (14)Sound Practices for theManagement and Supervision of Operational RiskThe consultative paper Sound Practices for the Management and Supervisionof Operational Risk, prepared by the Risk Management Group of the Basel Committee on Banking Supervision (the Committee), was originally publishedin December 2001. The Committee is grateful for the many insightful comments received from institutions, industry associations, supervisory authorities, and others, and notes that these comments have played a substantial role in the redrafting of this paper. Due to a number of important changes to the Sound Practices incorporated in this revised draft, the Committee has decided to release the paper for a second, short period of consultation before finalisation.1 The Committee would therefore welcome comments on the revised principles outlined in this paper. These comments should be submittedto relevant national supervisory authorities and central banks and may also be sent to the Secretariat of the Basel Committee on Banking Supervision at the Bank for International Settlements, CH-4002 Basel, Switzerland by September 2002. Comments may be submitted via e-mail: 30BCBS.capital@2 or by fax: + 41 61 280 9100. Comments on this paper will not be posted on the BIS website.Introduction1. The following paper outlines a set of principles that provide a framework for the effective management and supervision of operational risk, for use by banks and supervisory authorities when evaluating operational risk management policies and practices.2. The Committee recognises that the exact approach for operational risk management chosen by an individual bank will depend on a range of factors, including its size and sophistication and the nature and complexity of its activities. However, despite these differences, clear strategies and oversight by the board of directors and senior management,a strong internal control culture (including, among other things, clear lines of responsibility and segregation of duties), effective internal reporting, and contingency planning are all crucial elements of an effective operational risk management framework for banks of any size and scope. The Committee’s previous paper A Framework for Internal Control Systemsin Banking Organisations (September 1998)underpins its current work in the field of operational risk.1Please note that the Committee does not plan to issue a revised version of the second part of the December 2001 Sound Practices paper Supervisory Guidance for a Comprehensive Operational Risk Management Programme.2 Please use this e-mail address only for submitting comments and not for correspondence.1Background3. Deregulation and globalisation of financial services, together with the growing sophistication of financial technology, are making the activities of banks (and thus their risk profiles) more diverse and complex. Developing banking practices suggest that risks other than credit, interest rate risk and market risk can be substantial. Examples of these new and growing risks faced by banks include:• If not properly controlled, the use of more highly automated technology has the potential to transform risks from manual processing errors to system failure risks, asgreater reliance is placed on globally integrated systems;• Growth of e-commerce brings with it potential risks (e.g., external fraud and system security issues) that are not yet fully understood;• Large-scale mergers, de-mergers and consolidations test the viability of new or newly integrated systems;• The emergence of banks acting as very large-volume service providers creates the need for continual maintenance of high-grade internal controls and back-up systems;• Banks may engage in risk mitigation techniques (e.g., collateral, credit derivatives, netting arrangements and asset securitisations) to optimise their exposure to marketrisk and credit risk, but which in turn may produce other forms of risk; and• Growing use of outsourcing arrangements and the participation in clearing and settlement systems can mitigate some risk but can also present significant other risks to banks.4. The diverse set of risks listed above can be grouped under the heading of ‘operational risk’, which for supervisory purposes the Committee has defined as: ‘the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’.3 The definition includes legal risk but excludes strategic, reputational and systemic risk.5. The Committee recognises that operational risk is a term that has a variety of meanings within the industry, and therefore for internal purposes, banks may choose to adopt their own definitions of operational risk. Whatever the exact definition, a clear understanding by banks of what is meant by operational risk is critical to the effective management and control of this risk category. It is also important that the definition considers the full range of material operational risks facing the bank and captures the most significant causes of severe operational losses. Operational risk event types that the Committee - in co-operation with the industry - has identified as having the potential to result in substantial losses include the following:• Internal fraud. Acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discriminationevents, which involve at least one internal party. Examples include intentional3This definition was adopted from the industry as part of the Committee’s work in developing a minimum regulatory capital charge for operational risk. While this paper is not a formal part of the capital framework, the Committee nevertheless expects that the basic elements of a sound operational risk management framework set out in this paper will inform supervisory expectations when reviewing bank capital adequacy.2misreporting of positions, employee theft, and insider trading on an employee’s ownaccount.• External fraud. Acts by a third party, of a type intended to defraud, misappropriate property or circumvent the law. Examples include robbery, forgery, cheque kiting,and damage from computer hacking.• Employment practices and workplace safety. Acts inconsistent with employment, health or safety laws or agreements, or which result in payment of personal injuryclaims, or claims relating to diversity/discrimination issues. Examples include workers compensation claims, violation of employee health and safety rules, organised labour activities, discrimination claims, and general liability (for example,a customer slipping and falling at a branch office).• Clients, products and business practices. Unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitabilityrequirements), or from the nature or design of a product. Examples include fiduciarybreaches, misuse of confidential customer information, improper trading activities onthe bank’s account, money laundering, and sale of unauthorised products.• Damage to physical assets. Loss or damage to physical assets from natural disaster or other events. Examples include terrorism, vandalism, earthquakes, firesand floods.• Business disruption and system failures. Disruption of business or system failures. Examples include hardware and software failures, telecommunication problems, and utility outages.• Execution, delivery and process management. Failed transaction processing or process management, and relations with trade counterparties and vendors.Examples include data entry errors, collateral management failures, incomplete legal documentation, unapproved access given to client accounts, non-client counterparty misperformance, and vendor disputes.Industry Trends and Practices6. In its work on the supervision of operational risks, the Committee has aimed to develop a greater understanding of current industry trends and practices for managing operational risk. These efforts have involved numerous meetings with banking organisations, surveys of industry practice, and analyses of the results. Based upon these efforts, the Committee believes that it has a good understanding of the banking industry’s current range of practices, as well as the industry’s efforts to develop methods for managing operational risks.7. The Committee recognises that management of specific operational risks is not a new practice; it has always been important for banks to try to prevent fraud, maintain the integrity of internal controls, reduce errors in transaction processing, and so on. However, what is relatively new is the view of operational risk management as a comprehensive practice comparable to the management of credit and market risk in principle, if not always in form. The trends cited in the introduction to this paper, combined with a growing number of high-profile operational loss events worldwide, have led banks and supervisors to increasingly view operational risk management as an inclusive discipline, as has already been the case in many other industries.38. In the past, banks relied almost exclusively upon internal control mechanisms within business lines, supplemented by the audit function, to manage operational risk. While these remain important, recently there has been an emergence of specific structures and processes aimed at managing operational risk. In this regard, an increasing number of organisations have concluded that an operational risk management programme provides for bank safety and soundness, and are therefore making progress in addressing operational risk as a distinct class of risk similar to their treatment of credit and market risk. The Committee believes an active exchange of ideas between the supervisors and industry is key to ongoing development of appropriate guidance for managing exposures related to operational risk.9. This paper is organised along the following lines: developing an appropriate risk management environment; risk management: identification, assessment, monitoring and control/mitigation; the role of supervisors; and the role of disclosure.Sound Practices10. In developing these sound practices, the Committee has drawn upon its existing work on the management of other significant banking risks, such as credit risk, interest rate risk and liquidity risk, and the Committee believes that similar rigour should be applied to the management of operational risk. Nevertheless, it is clear that operational risk differs from other banking risks in that it is typically not directly taken in return for an expected reward, but exists in the natural course of corporate activity, and that this affects the risk management process.4 At the same time, failure to properly manage operational risk can result in a misstatement of an institution’s risk/return profile and expose the institution to significant losses. Reflecting the different nature of operational risk, for the purposes of this paper, ‘management’ of operational risk is taken to mean the ‘identification, assessment, monitoring and control/mitigation’ of risk. This definition contrasts with the one used by the Committee in previous risk management papers of the ‘identification, measurement, monitoring and control’ of risk. In common with its work on other banking risks, the Committee has structured this sound practice paper around a number of principles. These are:Developing an Appropriate Risk Management EnvironmentPrinciple 1: The board of directors5 should be aware of the major aspects of the bank’s operational risks as a distinct risk category that should be managed, and it should4However, the Committee recognises that in some business lines with minimal credit or market risk (e.g., asset management, and payment and settlement), the decision to incur operational risk, or compete based on the ability to manage and effectively price this risk, is an integral part of a bank’s risk/reward calculus.5This paper refers to a management structure composed of a board of directors and senior management. The Committee is aware that there are significant differences in legislative and regulatory frameworks across countries as regards the functions of the board of directors and senior management. In some countries, the board has the main, if not exclusive, function of supervising the executive body (senior management, general management) so as to ensure that the latter fulfils its tasks. For this reason, in some cases, it is known as a supervisory board. This means that the board has no executive functions. In other countries, the board has a broader competence in that it lays down the general framework for the management of the bank. Owing to these differences, the terms ‘board of directors’ and ‘senior management’ are used in this paper not to identify legal constructs but rather to label two decision-making functions within a bank.4approve and periodically review the bank’s operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.Principle 2: The board of directors should ensure that the bank’s operational risk management framework is subject to effective and comprehensive internal audit by operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management.Principle 3: Senior management should have responsibility for implementing the operational risk management framework approved by the board of directors. The framework should be implemented throughout the whole banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank’s products, activities, processes and systems.Risk Management: Identification, Assessment, Monitoring, and Mitigation/Control Principle 4: Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures.Principle 5: Banks should implement a process to regularly monitor operational risk profiles and material exposure to losses. There should be regular reporting of pertinent information to senior management and the board of directors that supports the proactive management of operational risk.Principle 6: Banks should have policies, processes and procedures to control or mitigate material operational risks. Banks should assess the feasibility of alternative risk limitation and control strategies and should adjust their operational risk profile using appropriate strategies, in light of their overall risk appetite and profile.Principle 7: Banks should have in place contingency and business continuity plans to ensure their ability to operate as going concerns and minimise losses in the event of severe business disruption.Role of SupervisorsPrinciple 8: Banking supervisors should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control or mitigate material operational risks as part of an overall approach to risk management. Principle 9: Supervisors should conduct, directly or indirectly, regular independent evaluation of a bank’s policies, procedures and practices related to operational risks. Supervisors should ensure that there are appropriate reporting mechanisms in place which allow them to remain apprised of developments at banks.Role of DisclosurePrinciple 10: Banks should make sufficient public disclosure to allow market participants to assess their approach to operational risk management.5Developing an Appropriate Risk Management Environment11. Failure to understand and manage operational risk, which is present in virtually all bank transactions and activities, may greatly increase the likelihood that some risks will go unrecognised and uncontrolled. Both the board and senior management are responsible for creating an organisational culture that places a high priority on effective operational risk management and adherence to sound operating controls. Operational risk management is most effective where a bank’s culture emphasises high standards of ethical behaviour at all levels of the bank. The board and senior management should promote an organisational culture which establishes through both actions and words the expectations of integrity for all employees in conducting the business of the bank.Principle 1: The board of directors should be aware of the major aspects of the bank’s operational risks as a distinct risk category that should be managed, and it should approve and periodically review the bank’s operational risk management framework. The framework should provide a firm-wide definition of operational risk and lay down the principles of how operational risk is to be identified, assessed, monitored, and controlled/mitigated.12. The board of directors should approve the implementation of a firm-wide framework to explicitly manage operational risk as a distinct risk to the bank’s safety and soundness. The board should provide senior management with clear guidance and direction regarding the principles underlying the framework and approve the corresponding policies developed by senior management.13. In this paper, an operational risk framework is understood to include an appropriate definition of operational risk which clearly articulates what constitutes operational risk in that bank. The framework should cover the bank’s appetite and tolerance for operational risk, as specified through the policies for managing this risk, including the extent of, and manner in which, operational risk is transferred outside the bank. It should also include policies outlining the bank’s approach to identifying, assessing, monitoring and controlling/mitigating the risk. The formality and sophistication of the bank’s operational risk management framework should be commensurate with the risk incurred by the bank.14. The board is responsible for establishing a management structure capable of implementing the firm’s operational risk management framework. Since a significant aspect of managing operational risk relates to the establishment of strong internal controls, it is particularly important that the board establish clear lines of management responsibility, accountability and reporting. In addition, there must be segregated responsibilities and reporting lines between control functions and the revenue generating business lines. The framework should also articulate the key processes the firm needs to have in place to manage operational risk.15. The board should review the framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. This review process should also aim to incorporate industry innovations in operational risk management appropriate for the bank’s activities, systems and processes. If necessary, the board should ensure that the operational risk management framework is revised in light of this analysis, so that material operational risks are captured within the framework.Principle 2: The board of directors should ensure that the bank’s operational risk management framework is subject to effective and comprehensive internal audit by 6operationally independent, appropriately trained and competent staff. The internal audit function should not be directly responsible for operational risk management.16. Banks should have in place adequate internal audit coverage to verify that operating policies and procedures are effectively implemented.6 The board (either directly or indirectly through its audit committee) should ensure that the scope and frequency of the audit programme is appropriate to the risks involved. Audit should periodically validate that the firm’s operational risk management framework is being implemented effectively across the firm.17. To the extent that the audit function is involved in oversight of the operational risk management framework, the board should ensure that the independence of the audit function is maintained. This independence may be compromised if the audit function is directly involved in the operational risk management process. The audit function may provide valuable input to those responsible for operational risk management, but should not itself have direct operational risk management responsibilities. In practice, the Committee recognises that the audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.Principle 3: Senior management should have responsibility for implementing the operational risk management framework approved by the board of directors. The framework should be implemented throughout the whole banking organisation, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have responsibility for developing policies, processes and procedures for managing operational risk in all of the bank’s products, activities, processes and systems.18. Management must translate the operational risk management framework established by the board of directors into more specific policies, processes and procedures that can be implemented and verified within different business units. While each level of management is responsible for the appropriateness and effectiveness of policies, processes, procedures and controls within its purview, senior management must clearly assign authority, responsibility and reporting relationships to encourage this accountability. This responsibility includes ensuring that the necessary resources are available to manage operational risk effectively. Moreover, senior management should assess the appropriateness of the management oversight process in light of the risks inherent in a business unit’s policy and ensure that staff are apprised of their responsibilities.19. Senior management should ensure that bank activities are conducted by qualified staff with the necessary experience and technical capabilities and that staff responsible for monitoring and enforcing the institution’s risk policy have authority independent from the business units they oversee. Management should ensure that the bank’s operational risk management policy has been clearly communicated to staff at all levels in business units that incur material operational risks.20. Senior management should ensure that staff with responsibility for operational risk communicate effectively with staff responsible for credit, market, and other risks, as well as6The Committee’s paper, Internal Audit in Banks and the Supervisor’s Relationship with Auditors (August 2001) describes the role of internal and external audit.7with those in the firm who are responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Failure to do so may result in significant gaps or overlaps in a bank’s overall risk management programme.21. Senior management should also ensure that the bank’s remuneration policies are consistent with its appetite for risk. Remuneration policies that reward staff that deviate from policies (e.g. by exceeding established limits) weaken the bank’s risk management processes.22. Integrated objectives among managerial levels are particularly crucial for banks using, or in the process of implementing, advanced technologies to support high transaction volumes. Particular attention should be given to the quality of documentation controls and to transaction-handling practices. Policies, processes and procedures related to such technologies should be well documented and disseminated to all relevant personnel.Risk Management: Identification, Assessment, Monitoring and Mitigation/Control Principle 4: Banks should identify and assess the operational risk inherent in all material products, activities, processes and systems. Banks should also ensure that before new products, activities, processes and systems are introduced or undertaken, the operational risk inherent in them is subject to adequate assessment procedures. 23. Risk identification is paramount for the subsequent development of viable operational monitoring and control. Effective risk identification considers both internal factors (such as the complexity of the bank’s structure, the nature of the bank’s activities, the quality of personnel, organisational changes and employee turnover) and external factors (such as changes in the industry and technological advances) that could adversely affect the achievement of the bank’s objectives.24. In addition to identifying the most potentially adverse risks, banks should assess their vulnerability to these risks. Effective risk assessment allows the bank to better understand its risk profile and most effectively target risk management resources.25. There are several processes commonly used by banks to help them identify and assess operational risk:• Self- or Risk Assessment: a bank assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally drivenand often incorporates checklists and/or workshops to identify the strengths andweaknesses of the operational risk environment.• Risk Mapping: in this process, various business units, organisational functions or process flows are mapped by risk type. This exercise can reveal areas of weaknessand help prioritise subsequent management action.• Key Risk Indicators: risk indicators are statistics and/or metrics, often financial, which can provide insight into a bank’s risk position. These indicators tend to bereviewed on a periodic basis (such as monthly or quarterly) to alert banks to changes that may be indicative of risk concerns. Such indicators may include thenumber of failed trades, staff turnover rates and the frequency and/or severity oferrors and omissions.• Scorecards: these provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk。