Guidelines on Operational Risk Management of Commercial Banks (English)


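Guidelines on Operational Risk Management of Commercial Banks (latest 2023 edition)

Guidelines on Operational Risk Management of Commercial Banks

1. Purpose of the guidelines

These guidelines are intended to give commercial banks guidance on operational risk management, so as to keep the bank's business operations continuously sound and to reduce the impact of operational risk on the bank.

2. Management framework

(1) Definition of operational risk

Operational risk is the risk of loss caused by internal processes, people, systems or external events; it may include errors, mistakes, violations, technical failures and the like.

(2) Operational risk management system

A commercial bank should establish a sound operational risk management system covering the following:
- Risk identification and assessment
- Risk control and monitoring
- Risk reporting and communication
- Risk supervision and evaluation

3. Risk identification and assessment

(1) Risk classification and categorization

A commercial bank should classify and categorize its operational risks so that the different types of risk can be better understood and managed.

(2) Risk assessment methods

A commercial bank should use appropriate risk assessment methods, including but not limited to qualitative and quantitative assessment, to measure the severity and potential loss of operational risk.

4. Risk control and monitoring

(1) Internal processes and controls

A commercial bank should establish sound internal processes and control measures to reduce potential operational risk. This includes drawing up rules, processes and operating manuals, and setting appropriate authorizations and limits.

(2) Personnel management and training

A commercial bank should have qualified staff and provide relevant training, so that employees understand the importance of operational risk management and are able to operate in accordance with the prescribed processes.

(3) Information systems and technical support

A commercial bank should invest in advanced information systems and technical support to ensure that operational risk is accurately identified, tracked and monitored.

5. Risk reporting and communication

A commercial bank should establish timely and accurate risk reporting and communication mechanisms to convey risk information to internal and external stakeholders, and should take the necessary action to respond to potential operational risk.

6. Risk supervision and evaluation

A commercial bank should carry out risk supervision and evaluation on a regular basis to monitor the effectiveness of the operational risk management system, and should take improvement measures in a timely manner.

Attachment:
- Operational risk identification and assessment form

Legal terms and notes:

1. "Banking Law": the laws and regulations on the banking industry promulgated by the People's Republic of China.

2. "Company Law": the laws and regulations on company registration and management promulgated by the People's Republic of China.

3. "Contract Law": the laws and regulations on the conclusion, performance and termination of contracts promulgated by the People's Republic of China.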

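Guidelines on Operational Risk Management of Commercial Banks

Notice of the China Banking Regulatory Commission on Issuing the Guidelines on Operational Risk Management of Commercial Banks

To all local banking regulatory bureaus, policy banks, state-owned commercial banks, joint-stock commercial banks, and the Postal Savings Bank:

In order to strengthen the operational risk management of commercial banks, encourage commercial banks to further improve their corporate governance structure, and enhance their risk management capability, the China Banking Regulatory Commission has formulated the Guidelines on Operational Risk Management of Commercial Banks, which are hereby issued to you. Please comply with them.

All local banking regulatory bureaus are requested to forward this notice to the city commercial banks, rural commercial banks, rural cooperative banks, rural credit cooperatives, urban credit cooperatives, wholly foreign-owned banks, Chinese-foreign joint venture banks and lead reporting branches of foreign banks within their jurisdictions.

May 14, 2007

Guidelines on Operational Risk Management of Commercial Banks

Chapter I General Provisions

Article 1 These Guidelines are formulated in accordance with the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks and other applicable laws and regulations, in order to strengthen the operational risk management of commercial banks.

Article 2 These Guidelines apply to Chinese-funded commercial banks, wholly foreign-funded banks and Chinese-foreign joint venture banks established within the territory of the People's Republic of China.

Article 3 Operational risk as referred to in these Guidelines means the risk of loss resulting from inadequate or failed internal procedures, staff and information technology systems, or from external events.

Operational risk under this definition includes legal risk, but excludes strategic risk and reputational risk.

Article 4 The China Banking Regulatory Commission (hereinafter the "CBRC") supervises and inspects the operational risk management of commercial banks in accordance with the law and evaluates the effectiveness of that management.

Chapter II Operational Risk Management

Article 5 A commercial bank shall, as required by these Guidelines, establish an operational risk management system commensurate with the nature, scale and complexity of its business, so as to effectively identify, assess, monitor and control/mitigate operational risk.

The specific form of the operational risk management system is not required to be uniform, but it shall include at least the following basic elements:
(1) oversight and control by the board of directors;
(2) responsibilities of senior management;
(3) an appropriate organizational structure;
(4) operational risk management policies, methods and procedures;
(5) provisions on setting aside the capital required for operational risk.

Article 6 The board of directors of a commercial bank shall treat operational risk as one of the major risks facing the bank and shall bear ultimate responsibility for monitoring the effectiveness of operational risk management.

Its main responsibilities include:
(1) formulating an operational risk management strategy and general policies that are consistent with the bank's strategic objectives and apply to the whole bank;
(2) ensuring the effectiveness of the bank-wide decision-making system for operational risk management by approving and reviewing senior management's responsibilities, authority and reporting arrangements with regard to operational risk, and ensuring as far as possible that the operational risk faced by the bank's business activities is kept within a tolerable range;
(3) regularly reviewing the operational risk reports submitted by senior management, and fully understanding the overall state of the bank's operational risk management, the effectiveness of senior management in handling material operational risk events, and the effectiveness of the monitoring and evaluation of day-to-day operational risk management;
(4) ensuring that senior management takes the necessary measures to effectively identify, assess, monitor and control/mitigate operational risk;
(5) ensuring that the bank's operational risk management system is subject to effective review and oversight by the internal audit department;
(6) establishing an appropriate system of rewards and penalties to effectively promote the development of the operational risk management system across the whole bank.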

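Commercial Bank Operational Risk Management

Commercial bank operational risk management

Standardized Approach

The Standardized Approach divides banking activities into 8 standard business lines. The operational risk capital requirement for each business line is the product of that line's operational risk exposure indicator (the corresponding financial indicator) and the corresponding factor. The total operational risk capital requirement is the simple sum of the capital requirements of the business lines, and the operational risk capital requirement for the current year is the average of the preceding three years.

Background

These cases posed a severe challenge to the risk management of commercial banks, which had long focused on credit risk and market risk, and made bank managers begin to recognize the importance of operational risk management.

In 2003 the Basel Committee issued "Sound Practices for the Management and Supervision of Operational Risk", which set out 10 principles for the supervision of operational risk at commercial banks.

In June 2004 the "New Basel Capital Accord" was formally published. The New Basel Capital Accord not only divides risk into three categories (market risk, credit risk and operational risk) but also brings operational risk into the calculation of the capital adequacy ratio, thereby establishing the important place of operational risk in commercial bank risk management.

[2] Definition, types and characteristics of operational risk

Definition of operational risk

Internationally, the definition of operational risk has always been disputed.

The broad concept of operational risk treats all risks other than credit risk and market risk as operational risk. The narrow concept of operational risk holds that only risks related to the business operations departments are operational risk.

It mainly includes losses caused to the bank by acts such as operating in violation of rules and regulations, setting up unrecognized accounts in violation of rules, errors in the delivery of bills and cash, interest calculation errors, lack of customer permission, opening accounts without the legally required documents, violations by external deposit solicitors, granting loans out of sequence or by skipping procedures, non-standard management of contract execution, incomplete mortgage and guarantee formalities, transmission errors, inadequate post-loan management, failure to fulfil mandatory reporting obligations, lack of legally required documents, and errors in task execution.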

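Notice of the China Banking Regulatory Commission on Issuing the Guidelines on Operational Risk Management of Commercial Banks

Document properties
• Issuing authority: China Banking Regulatory Commission (since abolished)
• Date of promulgation: 2007.05.14
• Document number: Yin Jian Fa [2007] No. 42
• Effective date: 2007.05.14
• Level of authority: departmental regulatory document
• Validity: currently in force
• Subject category: banking supervision and administration

Main text

Notice of the China Banking Regulatory Commission on Issuing the Guidelines on Operational Risk Management of Commercial Banks (Yin Jian Fa [2007] No. 42)

To all local banking regulatory bureaus, policy banks, state-owned commercial banks, joint-stock commercial banks, and the Postal Savings Bank:

In order to strengthen the operational risk management of commercial banks, encourage commercial banks to further improve their corporate governance structure, and enhance their risk management capability, the China Banking Regulatory Commission has formulated the Guidelines on Operational Risk Management of Commercial Banks, which are hereby issued to you. Please comply with them.

All local banking regulatory bureaus are requested to forward this notice to the city commercial banks, rural commercial banks, rural cooperative banks, rural credit cooperatives, urban credit cooperatives, wholly foreign-owned banks, Chinese-foreign joint venture banks and lead reporting branches of foreign banks within their jurisdictions.

May 14, 2007

Guidelines on Operational Risk Management of Commercial Banks

Chapter I General Provisions

Article 1 These Guidelines are formulated in accordance with the Law of the People's Republic of China on Banking Regulation and Supervision, the Law of the People's Republic of China on Commercial Banks and other applicable laws and regulations, in order to strengthen the operational risk management of commercial banks.

Article 2 These Guidelines apply to Chinese-funded commercial banks, wholly foreign-funded banks and Chinese-foreign joint venture banks established within the territory of the People's Republic of China.

Article 3 Operational risk as referred to in these Guidelines means the risk of loss resulting from inadequate or failed internal procedures, staff and information technology systems, or from external events.

Operational risk under this definition includes legal risk, but excludes strategic risk and reputational risk.

Article 4 The China Banking Regulatory Commission (hereinafter the "CBRC") supervises and inspects the operational risk management of commercial banks in accordance with the law and evaluates the effectiveness of that management.

Chapter II Operational Risk Management

Article 5 A commercial bank shall, as required by these Guidelines, establish an operational risk management system commensurate with the nature, scale and complexity of its business, so as to effectively identify, assess, monitor and control/mitigate operational risk.

The specific form of the operational risk management system is not required to be uniform, but it shall include at least the following basic elements:
(1) oversight and control by the board of directors;
(2) responsibilities of senior management;
(3) an appropriate organizational structure;
(4) operational risk management policies, methods and procedures;
(5) provisions on setting aside the capital required for operational risk.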

Guidelines for the Compliance Risk Management of Commercial Banks (English version)

Guidelines for the Compliance Risk Management of Commercial Banks

October 25, 2006

Chapter I General Provisions

Article 1 For the purpose of strengthening the compliance risk management of commercial banks and maintaining commercial banks operating safely and stably, these Guidelines are instituted in accordance with the Measures of the People's Republic of China on the Supervision and Administration of the Banking Sector and the Law of the People's Republic of China on Commercial Banks.

Article 2 A Chinese-funded commercial bank, foreign sole-capital bank, joint venture bank or branch of a foreign bank established within the territory of the People's Republic of China shall be governed by these Guidelines.

A policy bank, financial asset management company, urban credit cooperative, rural credit cooperative, trust investment company, enterprise group financial company, financial lease company, automobile financial company, currency brokerage company, postal savings institution or any other financial institution established within the territory of the People's Republic of China and approved by the China Banking Regulatory Commission shall be governed by these Guidelines.

Article 3 The term "laws, rules and standards" as mentioned in these Guidelines refers to the laws, administrative regulations, departmental rules as well as other regulatory documents, business rules and industrial standards of self-disciplinary organizations, behavioral code and occupational ethics.

The term "compliance" as mentioned in these Guidelines refers to the consistency between the business operations of commercial banks and the related laws, rules and standards.

The term "compliance risks" as mentioned in these Guidelines refers to the risks of a commercial bank suffering from legal sanction, supervision punishment, great financial losses or reputation losses when it violates any law, rule or standard.

The term "compliance management department" as mentioned in these Guidelines refers to any department, team or position that is specially established within a commercial bank to take charge of compliance management.

Article 4 Compliance management is a core risk management of commercial banks. A commercial bank shall take overall consideration of the relevance between compliance risks and credit risks, market risks, operation risks and other risks so as to ensure the consistency between all the policies and formalities for risk management.

Article 5 The objective of compliance risk management of a commercial bank is to establish and improve a framework of compliance risk management so as to realize the effective recognition and management of compliance risks, promote the establishment of an overall system of risk management and ensure an operation based on compliance of laws and regulations.

Article 6 A commercial bank shall enhance the establishment of compliance culture and incorporate the establishment of compliance culture into the whole process of establishing its enterprise culture.

Compliance is the joint responsibility of all staff members of a commercial bank, and its senior management shall take a lead in the execution thereof.

The board of directors and senior management of a commercial bank shall determine the keynote of compliance, set up such compliance philosophies as voluntary compliance by all its staff members and value creation subject to compliance, promote the occupational ethics and value concept of being creditworthy and upright within the bank, elevate the compliance consciousness of all its staff members and promote an effective interaction between self-compliance of the commercial bank and external supervision.

Article 7 China Banking Regulatory Commission shall implement supervision over the compliance risk management of commercial banks, and examine and evaluate the effectiveness of compliance risk management of commercial banks.

Chapter II Compliance Management Functions and Duties of the Board of Directors, Board of Supervisors and Senior Management

Article 8 A commercial bank shall establish a system of compliance management in line with its business scope, organizational structure and business scale.

The following basic elements shall be included in the compliance management system:
(1) Compliance policies;
(2) Organizational structure and resources of the compliance management department;
(3) Plans of compliance risk management;
(4) Recognition of and management formalities for compliance risks; and
(5) Training and education system of compliance.

Article 9 The compliance policies of a commercial bank shall specify the basic principles that all its staff members and operational lines shall comply with and the significant formalities for recognizing and managing compliance risks as well as stipulate the related matters in respect of the functions of compliance management, which shall at least include:
(1) Functions and duties of the compliance management department;
(2) Power limit of the compliance management department, including the right to communicate with any bank staff member and obtain any record or archival file as required in its duty performance;
(3) Functions and duties of compliance management of related persons-in-charge;
(4) All the measures that guarantee the independency of the persons-in-charge of compliance as well as the compliance management department, including a guarantee that there is no conflict of interest between the functions and duties of compliance management of the persons-in-charge and related persons that engage in the compliance management and the other functions and duties thereof;
(5) The coordination relationship between the compliance management department and the risk management department, the internal auditing department as well as other departments; and
(6) The establishing of principles of the compliance management departments for the business lines as well as the branches and sub-branches.

Article 10 The board of directors shall undertake final responsibilities of compliance in the business operation of a commercial bank and perform the following functions and duties of compliance management:
(1) Examining and approving the compliance policies of the commercial bank and supervising its implementation of the compliance policies;
(2) Examining and approving the reports on compliance risk management submitted by the senior management of the commercial bank and appraising the effectiveness of compliance risk management of its commercial bank so as to timely and effectively resolve the compliance defects;
(3) Authorizing the risk management commission, auditing commission or specially established compliance management commission under the board of directors to conduct daily supervision over the compliance risk management of the commercial bank; and
(4) Supervising any other functions and duties of compliance management as stipulated in the constitution of its commercial bank.

Article 11 The commission under the board of directors of a commercial bank which is responsible for the daily supervision of compliance risk management shall, by means of holding individual talks with the related persons-in-charge of compliance or by any other effective means, know about the implementation of the compliance policies and existing problems, timely put forward corresponding opinions and suggestions to the board of directors or the senior management, and supervise and guarantee the effective implementation of the compliance policies.

Article 12 The board of supervisors shall supervise the performance of functions and duties of compliance management by the board of directors and senior management.

Article 13 The senior management shall manage the compliance risks of its commercial bank effectively and perform the functions and duties of compliance management as follows:
(1) Instituting the compliance policies in written form and revising the compliance policies in accordance with the status of compliance risk management as well as the related laws, rules and standards at an appropriate time, reporting them to the board of directors for deliberation and then distributing them to all its staff members after having been approved;
(2) Carrying out the compliance policies, guaranteeing that proper measures for correction be timely adopted when any rule-breaking event occurs and investigating the corresponding responsibilities of violators;
(3) Designating the persons-in-charge of compliance and guaranteeing their independency;
(4) Specifying the compliance management department and their organizational structure, arranging enough and proper personnel of compliance management for its performance of functions and duties, and ensuring the independency of the compliance management department;
(5) Recognizing the significant compliance risks that the commercial bank is faced with, examining and approving the plans of compliance risk management and ensuring the work coordination between the compliance management department and the risk management department, the internal auditing department and other relevant departments;
(6) Submitting to the board of directors a report of compliance risk management on an annual basis, which shall present sufficient proof and assist the members of the board of directors to judge the effectiveness of compliance risk management by senior managers;
(7) Reporting to the board of directors or the commissions thereunder and the board of supervisors any significant rule-breaking event timely; and
(8) Performing any other functions and duties as prescribed by the compliance policies.

Article 14 A person-in-charge of compliance shall coordinate the recognition and management of compliance risks of the commercial bank, supervise the compliance management department to perform its functions and duties in accordance with the related plans of compliance risk management and submit to the senior management an appraisal report about compliance risks periodically.

A person-in-charge of compliance must not take charge of the management of any business lines.

An appraisal report on compliance risks shall include but not be limited to the following contents: any change of compliance risk within the reporting period, the recognition of any rule-breaking event or compliance defect and the measures for correction that have been adopted or are advised to be adopted.

Article 15 A commercial bank shall set up an examination system of compliance performance of managers. The performance examination of a commercial bank shall embody the value concept of promoting compliance and punishing any rule-breaking behavior.

Article 16 A commercial bank shall establish an effective compliance accountability system, strictly carry out the confirmation and investigation of responsibilities incurred from any rule-breaking behavior, adopt effective measures for correction, improve the formalities for management in time, and revise the related policies, formalities and operational guidelines at a proper time.

Article 17 A commercial bank shall establish a credit accusation system, encourage its staff members to tip off the illegal acts, the acts in violation of professional integrity or the suspicious acts, and fully protect any tip-off reporter.

Chapter III Functions and Duties of the Compliance Management Department

Article 18 The compliance management department shall, under the guidance of its person-in-charge, assist the senior management to effectively recognize and manage the compliance risks that its commercial bank is faced with, and perform the following fundamental functions and duties:
(1) Paying continuous attention to the latest development of the related laws, rules and standards, correctly understanding the provisions and spirit of the related laws, rules and standards, accurately understanding the impact of the related laws, rules and standards on the business operation of the commercial bank, and putting forward corresponding suggestions on compliance to its senior management;
(2) Instituting and carrying out the plans of compliance management which focus on risks, including the implementation and appraisal of special policies and formalities, appraisal on compliance risks, compliance testing, compliance training and education, etc.;
(3) Examining and appraising the compliance of all policies, formalities and operational guidelines of the commercial bank, organizing, coordinating and supervising and urging all business lines and the internal control department to sort out and revise the related policies, formalities and operational guidelines, and guaranteeing that all policies, formalities and operational guidelines comply with the requirements of the related laws, rules and standards;
(4) Helping the related training and education departments to implement compliance trainings, including the compliance trainings of new staff members as well as the periodic compliance trainings of all its staff members, and functioning as the internal communication department for staff members to consult the related matters of compliance;
(5) Organizing the institution of the formalities for compliance management as well as such compliance guidelines as compliance booklets and behavioral code of its staff members, appraising the formalities for compliance management and the appropriateness of compliance guidelines, and offering guidance to its staff members on proper implementation of related laws, rules and standards;
(6) Recognizing and appraising the compliance risks in relation to the business operation of the commercial bank actively, including conducting the necessary examination and testing for the development of new products and services, and recognizing and appraising any compliance risk arising from the development of any new business mode, establishment of new customers' networks or change of nature of the bank's relationship with its customers;
(7) Collecting and choosing the data that may indicate potential compliance problems, such as increasing index of customers' complaints and abnormal transactions etc., establishing a supervisory index of compliance risks, and determining the preferential sequence of compliance risks to be considered in accordance with the possibility and impact of compliance risk occurrence measured by the risk matrix;
(8) Carrying out enough and representative appraisal and testing of compliance risks, including testing through on-the-spot examination on the compliance of all policies and formalities, inquiring the existing defects in the policies and formalities, and making corresponding investigation. The result of a compliance testing shall be reported in accordance with the formalities for internal risk management of commercial banks through the reporting line of compliance risks so as to ensure that all policies and formalities comply with the requirements of related laws, rules and standards; and
(9) Keeping daily contact with its supervisory organ, and tracing and appraising the implementation of supervisory opinions and supervisory requirements.

Article 19 A commercial bank shall allocate to its compliance management department the resources for effectively performing compliance management.

A person who engages in compliance management shall have the qualification, experience, expertise and individual quality corresponding to his/her functions and duties.

A commercial bank shall offer systematic and professional technical trainings to its personnel who engage in compliance management, especially technical trainings in such aspects as correctly mastering the latest development of the related laws, rules and standards as well as their impacts on the business operation of the commercial bank.

Article 20 The persons-in-charge of all business lines or branches or sub-branches of a commercial bank shall take primary responsibility for the business operation of their lines or departments.

A commercial bank shall, in accordance with the business scope of its lines of business and the branches and sub-branches as well as the operational scale, set up the corresponding compliance management departments. The compliance management departments of all business lines and the branches and sub-branches of a commercial bank shall, in accordance with the formalities for compliance management, actively recognize and manage the compliance risks and report the related information in time through the reporting lines in accordance with the reporting requirements of compliance risks.

Article 21 A commercial bank shall establish a coordination mechanism between the compliance management department and the risk management department in respect of compliance management.

Article 22 A commercial bank shall separate the functions and duties of compliance management from the function of internal auditing, and the performance of compliance management shall be subject to independent appraisal by the internal auditing department periodically.

The internal auditing department shall be responsible for the auditing on compliance among all business operations of the commercial bank.

An internal auditing plan shall include an auditing appraisal on the appropriateness and effectiveness of the functions and duties of compliance management. An appraisal on compliance risks shall be included in the measures for risk appraisal in the internal auditing.

A commercial bank shall specify the functions and duties of compliance risk appraisal and compliance testing between the compliance management department and the internal auditing department. The internal auditing department shall notify the result of compliance auditing to the related persons-in-charge of compliance.

Article 23 A commercial bank shall specify its reporting lines of compliance risks as well as the elements, format and frequency of a report on compliance risks.

Article 24 The overseas branches or sub-branches or affiliated institutions of a commercial bank shall strengthen the functions of compliance management. The organizational structure of the compliance management functions shall accord with the local laws and requirements of supervision.

Article 25 The board of directors and senior management of a commercial bank shall guarantee that the outsourcing of the work of the compliance management department shall comply with local laws, rules and standards.

A commercial bank shall guarantee that any outsourcing work of the compliance management department be under a proper supervision of its person-in-charge of compliance and will not hamper an effective supervision by China Banking Regulatory Commission.

Chapter IV Supervision over Compliance Risks

Article 26 A commercial bank shall report its internal regulations such as compliance policies, formalities for compliance management as well as compliance guidelines to China Banking Regulatory Commission for archival filing.

A commercial bank shall timely report its plans of compliance risk management and appraisal reports on compliance risks to China Banking Regulatory Commission.

Where a commercial bank finds any significant rule-breaking event, it shall report it to China Banking Regulatory Commission in accordance with the reporting system of significant events.

Article 27 Where a commercial bank designates a person-in-charge of compliance, it shall report it to China Banking Regulatory Commission in accordance with the related provisions. Where any person-in-charge of compliance of a commercial bank leaves his/her post, the bank shall report related information such as the reasons for leaving to China Banking Regulatory Commission within 10 workdays after the person leaves the post.

Article 28 China Banking Regulatory Commission shall conduct appraisal on the effectiveness of compliance risk management of commercial banks periodically and the appraisal reports shall be regarded as an important basis for classified supervision.

Article 29 China Banking Regulatory Commission shall, in accordance with the compliance records of commercial banks and the appraisal reports on compliance risk management, determine the frequency, scope and depth of on-the-spot compliance risk examination, and the contents to be examined shall mainly include:
(1) The appropriateness and effectiveness of the compliance risk management system of a commercial bank;
(2) The functions of the board of directors and senior management of a commercial bank in the compliance risk management;
(3) The appropriateness and effectiveness of the performance examination system, the accountability system and the credit accusation system of a commercial bank; and
(4) The appropriateness and effectiveness of the functions of compliance management of a commercial bank.

Chapter V Supplementary Provisions

Article 30 The power to interpret these Guidelines shall remain with China Banking Regulatory Commission.

Article 31 These Guidelines shall enter into force as of the day of promulgation.

Guidelines on Operational Risk Management of Commercial Banks (English)

Guidelines on Operational Risk Management of Commercial Banks

Chapter I General Provisions

Article 1 Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People’s Republic of China on Commercial Banks as well as other applicable laws and regulations, the Guidelines are formulated so as to enhance the operational risk management of commercial banks.

Article 2 The Guidelines apply to domestic commercial banks, wholly foreign-funded banks and Chinese-foreign joint venture banks incorporated within the territory of the People’s Republic of China.

Article 3 The operational risk in the Guidelines refers to the risk of loss resulting from inadequate or failed internal processes, people and IT system, or from external events. It includes legal risk but excludes strategic and reputational risk.

Article 4 The China Banking Regulatory Commission (hereinafter referred to as the “CBRC”) supervises and regulates the operational risk management of commercial banks and evaluates the effectiveness thereof under its authority by law.

Chapter II Operational Risk Management

Article 5 Commercial banks should, in line with the Guidelines, set up an operational risk management system suitable to their own business nature, scale and complexity to effectively identify, assess, monitor and control/mitigate operational risk. This system can be in any form, but should comprise at least the following basic elements:
1) oversight and control by the board of directors;
2) roles and responsibilities of senior management;
3) appropriate organizational structure;
4) operational risk management policies, methods, and procedures; and
5) requirements on making capital provisions for operational risk.

Article 6 The board of directors in a commercial bank should treat operational risk as a major risk and bear the ultimate responsibility for monitoring the effectiveness of operational risk management. The responsibilities of the board shall include:
1) developing strategies and general policies for bank-wide operational risk management that are aligned with the bank’s strategic goals;
2) reviewing and approving the senior management’s functions, authorization and reporting arrangement with regard to operational risk management so as to ensure the effectiveness of the bank’s decision-making system in operational risk management and ensure that the operational risk facing the bank’s operations is controlled within its endurance capacity;
3) reviewing regularly the operational risk reports submitted by the senior management; fully understanding the bank’s overall operational risk management and the effectiveness of the senior management in handling material operational risk events; and monitoring and evaluating the effectiveness of daily operational risk management;
4) ensuring that the senior management takes necessary measures to effectively identify, assess, monitor and control/mitigate operational risk;
5) ensuring that the bank’s operational risk management system is effectively audited and overseen by internal audit department; and
6) having in place an appropriate reward-punishment system so as to effectively promote the development of operational risk management system in the bank as a whole.

Article 7 The senior management in a commercial bank is responsible for implementing the operational risk management strategies, general policies and running the system approved by the board. It shall:
1) be ultimately responsible to the board regarding daily operational risk management;
2) lay out and regularly review the operational risk management policies, procedures and detailed processes in accordance with the strategies and general policies developed by the board, oversee the implementation thereof, and submit to the board reports on overall operational risk management in a regular manner;
3) sufficiently understand the overall situation of the bank’s operational risk management, particularly the events or programs with material operational risk;
4) clearly define each department’s responsibilities in operational risk management as well as the reporting line, frequency and contents; urge each department to truly fulfil its responsibilities in a bid to ensure the sound performance of the operational risk management system;
5) equip operational risk management with appropriate resources, including but not limited to providing necessary funds, setting up necessary positions with eligible staff, offering training courses to operational risk management personnel, delegating authorization to the said personnel to fulfill their duties, etc.; and
6) promptly check and revise the operational risk management system so as to effectively respond to operational risk events brought about by the changes of internal procedures, products, business activities, IT system, staff, external events or other factors.

Article 8 Commercial banks should designate a certain department to be responsible for the construction and implementation of operational risk management system. This department should be independent from others in order to ensure the system’s consistency and effectiveness. Its responsibilities shall mainly include:
1) drafting operational risk management policies, procedures and specific processes and submitting them to the senior management and the board for review and approval;
2) assisting other departments to identify, assess, monitor and control/mitigate operational risk;
3) working out methods to identify, assess, mitigate (including internal controls) and monitor operational risks, formulating bank-wide reporting processes of operational risk and organizing the implementation thereof;
4) putting in place basic criteria for operational risk control over the bank, and guiding and coordinating the operational risk management;
5) providing each department with trainings on operational risk management, and helping them improve operational risk management capacity and fulfill their own duties;
6) regularly checking and analyzing the practices of operational risk management in business departments and other departments;
7) regularly submitting operational risk reports to senior management; and
8) ensuring that the operational risk management system and measures are observed.

Article 9 The relevant departments in a commercial bank should be directly responsible for operational risk management. Major responsibilities include:
1) appointing designated staff to take charge of operational risk management, including observing operational risk management policies, procedures and specific processes;
2) following the assessment methods for operational risk management to identify and assess the operational risks in the departments, and to have in place an effective on-going procedure to monitor, control/mitigate and report operational risks, then organize the implementation thereof;
3) fully considering the requirements on operational risk management and internal control when making department specific business processes and related business policies, with a view to ensuring operational risk management personnel at all levels participate in the course of reviewing and approving important procedures, controls and policies, thus making these aligned with the bank’s general policy on operational risk management; and
4) monitoring key risk indicators and regularly reporting their own department’s operational risk management situation to the department which takes charge of or takes the leading role in operational risk management of the whole bank.

Article 10 The legal office, compliance office, IT office, security office, and human resource office in a commercial bank should, besides properly managing their own operational risks, provide relevant resources and assistance within their strength and respective responsibilities to other departments for the purpose of operational risk management.

Article 11 The internal audit department in a commercial bank does not directly take charge of or participate in other departments’ operational risk management, but it should regularly check and evaluate how well the bank’s operational risk management system operates, supervise the implementation of operational risk management policies, independently evaluate the bank’s new operational risk management policies, processes and specific procedures, and report to the board of directors the evaluation results of operational risk management system.

A commercial bank with high business complexity and large scale is encouraged to entrust intermediary agencies to audit and evaluate its operational risk management system on a regular basis.

Article 12 A commercial bank should have in place bank-wide operational risk management policies that are commensurate with its nature, scale, complexity and risk profile. Main contents include:
1) definition of operational risk;
2) appropriate organizational structure, authorization and responsibilities with regard to operational risk management;
3) procedures to identify, assess, monitor and control/mitigate operational risks;
4) reporting procedures of operational risk, including reporting responsibilities, path and frequency, and other specific requirements on other departments; and
5) requirements on promptly assessing operational risks associated with existing and newly-developed important products, business practices, procedures, IT system, human resource management, external factors and changes thereof.

Article 13 A commercial bank should choose appropriate approaches to manage operational risks, which may include: assessment of operational risk and internal control, loss event reporting and data collection, monitoring of key risk indicators, risk assessment regarding new products and business practices, testing and audit of internal control, and operational risk reporting.

Article 14 A commercial bank with high business complexity and large scale should adopt more sophisticated risk management methods (e.g. quantitative methods) to assess each department’s operational risk, collect operational risk loss data, and make arrangements according to the characteristics of operational risk associated with each line of business.

Article 15 A commercial bank should develop effective processes to regularly monitor and report operational risk status and material losses.
As to risks with increasing loss potential, early-warning system of operational risk should be put in place so as to take timely controls to mitigate risk and reduce the occurrence and severity ofloss events.Article 16 Material operational risk events should be reported to the board, senior management and appropriate management personnel according to the bank’s operational risk management policies.Article 17 A commercial bank should enhance internal control for effective operational risk management. Related internal controlsshould at least include:1) clearly defining the roles and responsibilities of each departmentand making proper separation among relevant functions so as toavoid potential conflicts of interests;2) closely watching how well specified risk limit or authorization isobserved;3) monitoring the records of access to and use of the bank’s assets;4) ensuring the staff are appropriately trained and eligible for theirpositions;5) identifying the business activities or products that do not generatereasonable prospective returns or that contain potential risks;6) regularly reviewing and checking up transactions and accounts;7) putting in place a system for the heads and the staff in keypositions to have job rotation and compulsory leaves and setting up a mechanism of off-job auditing as well;8) working out a code of conduct to regulate on-job and off-jobbehavior particularly for the staff in important positions or atsensitive links;9) establishing an incentive and protection system to encouragestaff to report violations on a real-name basis;10) setting up a dual-appraisal system to investigate and solve bankfraudulent cases as well as make punishments in a timely andproper manner;11) having in place an information disclosure system for the bankcase investigation; and12) e stablishing an incentive-restrictive mechanism with regard to themanagement and control of operational risk at front line.Article 18 A commercial bank should establish and gradually improve 
the operational risk management information system (MIS) so as to effectively identify, assess, monitor, control and report operational risks. The system should at least record and store the date about operational risk losses and events, support self-assessment on operational risk and control measures, monitor key risk indicators, and provide relevant information contained in operational riskreports.Article 19 To ensure business continuation, a commercial bank should develop a scheme for emergency response that matches their business scale and complexity, make a back-up arrangement for service recovery, and regularly check and test the catastrophe recovery function and business continuation mechanism so as to make sure that these actions can go in operation properly in the event of catastrophe and severe business disruption.Article 20 A commercial bank should develop risk management policies with regard to outsourcing practices in order to make sure that outsourcing is subject to rigorous contracts and service agreements which clearly specify the obligations of involved parties.Article 21 A commercial bank may purchase insurance and enter into contract with a third party, and consider it a way to mitigate operational risk. But they should by no means neglect the importanceof controls.A commercial bank that mitigates operational risks by means ofinsurance should formulate written policies and proceduresaccordingly.Article 22 A commercial bank should make adequate capitalprovisions for the operational risk it undertakes as per the requirements of CBRC on capital adequacy of commercial banks.Chapter III Supervision of Operational RiskArticle 23 Commercial banks should submit to the CBRC their operational risk management policies and processes for filing. They should submit operational risk related reports to the CBRC or its local offices as per regulations. 
Banks that entrust intermediary agencies to audit their operational risk management system should also submit audit reports to the CBRC or its local offices.Article 24 Commercial banks should promptly report to the CBRC or its local offices about the following material operational risk events ifany:1) banking crimes in which more than RMB300,000 is robbed from acommercial bank or cash truck or stolen from a banking financial institution; bank fraud or other cases involving an amount of morethan RMB10 million;2) events that result in serious damage or loss of the bank’simportant data, books, blank vouchers, or business disruption for over three hours in two or more provinces (autonomous regions/municipalities), or business disruption for over six hours in one province (autonomous region/municipality) and severelyaffect the bank’s normal operations;3) confidential information being stolen, sold, leaked or lost that mayaffect financial stability and lead to economic disorder;4) senior executives severely violating applicable regulations;5) accident or natural catastrophe caused by force majeure, resultingin immediate economic loss of more than RMB10 million;6) other operational risk events that may result in a loss of more than1‰ of the bank’s net capital; and7) other material events as specified by the CBRC.Article 25 The CBRC should regularly check and assess the operational risk management policies, processes and practices of commercial banks. 
Main items to be checked and assessed include:1) effectiveness of the bank’s operational risk managementprocesses;2) the bank’s approaches to monitor and report operational risks,including key operational risk indicators and operational risk lossdata;3) the bank’s measures to timely and effectively handle operationalrisk events and weak links;4) the bank’s procedures of internal control, reviewing and auditingwithin its operational risk management processes;5) the quality and comprehensiveness of the bank’s catastropherecovery and business continuation plans;6) adequacy level of capital provisions for operational risks; and7) other aspects of operational risk management.Article 26 As to the operational risk management problems discovered by the CBRC during supervision, the commercial bank should submit correction plan and take correction actions within thespecified time limit.When a material operational risk event occurs, if the commercial bank fails to adopt effective correction measures within the specified time limit, the CBRC should take appropriate regulatory actions in line withlaws and regulations.Chapter IV Supplementary ProvisionsArticle 27 This Guidelines may apply to other banking institutions including policy banks, financial asset management companies, urban credit cooperatives, rural credit cooperatives, rural cooperative banks, trust and investment companies, finance firms, financial leasing companies, automobile financial companies, money brokers, and postsavings institutions.Article 28 Banking institutions without the board of directors should have their operating decision-making bodies perform theresponsibilities of the board with regard to operational riskmanagement specified herein.Article 29 Branches set up by foreign banks within the territory of People’s Republic of China should follow the operational risk management policies and processes developed by their head offices, report to the CBRC or its local offices about material operational risk 
events, and accept the supervision of the CBRC. Where their head offices do not lay out operational risk management policies andprocesses, such branches should comply with the Guidelines.Article 30 Relevant terms mentioned herein are defined in theAppendix.Article 31 The Guidelines shall become effective as of the date ofpromulgation.Appendix: Definitions of Relevant Terms1.Operational risk eventsOperational risk events refer to the operational events resulting from inadequate or failed internal processes, people and IT system, or from external factors, which bring about financial losses or affect the bank’s reputation, clients and staff. Specific events include: internal fraud, external fraud, employment practices and workplace safety, clients, products & business practices, damages to physical assets, business disruption and system failures, execution, delivery & process management (see Annex 7 – Detailed Loss Event Type Classification of The International Convergence of Capital Measurement and Capital Standards: A Revised Framework or the New Basel Capital Accord).2.self-assessment on risk, key risk indicatorsTools used by commercial banks to identify and assess operationalrisks.1) self-assessment on riskSelf-assessment on risk is a tool for operational risk management by commercial banks to identify and assess the control measures and appropriateness and effectiveness thereof with regard to potential operational risk and their own business practices.2) Key Risk IndicatorKey risk indicators refer to the statistical indicators that represent the changes in a certain area of risk and can be monitored on a regular basis. These indicators can be used to monitor various risks and control measures that may result in loss events and to function as early-warning indicators for risk changes (so that senior management can take timely actions accordingly). 
Examples of specific indicators: loss ratio per RMB100 million asset, number of banking crimes per 10,000 people, ratio of the cases with each involving a cash value of RMB1 million, number of transactions unconfirmed beyond a certaintime limit, percentage of failed transactions, staff turnover, number of client complaints, frequency and severity of errors and omissions, etc.3.Legal RiskLegal risk includes, but is not limited to, the following: 1) the contract signed by a commercial bank violating laws or administrative regulations and therefore being probably cancelled or confirmed invalid according to law; 2) the bank being sued or in arbitration because of its breach of contract, infringement or other reasons and held liable for compensation according to law; 3) the bank’s business practices violating laws or administrative regulations and therefore being held liable administratively or criminally.。


