操作风险管理指引

商业银行合规风险管理指引范文商业银行合规风险管理指引第一条为加强商业银行合规风险管理，维护商业银行安全稳健运行，根据《中华人民共和国银行业监督管理法》和《中华人民共和国商业银行法》，制定本指引。

第二条在中华人尽共和国境内设立的中资商业银行、外资独资银行、中外合资银行和外国银行分行适用本指引。

在中华人民共和国境内设立的政策性银行、金融资产管理公司、城市信用合作社、农村信用合作社、信托投资公司、企业集团财务公司、金融租赁公司、汽车金融公司，货币经纪公司、邮政储蓄机构以及经银监会批准设立的其他金融机构参照本指引执行。

第三条本指引所称法律、规则和准则，是指适用于银行业经营活动的法律、行政法规、部门规章及其他规范性文件、经营规则、自律性组织的行业准则、行为守则和职业操守。

本指引所称合规，是指使商业银行的经营活动与法律、规则和准则相一致。

本指引所称合规风险，是指商业银行因没有遵循法律、规则和准则可能遭受法律制裁、监管处罚、重大财务损失和声誉损失的风险。

本指引所称合规管理部门，是指商业银行内部设立的专门负责合规管理职能的部门、团队或岗位。

第四条合规管理是商业银行一项核心的风险管理活动。

商业银行应综合考虑合规风险与信用风险、市场风险、操作风险和其他风险的关联性，确保各项风险管理政策和程序的一致性。

第五条商业银行合规风险管理的目标是通过建立健全合规风险管理框架，实现对合规风险的有效识别和管理，促进全面风险管理体系建设于确保依法合规经营。

第六条商业银行应加强合规文化建设，并将合规文化建设融入企业文化建设全过程。

合规是商业银行所有员工的共同责任，并应从商业银行高层做起。

董事会和高级管理层应确定合规的基调，确立全员主动合规、合规创造价值等合规理念，在全行推行诚信与正直的职业操守和价值观念，提高全体员工的合规意识，促进商业银行自身合规与外部监管的有效互动。

第七条银监会依法对商业银行合规风险管理实施监管，检查和评价商业银行合规风险管理的有效性。

Guidelines on Operational Risk Management of CommercialBanksChapter I General ProvisionsArticle 1 Pursuant to the Law of the People’s Republic of China on Banking Regulation and Supervision, the Law of the People’s Republic of China on Commercial Banks as well as other applicable laws and regulations, the Guidelines are formulated so as to enhance the operational risk management of commercial banks.Article 2 The Guidelines apply to domestic commercial banks, wholly foreign-funded banks and Chinese-foreign joint venture banks incorporated within the territory of the People’s Republic of China.Article 3 The operational risk in the Guidelines refers to the risk of loss resulting from inadequate or failed internal processes, people and IT system, or from external events. It includes legal risk but excludes strategic and reputational risk.Article 4 The China Banking Regulatory Commission (hereinafter referred to as the “CBRC”) supervises and regulates the operationalrisk management of commercial banks and evaluates the effectiveness thereof under its authority by law.Chapter II Operational Risk ManagementArticle 5 Commercial banks should, in line with the Guidelines, set up an operational risk management system suitable to their own business nature, scale and complexity to effectively identify, assess, monitor and control/mitigate operational risk. This system can be in any form, but should comprise at least the following basic elements:1)oversight and control by the board of directors;2)roles and responsibilities of senior management;3)appropriate organizational structure;4)operational risk management policies, methods, and procedures;and5)requirements on making capital provisions for operational risk.Article 6 The board of directors in a commercial bank should treat operational risk as a major risk and charge the ultimate responsibility for monitoring the effectiveness of operational risk management. The responsibilities of the board shall include:1) developing strategies and general policies for bank-wideoperational risk management that are aligned with the bank’sstrategic goals;2) reviewing and approving the senior management’s functions,authorization and reporting arrangement with regard to operational risk management so as to ensure the effectiveness of the bank’s decision-making system in operational risk management and ensure that the operational risk facing thebank’s operations is controlled within its endurance capacity; 3) reviewing regularly the operational risk reports submitted by thesenior management; fully understanding the bank’s overall operational risk management and the effectiveness of the senior management in handling material operational risk events; and monitoring and evaluating the effectiveness of daily operationalrisk management;4) ensuring that the senior management takes necessary measuresto effectively identify, assess, monitor and control/mitigateoperational risk;5) ensuring that the bank’s operational risk m anagement system iseffectively audited and overseen by internal audit department;and6) having in place an appropriate reward-punishment system so asto effectively promote the development of operational risk management system in the bank as a whole.Article 7 The senior management in a commercial bank isresponsible for implementing the operational risk management strategies, general policies and running the system approved by theboard. It shall:1) be ultimately responsible to the board regarding daily operationalrisk management;2) lay out and regularly review the operational risk managementpolicies, procedures and detailed processes in accordance with the strategies and general policies developed by the board, and oversee the implementation thereof, and submitting to the board reports on overall operational risk management in a regularmanner;3) sufficiently understand the overall situation of the bank’soperational risk management, particularly the events or programswith material operational risk;4) Clearly define each department’s responsibilities in operationalrisk management as well as the reporting line, frequency andcontents; urge each department to really charge its responsibilities in a bid to ensure the sound performance of theoperational risk management system;5) equip operational risk management with appropriate resources,including but not limited to providing necessary funds, setting up necessary positions with eligible staff, offering training courses to operational risk management personnel, delegating authorizaion to the said personnel to fulfill their duties, etc.; and6) make promptly checks and revision on the operational riskmanagement system so as to effectively respond to operational risk events brought about by the changes of internal procedures, products, business activities, IT system, staff, external events orother factors.Article 8 Commercial banks should designate a certain department to be responsible for the construction and implementation of operational risk management system. This department should be independent from others in order to ensure the system’s consistency and effectiveness. Its responsibilities shall mainly include:1) drafting operational risk management policies, procedures andspecific processes and submitting them to the senior management and the board for review and approval;2) assisting other departments to identify, assess, monitor andcontrol/mitigate operational risk;3) working out methods to identify, assess, mitigate (includinginternal controls) and monitor operational risks, formulating bank-wide reporting processes of operational risk and organizingthe implementation thereof;4) putting in place basic criteria for operational risk control over thebank, and guiding and coordinating the operational riskmanagement;5) providing each department with trainings on operational riskmanagement, and helping them improve operational risk management capacity and fulfill their own duties;6) regularly checking and analyzing the practices of operational riskmanagement in business departments and other departments;7) regularly submitting operational risk reports to seniormanagement; and8) ensuring that the operational risk management system andmeasures are observed.Article 9 The relevant departments in a commercial bank should be directly responsible for operational risk management. Majorresponsibilities include:1) appointing designated staff to take charge of operational riskmanagement, including observing operational risk management policies, procedures and specific processes;2) following the assessment methods for operational riskmanagement to identify and assess the operational risks in the departments, and to have in place an effective on-going procedure to monitor, control/mitigate and report operational risks, thenorganize the implementation thereof;3) fully considering the requirements on operational riskmanagement and internal control when making department specific business processes and related business policies, with a view to ensuring operational risk management personnel at alllevels participate in the course of reviewing and approvingimportant procedures, controls and policies, thus making these aligned with the bank’s general policy on operational riskmanagement; and4) monitoring key risk indicators and regularly reporting their owndepartment’s operational risk management situation to thedepartment which takes charge of or take the leading role in operational risk management of the whole bank.Article 10 The legal office, compliance office, IT office, security office, and human resource office in a commercial bank should, besides properly managing their own operational risks, provide relevant resources and assistance within their strength and respective responsibilities to other departments for the purpose of operationalrisk management.Article 11 The internal audit department in a commercial bank does not directly take charge of or participate in other departments’ operational risk management, but it should regularly check and evaluate how well the bank’s operational risk management system operates, supervise the implementation of operational riskmanagement policies, independently evaluate the bank’s newoperational risk management policies, processes and specific procedures, and report to the board of directors the evaluation results of operational risk management system.A commercial bank with high business complexity and large scale is encouraged to entrust intermediary agencies to audit and evaluate its operational risk management system on a regular basis.Article 12 A commercial bank should have in place bank-wide operational risk management policies that are commensurate with its nature, scale, complexity and risk profile. Main contents include:1) definition of operational risk;2) appropriate organizational structure, authorization andresponsibilities with regard to operational risk management;3) procedures to identify, assess, monitor and control/mitigateoperational risks;4) reporting procedures of operational risk, including reportingresponsibilities, path and frequency, and other specificrequirements on other departments; and5) requirements on promptly assessing operational risks associatedwith existing and newly-developed important products, business practices, procedures, IT system, human resource management,external factors and changes thereof.Article 13 A commercial bank should choose appropriate approaches to manage operational risks, which may include: assessment of operational risk and internal control, loss event reporting and data collection, monitoring of key risk indicators, risk assessment regarding new products and business practices, testing and audit of internal control, and operational risk reporting.Article 14 A commercial bank with high business complexity and large scale should adopt more sophisticated risk management methods (e.g. quantitative methods) to assess each department’s operational risk, collect operational risk loss data, and make arrangements according to the characteristics of operational riskassociated with each line of business.Article 15 A commercial bank should develop effective processes to regularly monitor and report operational risk status and material losses. As to risks with increasing loss potential, early-warning system of operational risk should be put in place so as to take timely controls to mitigate risk and reduce the occurrence and severity ofloss events.Article 16 Material operational risk events should be reported to the board, senior management and appropriate management personnel according to the bank’s operational risk management policies.Article 17 A commercial bank should enhance internal control for effective operational risk management. Related internal controlsshould at least include:1) clearly defining the roles and responsibilities of each departmentand making proper separation among relevant functions so as toavoid potential conflicts of interests;2) closely watching how well specified risk limit or authorization isobserved;3) monitoring the records of access to and use of the bank’s assets;4) ensuring the staff are appropriately trained and eligible for theirpositions;5) identifying the business activities or products that do not generatereasonable prospective returns or that contain potential risks;6) regularly reviewing and checking up transactions and accounts;7) putting in place a system for the heads and the staff in keypositions to have job rotation and compulsory leaves and setting up a mechanism of off-job auditing as well;8) working out a code of conduct to regulate on-job and off-jobbehavior particularly for the staff in important positions or atsensitive links;9) establishing an incentive and protection system to encouragestaff to report violations on a real-name basis;10) setting up a dual-appraisal system to investigate and solve bankfraudulent cases as well as make punishments in a timely andproper manner;11) having in place an information disclosure system for the bankcase investigation; and12) e stablishing an incentive-restrictive mechanism with regard to themanagement and control of operational risk at front line.Article 18 A commercial bank should establish and gradually improve the operational risk management information system (MIS) so as to effectively identify, assess, monitor, control and report operational risks. The system should at least record and store the date about operational risk losses and events, support self-assessment on operational risk and control measures, monitor key risk indicators, and provide relevant information contained in operational riskreports.Article 19 To ensure business continuation, a commercial bank should develop a scheme for emergency response that matches their business scale and complexity, make a back-up arrangement for service recovery, and regularly check and test the catastrophe recovery function and business continuation mechanism so as to make sure that these actions can go in operation properly in the event of catastrophe and severe business disruption.Article 20 A commercial bank should develop risk management policies with regard to outsourcing practices in order to make sure that outsourcing is subject to rigorous contracts and service agreements which clearly specify the obligations of involved parties.Article 21 A commercial bank may purchase insurance and enter into contract with a third party, and consider it a way to mitigate operational risk. But they should by no means neglect the importanceof controls.A commercial bank that mitigates operational risks by means ofinsurance should formulate written policies and proceduresaccordingly.Article 22 A commercial bank should make adequate capitalprovisions for the operational risk it undertakes as per the requirements of CBRC on capital adequacy of commercial banks.Chapter III Supervision of Operational RiskArticle 23 Commercial banks should submit to the CBRC their operational risk management policies and processes for filing. They should submit operational risk related reports to the CBRC or its local offices as per regulations. Banks that entrust intermediary agencies to audit their operational risk management system should also submit audit reports to the CBRC or its local offices.Article 24 Commercial banks should promptly report to the CBRC or its local offices about the following material operational risk events ifany:1) banking crimes in which more than RMB300,000 is robbed from acommercial bank or cash truck or stolen from a banking financial institution; bank fraud or other cases involving an amount of morethan RMB10 million;2) events that result in serious damage or loss of the bank’simportant data, books, blank vouchers, or business disruption for over three hours in two or more provinces (autonomous regions/municipalities), or business disruption for over six hours in one province (autonomous region/municipality) and severelyaffect the bank’s normal operations;3) confidential information being stolen, sold, leaked or lost that mayaffect financial stability and lead to economic disorder;4) senior executives severely violating applicable regulations;5) accident or natural catastrophe caused by force majeure, resultingin immediate economic loss of more than RMB10 million;6) other operational risk events that may result in a loss of more than1‰ of the bank’s net capital; and7) other material events as specified by the CBRC.Article 25 The CBRC should regularly check and assess the operational risk management policies, processes and practices of commercial banks. Main items to be checked and assessed include:1) effectiveness of the bank’s operational risk managementprocesses;2) the bank’s approaches to monitor and report operational risks,including key operational risk indicators and operational risk lossdata;3) the bank’s measures to timely and effectively handle operationalrisk events and weak links;4) the bank’s procedures of internal control, reviewing and auditingwithin its operational risk management processes;5) the quality and comprehensiveness of the bank’s catastropherecovery and business continuation plans;6) adequacy level of capital provisions for operational risks; and7) other aspects of operational risk management.Article 26 As to the operational risk management problems discovered by the CBRC during supervision, the commercial bank should submit correction plan and take correction actions within thespecified time limit.When a material operational risk event occurs, if the commercial bank fails to adopt effective correction measures within the specified time limit, the CBRC should take appropriate regulatory actions in line withlaws and regulations.Chapter IV Supplementary ProvisionsArticle 27 This Guidelines may apply to other banking institutions including policy banks, financial asset management companies, urban credit cooperatives, rural credit cooperatives, rural cooperative banks, trust and investment companies, finance firms, financial leasing companies, automobile financial companies, money brokers, and postsavings institutions.Article 28 Banking institutions without the board of directors should have their operating decision-making bodies perform theresponsibilities of the board with regard to operational riskmanagement specified herein.Article 29 Branches set up by foreign banks within the territory of People’s Republic of China should follow the operational risk management policies and processes developed by their head offices, report to the CBRC or its local offices about material operational risk events, and accept the supervision of the CBRC. Where their head offices do not lay out operational risk management policies andprocesses, such branches should comply with the Guidelines.Article 30 Relevant terms mentioned herein are defined in theAppendix.Article 31 The Guidelines shall become effective as of the date ofpromulgation.Appendix: Definitions of Relevant Terms1.Operational risk eventsOperational risk events refer to the operational events resulting from inadequate or failed internal processes, people and IT system, or from external factors, which bring about financial losses or affect the bank’s reputation, clients and staff. Specific events include: internal fraud, external fraud, employment practices and workplace safety, clients, products & business practices, damages to physical assets, business disruption and system failures, execution, delivery & process management (see Annex 7 – Detailed Loss Event Type Classification of The International Convergence of Capital Measurement and Capital Standards: A Revised Framework or the New Basel Capital Accord).2.self-assessment on risk, key risk indicatorsTools used by commercial banks to identify and assess operationalrisks.1) self-assessment on riskSelf-assessment on risk is a tool for operational risk management by commercial banks to identify and assess the control measures and appropriateness and effectiveness thereof with regard to potential operational risk and their own business practices.2) Key Risk IndicatorKey risk indicators refer to the statistical indicators that represent the changes in a certain area of risk and can be monitored on a regular basis. These indicators can be used to monitor various risks and control measures that may result in loss events and to function as early-warning indicators for risk changes (so that senior management can take timely actions accordingly). Examples of specific indicators: loss ratio per RMB100 million asset, number of banking crimes per 10,000 people, ratio of the cases with each involving a cash value of RMB1 million, number of transactions unconfirmed beyond a certaintime limit, percentage of failed transactions, staff turnover, number of client complaints, frequency and severity of errors and omissions, etc.3.Legal RiskLegal risk includes, but is not limited to, the following: 1) the contract signed by a commercial bank violating laws or administrative regulations and therefore being probably cancelled or confirmed invalid according to law; 2) the bank being sued or in arbitration because of its breach of contract, infringement or other reasons and held liable for compensation according to law; 3) the bank’s business practices violating laws or administrative regulations and therefore being held liable administratively or criminally.。

商业银行个人理财业务风险管理指引一、引言商业银行个人理财业务涉及多种金融产品和服务，为客户提供理财投资和财富管理服务。

个人理财业务也面临着一系列的风险，包括市场风险、信用风险、流动性风险和操作风险等。

为了保护客户利益、确保个人理财业务稳健发展，本指引旨在为商业银行制定个人理财业务风险管理提供指导。

二、风险识别与评估1. 市场风险商业银行应密切关注金融市场的变动，识别并评估市场风险。

应建立风险警示系统，监测市场风险暴露度。

商业银行应确保理财产品具备适当的投资标的、投资方式和风险披露机制，告知客户相关风险。

2. 信用风险商业银行应加强信用风险管理，确保理财产品的发行人和保证人具备良好的信用评级。

应建立有效的风险评估体系，及时评估债券和债务人的信用状况。

商业银行还应要求相关参与方提供充足的担保和抵押物，并核查其有效性。

3. 流动性风险商业银行应建立充足的流动性管理机制，确保个人理财产品的流动性风险可控。

应制定合理的投资限制和资金匹配策略，确保资金流动和偿付能力的平衡。

在产品设计阶段，要考虑资金提前赎回的可能性，并在产品披露材料中明确说明相应约定。

4. 操作风险商业银行应加强操作风险管理，确保个人理财业务的流程和系统安全可靠。

应建立完善的内部控制和风险管理制度，明确职责分工，防范人为失误和操作风险。

要加强技术支持和信息系统的安全保障，防止数据泄露和非法访问。

三、风险控制与监测1. 风险控制商业银行应制定风险管理政策和措施，确保个人理财业务的风险控制在可承受的范围内。

要设立风险限额和风险警示指标，进行实时风险监控和风险度量。

要进行合理的风险分散和资产配置，防范集中风险和系统性风险。

2. 风险监测商业银行应建立风险监测机制，及时识别和评估个人理财业务的风险情况。

要建立定期的风险报告和风险分析，对潜在风险进行预警和预测。

要加强内外部信息的沟通和交流，及时获取市场动态和客户需求变化。

四、风险应对与应急预案1. 风险应对商业银行应建立完善的风险应对机制，制定相应的风险缓释方案。

银行操作风险管理办法(试行）XX操作风险管理办法第一章总则第一条为规范和加强本行的操作风险管理工作～依据《中华人民共和国银行业监督管理法》、《中华人民共和国商业银行法》、《商业银行操作风险管理指引》以及其他有关法律法规~制定本办法。

第二条通过确定本行操作风险管理总体架构～明确操作风险管理职责~并逐步建立起对操作风险损失的测度、分类、统计、分析、考核评价制度～建立和健全操作风险管理体系~加强操作风险管理～有效缓释和控制操作风险～降低操作风险带来的损失。

第三条本办法适用于本行各分支机构、各业务部门及全体员工。

第四条本办法所称操作风险是指由于不完善或有问题的内部程序、人员、系统以及外部事件给本行造成损失的风险~包括法律风险,如商业银行签订的合同因违反法律或行政法规可能被依法撤销或者确认无效，商业银行因违约、侵权或者其他事由被提起诉讼或者申请仲裁~依法可能承担赔偿责任,商业银行的业务活动违反法律或行政法规~依法可能承担刑事责任、行政责任或者民事责任，~但不包括策略风险和声誉风险。

操作风险引发的损失指某一操作风险事件发生后～按照－ 1 －本行适用的法律、法规反映在本行法定财务报表的损失~损失包括所有与该操作风险事件相联系的成本支出～但不包括为避免后续操作风险损失实施的相关成本支出。

第五条本行操作风险管理遵循全面管理、及时调整、有效缓解与控制、成本与效益匹配、责任追究的原则及以下的方针：，一,本行把操作风险作为影响银行安全和效益的重要风险进行专门管理~操作风险管理应符合监管当局的监管要求、与全行发展战略、方针相适应。

，二,操作风险存在于全员、全过程～要确保全员了解操作风险管理文化~形成对操作风险定义的一致性理解并具备良好的操作风险管理意识。

各业务及管理部门的负责人和承担操作风险管理职责的人员是操作风险管理的主要责任人~负责防范和化解风险的各项活动,操作风险管理范围应涵盖所有机构、产品、活动、流程和系统。

,三，合规风险部是全行操作风险管理的牵头部门,各业务部门是操作风险管理的第一道防线～承担着操作风险日常的重要管控职责。

银行业金融机构与风险管理指引银行业金融机构与风险管理指引在金融行业中，银行业金融机构起着至关重要的作用。

而金融机构的风险管理则是确保金融机构稳健发展的关键。

本文将探讨与银行业金融机构风险管理相关的指引和最佳实践。

风险管理是银行业金融机构进行业务决策和资产配置的基础，它可以帮助机构识别、测量、监控和控制风险。

其中包括信用风险、市场风险、操作风险和流动性风险等多种风险类型。

对于风险管理，银行业金融机构应制定一套全面的风险管理框架，其中包括风险评估、风险监测、风险控制、风险报告等环节。

首先，在风险评估方面，银行业金融机构需要根据不同的风险类型进行风险评估。

信用风险评估可以通过客户信用等级、财务报表和贸易对手风险评估等方式进行。

市场风险评估可以通过对各类资产和证券的价格波动和相关性进行评估。

操作风险评估则可以通过对业务流程和内部控制的审查和评估来确定。

其次，在风险监测方面，银行业金融机构应建立起有效的风险监测体系。

通过建立实时监测系统，及时获取和分析风险数据。

同时，通过建立监测指标和限额，能够提前发现异常风险并采取相应措施进行控制。

此外，也需要建立有效的风险报告制度，确保风险数据的准确性和及时性。

第三，在风险控制方面，银行业金融机构应制定相应的风险控制策略和政策。

首先，应设立合理的风险容忍度和风险限额，以确保机构的风险水平不会超过其可承受范围。

其次，应制定风险控制措施和管理流程，包括控制风险暴露、分散风险、建立风险预警系统等。

最后，应建立风险内控机制，包括建立风险管理部门、明确职责和权限，确保风险管理的独立性和有效性。

最后，在风险报告方面，银行业金融机构应及时报告风险情况和风险管理措施。

风险报告应包括风险类型、风险水平和风险控制情况等内容。

通过风险报告，能够向内部和外部相关方通报风险状况，提高信息透明度和公众对金融机构的信任度。

总结起来，银行业金融机构与风险管理指引是确保金融机构稳健发展的关键。

在风险管理中，银行业金融机构应制定全面的风险管理框架，并在风险评估、风险监测、风险控制和风险报告上加强管理。

商业银行操作风险资本计量指引（第二次征求意见稿 2008年4月）第一章总则第一条为规范商业银行操作风险监管资本计量，根据《中华人民共和国银行业监督管理法》、《中华人民共和国商业银行法》及其他有关法律法规，制定本指引。

第二条在中华人民共和国境内设立的实施新资本协议的商业银行法人机构适用本指引。

第三条本指引所称操作风险是指由不完善或有问题的内部程序、员工和信息科技系统，以及外部事件所造成损失的风险。

本定义所指操作风险包括法律风险，但不包括策略风险和声誉风险。

第四条中国银行业监督管理委员会（以下简称银监会）依法对商业银行的操作风险的监管资本计量实施监督检查。

第五条商业银行计量操作风险监管资本的方法包括（按计量复杂程度从低级到高级排序）：基本指标法、标准法（含标准法替代形式）、高级计量法。

银监会鼓励商业银行使用更高级的计量方法。

商业银行初次计量操作风险监管资本，必须事先向银监会申请使用标准法（含标准法替代形式）或高级计量法，经批准后方可实施。

经银监会审查不符合高级计量法资格标准的，应采用标准法（含标准法替代形式）计量操作风险监管资本；不符合标准法（含标准法替代形式）资格标准的，应采用基本指标法计量操作风险监管资本。

第二章基本指标法第六条商业银行采用基本指标法计量操作风险监管资本要求，应按照银监会发布的《商业银行操作风险管理指引》的要求，建立操作风险管理框架，将操作风险管理作为主要风险管理职能纳入全行风险管理体系。

第七条总收入定义为净利息收入与净非利息收入之和。

总收入中不扣除各项损失准备和营业费用，但应扣除银行账户上“持有至到期日”和“可供出售”证券实现的损益、非正常项目收入和保险业务收入（总收入计量参考规则见附录一）。

基本指标法关于总收入的定义同样适用于标准法和标准法替代形式，也适用于标准法和标准法替代形式中各业务条线总收入的定义。

第八条基本指标法下，操作风险监管资本等于银行前三年中各年正的总收入之和乘以15%的算术平均值。

XX银行操作风险管理办法第一章总则第一条为加强操作风险管理，促进业务健康发展，根据《中华人民共和国银行业监督管理法》、《中华人民共和国商业银行法》以及中国银监会《商业银行操作风险管理指引》要求，参照巴塞尔新资本协议的技术标准，结合本行实际，制订本办法。

第二条本办法所称操作风险系指由不完善或有问题的内部程序、人员及系统或外部事件所造成损失的风险。

本定义包括法律风险，但不包括策略风险和声誉风险。

第三条操作风险管理是全面风险管理的重要组成部分，其管理的目标是：（一）降低操作风险的不确定性，避免突发性事件的发生，将操作风险控制在可接受的合理范围内；（二）提高服务效率，实现流程优化，促进全行业务健康发展；（三）降低管理成本，提高收益水平。

第四条本行操作风险管理遵循“全面管理、职责明确、分散控制、奖罚分明”的原则。

“全面管理”系指本行操作风险管理覆盖各级机构、岗位、经营管理活动和操作环节。

“职责明确”系指操作风险管理通过建立完善的制度体系和操作风险防范的责任体系,明确和落实各级机构、部门和员工的具体责任。

“分散控制”系指根据操作风险的特征，在遵循全行统一的操作风险偏好下，实行各业务条线指导与监督下的、分层级控制模式。

“奖罚分明”系指鼓励各级机构和人员主动管理和报告操作风险，对于及时发现报告操作风险，有效避免或降低损失的行为给予奖励；对造成重大操作风险的责任人，按照有关规定严格问责。

第二章操作风险管理的职责分工第五条操作风险管理职责分工董事会承担监控操作风险管理有效性的最终责任。

董事会及其下设的风险管理委员会是本行操作风险管理的最高领导机构，制定适用于本行的操作风险管理战略和总体政策。

（一）高级管理层高级管理层是操作风险管理政策实施的具体组织者，对全行操作风险管理工作负责。

1.总行行长职责：（1）在操作风险的日常管理方面，对董事会负最终责任；（2）根据董事会制定的操作风险管理战略及总体政策，负责批准、定期审查和监督执行操作风险管理的政策、程序和具体的操作规程，并定期向董事会提交操作风险总体情况的报告；（3）明确界定各部门的操作风险管理职责，督促各部门切实履行操作风险管理职责，以确保操作风险管理体系的正常运行；（4）全面掌握本行操作风险管理的总体状况，特别是各项重大的操作风险事件或项目；（5）为操作风险管理配备适当的资源，包括但不限于提供必要的经费、设置必要的岗位、配备合格的人员、为操作风险管理人员提供培训、赋予操作风险管理人员履行职务所必需的权限等。