These policies and processes should be commensurate with the size and complexity of the bank.
Essential criteria
EC1 The supervisor requires individual banks to have in place risk management policies and processes to identify, assess, monitor and mitigate operational risk. These policies and processes are adequate for the size and complexity of the bank’s operations, and the supervisor confirms that they are periodically adjusted in the light of the bank’s changing risk profile and external market developments.
Description and findings re EC1
Resolution 2554 and Resolution 3380 require the implementation of internal control and operational risk management frameworks, commensurate with the complexity and nature of the operations conducted by financial institutions. The operational risk management framework must identify, evaluate, monitor, control and mitigate operational risk. Operational risk events are defined as including, inter alia:
Internal or external fraud
Employment practices and workplace safety
Poor practices concerning customers, products, and services
Damage to physical assets
Events that lead to the interruption of institutional activities
Gaps in information technology systems
Failure to meet deadlines and manage the activities of the institution
In order to evaluate (onsite) and verify the integrity and soundness of operational risk management, among other risks, the Supervisor has the following dedicated teams, inter alia: Operational Risk Team, Legal Risk and Tax Accounting Team, IT Team, and Corporate Governance Team.
EC2 The supervisor requires that banks’ strategies, policies and processes for the management of operational risk have been approved and are periodically reviewed by the Board. The supervisor also requires that the Board oversees management in ensuring that these policies and processes are implemented effectively.
Description and findings re EC2
Resolution 3380 requires that senior management and the board of directors approve and periodically review operational risk management policies. It also requires the appointment of an operational risk management director and defines key elements in the structure of operational risk management. Resolution 2554 assigns to the board of directors the responsibility to implement an effective internal control framework. It also directs that internal controls must be effective and assigns to senior management the responsibility to implement that framework.
The engagement of the board of directors in operational risk management is verified during the SRC review (see CP 20). The Supervisor evaluates the capacity of senior management to recognize operational risks arising from the institution’s objectives, as well as its knowledge of the main aspects of operational risk.
EC3 The supervisor is satisfied that the approved strategy and significant policies and processes for operational risk are implemented effectively by management.
Description and findings re EC3
Within SRC’s procedures, Supervision evaluates the policies and the roll-out of operational risk management. It also examines the responsibility and commitment of senior management to the implementation of the approved operational risk management framework, and analyzes the effectiveness of the actions taken by senior management to implement and improve the internal control systems.
In addition, the Supervisor can conduct specific examinations regarding operational risk (VE—Special Verification—Operational Risk Management). These procedures are contained in the Supervision Manual and include the assessment of the framework implemented by financial institutions in order to manage operational risk, including legal risk.
The main goals of the VE–Operational Risk Management are the evaluation of internal corporate governance (oversight) arrangements and how they ensure that risk management policy and procedures are being applied on a day-to-day basis, and the actual effectiveness of the internal audit function as the “third line of defense” in the organization.
Other relevant and important elements of the (operational) VE procedures include:
The board and senior management involvement in operational risk issues;
Internal processes established to identify, assess, monitor, control and mitigate operational risk, and the frequency of reviews;
Documentation and quality of the operational risk loss database and its use in risk management;
Operational risk management reports submitted to the business units, steering committees and the Board;
Quality of information provided to the public regarding the operational risk framework.
EC4 The supervisor reviews the quality and comprehensiveness of the bank’s business resumption and contingency plans to satisfy itself that the bank is able to operate as a going concern and minimize losses, including those that may arise from disturbances to payment and settlement systems, in the event of severe business disruption.
Description and findings re EC4
Resolution 3380 requires that the operational risk management framework include contingency plans to ensure business continuity and to limit extreme losses, including those derived from relevant outsourced services. Resolution 2554 establishes that internal controls must include periodic security tests on the institution’s information systems. The Supervisor is required to evaluate the quality and reliability of contingency plans, including the development and consistency of regular testing.
Furthermore, the Supervision Manual prescribes the use of the Control Objectives for Information and Related Technology (Cobit) methodology to assess the aspects related to the continuity of IT services.
EC5 The supervisor determines that banks have established appropriate information technology policies and processes that address areas such as information security and system development, and have made investments in information technology commensurate with the size and complexity of operations.
Description and findings re EC5
Resolution 2554 and Resolution 3380 do not specifically address the structuring of IT systems, such as the definition of minimum requirements for IT policies and processes. However, Resolution 2554 directs banks to periodically conduct security tests, and Resolution 3380 treats IT system failures as operational risk events. The BCB is in the process of developing a new resolution on IT risk management.
In practice, the Supervisor evaluates the adequacy of the relevant processes, people, systems, equipment and other resources employed in IT risk management relative to the size, complexity, risk level and dependence on technology of all operational, management and administrative activities of the institution. Recently, the inspection of credit quality has also included an evaluation of the IT systems used in the relevant areas to ensure the accuracy and integrity of the information generated. Also, most of the large banks have recently significantly upgraded, or are in the process of upgrading, their IT platforms and systems, in part at the direction of Supervision.
Specialized teams dedicated to specific banking risks are located within the onsite supervision department. There is a team in charge of IT issues, specializing in the risk assessment and control of processes, resources and technological environments based on international best practices such as the Cobit framework.
The procedures contained in the Supervision Manual are based on the Cobit methodology and direct the evaluation of the institution’s strategic IT plan, the guidelines followed by the institution on technology infrastructure, the investment in technology, and the communication of IT policies and guidelines.
EC6 The supervisor requires that appropriate reporting mechanisms are in place to keep the supervisor apprised of developments affecting operational risk at banks in their jurisdictions.
Description and findings re EC6
Resolution no. 3,198/2004 requires the preparation of assessment reports by an external auditor on the quality and adequacy of the internal control system, focusing on risks with a potential impact on the institution’s financial statements and operations. Resolution no. 3380/2006 requires that a description of the operational risk management framework be released to the public at least annually.
The Supervisor evaluates the operational risk related information submitted by the institution and the information released to the market, and the adequacy of both. Institutions’ internal audit departments are a main point of contact for the supervisor, for both onsite inspection planning and ongoing supervisory monitoring. The Supervisor is also in periodic contact with the external auditor; both functions provide key inputs to operational risk monitoring.
EC7 The supervisor confirms that legal risk is incorporated into the operational risk management processes of the bank.
Description and findings re EC7
Resolution 3380 classifies legal risk as part of operational risk. Legal risk is defined as the possibility of loss from inadequate or deficient contracts signed by the institution, noncompliance with legal requirements, or from compensation for damages to third parties caused by the institution’s activities.
During SRC procedures, Supervision verifies whether legal risk is included in the corporate definition of operational risk.
EC8 The supervisor determines that banks have established appropriate policies and processes to assess, manage and monitor outsourced activities. The outsourcing risk management programme should cover:
conducting appropriate due diligence for selecting potential service providers;
structuring the outsourcing arrangement;
managing and monitoring the risks associated with the outsourcing arrangement;
ensuring an effective control environment; and
establishing viable contingency planning.
Outsourcing policies and processes should require the institution to have comprehensive contracts and/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.
Description and findings re EC8
Resolution 3380 requires that the management of operational risk also address outsourced activities. The operational risk management framework should identify and monitor the risk of outsourced service providers and define their roles, responsibilities and contingency plans.
Consistent with the Supervision Manual, during specific examinations regarding operational risk (VE—Special Verification—Operational Risk Management) the Supervisor verifies whether policies cover outsourcing practices. In addition, Supervision also assesses the quality of the operational risk management procedures and processes regarding outsourcing.
Additional criteria
AC1 The supervisor determines that the risk management policies and processes address the major aspects of operational risk, including an appropriate operational risk framework that is applied on a group-wide basis. The policies and processes should include additional risks prevalent in certain operationally intensive businesses, such as custody and correspondent banking, and should cover periods when operational risk could increase.
Description and findings re AC1
Resolution 3380 requires that the operational risk management framework be capable of controlling risks on an individual institution basis as well as for the financial conglomerate, including identifying and monitoring the operational risk of other companies within the conglomerate.
The Supervision Manual directs the supervisor to evaluate the process of identifying the operational risk inherent in relevant products, activities, processes and systems of the institution and of non-financial companies owned by the conglomerate, as well as the operational risks resulting from the merger, acquisition/incorporation, split or sale of companies within the conglomerate.
Assessment of Principle 15: Compliant
Comments:
Principle 16 Interest rate risk in the banking book. Supervisors must be satisfied that banks have