商业银行操作风险管理指引英文

1、Guidelines on Operational Risk Management of CommercialBanksChapter I General ProvisionsArticle 1Pursuant to the Law of the People s Republic of China onBanking Regulation and Supervision, the Law of the People s Republicof China on Commercial Banks as well as other applicable laws andregulations, t

2、he Guidelines are formulated so as to enhance theoperational risk management of commercial banks.Article 2The Guidelines apply to domestic commercial banks, whollyforeign-funded banks and Chinese-foreign joint venture banksincorporated within the territory of the People s Republic of China.Article 3

3、The operational risk in the Guidelines refers to the risk ofloss resulting from inadequate or failed internal processes, people andIT system, or from external events. It includes legal risk but excludesstrategic and reputational risk.Article 4The China Banking Regulatory Commission (hereinafterrefer

4、red to as the“ CBRC” ) supervises and regulates the operationalrisk management of commercial banks and evaluates theeffectiveness thereof under its authority by law.Chapter II Operational Risk ManagementArticle 5Commercial banks should, in line with the Guidelines, setup an operational risk manageme

5、nt system suitable to their ownbusiness nature, scale and complexity to effectively identify, assess,monitor and control/mitigate operational risk. This system can be inany form, but should comprise at least the following basic elements:1) oversight and control by the board of directors;2) roles and

6、 responsibilities of senior management;3) appropriate organizational structure;4) operational risk management policies, methods, and procedures; and5) requirements on making capital provisions for operational risk.Article 6The board of directors in a commercial bank should treatoperational risk as a

7、 major risk and charge the ultimate responsibilityfor monitoring the effectiveness of operational risk management. Theresponsibilities of the board shall include:1)developing strategies and general policies for bank-wideoperational risk management that are aligned with the bank strategic goals; s2)

8、reviewing and approving the senior management authorization and reporting arrangement with regard to operational risk management so as to ensure the effectiveness of s functions,the bank s decision-making system in operational risk management and ensure that the operational risk facing thebank s ope

9、rations is controlled within its endurance capacity; 3) reviewing regularly the operational risk reports submitted by thesenior management; fully understanding the bank operational risk management and the effectiveness of the senior management in handling material operational risk events; and monito

10、ring and evaluating the effectiveness of daily operational risk management; s overall4) ensuring that the senior management takes necessary measuresto effectively identify, assess, monitor and control/mitigateoperational risk;5)ensuring that the bank s operational risk management system iseffectivel

11、y audited and overseen by internal audit department;and6) having in place an appropriate reward-punishment system so as to effectively promote the development of operational riskmanagement system in the bank as a whole.Article 7The senior management in a commercial bank isresponsible for implementin

12、g the operational risk managementstrategies, general policies and running the system approved by theboard. It shall:1) be ultimately responsible to the board regarding daily operational risk management;2) lay out and regularly review the operational risk managementpolicies, procedures and detailed p

13、rocesses in accordance with thestrategies and general policies developed by the board, and oversee the implementation thereof, and submitting to the board reports on overall operational risk management in a regular manner;3) sufficiently understand the overall situation of the bank operational risk

14、management, particularly the events or programs with material operational risk; s4)Clearly define each department s responsibilities in operationalrisk management as well as the reporting line, frequency andcontents; urge each department to really charge itsresponsibilities in a bid to ensure the so

15、und performance of theoperational risk management system;5) equip operational risk management with appropriate resources, including but not limited to providing necessary funds, setting up necessary positions with eligible staff, offering training courses to operational risk management personnel, de

16、legating authorizaion to the said personnel to fulfill their duties, etc.; and6) make promptly checks and revision on the operational riskmanagement system so as to effectively respond to operationalrisk events brought about by the changes of internal procedures,products, business activities, IT sys

17、tem, staff, external events orother factors.Article 8Commercial banks should designate a certain departmentto be responsible for the construction and implementation ofoperational risk management system. This department should beindependent from others in order to ensure the systemand effectiveness.

18、Its responsibilities shall mainly include: s consistency1) drafting operational risk management policies, procedures and specific processes and submitting them to the senior managementand the board for review and approval;2) assisting other departments to identify, assess, monitor and control/mitiga

19、te operational risk;3) working out methods to identify, assess, mitigate (includinginternal controls) and monitor operational risks, formulatingbank-wide reporting processes of operational risk and organizingthe implementation thereof;4) putting in place basic criteria for operational risk control o

20、ver the bank, and guiding and coordinating the operational riskmanagement;5) providing each department with trainings on operational riskmanagement, and helping them improve operational riskmanagement capacity and fulfill their own duties;6) regularly checking and analyzing the practices of operatio

21、nal riskmanagement in business departments and other departments;7) regularly submitting operational risk reports to seniormanagement; and8) ensuring that the operational risk management system and measures are observed.Article 9The relevant departments in a commercial bank should bedirectly respons

22、ible for operational risk management. Majorresponsibilities include:1) appointing designated staff to take charge of operational risk management, including observing operational risk managementpolicies, procedures and specific processes;2) following the assessment methods for operational risk manage

23、ment to identify and assess the operational risks in thedepartments, and to have in place an effective on-going procedureto monitor, control/mitigate and report operational risks, thenorganize the implementation thereof;3)fully considering the requirements on operational riskmanagement and internal

24、control when making departmentspecific business processes and related business policies, with aview to ensuring operational risk management personnel at alllevels participate in the course of reviewing and approvingimportant procedures, controls and policies, thus making thesealigned with the bank s

25、 general policy on operational riskmanagement; and4) monitoring key risk indicators and regularly reporting their owndepartment s operational risk management situation to thedepartment which takes charge of or take the leading role inoperational risk management of the whole bank.Article 10 The legal

26、 office, compliance office, IT office, security office,and human resource office in a commercial bank should, besidesproperly managing their own operational risks, provide relevantresources and assistance within their strength and respectiveresponsibilities to other departments for the purpose of op

27、erationalrisk management.Article 11 The internal audit department in a commercial bank doesnot directly take charge of or participate in other departments operational risk management, but it should regularly check andevaluate how well the bank s operational risk management system operates, supervise

28、 the implementation of operational riskmanagement policies, independently evaluate the bank operational risk management policies, processes and specific procedures, and report to the board of directors the evaluation results of operational risk management system. s newA commercial bank with high bus

29、iness complexity and large scale isencouraged to entrust intermediary agencies to audit and evaluate itsoperational risk management system on a regular basis.Article 12 A commercial bank should have in place bank-wideoperational risk management policies that are commensurate with itsnature, scale, c

30、omplexity and risk profile. Main contents include:1) definition of operational risk;2) appropriate organizational structure, authorization and responsibilities with regard to operational risk management;3) procedures to identify, assess, monitor and control/mitigate operational risks;4) reporting pr

31、ocedures of operational risk, including reporting responsibilities, path and frequency, and other specificrequirements on other departments; and5) requirements on promptly assessing operational risks associated with existing and newly-developed important products, businesspractices, procedures, IT s

32、ystem, human resource management,external factors and changes thereof.Article 13 A commercial bank should choose appropriate approachesto manage operational risks, which may include: assessment ofoperational risk and internal control, loss event reporting and datacollection, monitoring of key risk i

33、ndicators, risk assessmentregarding new products and business practices, testing and audit ofinternal control, and operational risk reporting.Article 14 A commercial bank with high business complexity and large scale should adopt more sophisticated risk managementmethods (e.g. quantitative methods)

34、to assess each department operational risk, collect operational risk loss data, and make sarrangements according to the characteristics of operational riskassociated with each line of business.Article 15 A commercial bank should develop effective processes toregularly monitor and report operational

35、risk status and materiallosses. As to risks with increasing loss potential, early-warningsystem of operational risk should be put in place so as to take timelycontrols to mitigate risk and reduce the occurrence and severity ofloss events.Article 16 Material operational risk events should be reported

36、 to theboard, senior management and appropriate management personnelaccording to the bank s operational risk management policies.Article 17 A commercial bank should enhance internal control foreffective operational risk management. Related internal controlsshould at least include:1) clearly defining

37、 the roles and responsibilities of each departmentand making proper separation among relevant functions so as toavoid potential conflicts of interests;2) closely watching how well specified risk limit or authorization is observed;3)monitoring the records of access to and use of the bank s assets;4)

38、ensuring the staff are appropriately trained and eligible for their positions;5) identifying the business activities or products that do not generate reasonable prospective returns or that contain potential risks;6) regularly reviewing and checking up transactions and accounts;7) putting in place a

39、system for the heads and the staff in key positions to have job rotation and compulsory leaves and settingup a mechanism of off-job auditing as well;8) working out a code of conduct to regulate on-job and off-job behavior particularly for the staff in important positions or atsensitive links;9) esta

40、blishing an incentive and protection system to encourage staff to report violations on a real-name basis;10) setting up a dual-appraisal system to investigate and solve bank fraudulent cases as well as make punishments in a timely andproper manner;11) having in place an information disclosure system

41、 for the bank case investigation; and12) establishing an incentive-restrictive mechanism with regard to the management and control of operational risk at front line.Article 18 A commercial bank should establish and gradually improvethe operational risk management information system (MIS) so as toeff

42、ectively identify, assess, monitor, control and report operationalrisks. The system should at least record and store the date aboutoperational risk losses and events, support self-assessment onoperational risk and control measures, monitor key risk indicators,and provide relevant information contain

43、ed in operational riskreports.Article 19 To ensure business continuation, a commercial bank shoulddevelop a scheme for emergency response that matches theirbusiness scale and complexity, make a back-up arrangement forservice recovery, and regularly check and test the catastropherecovery function and

44、 business continuation mechanism so as tomake sure that these actions can go in operation properly in the eventof catastrophe and severe business disruption.Article 20 A commercial bank should develop risk managementpolicies with regard to outsourcing practices in order to make surethat outsourcing

45、is subject to rigorous contracts and serviceagreements which clearly specify the obligations of involved parties.Article 21 A commercial bank may purchase insurance and enter intocontract with a third party, and consider it a way to mitigateoperational risk. But they should by no means neglect the i

46、mportanceof controls.A commercial bank that mitigates operational risks by means ofinsurance should formulate written policies and proceduresaccordingly.Article 22 A commercial bank should make adequate capitalprovisions for the operational risk it undertakes as per therequirements of CBRC on capita

47、l adequacy of commercial banks.Chapter IIISupervision of Operational RiskArticle 23 Commercial banks should submit to the CBRC theiroperational risk management policies and processes for filing. Theyshould submit operational risk related reports to the CBRC or its localoffices as per regulations. Ba

48、nks that entrust intermediary agenciesto audit their operational risk management system should also submitaudit reports to the CBRC or its local offices.Article 24 Commercial banks should promptly report to the CBRC or itslocal offices about the following material operational risk events ifany:1) ba

49、nking crimes in which more than RMB300,000 is robbed from acommercial bank or cash truck or stolen from a banking financialinstitution; bank fraud or other cases involving an amount of morethan RMB10 million;2)events that result in serious damage or loss of the bank simportant data, books, blank vou

50、chers, or business disruption forover three hours in two or more provinces (autonomousregions/municipalities), or business disruption for over six hoursin one province (autonomous region/municipality) and severelyaffect the bank s normal operations;3) confidential information being stolen, sold, lea

51、ked or lost that may affect financial stability and lead to economic disorder;4) senior executives severely violating applicable regulations;5) accident or natural catastrophe caused by force majeure, resulting in immediate economic loss of more than RMB10 million;6) other operational risk events th

52、at may result in a loss of more than1 of the bank s net capital; and7)other material events as specified by the CBRC.Article 25 The CBRC should regularly check and assess the operationalrisk management policies, processes and practices of commercialbanks. Main items to be checked and assessed include:1) effectiveness of the bank s operational risk managementprocesses;2) the bank s approaches to monitor and report operational risks, including key operational risk indicators and operational risk lossdata;3) the bank s measures to timely and effectively han