Building Robust Foundations: A Guide to Operational Risk Management and Operational Resilience

The Reserve Bank of India (RBI) issued the guidance note on operational risk management and operational resilience for Regulated Entities (REs) in the financial sector on 30th April 2024. This document underscores the critical importance of robust risk management frameworks, updating earlier guidelines to align with international best practices, particularly from the Basel Committee on Banking Supervision (BCBS). It is tailored for REs of varying sizes and complexities.

Key components highlighted in the guidance include comprehensive risk identification and assessment, robust internal controls, and strategies for maintaining operational resilience amidst disruptions such as technology failures, cyber threats, and pandemics.

Operational Risk Management (ORM) and Operational Resilience are crucial for financial institutions, as emphasized in the guidance note. ORM encompasses identifying, assessing, and mitigating risks influenced by internal processes, regulatory changes, technological advancements, and external factors. Operational Resilience ensures the capability to sustain critical functions during disruptions. Although distinct, ORM and Operational Resilience synergistically reduce the occurrence and impact of operational risks. The RBI's guidance aims to fortify both ORM frameworks and operational resilience across REs in the financial sector.

The structured approach outlined in the guidance note for ORM and Operational Resilience revolves around three pillars: Prepare and Protect, Build Resilience, and Learn and Adapt. These pillars are designed to foster continuous improvement and readiness for operational disruptions within financial institutions (REs).

ORM operates through three lines of defence: the first line (business units) responsible for risk identification and control implementation; the second line (Operational Risk Management Function) providing independent oversight and policy development; and the third line (audit function) ensuring independent assurance and compliance with ORM frameworks.

Overall, the guidance aims to enhance REs' ability to withstand operational disruptions, maintain financial stability, and adhere to regulatory standards, promoting a culture of proactive risk management and operational resilience in alignment with comprehensive international standards.

Key principles include:

1. Governance and Risk Culture: Establishing a strong risk management culture led by the Board of Directors, with clear policies on ethics, conduct, and risk-aligned compensation.
   

2. Operational Risk Management Framework (ORMF) Integration: Integration of ORMF across all business processes, with clear responsibility from senior management and comprehensive documentation.
   

3. Responsibilities of Board of Directors and Senior Management: Oversight of ORMF and operational resilience, ensuring adoption of best practices and independent reviews.
   

4. Risk Appetite and Operational Resilience: Setting and reviewing risk appetite aligned with strategic plans, identifying critical operations, and ensuring resilience strategies.
   

5. Senior Management Responsibilities: Implementing ORMF policies, fostering governance, and coordinating risk management across functions.
   

6. Focus on Risk Identification and Assessment: Proactively identifying and assessing operational risks through tools like self-assessments, event data analysis, and scenario testing.
   

7. Change Management: Structured processes for managing changes to minimize operational risk impacts, integrating changes into resilience strategies.
   

8. Monitoring and Reporting: Establishing mechanisms for regular monitoring and reporting of operational risks and resilience status to senior management and the Board.
   

9. Control and Mitigation: Maintaining a robust control environment through internal controls, risk transfer strategies, and continuous improvement.
   

10. Build Resilience: Developing business continuity plans, managing third-party dependencies, and enhancing ICT and cyber security resilience.
    

11. Mapping of Interconnections and Interdependencies: Identifying critical operations and mapping internal and external dependencies to ensure operational resilience.
    

12. Third-Party Dependency Management: Managing risks associated with third-party relationships through due diligence, contingency planning, and business continuity.
    

13. Business Continuity Planning and Testing: Developing and testing plans to maintain operations during disruptions, aligning with ORMF and recovery plans.
    

14. Incident Management: Implementing response and recovery plans, learning from incidents to improve resilience capabilities.
    

15. ICT and Cyber Security: Establishing robust ICT risk management aligned with ORMF, ensuring resilience through protection, detection, response, and recovery measures.
    

16. Learn and Adapt: Conducting lessons learned exercises post-disruption, promoting continuous improvement through effective feedback systems.
    

17. Disclosure and Reporting: Enhancing transparency through public disclosure of operational risk management approaches and exposure.
    

Each principle aims to strengthen operational resilience across REs, ensuring they can withstand disruptions while maintaining critical functions and financial stability.