Operational risks: RBI updates guidance note, includes NBFCs
The central bank said lenders must apply three lines of defence in operational risk management structure. (Reuters)
The Reserve Bank of India (RBI) on Tuesday updated its “guidance note” on lenders’ operational risk management structure, bringing more lenders, such as non-banking financial companies (NBFCs) and co-operative banks, under its purview. “Operational risk is inherent in all banking/ financial products, services, activities, processes, and systems.
Effective management of operational risk is an integral part of the regulated entities’ risk management framework,” RBI said, adding that the new note is in line with the recommendations of the Basel Committee on Banking Supervision (BCBS). The central bank said lenders must apply three lines of defence in their operational risk management structure.
The first is business unit management responsible for identifying and managing the risks inherent in the products, services, activities, processes and systems of lenders.
The second is an independent organisational risk management function, which develops an independent view on business units’ operational risk, the design and effectiveness of key controls, and other risk tolerance thresholds. And the third line must be the audit function, which should not be involved in the development or implementation of the operational risk management processes. Further, the lender’s board of directors should establish a code of conduct to address risk.
It should set clear expectations for “integrity and ethical values of the highest standard”, identify acceptable business practices, and prohibit conflicts of interest. “The senior management should ensure that the lender’s change management process is comprehensive, appropriately resourced and adequately articulated between the relevant lines of defence,” RBI said, adding that lenders must have a strong control environment that utilises policies and controls to implement appropriate risk mitigation strategies.
Once a lender has identified its critical operations, it should map the internal and external interconnections and interdependencies that are necessary for the delivery of critical operations, consistent with its approach to operational resilience. Lenders must also keep a business continuity plan in place in case of an adverse business disruption event.
Lastly, with the advent of third-party tie-ups for additional fees, lenders must ensure that their dependencies on relationships with third parties and other non-related entities do not impact the delivery of critical operations.