Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Potential loss may be in the form of financial loss or other damages, for example, loss of reputation and public confidence that will impact the Group's credibility and ability to transact, maintain liquidity and obtain new business.
The Operational Risk & Compliance Committee assists the Executive Committee and the Board of Directors in overseeing the establishment of a sound operational risk management framework and monitoring the operational risk profile of the Group.
Operational risk is managed through a framework of policies, processes and procedures by which business units identify, assess, monitor and control/mitigate their operational risks. The operational risk management processes and procedures include:
- Operational Risk Self Assessments (ORSA)
- Operational Risk Action Plans (ORAP)
- Key Operational Risk Indicators (KORIs)
- Analysis of operational risk events and losses
ORSA involves identifying and assessing inherent risks as well as assessing the effectiveness of controls to mitigate the identified risks. Action plans to address issues are documented and monitored via the ORAP.
KORIs are statistical data collected and monitored by business and support units on an on-going basis to facilitate early detection of potential operational control weaknesses. Trend analysis is carried out to identify systemic issues that need to be addressed.
A database of operational risk events and losses has been established to facilitate the future use of advanced approaches for quantification of operational risks. Additionally, the analysis of loss trends and root causes of loss events helps in strengthening the internal control environment.
The Group's operational risk management framework also incorporates a new product/service programme process which ensures that risks associated with the introduction of new channels, products and services are identified, analysed and addressed prior to launch.
With the increasing need to outsource internal operations to achieve cost and operational efficiency, the Group's Outsourcing Policy and framework ensure that outsourcing risks are adequately identified and managed prior to entering new arrangements and on an on-going basis.
Effective business continuity and crisis management strategies and plans have been developed and tested to ensure prompt recovery of critical business functions in the event of major business and/or system disruptions.
A Group Insurance Programme is in place to effectively mitigate the risk of high impact operational losses.
Legal risk is part of operational risk and arises from unenforceable or unintended contracts, defective documentation, insufficient authority of customers, lawsuits, and non-compliance with applicable laws. Business units work with the Group's legal counsel and external legal counsel to ensure that legal risks arising from the Group's business activities are effectively managed.
An operational risk management training and awareness programme is in place to facilitate and promote an effective risk management culture.