商业银行操作风险管理指引英文

1、Guidelines on Operational Risk Management of Commercial Banks Chapter I General Provisions Article 1Pursuant to the Law of the Peoples Republic of China on Banking Regulation and Supervision, the Law of the Peoples Republic of China on Commercial Banks as well as other applicable laws and

2、regulations, the Guidelines are formulated so as to enhance the operational risk management of commercial banks.  Article 2The Guidelines apply to domestic commercial banks, wholly foreign-funded banks and Chinese-foreign joint venture banks incorporated within the territory of the Peoples Repu

3、blic of China.  Article 3The operational risk in the Guidelines refers to the risk of loss resulting from inadequate or failed internal processes, people and IT system, or from external events. It includes legal risk but excludes strategic and reputational risk. Article 4The China Banking

4、Regulatory Commission (hereinafter referred to as the “CBRC”) supervises and regulates the operational risk management of commercial banks and evaluates the effectiveness thereof under its authority by law. Chapter II Operational Risk Management Article 5Commercial banks should, in line wi

5、th the Guidelines, set up an operational risk management system suitable to their own business nature, scale and complexity to effectively identify, assess, monitor and control/mitigate operational risk. This system can be in any form, but should comprise at least the following basic elements:  

6、;1)      oversight and control by the board of directors;2)      roles and responsibilities of senior management;3)      appropriate organizational structure;4)      operational risk management polici

7、es, methods, and procedures; and5)      requirements on making capital provisions for operational risk.  Article 6The board of directors in a commercial bank should treat operational risk as a major risk and charge the ultimate responsibility for monitoring the effectiv

8、eness of operational risk management. The responsibilities of the board shall include: 1)developing strategies and general policies for bank-wide operational risk management that are aligned with the banks strategic goals; 2) reviewing and approving the senior managements functions, authorizati

9、on and reporting arrangement with regard to operational risk management so as to ensure the effectiveness of the banks decision-making system in operational risk management and ensure that the operational risk facing the banks operations is controlled within its endurance capacity;3)reviewing regula

10、rly the operational risk reports submitted by the senior management; fully understanding the banks overall operational risk management and the effectiveness of the senior management in handling material operational risk events; and monitoring and evaluating the effectiveness of daily operational ris

11、k management; 4)ensuring that the senior management takes necessary measures to effectively identify, assess, monitor and control/mitigate operational risk;5)ensuring that the banks operational risk management system is effectively audited and overseen by internal audit department; and6)having in pl

12、ace an appropriate reward-punishment system so as to effectively promote the development of operational risk management system in the bank as a whole.  Article 7The senior management in a commercial bank is responsible for implementing the operational risk management strategies, general policie

13、s and running the system approved by the board. It shall: 1)be ultimately responsible to the board regarding daily operational risk management; 2)lay out and regularly review the operational risk management policies, procedures and detailed processes in accordance with the strategies and genera

14、l policies developed by the board, and oversee the implementation thereof, and submitting to the board reports on overall operational risk management in a regular manner; 3)sufficiently understand the overall situation of the banks operational risk management, particularly the events or programs wit

15、h material operational risk;4)Clearly define each departments responsibilities in operational risk management as well as the reporting line, frequency and contents; urge each department to really charge its responsibilities in a bid to ensure the sound performance of the operational risk management

16、system;5)equip operational risk management with appropriate resources, including but not limited to providing necessary funds, setting up necessary positions with eligible staff, offering training courses to operational risk management personnel, delegating authorizaion to the said personnel to fulf

17、ill their duties, etc.; and6)make promptly checks and revision on the operational risk management system so as to effectively respond to operational risk events brought about by the changes of internal procedures, products, business activities, IT system, staff, external events or other factors.

18、0;Article 8Commercial banks should designate a certain department to be responsible for the construction and implementation of operational risk management system. This department should be independent from others in order to ensure the systems consistency and effectiveness. Its responsibilities shal

19、l mainly include: 1)drafting operational risk management policies, procedures and specific processes and submitting them to the senior management and the board for review and approval;2)assisting other departments to identify, assess, monitor and control/mitigate operational risk;3)working out

20、methods to identify, assess, mitigate (including internal controls) and monitor operational risks, formulating bank-wide reporting processes of operational risk and organizing the implementation thereof;4)putting in place basic criteria for operational risk control over the bank, and guiding and coo

21、rdinating the operational risk management;5)providing each department with trainings on operational risk management, and helping them improve operational risk management capacity and fulfill their own duties; 6)regularly checking and analyzing the practices of operational risk management in business

22、 departments and other departments;7)regularly submitting operational risk reports to senior management; and8)ensuring that the operational risk management system and measures are observed. Article 9The relevant departments in a commercial bank should be directly responsible for operational ris

23、k management. Major responsibilities include: 1)appointing designated staff to take charge of operational risk management, including observing operational risk management policies, procedures and specific processes;2)following the assessment methods for operational risk management to identify a

24、nd assess the operational risks in the departments, and to have in place an effective on-going procedure to monitor, control/mitigate and report operational risks, then organize the implementation thereof;3)fully considering the requirements on operational risk management and internal control when m

25、aking department specific business processes and related business policies, with a view to ensuring operational risk management personnel at all levels participate in the course of reviewing and approving important procedures, controls and policies, thus making these aligned with the banks general p

26、olicy on operational risk management; and4)monitoring key risk indicators and regularly reporting their own departments operational risk management situation to the department which takes charge of or take the leading role in operational risk management of the whole bank.  Article 10 The legal

27、office, compliance office, IT office, security office, and human resource office in a commercial bank should, besides properly managing their own operational risks, provide relevant resources and assistance within their strength and respective responsibilities to other departments for the purpose of

28、 operational risk management.  Article 11 The internal audit department in a commercial bank does not directly take charge of or participate in other departments operational risk management, but it should regularly check and evaluate how well the banks operational risk management system operate

29、s, supervise the implementation of operational risk management policies, independently evaluate the banks new operational risk management policies, processes and specific procedures, and report to the board of directors the evaluation results of operational risk management system. A commercial bank

30、with high business complexity and large scale is encouraged to entrust intermediary agencies to audit and evaluate its operational risk management system on a regular basis.  Article 12 A commercial bank should have in place bank-wide operational risk management policies that are commensurate w

31、ith its nature, scale, complexity and risk profile. Main contents include:  1)definition of operational risk;2)appropriate organizational structure, authorization and responsibilities with regard to operational risk management;3)procedures to identify, assess, monitor and control/mitigate opera

32、tional risks;4)reporting procedures of operational risk, including reporting responsibilities, path and frequency, and other specific requirements on other departments; and5)requirements on promptly assessing operational risks associated with existing and newly-developed important products, business

33、 practices, procedures, IT system, human resource management, external factors and changes thereof. Article 13 A commercial bank should choose appropriate approaches to manage operational risks, which may include: assessment of operational risk and internal control, loss event reporting and dat

34、a collection, monitoring of key risk indicators, risk assessment regarding new products and business practices, testing and audit of internal control, and operational risk reporting.  Article 14 A commercial bank with high business complexity and large scale should adopt more sophisticated risk

35、 management methods (e.g. quantitative methods) to assess each departments operational risk, collect operational risk loss data, and make arrangements according to the characteristics of operational risk associated with each line of business.  Article 15 A commercial bank should develop effecti

36、ve processes to regularly monitor and report operational risk status and material losses. As to risks with increasing loss potential, early-warning system of operational risk should be put in place so as to take timely controls to mitigate risk and reduce the occurrence and severity of loss events.

37、 Article 16 Material operational risk events should be reported to the board, senior management and appropriate management personnel according to the banks operational risk management policies. Article 17 A commercial bank should enhance internal control for effective operational risk mana

38、gement. Related internal controls should at least include: 1)clearly defining the roles and responsibilities of each department and making proper separation among relevant functions so as to avoid potential conflicts of interests; 2)closely watching how well specified risk limit or authorizatio

39、n is observed;3)monitoring the records of access to and use of the banks assets;4)ensuring the staff are appropriately trained and eligible for their positions;5)identifying the business activities or products that do not generate reasonable prospective returns or that contain potential risks;6)regu

40、larly reviewing and checking up transactions and accounts;7)putting in place a system for the heads and the staff in key positions to have job rotation and compulsory leaves and setting up a mechanism of off-job auditing as well; 8)working out a code of conduct to regulate on-job and off-job behavio

41、r particularly for the staff in important positions or at sensitive links;9)establishing an incentive and protection system to encourage staff to report violations on a real-name basis; 10)setting up a dual-appraisal system to investigate and solve bank fraudulent cases as well as make punishments i

42、n a timely and proper manner; 11)having in place an information disclosure system for the bank case investigation; and12)establishing an incentive-restrictive mechanism with regard to the management and control of operational risk at front line.  Article 18 A commercial bank should establish an

43、d gradually improve the operational risk management information system (MIS) so as to effectively identify, assess, monitor, control and report operational risks. The system should at least record and store the date about operational risk losses and events, support self-assessment on operational ris

44、k and control measures, monitor key risk indicators, and provide relevant information contained in operational risk reports. Article 19 To ensure business continuation, a commercial bank should develop a scheme for emergency response that matches their business scale and complexity, make a back

45、-up arrangement for service recovery, and regularly check and test the catastrophe recovery function and business continuation mechanism so as to make sure that these actions can go in operation properly in the event of catastrophe and severe business disruption.  Article 20 A commercial bank s

46、hould develop risk management policies with regard to outsourcing practices in order to make sure that outsourcing is subject to rigorous contracts and service agreements which clearly specify the obligations of involved parties.  Article 21 A commercial bank may purchase insurance and enter in

47、to contract with a third party, and consider it a way to mitigate operational risk. But they should by no means neglect the importance of controls.  A commercial bank that mitigates operational risks by means of insurance should formulate written policies and procedures accordingly. Articl

48、e 22 A commercial bank should make adequate capital provisions for the operational risk it undertakes as per the requirements of CBRC on capital adequacy of commercial banks.  Chapter IIISupervision of Operational Risk Article 23 Commercial banks should submit to the CBRC their operational

49、 risk management policies and processes for filing. They should submit operational risk related reports to the CBRC or its local offices as per regulations. Banks that entrust intermediary agencies to audit their operational risk management system should also submit audit reports to the CBRC or its

50、local offices. Article 24 Commercial banks should promptly report to the CBRC or its local offices about the following material operational risk events if any:  1)banking crimes in which more than RMB300,000 is robbed from a commercial bank or cash truck or stolen from a banking financial

51、institution; bank fraud or other cases involving an amount of more than RMB10 million;2)events that result in serious damage or loss of the banks important data, books, blank vouchers, or business disruption for over three hours in two or more provinces (autonomous regions/municipalities), or busine

52、ss disruption for over six hours in one province (autonomous region/municipality) and severely affect the banks normal operations; 3)confidential information being stolen, sold, leaked or lost that may affect financial stability and lead to economic disorder;4)senior executives severely violating ap

53、plicable regulations;5)accident or natural catastrophe caused by force majeure, resulting in immediate economic loss of more than RMB10 million;6)other operational risk events that may result in a loss of more than 1 of the banks net capital; and7)other material events as specified by the CBRC. 

54、0;Article 25 The CBRC should regularly check and assess the operational risk management policies, processes and practices of commercial banks. Main items to be checked and assessed include: 1)effectiveness of the banks operational risk management processes;2)the banks approaches to monitor and

55、report operational risks, including key operational risk indicators and operational risk loss data;3)the banks measures to timely and effectively handle operational risk events and weak links;4)the banks procedures of internal control, reviewing and auditing within its operational risk management pr

56、ocesses;5)the quality and comprehensiveness of the banks catastrophe recovery and business continuation plans;6)adequacy level of capital provisions for operational risks; and7)other aspects of operational risk management. Article 26 As to the operational risk management problems discovered by

57、the CBRC during supervision, the commercial bank should submit correction plan and take correction actions within the specified time limit. When a material operational risk event occurs, if the commercial bank fails to adopt effective correction measures within the specified time limit, the CBR

58、C should take appropriate regulatory actions in line with laws and regulations. Chapter IV Supplementary Provisions  Article 27 This Guidelines may apply to other banking institutions including policy banks, financial asset management companies, urban credit cooperatives, rural credit

59、 cooperatives, rural cooperative banks, trust and investment companies, finance firms, financial leasing companies, automobile financial companies, money brokers, and post savings institutions. Article 28 Banking institutions without the board of directors should have their operating decision-m

60、aking bodies perform the responsibilities of the board with regard to operational risk management specified herein.  Article 29 Branches set up by foreign banks within the territory of Peoples Republic of China should follow the operational risk management policies and processes developed by their head