In response to decades of globalisation in the financial sector, financial innovation, and rapid advancements in information technology, the Basel Committee on Banking Supervision incorporated operational risk into capital regulations in its 2004 New Basel Capital Accord. Taking cues from international regulatory practices, the China Banking Regulatory Commission (CBRC) released the Guidelines on Operational Risk Management of Commercial Banks in May 2007 to govern relevant regulatory activities. In recent years, operational risk prevention and control has become increasingly complex, emerging as a prominent concern in risk management for financial institutions. Recognising that the existing regulations no longer adequately address the evolving demands of risk management, the China Banking and Insurance Regulatory Commission (CBIRC) recently issued its draft Measures for Operational Risk Management of Banking and Insurance Institutions.
Whether in the New Basel Capital Accord, the guidelines or the measures, while the wording may differ slightly, the fundamental definition remains consistent. It refers to the risk of losses caused by issues within internal processes, employees, information technology systems, and external events, including legal risks but excluding strategic and reputational risks.
While maintaining the inclusion of legal risks within operational risk, the measures go further than the guidelines by explicitly including administrative or criminal liabilities for violating regulation. Referring to the original description by the CBRC in the guidelines, which states that “commercial banks should comprehensively consider the correlation between compliance risk and credit risk, market risk, operational risk, and other risks to ensure the consistency of risk management policies and procedures”, the new regulations clearly indicate that compliance risk can be part of operational risk. This will further guide financial institutions in the organic and unified management of risks.
Key compliance points
Implement the principles of prudence, comprehensiveness, compatibility and effectiveness. Banking and insurance institutions are urged to integrate a risk-centric approach and effectively manage operational risks based on their own circumstances. While the measures provide clear definitions and explicit regulations regarding operational risk prevention, new challenges are expected to emerge with the development of financial technology and the digital transformation of these institutions. In the future, these institutions should continue to employ the four principles as the basis for successfully preventing and controlling operational risks.
Ensure that the board of directors, board of supervisors and senior management fulfil their risk management responsibilities. The measures further clarify the roles of the board of directors, board of supervisors, and senior management, emphasising the need for collaboration to mitigate operational risks. Specifically, the board of directors bears ultimate responsibility for risk management, the board of supervisors oversees operational risk management, and senior management is responsible for its implementation. Banking and insurance institutions are required to establish an internal annual reporting system based on the measures. Senior management must submit an operational risk management report to the board of directors at least once a year, which is also provided to the board of supervisors. The board of directors should review this report at least annually.
Promptly establish three lines of defence for operational risk management. The measures introduce the three lines of defence theory into operational risk management. In this framework, various business and management departments serve as the first line of defence, directly shouldering and managing operational risks. Leading departments constitute the second line of defence, responsible for managing and measuring operational risks while guiding the risk management of the first line. Internal audit departments at various levels act as the third line of defence, tasked with supervising and evaluating the performance and effectiveness of the first and second lines. Simultaneously, effective risk data and information-sharing mechanisms should be established both between the three lines of defence and within each line.
Introduce external audit and evaluation mechanisms. Since the release of the guidelines, regulatory authorities have actively supported the involvement of third-party entities in operational risk management. They encourage larger commercial banks with complex operations to entrust independent intermediaries to audit their operational risk management systems regularly. There is a direct requirement for larger banking and insurance institutions to engage third-party entities in auditing and evaluating risk management practices. This move aims to ensure the fairness and scientific rigour of operational risk management under third-party supervision.
Strengthen data security management. In recent years, various government departments have issued a series of regulations surrounding data security and personal information protection, including the Data Security Law and the Personal Information Protection Law. Data security and personal information protection have become prominent concerns in the modern era. In line with these demands, the measures call for banking and insurance institutions to classify and grade their data and implement protective measures. Furthermore, the document underscores the issue of personal information protection, emphasising that these institutions should standardise their data handling activities to encourage lawful and reasonable data utilisation.
Embrace regulation proactively. Banking and insurance institutions are expected to proactively co-operate with regulatory authorities in their oversight efforts. This includes, but is not limited to, submitting external audit reports to regulatory authorities or their designated bodies, disclosing operational risk management practices and loss data as per regulatory requirements, and reporting significant operational risk events to regulatory authorities or their designated bodies within five working days of being aware of, or ought to have been aware of, in accordance with the attribution of regulatory responsibilities.
As the new regulations have entered the stage of soliciting opinions, banking and insurance institutions must place a paramount emphasis on the pertinent content delineated within the measures. They should proactively address the novel regulatory provisions and requirements, making advanced preparations for the formal release of the regulations. This proactive stance is aimed at achieving an effective mitigation of operational risks, the reduction of potential losses, and the augmentation of their capacity to respond to both internal and external events, ultimately furnishing a robust safeguard for the stable and secure operation of their institutions.
Jeffery Guan is a senior partner at Joint-Win Law Firm
Joint-Win Law Firm
Room 6101, Shanghai Tower
479 Lujiazui Ring Road, Pudong New Area
Shanghai 200122, China
Tel: +86 21 6037 5888
Fax: +86 21 6037 5899