Principles for the management of operational risk
10. Operational risk is inherent in all banking products, activities, processes and systems, and the effective management of operational risk has always been a fundamental element of a bank’s risk management programme. [Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.] As a result, sound operational risk management is a reflection of the effectiveness of the board and senior management in administering its portfolio of products, activities, processes, and systems. The Committee, through the publication of this paper, desires to promote and enhance the effectiveness of operational risk management throughout the banking system.
11. Risk management generally encompasses the process of identifying risks to the bank, measuring exposures to those risks (where possible), ensuring that an effective capital planning and monitoring programme is in place, monitoring risk exposures and corresponding capital needs on an ongoing basis, taking steps to control or mitigate risk exposures and reporting to senior management and the board on the bank’s risk exposures and capital positions. Internal controls are typically embedded in a bank’s day-to-day business and are designed to ensure, to the extent possible, that bank activities are efficient and effective, information is reliable, timely and complete and the bank is compliant with applicable laws and regulation. In practice, the two notions are in fact closely related and the distinction between both is less important than achieving the objectives of each.