Skip to main content
Version date: 31 March 2021 - onwards

Operational risk management (Principle 2)

Principle 2: Banks should leverage their respective functions for the management of operational risk to identify external and internal threats and potential failures in people, processes and systems on an ongoing basis, promptly assess the vulnerabilities of critical operations and manage the resulting risks in accordance with their operational resilience approach.

20. The bank's operational risk management function should work alongside other relevant functions to manage and address any risks that threaten the delivery of critical operations. Banks should coordinate their business continuity planning, third-party dependency management, recovery and resolution planning and other relevant risk management frameworks to strengthen operational resilience across the bank.

21. Banks should have sufficient controls and procedures [These controls and procedures should be consistent with and conducted alongside the risk identification process as articulated in Principle 6 in the proposed revisions to the PSMOR.] to identify and assess threats and vulnerabilities, and more generally their operational risk, in a timely manner and, to the extent possible, prevent them from affecting critical operations delivery. The respective functions should regularly assess the effectiveness of the implemented controls and procedures. These assessments should also be conducted in the event of changes to any underlying components of the critical operations, as well as after incidents in order to take into account lessons learned and new threats and vulnerabilities that caused the incident.