GuidelinesonOperationalRiskManagementofCommercial
Banks
ChapterIGeneralProvisions
Article1PursuanttotheLawofthePeople’sRepublicofChinaonBankingRegulationandSupervision,theLawofthePeople’sRepublicofChinaonCommercialBanksaswellasotherapplicablelawsandregulations,theGuidelinesareformulatedsoastoenhancethe
operationalriskmanagementofcommercialbanks.
Article2TheGuidelinesapplytodomesticcommercialbanks,wholly
foreign-fundedbanksandChinese-foreignjointventurebanksincorporatedwithintheterritoryofthePeople’sRepublicofChina.
Article3TheoperationalriskintheGuidelinesreferstotheriskoflossresultingfrominadequateorfailedinternalprocesses,peopleandITsystem,orfromexternalevents.Itincludeslegalriskbutexcludesstrategicandreputationalrisk.
Article4TheChinaBankingRegulatoryCommission(hereinafterreferredtoasthe“CBRC”supervisesandregulatestheoperational
riskmanagementofcommercialbanksandevaluatesthe
effectivenessthereofunderitsauthoritybylaw.
ChapterIIOperationalRiskManagement
Article5Commercialbanksshould,inlinewiththeGuidelines,setupanoperationalriskmanagementsystemsuitabletotheirownbusinessnature,scaleandcomplexitytoeffectivelyidentify,assess,monitorandcontrol/mitigateoperationalrisk.Thissystemcanbeinanyform,butshouldcompriseatleastthefollowingbasicelements:
1oversightandcontrolbytheboardofdirectors;2rolesandresponsibilitiesofseniormanagement;
3appropriateorganizationalstructure;
4operationalriskmanagementpolicies,methods,andprocedures;
and
5requirementsonmakingcapitalprovisionsforoperationalrisk.
Article6Theboardofdirectorsinacommercialbankshouldtreatoperationalriskasamajorriskandchargetheultimateresponsibilityformonitoringtheeffectivenessofoperationalriskmanagement.The
responsibilitiesoftheboardshallinclude:
1developingstrategiesandgeneralpoliciesforbank-wideoperationalriskmanagementthatarealignedwiththebank’s
strategicgoals;
2reviewingandapprovingtheseniormanagement’sfunctions,
authorizationandreportingarrangementwithregardtooperationalriskmanagementsoastoensuretheeffectivenessof
thebank’sdecision-makingsysteminoperationalriskmanagementandensurethattheoperationalriskfacingthebank’soperationsiscontrolledwithinitsendurancecapacity;3reviewingregularlytheoperationalriskreportssubmittedbythe
seniormanagement;fullyunderstandingthebank’soveralloperationalriskmanagementandtheeffectivenessoftheseniormanagementinhandlingmaterialoperationalriskevents;andmonitoringandevaluatingtheeffectivenessofdailyoperational
riskmanagement;
4ensuringthattheseniormanagementtakesnecessarymeasures
toeffectivelyidentify,assess,monitorandcontrol/mitigate
operationalrisk;
5ensuringthatthebank’soperationalriskmanagementsystemis
effectivelyauditedandoverseenbyinternalauditdepartment;
and
6havinginplaceanappropriatereward-punishmentsystemsoas
toeffectivelypromotethedevelopmentofoperationalrisk
managementsysteminthebankasawhole.
Article7Theseniormanagementinacommercialbankisresponsibleforimplementingtheoperationalriskmanagementstrategies,generalpoliciesandrunningthesystemapprovedbythe
board.Itshall:
1beultimatelyresponsibletotheboardregardingdailyoperational
riskmanagement;
2layoutandregularlyreviewtheoperationalriskmanagementpolicies,proceduresanddetailedprocessesinaccordancewiththestrategiesandgeneralpoliciesdevelopedbytheboard,andoverseetheimplementationthereof,andsubmittingtotheboardreportsonoveralloperationalriskmanagementinaregular
manner;
3sufficientlyunderstandtheoverallsituationofthebank’soperationalriskmanagement,particularlytheeventsorprograms
withmaterialoperationalrisk;
4Clearlydefineeachdepartment’sresponsibilitiesinoperational
riskmanagementaswellasthereportingline,frequencyand
contents;urgeeachdepartmenttoreallychargeitsresponsibilitiesinabidtoensurethesoundperformanceofthe
operationalriskmanagementsystem;
5equipoperationalriskmanagementwithappropriateresources,includingbutnotlimitedtoprovidingnecessaryfunds,settingupnecessarypositionswitheligiblestaff,offeringtrainingcoursestooperationalriskmanagementpersonnel,delegatingauthorizaion
tothesaidpersonneltofulfilltheirduties,etc.;and
6makepromptlychecksandrevisionontheoperationalriskmanagementsystemsoastoeffectivelyrespondtooperationalriskeventsbroughtaboutbythechangesofinternalprocedures,products,businessactivities,ITsystem,staff,externaleventsor
otherfactors.
Article8Commercialbanksshoulddesignateacertaindepartment
toberesponsiblefortheconstructionandimplementationofoperationalriskmanagementsystem.Thisdepartmentshouldbeindependentfromothersinordertoensurethesystem’sconsistency
andeffectiveness.Itsresponsibilitiesshallmainlyinclude:
1draftingoperationalriskmanagementpolicies,proceduresandspecificprocessesandsubmittingthemtotheseniormanagement
andtheboardforreviewandapproval;
2assistingotherdepartmentstoidentify,assess,monitorand
control/mitigateoperationalrisk;
3workingoutmethodstoidentify,assess,mitigate(including
internalcontrolsandmonitoroperationalrisks,formulatingbank-widereportingprocessesofoperationalriskandorganizing
theimplementationthereof;
4puttinginplacebasiccriteriaforoperationalriskcontroloverthe
bank,andguidingandcoordinatingtheoperationalrisk
management;
5providingeachdepartmentwithtrainingsonoperationalrisk
management,andhelpingthemimproveoperationalrisk
managementcapacityandfulfilltheirownduties;
6regularlycheckingandanalyzingthepracticesofoperationalrisk
managementinbusinessdepartmentsandotherdepartments;7regularlysubmittingoperationalriskreportstosenior
management;and
8ensuringthattheoperationalriskmanagementsystemand
measuresareobserved.
Article9Therelevantdepartmentsinacommercialbankshouldbe
directlyresponsibleforoperationalriskmanagement.Major
responsibilitiesinclude:
1appointingdesignatedstafftotakechargeofoperationalriskmanagement,includingobservingoperationalriskmanagement
policies,proceduresandspecificprocesses;
2followingtheassessmentmethodsforoperationalriskmanagementtoidentifyandassesstheoperationalrisksinthedepartments,andtohaveinplaceaneffectiveon-goingproceduretomonitor,control/mitigateandreportoperationalrisks,then
organizetheimplementationthereof;
3fullyconsideringtherequirementsonoperationalriskmanagementandinternalcontrolwhenmakingdepartmentspecificbusinessprocessesandrelatedbusinesspolicies,withaviewtoensuringoperationalriskmanagementpersonnelatalllevelsparticipateinthecourseofreviewingandapprovingimportantprocedures,controlsandpolicies,thusmakingthese
alignedwiththebank’sgeneralpolicyonoperationalrisk
management;and