RBI releases updated “Guidance Note on Operational Risk Management and Operational Resilience’’ for lenders
The Reserve Bank of India on Tuesday released an updated “Guidance Note on Operational Risk Management and Operational Resilience’’ to promote and further improve the effectiveness of lenders’ operational risk management.
The note is also aimed at enhancing lenders’ operational resilience given the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which they operate.
This note, which has been prepared based on the Basel Committee on Banking Supervision (BCBS) principles documents issued in March 2021, is applicable to regulated entities/ REs – all commercial banks, all non-banking financial companies (NBFCs), all co-operative banks and All India Financial Institutions (AIFIs).
The earlier “Guidance Note (of October 2005)”, which has now been repealed was applicable only to scheduled commercial banks.
RBI noted that an operational disruption can threaten the viability of a lender, impact its customers and other market participants and ultimately have an impact on financial stability.
The disruption can result from man-made causes, Information Technology (IT) threats (e.g., cyber-attacks, changes in technology, technology failures, etc), geopolitical conflicts, business disruptions, internal/external frauds, execution/ delivery errors, third party dependencies, or natural causes (e.g., climate change, pandemic, etc.).
Operational resilience
RBI observed that until recently, the predominant operational risks that REs faced emanated from vulnerabilities related to increasing dependence and rapid adoption of technology for provision of financial services and intermediation.
However, the financial sector’s growing reliance on third-party providers (including technology service providers) exacerbated by Covid-19 pandemic with greater reliance on virtual working arrangements, has highlighted the increasing importance of operational risk management and operational resilience; which not only benefits the RE by strengthening its ability to remain a viable going concern but also supports the financial system by ensuring continuous delivery of critical operations during any disruption.
The note explicates the ‘Three lines of defence model’ wherein – a Business unit forms the first line of defence; Organisational operational risk management function (including compliance function) forms the second line of defence; and Audit function forms the third line of defence.
Adaptation to changing dynamics
The note has an updated guidance omn change management with a specifically detailed Principle on it. It has separate Principles for mapping of internal and external interconnections and interdependencies, incident management, ICT and disclosures.
The central bank said the note has a focused principle on third-party relationship, which is a broader concept than outsourcing. The repealed note has scattered guidance on outsourcing.