RBI updates guidance note on operational risk management, extends it to NBFCs
The guidance note intends to promote and further improve the effectiveness of operational risk management of the REs
The 2005 guidance note by RBI, repealed, applied to only scheduled commercial banks.
Mumbai: The Reserve Bank on Tuesday updated its "guidance note" on operational risk management for the financial sector, and also extended it to the NBFCs, including housing finance companies. The 2005 'Guidance Note on Management of Operational Risk' covered only commercial banks.
The Reserve Bank of India (RBI) said an operational disruption could threaten the viability of a regulated entity (RE), impact its customers and other market participants, and ultimately impact financial stability.
It can result from man-made causes, Information Technology (IT) threats, geopolitical conflicts, business disruptions, internal/external frauds, execution/delivery errors, third-party dependencies, or natural causes.
The latest 'Guidance Note on Operational Risk Management and Operational Resilience' aligns with the RBI's regulatory guidance with the Basel Committee on Banking Supervision (BCBS) Principles, the central bank said.
The guidance note intends to promote and further improve the effectiveness of operational risk management of the REs, and enhance their operational resilience given the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which the REs operate.
One key change in the updated guidance note is that its applicability has been extended to all non-banking financial companies (NBFCs) -- including housing finance companies -- cooperative banks, and financial institutions, in addition to commercial banks.
The 2005 guidance note, repealed, applied to only scheduled commercial banks.
The new note explains the "three lines of defence model" wherein the business unit forms the first line of defence, the organisational operational risk management function forms the second line, and the audit function forms the third line of defence.
It has separate principles for mapping internal and external interconnections and interdependencies, incident management, ICT, and disclosures.
The note also introduces separate principles on "lessons learned exercise" and continuous feedback mechanism. Until recently, the predominant operational risks that REs faced emanated from vulnerabilities related to increasing dependence and rapid adoption of technology in providing financial services and intermediation.
However, the financial sector's growing reliance on third-party providers exacerbated by the Covid-19 pandemic with greater reliance on virtual working arrangements, has highlighted the increasing importance of operational risk management and operational resilience.