2012-10-01

Enhancements to Basel II Operational Risk Principles and CBB Rulebook Revisions

The Central Bank of Bahrain issued revised operational risk regulations under Module OM-8 to align domestic banking standards with Basel II principles. The rules mandate board-level oversight of operational risk, clarify the distinct roles and independence requirements for internal audit and compliance functions, and require board-approved risk appetite statements alongside robust framework documentation. These revisions standardize risk definitions, mandate independent reviews of operational risk frameworks, and introduce cross-referenced guidelines to enhance transparency, benchmarking, and compensation alignment across Bahraini banks.


Bahrain

Central Bank of Bahrain


Enhancements to Basel II “Principles for the Sound Management of Operational Risk” and required revisions to the CBB Rulebook
Industry Comments and Feedback
Volume 1, September 2012

Industry Comments

General Comments:

Comment (GR1): A bank noted that for the sake of consistency, the changes to OM 8.1 and following should also lead to a review / update of the clauses OM 1.1.4 and the following clauses. Also there is a significant overlap between the new OM 8.1 and following and OM 2.1 and the following clauses.
CBB's Response: Noted, the consultation was aimed at OM-8, other parts will be edited accordingly.

Comment (GR2): A bank noted that as an overall general comment, there appears to be increasing requirement for board of directors' involvement in Operational Risk Management and perhaps this degree of involvement should be reviewed. The board should be more involved in oversight, rather than management, of operational risk.
CBB's Response: The ultimate responsibility of the overall management of the risks of a bank always rests with the board. Proper delegation of responsibilities is allowed.

Comment (GR3): A bank emphasised the need for the establishment of a Loss Data Consortium for the Kingdom. This will greatly help in benchmarking an individual bank's loss data against industry and will enhance the operational risk frameworks implemented by the banks.
CBB's Response: The CBB shall coordinate with Bahrain Association of Banks on this issue.

Comment (GR4): A bank noted that the same Basel II principles are being adapted by their Head Office. These principles include definition of Board of Directors' responsibilities, establishment of Operational Risk Management Department and examination of operational risk matrix by external auditors.
CBB's Response: Noted.

Comment (GR5): A bank noted that the enhancements in the consultation paper refer to the audit and compliance functions responsible for providing independent reviews over the operational risk management framework. The enhancements further detail the scope of work to be carried out by the internal audit function in banks (OM-8.1.6). However, minimal guidance is provided for the scope of work to be carried out by the compliance functions. It is proposed that additional guidelines be introduced for the roles and responsibilities of the compliance functions in order to:
- Make clear the difference of testing carried out by the internal audit versus the compliance functions so as to facilitate compliance functions in convincing senior managements in implementing compliance testing programs; and
- Provide an outline of the scope, type and frequency of testing and reporting to be carried out.
CBB's Response: Compliance function's role includes checking whether the operational risk management function is in compliance with the rules and regulations and there would be a clear conflict of interest if the compliance officer is also involved in the development, implementation and operation of the operational risk management framework which they then must check afterwards. But there is no harm if they were consulted on whether the framework is in line with the subject regulation. Further, the CBB will develop rules on compliance function as part of High-Level module as per Basel principles.

Specific Comments:

(Columns of the original table: Reference to the draft Directive; Comments; REF; CBB's Response.)

Reference: OM-8.1.2
Draft text: Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk. (Footnote 1: Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.)
Comment (SP1): A bank noted that line three should be amended to include compliance risk and the amended sentence will state “This definition includes compliance risk and legal risks. But excludes strategic and reputational risk.” The footnote should be also amended to read as: “Compliance Legal risk includes, but is not limited to exposure to fines, penalties or punitive damages resulting from supervisory actions and Legal risk includes actions initiated against the bank as well as private settlements.”
CBB's Response: The operational risk definition comes from the Basel Committee. Therefore, the CBB would not propose to amend it. The CBB is working separately on an expanded compliance chapter which will cover this concern.

Reference: OM-8.1.3A
Draft text: In the context of this Chapter, 'independent' and 'independent review' have the following meanings. The review functions must be independent of the risk generating business lines or the process or system under review. An independent review would include the following components:
(a) Verification of the Framework is done on a periodic basis and would be typically performed by the bank's internal and/or external audit, but may involve other suitably qualified independent parties from external sources. Verification activities test the effectiveness of the overall Framework, consistent with policies approved by the board of directors, and also test validation processes to ensure that they are independent and implemented in a manner consistent with established bank policies; and
(b) Validation ensures that the quantification systems used by the bank are sufficiently robust and provide assurance of the integrity of inputs, assumptions, processes and outputs. Specifically the independent validation process should provide enhanced assurance that the risk management methodology results in an operational risk capital charge that credibly reflects the operational risk profile of the bank. In addition to the quantitative aspects of internal validation, the validation of data inputs, methodology and outputs of operational risk models is important to the overall process.
Comment (SP2): A bank noted that this rule seems to refer to an Advanced Measurement Approach (independent validation should ensure that the risk management methodology results in an operational risk capital charge that credibly reflects the operational risk profile of the bank. In addition to the quantitative aspects of internal validation (…) etc.). AMA is one of the three methods for calculating operational risk capital charges as per Basel II, the other two being Basic Indicator Approach and Standardized Approach. To elaborate, the bank meant that the suggested revisions cater to the requirements of the AMA approach which the CBB does not allow Banks in Bahrain to follow.
CBB's Response: Disagree - the Basel paper and this paper are simply trying to help banks by giving a definition of 'independent'. Neither the Basel paper nor this paper is trying to force banks into the AMA methodology.

Reference: OM-8.1.4
Draft text: The operational risk management function must be functionally independent of the risk generating business lines and will be responsible for the design, maintenance and ongoing development of the operational risk Framework (“Framework”) within the bank.
Comment (SP3): A bank noted that this rule states that the risk management function must be functionally independent of the risk generating business. There is no definition of what functionally independent means. It should be clear that the risk management function cannot report hierarchically and/or functionally to somebody who is directly responsible for risk taking.
CBB's Response: Agree - a new guidance paragraph has been added to define “functionally independent”.

Reference: OM-8.1.6
Draft text: The independent review functions are the audit and compliance functions and the staff occupying these functions must be competent and appropriately trained and not be involved in the development, implementation and operation of the operational risk Framework (for example, internal audit and compliance must not be involved with the setting of risk appetite or risk tolerance, but internal audit should be reviewing the robustness of the process of how these limits are set and why and how they are adjusted in response to changing circumstances). Internal Audit should independently verify that the Framework has been implemented as intended and is functioning effectively. Internal audit coverage should include opining on the overall appropriateness and adequacy of the Framework and the associated governance processes across the bank. Internal audit should not simply be testing for compliance with board approved policies and procedures, but should be evaluating whether the Framework meets organizational needs and supervisory expectations. More details on the Internal Audit Function and the Role of the Audit Committee are to be found in Chapter HC-3.
Comment (SP4): A bank noted that this rule states that “… the independent reviews are the audit and compliance functions….” The bank believes that Compliance is just like Risk Management subject to Internal Audit review. This rule seems to suggest that Compliance officers cannot be involved in the development, implementation and operation of the operational risk framework. In reality, it is believed that there is no conflict of interest between management of risks and management of compliance risk.
Comment (SP5): A bank requested to clarify in more detail the role of compliance department in the overall management of the Operational Risk framework. While the responsibilities of the Audit Department are clearly spelt out, those expected of the compliance functions are ambiguous.
CBB's Response (SP4, SP5): Disagree - the Compliance function role includes checking whether the operational risk management function is in compliance with the rules and regulations and there would be a clear conflict of interest if the compliance officer is also involved in the development, implementation and operation of the operational risk management framework which they then must check afterwards. But there is no harm if they were consulted on whether the framework is in line with the subject regulation. The CBB will develop rules on compliance function as part of Module HC (High-level Controls) as per Basel principles.

Reference: OM-8.2.2
Draft text: Principle 1: The board of directors must take the lead in establishing a strong risk management culture. The board of directors and senior management must establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour. In this regard, it is the responsibility of the board of directors to ensure that a strong operational risk management culture exists throughout the whole organisation.
Comment (SP6): A bank noted that earlier in this section, responsibility for establishing corporate culture rests with both “board of directors and senior management”. The bank suggests that the requirement above be similarly worded.
CBB's Response: Disagree - it is clear in the paragraph that the ultimate responsibility rests with the Board of Directors, sharing this responsibility with the senior management.

Reference: OM-8.2.6
Draft text: Compensation policies must be aligned to the bank's statement of risk appetite and tolerance, long-term strategic direction, financial goals and overall safety and soundness. They must also appropriately balance risk and reward.
Comment (SP7): A bank noted that the rule is understood, however in practice, the idea that an employee's compensation should take account of the risks that employees take on behalf of their organization has proven to be challenging to implement. Considering the stage of development of operational risk frameworks in majority of the banks in Bahrain, aligning it with compensation policies might prove very challenging. While from the regulation perspective, ensuring remuneration is effectively aligned with risk and performance is an essential element for safeguarding stakeholders' interests, with ultimate goal of reducing incentives that may lead to excessive risk taking. However, it would be prudent to deal with the compensation aspect in the High level Control (HC) section rather than the OM Module.
CBB's Response: The CBB has issued a separate consultation on Basel principles issued on compensation and it is now under internal discussion.

Reference: OM-8.2.11
Draft text: The Framework must be comprehensively and appropriately documented in board of directors approved policies and must include definitions of operational risk and operational loss. Banks that do not adequately describe and classify operational risk and loss exposure may significantly reduce the effectiveness of their Framework.
Comment (SP8): A bank noted that while this rule and OM-8.2.12 clearly specify certain required elements of the Framework for managing operational risk, e.g. the requirement that banks produce documentation that identifies governance structures used to manage operational risk, it would have been helpful to see the definition of “Framework” in conjunction with assessing the Consultation paper. One question that arises in reading rules such as OM-8.2.11 and OM-8.2.12 is whether the requirement to have a Board-approved Framework is satisfied by having a Board-approved operational risk management policies and procedures manual that reflects the requirements of the consultation document. If CBB view is that a Framework must encompass more than such a manual, it will be helpful for that to be communicated clearly in revised Module OM.
CBB's Response: The term Framework will be defined and included in the Glossary of the Rulebook.

Reference: OM-8.2.12
Draft text: Framework documentation must clearly:
(a) Identify the governance structures used to manage operational risk, including reporting lines and accountabilities;
(b) Describe the risk assessment tools and how they are used;
(c) Describe the bank's accepted operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments;
(d) Describe the bank's approach to establishing and monitoring thresholds or limits for inherent and residual risk exposure;
(e) Establish risk reporting and Management Information Systems (MIS);
(f) Provide for a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives;
(g) Provide for appropriate independent review and assessment of operational risk; and
(h) Require the policies to be reviewed whenever a material change in the operational risk profile of the bank occurs, and revised as appropriate.
Comment (SP9): A bank noted that it would be helpful if the revised OM Module contained internal cross-references. For example, OM-8.2.12 (c), which states that the Framework documentation must clearly describe the bank's accepted operational risk appetite and tolerance, as well as limits or thresholds for inherent and residual risk, could cross reference OM-8.2.16 and OM-8.2.17, so that it is clear that those rules expand upon OM-8.2.12(c) and do not constitute separate and new requirements. “OM-8.2.16 Principle 4: The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the bank is willing to assume”, “OM-8.2.17 When approving and reviewing the risk appetite and tolerance statement, the board of directors must consider all relevant risks, the bank's level of risk aversion, its current financial condition and the bank's strategic direction. The risk appetite and tolerance statement should encapsulate the various operational risk appetites within a bank and ensure that they are consistent. The board of directors must approve appropriate thresholds or limits for specific operational risks, and an overall operational risk appetite and tolerance”.
CBB's Response: Noted. Useful suggestion. Cross reference will be added.
Comment (SP10): A bank noted that the requirement of separate operational risk disclosure policy or statement of risk appetite should not be mandatory. The need should be based on the nature, size and complexity of any bank's operations. In many banks, a separate risk appetite statement or risk disclosure policy may not be required, as these can be addressed within the operational risk framework. The nature and extent of operational risk limits or thresholds may also be allowed to be set up only where banks perceive added value in terms of risk monitoring and control. For example, many banks which have well developed and properly implemented operating processes and controls may be operating on a zero error policy. They may have a history of virtually nil operational losses; in these instances, setting up limits for operational losses will not make sense. What is more important is to analyze the adequacy of controls and modify these if necessary, to ensure that operational lapses do not recur or potential lapses are identified and rectified through the procedure established. For example, if a bank sets up a limit of BD100,000 for operational losses due to wrong remittances, there could be say 10 remittances which had gone wrong and still the loss is below BD 100,000, or there could be one erroneous transaction of value more than the limit. However, what is more pertinent here is to have a strong remittance procedure with the proper checks and balances to ensure wrong remittances do not occur at all.
CBB's Response: Disagree - disclosing operational risk appetite and tolerance, as well as thresholds or limits for inherent and residual risk, and approved risk mitigation strategies and instruments will show to external stakeholders that a bank is thinking about risk, how to measure it, monitor it and what the acceptable levels of risk are before stronger measures are necessary. Such disclosures will also enhance transparency. Limits should not always necessarily be expressed in terms of money. They can be expressed in terms of frequency of errors, for example, as the bank shows in its example. Operational risks may also be measured by other means such as 'system down time' or other ways that the bank deems relevant.

Reference: OM-8.2.13
Draft text: Principle 3: The board of directors must establish, approve and periodically review the Framework. The board of directors must oversee senior management to ensure that the policies, processes and systems are implemented effectively at all decision levels.
Comment (SP11): A bank suggested removing “establish”. The Board should not “establish” the Operational Risk Management Framework.
Comment (SP12): A bank noted that their assumption is that the Senior Management establishes the framework/ code of conduct, etc. and the Board of Directors review it as being fit for purpose and approve it.
CBB's Response (SP11): Disagree - it is the ultimate responsibility of the board to ensure the Operational Risk Management Framework is “established”. Such Framework can be legally implemented only once it is signed by the board of directors, who have decided what the acceptable types and extent of risks are in the first place.
CBB's Response (SP12): Please refer to SP11 above.

Reference: OM-8.2.14
Draft text: The board of directors must:
(a) Establish a management culture, and supporting processes, to understand the nature and scope of the operational risk inherent in the bank's strategies and activities, and develop comprehensive, dynamic oversight and control environments that are fully integrated into or coordinated with the overall Framework for managing all risks across the enterprise;
(d) Ensure that the bank's Framework is subject to effective independent review by audit and other appropriately trained parties such as the compliance function;
Comment (SP13): A bank suggested replacing “Establish” with “Promote”.
CBB's Response: We don't agree, “Promote” is a very general phrase. The phrase “Establish” is more specific.
Comment (SP14): A bank noted that the updated Basel paper states “ensure that the bank's Framework is subject to effective independent review by audit or other appropriately trained parties”, but the proposed OM Module says that independent review should be by audit and other appropriately trained parties like the compliance function. This will lead to duplication of work within banks.
CBB's Response: Agree - to change the word “and” to “or”.

Reference: OM-8.2.16
Draft text: Principle 4: The board of directors must approve and review a risk appetite and tolerance statement for operational risk that articulates the nature, types and levels of operational risk that the bank is willing to assume.
Comment (SP15, SP16): A bank noted that the requirement for the Board of Directors to approve and review an operational risk appetite and tolerance statement is significant. While it is realistic to expect banks to consider the strategic direction, financial condition and risk aversion, it will be difficult to put specific measurable operational risk appetite and tolerance statements in place. Operational risk appetite/tolerance is still evolving. This should be factored into consideration when comparing with risk appetite/tolerance for credit risk/market risk which lend themselves more easily to quantification. There may also be overlap with the ICAAP framework's risk appetite statement here. Clarification and guidance on what should be in an appetite statement with respect to operational risk and how it should be used would be helpful.
CBB's Response (SP15): This paragraph is directly from the Basel paper and articulates simply the basic role of the board.
CBB's Response (SP16): The ICAAP states what markets the bank wants to be in, and the allocation of capital to each type of market. The operational risk profile of a bank is dependent upon the markets and products that each individual bank is involved in. Therefore general guidance cannot be given by regulatory bodies.

Reference: OM-8.2.19
Draft text: Principle 5: Senior management must develop for approval by the board of directors a clear, effective and robust governance structure with well defined, transparent and consistent lines of responsibility. Senior management is responsible for consistently implementing and maintaining throughout the organisation policies, processes and systems for managing operational risk in all of the bank's material products, activities, processes and systems consistent with the risk appetite and tolerance.
Comment (SP17): A bank noted that some requirements in this section are contradictory and confusing. For example, OM-8.2.26 allows the Board to delegate operational risk responsibilities to a management level operational risk committee, but at the same time OM 8.2.27 requires the management committee to include independent non-executive Board members. As a general matter, it may not be appropriate to have Board members sit in a management level committee.
CBB's Response: Agree - to delete the sentence “Committee membership should include independent or non-executive board members (refer to Module HC for details on committee membership)”.

Reference: OM-8.2.21
Draft text: Senior management must translate the operational risk management Framework established by the board of directors into specific policies, processes and procedures that can be implemented and verified within the different business units. Senior management must clearly assign authority, responsibility and reporting relationships to encourage and maintain this accountability, and ensure that the necessary resources are available to manage operational risk in line with the bank's risk appetite and tolerance statement. Moreover, senior management must ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.
Comment (SP18): A bank suggested replacing “established” with “approved”.
CBB's Response: Disagree - it is the ultimate responsibility of the board to ensure the Operational Risk Management Framework is “established”. Such Framework can be legally implemented only once it is signed by the board of directors, who have decided what the acceptable types and extent of risks are in the first place.

Reference: OM-8.2.27
Draft text: Sound industry practice is for operational risk committees (or the risk committee in smaller banks) to include a combination of members with expertise in business activities and financial, as well as independent risk management. Committee membership should include independent or non-executive board members (refer to Module HC for details on committee membership).
Comment (SP19): A bank noted that the Operational Risk Committee should be a management committee comprising senior management covering the Bank's business lines, governance and control functions. Adequate Board oversight can be ensured by the provision of regular and ad hoc reporting to a Board committee such as the Audit Committee. In addition, the Board would provide strategic policy direction through the operational risk framework and the associated policies. Therefore, it is recommended that the proposed requirement for the inclusion of Independent or Non-Executive Board members on the Operational Risk Committee be removed.
CBB's Response: Agree - to delete the sentence “Committee membership should include independent or non-executive board members (refer to Module HC for details on committee membership)”.

Reference: OM-8.2.27 (continued)
Comment (SP20): A bank noted that the Operational Risk Committee would be a management level committee and hence should not include non-executive board members. Note that the bank has a Board Risk Policy Committee that oversees all risks at the bank.
CBB's Response: Please refer to SP19 above.

Reference: OM-8.2.29 and OM-8.2.32
Draft text: OM-8.2.29 Principle 6: Senior management must ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood. OM-8.2.32 The bank must ensure that the internal pricing and performance measurement mechanisms appropriately take into account operational risk. Where operational risk is not considered, risk-taking incentives might not be appropriately aligned with the risk appetite and tolerance.
Comment (SP21): A bank noted that Operational risk is an evolving area and banks are putting up frameworks for different elements to be measured. Identification and measurement of operational costs and its linkage with pricing of products may require substantial past data, history and experience. The bank requests the CBB to provide clarity and basic guidelines by way of examples for incorporation of operational risk into internal pricing and performance measurement mechanisms.
CBB's Response: These are high-level principles. Each bank then has to work out how to incorporate operational risk into its internal pricing mechanism.

Reference: OM-8.2.37 and OM-8.2.40
Draft text: OM-8.2.37 Principle 8: Senior management must implement a process to regularly monitor operational risk profiles and material exposures to losses. Appropriate reporting mechanisms must be in place at the board, senior management, and business line levels that support proactive management of operational risk. OM-8.2.40 Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making. Operational risk reports should include:
(a) Breaches of the bank's risk appetite and tolerance statement, as well as thresholds or limits;
(b) Details of recent significant internal operational risk events and losses; and
(c) Relevant external events and any potential impact on the bank and operational risk capital.
Comment (SP22): A bank noted that the requirement to include relevant external information in operational risk reports may also pose a challenge. Data availability and external information on operational risk is very limited except perhaps on legal events. Moreover, external information on legal events may come with such a significant lag that it may no longer pose any potential impact on the bank.
CBB's Response: External data may be difficult to apply because different banks are not directly comparable. A well-run bank will have excellent business processes, auditing, and controls that reduce significantly the risk of operational losses. If another bank has incurred a large operational loss, the well-run bank will want to know whether the loss resulted from bad luck or poor management. To overcome these obstacles, banks have begun to collect data systematically, both internally and externally, and to experiment with techniques for modelling operational risks.