2013-01-01

Recommendation M on Operational Risk Management in Banks

The Financial Supervision Commission issued Recommendation M to establish comprehensive operational risk management standards for banks, replacing the 2004 version with updated guidelines aligned with Basel Committee and EU CRD directives. The document mandates that bank management boards develop and implement written strategies, while supervisory boards must approve these strategies and oversee their execution through defined governance structures. It further requires banks to adopt proportional risk identification, assessment, mitigation, and reporting mechanisms tailored to their specific size, complexity, and risk profiles.


Poland

Polish Financial Supervision Authority


Recommendation M Page 1 of 59 Financial Supervision Commission Recommendation M concerning operational risk management in banks Warsaw, January 2013

I. INTRODUCTION

General Remarks

This Recommendation is issued pursuant to Article 137(5) of the Act of 29 August 1997 on Banking Law (Journal of Laws of 2012, items 1376, 1385, and 1529) (hereinafter referred to as the "Banking Law Act") and constitutes a set of good practice principles regarding prudent and stable operational risk management in banks. It replaces the earlier "Recommendation M concerning operational risk management in banks" prepared and issued in 2004.

Operational risk, due to its comprehensive nature, can have a significant impact on the activities and situation of banks, especially since, alongside the environment and external events, its source is the bank's organization itself. As indicated by available studies, operational risk is the second most significant type of risk in banks after credit risk. Moreover, analyses of spectacular losses in the global financial system indicate that – although they manifested in the area of credit or market risk – their actual source was operational risk.

This Recommendation aims to disseminate good practices in operational risk management in banks, regardless of the complexity of the bank's structure and processes, taking into account the principle of proportionality. It aims to help deepen awareness of the existence of operational risk, its significance and characteristics, and to build an appropriate organizational culture, which forms the basis for developing optimal mechanisms for managing this risk, both in individual organizational units and through an integrated approach to this risk across the entire bank.

The Financial Supervision Commission expects that Recommendation M concerning operational risk management in banks, which constitutes an annex to Resolution No. 8/2013 of the Financial Supervision Commission of 8 January 2013 (Journal of Regulations of the FSC of 2013, item 6), will be implemented no later than 30 June 2013, with the exception of point 17.3, regarding which the Recommendation should be implemented no later than 31 December 2013¹.

1 In the information referred to in point 17.3, published in 2014, banks should also include information in this regard that they did not publish in 2013 despite the existence of this document.

Scope and Structure of the Recommendation

According to the definition contained in § 1 of Annex No. 14 to Resolution No. 76/2010 of the Financial Supervision Commission of 10 March 2010 on the scope and detailed rules for determining capital requirements for various types of risk (Journal of Regulations of the FSC No. 2, item 11, as amended) (hereinafter referred to as the "Resolution on Capital Adequacy"), operational risk shall be understood as the possibility of loss resulting from inadequate or failed internal processes, people, and systems or from external events, including legal risk. This definition does not include reputational risk and strategic risk, which are related to business risk. This definition specifies only the minimum scope of risk, whereas a bank may use its own, broader definition for operational risk management purposes, provided it is consistent with the above. In the context of operational risk, however, one should not forget about the possibility of reputational loss resulting from operational risk events, particularly in the area of legal risk, which may consequently lead to the failure to implement the bank's business strategy, including a reduction in planned revenues (e.g., due to a drop in customer confidence and the termination of cooperation with the bank), or a decline in the value of the firm.

Following the recommendations of the Basel Committee and the provisions of Directive 2006/48/EC of the European Parliament and of the Council of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions (recast) (as amended) (OJ L 177 of 30.6.2006, p. 1) (also referred to as the CRD Directive), the provisions of the Resolution on Capital Adequacy require banks applying the Standardized Approach (TSA) and the Advanced Measurement Approach (AMA) for determining capital requirements for operational risk, as referred to in § 2(1) of Annex No. 14 to the Resolution on Capital Adequacy, to distinguish eight business lines in the bank's activities for the purposes of identifying and managing operational risk². When distinguishing business lines, the provisions of the Resolution on Capital Adequacy relating to the rules for assigning activities to specific business lines and the criteria for disaggregating the indicator from the standardized approach for determining capital requirements for operational risk between business lines should be applied.

2 According to the Resolution on Capital Adequacy, for the Advanced Measurement Approach, due to exceptional circumstances, losses affecting the entire bank may be allocated to an additional business line specified as "general bank activities."

The provisions of the aforementioned Resolution also define and systematize the types of operational events (events related to the bank's activities that may result in financial losses due to operational risk). The classification of types of operational events is specified in Annex No. 1 to this Recommendation. Examples of operational events contained in this annex do not exhaust the list of all possible operational events.

The combination of the list of business lines³ with the types of operational events specified in Annex No. 1 creates a matrix of business lines and types of operational risk – also known as the Basel matrix of operational risk – used in the process of operational risk management. The Financial Supervision Commission expects that even banks applying the Basic Indicator Approach (BIA), referred to in § 2(1) of Annex No. 14 to the Resolution on Capital Adequacy, will, in accordance with the principle of proportionality, apply a similar systematization with respect to business lines and types of operational events in order to unify the approach across the entire banking sector and for the potential sharing of information and experience with other banks. Moreover, applying this systematization will facilitate their use of more advanced measurement methods and determination of capital requirements for operational risk over time.

Taking into account best practices in operational risk management, including guidelines from the Basel Committee on Banking Supervision, the European Banking Authority (EBA, formerly the Committee of European Banking Supervisors CEBS), and the desire to show in an integrated manner the stages of the operational risk management process, the following structure of the Recommendation has been adopted in this document:

  1. Operational risk management strategy;
  2. Internal environment;
  3. Risk identification;
  4. Risk assessment;
  5. Risk mitigation;
  6. Control;
  7. Monitoring;
  8. Reporting and transparency of action.

3 Business lines along with their descriptions are cited in Annex No. 2.

By adopting the following structure of the document content, the Financial Supervision Commission wishes to convey to all banks how to properly handle operational risk, what elements constitute the process of managing this risk, and to draw attention to the fact that the operational risk management process is an integral part of the bank management process. This means, in particular, that information obtained in the operational risk management process should be taken into account in decision-making processes regarding business activities. It is worth emphasizing that the level of operational risk of a bank also depends on the approach to operational risk by employees at the level of individual organizational units or within processes and on the activities undertaken by them, including, among others, risk identification and reporting, and risk control.

Due to the approach adopted in this Recommendation, which shows the individual stages of the operational risk management process, the tasks and roles of the management board and the supervisory board are described at various stages of this process in many places in the document. In particular, the tasks and roles of the management board and the supervisory board are presented in the following Recommendations:

  1. Recommendations 1 and 2 – regarding the establishment of operational risk management strategy and its verification;
  2. Recommendation 3 – regarding the development of the operational risk management system and ensuring its consistency with the strategy for managing this risk;
  3. Recommendation 4, points 4.1, 4.2, 4.6, 4.10, 4.16, 4.17, 4.18, 4.20, and 4.21 – regarding the creation of organizational culture and building the internal environment in the bank;
  4. Recommendation 7, point 7.11 – regarding threshold values for collecting information on operational losses;
  5. Recommendation 8, point 8.1 – regarding the establishment of formal procedures for measuring operational risk;
  6. Recommendation 10, Recommendation 11, Recommendation 12 – regarding risk mitigation;
  7. Recommendation 13 – regarding the establishment of rules for controlling operational risk management;
  8. Recommendation 14 – regarding ensuring compliance with requirements arising from internal and external regulations, including legal ones;

  9. Recommendation 15, points 15.3 and 15.4 – regarding participation in the operational risk monitoring process;
  10. Recommendation 16, points 16.1 and 16.5 – regarding the reporting system in the area of operational risk;
  11. Recommendation 17, points 17.1, 17.2, and 17.3 – regarding transparency of action and disclosures in the area of operational risk.

These guidelines take into account the principle of proportionality, i.e., they should be implemented proportionally, taking into account the nature, scale, and complexity of the institution's activities, the significance of the processes concerned, and its risk profile. In particular, this principle applies to the adopted methods of measuring operational risk, including the calculation of internal capital for this risk. This does not mean, however, that smaller institutions or institutions with less complex structures are less exposed to operational risk. They should also apply this Recommendation, including having a dedicated unit or function for operational risk management; in very small institutions, at least a designated person should be entrusted with the function responsible for managing this risk. Where this document leaves room for differentiation in how banks fulfil its requirements (e.g., in the assessment or control of risk), banks may implement them in different ways, provided that the prudential objective is achieved in the given bank; such differences may result in particular from the institution's risk profile and the scale and complexity of its activities.

The unambiguous determination of whether a solution applied by a bank in a given area is proportional in its case should take place through dialogue between the bank and the supervisor. Each bank should implement solutions that, in its opinion, most fully realize the assumed objective of a given Recommendation (and in case of doubt, it is always possible to seek the supervisor's opinion). On the other hand, it is the supervisor's obligation to assess, in a manner not exceeding the assumed prudential objective of a given Recommendation, whether the solution applied by the bank in a given area fulfills the given prudential objective in its case.

II. GLOSSARY OF TERMS

Significant area of bank activity – a part of the bank's activity, distinguishable by subject, entity, territory, or organization, indicated by the bank, having a significant impact on its situation, and in particular constituting a significant source of financing or a significant source of revenue, or associated with significant risk.

Bank management – the bank's management board and directors, heads of organizational units, and heads of key processes in the bank.

Key processes – processes indicated by the bank within its activities that condition the implementation of the bank's strategy (including business strategy and risk management strategy).

Critical processes – processes indicated by the bank within its activities, in the case of which rapid recovery of operational efficiency may have significant importance from the point of view of the institution's business continuity.

Operational risk profile – the scale and structure of exposure to operational risk; it determines the degree of exposure to operational risk and may be expressed in structural dimensions chosen by the bank (such as, among others, types of operational events, types of business lines, key processes) and scale dimensions (such as, among others, estimated potential size of loss); for its determination, the bank uses, among others, available information on operational events (including regarding their frequency and severity) and information obtained from the use of operational risk management tools.

Operational risk management strategy – a component of the risk management strategy referred to in § 1 of Resolution No. 258/2011 of the Financial Supervision Commission of 4 October 2011 on detailed rules for the functioning of the risk management system and internal control system, and detailed conditions for estimating internal capital by banks and conducting reviews of the process of estimating and maintaining internal capital, and rules for determining the policy of variable components of remuneration of persons holding managerial positions in banks (Journal of Regulations of the FSC No. 11, item 42) (hereinafter referred to as the "Resolution on the functioning of the risk management system and internal control system"); it constitutes a comprehensive program for setting and achieving the institution's objectives in the field of operational risk; in particular, it should reflect the tolerance/appetite for operational risk and an understanding of the specific features of this category of risk; it should also specify the manner in which the institution plans to maintain this risk within the accepted appetite/tolerance, including indicating specific areas of responsibility.

Internal control system – according to the Banking Law Act, a system operating within the bank's management system, which includes: risk control mechanisms, examination of the bank's compliance with legal provisions and internal regulations, and internal audit; the purpose of the internal control system is to support decision-making processes contributing to ensuring the effectiveness and efficiency of the bank's activities, the reliability of financial reporting, and the compliance of the bank's activities with legal provisions and internal regulations.

Management system – a set of rules and mechanisms relating to decision-making processes occurring in the bank and to the assessment of the bank's conducted activities; according to the Banking Law Act, it is divided into a risk management system and an internal control system; another dimension of the division of the management system is the division according to areas of activity, e.g., human resources management system, information security management system, business continuity management system.

Risk management system – according to the Banking Law Act, the second element of the management system in the bank, along with the internal control system; a set of rules, mechanisms, and tools (including, among others, policies and procedures concerning risk identification, measurement, monitoring, and control) relating to processes concerning risk; the task of the risk management system is to identify, measure or estimate, and monitor risk occurring in the bank's activities, serving to ensure the correctness of the process of determining and implementing specific objectives of the activities conducted by the bank; in the field of operational risk, it is referred to as the operational risk management system – it is the primary means of implementing the adopted strategy for managing this type of risk.

Tolerance/appetite for risk – two concepts used in the document jointly to describe both the total risk that the institution is willing and prepared to take ex ante (sometimes called risk appetite) and the actual limits within this appetite that the institution sets for itself (sometimes called risk tolerance); a term that by definition covers all definitions in this regard used by different institutions.

III. LIST OF RECOMMENDATIONS

Recommendation 1 The management board of the bank is responsible for developing and implementing a written operational risk management strategy.

Recommendation 2 The supervisory board of the bank accepts the operational risk management strategy and (acting within its competencies) assesses its implementation and, if necessary, orders it to be revised.

Recommendation 3 The management board of the bank is responsible for developing the operational risk management system, implementing it, ensuring its consistency with the strategy for managing this risk, and the proper functioning of this system in the organization, including – if necessary – introducing necessary corrections to improve this system.

Recommendation 4 The bank should have a structure, processes, and resources appropriate to the scale and complexity of its conducted activities, allowing for efficient operational risk management.

Recommendation 5 There should be a dedicated unit or function for operational risk management in the bank's structures.

Recommendation 6 The bank, as far as possible, ensures the application of uniform, consistent operational risk management rules in the bank and in dependent entities or entities affiliated with the bank financially, organizationally, or in any other way (e.g., through participation in a holding⁴ or financial conglomerate), if this affiliation may have a significant impact on the bank's situation.

Recommendation 7 The bank should implement and document the process of identifying threats related to operational risk for all significant areas of the bank's activities as well as for the creation of all new and modifications of existing products, processes, and systems.

Recommendation 8 Operational risk management should be based on a reliable risk assessment conducted on the basis of approved procedures.

Recommendation 9 In the framework of operational risk assessment, the bank should conduct stress tests, the programs of which are regularly reviewed and evaluated for effectiveness and suitability to needs, both qualitatively and quantitatively.

Recommendation 10 The bank should define risk mitigation actions, consisting of avoiding, limiting, or transferring risk, which are undertaken depending on the identified level of operational risk relative to the tolerance/appetite for operational risk accepted by the supervisory board.

Recommendation 11 The bank should have a business continuity management system, including business continuity plans and contingency plans, ensuring uninterrupted bank operation at a specified level, taking into account the bank's operational risk profile.

Recommendation 12 The bank should use optimal risk transfer mechanisms, but may not treat them as an alternative to proper risk management.

4 By holding is meant a group of entities referred to in Article 4(1) points 10-11c of the Banking Law Act.

Recommendation 13 The management board of the bank should ensure the existence and functioning of rules for controlling operational risk management and take actions supporting this process.

Recommendation 14 The management board of the bank should ensure that the risk of non-compliance with requirements arising from internal and external regulations (including legal ones) is identified and controlled.

Recommendation 15 The bank should have a system for regular monitoring of operational events and the results of other tools in this area (e.g., KRIs), enabling observation of the operational risk profile and ensuring regular transmission of appropriate information to the management board and the supervisory board.

Recommendation 16 The bank should make every effort to ensure that the data it collects for reporting purposes (especially for managerial needs) are reliable and characterized by high quality, including controlling this quality on an ongoing basis. It should also control the impact of the quality of this data on the risk management process.

Recommendation 17 The bank should regularly publish information on its approach to operational risk serving to reduce information asymmetry between the bank and its environment.

IV. OPERATIONAL RISK MANAGEMENT STRATEGY

Recommendation 1

The management board of the bank is responsible for developing and implementing a written operational risk management strategy⁵.

1.1. The operational risk management strategy should specify:
– the definition of operational risk adopted in the bank, characterizing operational risk in a clear and unambiguous manner,
– the target operational risk profile of the bank, taking into account the scale and structure of operational risk burdening the bank,
– the bank's tolerance/appetite for operational risk, including threshold values for the sum of losses of a given class of events⁶ within a specified time horizon, and specified actions that the bank will undertake in cases where these values are exceeded,
– general principles of operational risk management, including principles of identification, assessment, monitoring, securing, and transfer of operational risk,
– assumptions for the internal control system in the field of operational risk.

1.2. The subject matter of this strategy should also specify the basic processes necessary for operational risk management. The degree of formalization and complexity of the operational risk management strategy should be adapted to the specificity of the bank's operation and to the current and target risk profile. The operational risk management strategy should be developed taking into account in particular:
– the subject matter of the bank's activity,
– priorities of managerial actions (including in the field of identified key processes) and business strategy,
– availability of funds to cover losses,
– the organizational structure of the bank,
– the bank's risk profile,
and planned changes in the above areas.

5 The FSC is aware that in the banking sector, the names of documents "policy" and "strategy" are very often used interchangeably. Regardless of the nomenclature adopted by the bank in this regard, it must be ensured that the guidelines indicated in this chapter are realized. The recommended hierarchy and names of its levels are: strategy, policy, principles.

6 The classes of events referred to here may concern, for example, types of events or categories of events referred to in Annex No. 1, but it is possible for the bank to define more and more detailed classes extending beyond the scope presented in the annex.

Recommendation 2

The supervisory board of the bank accepts the operational risk management strategy and (acting within its competencies) assesses its implementation and, if necessary, orders it to be revised.

2.1. Due to rapidly changing external and internal factors affecting operational risk, the strategy and operational risk management system – including the principles of managing this risk – should be regularly
