"Year of the Reconstruction of the Argentine Nation"
COMMUNICATION “A” 8249 02/06/2025
TO FINANCIAL ENTITIES:
Ref.: Circular LISOL 1-1102, RUNOR 1-1900:
Guidelines for Risk Management in Financial Entities. Operational Risk Management. Operational Resilience.
We address you to inform you that this Institution has adopted the resolution which, in its pertinent part, establishes:
“1- Incorporate into point 6.1 of the consolidated text on Guidelines for Risk Management in Financial Entities the following:
“Financial entities generally rely on 3 (three) lines of defense, whose degree of implementation must be proportional to the nature and size of the entity and the complexity of its operations, and adequate to its risk profile.
- First line: management within business units –such as finance, human resources, technology– whose responsibilities include identifying and evaluating significant operational risks inherent to their respective business units, establishing appropriate controls to mitigate them, and assessing the design and effectiveness of those controls through management tools.
- Second line: independent operational risk management, which develops an independent view of business units regarding identified significant operational risks, the design and effectiveness of key controls, and risk tolerance. Additionally, among other responsibilities, it reviews the relevance and consistency of business units' implementation of operational risk management tools, measurement activities, and reporting systems.
- Third line: independent review that ensures the operational risk management framework is adequate. This function generally falls under internal and/or external audit. Among other responsibilities, it must review the design and implementation of operational risk management systems and associated governance processes in the first and second lines of defense, as well as validation processes, to guarantee independence and implementation consistent with the entity's policies.
If business units perform functions of both the first and second lines of defense, entities must document and delineate each function's responsibilities, emphasizing the independence of the second line.”
2- Provide that, within the responsibilities of the Board and Senior Management stipulated in points 6.2.1. and 6.2.2., respectively, of the consolidated text on Guidelines for Risk Management in Financial Entities, the following is incorporated:
“- Approve and periodically review the definition of operational risk appetite and tolerance in line with the nature, types, and levels of operational risk that the financial entity is willing to assume.
The definition of the entity's operational risk appetite and tolerance must be linked to its short- and long-term strategic and financial plans. Taking into account both the interests of the entity's clients and shareholders as well as regulatory requirements, an effective definition of risk appetite and tolerance must:
i) be easy to communicate and understand by all stakeholders;
ii) include background and assumptions that consider the entity's business plans;
iii) include reasons for assuming or avoiding certain types of risks, and limits or indicators (which may be quantitative or non-quantitative) to allow monitoring of these risks;
iv) ensure that the strategy and risk limits of business units, other entities forming the entity's economic group, and contracted third parties (outsourced), as applicable, align with the risk appetite established by the financial entity; and
v) be prospective and, if possible, subject to scenarios and stress tests that ensure the entity understands which events could lead it to exceed its risk appetite and tolerance.
In reviewing the adequacy of limits and the general definition of risk appetite and tolerance, the Board must consider: current and expected changes in the external environment –including the regulatory framework across all jurisdictions where the financial entity provides services–; current or future significant increases in business volumes or activities; control environment quality; effectiveness of risk management or mitigation strategies; loss experiences; and the frequency, volume, or nature of deviations from established limits.
The Board must monitor compliance with the risk appetite and tolerance definition and ensure timely detection and correction of deviations.
- Regularly supervise the effectiveness of technology and information security risk management to ensure confidentiality, integrity, and availability of data and systems.”
“- Regularly evaluate the design, implementation, and effectiveness of technology and information security risk management.
- Ensure that the entity's change management process is comprehensive, adequately resourced, and appropriately articulated across relevant lines of defense.”
3- Substitute the tools for identifying and evaluating operational risks listed in point 6.3.1 of the consolidated text on Guidelines for Risk Management in Financial Entities with the following:
“- Self-assessment of operational risks. Consists of evaluating inherent risk –before implementing controls and mitigation measures–, control environment effectiveness, and residual risk –after implementing controls and mitigation measures– and comprises both quantitative and qualitative elements.
Evaluations must use business process mapping to identify key steps in those processes, organizational activities and functions, as well as associated risks and areas with control weaknesses. They must contain sufficiently detailed information on the business environment, operational risks, underlying causes, controls, and control effectiveness assessment.
Entities must maintain a register of operational risks to have a meaningful view of overall control effectiveness and facilitate supervision by Senior Management, risk committees, and the Board.
- Operational risk event database. Collection of all significant events that have occurred, used as a basis for operational risk assessments. It includes internal loss data, near-misses and, where possible, external operational loss event data; the event dates –occurrence, discovery, and accounting dates–; the financial impact in the case of loss events; and any other information on event causes.
- Event management. Includes event analysis to identify new operational risks, understand underlying causes and control weaknesses, and formulate an appropriate response to prevent recurrence of similar events. This information is used for self-assessment and, in particular, for control effectiveness assessment.
- Monitoring and control testing framework. The analysis must consider control sufficiency, including appropriate prevention, detection, and response strategies. Monitoring and control testing must be appropriate for different operational risks and key controls across all business areas.
- Metrics. In developing metrics, risk event data and risk and control assessments must be used to evaluate and monitor exposure to that risk.
Metrics provide early warning information to continuously monitor business performance and the control environment, and to report the operational risk profile.
- Scenario analysis. Method for identifying, analyzing, and measuring different scenarios, including low-probability and high-severity events, some of which could cause severe operational risk losses.
Scenario analysis generally involves subject matter expert meetings, including Senior Management, middle management, senior operational risk personnel, and other functional areas such as human resources, compliance, and technology and information security risk management, to develop and analyze causes and consequences of potential events.
Scenario analysis includes relevant internal and external loss data, self-assessment information, control testing and monitoring framework, prospective metrics, root cause analysis, and process framework, when used.
The scenario analysis process could be used to develop a series of potential event consequences, including impact assessments for risk management, complementing other tools based on historical data or current risk assessments. It could also be integrated with business continuity and recovery plans, for use within operational resilience testing.
- Assessment and benchmarking analysis. Comparisons of results from different risk management and measurement tools implemented within the entity.
Financial entities must ensure that the results of operational risk assessment tools are:
a) based on accurate data, whose integrity is guaranteed by robust governance and verification/validation procedures;
b) considered in setting “prices” and measuring performance, as well as in business opportunity assessments; and
c) subject to action plans monitored within the operational risk management framework or recovery plans when necessary.
These tools can also directly contribute to the entity's operational resilience approach –particularly the event management, self-assessment, and scenario analysis procedures– since they make it possible to identify and monitor threats and vulnerabilities affecting critical operations.
Entities must use the results of these tools to improve their controls and operational resilience procedures.”
4- Incorporate into point 6.3.1 of the consolidated text on Guidelines for Risk Management in Financial Entities the following:
“Financial entities must have change management policies and procedures that define the process to identify, manage, approve, and monitor changes based on agreed objective criteria. Changes may consist of participating in new activities or developing new products or services, entering unknown markets or jurisdictions, implementing new business processes or technological systems, modifying them and/or participating in businesses geographically distant from headquarters. Change management must evaluate the evolution of associated risks over time.
Implementation of changes must be monitored by specific controls. Change management policies and procedures must be subject to periodic independent reviews and updates, clearly assigning functions and responsibilities according to the three “lines of defense” model, in particular:
i) The first line of defense must perform control and operational risk assessments of new products, activities, processes, and systems, including identification and evaluation of required changes through decision-making phases and planning for implementation and subsequent review.
ii) The second line of defense must review the control and operational risk assessments of the first line of defense, as well as monitor implementation of appropriate controls or corrective measures. This line of defense must cover all phases of this process and ensure that all relevant control areas –finance, compliance, legal, commercial, technology, risk management, among others– are involved as applicable.
Financial entities must have policies and procedures for reviewing and approving new products, activities, processes, and systems. The review and approval process must consider:
a) inherent risks, including legal, technology and information security, and model risks in launching new products, services, activities, and operations in unknown markets, and in implementing new processes, personnel, and systems –especially regarding service outsourcing–;
b) changes in the operational risk profile, appetite, and tolerance, including changes in existing product or activity risks;
c) necessary controls, risk management processes, and risk mitigation strategies;
d) residual risk;
e) changes in risk thresholds or limits; and
f) procedures and metrics to evaluate, monitor, and manage risks of new products, services, activities, markets, jurisdictions, processes, and systems.
The review and approval process must ensure adequate investment in human resources and technological infrastructure before changes are introduced.
Changes must be monitored, during and after implementation, to identify any significant difference with respect to the expected operational risk profile and manage any unexpected risks.
Financial entities must maintain a central register of their products and services –including outsourced ones– to facilitate tracking of changes.”
5- Substitute point 6.3.3 of the consolidated text on Guidelines for Risk Management in Financial Entities with the following:
“Entities must have a robust control environment that uses policies, processes and systems, adequate internal controls, and appropriate risk mitigation and/or transfer strategies.
6.3.3.1. Internal controls must be designed to ensure that the financial entity will have efficient and effective operations, safeguard its assets, produce reliable financial reports, and comply with applicable laws and regulations.
An adequate internal control program consists of four components that are integral to the risk management process: a) risk assessment; b) control activities; c) information and communication; and d) monitoring activities.
Control processes and procedures must include a system that ensures compliance with policies, regulations, and laws.
Compliance assessment of policies includes, among other aspects:
i) high-level reviews on progress toward established objectives.
ii) verification of management control compliance.
iii) review of treatment and resolution of non-compliances.
iv) assessment of required approvals and authorizations to ensure accountability according to an appropriate management level.
v) monitoring of approved exception reports with respect to thresholds or limits, cancellation management, and other deviations from policies, regulations, and laws.
Control processes and procedures must address how the financial entity ensures its operational resilience in both normal situations and disruption cases, reflecting the due diligence of respective functions, in accordance with the entity's operational resilience approach.
An effective control environment also requires adequate separation of responsibilities with dual controls. Conflicts of interest must be identified, minimized, and subject to careful independent control and review.
Furthermore, financial entities must ensure that other internal controls exist, as applicable, to address operational risk, such as:
a) clearly established authorities and/or approval processes;
b) monitoring of compliance with established risk thresholds or limits;
c) protection for access and use of the entity's assets and records;
d) staff competence and training to maintain technical expertise;
e) continuous processes to identify business units or products where returns appear not in line with reasonable expectations;
f) periodic verification and reconciliation of transactions and accounts; and
g) vacation policy stipulating that officials and employees will be absent –without communication with any entity agent (neither remote nor otherwise)– for a period of no less than 2 (two) consecutive weeks.
Effective use and robust implementation of technology can contribute to the control environment. Entities must have an integrated approach to identify, evaluate, track, control, and mitigate technology risks in line with operational risk management guidelines. Regarding information technology aspects, applicable specific regulations on technology and information security will apply.
In cases where internal controls do not adequately address risk, the entity may seek to transfer risk by using risk coverage tools or programs such as insurance policies, which must be used as a complement to