G6/2014: Application Process for Approval to Adopt the Standardised or Alternative Standardised Approach for Measuring Banks' Operational Risk Exposure

South African Reserve Bank
From the Office of
the Registrar of Banks

Ref: 15/8/2
G6/2014

2014-07-22

To: All banks, branches of foreign institutions, controlling companies, eligible institutions and auditors of banks or controlling companies

Guidance Note G6/2014 issued in terms of section 6(5) of the Banks Act, 1990

Application process for approval to adopt the standardised approach or alternative standardised approach for measuring banks’ operational risk exposure

## Executive summary

In terms of regulation 33(8) of the Regulations relating to Banks (the Regulations), banks, branches of foreign institutions and controlling companies (hereinafter collectively referred to as ‘banks’) are required to obtain prior written approval from the Registrar of Banks to adopt the standardised approach (TSA) or alternative standardised approach (ASA) for measuring their exposure to operational risk.

The purpose of this guidance note is to inform all banks of the process to be followed and the information to be submitted when applying to adopt the TSA or ASA. This guidance note relates to all future applications to obtain the relevant approval from the Registrar and does not require banks that received approval previously to reapply.

1. Guidance on submitting an application to adopt the standardised approach or the alternative standardised approach

1.1 All banks intending to adopt the TSA or ASA are required to submit a duly completed TSA/ASA application pack, attached hereto as Annexure A. This includes the information stipulated in the various sections of the application pack and a duly completed declaration signed by the applicant bank’s chief executive officer.

---

2

1.2 This guidance note relates to all future applications to obtain the relevant approval from the Registrar and does not require banks that received approval previously to reapply.

1.3 Banks should notify this Office of their intention to apply to adopt the TSA/ASA at least six months prior to submitting a formal written application.

1.4 This Office requires a period of up to 12 months to consider the application. Upon instruction by this Office, applicant banks will also be required to perform a BA return reporting parallel run during the above-mentioned application period.

1.5 In accordance with the requirements specified in regulation 33(4) of the Regulations, banks are hereby reminded that once a bank has adopted one of the more sophisticated approaches for the measurement of the bank’s exposure to operational risk, the bank shall not revert to a simpler approach without the prior written approval of the Registrar.

2. Acknowledgement of receipt

Two additional copies of this guidance note are enclosed for use by your institution’s independent auditors. The attached acknowledgement of receipt, duly completed and signed by both the chief executive officer of the institution and the said auditors, should be returned to this Office at the earliest convenience of the aforementioned signatories.

René van Wyk
Registrar of Banks

Encl. 3

The previous guidance note issued was Guidance Note G5/2014, dated 8 July 2014.

---

Annexure A

Application process for approval to adopt the standardised approach or alternative standardised approach for measuring banks’ operational risk exposure

Page 1 of 6

---

1. Introduction

This document sets out the information to be submitted to the Office of the Registrar of Banks (this Office) of the South African Reserve Bank (SARB) by a bank when applying to adopt the standardised approach (TSA) or alternative standardised approach (ASA) for operational risk capital measurement.

A duly completed application should contain the following:

1.1. Responses to requests for information as contained in this paper (further requests for information, including additional documentation, may be required during the process).

1.2. The declarations and signatures form (signed by the chief executive officer of the applicant bank).

> **Note**
> The submission of a signed application by an applicant bank confirms that the applicant bank grants consent for any information provided as part of the application to be shared with other regulators for the purposes of the approval process.

All information is to be submitted both in electronic format (via CD or USB drive), and hard copy.

2. Scope of application

The application process applies to all banks wishing to adopt the TSA/ASA to calculate their operational risk capital requirement.

Where applications are made by banks with international activities, this Office reserves the right to share the information contained in the application pack with other regulators as needed to support the approval process.

3. Application requirements

Banks are required to provide this Office with the following:

a) summary information on its plans for TSA/ASA implementation;

b) explanation of how the TSA/ASA implementation is organised with respect to the division of responsibilities and capacity allocated;

c) list of entities included in the application;

d) the applicant bank’s approach to a number of key areas such as governance;

e) how the applicant bank has met the TSA/ASA qualifying criteria as contained in legislation;

f) the organisational design of the group, including business lines and control functions;

Page 2 of 6

---

g) description of the group and legal entity structures;

h) overview of the management committee structure;

i) processes followed in dividing the applicant bank’s activities into the eight business lines as contained in legislation;

j) design and implementation of an internal operational risk system;

k) role of internal audit;

l) role of external audit;

m) key contact person in the applicant bank for the TSA/ASA application.

4. Overview of the applicant bank’s own self-assessment against relevant standards

The information requested in this section is designed to provide this Office with an overview of the applicant bank’s own self-assessment conducted against the TSA/ASA minimum standards. This Office proposes to take into account the comprehensiveness and quality of the work undertaken as part of the self-assessment when scoping the supervisory review work.

This Office expects that as part of the application requirements above, applicant banks will produce evidence to demonstrate that it has met the required TSA/ASA minimum standards as stipulated in the Regulations.

This Office recommends that applicant banks initially submit the following completed annexures with regard to the work undertaken to meet the TSA/ASA qualifying criteria:

4.1 Confirmation that self-assessments have taken place and been reviewed by signatory.

- Annexure B – Operational risk self-assessment template.
- Annexure C – Principles for the Sound Management of Operational Risk¹ template.

4.2 A brief description of the self-assessment processes applicant banks have undertaken, including how self-assessments against each relevant qualitative and quantitative standard were carried out, and details of any parallel runs undertaken prior to the application, including the results and remedial actions taken for unsatisfactory performance against the relevant standard. This section should also include a description of the governance processes followed in terms of completion of the self-assessments.

4.3 Exception-based results of self-assessments, including an indication of the applicant bank’s view of materiality. Outline the steps being taken to comply with relevant legislation and indicate the expected completion date of such steps.

¹ Available at http://www.bis.org/publ195.htm.

Page 3 of 6

---

5. Summary of the applicant bank’s approach in a number of key areas

This section is designed to give this Office a summary of the applicant bank’s approach in a number of key areas including, but not limited to, governance, internal audit involvement and IT components. This Office is of the opinion that an applicant bank’s approach in these areas will be important in determining whether the TSA/ASA application is ultimately approved. These are areas that this Office intends to pay particular attention to in its supervisory review work; however, this could be expanded to focus on additional areas if this Office considers it necessary.

5.1 Governance

As contained in the application requirements, this Office requested high-level information on the applicant bank’s governance of operational risk. In this section, this Office requires applicant banks to provide more granular information on operational risk governance. Information to be submitted should include:

5.1.1 A summary of the applicant bank’s approach to the governance of operational risk.

5.1.2 A brief explanation of the role of the board (it should be made clear where the board delegates authority to a sub-committee or executive management).

5.1.3 A brief explanation of the role of the operational risk management function and how its independence is ensured; the role of the audit/risk committee; the more general role of senior management in operational risk management; and the role of internal and external audit.

5.1.4 A brief explanation of reporting structures (including how and the frequency with which operational risk committees report upwards to risk management, internal audit and board functions).

5.1.5 A brief explanation of the nature and extent of management information produced at each level within the organisation. Applicant banks should be able to provide a description and example of high-level management information that is produced. Applicant banks should also explain how the nature and content of management information are determined and reviewed, and describe how this is assessed as relevant on an ongoing basis.

5.1.6 A brief overview of the operational risk decision-making process and how it works in practice at different levels within the applicant bank.

Page 4 of 6

---

5.2 Overview of internal audit’s involvement

This Office regards internal audit’s involvement in the implementation of TSA/ASA as crucial. The application should hence detail internal audit’s tasks relating to TSA/ASA. The information on the role of internal audit should at a minimum include:

5.2.1 The tasks, responsibilities and independence of internal audit.

5.2.2 A description of and motivation for both the audit approach and the audit plan.

5.2.3 Details on the available capacity for audit tasks.

5.2.4 An overview of the audit examinations of the progress of the TSA/ASA implementation, roll-out of and compliance with relevant (proposed) legislation, and the allocation of a rating according to the applicant bank’s internal measurement system.

5.2.5 An overview of all unresolved high-risk issues (as per the applicant bank’s internal definition), including action plans and expected timelines to resolve them.

5.3 Information technology components (systems, platforms, network components)

The applicant bank should clarify its policy in relation to the IT components that will be used in the TSA/ASA. It should submit the following as a minimum requirement:

5.3.1 A diagram of the centralised and decentralised IT architecture.

5.3.2 The classification of the IT components relating to confidentiality, integrity and availability.

5.4 Documentation

A list of all the internal documents the applicant bank holds that it considers relevant to the application, including a brief description of their contents.

6. Section E – Sign-off

This section should be signed by the chief executive officer of the applicant bank.

6.1 Declaration

By signing and submitting this application form:

- I declare that I am duly authorised to do so.

Page 5 of 6

---

- I confirm that the information contained within this application is correct, complete, accurate and truthful, and represents a true and fair view to the best of my knowledge and belief and that I have taken all reasonable steps to ensure that this is the case.

- I confirm that I am aware that it may be an offence knowingly or recklessly to give the SARB information that is false or misleading in a material particular.

- I acknowledge that some questions do not require the bank to provide supporting evidence in response. However, the records that demonstrate compliance will be available to the SARB on request.

- I acknowledge that I will notify the SARB immediately if there is a significant change to the information given in the form. If I fail to do so, this may result in a delay in the application process.

- I confirm that I consent to any information provided in relation to this application to be shared with relevant regulators at the SARB’s discretion.

Date: ___________________________

Name of signatory: ___________________________

Position of signatory: ___________________________

Signature: ___________________________

Page 6 of 6