Principles for the Sound Management of Operational Risk

370 Helen Joseph Street Pretoria 0002 +27 12 313 3911 / 0861 12 7272 www.resbank.co.za 1 Ref.: 15/8/1/3 D9/2021 To: All banks, controlling companies, branches of foreign institutions, eligible institutions and auditors of banks or controlling companies Directive issued in terms of section 6(6) of the Banks Act 94 of 1990: Principles for the Sound Management of Operational Risk Executive summary Regulation 39 of the Regulations relating to Banks (the Regulations) requires banks, controlling companies and branches of foreign institutions (hereinafter collectively referred to as ‘banks’) to establish and maintain a process of sound corporate governance. This process includes the maintenance of effective risk and capital management by banks. In order to achieve the objective relating to the maintenance of effective risk and capital management, every bank should have in place the relevant required risk management processes, procedures and board-approved policies. The purpose of this directive is to direct banks to comply with specified international best practices related to operational risk.

1. Introduction 1.1. In March 2021, the Basel Committee on Banking Supervision (BCBS) published a document relating to operational risk, namely “Revisions to the Principles for the Sound Management of Operational Risk”.1 This document replaces the document initially released by the BCBS in June 2011. The principles and related information contained in the aforesaid document establish sound practices applicable to all banks.
2. Revisions to the Principles for the Sound Management of Operational Risk 2.1. Except for operations pertaining to insurance, all banks, branches of foreign institutions, controlling companies, subsidiaries of banks and subsidiaries of controlling companies need to be assessed against the principles contained in the above-mentioned document issued by the BCBS during March 2021. 1 Available at https://www.bis.org/bcbs/publ/d515.htm

2 2.2. Regulation 39 of the Regulations requires all banks to establish and maintain a robust process of corporate governance that is consistent with the nature, complexity and risk inherent in the bank's on-balance sheet and off-balance sheet activities and that responds to changes in the bank's environment and conditions. This process includes the maintenance of effective risk management and capital management by the bank. In order to achieve the objective relating to the maintenance of effective risk management and capital management, every bank is required to have in place comprehensive risk management processes, practices and procedures, and board-approved policies. 2.3. Banks, branches of foreign institutions, controlling companies, subsidiaries of banks and subsidiaries of controlling companies, excluding any subsidiary that conducts insurance business, are accordingly directed to assess their current policies, processes and practices against the principles contained in the aforesaid document related to international best practices for operational risk. 2.4. As an integral part of its supervisory processes, the PA will be reviewing banks’, branches of foreign institutions’, controlling companies’, subsidiaries of banks and subsidiaries of controlling companies’, excluding any subsidiary that conducts insurance business, operational risk policies, processes and practices on a continual basis in order to assess their appropriateness, in line with the principles contained in the aforementioned document issued by the BCBS. In accordance with regulation 38(4) of the Regulations, if the PA is of the opinion that a bank’s policies, processes and procedures relating to operational risk are inadequate, the PA, among other things, may require the said bank: 2.4.1. to maintain additional capital, calculated in such a manner and subject to such conditions as may be specified in writing by the PA; and/or 2.4.2. to duly align the bank’s operational risk policies, processes, or procedures with the bank’s relevant exposure to the risk. 2.5. All banks, branches of foreign institutions, controlling companies, subsidiaries of banks and subsidiaries of controlling companies, excluding any subsidiary that conducts insurance business, must comply with this Directive and complete their respective assessments within 12 months of the publication date of this Directive.

3 3. Acknowledgement of receipt Kindly ensure that a copy of this Directive is made available to your institution’s external auditors. The attached acknowledgement of receipt duly completed and signed by both the chief executive officer of the institution and the said auditors should be returned to the PA at the earliest convenience of the aforementioned signatories. Kuben Naidoo Deputy Governor and CEO: Prudential Authority Date: 2021-11-12 The previous Directive issued was Directive 8/2021, dated 29 October 2021