2020-12-18
Added · Updated
The Hong Kong Monetary Authority issued this guide to establish the Enhanced Competency Framework on Operational Risk Management, aiming to develop a sustainable talent pool and raise professional competence for banking practitioners. The non-statutory framework defines competency and qualification standards for relevant practitioners, offering certification as Associate or Certified Operational Risk Management Professionals through specific training modules and examinations administered by the Hong Kong Institute of Bankers. It also outlines grandfathering provisions for experienced staff, mandatory continuing professional development requirements, and the scope of roles covered within authorized institutions.
Guide to Enhanced Competency Framework on Operational Risk Management Hong Kong Monetary Authority 18 December 2020
1 Basel Committee on Banking Supervision, Principles for the Sound Management of Operational Risk, June 2011
6 - processes and systems, based on the AI’s own defined operational risk management strategy and risk appetite. • Perform operational risk and control selfassessments, including mapping of key risks and identification and quantification of risk indicators. • Perform scenario analysis/assess ment and stress testing to identify potential operational losses, followed by subsequent analysis based on event type. • Perform both qualitative and quantitative monitoring and reporting of the AI’s exposure to all types of operational risk, including trend analysis of risk profiles. • Report outcomes from operational risk assessments to senior management. Assess the quality and appropriateness of remedial actions identified. • Monitor and review the limits of operational risk regulatory and economic capital. • Ensure that adequate monitoring and reporting controls are in place to identify and address operational risks. • Ensure reporting and escalation of operational risk events/incidents occurs in a timely manner, and that periodic monitoring of issue resolution occurs to ensure timely resolution. risks. • Have a system in place for ensuring compliance with internal policies concerning the AI’s operational risk management system. • Assess operational risk control effectiveness, including control design and execution. • Maintain operational risk management system and quality of operational loss data. • Initiate, manage, and execute governance and controls related initiatives/tasks to ensure full compliance of operational risk policies and regulatory requirements. Ensure these tasks are completed in a timely manner. in the event of severe business disruption. • Perform testing of the plans regularly and update the plans regularly to incorporate changes to operations, business requirements, and risks to ensure an efficient response is provided to business interruption events. 3.2 The ECF-ORM is intended to apply to staff whose primary responsibilities are performing operational risk governance, operational risk identification and assessment, operational risk
7 - monitoring and reporting, operational risk control and mitigation, and business resiliency and continuity planning within an AI. 3.3 Specifically, it is aimed at “Relevant Practitioners” (RPs) located in the Hong Kong office of an AI who perform the operational risk management job roles listed in Table 2 below. Table 2 – Job roles of the ECF-ORM Role 1 – Operational Risk Management (i.e. staff in charge of managing operational risks in the second line of defence) Role 2 – Business Function Risk and Control (i.e. staff working at the business units to manage operational risks in the first line of defence) Responsibilities • Assist management in meeting their responsibility for understanding, monitoring and managing operational risks; • Develop and ensure consistent application of operational risk policies, processes, and procedures throughout the AI; • Ensure that the first line of defence activities are compliant with such policies through conformance testing; • Perform and assess stress testing and related scenario analysis; and • Provide training to and advise the business units on operational risk management issues. • Work within the first line of defence alongside management to be accountable for managing operational risk of business activities in the first line of defence; • Escalate operational risk events to senior management and operational risk management staff in the second line of defence, as required; • Work closely with operational risk management staff in the second line of defence to ensure consistency of policies and tools, as well as to report on results and issues; and • Develop risk indicators, determine escalation triggers and provide management reports. 3.4 The definition of RPs has taken into account differences among AIs in how operational risk management practitioners are assigned within different organisational structures. Functional roles rather than the functional titles of staff members should be essential in considering whether the definition of RPs is met. To facilitate the determination of whether a staff member falls under the scope of RPs, please refer to the key tasks outlined in Annex 1. 3.5 It should be noted that the ECF-ORM is not intended to cover staff members performing the following functions: a) Practitioners performing cybersecurity roles within an AI as they are subject to the ECF-
8 - Cybersecurity. Please refer to the HKMA’s Guide to ECF on Cybersecurity for details of these roles. b) Practitioners currently performing corporate and administrative services within an AI, including (but not limited to) human resources, IT, corporate security and marketing. c) Staff in the operational risk management functions within an AI who are performing solely clerical and administrative duties or other incidental functions. d) Staff in the legal/compliance or the internal audit function of an AI (it should be noted that Core Level and Professional Level qualifications and/or grandfathering can be achieved through internal audit experience related to operational risk management and controls within an AI. Please refer to sections 5.1 and 7.1 below for more details). e) Senior management or relevant risk committee members (e.g. operational risk committee members) other than the manager or person-in-charge of the operational risk management department. 3.6 For the avoidance of doubt, a staff member is not required to work full time in the operational risk management function or perform all of the roles specified in the job description in order to be classified as a RP. AIs are expected to adopt a principles-based approach when determining whether a staff member with multiple job roles falls within the definition of RPs for the ECF-ORM by assessing the significance of the operational risk management role performed by the staff member. AIs are expected to justify their decisions made in this regard.
2 In general, the administrator of the ECF-ORM will consider whether the nature of work experience is substantially the same as that described in the operational risk management roles 1 and 2 in Annex 1. Relevant work experience may be obtained from AIs and/or non-bank financial institutions. As for work experiences related to operational risk management gained from other non-banking industries, they will be considered on a case-by-case basis. 3 Please see footnote 2.
4 Please see footnote 2. 5 Please see footnote 2.
6 Please see footnote 2. 7 Please see footnote 2.
8 Please see footnote 2.
15 - (b) For other institutions, they are required to complete the accreditation by HKCAAVQ to confirm that their learning programmes can meet the ECF training objectives and the corresponding QF Level. 11.4 HKCAAVQ will accept applications for ECF accreditation starting 2 January 2021. 11.5 Based on the relevant accreditation or assessment report submitted by the applicant, the ECF Steering Committee will confirm whether the training programme is or is not successful in qualifying as an ECF accredited programme. The route for ECF accreditation mechanism is illustrated at Annex 4.
16 - Annex 1 - ECF-ORM: Key roles and tasks for Relevant Practitioners Role 1 – Operational Risk Management Role 2 – Business Function Risk and Control Core Level (For entry-level and junior-level staff with 0-5 years of experience) Examples of functional title (for reference only) Operational risk analyst, assistant operational risk manager Key Tasks • Assist in conducting operational risk monitoring duties (e.g. monitoring operational risk indicators), reviewing and updating operational risk policies, guidelines and procedures, and handling of operational risk events • Assist in conducting operational risk control self-assessments (i.e. bottom up process to identify and evaluate risks and associated controls) • Design and test controls on operational risks, with oversight and input from line managers • Assist in performing operational risk assessments (i.e. top down assessment of the inherent risk and any controls that may exist) • Assist in developing and implementing operational risk mitigation plans and in the roll-out of strategic level governance • Assist in identifying compliance and internal control issues, and monitor the ongoing progress of remedial actions • Assist in preparing operational risk reports, dashboards and metrics • Assist in promoting positive risk culture and risk awareness across the AI /within business units • Assist in preparing training materials and organising training on operational risk for staff Role 1 – Operational Risk Management Role 2 – Business Function Risk and Control Professional Level (For staff taking up middle-level or senior positions in the risk management function with 5+ years of experience) Examples of functional title (for reference only) Operational risk manager Business risk control manager, in-business control manager, branch operation manager Key Tasks • Manage operational risks and formulate, review and update operational risk policies, guidelines, processes and procedures throughout the AI • Develop and review comprehensive policies and procedures for crisis management, including but not limited to factors triggering a crisis, escalation mechanisms, involvement of relevant functions, and external and internal approaches to handling the crisis • Initiate, manage and execute risk governance, internal controls and processes with the overall objective of operational risk management, control awareness and enhancement to operational efficiency. Ensure full compliance with policies and • Conduct operational risk control selfassessments within business functions (i.e. bottom up process to identify and evaluate risks and associated controls), where applicable • Conduct operational risk assessments to identify, assess, review, monitor and mitigate operational risks within the business function (i.e. top down assessment of the inherent risk and any controls that may exist) • Implement operational risk management and control strategies within the business function as set out by the AI’s global risk and compliance functions. Ensure full compliance with policies and regulatory requirements • Analyse business impact of different kinds of
17 - Role 1 – Operational Risk Management Role 2 – Business Function Risk and Control Professional Level (For staff taking up middle-level or senior positions in the risk management function with 5+ years of experience) regulatory requirements • Maintain oversight and monitoring of the operational risk management system and the quality of the generated operational loss data • Conduct operational risk control selfassessments (i.e. bottom up process to identify and evaluate risks and associated controls), or analyse and challenge the selfassessment results if the self-assessments are conducted by Role 2 (whichever is applicable) • Conduct operational risk assessments to identify, assess, review, monitor and mitigate operational risks (i.e. top down assessment of the inherent risk and any controls that may exist in all existing or new material products, processes and systems) based on the AI’s own defined operational risk strategy and risk appetite • Perform both qualitative and quantitative monitoring and reporting of the AI’s exposure to all types of operational risk, including trend analysis of risk profiles and review of the limits of operational risk regulatory and economic capital • Identify compliance and internal control issues • Execute operational risk monitoring duties and escalate incidents and operational risk events to senior management • Report to senior management the proposed remedial actions of operational risk assessments and monitor the ongoing progress of remedial actions • Report and escalate operational risk events/incidents in a timely manner and monitor issue resolution to ensure timely responses are provided • Compile operational risk reports, dashboards and metrics for management reporting • Undertake scenario analysis/assessment to identify potential operational losses and monitor operational risk profiles and material exposures to losses on an on-going basis • Develop and evaluate effectiveness of business continuity and disaster recovery strategy • Provide practical recommendations on the remedial actions to be taken to address disasters or crisis • Implement and maintain operational risk tools, dashboards and metrics to identify, analyse and mitigate operational risk within the business function • Develop operational risk control measures • Assist management in maintaining oversight on key operational risks, controls and enhancement initiatives and ensure effective and efficient internal controls and practices are in place • Facilitate the testing of relevant controls as a part of the annual test plan and business continuity plan when required • Identify compliance and internal control issues within business functions • Conduct operational risk monitoring duties and escalate incidents and risk events to operational risk management unit and senior management • Report to senior management and operational risk management unit the progress of remedial actions of operational risk assessments • Report and escalate operational risk events/incidents within business functions in a timely manner and monitor issue resolution to ensure timely responses are provided • Manage and provide oversight of completion of follow-up and remedial actions (e.g. further investigation) relating to operational risk events identified during the operational risk assessment process • Assist management in maintaining oversight on key operational risks, controls and enhancement initiatives and ensure effective and efficient internal controls and practices are in place • Liaise and coordinate with other control functions on standards and regulatory interpretation, and operational risk and control activities • Monitor completion of follow-up and remedial actions relating to operational risk incidents and events • Monitor and review the limits of operational risk regulatory and economic capital • Promote positive risk culture and risk awareness in different business units
18 - Role 1 – Operational Risk Management Role 2 – Business Function Risk and Control Professional Level (For staff taking up middle-level or senior positions in the risk management function with 5+ years of experience) operational risk events, assess the quality and appropriateness of remedial actions identified and seek to improve the overall operational risk management process for the AI • Manage completion of follow-up actions (e.g. further investigation) relating to operational risk events identified during the operational risk assessment process • Conduct operational due diligence to ensure that operational risk management has been appropriately considered and implemented for new products and services, including thematic reviews of operational risk management • Advise business units on operational risk management issues • Undertake consistent liaison and collaboration with:
Internal departments such as legal, human resources, information technology and finance on operational risk related topics
Operational risk management subject matter experts (e.g. IT, Conduct, Fraud, Outsourcing, Data Privacy)
Internal audit and external audit • Promote positive risk culture and risk awareness across the AI • Conduct training sessions on operational risk for staff, including content review and training delivery • Play an active role in training sessions on operational risk for staff, including content review and training delivery
19 - Annex 2 - ECF-ORM: Competency framework Role 1 – Operational Risk Management Role 2 – Business Function Risk and Control Core Level Qualification and experience • Completion of Module 1 to Module 3 of the ECF-ORM Core Level training programme (benchmarked at the QF Level 4) Certification title • Associate Operational Risk Management Professional (AORP) Exemption RP who has passed the following related training programme(s) is eligible to apply for exemption on Module 1 of the ECF-Operational Risk Management Core Level training programme: • Certification in Risk Management Assurance of the Institute of Internal Auditors; or • Bachelor’s or higher degree in law; or • Professional Ethics and Compliance module under the Advanced Diploma for Certified Banker (Stage I) of the HKIB; or • Certified Professional Risk Manager of the Asia Risk Management Institute (ARIMI); or • Certified Public Accountant of the Hong Kong Institute of Certified Public Accountants (HKICPA); • Full member of Association of Chartered Certified Accountants (ACCA); or • Members of overseas accountancy bodies which are eligible for full exemption from the qualification programme for membership admission at the HKICPA under the HKICPA’s reciprocal membership and mutual recognition agreements (as listed on its website) RP who has passed the following related training programme(s) is eligible to apply for exemption on Module 3 of the ECF-Operational Risk Management Core Level training programme: • Operational Risk Manager Certificate of the Professional Risk Managers' International Association (PRMIA); or • Professional Risk Manager of the PRMIA; or • Certificate in Operational Risk Management of the Institute of Operational Risk (IOR), which is now a part of the Institute of Risk Management (IRM) Group (Remarks: Other equivalent academic/professional qualifications in operational risk management may be considered for exemption on Module 1 and/or Module 3 on a case-by-case basis. RPs will need to provide detailed information on such qualifications (e.g. training course syllabus, examination syllabus) to the HKIB to facilitate their assessment.) Grandfathering (on a one-off basis) Path (i) • Possessing at least 3 years of relevant work experience in operational risk management, business function risk and control gained from AIs and/or non-bank financial institutions, and/or internal audit (related to operational risk management and controls within an AI); and • Employed by an AI at the time of application. OR Path (ii) • Completion of one of the following training programmes: - Operational Risk Manager Certificate of the PRMIA; or - Professional Risk Manager of the PRMIA; or - Certificate in Operational Risk Management of the IOR, which is now a part of the IRM Group; • Possessing at least 2 years of relevant work experience in operational risk management, business function risk and control gained from AIs and/or non-bank financial institutions, and/or internal audit (related to operational risk management and controls within an AI); and
20 - • Employed by an AI at the time of application. CPD requirements • A minimum of 12 CPD hours is required for each calendar year, of which at least 6 hours should be on topics related to compliance, legal and regulatory requirements, risk management and ethics • Qualified CPD activities include attending seminars or courses provided by AIs, financial services regulators, professional bodies and academic and training institutions and the HKIB; attending e-learning; and delivering training and speeches
21 - Role 1 – Operational Risk Management Role 2 – Business Function Risk and Control Professional Level Qualification and experience • Completion of Module 4 of the ECF-ORM Professional Level training programme (benchmarked at QF Level 5) on top of the Core Level qualification; and • Having at least 5 years of relevant work experience in operational risk management, business function risk and control, and/or internal audit (related to operational risk management and controls within an AI) Certification title • Certified Operational Risk Management Professional (CORP) Grandfathering (on a one-off basis) Path (i) • Possessing at least 8 years of relevant work experience in operational risk management, business function risk and control gained from AIs and/or non-bank financial institutions, and/or internal audit (related to operational risk management and controls within an AI), of which at least 3 years must be gained from Professional Level job roles within an AI; and • Employed by an AI at the time of application OR Path (ii) • Completion of HKIB’s Postgraduate Diploma for Certified Banker (Operations Management Stream); and • Possessing at least 5 years of relevant work experience in operational risk management, business function risk and control gained from AIs and/or non-bank financial institutions, and/or internal audit (related to operational risk management and controls within an AI); and • Employed by an AI at the time of application. CPD requirements • A minimum of 12 CPD hours is required for each calendar year, of which at least 6 hours should be on topics related to compliance, legal and regulatory requirements, risk management and ethics • Qualified CPD activities include attending seminars or courses provided by AIs, financial services regulators, professional bodies and academic and training institutions and the HKIB; attending e-learning; and delivering training and speeches
22 - Annex 3 - ECF-ORM: Learning outcomes and syllabus Learning outcomes Core Level (Benchmarked at QF Level 4) Module 1 – Ethics and Corporate Governance in Banking Industry Module 2 – Regulatory Framework and Compliance in Banking Industry Module 3 – Fundamentals of Operational Risk Management and Risk Governance Learning outcomes - after completing Modules 1 to 3, participants will be able to: • Comply with business ethics and understand their place within modern financial institutions; understand ethical questions encountered in the second line of defence in the context of the broader risk environment • Assess the regulatory landscape as per defined guidelines and procedures and identify operational risks encountered by different business units of the AI • Apply the principles and methodologies of operational risk management for conducting operational risk monitoring duties according to the AI’s policies and guidelines • Analyse operational risks within different business units and effectively measure the likelihood and impact of such risks • Apply appropriate techniques and requirements of operational risk assessments within different business units • Understand the typical types of controls used in the banking industry • Implement appropriate controls that effectively mitigate operational risks within different business units • Examine operational risk matters and report to relevant stakeholders • Analyse operational risk metrics and use operational risk reporting and dashboards to identify the potential operational risks Professional Level (Benchmarked at QF Level 5) Module 4 –Advanced Operational Risk Management Learning outcomes - after completing Module 4, participants will be able to: • Develop and establish operational risk management frameworks and associated policies and procedures • Evaluate the operational risks encountered by different business units of the AI and establish effective mitigating controls • Manage operational risks by using risk management control tools, e.g. risk control self-assessment (RCSA) and key risk indicators (KRIs) • Develop risk control measures by using scenario analysis and stress testing to identify potential operational risk events and assess their potential impact • Review the risk profile of the AI/business function and apply operational risk modelling to quantify and predict operational risks • Compile the dashboards and metrics to measure and analyse operational risks within different business units • Develop business continuity plan and recovery strategy • Build and promote a risk focussed culture within the AI/within the business function • Propose strategic operational risk advice and remedial actions to senior management on findings of operational risk events • Design and deliver operational risk training to business units
23 - Syllabus Core Level (Benchmarked at QF Level 4) Module 1 – Ethics and Corporate Governance in Banking Industry • Business ethics
Understand business ethics, their place within modern financial institutions, ethical questions encountered in the second line of defence in the context of the broader risk environment
Provide understanding of identification and analysis of ethical situations in financial institutions and the management of ethics
Overview of ethical behaviour application and ethical decision making in the second line of defence in the context of the broader risk environment • Understanding governance, risk and compliance
Fundamentals of governance, risk and regulatory compliance and why there is a need to understand the regulatory landscape for financial institutions
Key tenets of governance and culture for effective management of regulatory compliance e.g. why risk management is the key to effective compliance
The role of the compliance department and compliance professionals in Governance, Risk and Compliance • Corporate governance in banking industry and requirements mandated upon AIs
Corporate Governance Code (for listed AIs)
Code of conduct, common policies and procedures
Corporate social responsibility • Case studies, best practices and challenges associated with ethics and corporate governance in the banking industry Module 2 – Regulatory Framework and Compliance in Banking Industry • Overview of the regulatory framework under the Hong Kong Monetary Authority, the Securities and Futures Commission and the Insurance Authority
Overview of the regulatory regimes in Hong Kong, providing an understanding of how regulations and applicable laws impact the operations of financial institutions • HKMA Bank culture reform (Governance, Incentive systems, Assessment and Feedback mechanisms) • Introduction to international regulation (roles of regulator, regulatory powers, different international regulatory models, latest market trends) • Regulatory objectives and relevant mandates
Personal Data (Privacy) Ordinance
EU General Data Protection Regulation (GDPR)
Code of Banking Practice
Code of Conduct for Persons Licensed by or Registered with the Securities and Futures Commission
Common Reporting Standards (CRS) • Supervisory approach and Manager-In-Charge (MIC) Regime
Specific overview of the MIC regime and the compliance implications upon AIs in Hong Kong • Formulation of internal policies, standards and guidelines
An overview of best practices in the implementation of internal governance documents (including internal policies, standards and guidelines) to ensure compliance with regulatory frameworks • Registration and licensing requirements, including listing rules (for listed AIs)
The process that needs to be undertaken to ensure compliance with registration and licensing regulations • Examples of regulatory breaches associated with operational risk incidents • Case studies, best practices and challenges associated with adapting to regulatory changes in the banking industry Module 3 – Fundamentals of Operational Risk Management and Risk Governance • Overview and definition of operational risk • Drivers of operational risk (e.g. processes, people, systems and external events) • Different types of operational risks
Conduct, External events, Financial Crime, Fraud, Legal and Compliance, Information Technology • Operational risk events and their consequences • Relationship between operational risk and other types of risks • Components of the risk framework and governance structure • Overview of three lines of defence model - Roles and responsibilities of risk management and control functions
24 - and their interdependence • Roles and responsibilities of the Board and senior management • Effective risk culture and indicators • Development of risk governance in the market and emerging operational risks • Principles of operational risk management framework and implementation (including risk governance frameworks, risk identification and assessment, risk control and mitigation, risk monitoring and reporting, and business resiliency and continuity planning) • Operational risk management policy and procedures (including principles, application and scope)
Operational risk planning and processes
Operational risk appetite framework
Operational risk impact • Overview of operational risk measurement – frequency and severity
Overview of operational risk assessment
Overview of operational risk reporting and dashboards • Understanding financial products offered in the banking industry and their operational risk implications • Technology risk management, such as cybersecurity, data privacy and protection, IT change and system disruption, including examples of control activities • Overview of disaster recovery and business continuity plans • Enterprise risk management framework • Case studies, best practices and challenges associated with operational risk management and risk governance Professional Level (Benchmarked at QF Level 5) Module 4 – Advanced Operational Risk Management • Operational risk assessment • Scenario modelling and analysis, sensitivity testing
Stress testing (Value at Risk, Extreme Market Conditions) • Key risk indicators (KRIs), Key performance indicators (KPIs), Key control indicators (KCI) and respective metrics • Capital requirements for operational risk – approaches under the Basel framework (including the existing approaches - Basic Indicator Approach (BIA), Standardised Approach (SA), Alternative Standardised Approach (ASA) and Advanced Measurement Approach (AMA), and the Revised Standardised Approach that is scheduled to come into effect from 2022 based on the implementation timetable of the Basel Committee on Banking Supervision (BCBS)) • Risk control self-assessment (RCSA) (e.g. workflow, methodology, toolkits)
Operational risk process and control analysis
Process risk mapping and control, business process management tools
Operational risk reporting and dashboards • Operational due diligence of new products and services • Incident and loss reporting, loss (internal and external) data collection, distribution and analysis • Requirements to ensure adherence to regulatory and supervisory frameworks for Authorised Institutions
Compliance with regulatory standards
Supervisory approach of regulators
On-site examination and prudential meetings • Building contingency, business continuity and recovery planning • Guidelines from the BCBS
Principles for the Sound Management of Operational Risk • Associated operational risks related to the key areas for future banking including green and sustainable banking, and digital banking services • Key components of successful operational risk management implementation
Importance and application of trainings in operational risk management
Communication and engagement plan of operational risk management in the workplace
Communication with senior management on operational risk topics • Oversight, monitoring and understanding of relevant Operational Risk Management processes taken up by subject matter experts (e.g. IT, Conduct, Fraud, Outsourcing, Data Privacy) • Key challenges and the future of operational risk management • Creating a strong risk culture and awareness • Case studies, best practices and challenges associated with operational risk assessment
25 - Annex 4 – Accreditation mechanism for the ECF-ORM Subject to re-accreditation/re-assessment by HKCAAVQ Endorsement by ECF Steering Committee Applicant to notify ECF Steering Committee the intention of obtaining accreditation with programme objectives & learning outcomes, programme syllabus, training materials, and trainers’ profile for record Obtain ECF and QF accreditation through HKCAAVQ Submit proof of ECF and QF accreditation Training programme accredited for ECF Register on the QR Submit proof of ECF assessment