PRU 6.1 Operational Risk: Prudential Systems and Controls
Application
PRU 6.1 applies to an insurer unless it is:
- (1)
- (2) an incoming EEA firm; or
- (3)
PRU 6.1 applies to:
- (1) an EEA-deposit insurer; and
- (2)
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
Purpose
This section provides guidance on how to interpret PRU 1.4.18 R and PRU 1.4.19 R (2) (which relate to the design and documentation of risk management systems) in so far as they relate to the management of operational risk in a prudential context. Operational risk has been described by the Basel Committee on Banking Supervision as "the risk of loss, resulting from inadequate or failed internal processes, people and systems, or from external events". Thus this section covers systems and controls relating to risks concerning any of the firm's operations, whether caused by internal or external matters. However, it does not cover systems and controls as they relate to credit, market, liquidity and insurance risk. Examples of operational risk exposures that the systems and controls covered in this section are meant to address include internal and external fraud; failure to comply with employment law or meet workplace safety standards; damage to physical assets; business disruptions and system failures; and transaction processing failures.
Operational risk concerns the FSA in a prudential context because inappropriate systems and controls for the management of operational risk can adversely affect the solvency or business continuity of a firm, threatening the regulatory objectives of market confidence and consumer protection.
This section contains guidance on how a firm should determine, in a prudential context, its policy for operational risk management and its processes for the identification, assessment, monitoring and control of operational risk. In addition, guidance is provided on record keeping in relation to operational risk.
The guidance contained within this section is not designed to be exhaustive. When establishing and maintaining its systems and controls for operational risk, a firm should have regard to other parts of the Handbook as well as the material that is issued by other industry or regulatory bodies. In particular, a firm should read this section in conjunction with SYSC 3A (Operational Risk Systems and Controls) which contains high level guidance on the management of people, processes and systems, and external events in relation to operational risk. SYSC 3A also outlines some guidance on the areas that are covered by operational risk systems and controls (including the FSA's interpretation of some frequently used risk management terms in relation to operational risk), business continuity management, outsourcing, and the role of insurance in financing operational risk. In addition, a firm should read PRU 1.4, which contains the FSA's general policy on prudential systems and controls. PRU 1.4 contains some rules and guidance on which this section offers additional guidance.
Appropriate systems and controls for the management of operational risk will vary with the scale, nature and complexity of a firm's activities. Therefore the material in this section is guidance. A firm should assess the appropriateness of any particular item of guidance in the light of the scale, nature and complexity of its activities as well as its obligations as set out in Principle 3 to organise and control its affairs responsibly and effectively.
General Requirements
High level rules and guidance for prudential systems and controls, including those for operational risk, are set out in PRU 1.4. In particular:
- (1) PRU 1.4.18 R requires a firm to take reasonable steps to ensure that the risk management systems put in place to identify, assess, monitor and control operational risk are adequate for that purpose;
- (2) PRU 1.4.19 R (2) requires a firm to document its policy for operational risk, including its risk appetite and how it identifies, assesses, monitors and controls that risk; and
- (3) PRU 1.4.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems.
Operational risk policy
Much of the management of operational risk is about identifying, assessing, monitoring and controlling failures or inadequacies in a firm's systems and controls. As such, a firm may often find that there is no clear boundary between its risk management systems for operational risk and all its other systems and controls. When drafting its operational risk policy, a firm should try to distinguish between its systems and controls for credit, market, liquidity and insurance risk, and its systems and controls for operational risk. Where such a distinction is not possible a firm should still try to identify those systems and controls that are used in the management of operational risk, even when they have other purposes as well.
A firm should document its policy for managing operational risk. This policy should outline a firm's strategy and objectives for operational risk management and the processes that it intends to adopt to achieve these objectives. In complying with PRU 1.4.19 R (2), the documented operational risk policy of a firm should include:
- (1) an analysis of the firm's operational risk profile (see the FSA's interpretation of this term in SYSC 3A.5.1 G (3)), including where relevant some consideration of the effects that operational risk may have on the firm, including consideration of those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients;
- (2) the operational risks that the firm is prepared to accept and those that it is not prepared to accept, including where relevant some consideration of its appetite or tolerance (see PRU 6.1.13 G) for specific operational risks;
- (3) how the firm intends to identify, assess, monitor, and control its operational risks, including an overview of the people, processes and systems that are used; and
- (4) where assessments of the firm's risk exposures are used for internal capital allocation purposes, a description of how operational risk is incorporated into this methodology.
A firm may also wish to set threshold levels in its operational risk policy for particular types of operational risk (based on its risk appetite or tolerance for risk), which when exceeded trigger a response (such as the allocation of more resources to control the risk or a reappraisal of business plans).
Given its association with a willingness to take risk, a firm may wish to replace the term appetite with tolerance when drafting its operational risk policy. Tolerance describes the types and degree of operational risk that a firm is prepared to incur (based on factors such as the adequacy of its resources and the nature of its operating environment). Tolerance may be described in terms of the maximum budgeted (that is, expected) costs of an operational risk that a firm is prepared to bear, or by reference to risk indicators such as the cost or number of system failures, available spare capacity and the number of failed trades.
Risk identification
In order to understand its operational risk profile, a firm should identify the types of operational risk that it is exposed to as far as reasonably possible. This might include, but is not limited to, consideration of:
- (1) the nature of a firm's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;
- (2) the design, implementation, and operation of the processes and systems used in the end-to-end operating cycle for a firm's products and activities;
- (3) the risk culture and human resource management practices at a firm; and
- (4) the business operating environment, including political, legal, socio-demographic, technological, and economic factors as well as the competitive environment and market structure.
A firm should recognise that it may face significant operational exposures from a product or activity that may not be material to its business strategy. A firm should consider the appropriate level of detail at which risk identification is to take place, and may wish to manage the operational risks that it faces in risk categories that are appropriate to its organisational and legal structures.
The FSA's interpretation of the term operational exposure is provided in SYSC 3A.5.1 G (2).
Risk assessment
The FSA recognises that risk management systems for operational risk are still developing, and that it may be neither feasible nor appropriate to measure certain types of operational risk in a quantitative way. A firm may wish to take a qualitative approach to the assessment of its operational risks using, for example, relative estimates (such as high, medium, low) to understand its exposure to them.
In order to understand the effects of its operational exposures a firm should continually assess its operational risks. This might include, but is not limited to, consideration of:
- (1) actual operational losses that have occurred within a firm, or events that could have resulted in significant operational losses but were avoided (for example, the waiving of financial penalties by a third party as a gesture of goodwill, or where by chance the firm realised profits);
- (2) internal assessment of risks inherent in its operations and the effectiveness of controls implemented to reduce these risks (through activities such as self-assessment or stress testing and scenario analysis);
- (3) other risk indicators, such as customer complaints, processing volumes, employee turnover, large numbers of reconciling items, process or system failures, fragmented systems, systems subject to a high degree of manual intervention and transactions processed outside a firm's mainstream systems;
- (4) reported external (peer) operational losses and exposures; and
- (5) changes in its business operating environment.
When assessing its operational risks, a firm may be able to differentiate between expected and unexpected operational losses. A firm should consider whether it is appropriate to adopt a more quantitative approach to the assessment of its expected operational losses, for example by defining tolerance, setting thresholds, and measuring and monitoring operational losses and exposures. In contrast, a firm may wish to take a more qualitative approach to assessing its unexpected losses.
Although a firm may currently be unable to assess certain operational risks with a high degree of accuracy or consistency, it should, according to the nature, scale and complexity of its business, consider the use of more sophisticated qualitative and quantitative techniques as they become available.
Risk monitoring
In monitoring its operational risks, a firm should:
- (1) as appropriate, regularly report to the relevant level of management its operational exposures, loss experience (including if possible cumulative losses), and authorised deviations from the firm's operational risk policy;
- (2) engage in exception-based escalation to management of:
Risk control
A firm should control its operational risks, as appropriate, through activities for the avoidance, transfer, prevention or reduction of the likelihood of occurrence or potential impact of an operational exposure. This might include, but is not limited to, consideration of:
- (1) adjusting a firm's risk culture and creating appropriate incentives to facilitate the implementation of its risk control strategy (see SYSC 3A.6 People);
- (2) adapting internal processes and systems (see SYSC 3A.7 Processes and systems);
- (3) transferring or changing the operational exposure through mechanisms such as outsourcing (see SYSC 3A.9 Outsourcing) and insurance (see SYSC 3A.10 Insurance);
- (4) the active acceptance of a given operational risk within the firm's stated risk appetite or tolerance; and
- (5) providing for expected losses, and maintaining adequate financial resources against unexpected losses that may be encountered in the normal course of a firm's business activities.
Record keeping
The FSA's high level rules and guidance for record keeping are outlined in SYSC 3.2.20 R (Records). Additional rules and guidance in relation to the prudential context are set out in PRU 1.4.51 G to PRU 1.4.64 G (Record keeping). In complying with these rules and all associated guidance, a firm should retain an appropriate record of its operational risk management activities. This may, for example, include records of:
- (1) the results of risk identification, measurement, and monitoring activities;
- (2) actions taken to control identified risks;
- (3) where relevant, any exposure thresholds that have been set for identified operational risks;
- (4) an assessment of the effectiveness of the risk control tools that are used; and
- (5) actual exposures against stated risk appetite or tolerance.