RBI's Guidance Note on
Operational Risk Management and Operational Resilience

Decoding RBI's Guidance Note

Operational Risk Management and Operational Resilience

New

The Reserve Bank of India (RBI) has issued a landmark document, the “Guidance Note on Operational Risk Management and Operational Resilience,” on April 30, 2024. This document replaces the 2005 guidance and sets new standards for managing operational risks and resilience among Regulated Entities (REs).

Introduction to Operational Risk Management and Operational Resilience
Operational risk arises from various sources, both internal and external. Events such as the COVID-19 pandemic, financial crises, and technological disruptions have heightened operational risks for banks. The new Guidance Note emphasizes the need for a proactive, comprehensive approach to identifying, assessing, and mitigating these risks.

Difference Between Operational Risk and Operations Risk

Operational Risk: Encompasses risks that stem from internal processes, people, systems, or external events that impact the entire organization. It includes a wide range of factors such as fraud, legal risks, and compliance issues.
Operations Risk: Specifically refers to risks associated with the day-to-day operations of a business, such as errors in processing transactions, system failures, or supply chain disruptions.

The Guidance Note has adopted a principle-based and proportionate approach to ensure smooth implementation across REs of various sizes, nature, complexity, geographic location and risk profile of their businesses.

Significance of Updated Guidance Note

The RBI’s new Guidance Note introduces significant updates and enhancements compared to the previous guidance issued in 2005.

Expands operational risk management to encompass achieving operational resilience.
Expanded applicability from Scheduled Commercial Banks, to all Commercial Banks, NBFCs, Co-operative Banks, and All India Financial Institutions (AIFIs).
Optimal organizational structure depends on the size and operations of each regulated entity.

Key Aspects of Guidance Note
This Guidance Note on Operational Risk Management and Operational Resilience has been built on three pillars.

Prepare and Protect
Build Resilience
Learn and Adapt

Across these pillars, It contains 17 principles designed to facilitate effective implementation by regulated entities.

Operational Risk Management

Entire spectrum of operational risk management activities, including risk identification, measurement, assessment, monitoring, control, mitigation, and reporting.

Operational Resilience

Ability of an RE to deliver critical operations through disruption.

A. Governance & Risk Culture: It involves setting the right tone at the top, establishing clear roles and responsibilities, and ensuring accountability to manage risks effectively across the organization

Strengthening of Governance Structures.
Training and frequent risk communication can foster a risk-aware culture.
Improved internal controls and monitoring systems to ensure compliance

B. Change Management: Structured processes and procedures to manage and implement changes effectively, ensuring minimal disruption.

C. Monitoring & Reporting: Regular assessment and communication of operational risk profiles and material exposures to support proactive risk management.

Standardization of report : Capture key risk metrics, loss events, control effectiveness assessments, and mitigation strategies
Regulatory Compliance: Adhere to relevant regulatory reporting requirements & guidelines for operational risk
Training Programs: Training on operational risk identification, assessment, and reporting procedures.

D. Control & Mitigation: Implementation of robust policies, processes, and systems to manage and reduce operational risks effectively.

Following are the implications for REs:

Strengthen Internal Controls : Streamlined Internal Controls, Continuous Risk Assessments.
Enhanced Operational Resilience: Business continuity plans, Disaster Recovery Solutions.
Segregation of Duties & Controls: Technology & Infrastructure Risk Management, Training Programs.

E. Interdependency & Third Party Dependency: Map internal and external dependencies to ensure REs operational resilience approach effectively supports their delivery.

F. Information & Communication Technology Risks: Manage technology risks and safeguarding information systems to ensure operational resilience and security.

Comprehensive ICT policy
Data Protection and Cyber Security Prioritization
Regulatory Compliance

G. Learning & Adaptability: Learn from past incidents and continuously update their risk management practices based on these insights.

Implement a structured process for collecting feedback and learning from operational incidents.
Integrate lessons learned into the operational risk management framework regularly

Conclusion

The RBI’s updated guidance note sets a robust framework for REs to strengthen their operational risk management and resilience, ensuring stability and security in the financial sector. As your trusted consulting partner, we can help you navigate these changes and achieve compliance with the new guidelines. Our services include Operating Risk Profile Assessment, Compliance Diagnostic Review, and Redesigning Operational Risk Management Frameworks. We assist in identifying, evaluating, and prioritizing risks while ensuring adherence to all relevant laws, regulations, and internal policies.

RBI's Guidance Note on
Operational Risk Management and Operational Resilience