Banks Act, 1990 (Act No. 94 of 1990)
Regulations
Regulations relating to Banks
Chapter III : Corporate Governance
39. Process of corporate governance
Subregulation (15)
(15) | As a minimum, a bank that wishes to adopt the advanced measurement approach for the calculation of the bank's capital requirement relating to operational risk— |
(a) | shall have in place an independent operational risk management function, which operational risk management function shall be responsible for— |
(i) | the development of— |
(A) | policies and procedures relating to operational risk management and control, including policies to address areas of non-compliance, which policies ultimately shall be approved by the bank's board of directors; |
(B) | strategies to identify, measure, monitor and control or mitigate the bank's exposure to operational risk. |
(ii) | the design and implementation of— |
(A) | a methodology for the measurement of the bank's exposure to operational risk; |
(B) | the bank's operational risk management framework; |
(C) | a risk-reporting system relating to operational risk; |
(b) | shall have in place an internal operational risk measurement system— |
(i) | which operational risk measurement system— |
(A) | shall be closely integrated into the day-to-day risk management processes of the bank; |
(B) | shall be subject to regular validation and independent review, which validation and independent review shall include verification that the internal validation processes are operating in a satisfactory manner and that data flows and processes associated with the risk measurement system are transparent and accessible; |
(ii) | the output of which system shall form an integral part of the process to monitor and control the bank's exposure to operational risk, including internal capital allocation and risk analysis; |
(c) | shall have in place techniques— |
(i) | to allocate capital to major business units, which allocation shall be based on operational risk; |
(ii) | to create incentives to improve the management of operational risk throughout the bank; |
(d) | shall on a regular basis report its exposure to operational risk, including material losses suffered in respect of operational risk, to the management of the bank's business units, the senior management of the bank and the bank's board of directors; |
(e) | shall have in place adequate measures to take appropriate action, including in cases of non-compliance with internal policies, controls and procedures; |
(f) | shall duly document the bank's operational risk management system; |
(g) | shall have in place a process to ensure compliance with the bank's documented set of internal policies, controls and procedures concerning the operational risk management system; |
(h) | shall have in place a robust operational risk management process, which operational risk management process shall be subject to regular review by the bank's internal and/or external auditors, which review shall include the activities of— |
(i) | the relevant business units; |
(ii) | the independent operational risk management function. |