On 5 August 2022, the Monetary Authority of Singapore (“ MAS”) published an Information Paper on the operational risk management (“ ORM”) standards and practices. The paper serves to set out its supervisory expectations on the subject, as well as highlight the good practices and shortcomings that MAS had observed from thematic inspections of banks that it had conducted over the course of 2020 and 2021.
This Client Update provides a summary of the key observations and recommendations highlighted by MAS.
With the emergence of large-scale remote working and the adoption of new technologies, financial institutions (“FIs”) have had to rely increasingly on third party outsourcing and non-outsourcing arrangements to carry on their business activities. As such, MAS expects that FIs must ensure that the third parties that they rely on have adequate governance, and sound risk management and internal controls. This is evident from the various MAS’ Guidelines on Outsourcing, Technology Risk Management, and Business Continuity Management, all of which address how FIs ought to manage the various risks associated with reliance on such third party arrangements.
Against this backdrop, MAS conducted thematic inspections on selected banks over 2020 and 2021, focusing on:
- ORM governance and control frameworks; and
- Third party risk management controls.
2. Operational Risk Management Governance and Control Framework
In the Information Paper, MAS has emphasised that an effective and sound internal governance and control framework is critical in managing the operational risks that faces a bank. A bank’s ORM governance function must therefore be fully integrated into its overall risk management governance structure.
The following 3 broad areas were canvassed in the Information Paper.
(A) Governance and Management Oversight
Generally, MAS noted that most banks have established a proper governance structure for oversight and monitoring of operational risk. With one notable exception, the banks that MAS had inspected formed a dedicated ORM committee that is chaired by the Head of ORM or the Chief Risk Officer. In the case of the bank that did not form a dedicated ORM committee, the oversight of operational risk was given to its executive risk committee which already had a broader risk management responsibility. While MAS stated that it did not see the absence of a dedicated committee for ORM to present an issue in itself, it did emphasise that there had to be adequate attention given to operational risk issues. In that particular case, MAS had considered that the flow of operational risk information to the bank’s executive risk committee could have been improved, and that analyses of operational risk trends and root causes for operational risks should also have been presented.
In relation to risk appetite statements, MAS noted that while most banks had a clearly defined operational risk appetite statement that was supported by relevant indicators and thresholds, for several banks, the risk appetite statement took the form of a single broad metric (such as a specified percentage of operating profit or revenue that the bank was willing to accept as loss). MAS considered that framing a risk appetite statement in the form of a single broad metric might be insufficient to support meaningful discussions about the trade-offs involved when assessing operational risks. Hence, MAS said that high level operational risk appetite statements should generally be further translated into more granular metrics and indicators with specified tolerance thresholds, which can be monitored regularly and reported to the management team.
MAS also noted that most banks have established a clear definition of operational risk that was in line with the definition set by the Basel Committee on Banking Supervision, although some have gone even further to include additional elements such as reputational risks. MAS also noted that in general, the banking industry in Singapore have a common operational risk taxonomy and this has helped to ensure that risk identification, assessment, and management are consistent across business units and across the three lines of defence under the three lines of defence model.
Overall, MAS also noted banks have implemented and maintained policies and standards that support the implementation of their ORM frameworks. There were generally regular and comprehensive reports of operational risk profiles and material operational risk events to facilitate the oversight of operational risk by the FI’s Board and senior management team. However, in some cases, bank management were not given detailed analyses of trends in operational risk events or root causes. MAS also felt that some banks did not pay sufficient attention to “near-misses” that ought to be sufficient cause for the bank to consider whether there was a need for enhancements of controls. Furthermore, while most banks performed operational risk analyses to ensure that material risk concerns were adequately assessed, MAS felt that a few banks did not adequately analyse the results of risk and control self-assessments and key risk indicators.
Finally, MAS noted that while all banks did conduct reviews to identify top and emerging risks and reported these to management, the quality of such reviews varied. In one case, the bank did not regularly perform such reviews and report them to its management, and on the occasion when it did perform a review, the review was inadequate because it did not include an assessment of the effectiveness of controls that were intended to address the risks and also did not include a plan for mitigating or addressing identified gaps.
(B) Operating Model
At the outset, MAS noted that banks have generally implemented the Three Lines of Defence model within their risk governance frameworks. Under the Three Lines of Defence model, the business unit that is responsible for the business function must play the role of being the first line of defence, while the second line of defence would be the business function responsible for compliance or risk management and the third line of defence would be provided by the internal audit team.
In one particular instance, MAS commended the approach (taken by one bank) whereby a coordinated effort was made to implement the Three Lines of Defence model by means of having clear communications stipulating the roles and responsibilities of each line of Defence, identifying areas of enhancement, ensuring effective training of all staff, and having a dedicated staff workgroup that focuses on such initiatives and provides updates to management.
MAS also noted that a few banks had in place internal processes that actively encouraged and incentivised staff to identify operational risk issues and flag them up for the attention of management. These could also include e- learning or classroom training programmes that are designed to increase staff competency in matters relating to operational risk generally.
As regards the ORM function, MAS had observed that all banks have generally set up an independent and adequately resourced team to serve as the second line of defence. While accepting that the specific roles, responsibilities, and sizes of the ORM team could vary from bank to bank, MAS stressed that in order for the ORM team to operate effectively, there had to be clear lines of accountability and the ORM team must have a comprehensive view of all operational risk exposures facing the organisation. The ORM team must also be headed by an individual with sufficient seniority and stature.
Finally, MAS also emphasised that the ORM team, being the Second Line of Defence, must also be prepared to provide an effective challenge to the operational risk identification efforts and assessments that have already been undertaken by the business unit as the First Line of Defence.
(C) Control and Monitoring Processes and Tools
In the area of control and monitoring tools, MAS noted that banks generally employ a number of ORM tools to monitor, assess, and report on operational risk profiles and trends. Banks have also put in place systems and databases to facilitate operational risk monitoring and reporting. This might include centralised core systems that house various modules or applications designed to support different facets of operational risk monitoring and management. MAS also made the observation that fragmented systems and tools and manual work-around procedures were more vulnerable to mistakes and this could in turn impact the effectiveness of the bank’s overall ORM controls. Accordingly, MAS emphasised that banks should continue to invest in enhancing system capabilities. In relation to data quality checks, MAS noted that most banks would do this, but emphasised that system-generated reports that flag discrepancies or exceptions have to be independently reviewed and followed up on. Regular attestations also ought to be required from the business units that generate the data.
With regard to thresholds, in some instances, MAS had noted that banks might adopt thresholds that are implemented at the global level when determining the impact rating of operational risk events. MAS cautioned that such thresholds are not always appropriate in the context of Singapore operations and hence, there must be adequate consideration taken of the local operating environment when applying such thresholds.
In relation to the dataset for operational risk events, MAS observed that a few banks have focused only on financial loss events when recording and assessing operational risk, and warned that the inadequate consideration of non-financial loss events might potentially result in a distortion of a bank’s operational risk event dataset. To guide the recording of operational risk events, MAS noted that banks have tended to establish thresholds (typically based on loss amounts where the event is a financial loss event, and on risk impact where the event is a non-financial loss event). Additional thresholds might also be set to determine when management reporting is required and there are timelines (typically within the same day or within 24 hours) to determine when escalation to management is required. MAS also noted that banks would typically log operational risk events into their systems within 3 to 10 business days. However, some banks were noted to have gone well beyond industry norms. In one instance, an operational risk event was logged in the system only 20 calendar days after the event was booked in the bank’s financial records. MAS warned that significant delays in the recording of operational risk events would mean that management would not be notified of them promptly. Timelines for recording operational risk events should be systematically tracked and adhered to.
In relation to risk and control self-assessments, MAS noted that in general, banks have ensured that their self- assessment frameworks adequately covered all relevant processes. However, in some cases, there was still room for improvement. Some banks had only performed testing of control procedures for processes that involved higher inherent risks. MAS cautioned that while a risk-based approach was reasonable when determining whether there should be testing of control procedures, it was also important to ensure that the coverage of the testing was sufficiently large. In one particular case, the number of processes that was actually tested amounted only to 1% of the total population of processes, because most of the bank’s processes were rated as having only medium or low inherent risk. There should also be a structured process to guide staff in determining the impact of a non-financial operational risk event when staff are asked to complete a self-assessment.
In relation to key risk indicators, MAS noted that banks have generally established such risk indicators (such as certain specified events, regulatory breaches, outstanding audit issues or significant staff turnover). Together with relevant thresholds, these have generally been implemented at both the business segment level and at the bank-wide level. MAS emphasised that banks must have robust controls over the establishment, the regular review, and the monitoring of such key risk indicators.
3. Third Party Risk Management
As a preliminary point, MAS observed that banks had adopted different governance approaches in the management of third party risks. Some banks have an integrated governance framework that regulates both outsourcing and non-outsourcing arrangements, while others have separate governance frameworks for each type of arrangement.
(A) Outsourcing Arrangements
Outsourcing arrangements refer to arrangements whereby the bank outsources a process or a function that it would typically perform for itself to reap commercial benefits (such as cost-savings or economies of scale). Common areas being outsourced by banks include middle and back-office operations, archival and storage of data and records, and printing services. Banks are required to observe MAS guidelines when embarking on outsourcing arrangements.
(i) Governance and Management Oversight
Generally, MAS noted that most banks have implemented a proper governance framework for managing the risks arising from outsourcing arrangements.
Typically, outsourcing arrangements are overseen by a dedicated management committee of individuals within the bank. In some banks, the oversight of outsourcing arrangements was left with the ORM committee. While MAS acknowledged that a dedicated outsourcing management committee was not required, it did share its observation that banks who had such a committee were observed to be able to exercise more effective control over outsourcing risks. In most banks, the outsourcing management committee would be chaired by management staff who head the Second Line of Defence (typically the Head of ORM or the Chief Risk Officer). In some cases, MAS had observed that the committee did not include any representatives from the function responsible for the Second Line of Defence. MAS reiterated that this ought not to so. Such an omission would mean that the Second Line of Defence is being subordinated to the First Line of Defence.
As regards when an arrangement requires approval by the outsourcing management committee, MAS highlighted that a risk-based approach might be adopted (so that not all matters must go before the committee). However, there should be nothing that could impede the ability of management to holistically assess and manage the outsourcing risks faced by the bank. Material outsourcing arrangements ought to be required to be approved by the committee. In one instance, MAS pointed to a poor participation rate by members of the outsourcing management committee. This suggested that within the organisation, priority is not being given to the management of outsourcing risks. In some instances, MAS noted that some banks did not have a process in place to track the satisfaction of conditions that were imposed when the outsourcing management committee gave approval.
MAS noted that most banks would report the risk profile of their outsourcing arrangements to the outsourcing management committee, as well as provide regular updates on outsourcing related key risk indicators. However, some inadequacies were also noted. In one case, significant risk issues were unreported due to the absence of clear guidelines on when a matter should be reported by the First Line of Defence, and the lack of an effective challenge by the Second Line of Defence.
(ii) Due Diligence (Onboarding and Periodic Reviews)
MAS has noted that banks have generally specified clear requirements and provided comprehensive guidance on the due diligence and risk assessment processes when embarking on new outsourcing arrangements and for conducting periodic reviews of existing outsourcing arrangements.
In general, banks would evaluate the service provider’s business reputation and financial strength, as well as its abilities in risk management and control in important areas such as physical and information security, business continuity and ability to comply with relevant rules and regulations. Some banks might also involve other internal subject matter experts in the evaluation process.
However, in some instances, there were large time gaps of up to 10 months between the completion of due diligence effort and the approval of the outsourcing arrangement by the relevant approving authority or outsourcing management committee. This is undesirable as the lengthy time gap might mean that any approval is being considered on the basis of outdated information.
(iii) Ongoing Risk Management and Monitoring
MAS noted that banks have generally been proactive in managing relationships with outsourced service providers and have used the risk-based approach to apply more rigorous controls in cases of material outsourcing arrangements that pose higher risks.
However, MAS emphasised that the materiality and complexity of outsourcing arrangements might evolve over time, and consequently, the framework for ongoing monitoring of outsourcing arrangements had to be sufficiently robust to accommodate such developments. Banks must also make sure that they have adequate tools to monitor outsourcing risks and the performance of the outsourced service provider. This could include a structured performance metric dashboard that tracks various indicators (such as reports, audit or risk issues, staff turnover etc.) or a service provider scorecard. MAS also observed a good practice where a bank would require its business unit to identify material changes to the relationship with the service provider when the outsourcing contract comes up for renewal or amendment.
Significant risk trends in outsourcing generally could be identified using key risk indicators and heat map assessments. In regard to the latter, MAS highlighted a good practice which it had observed within one bank where a risk-sensitive assessment framework was implemented by means of applying the colours green, yellow, amber, and red on a sliding scale to compare the different levels of inherent risks of all of the bank’s outsourcing arrangements.
MAS also pointed out that consideration should be given to whether there is concentration risk, where a bank over-depends on a single service provider. A concentration analysis should be performed at the service provider level (to assess if there is reliance on the service provider for multiple services or by multiple business units within the bank). An analysis should also be performed at the bank-wide level to assess if there is excessive reliance on the bank on the service provider (by considering the value of the outsourcing contract or the number of outsourcing contracts).
(B) Non-Outsourcing Arrangements
Under the MAS Guidelines on Outsourcing, the audit and/or expert assessment of an outsourcing arrangements should be conducted by a party that is independent of the business unit involved in the outsourcing arrangement. However, MAS has noted situations where such audits were purported to be performed by the business unit itself.
With third party arrangements that do not constitute outsourcing, while these are not subject to the MAS Guidelines on Outsourcing, nevertheless MAS has, in the Information Paper, emphasised that the risks introduced by such arrangements might be no less material than outsourcing arrangements.
(i) Identification and Risk Categorisation
Banks have generally been noted to have in place a risk management and control framework to manage their non-outsourcing third party dependencies. MAS has noted that banks would typically identify and maintain an inventory of such arrangements and classify them according to their nature or risk characteristics.
(ii) Governance and Management Oversight
In relation to oversight of non-outsourcing arrangements, MAS observed that different banks were at varying stages of establishing governance and management oversight regimes. For those banks that have yet to implement an oversight regime, MAS has stated that they should do so expeditiously.
Broadly speaking, the measures suggested in the Information Paper in relation to the management of risks arising from non-outsourcing arrangements would largely mirror MAS supervisory expectations in relation to the management of outsourcing risks. Thus, the framework should provide for the monitoring and oversight in an adequate and timely manner, taking into account relevant risk information. There must be effective management oversight and regular reporting for this purpose.
(iii) Due Diligence and Ongoing Monitoring
In relation to the selection of third party service providers, MAS noted that most banks do have due diligence processes in place when onboarding third party service providers and to periodically review existing arrangements. Just as is the case with the due diligence and evaluation process for outsourcing arrangements, with non-outsourcing arrangements, banks should similarly take into consideration factors such as the business reputation of the third party, its financial strength, the strength of its internal controls, its business continuity planning arrangements and, where relevant, its physical and information security protocols.
Where the third party is outside Singapore, the cross-border element also makes it necessary for the bank to consider the legal and regulatory risks of dealing with a party who is from a different legal system. This is of particular significance if the arrangement involves the bank providing or sharing confidential information with the third party.
Based on what is stated in the Information Paper, it would appear that overall, some banks still have room for improvement in terms of their internal governance, monitoring and control mechanisms for the management of risks arising from outsourcing and other business arrangements with third parties.
The key message from the MAS is that banks must continue to strive to enhance their internal compliance and risk management processes.
Although the Information Paper summarises the findings of MAS from its inspection of various banks, most of the measures discussed are of equal relevance to other types of financial institutions, and thus the Information Paper also provides much food for thought for all financial institutions that are subject to regulation by the MAS.
A copy of the MAS Information Paper on Operational Risk Management and Third Party Arrangements can be obtained here.