Operational Risk Management Training Guide for Banks
Comprehensive training on Operational Risk Management (ORM), RBI guidelines, incident reporting, KRIs, and roles in banking risk culture.
Operational Risk Management
Employee Training Material – In line with RBI Guidelines & Bank Policy
What is Operational Risk?
Operational Risk is the risk of loss from inadequate internal processes, human error, system failures, or external events. It includes financial loss, regulatory impact, and near-misses. Remember: Absence of financial loss does not mean absence of risk.
ORM Framework Pillars
1. Risk Identification: Identifying events, near-misses, control failures, and emerging risks.
2. Risk Measurement: Measuring risks using loss data, potential losses, and aggregating similar events.
3. Risk Monitoring: Ongoing monitoring through Key Risk Indicators (KRIs), trend analysis, and reporting.
4. Risk Control & Mitigation: Implementing controls to reduce risk frequency and impact.
Global Operational Loss Causes
Data indicates that while frequent minor errors occur in execution, significant financial impact is often driven by fraud and system failures. This distribution highlights where control frameworks must be strongest.
Importance of ORM
Effective ORM helps the Bank:
• Prevent financial losses
• Avoid regulatory penalties
• Protect customer interests
• Strengthen internal controls

RBI mandates continuous identification, reporting, and monitoring of risks.
Events & Near-Misses
Operational Risk Event: Any incident causing loss OR potential loss (e.g., system downtime, process lapse).
Near-Miss: An incident that did not cause loss but could have (e.g., error blocked by system).
Near-misses MUST be reported as they indicate control weaknesses.
Classification of Events
1. Internal Fraud
2. External Fraud
3. Workplace Safety
4. Clients & Products
5. Damage to Physical Assets
6. Business Disruption & System Failures
7. Execution, Delivery & Process Management

Correct classification ensures proper reporting.
Reporting Thresholds & Zero Tolerance
Financial Threshold: RUB 20,000 (or INR equiv) or more (Actual or Potential Loss).
Zero-Tolerance: Report IMMEDIATELY regardless of amount: Fraud, Data Breach, Regulatory Non-compliance.
Aggregation: Multiple incidents from the same root cause must be aggregated to check the threshold.
KRI Breaches: Fraud-related KRI breaches are events. Non-fraud breaches are events if the threshold is met and there is an operational failure.
Key Risk Indicators (KRIs)
KRIs are early warning indicators of increasing risk exposure. Examples:
• Reconciliation breaks
• Data quality errors
• System downtime
• Control exceptions

KRIs are monitored periodically by business units and reviewed by the Risk Management Department.
Event Reporting Process
Stage 1: Immediate Notification (T)
Inform Risk Dept, share basic details. Containment actions.
Stage 2: Initial Assessment (T+2 Days)
Description, category, preliminary root cause, loss estimate.
Stage 3: Detailed Investigation (T+5 Days)
RCA, failed controls, corrective/preventive action plan.
Stage 4: Closure
Loss confirmation, recovery, validation by Risk Dept.
Roles & Responsibilities
1st Line (Business): Own risk, report events, fix issues.
2nd Line (Risk Dept): Validate data, monitor KRIs, maintain database.
3rd Line (Audit): Independent assurance.

RCA: Focus on *why* it happened (process) not *who* (person), to prevent recurrence.
Data, Training & Culture
• Data Quality: Accurate recording is vital. Retain records for min 10 years.
• Training: Regular programs to build risk awareness.
• Risk Culture: Integrity, prompt reporting, and transparent escalation are expected from all employees.

Incomplete data is itself an operational risk.
Key Takeaways
Operational Risk Management is everyone’s responsibility.
Report incidents and near-misses EARLY. Do not hide errors.
KRIs are tools for prevention, not fault-finding. Follow timelines.
Strong reporting protects the Bank and its employees.