Review of the Principles for the Sound Management of Operational Risk

October 2014

This paper reviews banks' implementation of the 2011 Principles for the Sound Management of Operational Risk. The principles embody the lessons from the financial crisis and evolving sound practice in operational risk management.

The principles set out the Committee's expectations for the management of operational risk. All internationally active banks should implement policies, procedures and practices to manage operational risk commensurate with their size, complexity, activities and risk exposure, and seek continuous improvement in these areas as industry practice evolves. In order to enhance operational risk management, the principles provide comprehensive guidance regarding the qualitative standards that should be observed to achieve more rigorous and comprehensive operational risk management.

This review of implementation covered 60 systemically important banks (SIBs) in 20 jurisdictions. It took the form of a questionnaire against which banks self-assessed the extent and quality of their implementation.

Progress in implementing the principles varies significantly across banks and, overall, more work is needed to achieve full implementation. In particular, four principles have been identified as among the least thoroughly implemented: (i) operational risk identification and assessment; (ii) change management; (iii) operational risk appetite and tolerance; and (iv) disclosure.