For enhancing and improving risk management practices, and to comply with the new capital adequacy framework, RBI has issued guidance notes and circulars on Operational Risk. These are considered to set sound principles for the effective management and supervision of operational risk by banks. They are indicative guidelines, and their application therefore differs from bank to bank, depending on size, complexity of business, risk philosophy, market perception and expected level of capital. The main objective of these guidelines is to treat operational risk management as a comprehensive practice comparable to the management of credit and market risk. “Management” of operational risk is taken to mean identification, assessment, monitoring and control/ mitigation.

Operational risk has been defined by the Basel Committee on Banking Supervision as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. This definition includes legal risk but excludes strategic and reputational risk. It seeks to identify why a loss happened and, at the broadest level, breaks the causes down into four categories: people, processes, systems and external factors.

The Basel Committee has identified the following types of operational risk events as having the potential to result in substantial losses:

Internal fraud: for example, intentional misreporting of positions, employee theft and insider trading on an employee’s own account.

External fraud: for example, robbery, forgery, cheque kiting and damage from computer hacking.

Employment practices and workplace safety: for example, workers’ compensation claims, violation of employee health and safety rules, organized labour activities, discrimination claims and general liability.

Clients, products and business practices: for example, fiduciary breaches, misuse of confidential customer information, improper trading activities on the bank’s account, money laundering and sale of unauthorized products.
Damage to physical assets: for example, terrorism, vandalism, earthquakes, fires and floods.

Business disruption and system failures: for example, hardware and software failures, telecommunication problems and utility outages.

Execution, delivery and process management: for example, data entry errors, collateral management failures, incomplete legal documentation, unauthorized access given to client accounts, non-client counterparty misperformance and vendor disputes.

Banks need to introduce closer monitoring and tighter controls in the above areas, as well as in other areas where there is typically a certain degree of concentration of occurrence. The regulator has in the recent past conducted forensic scrutinies at certain identified banks, following the occurrence of large-value frauds or a sharp increase in the number of frauds at those banks, for the purpose of identifying policy gaps, assessing the adequacy of controls and identifying systemic factors. During such scrutiny it was found that although banks do have certain policies and processes in this regard, these are not well structured and systematic enough to ensure proper focus on typical fraud events. There was also a lack of consistency in the treatment of transactions having the characteristics of fraud, as well as in their reporting to the “Competent Authority”. Based on the above, RBI advised banks to suitably modify their policy and streamline their operating framework in the matter, keeping in view certain indicative guidelines.

The operating framework for tracking frauds and dealing with them should be structured along the following three tracks:

(i) Detection and reporting of frauds
(ii) Corrective action and
(iii) Preventive and punitive action

Detection and reporting: Banks should have a set of prescribed procedures and criteria with which events or transactions having serious irregularities are analyzed and assessed to establish the occurrence of fraud.
Each bank can define fraud based on the guidelines and should clearly demarcate/ distinguish an event occurring on account of negligence ‘in conduct of duty’ from ‘collusion’ by bank staff (with the borrowers and with an intention to cheat the bank). Care should also be exercised while dealing with instances of ‘willful default’. Banks may also examine the ‘intent’ to defraud, irrespective of whether or not an actual loss takes place. Having detected a fraud, a report must be prepared and submitted to the “Competent Authority”. As part of their overall policy and operating framework, banks should identify and designate the Competent Authority to whom such reports are to be submitted. The fraud report should be a diagnostic assessment, clearly bringing out the causes of the fraud and identifying whether it occurred due to ‘system failure’ or ‘human failure’.

Corrective action: An important corrective step in a fraud is recovery of the amount siphoned off, which calls for expeditious filing of police complaints, blocking/ freezing of accounts and salvaging funds from the blocked/ frozen accounts in due course. Once a set of transactions is explicitly identified as fraudulent, the mandate for seizing and taking possession of related documents, and for issuing suspension orders or orders to proceed on leave to identified/ suspected employees, becomes easier to exercise, thereby preventing them from destroying/ manipulating evidence or obstructing investigations. Banks are therefore advised to provide a singular focus on the “Fraud Prevention and Management Function”, to enable, among other things, effective investigation of fraud cases and prompt as well as accurate reporting of fraud cases to the appropriate regulatory and law enforcement agencies.
Preventive and punitive action: Preventive actions deemed necessary to address ‘system failure’ and/ or punitive action as prescribed internally for ‘human failure’ should be initiated immediately and completed expeditiously. Under the current system, wherever transactions occur in breach of/ overriding “Controls”, they are reflected in the “end of day exception report”. Accordingly, all such exception reports should be perused by the designated officials and post facto authorization accorded for the transactions. In certain cases this process does not get duly implemented, reflecting poor internal control mechanisms. Banks should therefore ensure that they bring in the needed refinement to this process, and also specify the levels/ authority to whom the exception reports will invariably be submitted and the manner in which that authority will deal with them. The entire gamut of how exception reports are generated, how the transactions contained in them are examined/ scrutinized, and how the reports are submitted to higher authorities for the necessary authorization of breaches should be periodically subjected to review and oversight by the bank’s management/ Board of Directors.

Apart from these, banks should immediately take steps to put in place the following controls and disincentives in their HR processes and internal inspection/ audit processes as part of their fraud risk management framework:

a. Banks should draw up a list of critical as well as sensitive positions or areas of operation and evolve well-defined “Fit and Proper” criteria for determining the suitability of staff/ officers for those posts/ areas of operation. The appropriateness of such postings should be subjected to periodic review.

b. Banks should immediately put in place a “staff rotation” policy and a policy of “mandatory leave” for staff.

c. For the investigation of frauds, only officers/ staff having an aptitude for investigation, data analysis and forensic analysis should be deployed through the “fraud investigation unit/ outfit”.

d.

Working Group on Information Security, Electronic Banking, Technology Risk Management and Cyber Frauds - Implementation of recommendations

Banks with extensive leverage of technology to support business processes are expected to implement all the stipulations outlined in the circular. In the event that any further clarification is needed, banks may approach RBI for guidance. It is suggested that, except where legally required, banks may consider any other equivalent or better and more robust technology/ methodology based on new developments, after carrying out a diligent evaluation exercise. Banks are required to conduct a formal gap analysis between their current status and the stipulations laid out in the circular, and to put in place a time-bound action plan to address the gap and comply with the guidelines. However, banks need to ensure implementation of the basic organizational framework, and put in place those policies and procedures that do not require extensive budgetary support or infrastructural or technology changes, by October 31, 2011. The rest of the guidelines need to be implemented within a period of one year, unless a longer time-frame is indicated in the circular. Banks may also incorporate in their Annual Report, from 2011-12 onwards, the measures broadly taken in respect of the various subject areas indicated in these guidelines. Banks need to pro-actively create/ fine-tune/ modify their policies, procedures and technologies based on new developments and emerging concerns; the framework cannot be static.
Reserve Bank of India will review progress in implementing the guidelines in its Quarterly Discussions with banks, and will comprehensively examine the efficacy of implementation, commensurate with the nature and scope of operations of individual banks, from the next AFI cycle (for the period 2011-12) onwards.

Author: Rajarajeswari S, +91 9940358662