
Indonesia Certificate in Banking Risk and Regulation

Training Instructor Course
Level 3
Part C: Supervision and regulation

Global Association of Risk Professionals, Inc.


9. Supervision of operational risk and other risks

Part A: Market risk and treasury risk management and regulation
1. An introduction to the use of statistics in the measurement of financial risk
2. The Internal Models Approach to measuring and managing market risk
3. Capital management and treasury risk

Part B: Credit risk and operational risk management and regulation
4. Internal Ratings-Based approaches to measuring credit risk
5. Collateral and securitization
6. Advanced Measurement Approach to measuring operational risk
7. Managing operational risk

Part C: Supervision and regulation
8. The supervisory review process
9. Supervision of operational risk and other risks
10. Basel II disclosure requirements
11. The BI supervisory regime


9.1 Supervision of operational risk

9.1.1 Basel II supervision of operational risk

Chapter 8 discussed the four basic Basel II principles for bank supervision. While these principles are generic and apply to all types of risk within a bank, the Accord does make specific reference to the supervision of operational risk.

The Basel II Accord states that supervisors should ensure that procedures and systems used to calculate operational risk capital are a sound reflection of the underlying risk profile of the bank. In addition, the systems and models used should be accurate and produce appropriate results.


The Accord sets out some basic criteria for a bank to meet in order to use one of the three approaches to calculating operational risk capital. However, there is one overriding test that is applied to all banks irrespective of the approach they adopt. This requirement is the credibility test.

The supervisor will compare a bank's operational risk capital results with those from a peer group that uses the same approach. It will confirm whether the bank's results are consistent and credible with those produced by its peers. If a bank is using the Standardised Approach or the Advanced Measurement Approach and fails this test, then the supervisor can insist that the bank reverts to a simpler methodology. The supervisor can also take disciplinary action against the bank.


In addition to the above supervisory review, for banks using the two advanced approaches (the Standardised Approach and the Advanced Measurement Approach) there is a period of initial monitoring before the results can be used for regulatory purposes.

For banks adopting the Advanced Measurement Approach the review period is mandatory, while for the other approaches it is at the discretion of the local supervisor. The purpose of this review is to ensure that the results are:

consistent with the bank's peer group
appropriate to the risk profile of the bank.


Supervisory guidance

Chapter 8 highlighted that it is not just banks that need to learn about the operational risk requirements contained in Basel II. In February 2003 the Basel Committee published "Sound Practices for the Management and Supervision of Operational Risk" as a guide for both banks and local supervisors.

It sets out ten principles that represent its view on how operational risk should be managed and supervised (see Section 7.1.5).


The two principles relating to supervision are:

Principle 8: Banking supervisors should require that all banks, regardless of size, have an effective framework in place to identify, assess, monitor and control/mitigate material operational risks as part of an overall approach to risk management.

Principle 9: Supervisors should conduct, directly or indirectly, regular independent evaluation of a bank's policies, procedures and practices related to operational risks. Supervisors should ensure that there are appropriate mechanisms in place which allow them to remain apprised of developments at banks.


Principle 8

Principle 8 is intended to ensure that the systems and framework adopted by banks to manage operational risks (see Section 7.1) are appropriate to the task.

The sound practices guide also looks to the local supervisor to encourage banks to continue to develop and adopt more efficient techniques in managing operational risks.


Principle 9

Under Principle 9 the supervisor is charged with undertaking, either directly or indirectly, regular independent reviews of a bank's operational risk framework. These independent assessments should review:

the bank's operational risk management, mitigation and control framework (see Section 7.2)
the bank's monitoring and reporting procedures (see Section 7.3)
the bank's event handling procedures (see Section 7.1.3)
the bank's disaster recovery and business continuity plans
the bank's operational risk measurement systems
the appropriateness of the bank's operational risk capital allocations to its risk profile
for banks that are part of a larger financial group, whether the bank's operational risk framework is appropriate and integrated across the group.

The Basel Committee recognizes that for many banks operational risk management frameworks and techniques are still being developed. Thus the guide encourages the supervisor to take this into account when carrying out the review.


9.1.2 Basel II supervision of electronic banking

It is not just operational risk management techniques that are changing, but the underlying technology as well.

The last 15 years have seen a rapid change in communication technologies, allowing the introduction of new methods for customers to interact with a bank.

These new customer channels, e.g. telephone banking and internet banking, have themselves introduced new and challenging operational risks.


The Basel Committee recognizes both the scope and changing nature of operational risk management due to technology innovation and encourages banks to adopt new operational risk practices.

Due to the changing nature of operational risk, the frequency and impact of operational risk events are increasing. The move towards a banking industry that is increasingly dependent on technology, offering services 24 hours a day, 7 days a week, has been a major factor behind this change.

Consequently, in July 2003 the Basel Committee published a guide entitled "Risk Management for Electronic Banking".


While the Committee guide does not set out regulatory requirements, criteria or even a list of best practice, its executive summary states:

"The principles included in the present report express supervisory expectations and guidance in the form of Risk Management Principles in order to promote safety and soundness for e-banking activities, while preserving the necessary flexibility in implementation that derives in part from the speed of change in this area."

The guide sets out 14 principles to assist banks with improving their existing policies and procedures for this delivery channel. The principles can be grouped into three broad categories.


Board and management oversight

Effective management oversight of e-banking activities
Establishment of a comprehensive security control process
Comprehensive due diligence and management oversight process for outsourcing relationships and other third party dependencies.

Security controls

Authentication of e-banking customers
Non-repudiation and accountability for e-banking transactions
Appropriate measures to ensure segregation of duties
Proper authorization controls within e-banking systems, databases and applications
Data integrity of e-banking transactions, records and information
Establishment of clear audit trails for e-banking transactions
Confidentiality of key bank information.

Legal and reputational risk management

Appropriate disclosure for e-banking services
Privacy of customer information
Capacity, business continuity and contingency planning to ensure availability of e-banking systems and services
Incident response planning.


Operational risk is a collection of risk types, such as internal process risk and systems risk. The guide acknowledges that the generic concepts behind the principles it sets out can be applied to any computer-based service offered by a bank.

In producing a guide aimed specifically at e-banking the Committee recognizes:

the speed of change related to technology and service innovation
the global nature of internet-based services
the issues surrounding the integration of e-banking and legacy systems
the increasing dependence on third parties who supply the underlying technologies.


In particular the guide highlights that the above e-banking issues can increase the strategic, operational, reputational and legal risks faced by a bank. Not only can banks face increased risk from their own activities, but failures can also affect the entire banking industry, particularly its reputation.

An example of the increase in risk from e-banking related events is the case of Cahoot, the UK internet bank. It emphasizes how an event that resulted in no direct losses, either to Cahoot or its customers, contributed to the eventual takeover of its parent bank, Abbey National, by Grupo Santander.


Example: Cahoot

Cahoot, the online bank set up by Abbey National Bank of the UK, ran into technical problems shortly after it was launched in June 2000, as reported in the Financial Times. Early on the system collapsed and was unavailable for almost two days; it was then plagued by additional problems for a further three days.

Cahoot's strategy was to offer the first 25,000 customers interest-free overdrafts and credit cards. A rival of the online bank questioned whether Cahoot had invested enough in the system's capacity to cope with the level of demand it subsequently received.

It was taking between 10 and 14 days to approve customers because the bank was conducting money laundering checks on potential clients. In addition to rejecting applicants with a history of excessive credit, anyone living in an apartment was also likely to have been turned down as the website could not cope with addresses such as "35a", "garden flat" or "top flat" (all common address designations in the UK).

It is worth noting that the Cahoot system failure wasn't Abbey National's only problem. As a result of its on-going problems, in 2004 it was acquired by Grupo Santander, a Spanish banking group, in the largest cross-border takeover in European banking history.


9.1.3 UK supervision of operational risk

FSA ARROW scheme

The UK Financial Services Authority (FSA) approach to implementing supervision under Pillar 2 of the Basel II Accord is known as the Advanced Risk Response Operating frameWork (ARROW) scheme.

The ARROW scheme allows the FSA to evaluate a bank's risk in terms of its likely effect on the FSA statutory objectives. The ARROW framework includes a risk identification process.

In order to assist supervisors to identify specific risks within individual banks, the ARROW scheme classifies risk according to four business risk groups and five control risk groups.


FSA ARROW risk groups

FSA business risk groups:
Strategy
Market, credit, insurance underwriting & operational risk
Financial soundness
Nature of customers/users and products/services

FSA control risk groups:
Treatment of customers/users
Organization
Internal systems and controls
Board, management and staff
Business and compliance culture

Each of the above risk groups is further divided into risk elements. In total the ARROW scheme has 45 risk elements.


FSA handbook

In addition to the ARROW scheme for supervision, the FSA has published a Compliance Handbook that gives banks guidance on key aspects of its regulations.

The FSA Handbook provides guidance on operational risk regulatory reporting and record keeping requirements.


Regulatory reporting

The FSA stipulates that a bank must report to the supervisor any operational risk matters of which the FSA would reasonably expect notice, immediately they occur. This reporting relates to events that include significant:

failure in systems
failure in controls
operational loss.

In addition the FSA expects to be notified of:

any significant operational exposures that a bank has identified
the invocation of a business continuity plan, and
any other significant change to a bank's organization, infrastructure or business operating environment.


Record keeping

In order to comply with FSA regulations a bank is expected to retain an appropriate record of its operational risk management activities. Included in this record keeping are:

the results of risk identification, measurement and monitoring activities
actions taken to control identified risks
any exposure thresholds that have been set for identified operational risks
an assessment of the effectiveness of the risk control tools that are used
actual exposures compared to stated risk appetite or tolerance.


9.1.4 US supervision of operational risk

In preparation for the implementation of the Basel II Accord, the four US supervisors published the "Advance Notice of Proposed Rulemaking Regarding Risk-Based Capital Guidelines: Implementation of New Basel Capital Accord" (ANPR). This was published in 2003 as a proposed framework for implementing the Basel II Accord and was intended for comment by the US banking industry.

In July 2003 the four US supervisory agencies jointly published draft supervisory guidance for operational risk. The document focuses on the supervision of a bank's own internal methods for calculating operational risk capital and is entitled "Joint Supervisory Guidance on Operational Risk Advanced Measurement Approaches for Regulatory Capital".


The objective of the guide was to set out the US banking agencies' criteria and supervisory standards. This incorporated both the US requirements and the criteria defined in the Basel Accord.

The guide provides details of the 33 supervisory standards, covering seven major areas of a bank's operational risk framework.

These are listed below because they provide very clear guidance as to what US supervisors are seeking from a bank's management of operational risk.


The seven major areas of a bank's operational risk framework:

Corporate governance
Operational risk management elements
Elements of an Advanced Measurement Approach framework
Risk quantification
Risk mitigation
Data maintenance
Testing and verification.

Each of these areas is further divided into subsections and supervisory standards.


Corporate governance

S1: The institution's operational risk framework must include an independent firm-wide operational risk management function, line of business management oversight, and independent testing and verification functions.

S2: The board of directors must oversee the development of the firm-wide operational risk framework, as well as major changes to the framework. Management roles and accountability must be clearly established.

S3: The board of directors and management must ensure that appropriate resources are allocated to support the operational risk framework.

S4: The institution must have an independent operational risk management function that is responsible for overseeing the operational risk framework at the firm level to ensure the development and consistent application of operational risk policies, processes, and procedures throughout the institution.

S5: The firm-wide operational risk management function must ensure appropriate reporting of operational risk exposures and loss data to the board of directors and senior management.

S6: Line of business management is responsible for the day-to-day management of operational risk within each business unit.

S7: Line of business management must ensure that internal controls and practices within their line of business are consistent with firm-wide policies and procedures to support the management and measurement of the institution's operational risk.


Operational risk management elements

S8: The institution must have policies and procedures that clearly describe the major elements of the operational risk management framework, including identifying, measuring, monitoring and controlling operational risk.

S9: Operational risk management reports must address both firm-wide and line of business results. These reports must summarize operational risk exposure, loss experience, relevant business environment and internal control assessments, and must be produced no less often than quarterly.

S10: Operational risk reports must also be provided periodically to senior management and the board of directors, summarizing relevant firm-wide operational risk information.

S11: An institution's internal control structure must meet or exceed minimum regulatory standards established by the agencies.


Elements of an Advanced Measurement Approach framework

S12: The institution must demonstrate that it has appropriate internal loss event data, relevant external loss event data, assessments of business environment and internal controls factors, and results from scenario analysis to support its operational risk management and measurement framework.

S13: The institution must include the regulatory definition of operational risk as the baseline for capturing the elements of the Advanced Measurement Approach framework and determining its operational risk exposure.

S14: The institution must have clear standards for the collection and modification of the elements of the operational risk Advanced Measurement Approach framework.

S15: The institution must have at least five years of internal operational risk loss data captured across all material business lines, events, product types, and geographic locations.

S16: The institution must be able to map internal operational risk losses to the seven loss event type categories.

S17: The institution must have a policy that identifies when an operational risk loss becomes a loss event and must be added to the loss event database. The policy must provide for consistent treatment across the institution.

S18: The institution must establish appropriate operational risk data thresholds.

S19: Losses that have any characteristics of credit risk, including fraud-related credit losses, must be treated as credit risk for regulatory capital purposes. The institution must have a clear policy that allows for the consistent treatment of loss event classifications (e.g. credit, market or operational risk) across the organization.

S20: The institution must have policies and procedures that provide for the use of external loss data in the operational risk framework.

S21: Management must systematically review external data to ensure an understanding of industry experience.

S22: The institution must have a system to identify and assess business environment and internal control factors.

S23: Management must periodically compare the results of their business environment and internal control factor assessments against actual operational risk loss experience.

S24: Management must have policies and procedures that identify how scenario analysis will be incorporated into the operational risk framework.


Risk quantification

S25: The institution must have a comprehensive operational risk analytical framework that provides an estimate of the institution's operational risk exposure, which is the aggregate operational loss that it faces over a one-year period at a soundness standard consistent with a 99.9 percent confidence level.

S26: Management must document the rationale for all assumptions underpinning its chosen analytical framework, including the choice of inputs, distributional assumptions, and the weighting across qualitative and quantitative elements. Management must also document and justify any subsequent changes to these assumptions.

S27: The institution's operational risk analytical framework must use a combination of internal operational loss event data, relevant external operational loss event data, business environment and internal control factor assessments, and scenario analysis. The institution must combine these elements in a manner that most effectively enables it to quantify its operational risk exposure. The institution can choose the analytical framework that is most appropriate to its business model.

S28: The institution's capital requirement for operational risk will be the sum of expected and unexpected losses unless the institution can demonstrate, consistent with supervisory standards, the expected loss offset.

S29: Management must document how its chosen analytical framework accounts for dependence (e.g., correlations) among operational losses across and within business lines. The institution must demonstrate that its explicit and embedded dependence assumptions are appropriate, and where dependence assumptions are uncertain, the institution must use conservative estimates.


Risk mitigation

S30: Institutions may reduce their operational risk exposure results by no more than 20% to reflect the impact of risk mitigants. Institutions must demonstrate that mitigation products are sufficiently capital-like to warrant inclusion in the adjustment to the operational risk exposure.
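Standards S25, S28, S29 and S30 describe a quantification chain: a one-year aggregate loss estimate at a 99.9% soundness standard, capital as expected plus unexpected loss, conservative treatment of uncertain dependence, and a 20% ceiling on mitigation credit. The Python below is an added illustration of that chain, not code from the GARP material or from any supervisor: the business lines, frequency and severity parameters are constructed, and the Monte Carlo loss distribution approach with a sum-of-stand-alone-VaRs fallback for dependence is one common implementation, not the method of any particular institution.

```python
import math
import random
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class BusinessLine:
    """Constructed loss-model inputs for one business line (hypothetical values)."""
    name: str
    events_per_year: float   # Poisson frequency of recorded loss events
    sev_mu: float            # lognormal severity parameters per event
    sev_sigma: float
    threshold: float = 0.0   # S18-style data threshold: smaller losses are not recorded


# Constructed sample portfolio; the figures are illustrative, not from any bank or rule.
SAMPLE_LINES: List[BusinessLine] = [
    BusinessLine("Retail banking", 40.0, 9.0, 1.6, 1_000.0),
    BusinessLine("Payments and settlement", 12.0, 10.0, 1.8, 1_000.0),
    BusinessLine("Trading and sales", 4.0, 11.0, 2.0, 1_000.0),
]


def draw_poisson(lam: float, rng: random.Random) -> int:
    """Poisson draw by Knuth's product-of-uniforms method (adequate for small lambda)."""
    limit = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product <= limit:
            return count
        count += 1


def simulate_annual_loss(line: BusinessLine, rng: random.Random) -> float:
    """One simulated year of recorded losses for a single business line."""
    total = 0.0
    for _ in range(draw_poisson(line.events_per_year, rng)):
        severity = rng.lognormvariate(line.sev_mu, line.sev_sigma)
        if severity >= line.threshold:
            total += severity
    return total


def quantile(values: List[float], q: float) -> float:
    """Empirical quantile: smallest sample value with at least a fraction q at or below it."""
    ordered = sorted(values)
    idx = min(len(ordered) - 1, max(0, math.ceil(q * len(ordered)) - 1))
    return ordered[idx]


def capital_requirement(expected_loss: float, unexpected_loss: float,
                        el_offset_demonstrated: bool) -> float:
    """S28: capital is EL + UL unless the expected-loss offset has been demonstrated."""
    return unexpected_loss if el_offset_demonstrated else expected_loss + unexpected_loss


def apply_mitigation(capital: float, mitigation_credit: float) -> float:
    """S30: recognised mitigants may reduce the exposure by no more than 20%."""
    if mitigation_credit < 0.0:
        raise ValueError("mitigation credit cannot be negative")
    return capital * (1.0 - min(mitigation_credit, 0.20))


def operational_risk_capital(lines: List[BusinessLine], n_years: int = 10_000,
                             confidence: float = 0.999, mitigation_credit: float = 0.0,
                             el_offset_demonstrated: bool = False,
                             seed: int = 2024) -> Dict[str, float]:
    """Monte Carlo loss distribution approach over a one-year horizon (S25)."""
    rng = random.Random(seed)
    # Simulate each line separately so stand-alone figures are available for S29.
    per_line = {ln.name: [simulate_annual_loss(ln, rng) for _ in range(n_years)]
                for ln in lines}
    # Independence assumption: add up each simulated year across the lines.
    aggregate = [sum(per_line[ln.name][year] for ln in lines) for year in range(n_years)]
    expected_loss = sum(aggregate) / n_years
    var = quantile(aggregate, confidence)
    unexpected_loss = var - expected_loss
    # S29 conservative alternative when dependence is uncertain: treat the lines as
    # perfectly dependent, for which the aggregate VaR is the sum of stand-alone VaRs.
    conservative_var = sum(quantile(per_line[ln.name], confidence) for ln in lines)
    before_mitigation = capital_requirement(expected_loss, unexpected_loss,
                                            el_offset_demonstrated)
    return {
        "expected_loss": expected_loss,
        "var": var,
        "unexpected_loss": unexpected_loss,
        "conservative_var": conservative_var,
        "capital_before_mitigation": before_mitigation,
        "capital": apply_mitigation(before_mitigation, mitigation_credit),
    }


if __name__ == "__main__":
    # A 35% mitigation claim is capped at the 20% allowed by S30.
    for key, value in operational_risk_capital(SAMPLE_LINES, mitigation_credit=0.35).items():
        print(f"{key:>26}: {value:,.0f}")
```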

Data maintenance

S31: Institutions using the Advanced Measurement Approach for regulatory capital purposes must use advanced data management practices to produce credible and reliable operational risk estimates.


Testing and verification

S32: The institution must test and verify the accuracy and appropriateness of the operational risk framework and results.

S33: Testing and verification must be done independently of the firm-wide operational risk management function and the institution's lines of business.

The four US supervisors intend to issue the finalized rules in mid-2006, although there are still differences among supervisors on some very specific issues of implementation.


9.2 Pillar 2 and other risks

9.2.1 Supervision of other risks

The Basel II Framework includes business risk, strategic risk and reputational risk under "other risks". The Accord says very little about how banks should manage other risks or the role of the local supervisor. The Accord states:

"Although the Committee recognizes that other risks, such as reputational and strategic risk, are not easily measurable, it expects the industry to further develop techniques for managing all aspects of these risks."


Operational and other risk management is not limited to the requirements of Basel II. Indeed, there are many influences on the level and types of control, management and supervision required that are not covered in Basel II under Pillar 1 (see Section 9.2.3).

To meet the range of regulations many banks have developed their own risk models and management frameworks. Under Pillar 2 banks are required to disclose these models to their supervisors with regard to their structure, use and results.

The FSA requires banks to report immediately if certain significant events happen. The risk to a bank's reputation is one of the factors used to determine if an event is significant.


The US regulatory guidance on supervision, when defining operational risk, explicitly permits banks to include non-Basel operational risks by stating:

"An institution's definition of operational risk may encompass other risk elements as long as the supervisory definition is met."

It should be noted that the Basel II definition of operational risk excludes risks that many banks consider are appropriate to include.


9.2.2 Reputational risk

It is not unusual to find major banks incorporating some of the other risks in their capital assessment calculations. Chief amongst the other risks included is reputational risk.

Reputational risk is defined as the risk of potential damage to a firm resulting from negative public opinion.


Reputational risk events can result from many different causes, including:

Misselling of products
Process errors
Losses from poor investments
Control failures
Fraud and theft
Staff actions
Outsourcing
A display of values not shared by the customers
Non-ethical investments
Events & trends in other banks that affect the banking industry as a whole
Technology failures
Marketing mistakes
Poor business & strategic decisions
Large losses due to credit or market risks


All the above events have one thing in common: they can leave the customer/general public with a negative opinion of the bank, and asking questions such as:

is the bank operated correctly?
does senior management know what they are doing?
is my money safe?

A detailed description of each of the causes of reputational risk is beyond the scope of the Certificate.


Unlike many of the traditional operational risks, for example fraud, reputational risk is a more modern phenomenon. In the past reputational damage generally tended to result from other risk events, such as credit, market or operational events. Today it is becoming more common for banks to suffer damage to their reputation even without a control failure, or as a result of a minimal loss/impact event.


9.2 Pillar 2 and other risks

9.2.2 Reputational risk example

Barclays Bank

The British bank Barclays suffered a series of public relations


problems during April 2000, according to reports in the Financial
Times.

First, Barclays announced that 172 rural branches were to close on


the same day. The fact that Barclays was the last major UK bank to
announce branch closures, and was no more aggressive than its
competitors, went almost unnoticed. The bank found itself
portrayed as the villain in a wider debate about the demise of rural
banking services.

At the same time the Barclays annual report revealed large increases
in the salaries of senior management. There was also news of a senior
executive share incentive scheme to be approved at the forthcoming
annual meeting. The incentive scheme was based on the bank's financial
performance and could have led to a 30-fold increase in senior
executives' total remuneration.

None of these announcements could be considered a bad business
decision. For example, the branch closures reduced the bank's
underlying costs. The senior management salaries were in line with the
rest of the industry, and the incentive scheme would only be realized
if the bank showed a significant increase in profit. The cause of this
reputational risk incident was purely down to the timing of the
different announcements and events beyond Barclays' control.

Level 1 discussed the increase in the frequency and impact of
reputational risk, partially due to increased globalization and
real-time media coverage.

The above example clearly shows how banks have to be aware of
reputational risks. It is now possible for banks to suffer major
reputational damage from seemingly unconnected events, or even from
the actions of individuals.

The confidence that the general public has in a bank can be affected
by what an individual does or says.

For example, if a bank's marketing department used a celebrity to
advertise the bank then the actions of that person could have a direct
impact on the bank's reputation.

If the celebrity is arrested for shoplifting or possession of drugs, or
simply falls out of favor, the resultant negative publicity could, by
association, have an adverse effect on the bank's reputation.

With today's 24-hour media coverage there is another seemingly small
event that has the potential to cause severe reputational damage.
Employees, particularly senior ones, need to be careful of what they
say in public.

The UK retail industry provides the most powerful example of this. In
1991 the owner of Ratners, a popular jeweler, joked in a speech that
some of his products were "total crap".

As a result of media reporting on his speech, GBP 500 million was
wiped off the value of the company; he was forced to resign and
Ratners was renamed Signet in 1993.

It is now far more likely that banks will suffer some form of
reputational damage as a result of a risk incident than it was even
ten years ago. This is because a bank's brand and brand image are
playing an increasing role in its competitive position. As a result
banks are becoming:

more protective of their reputation
more proactive in managing their reputation, and
more aware of the financial value of their reputation.

Banks now tend to include reputational risk as one of the key elements
in their definition of operational risks. Thus reputational risk is
measured, managed and mitigated using the bank's operational risk
strategies and is included in its capital calculations.

9.2.3 Other legal requirements

For many banks, particularly international banks, it is not just the
Basel II Accord that requires them to manage operational risk,
although Basel is the only one that requires them to allocate capital
against those risks. The challenge for many banks is the definition of
operational risk.

For example, what Basel II defines as "other risks" may be included in
the definition of operational risk by other regulatory regimes.

It is important for banks to have a definition of operational risk that
is broad enough to let them meet all regulatory requirements, but which
is also narrow enough to be manageable. Banks should then build their
operational risk measurement and management framework around this
definition.

Sarbanes-Oxley

In the US banks are required to conform to multiple regulatory
regimes. For example, US supervisors intend to regulate the
international banks using the Basel II Accord.

However, as large corporations these banks are already subject to the
Sarbanes-Oxley Act of 2002, which introduced statutory requirements
for corporate accountability. Section 404 of the Act requires external
auditors to confirm that the corporation has good working controls over
its financial reporting.

Under Basel II internal control failures, including those related to
financial reporting, are managed within the operational risk framework
of the bank.

To assist with their operational risk requirements banks are adopting
standards from other industries, for example the Committee of
Sponsoring Organizations of the Treadway Commission's Enterprise Risk
Management - Integrated Framework (COSO/ERM, see Section 7.4), for
their definitions, management and reporting processes.

It is important for banks to ensure that they have a single operational
risk framework. Furthermore, the framework should meet all the
regulations under which the banks operate and should be capable of
managing all the operational and other risks defined by various
supervisors.
