December 2016

Introduction

Operational risk management has been of growing interest in the financial sector for close to two decades. The Basel Committee on Banking Supervision (the “Basel Committee”)Bank for International Settlements. Operational Risk Management, September 1998. was the first in the industry to set out its expectations. The International Association of Insurance Supervisors (IAIS) also recommends the sound management of operational risks.International Association of Insurance Supervisors. Insurance Core Principles, updated November 2015. In response to these increasing concerns of international bodies, several members of the Organisation for Economic Co-operation and Development (OECD) have published guidance regarding operational risk management.

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.This definition includes legal risk, but excludes strategic and reputational riskThe risk arising from a negative perception on the part of customers, counterparties, shareholders, investors, creditors, market analysts, other relevant parties or regulators that can adversely affect an institution’s ability to maintain its activities. . Bank for International Settlements. Principles for the Sound Management of Operational Risk, June 2011. The use of new technology and the sustained pace of structural change increase financial institutions’ exposure to such risks.

The AMF therefore considers operational risk to be one of the major risks to which financial institutions are exposed. With the aim of adhering to guiding principles in such matters and in view of the growing importance of this risk, the AMF considers it essential to set out its expectations regarding the necessary management of operational risk. With respect to governance, this guidelineA document that describes the steps that financial institutions can take to satisfy their legal obligation to follow sound and prudent management practices and sound commercial practices. aims to promote the strengthening of the risk cultureThe set of norms, values, attitudes and behaviours that characterizes the way in which a financial institution conducts its activities related to risk awareness, risk taking and risk management and controls. since the identification, assessment, control, mitigation and oversight of operational risk require the commitment of all internal stakeholdersAny individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a result, a decision or an intervention coming from another party. According to ISO 9001: 2015, the expression “stakeholders” includes any person or organization that may be affected by a decision or activity. In addition, Principle 5, adopted by the G7 countries to protect the financial system against cyberattacks, cites examples of both internal and external stakeholders, such as law enforcement, regulators and other public authorities, as well as shareholders, third-party service providers and consumers, as appropriate. [G7, Fundamental Elements of Cybersecurity for the Financial Sector, Principle 5, October 2016]. and primarily the board of directorsA body of elected or appointed individuals ultimately responsible for the governance and oversight of a financial institution. , senior managementThe group of individuals responsible for managing a financial institution on a day-to-day basis in accordance with the strategies and policies set by the board of directors. and the different lines of defence.Autorité des marchés financiers. Governance Guideline.

In addition, the management of risks inherent to people, processes, systems and external events helps determine the level of tolerance to operational risk and the oversight of risks according to business sectorFor the purposes of this guideline, a unit corresponds to the institution’s smallest component to which operational or administrative responsibility is given. A business sector can consist of one or more units., along with the optimization of processes and information systems, as recommended in the Integrated Risk Management Guideline.Autorité des marchés financiers. Integrated Risk Management Guideline.

Given the general nature of this guideline, it will henceforth be the umbrella guideline for more specific guidelines on areas related to operational risk, including business continuityThe capability of an organization to continue delivering products or services at acceptable predefined levels following a disruptive incident. management,Autorité des marchés financiers. Business Continuity Management Guideline. outsourcing risk managementAutorité des marchés financiers. Outsourcing Risk Management Guideline. and financial crime risk management.Autorité des marchés financiers. Financial Crime Risk Management Guideline. As a result, any new prudential frameworkA supervisory approach based on principles rather than the enactment of specific rules, favouring financial institutions’ adoption of best practices through guidelines. regarding the risks inherent to people, processes, systems or external events will clarify the broad principles set forth herein.

It is important to note that this guideline does not consider either the modeling or quantification of operational risk since these issues are specifically discussed in the framework relating to the capital requirements of the various entities referred to above. Furthermore, the prudential orientations regarding operational risk management should be seen as complementary to the calculation of operational risk capital requirements rather than a consequence of that activity, as suggested by the Basel Committee.Bank for International Settlements. Review of the Principles for the Sound Management of Operational Risk, October 2014.

1. Governance of financial institutions

The implementation of a reliable governance structure as set forth in the Governance Guideline and the Integrated Risk Management Guideline is essential to the sound management of operational risk.

1.1 Roles and responsibilities of the board of directors

In keeping with the operational risk management frameworkA set of policies, procedures and controls for managing an organization’s key functions. and the expectations in the Governance Guideline and the Integrated Risk Management Guideline, the board of directors should:

• approve and periodically re-examine the operational risk management framework;

• ensure the promotion of an operational risk management culture within the financial institution;

• ensure the effectiveness of the operational risk management framework and its consistency with the integrated risk managementA set of practices and processes, supported by a risk-aware culture and enabling technologies, that improves decision making and performance through a holistic view of a financial institution’s set of risks. framework;

• supervise senior management to ensure that the operational risk management framework is being applied;

• approve and re-examine the operational risk toleranceRisk tolerance sets boundaries on the level of risks a financial institution is prepared to accept based on its risk appetite. level, supported principally by the work of the internal auditInternal audit ensures the systematic and independent assessment of all risk management, control and governance processes. It constitutes the third line of defense of a financial institution. function.

1.2 Roles and responsibilities of senior management

In keeping with the operational risk management framework and the expectations in the Governance Guideline and the Integrated Risk Management Guideline, senior management should:

• implement and maintain policiesA set of general principles adopted by a financial institution for conducting its activities in a given area. , processes and systems reflecting the operational risk management framework in accordance with operational risk tolerance levels;

• ensure that adequate mechanisms are set up for reporting situations where operational risk tolerance levels are exceeded;

• establish hierarchical responsibilities and reporting in order to delineate the allocation of duties and promote and maintain accountability;

• ensure appropriate co-ordination and effective communicationAutorité des marchés financiers. Integrated Risk Management Guideline. between, on the one hand, the chief risk officer and the operational risk officer and, on the other hand, between these two individuals, business line managers and outsourcing officers;Autorité des marchés financiers. Outsourcing Risk Management Guideline.

• ensure the availability, sufficiency and adequacy of operational risk management resources;

• ensure that targeted risk management training is given to managers and their teams.

The board of directors and senior management has primary responsibility for defining the operational risk management framework and promoting a risk management culture. However, they can rely on the support of the various lines of defence to validate and verify that operational risk management is being applied to all of the institution’s activities, processes and systems. To do this, they must ensure that each line of defence has the necessary resources and that their work is co-ordinated appropriately.

1.3 Roles and responsibilities of the lines of defence

The three lines of defence model delineate between the roles and responsibilities of the various operational risk management stakeholdersAny individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a result, a decision or an intervention coming from another party. . It should be established in light of the financial institution’s nature, size, risk profileA financial institution’s overall level of risk exposure that is based on an evaluation of the risks inherent in the financial institution’s significant activities, its ability to manage risks, its financial condition and its commercial practices. and operational complexity.

This model should also enable the institution to co-ordinate initiatives to improve its operational risk management practices in regard to more subjective factors, such as its culture and values.

The AMF has already articulated its expectations concerning the roles and responsibilities of the lines of defence in its Governance Guideline. Financial institutions should draw on these concepts and adapt them to their operational risk management context.

2. Operational risk management

As recommended by the Integrated Risk Management Guideline, the adequate risk management begins with promoting a sound risk cultureThe set of norms, values, attitudes and behaviours that characterizes the way in which a financial institution conducts its activities related to risk awareness, risk taking and risk management and controls. . In terms of operational risks, the establishment of such a culture must come from the board of directors and senior management and be modeled on the extent of operational risk exposure and, accordingly, the commitment required by all levels of the institution to properly manage these risks.

This awareness should also extend to external stakeholdersAny individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a result, a decision or an intervention coming from another party. , including material third-party service providers, since outsourcing exposes an institution to operational risks (e.g., cyber-risk exposure). In addition, the culture can be strengthened by providing ongoing training on operational risks to individuals in charge of all business sectors.

Although the orientations of the Integrated Risk Management Guideline apply to all types of risk, operational risk calls for special and more comprehensive management since it is inherent in the people, processes, systems and external events of a financial institution and solicits the commitment of those in charge of the financial institution’s activities, processes and systems.

Operational risk management should also bring to light situations where the conduct of stakeholders associated with particular products, activities, processes or systems does not ensure the fair treatment of consumers. For example, a security breach caused by the accidental disclosure of a customer’s personal information or the deliberate leaking of confidential information is a form of operational risk that might affect the fair treatment of consumers, which could ultimately harm an institution’s reputation.

The effectiveness of such management should be validated and verified regularly, based in particular on a significant variation in exposure to operational risk, which could be attributable to factors such as the marketing of new products or changes resulting from organizational transformations affecting people, processes and systems or from external events (e.g., a transfer, acquisition or merger). Such changes can require a review of operational risk tolerance levels.

Operational risk management should serve to validate the effectiveness of the internal controlThe set of control mechanisms implemented in a financial institution to give its decision-making bodies reasonable assurance that the objectives relating to operational effectiveness and efficiency, safeguarding of assets, reliability of information and compliance will be met. mechanisms in place. It is expected that such controls will be established based on the level of operational risk tolerance in order to comply with the risk tolerance levels determined by each business sector and propose other controls better adapted to the situation, as applicable.

2.1 Identification and assessment of operational risk

Several tools are available to financial institutions to facilitate their efforts to identify and assess operational risk. They include:

• risk self-assessment;

• control effectiveness analysis;

• internal and external loss event analysis;

• risk analysis specific to each current product, process and system;

• expert-based scenario analysis;

• exposure quantification modeling.

The AMF does not promote particular tools for identifying or assessing operational risk; it is up to institutions to choose and implement them based on their size, nature, complexity and risk profileA financial institution’s overall level of risk exposure that is based on an evaluation of the risks inherent in the financial institution’s significant activities, its ability to manage risks, its financial condition and its commercial practices. . The chosen tool or set of tools should be used consistently throughout all business sectors in order to arrive at a comprehensive assessment of operational risk exposure.

In view of the expectations set forth by the AMF in its Outsourcing Risk Management Guideline, the operational risks inherent in all material outsourcing arrangementsAn outsourcing arrangement that may have a major impact on an institution’s financial condition, its operations and, ultimately, its reputation. should be identified and assessed. Moreover, financial institutions should ensure that material third-party service providers are able to provide quality service.

In addition, internal proceduresA set series of tasks to be performed. It is generally the result of imperatives that cannot be negotiated by the individual who applies it. for approving new products, activities, processes or systems should encompass the identification and assessment of inherent operational risk by ensuring that the tolerance level for this type of risk is not exceeded.

2.2 Monitoring and reporting

Best practices advocate in favour of setting up a register to record incidents where pre-established operational risk levels are exceeded. An institution should ensure that the procedureA set series of tasks to be performed. It is generally the result of imperatives that cannot be negotiated by the individual who applies it. for updating the register or any other disclosure mechanism is consistent across all business sectors according to pre-established policiesA set of general principles adopted by a financial institution for conducting its activities in a given area. .

Based on an analysis of the most significant incidents in the register, operational risk reports should allow the board of directors and senior management to identify the main sources of unmitigated operational risk. Such reports should include the source, whether internal or external, as well as all potential impacts.The Business Continuity Management Guideline recommends establishing processes for identifying major operational incidentsAn event that disrupts, slows down or interrupts an institution’s critical functions. . They should also incorporate the recommendations made by both the AMF and the audit functions, where applicable, about managing operational risk as well as the corresponding action plans approved by decision-making bodiesThe board of directors, senior management and persons in charge of oversight functions. .

Furthermore, the AMF expects financial institutions to meet the disclosure and transparency expectations set out in the Governance Guideline by implementing the necessary mechanisms for promptly advising internal and external stakeholdersAny individual, group or organization that can affect, be affected by, or perceive itself to be affected by, a result, a decision or an intervention coming from another party. likely to sustain serious harm due to a major operational incident (cyber incident, system failure, etc.).Refer to Principle 5 in G7 Fundamental Elements of Cybersecurity for the Financial Sector, October 2016. Such an approach will enable the AMF, as a stakeholder, to be proactive in identifying practices that can undermine operational risk management.

2.3 Control and mitigation

The AMF has indicated in its Governance Guideline that control mechanisms should give decision-making bodiesThe board of directors, senior management and persons in charge of oversight functions. reasonable assuranceRefers to all of the audit evidence that the auditor may require to be able to conclude that the financial statements taken as a whole do not contain material misstatements. that the objectives relating to the following will be met:

• operational effectiveness and efficiency;

• safeguarding of assets;

• reliability and transparency of internal and external financial and non-financial information;

• compliance with applicable laws, regulations and standards.

The AMF expects these mechanisms to be adaptable to changes in the financial institution’s business and in technology. In addition, financial institutions using insurance to transfer operational risk should ensure that it always complements their own control mechanisms for this type of risk.