RBI: Given that the connection between banks and non-bank entities is becoming more complicated, it is necessary to update operational risk management. After operational risk (OR) was introduced in banks’ risk management frameworks under Basel II in 2003–04, the RBI issued a directive in 2005 for all scheduled commercial banks. In almost 20 years, operational complexity and complexity have changed due to the expansion of core and subsidiary companies, forcing banks to work with many non-bank entities and increasing OR.
Banks thus become vulnerable to RE deterioration by offering insurance, mutual funds and other ancillary services with other REs. With exposure to creative businesses using interoperable technology, RE balances have grown dramatically with GDP and sector expansion. OR have become more complicated due to inter-institutional trust, product diversity and changing tech-savvy clients.
Financial sector reforms based on new technologies, financial inclusion and digital penetration have increased interrelated risks over time. The trinity of Jandhan, Adhaar and Mobile (JAM) has facilitated last mile connectivity with the hinterland and put more pressure on RES to balance business and business risks. The expansion of non-core activities allowed banks to reduce interest income and increase non-recurring fee income. Faster reforms of the insurance sector and more alternative investment alternatives required REs to balance core and non-core businesses with their risk appetite to reduce OR. Handling multiple spin-offs to increase fee income required skill enhancement and strong internal controls to limit OR.
RBI consciously reduces regulatory arbitrage between banks and non-banks and mandates all REs to use the same risk management architecture, but this is an ongoing process.
The recent build-up of risks warranting regulatory action under Section 35A of the Banking Regulation Act 1949 and increasing penalties for non-compliance suggest that REs need to reinvent strategies and institutionalize better internal controls to manage OR and other risks.
-
New OR instructions:
On 30 April 2024, the RBI revised and issued new guidelines on RE and Operational Resilience to (i) support and improve OR management of RE and (ii) enhance operational resilience of RE in the face of a complex and dynamic financial system. Revokes its 2005 OR recommendation.
Although based on the Basel Committee on Banking Supervision (BCBS), which announced in March 2021 that it conforms to the updated OR sound governance principles combining operational resilience and global best practices, the current OR guidelines are suitable for RE.
The instructions will not include methods for calculating OR’s capital. From 1 April 2024, the RBI will govern it under the ‘Master Circular – Basel III Capital Regulations’ (as amended), replacing it with the ‘Main Directive on Minimum Capital Requirements for Operational Risk’ dated 26 June 2023. The ‘Main Directive on Minimum Capital Requirements for Operational Risk’ from 26 June 2023 will also govern the classification of loss event data, which RE can use.This will not be in the operating theater and operational durability guidelines. The calculation of the capital requirement for the collection of OR and loss data will be based on the guidelines and not the guidelines from time to time.
-
Key changes:
The revised instruction is detailed. It can protect RE from current and emerging ORs if properly applied. Fundamental organizational and political adjustments will be interesting.
(a) OR guidelines now cover all REs including cooperative banks and all Indian financial institutions and enhance operational resilience. All RE must implement it with appropriate systems and controls, reduce regulatory arbitrage and strengthen the resilience of the financial system.
(b) The guidance now includes a “three lines of defense” model for risk management, with the business unit as the first line of defense, the organizational management function OR (including the compliance function) as the second line, and the audit function as the third line.
The conventional OR organizational structure for banks was designed earlier. Now that diversity, size, and functional complexity are considered, REs decide on organizational structure.
(d) RE must institutionalize an updated management-specified change management system with comprehensive principles to strengthen transition capabilities in a dynamic business and leadership environment.
(e) Mandatory mapping of internal and external interconnections and interdependencies, incident management, ICT and disclosure.
Connections with third parties and outsourcing advice were inconsistent. RE must now focus on third-party relationships that are broader than outsourcing.
-
The way forward:
The new advice is comprehensive to help restore the risks of restrictions, especially OR. OR management addresses day-to-day risks, while operational resilience is a long-term goal to strengthen system controls and ensure RE resilience to unexpected ORs.
Recent deficiencies and fragility in the governance of the outermost regions in some renewables indicate gaps in risk management. RBI now requires REs to build operational resilience in managing ORs. Res will need to use it to create a long-term OR strategy and build operational resilience to maintain excellent risk management. Thus, Res must strengthen OR implementation and operational resilience over tim