RBI, vide circular dated April 30, 2024, has issued a Guidance Note on Operational Risk Management and Operational Resilience (“Guidance Note”), focusing on operational resilience as an outcome of operational risk management. The Guidance Note is applicable to all commercial banks, non-banking financial companies (“NBFCs”), co-operative banks, and all India financial institutions. With the issuance of this Guidance Note the Guidance Note on Management of Operational Risk dated October 14, 2005, stands repealed. Through this Guidance Note, the RBI intends to:
- bring in place a 3 (three) line defence model for the REs, where business unit will form the first line of defence, followed by organizational operational risk management function (including compliance function) and audit function forms the third line of defence;
- update the guidance on change management with a specifically detailed principle on it;
- keep separate principles for mapping of internal and external interconnections and interdependencies, incident management, Information & communication technology, and disclosures;
- keep a focused principle on third-party relationship, which is a broader concept than outsourcing;
- introduce new principles on lessons learned, exercise and continuous feedback mechanism; and
- drop the approaches for operational risk capital calculation as some REs such as local area banks, small finance banks and payment banks are presently not required to maintain a separate regulatory capital for operational risk.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.