1.1 Operational Risk is inherent in all banking/ financial products, services, activities, processes, and systems. Effective management of Operational Risk is an integral part of the Regulated Entities' (REs) risk management framework. Sound Management of Operational Risk shows the overall effectiveness of the Board of Directors and Senior Management in administering the RE's portfolio of products, services, activities, processes, and systems.
1.2 An operational disruption can threaten the viability of an RE, impact its customers and other market participants, and ultimately have an impact on financial stability. It can result from man-made causes, Information Technology (IT) threats (e.g., cyber-attacks, changes in technology, technology failures, etc.), geopolitical conflicts, business disruptions, internal/external frauds, execution/ delivery errors, third party dependencies, or natural causes (e.g., climate change, pandemic, etc.).
1.3 An RE needs to factor in the entire gamut of risks (including the aforesaid risks in its risk assessment policies/ processes), identify and assess them using appropriate tools, monitor its material operational exposures and devise appropriate risk mitigation/management strategies using strong internal controls to minimize operational disruptions and continue to deliver critical operations, thus ensuring operational resilience.
1.4 Until recently, the predominant Operational Risks that REs faced emanated from vulnerabilities related to increasing dependence and rapid adoption of technology for provision of financial services and intermediation. However, the financial sector's growing reliance on third-party providers (including technology service providers), exacerbated by the Covid-19 pandemic with greater reliance on virtual working arrangements, has highlighted the increasing importance of Operational Risk Management and Operational Resilience, which not only benefits the RE by strengthening its ability to remain a viable going concern but also supports the financial system by ensuring continuous delivery of critical operations during any disruption.
1.5 In view of the foregoing, the Reserve Bank, through this Guidance Note on Operational Risk Management and Operational Resilience (hereafter 'Guidance Note') intends to:
1.5.1 promote and further improve the effectiveness of Operational Risk Management of the REs, and
1.5.2 enhance their Operational Resilience given the interconnections and interdependencies, within the financial system, that result from the complex and dynamic environment in which the REs operate.
1.6 This Guidance Note updates the "Guidance Note on Management of Operational Risk" dated October 14, 2005. It has been prepared based on the Basel Committee on Banking Supervision (BCBS) principles documents issued in March 2021, viz., (a) 'Revisions to the Principles for the Sound Management of Operational Risk' and (b) 'Principles for Operational Resilience' as well as some of the international best practices.
1.7 The Guidance Note has adopted a principle-based and proportionate approach to ensure smooth implementation across REs of various sizes, nature, complexity, geographic location and risk profile of their businesses. Although the exact approach may vary from RE to RE, the Guidance Note provides overarching guidance to REs for improving and further strengthening their Operational Risk Management Framework (ORMF). It gives adequate flexibility to REs for Operational Risk Management to enhance their ability to withstand, adapt and recover from potential operational disruptions and ensure their Operational Resilience. The systems, procedures and tools prescribed in this Guidance Note are indicative in nature and should be read in conjunction with the relevant instructions issued by the Reserve Bank from time to time. In case of inconsistency, if any, the relevant instructions issued by the Reserve Bank would prevail.
1.8 The operational risk regulatory capital requirements shall continue to be guided by the applicable guidelines.
1. The approach for operational risk capital calculation for banks is detailed in "Master Circular - Basel III Capital Regulations" dated April 1, 2024, as amended from time to time. However, REs such as Small Finance Banks, Payments Banks, Regional Rural Banks, Local Area Banks, NBFCs, and Co-operative Banks are not required to maintain separate regulatory capital for operational risk.
2. "Commercial Banks" means all banking companies, corresponding new banks, Regional Rural Banks and State Bank of India as defined under subsections (c), (da), (ja) and (nc) of Section 5 of the Banking Regulation Act, 1949. This also includes banks incorporated outside India and licensed to operate in India ('Foreign Banks'), Local Area Banks, Payments Banks, and Small Finance Banks.