The Monetary Authority of Singapore (MAS) has issued a consultation paper on the Updated Guidelines on Operational Risk Management (ORMG). These guidelines aim to enhance the resilience of financial institutions (FIs) amid increasing digitalisation, interconnectedness and cyber-related threats. Once finalised, the updated ORMG will replace the existing 2013 version and take effect after six months.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, actions or omissions of persons, systems, or external events. It is inherent in all business products, activities, processes and systems. External operational risk events can arise from pandemics, natural disasters, cyber-attacks and supply chain disruptions. These disruptions can also have knock-on effects on other firms and may even have larger-scale implications for financial markets.
The ORMG seeks to strengthen governance and improve risk practices. It builds on existing MAS expectations and incorporates key guidance elements by the Basel Committee on Banking Supervision (Revised Principles for the Sound Management of Operational Risk).
While the guidelines apply to all FIs, MAS recognises the need for proportionality. FIs may tailor their implementation based on the scale and complexity of their operations and the materiality of the risks they manage. This approach aims to support practical adoption without imposing undue burdens on smaller players.
FIs with business operations that are not complex (for example, small FMCs, agency brokers, and other boutique FIs) could rely on their current available resources to meet MAS’ Operational Risk Management (ORM) expectations (which are highlighted below). As a start, the Risk Management or Compliance functions of these smaller FIs can take the lead in identifying and mapping potential operational risk in products, activities, processes and systems, with the support of other stakeholders such as the IT team and Operations. For such FIs, a dedicated ORM function may not be required.
Operational Risk Management Framework
The ORM framework should enable an FI to effectively identify, assess, treat, monitor, review and report on operational risk on a timely basis. The framework should cover:
Governance structures for board and senior management’s oversight.
A risk appetite and tolerance statement stating the types and levels of operational risk.
A comprehensive common taxonomy of operational risk terms.
Policies, standards and procedures to manage operational risk across all material business products, activities, processes and systems.
Tools to manage operational risks and controls.
Thresholds for monitoring inherent and residual risk exposure.
An inventory of controls implemented by business units to mitigate identified risks.
Appropriate independent reviews and challenge of the outcomes of the risk management process.
An FI should implement an effective three lines of defence model to manage its operational risks: (1) business units, (2) an independent ORM function and (3) an independent audit. Each line of defence should have clearly defined roles and responsibilities, appropriate segregation of roles, be adequately resourced and communicate with each other to reinforce the ORM framework.
Responsibilities of Board and Senior Management
The board has the ultimate responsibility for the oversight of an FI’s operational risk. An FI should establish a dedicated senior management-level ORM committee to accord adequate attention to operational risk matters. This committee should include members with adequately diverse expertise, covering business, finance, legal, technology, regulations and risk management.
The board and senior management should establish and maintain an appropriate risk culture, set standards and incentives for responsible behaviour, and ensure staff receive appropriate risk management and ethics training.
Operational Risk Management Process
MAS expects an FI’s ORM process to include the following and to cover all business products, activities, processes and systems.
Risk identification and assessment – identify the operational risks the FI is exposed to and assess their impact on the FI’s operations.
Risk treatment – select and implement risk treatment options to manage the FI’s operational risks.
Risk monitoring and reporting – monitor and report the FI’s operational risks to the board and senior management.
An FI should also have in place appropriate reporting mechanisms to keep MAS apprised of significant developments affecting the FI’s operational risk profile. FIs should notify MAS of significant operational events, including but not limited to significant operational losses, failures in systems or controls, organisational changes and changes in their operational risk profile.
Change Management
An FI should establish a robust change management process to identify and assess material incremental risks arising from planned changes in its operations. Policies, standards and procedures should set out the criteria and process for approving changes. This should cover the full lifecycle, from inception to termination (e.g., of a business product).
Disclosure
An FI should take reasonable steps to ensure public disclosures allow stakeholders to understand its approach to ORM and its operational risk exposures. The extent of such disclosures should be commensurate with the scale of its operations.
How Ocorian can help
We can help you interpret the guidelines, identify gaps in your current ORM framework, and translate requirements into tailored ORM frameworks and tools aligned with MAS expectations.
To learn more about how we can support your firm, contact us.