Page 35 - 86395_CCB - 2024 Annual Report (web)
Operational
Description The risk that events arising from inadequate or failed internal processes, people,
and systems, including Fraud, or from external events cause regulatory censure,
reputational damage, financial loss, service disruption and/or customer detriment.
Operational resilience metrics are included within Operational Risk reporting.
Governance Board Risk & Compliance Committee
Risk Management Committee
Operational Risk Policy & Standard
Risk Appetite Statement The Bank maintains a low appetite for Operational Risk and aims to minimise incidents and
losses arising from operational risk issues by maintaining a resilient infrastructure, including
robust systems, employing and training the right people, minimising the impact of external
events, and having a framework in place to ensure operational risks are captured, monitored,
and mitigated, with root cause understood and lessons learned. This includes clear first
line ownership of operational risks and controls, with oversight, review, challenge, and
assessment by the second line. The third line Internal Audit Function provides independent
assurance to the Board over operational risk management. Focus is maintained on key risks
and the associated control environment, including outsourcing and third‑party suppliers,
operational resilience, people, cyber and technology risks, noting that the Bank has a
lower appetite for risks associated with material outsourcing and critical non‑outsourcing
arrangements. The Bank ensures that its systems and operational capabilities are stable and
resilient, with preventative measures in place to enable the Bank to meet its agreed impact
tolerances, and effective business continuity and disaster recovery plans maintained to
limit the impact of disruption events. A suite of KRIs enables escalation of issues to Senior
Management and the Board; periodic reviews are undertaken via Risk and Control Self
Assessments, and Operational Risk Events are captured, recorded, reviewed, and reported
on, with root cause identified, trends reviewed, and actions taken to avoid recurrence.
Key Mitigants Risk and Control Self Assessments and Risk Registers.
Scenario Analysis.
Monitoring of Operational Risk Events and ‘deep dive’ analysis, where appropriate.
Review and challenge on projects and change management requests.
Monitoring of the risk posed using critical and outsourced suppliers.
Horizon scanning to ensure continued adherence to regulatory requirements and practices.
Maintaining knowledge of industry standards and changes.
Regular training and development of staff to ensure up to date knowledge base and embedded Risk and Control Self‑Assessment process.
Important business services identified, and resilience/tolerances set (see separate Operational Resilience section).
Comments Operational Risk is a key risk for the Bank. Operational Risk related losses have
historically been low. The framework has been strengthened during recent years with
the introduction of an Operational Risk Policy and Standards and a Risk Management
System, with enhancements continually under review to ensure that the Bank’s
Risk Framework is in line with its regulatory requirements and practices.

