On December 1, the China ** Industry Association issued the "Guidelines for the Operational Risk Management of ** Companies" (hereinafter referred to as the "Guidelines") to improve the comprehensive risk management system of the ** industry, prevent the operation risks of ** companies, and effectively strengthen the prevention, control and response of ** companies to various operational risk events.
The Guidelines aim to implement the requirements of the financial work conference. The China Industry Association said that the company should implement the spirit of the financial work conference, further improve the operational risk management structure, processes, tools and measures, prevent the transmission and resonance of risks across regions, markets and borders, and maintain the stable operation of the financial market. On the basis of the assessment, the association will further improve the construction of the self-discipline rule system for industry risk management, continue to supervise and guide the best companies to improve the level of comprehensive risk management, maintain the steady operation of the industry, and help the high-quality development of industry institutions.
Improve the early correction mechanism of financial risks with hard constraints.
* The financial work conference requires early identification, early warning, early exposure, and early disposal of risks, and improves the early correction mechanism for financial risks with hard constraints. According to the China Industry Association, the formulation of industry guidelines for the company's operational risk management is of great significance for improving the self-discipline rule system for comprehensive risk management in the industry, guiding the company to establish and improve the operational risk management mechanism, and improving the level of comprehensive risk management.
According to the China ** Industry Association, the drafting of the Guidelines follows the principles of comprehensiveness, enforceability and forward-looking.
The first is to cover the company's board of directors, board of supervisors, managers, departments, branches and subsidiaries and other levels, including risk identification and assessment, control and mitigation, monitoring and reporting, etc., covering business continuity operations, outsourcing risk management, employee behavior management, internal control and other special areas related to operational risk management.
The second is to fully consider the current situation of industry operation risk management, emphasize the adaptation to the company's own characteristics, scale and business complexity, focus on establishing a system, guiding the direction, improving the mechanism, laying a good foundation, and avoiding too high, too detailed or too strict requirements. The basic matters involved in operational risk management are clarified, and flexibility is given to management requirements other than basic matters.
The third is to emphasize forward-looking management, combined with the development trend of the industry and the background of digital transformation, emphasize the strengthening of operational risk management and control of new business, new products and key business areas, put forward guidance on operational risk monitoring through the application of information technology and data analysis, and put forward requirements for system construction, data governance and data quality control related to operational risks.
Seven types of business have improved operational risk management measures.
Specifically, the Guidelines combine the current situation of the industry and propose that the construction of the company's operational risk management system should meet regulatory requirements, adapt to its own development strategy, business characteristics, scale and complexity, and control the operational risk loss within its own tolerable range.
At the same time, the Guidelines put forward the principles of full staff, collaborative management, prudent response, and prevention and foresight of operational risk management. The principle of full staff emphasizes the coverage of all employees, the whole organization, and the whole process; the principle of collaborative management emphasizes the role of various professional functional departments and the collaborative development of operational risk management; the principle of prudent response emphasizes the prudent treatment of operational risks and the strengthening of management of key areas; the principle of prevention and foresight emphasizes that attention should be paid to the operational risks involved in new businesses and new products, including the operational risks that may be caused by new businesses and new products in existing business processes and information systems.
According to the Guidelines, securities firms should establish and continuously sort out and improve operational risk management measures for their main businesses, including but not limited to:
First, the brokerage business should establish and improve systems and processes such as account real-name system, customer information protection, abnormal transaction monitoring, large-value and suspicious transaction reporting, customer return visits, and customer complaint handling, so as to discover and properly handle risk events in a timely manner;
Second, key positions in proprietary business, such as investment decision-making, transaction execution, clearing and settlement, and risk monitoring, should be assigned to dedicated personnel, and centralized management and authority control of proprietary accounts should be strengthened;
Third, the investment banking business should standardize the due diligence process and project tracking management mechanism, clarify the requirements for the preparation of project-related materials and documents and the signature approval system, strengthen the review and control of the content of the preparation or assistance in the preparation of information disclosure documents, and strengthen the management of working papers;
Fourth, the asset management business shall be strictly separated from other businesses in accordance with the regulations, and the registration, valuation, accounting and income distribution of different asset management plan shares shall be handled in accordance with laws and regulations, self-discipline rules and contracts, and information disclosure shall be made to investors in a timely, accurate and complete manner;
Fifth, financing businesses such as margin financing and securities lending, pledge and other financing businesses should establish and improve the management system and business process of due diligence, parameter setting, instruction declaration, fund transfer, default disposal, etc., sign contracts with customers in accordance with regulations, and use appropriate methods to clearly explain, inform and confirm to customers;
Sixth, the OTC derivatives business should establish and improve the management system and process of important links such as customer access, generation and filing of transaction documents, transaction confirmation, transaction bookkeeping and review, valuation and accounting, etc., and the departments and personnel engaged in derivatives trading should be authorized at different levels;
Seventh, cross-border business should establish and improve management processes involving domestic and foreign business process connection, information system or data docking, cross-border flow of sensitive information, data backup, etc.
In terms of operational risk management structure and responsibilities, the Guidelines set out the requirements for overall coordination in management. The company's chief risk officer is responsible for operational risk management, and other senior management of the company is responsible for operational risk management in their respective areas of responsibility, and provides support for the chief risk officer to manage operational risk as a whole. **The company should clarify the departments and responsibilities responsible for operational risk management, and each functional department shall be responsible for managing the operational risks in its own functional area and provide management support to the lead department.
When the business system is launched, special operational risk identification and assessment needs to be carried out.
The Guidelines clarify the operational risk management mechanism, and propose that the operational risk management mechanism mainly includes risk identification and assessment, control and mitigation, monitoring and reporting.
In terms of risk identification and assessment, the Guidelines require companies to establish and improve a process catalogue of their main business and management. Risk and control self-assessments should be conducted on a regular or occasional basis, with the aim of embedding them into day-to-day business operations as much as possible. **The company shall carry out special operational risk identification and assessment in the event of a major risk event. It is emphasized that the company should establish a management process for new business and new products, fully identify and assess relevant operational risks, and carry out special operational risk identification and assessment when business systems go live. It is proposed to carry out risk identification and assessment through the monitoring results of key risk indicators.
In terms of risk control and mitigation, the "Guidelines" make it clear that the company has summarized 13 basic measures based on typical operational risk cases in the industry and relevant regulatory requirements, involving the division of responsibilities, authorization management, personnel management, information system and data, seal management, information disclosure, etc. It puts forward a number of basic operational risk management requirements for brokerage business, proprietary business, investment banking business, asset management business, financing business, over-the-counter derivatives business, and cross-border business.
In terms of risk monitoring and reporting, the Guidelines require the establishment of a key risk indicator system, gradually covering key focus areas and key business processes, and explain the reference direction for the establishment of indicators. Combined with the trend of digital transformation of the industry, it is proposed that operational risk monitoring can be carried out by collecting and analyzing relevant data by means of information technology. The Guidelines clarify the basic requirements for the company's loss data collection, and propose to actively collect operational risk loss data through internal and external information analysis, internal and external inspections, etc. They also put forward requirements for the operational risk reporting mechanism, operational risk rectification tracking, internal information sharing and collaborative rectification.
Clarify the requirements for emergency response.
The Guidelines also clarify the management requirements for special areas such as emergency response to operational risks, business continuity operations, outsourcing risk management, employee behavior management, and internal control.
The Guidelines put forward requirements for operational risk management related systems, data, stress testing, risk measurement, etc.
First, according to the actual situation of the industry, the basic requirements for the construction of the operational risk management system are put forward.
Second, in combination with the trend of digital transformation of the industry, the classification standards, data governance and quality control mechanisms of operational risk-related data are put forward, aiming to make full use of data to improve the efficiency and effectiveness of operational risk management.
The third is to put forward specific requirements for operational risk stress testing and principled requirements for operational risk measurement.