PRU 6
Operational risk
PRU 6.1
Operational Risk: Prudential Systems and Controls
- 31/12/2004
Application
PRU 6.1.1
See Notes
PRU 6.1 applies to an insurer unless it is:
- (1) a non-directive friendly society; or
- (2) an incoming EEA firm; or
- (3) an incoming Treaty firm.
- 31/12/2004
PRU 6.1.2
See Notes
PRU 6.1 applies to:
- (1) an EEA-deposit insurer; and
- (2) a Swiss general insurer;
only in respect of the activities of the firm carried on from a branch in the United Kingdom.
- 31/12/2004
Purpose
PRU 6.1.3
See Notes
- 31/12/2004
PRU 6.1.4
See Notes
- 31/12/2004
PRU 6.1.5
See Notes
- 31/12/2004
PRU 6.1.6
See Notes
- 31/12/2004
PRU 6.1.7
See Notes
- 31/12/2004
PRU 6.1.8
See Notes
- 31/12/2004
General Requirements
PRU 6.1.9
See Notes
High level rules and guidance for prudential systems and controls including those for operational risk are set out in PRU 1.4. In particular:
- (1) PRU 1.4.18 R requires a firm to take reasonable steps to ensure that the risk management systems put in place to identify, assess, monitor and control operational risk are adequate for that purpose;
- (2) PRU 1.4.19 R (2) requires a firm to document its policy for operational risk, including its risk appetite and how it identifies, assesses, monitors and controls that risk; and
- (3) PRU 1.4.27 R requires a firm to take reasonable steps to establish and maintain adequate internal controls to enable it to assess and monitor the effectiveness and implementation of its business plan and prudential risk management systems.
- 31/12/2004
Operational risk policy
PRU 6.1.10
See Notes
- 31/12/2004
PRU 6.1.11
See Notes
A firm should document its policy for managing operational risk. This policy should outline a firm's strategy and objectives for operational risk management and the processes that it intends to adopt to achieve these objectives. In complying with PRU 1.4.19 R (2), the documented operational risk policy of a firm should include:
- (1) an analysis of the firm's operational risk profile (see the FSA's interpretation of this term in SYSC 3A.5.1 G (3)), including where relevant some consideration of the effects that operational risk may have on the firm, including consideration of those operational risks within a firm that may have an adverse impact upon the quality of service afforded to its clients;
- (2) the operational risks that the firm is prepared to accept and those that it is not prepared to accept, including where relevant some consideration of its appetite or tolerance (see PRU 6.1.13 G) for specific operational risks;
- (3) how the firm intends to identify, assess, monitor, and control its operational risks, including an overview of the people, processes and systems that are used; and
- (4) where assessments of the firm's risk exposures are used for internal capital allocation purposes, a description of how operational risk is incorporated into this methodology.
- 31/12/2004
PRU 6.1.12
See Notes
- 31/12/2004
PRU 6.1.13
See Notes
- 31/12/2004
PRU 6.1.14
See Notes
- 31/12/2004
Risk identification
PRU 6.1.15
See Notes
In order to understand its operational risk profile, a firm should identify the types of operational risk that it is exposed to as far as reasonably possible. This might include, but is not limited to, consideration of:
- (1) the nature of a firm's customers, products and activities, including sources of business, distribution mechanisms, and the complexity and volumes of transactions;
- (2) the design, implementation, and operation of the processes and systems used in the end-to-end operating cycle for a firm's products and activities;
- (3) the risk culture and human resource management practices at a firm; and
- (4) the business operating environment, including political, legal, socio-demographic, technological, and economic factors as well as the competitive environment and market structure.
- 31/12/2004
PRU 6.1.16
See Notes
- 31/12/2004
PRU 6.1.17
See Notes
- 31/12/2004
Risk assessment
PRU 6.1.18
See Notes
- 31/12/2004
PRU 6.1.19
See Notes
In order to understand the effects of its operational exposures a firm should continually assess its operational risks. This might include, but is not limited to, consideration of:
- (1) actual operational losses that have occurred within a firm, or events that could have resulted in significant operational losses, but were avoided (for example, the waiving of financial penalties by a third party as a gesture of goodwill or where by chance the firm realised profits);
- (2) internal assessment of risks inherent in its operations and the effectiveness of controls implemented to reduce these risks (through activities such as self-assessment or stress testing and scenario analysis);
- (3) other risk indicators, such as customer complaints, processing volumes, employee turnover, large numbers of reconciling items, process or system failures, fragmented systems, systems subject to a high degree of manual intervention and transactions processed outside a firm's mainstream systems;
- (4) reported external (peer) operational losses and exposures; and
- (5) changes in its business operating environment.
- 31/12/2004
PRU 6.1.20
See Notes
- 31/12/2004
PRU 6.1.21
See Notes
- 31/12/2004
Risk monitoring
PRU 6.1.22
See Notes
In monitoring its operational risks, a firm should:
- (1) as appropriate, regularly report to the relevant level of management its operational exposures, loss experience (including if possible cumulative losses), and authorised deviations from the firm's operational risk policy;
- (2) engage in exception-based escalation to management of:
- 31/12/2004
Risk control
PRU 6.1.23
See Notes
A firm should control its operational risks, as appropriate, through activities for the avoidance, transfer, prevention or reduction of the likelihood of occurrence or potential impact of an operational exposure. This might include, but is not limited to, consideration of:
- (1) adjusting a firm's risk culture and creating appropriate incentives to facilitate the implementation of its risk control strategy (see SYSC 3A.6 People);
- (2) adapting internal processes and systems (see SYSC 3A.7 Processes and systems);
- (3) transferring or changing the operational exposure through mechanisms such as outsourcing (see SYSC 3A.9 Outsourcing) and insurance (see SYSC 3A.10 Insurance);
- (4) the active acceptance of a given operational risk within the firm's stated risk appetite or tolerance; and
- (5) providing for expected losses, and maintaining adequate financial resources against unexpected losses that may be encountered in the normal course of a firm's business activities.
- 31/12/2004
Record keeping
PRU 6.1.24
See Notes
The FSA's high level rules and guidance for record keeping are outlined in SYSC 3.2.20 R (Records). Additional rules and guidance in relation to the prudential context are set out in PRU 1.4.51 G to PRU 1.4.64 G (Record keeping). In complying with these rules and all associated guidance, a firm should retain an appropriate record of its operational risk management activities. This may, for example, include records of:
- (1) the results of risk identification, measurement, and monitoring activities;
- (2) actions taken to control identified risks;
- (3) where relevant, any exposure thresholds that have been set for identified operational risks;
- (4) an assessment of the effectiveness of the risk control tools that are used; and
- (5) actual exposures against stated risk appetite or tolerance.
- 31/12/2004