Title of the PPR: Operational And Compliance Risk Management Policy
Board of Directors
13 June 2007
Current Document: The Board of Directors’ Decision No. BD2007-04-04, dated 13 June 2007
Amended Document: Necessary amendments related to Internal Audit Charter approved by the Board of Directors Decision No. BD2008-13-01, dated 6 August 2008
OPERATIONAL AND COMPLIANCE RISK MANAGEMENT POLICY
This Policy aims to establish a general framework for the compliance and operational risk management functions of the ECO Trade and Development Bank (the Bank).
Compliance risk is defined as the risk of legal sanctions, material financial loss, or loss to reputation the Bank may suffer as a result of its failure to comply with laws, its own regulations, code of conduct, and standards of best/good practice.
Compliance risk is sometimes also referred to as integrity risk, because a Bank’s reputation is closely connected with its adherence to principles of integrity and fair dealing.
As per the Basel Committee on Banking Supervision “The compliance function should have a formal status within the bank to give it the appropriate standing, authority and independence. This may be set out in the bank’s compliance policy or in any other formal document. The document should be communicated to all staff throughout the bank.”
Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. The definition includes legal risk but excludes strategic and reputational risk.
Operational risk can be created by a wide range of external events, ranging from power failures to floods, earthquakes or terrorist attacks. Similarly, operational risk can arise from internal events, such as failures or inadequacies in any of the Bank’s processes and systems (e.g. its IT, risk management or human resources management processes and systems), or in those of its outsourced service providers. Operational risk arising from human resources management may refer to a range of issues such as mismanaged or poorly trained employees; the potential for employee negligence or willful misconduct; conflicts of interest; fraud; and so on. Therefore, the emergence of mistrust, failure to communicate, low morale and cynicism among staff members, as well as increased staff turnover, should be regarded as indicative of a potential increase in operational risk.
Outsourcing arrangements require careful management if they are to yield benefits; where they are not managed adequately, the degree of operational risk faced by the Bank may increase, as is also the case with excessive use of and dependency upon consultants for activities that could be developed more effectively internally. A particular concern is the loss of control over processes, which could pose a serious threat to the continuity of the Bank’s operations if these providers were to fail.
Establishment of the Compliance and Operational Risk Management Functions
The Bank gives paramount importance to identifying, measuring and mitigating risks inherent in its activity. To this end, the Financial Policies of the Bank place high importance on a Comprehensive Risk Management system.
Status of the Internal Audit & Compliance Department – Reporting Relationships
The Internal Audit & Compliance Department is a unit independent of the business activities of the Bank. However, a co-operative working relationship between Internal Audit & Compliance Department and other departments shall be established to identify and manage compliance and operational risks at an early stage.
The Internal Audit & Compliance Department reports directly and functionally to the Audit Committee, and administratively to the President, on the Bank’s compliance and operational risk management efforts.
Representatives from each of the Bank’s Divisions and operating units, appointed by the respective Directors or Heads of Departments with the approval of the respective supervising member of the Management Committee, shall, at the request of the Head of the Internal Audit & Compliance Department, assist him from time to time in carrying out his responsibilities in their areas of expertise.
Specific tasks of the Internal Audit & Compliance Department requiring technical skills not available within the Bank, or of a confidential nature, may be outsourced in conformity with the Bank’s applicable rules and regulations, provided that the outsourcing arrangement is overseen by the Head of the Internal Audit & Compliance Department.
Role of the Internal Audit & Compliance Department
The Internal Audit & Compliance Department performs two sets of activities/functions:
a. Assists the Management Committee in managing effectively the compliance risks faced by the Bank. To this end, it identifies, assesses, advises on, monitors and reports accordingly on the Bank’s compliance risk;
b. Assists the Bank in managing the operational risk. The office shall identify, assess, monitor and control/mitigate the operational risk inherent in all material products, activities, processes and systems.
Authority granted to the Internal Audit & Compliance Department
The Head of the Internal Audit & Compliance Department has direct authority to exert control over the entire compliance and operational risk management process performed by the Office, from program design to enforcement.
Under the guidance of the Audit Committee and/or the President, the Head of the Internal Audit & Compliance Department has the right to i) conduct special investigations in relation to the Office’s responsibilities, ii) request contributions to such investigations from other units of the Bank, according to their expertise, and iii) appoint outside experts, if appropriate.
On every compliance and operational risk management assignment, the accountable management is expected to grant the Internal Audit & Compliance Department staff an unrestricted right of access: on its own initiative, the Department may communicate with any staff member and obtain access to any records or files necessary to carry out its responsibilities.
Documents and information given to the Internal Audit & Compliance Department’s staff members are handled in the same prudent manner as by the employees normally accountable for them.
The related Departments and Vice Presidents are responsible for controls and risks and for action to correct deficiencies in systems of control.
a. Compliance Risk Management function main responsibilities
• On a pro-active basis, to identify, document and assess the compliance risks associated with the Bank’s business activities, including the development of new products and business practices, the proposed establishment of new types of business or customer relationships, or material changes in the nature of such relationships;
• To assist and advise all committees on operations-related integrity and reputational issues, including, among others, checks on borrowing clients, project sponsors and other partners, upon request;
• Under the guidance of the President, the Head of the Internal Audit & Compliance Department shall lead and co-ordinate investigations into alleged unsatisfactory conduct or misconduct of Bank employees or consultants, and, where appropriate, recommend disciplinary or corrective action;
• To deal with, lead and co-ordinate investigations into issues of conflict of interest (of the Bank, its staff, etc.), cases of alleged corruption, money laundering and terrorist financing, and complaints received with regard to Bank-financed operations;
• To consider ways to measure compliance risk and use such measurements to enhance compliance risk assessment;
• To assess the appropriateness and consistency of the Bank’s regulatory framework (statutory documents, policies, strategies, guidelines, rules, regulations and procedures in force) related to compliance issues, promptly following up any identified deficiencies in the policies and procedures and, where necessary, formulating proposals for amendments;
• To ascertain compliance with the provisions of the Bank’s Code of Conduct, to review and propose amendments to the Bank’s Code of Conduct and other policies and procedures, as necessary, to reflect ethical standards in all areas;
• The responsibilities of the compliance function shall be carried out under a risk-based annual compliance program that sets out its planned activities, subject to oversight by the head of compliance to ensure appropriate coverage and co-ordination among risk management functions;
• To report on a regular basis to the Audit Committee and the President of the Bank. The reports shall refer to the compliance risk assessment and testing carried out during the reporting period, any identified breaches and/or deficiencies, the corrective action taken, and any compliance matters that should be brought to their attention for information or action purposes, and shall contain information about compliance training provided to the compliance function and other Bank staff.
Compliance responsibilities carried out by staff in different units are allocated among the units according to their expertise. Close co-operation will be established between the Internal Audit & Compliance Department and such units with respect to the provision and exchange of relevant advice and information and the cumulative reporting of compliance risks.
b. Operational Risk Management function main responsibilities
• To review the Bank’s policies and procedures and place operational risk within the Bank’s overall risk management and strategic framework, thereby enhancing and promoting the Bank’s risk and control awareness culture.
• To implement and maintain the Bank’s operational risk monitoring and control system, including the regular monitoring of operational risk profiles and material exposures to losses, and to detect deficiencies in the related policies, procedures and processes and propose their correction. To report regularly pertinent information, including recommendations made, to the President of the Bank and the Board of Directors in support of the proactive management of operational risk.
• To quantify operational risk for the Bank’s activities as necessary, according to best standards and practices utilizing internationally accepted methodologies.
• To advise all staff members on operational risk matters and facilitate reporting of relevant risk information up, down and across the Bank by framing accountability and authority for operational risk management in the business units.
• To deal with, lead and co-ordinate investigations into cases of internal and external fraud;
• To participate in the new products approval process, in order to identify and assess the operational risk related to each new product, activity, process and system, or their amended versions, to be introduced or undertaken, and present operational risk mitigation proposals.
Relationship with other risk management functions
Every effort will be made to enable communication and co-ordination between the compliance and operational risk management functions and the credit risk management and Assets & Liabilities Management functions on issues of compliance and operational risk management, with the aim of ensuring appropriate coverage of these areas and avoiding overlap of tasks or responsibilities.