• PRU 6 OPERATIONAL RISK

    • Introduction

      • Guidance

        1. This Chapter includes the detailed Rules and associated guidance in respect of a firm's obligation to manage effectively its Exposures to Operational Risk. Operational Risk refers to the risk of incurring losses due to the failure of systems, processes, and personnel to perform expected tasks. Operational Risk losses also include losses arising out of legal risk. This Chapter aims to ensure that an Authorised Person has a robust Operational Risk management framework commensurate with the nature, scale and complexity of its operations and that it holds sufficient regulatory capital against Operational Risk Exposures.
        2. This Chapter requires an Authorised Person to:
        a. design and implement an effective Operational Risk management system complete with appropriate systems and controls;
        b. calculate the Operational Risk Capital Requirement and hold the same; and
        c. hold adequate professional indemnity insurance cover.
        3. This Chapter includes, among others, specific Operational Risk management requirements relating to IT systems, information security, outsourcing, business continuity and disaster recovery and the management of Operational Risks in trading rooms.
        4. App6 provides the detailed requirements, parameters, calculation methodologies and formulae for calculating the Operational Risk Capital Requirement specified in Chapter 6.

    • PRU 6.1 Application

      • PRU 6.1.1

        This Chapter applies to an Authorised Person as follows:

        (a) Sections 6.1 to 6.9 apply to an Authorised Person in any Category;
        (b) Sections 6.10 and 6.11 apply only to an Authorised Person in Category 1, 2, 3A or 5;
        (c) Section 6.12 applies only to an Authorised Person in Category 3B, 3C or 4 which undertakes one or more of the following Regulated Activities:
        (i) Arranging Credit;
        (ii) Arranging Deals in Investments;
        (iii) Managing Assets;
        (iv) Advising on Investments or Credit;
        (v) Managing a Collective Investment Fund;
        (vi) Providing Custody;
        (vii) Insurance Intermediation;
        (viii) Insurance Management;
        (ix) Managing a Profit Sharing Investment Account (unrestricted);
        (x) Providing Trust Services;
        (xi) Acting as the Administrator of a Collective Investment Fund;
        (xii) Acting as the Trustee of an Investment Trust;
        (xiii) Operating a Multilateral Trading Facility or Organised Trading Facility;
        (xiv) Providing Money Services; or
        (xv) Operating a Private Financing Platform.

        • Guidance

          The GEN rules contain Rules and Guidance in relation to Systems and Controls, some of which may relate to the management of Operational Risk. The Corporate Governance rules in the GEN rules set out overarching requirements in relation to Board responsibilities, including risk management. The Rules and Guidance in this Section seek to complement the aforementioned requirements, while providing for a framework to address matters which directly relate to Operational Risk management.

    • PRU 6.2 Risk management framework and governance

      • PRU 6.2.1

        (1) An Authorised Person must implement and maintain an Operational Risk policy which enables it to identify, assess, control and monitor Operational Risk.
        (2) The policy must be documented and provide for a sound and well-defined risk management framework to address the Authorised Person's Operational Risk.
        (3) An Authorised Person must:
        (a) ensure that its risk management systems enable it to implement the Operational Risk policy;
        (b) identify, assess, mitigate, control and monitor the risk; and
        (c) review and update the policy at intervals that are appropriate to the nature, scale and complexity of its activities.

      • PRU 6.2.2

        An Authorised Person must ensure that its Governing Body approves the Operational Risk policy in Rule 6.2.1.

        • Guidance

          1. Some of the key aspects that an Authorised Person should consider in its Operational Risk policy include:
          a. the governance structures used to manage Operational Risk, including reporting lines and accountabilities;
          b. risk assessment tools and how they are used;
          c. the Authorised Person's accepted Operational Risk appetite, permissible thresholds or tolerances for inherent and residual risk, and approved risk mitigation strategies and instruments;
          d. the Authorised Person's approach to establishing and monitoring thresholds or tolerances for inherent and residual risk Exposure;
          e. risk reporting and MIS; and
          f. appropriate independent review and assessment of the Authorised Person's Operational Risk framework.
          2. An Authorised Person's Operational Risk policy should, amongst other things, include consideration of the Principles for the Sound Management of Operational Risk issued by the BCBS, and of the Guidelines on the management of Operational Risk in market-related activities issued by the European Banking Authority, which are also useful in relation to activities other than banking.

        • Governing Body responsibilities

          1. The GEN rules contain Rules and Guidance regarding corporate governance requirements for Authorised Persons, including the responsibilities of an Authorised Person regarding risk management.
          2. In developing, implementing and maintaining an effective Operational Risk framework, an Authorised Person's Governing Body should:
          a. approve and review a risk appetite and tolerance for Operational Risk that articulates the nature, types and levels of Operational Risk that the Authorised Person is willing to assume;
          b. consider all relevant risks, the Authorised Person's level of risk appetite, its current financial condition and its strategic direction. The Governing Body should monitor management adherence to the risk appetite and tolerance and provide for timely detection and remediation of breaches;
          c. encourage a management culture, and develop supporting processes, which help to engender within the Authorised Person an understanding by relevant Employees of the nature and scope of the Operational Risk inherent in the Authorised Person's strategies and activities;
          d. provide senior management with clear guidance and direction regarding the principles underlying the Authorised Person's Operational Risk management framework and approve the corresponding policies developed by senior management;
          e. regularly review the Authorised Person's Operational Risk policy to ensure that the Authorised Person has identified and is managing the Operational Risk arising from external market changes and other environmental factors, as well as those Operational Risks associated with new strategies, products, activities, or systems, including changes in risk profiles and priorities (e.g. changing business volumes). Such review should also take into account the Operational Risk loss experience, the frequency, volume or nature of limit breaches, the quality of the control environment and the effectiveness of risk management or mitigation strategies;
          f. ensure that the Authorised Person's Operational Risk policy and framework is subject to effective independent review by audit or other appropriately-trained Persons;
          g. ensure that management is incorporating industry best practice in managing Operational Risk; and
          h. establish clear lines of management responsibility and accountability for implementing a strong control environment. The control environment should provide appropriate independence/separation of duties between Operational Risk control functions, business lines and support functions.

        • Senior Management Responsibilities

          1. The GEN rules contain Rules and Guidance regarding senior management arrangements for Authorised Persons.
          2. In relation to establishing and maintaining a robust Operational Risk framework, an Authorised Person's senior management should:
          a. translate the Operational Risk management framework established by the Governing Body into specific policies and procedures that can be implemented and verified within the different business units;
          b. clearly assign authority, responsibility and reporting relationships to encourage and maintain accountability, and to ensure that the necessary resources are available to manage Operational Risk in line with the Authorised Person's risk appetite and tolerance; and
          c. ensure that the management oversight process is appropriate for the risks inherent in a business unit's activity.

    • PRU 6.3 Risk identification and assessment

      • PRU 6.3.1

        An Authorised Person must:

        (a) ensure that it identifies and assesses the Operational Risks inherent in all the Authorised Person's products, activities, processes and systems;
        (b) ensure the inherent risks in (a) are understood by relevant Employees of the Authorised Person;
        (c) systematically track Operational Risk events and any financial impact associated with such events; and
        (d) ensure that the tracking in (c) is consistent with the Operational Risk event types described in the Basel III framework.

        • Guidance

          1. An Authorised Person should record all Operational Risk events, including near misses and events which result in a positive financial outcome.
          2. These Rules complement related Rules in the GEN rules relating to risk management systems and controls. For example, GEN requires an Authorised Person to appoint an individual to advise its Governing Body and senior management as to risks.

      • PRU 6.3.2

        An Authorised Person must ensure that its Operational Risk policy in Rule 6.2.1:

        (a) includes an approval process for all new products, activities, processes and systems; and
        (b) incorporates the requirement in Rule 6.3.1(a).

        • Guidance

          1. An Authorised Person should have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should include consideration of:
          a. inherent risks in any new product, service, or activity;
          b. resulting changes to the Authorised Person's Operational Risk profile, appetite and tolerance, including changes to the risk of existing products or activities;
          c. necessary controls, risk management processes, and risk mitigation strategies;
          d. residual risk;
          e. changes to relevant risk limits;
          f. procedures and metrics to measure, monitor, and manage the risk of the new product or activity; and
          g. appropriate investment in human resources and technology infrastructure.
          2. Tools that an Authorised Person may employ for identifying and assessing Operational Risk include:
          a. internal loss data collection and analysis;
          b. external data collection and analysis;
          c. risk assessments;
          d. business process mapping;
          e. risk and performance indicators; and
          f. scenario analysis.

    • PRU 6.4 Risk monitoring and reporting

      • PRU 6.4.1

        An Authorised Person must:

        (a) regularly monitor material Exposures to Operational Risk losses;
        (b) ensure that appropriate reporting mechanisms are in place at its Governing Body, senior management, and business line levels to support effective management of the Authorised Person's Operational Risk; and
        (c) immediately notify the Regulator of any material Operational Risk event including notification of any resulting financial impact, positive or negative, associated with such event.

        • Guidance

          1. The GEN rules require an Authorised Person or Recognised Body to establish and maintain arrangements to provide its Governing Body and senior management with the information necessary to organise and control its activities, to comply with legislation applicable in the ADGM and to manage risks.
          2. Rule 6.4.1 is intended to complement GEN and requires Authorised Persons to establish and maintain reporting mechanisms specifically addressing the Operational Risk matters.
          3. The frequency of internal reporting of Operational Risks required by Rule 6.4.1(b) should reflect the risks involved and the pace and nature of changes in the Authorised Person's operating environment.
          4. The following lists some of the items that an Authorised Person should consider including in its internal reporting of Operational Risks:
          a. the results of monitoring activities;
          b. assessments of the Operational Risk framework performed by control functions such as internal audit, compliance, risk management and/or external audit;
          c. reports generated by (and/or for) supervisory authorities;
          d. material breaches of the Authorised Person's risk appetite and tolerance with respect to Operational Risk;
          e. details of recent significant internal Operational Risk events and losses, including near misses or events that resulted in a positive return; and
          f. relevant external events and any potential impact on the Authorised Person and its Operational Risk framework, including Operational Risk capital.

    • PRU 6.5 Control and mitigation

      • Guidance

        1. The GEN rules require an Authorised Person or Recognised Body to establish and maintain systems and controls, including but not limited to financial and risk systems and controls that ensure that its affairs are managed effectively and responsibly by its senior management.
        2. In complying with the GEN rules, an Authorised Person should establish and maintain a strong control environment that uses policies, processes and systems, appropriate internal controls and appropriate risk mitigation and/or transfer strategies.
        3. In establishing systems and controls to address Operational Risk an Authorised Person should consider the following:
        a. clear segregation of duties and dual control;
        b. clearly established authorities and/or processes for approval;
        c. close monitoring of adherence to assigned risk limits or thresholds;
        d. safeguards for access to, and use of, the Authorised Person's assets and records;
        e. appropriate staffing level and training to maintain expertise;
        f. ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations; and
        g. regular verification and reconciliation of transactions and accounts.

    • PRU 6.6 Information Technology (IT) systems

      • PRU 6.6.1

        An Authorised Person must establish and maintain:

        (a) appropriate information technology policies and processes to identify, assess, monitor and manage technology risks; and
        (b) appropriate and sound information technology infrastructure to meet its current and projected business requirements, under normal circumstances and in periods of stress, which ensures data and system integrity, security and availability and supports integrated and comprehensive risk management.

      • Guidance

        1. IT systems include the computer systems and information technology infrastructure required for the automation of processes and systems, such as application software, operating system software, network infrastructure, and desktop, server and mainframe hardware.
        2. An Authorised Person should consider the following in establishing its systems and controls for the management of IT system risks:
        a. governance and oversight controls that ensure technology, including outsourcing arrangements, is aligned with and supportive of the Authorised Person's business objectives;
        b. an Authorised Person's organisation and reporting structure for technology operations, including adequacy of senior management oversight; and
        c. the appropriateness of the systems acquisition, development and maintenance activities, including the allocation of responsibilities between IT development and operational areas.

    • PRU 6.7 Information security

      • PRU 6.7.1

        An Authorised Person must establish and maintain appropriate systems and controls to manage its information security risk.

        • Guidance

          In establishing its systems and controls to address information security risks, an Authorised Person should have regard to:

          a. confidentiality: information should be accessible only to Persons or systems with appropriate authority, which may require firewalls within a system, as well as entry restrictions;
          b. the risk of loss or theft of customer data;
          c. integrity: safeguarding the accuracy and completeness of information and its processing;
          d. non-repudiation and accountability: ensuring that the Person or system that processed the information cannot deny their actions; and
          e. internal security: including premises security, staff vetting, access rights and portable media, staff internet and email access, encryption, safe disposal of customer data, and training and awareness.

    • PRU 6.8 Outsourcing

      • PRU 6.8.1

        An Authorised Person must establish and maintain appropriate systems and controls to manage its outsourcing risk.

        • Guidance

          1. The GEN rules set out the Regulator requirements on outsourcing by Authorised Persons. This Section complements the requirements in the GEN rules and contains guidance on managing the Operational Risk associated with outsourcing arrangements.
          2. The assessment of outsourcing risk at an Authorised Person may depend on several factors, including the scope and materiality of the outsourced activity, how well the Authorised Person manages, monitors and controls outsourcing risk (including its general management of Operational Risk), and how well the service provider manages and controls the potential risks of the operation.
          3. Factors that an Authorised Person should consider in establishing outsourcing arrangements include the following:
          a. the financial, reputational and operational impact on the Authorised Person of the failure of a service provider to perform adequately the activity;
          b. potential losses to an Authorised Person's customers and counterparts in the event of a service provider failure;
          c. the consequences of outsourcing the activity on the ability and capacity of the Authorised Person to conform with regulatory requirements and changes in such requirements;
          d. the interrelationship of the outsourced activity with other activities within the Authorised Person;
          e. the cost associated with the outsourcing;
          f. any affiliation or other relationship between the Authorised Person and the service provider;
          g. the regulatory status of the service provider;
          h. the degree of difficulty and time required to select an alternative service provider or to bring the business activity in-house, if necessary;
          i. the complexity of the outsourcing arrangement. For example, the ability to control the risks where more than one service provider collaborates to deliver an end-to-end outsourcing solution; and
          j. any data protection, security and other risks which may be adversely affected by the geographical location of an outsourcing service provider. To this end, specific risk management expertise in assessing country risk related, for example, to political or legal conditions, could be required when entering into and managing outsourcing arrangements that are taken outside of the home country.

    • PRU 6.9 Business continuity and disaster recovery

      • Guidance

        See GEN regarding requirements relating to an Authorised Person's business continuity and disaster recovery arrangements.

    • PRU 6.10 Management of Operational Risks in trading activities

      • Guidance

        This Section complements the Rules and Guidance set out in other sections of this Chapter with more specific guidance for the identification, assessment, control and monitoring of Operational Risks in trading activities. In this Guidance, reference to "trading activities" should be construed in its natural sense in the context of Regulated Activities and should include an Authorised Person's activities in Dealing in Investments as Principal and Dealing in Investments as Agent. In addressing the Operational Risks arising from trading activities, an Authorised Person should consider the following:

        a. staff members in support and control functions, comprising functions such as operations, settlement, finance, risk management, legal, compliance, internal and external audit, should have adequate representation and authority within the Authorised Person's overall governance framework so as to be able to effectively challenge the activities undertaken by the front office;
        b. Operational Risk management systems should set criteria, indicators and thresholds enabling the identification of material incidents detected by internal control procedures. This should include tracking of Operational Risk losses in trading activities and analysis of those losses for possible interconnections (i.e. losses based on one event or root cause);
        c. high professional standards and a sound risk culture should be promoted within the Authorised Person, particularly in the front office, in a way that supports professional and responsible behaviour. This should include, but is not limited to, developing and implementing appropriate policies and procedures, setting standards (often in the form of a "code of conduct") for relations between traders and their counterparts, and training procedures;
        d. there should be adequate segregation of duties between front office and the support and controls functions in charge of supporting, verifying and monitoring trade transactions;
        e. appropriate policies and procedures relating to leave requirements and staff movements should be developed, implemented and regularly monitored; in particular:
        i. procedures establishing a minimum absence requirement of at least two consecutive weeks' leave for traders (via a vacation, "desk holiday" or other absence from the office or trading) so that traders are physically unable to mark or value their own books, this responsibility being carried out by a different Person during those periods; and
        ii. Employees changing job positions between front, middle and back offices or IT should be properly tracked;
        f. terms of reference describing the activity of each trader or group of traders should be established. Adherence to these terms should be subject to monitoring by support and control functions;
        g. documentation requirements for trading activities should be properly defined so as to minimise legal uncertainties in enforceability of contracts with clients and Counterparties. This should include consideration of using contracts that are standardised as far as possible, particularly in OTC transactions;
        h. all trading positions, profits and losses, cash flows and calculations associated with a transaction should be clearly recorded in the Authorised Person's management information systems with a documented audit trail. The audit trail should allow for the tracing of cash flows at a sufficiently granular level (e.g. traders, books, products and portfolios);
        i. appropriate procedures for confirmation of the terms and conditions of transactions with external Counterparties/clients should be established;
        j. appropriate processes and procedures should be implemented for the settlement of transactions. This should include consideration of the following elements:
        i. the authorisation of inputs by the back office;
        ii. payment/settlements carried out against independent documents;
        iii. reconciliation between front office and back office systems; and
        iv. reconciliation procedures independent of the processing functions;
        k. controls should include daily reconciliation of positions and cash flows across various internal systems and external parties. The reconciliations should include all events attached to the transactions including amendments, cancellation, exercises, resets and expiries;
        l. procedures and processes should be established to ensure accurate and timely monitoring and follow up of margin or Collateral calls;
        m. profit attribution is a key control for understanding the risk in a trading operation and therefore the control and support functions should have a good understanding of the various aspects that lead to P&L generation, particularly in relation to more complex products. Major implausibilities discovered within the P&L in the context of the trading mandate and market developments should be further analysed to see if they are caused by Operational Risk events; and
        n. control procedures should be established to monitor and escalate unusual transactions, anomalies in confirmation and reconciliation processes, errors in recording, processing and settling transactions, along with cancellations, amendments, late trades and off-market rates.
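        The daily reconciliation described in items (h), (j), (k) and (n) above is often implemented as a snapshot comparison of two position reports, which silently passes when an amendment or cancellation has reached only one system. The following Python script is an added example, not part of this Chapter and not any firm's or the Regulator's code: it replays the full event history (new, amend, cancel) of each system independently, then compares the resulting live trades and net positions per book and product and reports every break, including processing anomalies such as a cancellation of a trade that was never booked. All trade records, identifiers, books and products below are constructed sample data.

```python
"""Added example: event-replay reconciliation of front-office (FO) and
back-office (BO) trade records. Not the Regulator's or any firm's code.
All trade events below are constructed sample data."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Trade:
    """Live state of one trade after all its events have been applied."""
    qty: int
    price: float
    book: str
    product: str


# Constructed sample event logs. Each row is
# (trade_id, event_type, qty, price, book, product), in booking order.
FRONT_OFFICE = [
    ("T1", "new", 100, 50.0, "BOOK-A", "XYZ"),
    ("T2", "new", 200, 20.0, "BOOK-A", "ABC"),
    ("T2", "amend", 250, 20.0, "BOOK-A", "ABC"),
    ("T3", "new", 10, 99.0, "BOOK-B", "XYZ"),
    ("T3", "cancel", 0, 0.0, "BOOK-B", "XYZ"),
    ("T4", "new", 5, 101.0, "BOOK-B", "XYZ"),  # booked in FO only
]
BACK_OFFICE = [
    ("T1", "new", 100, 50.0, "BOOK-A", "XYZ"),
    ("T2", "new", 200, 20.0, "BOOK-A", "ABC"),  # T2 amendment never reached BO
    ("T3", "new", 10, 99.0, "BOOK-B", "XYZ"),   # T3 cancellation never reached BO
]


def replay(events):
    """Apply new/amend/cancel events in sequence.

    Returns (live_trades, anomalies): live_trades maps trade_id -> Trade for
    trades still open; anomalies lists events that could not be applied
    (duplicate bookings, amendments or cancels of unknown trades), which
    item (n) above asks to be monitored and escalated.
    """
    live = {}
    anomalies = []
    for trade_id, kind, qty, price, book, product in events:
        if kind == "new":
            if trade_id in live:
                anomalies.append(f"{trade_id}: duplicate booking")
                continue
            live[trade_id] = Trade(qty, price, book, product)
        elif kind == "amend":
            if trade_id not in live:
                anomalies.append(f"{trade_id}: amendment of unknown or cancelled trade")
                continue
            live[trade_id] = Trade(qty, price, book, product)
        elif kind == "cancel":
            if live.pop(trade_id, None) is None:
                anomalies.append(f"{trade_id}: cancellation of unknown or cancelled trade")
        else:
            raise ValueError(f"unknown event type {kind!r} for {trade_id}")
    return live, anomalies


def net_positions(live):
    """Aggregate live trade quantities per (book, product)."""
    pos = defaultdict(int)
    for t in live.values():
        pos[(t.book, t.product)] += t.qty
    return dict(pos)


def reconcile(fo_events, bo_events):
    """Replay both systems and return (trade_breaks, position_breaks).

    trade_breaks: human-readable list covering replay anomalies, trades live
    in one system only, and trades whose terms differ between systems.
    position_breaks: {(book, product): (fo_qty, bo_qty)} where the two
    systems' net positions disagree.
    """
    fo, fo_anom = replay(fo_events)
    bo, bo_anom = replay(bo_events)
    breaks = [f"FO {a}" for a in fo_anom] + [f"BO {a}" for a in bo_anom]
    for tid in sorted(set(fo) | set(bo)):
        if tid not in bo:
            breaks.append(f"{tid}: live in front office only")
        elif tid not in fo:
            breaks.append(f"{tid}: live in back office only")
        elif fo[tid] != bo[tid]:
            breaks.append(f"{tid}: mismatch FO={fo[tid]} BO={bo[tid]}")
    fo_pos, bo_pos = net_positions(fo), net_positions(bo)
    position_breaks = {
        key: (fo_pos.get(key, 0), bo_pos.get(key, 0))
        for key in set(fo_pos) | set(bo_pos)
        if fo_pos.get(key, 0) != bo_pos.get(key, 0)
    }
    return breaks, position_breaks


if __name__ == "__main__":
    trade_breaks, position_breaks = reconcile(FRONT_OFFICE, BACK_OFFICE)
    for line in trade_breaks:
        print("BREAK", line)
    for (book, product), (fo_qty, bo_qty) in sorted(position_breaks.items()):
        print(f"POSITION {book}/{product}: FO={fo_qty} BO={bo_qty}")
```

        On the sample data the replay surfaces all three discrepancies (the unapplied amendment on T2, the unapplied cancellation on T3, and T4 booked in the front office only) and the resulting net position differences on BOOK-A/ABC and BOOK-B/XYZ. A plain comparison of the two "new" rows for T2 and T3 would have reported them as matched, which is why the reconciliation should be driven from the event history rather than from end-of-day snapshots alone.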

    • PRU 6.11 Operational Risk Capital Requirement

      • PRU 6.11.1

        This Section applies to an Authorised Person in Category 1, 2, 3A or 5.

      • PRU 6.11.2

        (1) An Authorised Person must, subject to (2), use the Basic Indicator Approach as prescribed in App6 to calculate its Operational Risk Capital Requirement.
        (2) An Authorised Person may, with the written approval of the Regulator, use the Standardised Approach or the Alternative Standardised Approach, both as prescribed in App6, to calculate its Operational Risk Capital Requirement if the Regulator is satisfied that:
        (a) its Governing Body and senior management, as appropriate, are actively involved in the oversight of its Operational Risk framework;
        (b) it has, in accordance with the requirements set out in this Chapter, implemented and maintains an Operational Risk policy which provides for a sound and well-defined risk management framework to address the Authorised Person's Operational Risk; and
        (c) it has dedicated sufficient resources in the use of the relevant approach in its major business lines and its control and audit functions.

      • PRU 6.11.3

        An Authorised Person seeking to apply the Standardised Approach or the Alternative Standardised Approach must develop specific policies and have documented criteria for mapping gross income for current business lines and activities into the Standardised Approach or the Alternative Standardised Approach, as prescribed in App6. The criteria must be reviewed and adjusted for new or changing business activities as appropriate.

      • PRU 6.11.4

        Once an Authorised Person has obtained from the Regulator its written approval to apply the Standardised Approach or the Alternative Standardised Approach, the Authorised Person must not revert to the Basic Indicator Approach without prior written approval of the Regulator.

      • PRU 6.11.5

        (1) The Regulator may at any time by written notice require an Authorised Person to adopt a specified approach to calculating its Operational Risk Capital Requirement where the Regulator considers that this is:
        (a) appropriate given the nature, size, complexity and risk profile of the Authorised Person's business; or
        (b) necessary in the prevailing economic circumstances and it is in the interests of the ADGM.
        (2) An Authorised Person must comply with a requirement made under (1).

    • PRU 6.12 Professional indemnity insurance

      • PRU 6.12.1

        This Section applies to an Authorised Person in Category 3B, 3C or 4 which undertakes one or more of the Regulated Activities prescribed in Rule 6.1.1(c).

      • PRU 6.12.2

        An Authorised Person must:

        (a) take out and maintain professional indemnity insurance cover appropriate to the nature, size, complexity and risk profile of the Authorised Person's business;
        (b) at least annually, provide the Regulator with a copy of the professional indemnity insurance cover in (a) covering the following 12 month period; and
        (c) notify the Regulator of any material changes to the cover in (a), including the level of cover, its renewal or termination.

        • Guidance

          1. In complying with Rule 6.12.2, an Authorised Person should take out and maintain a contract for professional indemnity insurance (PII) from a reputable and well-capitalised Insurer and such contract should include cover in respect of claims for which the Authorised Person may be liable as a result of the conduct of itself and its Employees and appropriate cover in respect of legal costs arising from a claim.
          2. Pursuant to Rule 6.4.1(c), an Authorised Person should notify the Regulator of any significant PII claim made. What amounts to a significant claim will depend on the nature, size and complexity of the Authorised Person, and the Regulator would expect the Authorised Person to treat a series of small single claims which are significant in aggregate as significant for the purposes of Rule 6.4.1(c).
          3. An Authorised Person can fulfil the requirements under this Section by ensuring coverage of its activities under a group-wide PII policy, provided that policy covers the Authorised Person and its activities and that policy meets the conditions specified in this Section. Where the Authorised Person's group PII cover does not meet the requirements specified under this Section, the Authorised Person will be required to obtain PII cover that meets those requirements.