{"id":567,"date":"2019-06-26T12:36:00","date_gmt":"2019-06-26T12:36:00","guid":{"rendered":"https:\/\/analystprep.com\/study-notes\/?p=567"},"modified":"2026-01-20T14:59:23","modified_gmt":"2026-01-20T14:59:23","slug":"principles-for-the-sound-management-of-operational-risk","status":"publish","type":"post","link":"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/","title":{"rendered":"Principles for the Sound Management of Operational Risk"},"content":{"rendered":"<p><strong>After completing this reading you should be able to:<\/strong><\/p>\n<ul>\n<li>Describe the three \u201clines of defense\u201d in the Basel model for 
operational risk governance.<\/li>\n<li>Summarize the fundamental principles of operational risk management as suggested by the Basel Committee.<\/li>\n<li>Explain guidelines for strong governance of operational risk and evaluate the role of the board of directors and senior management in implementing an effective operational risk framework.<\/li>\n<li>Describe tools and processes that can be used to identify and assess operational risk.<\/li>\n<li>Describe features of an effective control environment and identify specific controls that should be in place to address operational risk.<\/li>\n<li>Explain the Basel Committee\u2019s suggestions for managing technology risk and outsourcing risk.<\/li>\n<\/ul>\n<h2>The three \u201cLines of Defense\u201d in the Basel Model for Operational Risk Governance<\/h2>\n<p>The\u00a0Basel\u00a0Committee\u00a0defines\u00a0<strong>operational risk<\/strong>\u00a0as \u201cthe\u00a0risk\u00a0of loss resulting from inadequate or failed internal processes, people and systems or from external events.\u201d It includes <strong>legal\u00a0risk<\/strong>\u00a0but excludes <strong>strategic<\/strong> and <strong>reputational\u00a0risk<\/strong>.<\/p>\n<p>Many programs that manage risks in banks take effective management of operational risk as a fundamental element that is inherent in all banking products, systems, activities, and processes. Therefore, sound operational risk management reflects the effectiveness of the board and senior management in the administration of portfolio products, activities, processes, and systems.<\/p>\n<p>Firms often employ 3 lines of defense to be able to control operational risks:<\/p>\n<h3>First Line of Defense: Business\u00a0Line Management<\/h3>\n<p>In modern banking, banks have established several business lines that work with some level of independence, but they all work towards the attainment of a set of institution-wide goals. 
Each business line is faced with its own set of operational risks and is responsible and accountable for assessing, controlling, and mitigating these risks.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"711\" class=\"aligncenter size-full wp-image-8979\" style=\"max-width: 100%;\" src=\"https:\/\/cdn.analystprep.com\/study-notes\/wp-content\/uploads\/2019\/06\/11065947\/page-5.jpg\" alt=\"JPMorgan Chase Business Lines\" \/><\/p>\n<h3>Second Line of Defense: An Independent Corporate Operational Risk Management Function<\/h3>\n<p>This is a functionally independent corporate operational risk function (CORF) that is involved in policy setting and provides assurance over first-line activities. The CORF generally complements the operational risk management activities of individual business lines.<\/p>\n<p>Responsibilities of the CORF may include:<\/p>\n<ul>\n<li>Measuring the\u00a0operational risks;<\/li>\n<li>Establishing the\u00a0reporting processes for operational risks;<\/li>\n<li>Establishing the risk committees to measure and monitor operational risks; and<\/li>\n<li>Reporting operational risk issues to the Board of Directors.<\/li>\n<\/ul>\n<p>Although the CORF enjoys some level of independence in all banks, the actual degree of independence differs among banks. In small banks, the CORF often achieves independence through the separation of duties and independent review of processes and functions. In larger banks, the CORF enjoys a reporting structure that\u2019s independent of the risk-generating business lines. The CORF has the mandate to design, maintain, and continually develop the operational risk framework within the bank. A key function of the CORF is to challenge the business lines\u2019 risk management activities so as to ensure that all decisions and actions taken align with the bank\u2019s risk measurement and reporting framework. 
To ensure that the CORF is effective in its work, it should have a sufficient number of personnel skilled in the management of operational risk.<\/p>\n<h3>Third Line of Defense: Independent Review\/Audit<\/h3>\n<p>The third line of defense consists of the bank\u2019s audit function, which performs independent oversight of the first two lines. No one involved in the auditing process may be a participant in the process under review.<\/p>\n<p>The review can also be conducted by an external party. The independent review team usually reports directly to the Audit Committee (a committee made up of members of the board of directors) on matters of internal control, compliance, and governance.<\/p>\n<h2>The Fundamental Principles of Operational Risk Management as Suggested by the Basel Committee<\/h2>\n<p>The Basel Committee requires banks to have a proactive operational risk management framework where the Board of Directors, senior managers, business line managers, and employees all play a role. The committee has suggested 11 fundamental principles that should form the bedrock of operational risk management across banks:<\/p>\n<p><strong><em>Principle 1 &#8211; The bank should maintain a strong risk management culture spearheaded by the bank\u2019s board of directors and senior managers. The bank should strive to propagate a culture of operational risk resilience where every individual understands the need to manage risk.<\/em><\/strong><\/p>\n<p>The board of directors and senior management play a starring role in any operational risk management framework.<\/p>\n<p>With respect to Principle 1, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Provide a sound foundation for a strong risk management culture within the bank. With a strong culture of risk management and ethical business practices, the bank is less likely to experience potentially damaging operational risk events. 
If the bank ends up experiencing such an event, it would be better placed to deal effectively with the outcome.<\/li>\n<li>Establish a code of conduct (or ethics policy) for all employees that outlines expectations for ethical behavior. The code of conduct should identify acceptable business practices and prohibited conflicts.<\/li>\n<li>Provide risk training throughout all levels of the bank. Training should take into account the level of seniority, roles, and responsibilities of the trainee.<\/li>\n<\/ul>\n<p><strong><em>Principle 2 &#8211; The operational risk framework must be developed and fully integrated into the overall risk management processes of the bank.<\/em><\/strong><\/p>\n<p>With respect to Principle 2, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Have a thorough understanding of both the nature and complexity of the risks inherent in the products, lines of business, processes, and systems in the bank. Only then can they be able to craft and approve appropriate risk management measures that are effective against the various risks.<\/li>\n<li>Ensure that the Framework is fully integrated with the bank\u2019s overall risk management plan across all levels of the firm including those at the group and business line levels, as well as into new business initiatives\u2019 products, activities, processes, and systems.<\/li>\n<\/ul>\n<p><strong><em>Principle 3 &#8211; The board of directors has the mandate to establish, approve, and periodically review the operational risk management framework. 
The board should oversee senior management to ensure that the policies, processes, and systems are implemented effectively at all decision levels.<\/em><\/strong><\/p>\n<p>With respect to Principle 3, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Establish a culture and processes that help everyone \u2013 including board members, managers, and employees \u2013 understand the nature and scope of operational risks.<\/li>\n<li>Regularly review the Framework to ensure that it takes into account emerging\/evolving risks.<\/li>\n<li>Provide senior management with guidance regarding operational risk management and approve policies developed by senior management aimed at managing operational risk.<\/li>\n<li>Ensure that the Framework is subject to independent review by sufficiently skilled personnel.<\/li>\n<li>Ensure that management follows the evolution of best practices and avails itself of these changes.<\/li>\n<li>Establish strong internal controls marked by a clear designation of roles and responsibilities.<\/li>\n<\/ul>\n<p><strong><em>Principle 4 &#8211; The board must identify the types and levels of operational risks the bank is willing to assume as well as approve risk appetite and risk tolerance statements. These statements should be worded in a clear manner to ensure fast and efficient implementation.<\/em><\/strong><\/p>\n<p>With respect to Principle 4, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Ensure that they consider all risks when approving the bank\u2019s risk appetite and tolerance statements, which provide details on risk limits and thresholds. They should also consider the bank&#8217;s strategic direction.<\/li>\n<li>Regularly review the appropriateness of the bank\u2019s risk appetite and tolerance statements. 
During the review process, some of the factors that should be considered include changes in the external environment, changes in business or activity volumes, the effectiveness of risk management or mitigation strategies, loss experience, and the frequency, volume, or nature of limit breaches.<\/li>\n<\/ul>\n<p><strong><em>Principle 5 &#8211; Consistent with the bank\u2019s risk appetite and risk tolerance, senior management must develop a well-defined governance structure within the bank. The governance structure is subject to approval by the board of directors.<\/em><\/strong><\/p>\n<p>With respect to Principle 5, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Establish and maintain robust challenge mechanisms and effective dispute resolution processes. There should be guidelines that dictate tracking and reporting of issues and when necessary, establish to whom an issue can be escalated to ensure resolution.<\/li>\n<li>Translate the Framework approved by the board into specific policies and procedures that can be adopted by specific business lines.<\/li>\n<li>Ensure that there\u2019s proper communication between the operational risk management team and other teams tasked with keeping an eye on other risks such as credit risk and market risks.<\/li>\n<li>Ensure that managers of the CORF have sufficient stature within the bank commensurate with other risk management functions such as credit, market, and liquidity risk<\/li>\n<li>Ensure that bank activities are only carried out by members of staff who have the necessary experience and technical skills. 
Staff tasked with monitoring and evaluating compliance with the established risk policy should have authority independent from the units they oversee.<\/li>\n<li>Develop a governance structure that\u2019s commensurate with the nature, size, complexity, and risk profile of the bank\u2019s activities.<\/li>\n<\/ul>\n<p><strong><em>Principle 6 &#8211; Senior management must understand the risks inherent in the bank\u2019s business lines and processes. They must also understand the incentives associated with those risks so as to be able to put in place effective countermeasures.<\/em><\/strong><\/p>\n<p>With respect to Principle 6, the board of directors and\/or senior management should consider both internal and external factors to identify and assess operational risk.<\/p>\n<p>Examples of tools that may be used for identifying and assessing operational risk include:<\/p>\n<ul>\n<li>Audit findings<\/li>\n<li>Internal loss data collection and analysis<\/li>\n<li>External loss data collection and analysis<\/li>\n<li>Risk and performance indicators<\/li>\n<li>Scenario analysis<\/li>\n<li>Comparative analysis<\/li>\n<\/ul>\n<p><strong><em>Principle 7 &#8211; New lines of business, products, processes, and systems should require an approval process that assesses the potential operational risks.<\/em><\/strong><\/p>\n<p>With respect to Principle 7, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Ensure that the risk management framework keeps pace with new products and processes, which usually come with increased exposure to operational risk.<\/li>\n<li>Thoroughly review new activities and product lines. 
Some of the factors that should be considered during this process include:\n<ul>\n<li>Inherent risks in the new product, service, or activity;<\/li>\n<li>Changes to the bank\u2019s operational risk profile and appetite and tolerance, including the risk of existing products or activities;<\/li>\n<li>The necessary controls, risk management processes, and risk mitigation strategies;<\/li>\n<li>The residual risk;<\/li>\n<li>Changes to relevant risk thresholds or limits; and<\/li>\n<li>The procedures and metrics to measure, monitor, and manage the risk of the new product or activity.<\/li>\n<\/ul>\n<\/li>\n<li>Ensure that appropriate investment has been made for human resources and technology infrastructure before new products are introduced.<\/li>\n<\/ul>\n<p><strong><em>Principle 8 &#8211; A process for monitoring operational risks and material exposures to losses should be put in place by senior management with support from the board of directors and business line employees.<\/em><\/strong><\/p>\n<p>With respect to Principle 8, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Continuously improve the quality of operational risk reporting. All of a bank\u2019s reports should be comprehensive, accurate, consistent, and implementable across business lines and products.<\/li>\n<li>Ensure that operational risk reports are timely and generated during normal as well as stressed market conditions. 
All reports must be furnished to the board and senior management.<\/li>\n<li>Ensure that all risk reports contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions relevant to decision making.<\/li>\n<\/ul>\n<p>Operational risk reports should lay down:<\/p>\n<ul>\n<li>Breaches of the bank\u2019s risk appetite and tolerance statement, thresholds or limits;<\/li>\n<li>Details of recent significant internal operational risk events and losses; and<\/li>\n<li>Relevant external events and any potential impact they could have on the bank.<\/li>\n<\/ul>\n<p>The board of directors and\/or senior management should also ensure that data capture and risk reporting processes are analyzed periodically with a view to continuously enhancing risk management performance.<\/p>\n<p><strong><em>Principle 9 &#8211; The bank must have strong internal controls, risk mitigation, and risk transfer strategies in place to manage operational risks.<\/em><\/strong><\/p>\n<p>With respect to Principle 9, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Establish internal controls that safeguard the bank\u2019s assets, produce reliable financial reports, and provide reasonable assurance that the bank will have efficient and effective operations;<\/li>\n<li>Ensure that control processes and procedures always include a system for ensuring compliance with policies;<\/li>\n<li>Ensure that there\u2019s segregation of duties to avoid a situation where it\u2019s difficult to pinpoint the individual responsible for the concealment of losses, errors, or other inappropriate actions;<\/li>\n<li>Ensure effective use and sound implementation of technology. 
Automation, for example, reduces most of the errors associated with manual processes;<\/li>\n<li>Ensure that they understand the operational risks associated with outsourcing arrangements and ensuring that effective risk management policies and practices are in place to manage the risk in outsourcing activities; and<\/li>\n<li>Ensure the bank has a sound technology infrastructure that meets current and long-term business requirements by providing sufficient capacity for normal activity levels as well as peaks during periods.<\/li>\n<\/ul>\n<p><strong><em>Principle 10 &#8211; The bank must have plans that guarantee survival and continuity in the event of a major business disruption. All business operations must be resilient.<\/em><\/strong><\/p>\n<p>Banks are exposed to disruptive events, some of which may be severe and result in an inability to fulfill some or all of their business obligations. With respect to Principle 10, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Establish continuity plans to handle unforeseen disruptive events (e.g., disruptions in technology, damaged facilities, pandemic illnesses that affect personnel, and so on).<\/li>\n<li>Periodically review continuity plans.<\/li>\n<\/ul>\n<p><strong><em>Principle 11 &#8211; <\/em><\/strong><strong><em>The bank should make disclosures that are clear enough to ensure that all stakeholders can conduct their own assessment of the bank\u2019s approach to operational risk management.<\/em><\/strong><\/p>\n<p>Public disclosure of relevant operational risk management information instills confidence and ensures transparency and the development of a better industry. 
With respect to Principle 11, the board of directors and\/or senior management should:<\/p>\n<ul>\n<li>Ensure that amount and type of disclosure is commensurate with the size, risk profile, and complexity of a bank\u2019s operations.<\/li>\n<li>Ensure that the bank discloses its operational risk management framework in a manner that allows stakeholders to independently determine whether the bank identifies, assesses, monitors, and controls\/mitigates operational risk in an effective manner.<\/li>\n<li>Ensure that disclosures reflect the methodology adopted by the senior management and the board of directors while assessing and managing the operational risk of the bank<\/li>\n<li>Ensure that there\u2019s a formal, approved disclosure policy that dictates the elements of the bank\u2019s operational risk framework that can be disclosed.<\/li>\n<\/ul>\n<h2>Tools and Processes That Can Be Used To Identify and Assess Operational Risk<\/h2>\n<p>An effective operational risk management system excels in risk identification and assessment. The former considers both internal factors and external factors. Sound risk assessment, on the other hand, allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.<\/p>\n<p>Tools that may be used to identify and assess operational risk include:<\/p>\n<h3>Audit Findings<\/h3>\n<p>Audit findings primarily focus on control weaknesses and vulnerabilities and can also provide insight into inherent risk due to internal or external factors.<\/p>\n<h3>Risk Assessments<\/h3>\n<p>In a risk assessment, often referred to as a Risk Self Assessment (RSA), a bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. 
Closely related are Risk Control Self Assessments (RCSA), which typically evaluate inherent risk (the risk before controls are considered), the effectiveness of the control environment, and residual risk (the risk exposure after controls are considered).<\/p>\n<h3>Internal Loss Data Collection and Analysis<\/h3>\n<p>Analysis of internal operational loss data can provide meaningful information for assessing a bank\u2019s exposure to operational risk. In particular, the analysis can provide insight into the triggers of large losses. Banks can also monitor the contribution of operational risk to credit and market risk-related losses. That way, a more complete view of their operational risk exposure is obtained.<\/p>\n<h3>External Data Collection and Analysis<\/h3>\n<p>A bank may be able to gather external loss data related to operational risks. That includes causal information, gross operational loss amounts, dates, and recoveries. By comparing external loss data with internal loss data, the bank can assess whether its risk management policies are effective. External data can also help explore possible weaknesses in the control environment or bring to the fore previously unidentified risk exposures.<\/p>\n<h3>Risk and Performance Indicators<\/h3>\n<p>Risk and performance indicators are risk metrics that provide insight into a bank\u2019s risk exposure.<\/p>\n<p>Risk indicators, often referred to as Key Risk Indicators (KRIs), specify the main drivers of key risks.<\/p>\n<p>Key Performance Indicators (KPIs) provide insight into the status of operational processes, which may in turn provide insight into operational weaknesses, failures, and potential loss.<\/p>\n<h3>Business Process Mapping<\/h3>\n<p>Business process mappings identify the key steps in business processes, activities, and organizational functions and the risks associated with each of the activities. 
Detailed process maps can reveal individual risks, risk interdependencies, and risk management weaknesses.<\/p>\n<h3>Measurement<\/h3>\n<p>This involves the use of outputs of risk assessment tools as inputs for operational risk exposure models. The results can then be used to allocate economic capital to various business units based on return and risk.<\/p>\n<h3>Scenario Analysis<\/h3>\n<p>In operational risk management, scenario analysis entails seeking the opinion of business line and risk managers about all potential operational risk events and what each event would lead to. However, the process is highly subjective, and a robust governance framework is needed to ensure that integrity and consistency are upheld.<\/p>\n<h3>Comparative Analysis<\/h3>\n<p>Comparative analysis consists of comparing the results of different assessment tools to provide a more comprehensive picture of the bank\u2019s operational risk profile. For example, the bank can combine the frequency and severity of internal data with RCSAs and then gauge the functioning of self-assessment processes.<\/p>\n<h2>Features of an Effective Control Environment<\/h2>\n<p>The control environment is the foundation on which an effective system of internal control is built and operated in a bank that intends to:<\/p>\n<ul>\n<li>Provide reliable financial reporting to internal and external stakeholders;<\/li>\n<li>Comply with all applicable laws and regulations;<\/li>\n<li>Operate its business efficiently and effectively;<\/li>\n<li>Achieve its strategic objectives; and<\/li>\n<li>Safeguard its assets.<\/li>\n<\/ul>\n<p>The Board of Directors and senior management have an obligation to instill in other employees the importance of internal control, including expected standards of conduct.<\/p>\n<p>There are five key components of internal control:<\/p>\n<ol>\n<li><strong>Control Environment:\u00a0<\/strong>This refers to a set of standards, structures, and processes that provide the 
bedrock for performing internal control within the entity.<\/li>\n<li><strong>Risk Assessment:\u00a0<\/strong>Risk assessment is a process used to identify, assess, and manage risks the bank is faced with as it works toward the achievement of its objectives.<\/li>\n<li><strong>Control Activities:\u00a0<\/strong>These are actions taken to mitigate the risks to the achievement of the entity\u2019s objectives. These actions are subject to management approval. The approval process looks at the bank\u2019s policies and procedures. \u00a0<\/li>\n<li><strong>Information and communication:\u00a0<\/strong>Information and communication is the distribution of information needed to perform control activities and to understand internal control responsibilities to personnel internal and external to the entity.<\/li>\n<li><strong>Monitoring<\/strong>:\u00a0Monitoring has much to do with continuous evaluations of the implementation and operation of operational risk policies.<\/li>\n<\/ol>\n<h3>A Note on Traditional Internal Controls<\/h3>\n<p>All banks should ensure that traditional internal controls are in place as appropriate to address operational risk. 
These controls include:<\/p>\n<ul>\n<li>A vacation policy that relieves officers and employees of their duties for a period of not less than two consecutive weeks;<\/li>\n<li>Appropriate staffing level and training to maintain expertise;<\/li>\n<li>Clearly established authorities and processes for approval;<\/li>\n<li>Close monitoring of adherence to pre-established risk thresholds or limits;<\/li>\n<li>Safeguards for access to, and use of, bank assets;<\/li>\n<li>Regular verification and reconciliation of transactions and accounts; and<\/li>\n<li>Ongoing processes to identify business lines or products where returns appear to be out of line with reasonable expectations.<\/li>\n<\/ul>\n<h2>The Basel Committee\u2019s Suggestions for Managing Technology Risk and Outsourcing Risk<\/h2>\n<h3>Technology Risk<\/h3>\n<p>Modern banking is heavily invested in tech, with products, activities, processes and delivery channels all reliant on one or more forms of digital technology. The use of technology, however, leaves banks vulnerable to strategic, operational, and reputational risks. Technology risks also raise the specter of material financial loss that can have a devastating effect even on well-established banks. 
Consequently, it is important for banks to have an integrated approach that identifies, measures, monitors, and manages technology risks.<\/p>\n<p>Sound technology risk management uses the same precepts as operational risk management and includes:<\/p>\n<ul>\n<li>Establishment of risk transfer strategies to mitigate technology risks;<\/li>\n<li>Governance and oversight controls;<\/li>\n<li>Implementation of a risk control environment;<\/li>\n<li>Development of policies and procedures to identify and assess technology risks;<\/li>\n<li>Working with written risk appetite and tolerance statements;<\/li>\n<li>Monitoring of technology risks and violations of thresholds and risk limits; and<\/li>\n<li>Creation of a sound technology infrastructure (i.e., the hardware and software components, data, and operating environments).<\/li>\n<\/ul>\n<h3>Outsourcing Risk<\/h3>\n<p>Outsourcing can be defined as a process in which a bank delegates some of its in-house operations\/processes to a third party. Instead of dedicating internal resources from their Legal and Risk functions, for example, smaller US operations of global European commercial banks often turn to external providers to help them comply with local anti-money laundering laws and KYC (Know Your Customer) requirements.<\/p>\n<p>On one hand, outsourcing helps banks manage costs, provide expertise, expand product offerings, and improve services. On the other hand, it introduces risks that should not be ignored by management.<\/p>\n<p>The Board and senior management must understand the operational risks associated with outsourcing arrangements and ensure that effective risk management policies and practices are developed. 
Outsourcing policies and risk management activities should encompass:<\/p>\n<ul>\n<li>Establishment of an effective control environment at the bank and the service provider;<\/li>\n<li>Procedures for determining whether and how activities can be outsourced;<\/li>\n<li>Sound structuring of the outsourcing arrangement, including ownership and confidentiality of data, as well as termination rights;<\/li>\n<li>Mechanisms for managing and monitoring the risks associated with the outsourcing, including the financial condition of the service provider;<\/li>\n<li>Procedures that emphasize due diligence in the selection of potential service providers;<\/li>\n<li>Development of viable contingency plans; and<\/li>\n<li>Execution of comprehensive contracts and\/or service level agreements with a clear allocation of responsibilities between the outsourcing provider and the bank.<\/li>\n<\/ul>\n<blockquote>\n<h2>Practice Question<\/h2>\n<p>A new bank is to be established in New York City. According to the Basel Committee, three of the following are principles that should be considered in the operation of the new bank. Which one does NOT fit with Basel\u2019s principles?<\/p>\n<p>A. The board of directors should establish, approve, and periodically review the framework<\/p>\n<p>B. The board of directors should take a strong lead in establishing a powerful risk management culture<\/p>\n<p>C. The bank should develop, implement and maintain a framework that is fully integrated into the bank\u2019s overall risk management processes<\/p>\n<p>D. 
The bank should establish the optimal number of customer loans that best fits its risk profile<\/p>\n<p>The correct answer is <strong>D<\/strong>.<\/p>\n<p>The Basel Committee highlighted three principles that are necessary during the operation of an organization, and they do not include the number of customer loans the organization is supposed to handle, as different organizations have different numbers of customers and yet follow the same principles.<\/p>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"<p>After completing this reading you should be able to: Describe the three \u201clines of defense\u201d in the Basel model for operational risk governance. Summarize the fundamental principles of operational risk management as suggested by the Basel Committee. Explain guidelines for&#8230;<\/p>\n","protected":false},"author":3,"featured_media":1539,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[12,9],"tags":[],"class_list":["post-567","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-operational-and-integrated-risk-management","category-part-2","blog-post","animate"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v26.9 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Sound Management of Operational Risk | FRM Part 2 Notes<\/title>\n<meta name=\"description\" content=\"Learn the Basel Committee\u2019s principles for operational risk management, including the three lines of defense and governance practices used by banks.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Sound Management of Operational 
Risk | FRM Part 2 Notes\" \/>\n<meta property=\"og:description\" content=\"Learn the Basel Committee\u2019s principles for operational risk management, including the three lines of defense and governance practices used by banks.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/\" \/>\n<meta property=\"og:site_name\" content=\"CFA, FRM, and Actuarial Exams Study Notes\" \/>\n<meta property=\"article:published_time\" content=\"2019-06-26T12:36:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2026-01-20T14:59:23+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/marten-bjork-707746-unsplash-1-1024x683.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1024\" \/>\n\t<meta property=\"og:image:height\" content=\"683\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Nicolas Joyce\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Nicolas Joyce\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"17 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/\"},\"author\":{\"name\":\"Nicolas Joyce\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f\"},\"headline\":\"Principles for the Sound Management of Operational Risk\",\"datePublished\":\"2019-06-26T12:36:00+00:00\",\"dateModified\":\"2026-01-20T14:59:23+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/\"},\"wordCount\":3830,\"commentCount\":0,\"image\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/marten-bjork-707746-unsplash-1.jpg\",\"articleSection\":[\"Operational and Integrated Risk Management\",\"Part 
2\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/\",\"url\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/\",\"name\":\"Sound Management of Operational Risk | FRM Part 2 Notes\",\"isPartOf\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/marten-bjork-707746-unsplash-1.jpg\",\"datePublished\":\"2019-06-26T12:36:00+00:00\",\"dateModified\":\"2026-01-20T14:59:23+00:00\",\"author\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f\"},\"description\":\"Learn the Basel Committee\u2019s principles for operational risk management, including the three lines of defense and governance practices used by 
banks.\",\"breadcrumb\":{\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#primaryimage\",\"url\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/marten-bjork-707746-unsplash-1.jpg\",\"contentUrl\":\"https:\/\/analystprep.com\/study-notes\/wp-content\/uploads\/2018\/09\/marten-bjork-707746-unsplash-1.jpg\",\"width\":5760,\"height\":3840},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/frm\/part-2\/operational-and-integrated-risk-management\/principles-for-the-sound-management-of-operational-risk\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/analystprep.com\/study-notes\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Principles for the Sound Management of Operational Risk\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#website\",\"url\":\"https:\/\/analystprep.com\/study-notes\/\",\"name\":\"CFA, FRM, and Actuarial Exams Study Notes\",\"description\":\"Question Bank and Study Notes for the CFA, FRM, and Actuarial 
exams\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/analystprep.com\/study-notes\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/393e8b0a7757cde1d197fb0c060af25f\",\"name\":\"Nicolas Joyce\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/analystprep.com\/study-notes\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/684508c19e959bb01da12a9dc741428f559e4e5df43fc41ed68efa7f2d3b2b9d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/684508c19e959bb01da12a9dc741428f559e4e5df43fc41ed68efa7f2d3b2b9d?s=96&d=mm&r=g\",\"caption\":\"Nicolas Joyce\"},\"url\":\"https:\/\/analystprep.com\/study-notes\/author\/kajal\/\"}]}<\/script>\n<meta property=\"og:video\" content=\"https:\/\/www.youtube.com\/embed\/7UmaX_g-7eg\" \/>\n<meta property=\"og:video:type\" content=\"text\/html\" \/>\n<meta property=\"og:video:duration\" content=\"2670\" \/>\n<meta property=\"og:video:width\" content=\"480\" \/>\n<meta property=\"og:video:height\" content=\"270\" \/>\n<meta property=\"ya:ovs:adult\" content=\"false\" \/>\n<meta property=\"ya:ovs:upload_date\" content=\"2019-06-26T12:36:00+00:00\" \/>\n<meta property=\"ya:ovs:allow_embed\" content=\"true\" \/>\n<!-- \/ Yoast SEO plugin. 
-->"}