Issued 15 December 2008
Last updated 6 June 2018
This policy aims to ensure a systematic and uniform approach to Operational Risk Management throughout Norges Bank Investment Management (NBIM), so that operational risk factors are identified, assessed, mitigated, monitored and reported according to the Executive Board’s risk tolerance.
The policy covers operational risk management for all areas and processes in NBIM. It covers requirements for all operational risk assessments conducted, including project risk and risks related to outsourced services and processes.
The purpose of operational risk management is to systematically identify risk across the organisation, and to initiate necessary risk reducing measures to prevent unnecessary loss. Operational risk management is a tool for prioritising resources and for balancing the cost of risk against the cost of risk mitigating activities.
The Chief Executive Officer (CEO) has the overall responsibility for operational risk management and internal control. All employees have an individual responsibility to report operational risks and incidents, and to execute necessary risk mitigation activities as needed or requested. NBIM shall have a central operational risk function that shall support operational risk related activities and monitor the NBIM wide operational risk picture, including incidents and internal control activities.
- Operational risk is defined as the risk of an unwanted event with financial or reputation impact. The unwanted event may arise from a breakdown of internal processes, human error, system failure or other events caused by third parties or other external factors.
- Compliance risk is an operational risk defined as failure to comply with laws, regulations, international best standards, internal rules and conduct of business applicable to NBIM's activities.
- Fraud risk is an operational risk defined as a deliberate, deceptive act in order to achieve personal gain, unjust or illegal advantage.
- Risk Factor is a potential unwanted future event.
- Risk Level is the combination of the probability / frequency of occurrence and the consequence of a risk factor. Four risk levels are defined: Critical, Significant, Moderate and Insignificant. Inherent Risk Level is defined as the risk level in the absence of risk mitigating controls. Current Risk Level is defined as the risk level after the currently implemented actions or controls. Future Risk Level is defined as an estimated future risk level based on actions or controls that are planned, but not yet implemented.
- Internal control is all measures and systems established and implemented by the Executive Board, administration, and employees, in order to achieve Norges Bank’s objectives and mission.
- Control is a recurring measure (activity and system) established to mitigate inherent risks.
- Action is a one-time activity to reduce probability/frequency or consequence of an operational risk factor.
- Incident is an unwanted event that has occurred.
Risk tolerance levels
- Significant and critical individual risk factors are in general not tolerable, and risk mitigation shall be implemented.
- Only the Executive Board may accept critical operational risk factors without additional risk mitigation.
- Only the Chief Executive Officer may accept significant operational risk factors without additional risk mitigation. The Executive Board shall be informed of such decisions.
- The central operational risk function shall monitor and measure the overall risk exposure based on an NBIM wide risk picture, and compare the risk exposure and actual loss from incidents to the Executive Board’s total operational risk tolerance.
- All operational risk factors shall be reduced to a level as low as reasonably practicable. NBIM shall seek a balance between risk exposure and the cost of risk reducing measures.
Risk identification and assessment
- Individual risk factors shall be identified from the processes. Each risk factor shall be allocated to a risk owner, who has a direct follow-up responsibility for the risk factor.
- Probability/frequency and consequence shall be assessed for each identified risk factor according to defined scales. Operational risks shall be assessed against financial and reputational consequence. Project risks shall be identified and assessed against cost, schedule and quality of the project.
- Chiefs shall identify and assess all risk factors within their area.
- The central operational risk function shall facilitate cross-department risk identification and risk aggregation, and identify and maintain an NBIM wide risk picture.
- When incidents occur, the priority shall be to resolve the incident and return to normal operations, regardless of incident severity.
- All incident reporting shall be encouraged, and no employees shall in any way receive negative attention for reporting incidents.
- Sensitive incidents that may have an impact on specific individuals shall be reported with care. This includes fraud related incidents.
- Cases of Whistleblowing shall follow the NBIM Policy for Whistleblowing, and not be reported as regular incidents.
- In cases where incidents may cause severe disruptions to NBIM’s core processes, Business Continuity Procedures shall be assessed and initiated by the responsible persons.
- All reported incidents shall be related to relevant operational risk factors. If necessary, specific mitigation actions shall be identified and executed to prevent incidents from reoccurring.
Risk mitigation and escalation
- Critical risks are unacceptable, and risk mitigating actions shall be initiated immediately.
- Significant risks are unacceptable, and risk mitigating actions shall be initiated and followed up within reasonable time.
- Moderate risks are at the outset acceptable, and risk mitigating actions shall be considered based on cost/benefit.
- Risk mitigating actions shall be initiated for risks which in the long-term may reach an unacceptable risk level.
- Business contingency plans and procedures shall be made and maintained for moderate risks with potentially very high consequence.
- Insignificant risks are acceptable, and risk mitigating actions may be initiated in order to improve the effectiveness of the daily operations.
- The central operational risk function shall monitor operational risks and incidents on an NBIM level and ensure necessary escalation.
- NBIM shall have a sound and adequate internal control environment, as aligned with the Internal Control Regulation for Norges Bank.
- NBIM shall have in place systematic measures such as reviews, checks and balances, methods and procedures, to conduct daily operations in an orderly and efficient manner.
- Controls shall be set up to manage inherent risks in accordance with the defined risk tolerance.
- Operational risks shall be reviewed at regular intervals and be updated in NBIM’s operational risk register.
- Incidents shall be followed up by those designated this responsibility and may only be closed when the necessary investigation has been completed and actions decided.
- An annual self-assessment of the key controls shall be performed.
- A long-term plan shall be prepared to ensure review of high-risk processes and areas, and be aligned with the three-year strategy plan.
- From the long-term plan, an annual risk based plan shall be prepared. Processes and risks shall be subject to review and key controls shall be verified for operational effectiveness. Risk assurance shall be given on selected topics and areas, including assessment of compliance with external and internal rules.
- Chiefs shall report the operational risk picture to the CEO through the monthly management reporting.
- The Chief Compliance and Control Officer shall report significant operational risk factors to the CEO on a monthly basis.
- A report on operational risk and internal control shall be delivered to the Executive Board on a quarterly basis.
- A statement about NBIM’s overall status for operational risk and internal control shall be delivered to the Executive Board annually.