Operational Risk Management
Issued 15 December 2008
Last updated 21 December 2021
The purpose of this policy is to provide principles for uniform and systematic operational risk management throughout Norges Bank Investment Management (NBIM). Operational risk and internal control management shall adhere to the Internal Control Regulation for Norges Bank and the relevant principles for risk management and internal control laid down by the Executive Board, and shall be aligned with best practice standards.
The policy covers operational risk management and internal control for all processes within the responsibility of the NBIM CEO, including projects and outsourced services.
Operational risks shall systematically be identified, assessed, mitigated, monitored, and reported to provide reasonable assurance that objectives will be achieved in accordance with the Executive Board's operational risk tolerance. Business continuity and crisis management shall be prioritised according to the Executive Board's principles for emergency preparedness and crisis management.
The NBIM CEO has the overall responsibility for operational risk management and internal control. All personnel have an individual responsibility to report operational risks and incidents. NBIM shall have a second-line operational risk function to advise and assist the organisation in the management of operational risk. The second-line risk function shall maintain an NBIM-wide operational risk picture.
- NBIM shall maintain a sound and adequate internal control environment, seeking a balance between operational risk exposure and the costs of implementation and maintenance of risk mitigating measures.
- NBIM shall establish and maintain a business continuity and crisis management framework to prepare the organisation to handle business disruptions and crisis events. Business continuity and crisis management in NBIM shall be aligned with Norges Bank's crisis management framework. The framework shall include a crisis response structure, individual plans which describe emergency preparedness, business continuity and crisis management for critical processes, and a programme of annual training and exercises to ensure that plans and response structures are trained and kept up to date.
Risk identification and assessment
- Operational risks shall be identified and regularly assessed. Each operational risk shall be assigned an owner.
- Identified risks shall be assessed in both their inherent and current state, with the current state reflecting the assessment of implemented risk mitigating measures.
- Operational risks shall be assessed according to probability / frequency of occurrence and potential financial and reputation consequence.
Risk tolerance and escalation
- The risk level (Critical, Significant, Moderate, and Insignificant) is the combination of the probability / frequency of occurrence of a risk and the potential consequences.
- Critical operational risks are not normally tolerable and risk mitigating measures shall be initiated immediately. The Executive Board may accept critical risk without additional risk mitigation.
- The NBIM CEO may accept significant risks without additional risk mitigation. The Executive Board shall be informed of significant operational risks.
Risk mitigation and internal control
- Operational risks shall be managed by reducing the probability of an event and / or its expected impact, whilst seeking to balance risk exposure with the cost of mitigating measures.
- Business continuity plans and incident response structures shall be in place to help manage business disruption and crisis events across NBIM’s critical business processes and functions.
- The plans and response structures shall be verified through an annual programme of training and exercises. The training programme shall be coordinated with other training activities within Norges Bank.
- Controls mitigating critical or significant operational risk shall be regularly reviewed for their design and operational effectiveness with changes systematically managed.
- When incidents occur, the priority shall be to resolve and return to normal operations.
- Reporting of incidents shall be encouraged, and a no-blame culture shall be practised.
- Incidents shall be followed up in a structured manner, and new risk mitigating measures shall be considered and assessed to avoid recurrence of the event or its consequences.
- Incidents which are defined as a severe business disruption or crisis event shall be escalated and managed according to the business continuity and crisis management framework.
- Crisis management shall ensure that appropriate actions are taken based on assessed potential consequences of the event and that events are handled according to the methodology set out in Norges Bank’s internal framework. The crisis organisation shall be flexible and ensure appropriate support from strategic, operational and tactical levels as established and agreed in Norges Bank.
- The second-line risk function shall report critical and significant operational risks and incidents to the CEO monthly.
- A report on operational risk and internal control shall be delivered to the Executive Board quarterly and shall include critical and significant operational risks and incidents.
- A statement about NBIM's overall assessment for operational risk and internal control shall be delivered to the Executive Board annually.