Operational Risk Policy

Code: OPS-004
Domain: Operational Resilience
Owner: Chief Risk Officer
Status: Draft
Applicability: Platform
Jurisdiction: NZ + AU
Business domain: BD08
Review date: 2027-03-25

Regulations: CPS 230 Operational Risk Management

Purpose

Governs the platform's operational risk framework, including risk appetite, operational risk event capture, the Risk and Control Self-Assessment (RCSA) process, key risk indicator (KRI) monitoring, and scenario analysis. Establishes the controls required to identify, assess, and respond to operational risks — including those arising from financial processing failures, suspense backlogs, and system incidents.

Scope

All operational risks arising from people, processes, systems, and external events across the banking platform in NZ and AU, including operational risks with a direct financial impact on the ledger.

Policy statements

The platform SHALL maintain a documented operational risk appetite statement approved by the Board. The appetite statement SHALL include quantitative thresholds for operational loss, customer impact events, and regulatory breach frequency.

All operational risk events SHALL be captured in the operational risk register within one business day of identification. Events with a financial impact SHALL be linked to the corresponding ledger entries or suspense records.

Suspense balances arising from failed financial processing SHALL be monitored in real time. Suspense items that remain unresolved beyond the defined ageing threshold SHALL trigger an escalation alert to the operations function and, for material amounts, to the Chief Financial Officer.

A formal RCSA process SHALL be conducted at least annually for each business domain. RCSA outcomes SHALL inform control prioritisation and SHALL be reported to the Risk Committee.

Key risk indicators SHALL be defined for all material operational risk categories. KRI breaches SHALL trigger documented management responses. KRIs in the amber zone for more than the defined period SHALL be escalated as a formal risk issue.

Scenario analysis SHALL be conducted at least annually covering severe but plausible operational loss scenarios. Scenario outputs SHALL be used to test capital adequacy and business continuity assumptions.

The platform SHALL maintain a documented financial incident response procedure covering: detection, containment, ledger impact assessment, customer impact assessment, regulatory notification obligations, and post-incident review.

All operational risk events, KRI readings, RCSA records, and incident reports SHALL be retained per the applicable retention schedule and SHALL be available for regulatory inspection.


Satisfying modules

Module | Name | Mode | Description
MOD-150 | Risk management platform | AUTO | Risk events from all system domains are auto-classified against the risk taxonomy and written to the operational risk register continuously — no manual entry.

Part of Operational Resilience · Governance overview Compiled 2026-05-22 from source/entities/policies/OPS-004.yaml