[Chinese-English Version] Measures for the Administration of Operational Risk of Banking and Insurance Institutions.docx
Measures for the Administration of Operational Risk of Banking and Insurance Institutions

Issuing Authority: National Administration of Financial Regulation
Document Number: Order No. 5 [2023] of the National Financial Regulatory Administration
Date Issued: 12-27-2023
Effective Date: 07-01-2024
Level of Authority: Departmental Rules
Area of Law: Banking Supervision; Insurance Supervision

Measures for the Administration of Operational Risk of Banking and Insurance Institutions
(Issued by Order No. 5 [2023] of the National Financial Regulatory Administration on December 27, 2023, coming into force on July 1, 2024)

Chapter I General Provisions

Article 1 For the purposes of improving the operational risk management of banking and insurance institutions, these Measures are formulated in accordance with the Banking Supervision Law of the People's Republic of China, the Commercial Bank Law of the People's Republic of China, the Insurance Law of the People's Republic of China, and other laws and regulations.

Article 2 For the purposes of these Measures, "operational risk" means the risk of loss stemming from failed internal processes, people, and information technology systems, or from external events. It includes legal risk but excludes strategic risk and reputational risk.

Article 3 Operational risk management is an integral part of the comprehensive risk management system. Its objectives are to effectively prevent operational risk, reduce losses, enhance the ability to respond to internal and external events, and safeguard stable business operations.

Article 4 Operational risk management shall follow the following basic principles:
(1) Principle of prudence. Operational risk management shall use a risk-based approach, pay full attention to early signs of risk and potential hazards, effectively identify adverse factors that affect risk management, allocate sufficient resources, take timely measures, and improve foresight.
(2) Principle of comprehensiveness. Operational risk management shall cover all business lines, branches, departments, positions, employees, and products, underpin the entire decision-making, execution, and supervision process, and fully consider the relevance and contagion of other internal and external risks.
(3) Principle of fitness. Operational risk management shall reflect multi-level and differentiated requirements. The management system and management resources shall be fit for the institution's development strategy, business scale, complexity, and risk condition, and be promptly adjusted according to changes in circumstances.
(4) Principle of effectiveness. An institution shall, guided by its risk appetite, effectively identify, assess, measure, control, mitigate, monitor, and report the operational risk it faces, and hold operational risk within a tolerable range.

Article 5 A large banking or insurance institution shall, based on a sound governance structure, strengthen operational risk management, connect it organically with business continuity, outsourcing risk management, cybersecurity, data security, emergency response, recovery and disposal plans, and other systems and mechanisms, improve operational resilience, and have the ability to continue providing key business and services in the event of material risks and external events.

Article 6 The National Financial Regulatory Administration (NFRA) and its local offices shall regulate the operational risk management of banking and insurance institutions in accordance with the law.

Chapter II Risk Governance and Management Responsibilities

Article 7 The board of directors of a banking or insurance institution shall regard operational risk as one of the main risks faced by the institution and have the ultimate responsibility for operational risk management. Its main responsibilities are to:
(1) Approve the basic operational risk management system to ensure its alignment with strategic objectives.
(2) Approve the operational risk appetite and its transmission mechanism to hold operational risk within a tolerable range.
(3) Approve the senior management's operational risk management responsibilities, authorities, reporting, and other mechanisms to ensure the effectiveness of the operational risk management system.
(4) Deliberate the operational risk management reports submitted by the senior management at least once a year to fully understand and assess overall operational risk management and the work of the senior management.
(5) Ensure that senior management establishes the necessary mechanisms for identifying, assessing, measuring, controlling, mitigating, monitoring, and reporting operational risk.
(6) Ensure that the operational risk management system submits to effective examination and supervision by the internal audit department.
(7) Approve systems related to information disclosure concerning operational risk.
(8) Ensure the development of a risk culture that meets operational risk management requirements.
(9) Other related responsibilities.

Article 8 If a banking or insurance institution has supervisors or a board of supervisors, the supervisors or board of supervisors shall have the responsibility for supervising operational risk management, supervising and inspecting the performance of duty by the board of directors and senior management, urging timely corrective action, and including this work in the work report of the supervisors or board of supervisors.

Article 9 The senior management of a banking or insurance institution shall have the responsibility for the implementation of operational risk management. Its main responsibilities are to:
(1) Develop basic systems and measures for operational risk management.
(2) Clearly define the operational risk management responsibilities and reporting requirements of departments and branches at all levels, urge all departments and branches to fulfil their responsibilities for operational risk management, and ensure the normal functioning of the operational risk management system.
(3) Establish an operational risk appetite and its transmission mechanism, urge all departments and branches to implement the operational risk management system and risk appetite, conduct regular examinations, and promptly address breaches of risk appetite and other violations of operational risk management requirements.
(4) Comprehensively understand overall operational risk management, especially material operational risk events.
(5) Submit an operational risk management report to the board of directors at least once a year and file it with the supervisors or the board of supervisors.
(6) Allocate sufficient financial, human, information technology system, and other resources for operational risk management.
(7) Improve the operational risk management system to effectively respond to operational risk events.
(8) Develop an evaluation, reward, and punishment mechanism for operational risk management.
(9) Other related responsibilities.

Article 10 A banking or insurance institution shall establish three lines of defense for operational risk management, and shall establish and improve risk data and information sharing mechanisms among the three lines of defense and within each line of defense. The first line of defense, consisting of the business and management departments at all levels, is the direct bearer and manager of operational risk and is responsible for operational risk management in its respective fields. The second line of defense, consisting of the lead departments at all levels responsible for operational risk management and measurement, guides and supervises the operational risk management of the first line of defense. The third line of defense, consisting of the internal audit departments at all levels, supervises and evaluates the performance of duty by the first and second lines of defense and its effectiveness.

Article 11 The main responsibilities of the first line of defense are to:
(1) Designate persons to be responsible for operational risk management and invest sufficient resources.
(2) Identify and assess its own operational risk using the risk management assessment methods.
(3) Develop control and mitigation measures and regularly evaluate the effectiveness of the measures.
(4) Continuously monitor risks to ensure compliance with the operational risk appetite.
(5) Regularly file operational risk management reports and promptly report material operational risk events.
(6) Fully reflect the requirements of operational risk management and internal control when developing business processes and systems.
(7) Other related responsibilities.

Article 12 The second line of defense shall remain independent and continuously improve the consistency and effectiveness of operational risk management. Its main responsibilities are to:
(1) Establish a dedicated post or designate a person for operational risk management at first-tier branches (provincial branches) and above, and allocate sufficient resources.
(2) Track operational risk management regulatory policies and organize their implementation.
(3) Draft basic systems and measures for operational risk management, and develop methods and specific provisions for identifying, assessing, measuring, monitoring, and reporting operational risk.
(4) Guide and assist the first line of defense in identifying, assessing, monitoring, controlling, mitigating, and reporting operational risk, and conduct regular supervision.
(5) Submit an operational risk management report to the senior management at least once a year.
(6) Measure capital for operational risk.
(7) Provide operational risk management training.
(8) Other related responsibilities.
The NFRA or its local office may, within its regulatory purview, exempt small banking and insurance institutions from the requirement to establish a dedicated post or designate a person for operational risk management at first-tier branches (provincial branches).

Article 13 Legal, compliance, information technology, data management, consumer protection, security, financial accounting, human resources, actuarial, and other departments shall, while assuming their own operational risk management responsibilities, provide sufficient resources and support for operational risk management by other departments within their purview.

Article 14 The internal audit department shall conduct a special audit of operational risk management at least once every three years, covering the operational risk management of the first and second lines of defense, evaluating the operation of the operational risk management system, and report to the board of directors.
The internal audit department shall pay full attention to operational risk management when carrying out other audit projects.

Article 15 A large banking or insurance institution shall regularly commission a third-party institution to audit and evaluate its operational risk management, and submit the external audit report to the NFRA or its local office.

Article 16 The domestic branches and the departments directly engaged in business of a banking or insurance institution shall have the primary responsibility for operational risk management and perform the responsibilities to:
(1) Allocate sufficient resources to the operational risk management departments at the same level and business line.
(2) Strictly implement operational risk management systems, risk appetite, management processes, and other requirements.
(3) Improve operational risk management in accordance with internal and external audit results and regulatory requirements.
(4) Other related responsibilities.
In addition to the requirements of the preceding paragraph, overseas branches shall comply with local regulatory requirements.

Article 17 A banking or insurance institution shall require its domestic financial affiliates and financial technology affiliates within the scope of consolidation to establish an operational risk management system that is aligned with the group's risk appetite and fit for their business scope, risk characteristics, business scale, and regulatory requirements, to establish and improve three lines of defense, and to develop operational risk management systems.
In addition to the requirements of the preceding paragraph, an overseas affiliate shall also comply with local regulatory requirements.

Chapter III Basic Requirements for Risk Management

Article 18 The basic operational risk management system shall fit the nature, scale, complexity, and risk characteristics of the institution's business, and shall at least include:
(1) The definition of operational risk.
(2) The organizational structure, authority, and responsibilities for operational risk management.
(3) Operational risk identification, assessment, measurement, monitoring, control, and mitigation procedures.
(4) An operational risk reporting mechanism, including the reporting entity, responsibilities, pathway, frequency, and time limits.
A banking or insurance institution shall, within 15 working days after the development or revision of the basic operational risk management system, file a report with the NFRA or its local office according to the regulatory responsibilit