Overview of the RBI’s Updated Guidance Note on Operational Risk and Resilience

On April 30, 2024, the Reserve Bank of India (RBI) released an updated “Guidance Note on Operational Risk Management and Operational Resilience,” expanding its coverage to include Non-Banking Financial Companies (NBFCs) and Housing Finance Companies. This update revises the earlier guidelines from October 14, 2005, aligning with the Basel Committee on Banking Supervision’s revised documents from March 2021 on managing operational risks and enhancing operational resilience.
Key Features of the Updated Guidance Note:
- Applicability: The guidance now applies to a broader spectrum of regulated entities (REs), including all commercial banks, urban and state cooperative banks, central cooperative banks, and all-India financial institutions such as Exim Bank, NABARD, NHB, SIDBI, and NaBFID.
- Three Lines of Defence Model: The note introduces a structured operational framework:
  - Business Unit: Manages risks in products, services, and systems.
  - Organizational Operational Risk Management (OORF): Analyzes operational risk across units, assessing controls and risk tolerance.
  - Audit Function: Offers independent assurance on the effectiveness of the Operational Risk Management Framework (ORMF) to the Board.
- Principles for Enhanced Resilience: Includes guidelines for managing internal and external connections, incident management, ICT, and third-party relationships, ensuring all entities conduct risk assessments before entering agreements to maintain operational resilience.
- Regulatory Capital for Operational Risk: The guidance specifies that Local Area Banks, Small Finance Banks, Payments Banks, and NBFCs no longer need to hold separate regulatory capital for operational risk. In contrast, Public Sector Banks, Private Banks, and Foreign Banks must follow the approach defined in the recent “Master Circular-Basel III Capital Regulations.”
Implementation and ICT Risk Management:

The updated note stresses the importance of a robust ICT risk management program that aligns with the overall operational risk framework. All regulated entities are mandated to integrate these practices to safeguard critical operations and ensure resilience against operational disruptions.