Requirements for operational risk and information security risk management elaborated for banks

A draft regulation ‘On the Requirements for Operational Risk Management in Credit Institutions and Banking Groups’, elaborated by the Bank of Russia, establishes requirements for a credit institution’s IT policy, as well as operational risk, information security risk (including cyberrisk) and information system risk management. It also determines approaches to the requirements under the internal capital adequacy assessment process for additional capital to cover losses from materialisation of operational risk, including cyberrisk.

The document requires that credit institutions should keep a database of operational risk events, including information security risk, which is needed to introduce a new standardised approach to operational risk assessment and calculate capital adequacy requirements (Basel III) in future.

Furthermore, the draft regulation determines the Bank of Russia procedure for quality assessment of operational risk management in credit institutions, as well as that for the assessment of completeness and quality of the database of operational risk events, including information security risk in credit institutions.

The Bank of Russia is supposed to launch quality assessment of operational risk management in 2020. By that time, credit institutions should bring their operational risk management systems, including databases of operational risk events, into compliance with the new requirements.