Operational Risk impacts all Authorised Firms. Where a Firm employs staff or engages in financial services activities, it exposes itself to risk from people, processes, systems/business technologies, and external events.  The level of risk will vary from Firm to Firm and is a function of the nature, scale, and complexity of each Authorised Firm’s business activities.  

Technological innovations bring the promise of efficient back office operations and reduced Operational Risk, such as fewer human process errors, but also present the risk of systems disruptions and errors due to change management failures, system integration and update errors, or cyber incidents. Effective management of these emerging risks can require new risk management methods, resources, and skills. In turn, these demands can challenge Firms' ability to identify and control risk and remain resilient in an ever-evolving and advancing financial services environment.

In recognition of the impact of innovation on Operational Risk, the DFSA has dedicated resources to the supervision of Operational Risk within Authorised Firms.


We direct our Operational Risk Supervision activities at all DFSA Authorised Firms, Registered Auditors, Credit Rating Agencies and Authorised Market Institutions.

Overview of DFSA Expectations

The DFSA expects Authorised Firms to understand their Operational Risk exposures and take necessary steps to effectively mitigate the risks. The DFSA does not require Authorised Firms to follow any particular Operational Risk framework. However, Authorised Firms are expected to establish an appropriate and effective Operational Risk management framework to identify, assess, monitor, report and control or mitigate Operational Risk. The framework should be consistent with the Firm’s risk appetite and the nature, scale, and complexity of the Firm’s business activities. 

The Firm's framework is expected to be approved and subjected to regular review by the Firm's Board of Directors. The Board is expected to ensure the framework is implemented by management and effectively embedded across the Firm's Operational Risk management processes. Finally, the framework should support both a top-down and a bottom-up approach to risk identification.

We will assess a Firm’s overall Operational Risk framework against 11 principles. The 11 principles are adopted from the Basel Committee on Banking Supervision’s Principles for the Sound Management of Operational Risk. Though prepared by the Basel Committee, the principles are applicable to all types of financial institutions. A summary of the principles is as follows:   

  • Principle 1: Culture
    The Board of Directors and senior management should establish a corporate culture that is guided by strong risk management and that supports and provides appropriate standards and incentives for professional and responsible behaviour.
  • Principle 2: Framework
    Firms should adopt an Operational Risk framework that is appropriate for the nature, scale, complexity, and risk profile of the Firm.
  • Principle 3: Board of Directors oversight
    The Board should establish, approve, and periodically review the framework; and ensure that senior management effectively implements the framework.
  • Principle 4: Board risk appetite
    The Board should approve and review an Operational Risk appetite and tolerance statement that articulates the nature, types, and levels of Operational Risk that the Firm is willing to assume.
  • Principle 5: Senior Management Structure / Responsibility
    The Firm should have a clear, effective and Board-approved governance structure with well-defined, transparent and consistent lines of reporting.
  • Principle 6: Risk identification & assessment
    Senior management should ensure that the Operational Risks inherent in all material products, services, activities, processes and systems are identified, assessed and well understood.
  • Principle 7: Approval process
    Firms should have an approval process for all new products, activities, processes and systems that fully assesses Operational Risk. 
  • Principle 8: Monitoring & reporting
    Firms should have processes to regularly monitor Operational Risk and material exposure to losses, supported by an appropriate reporting framework.
  • Principle 9: Control & mitigation
    Firms should have appropriate internal controls and appropriate risk mitigation and/or transfer strategies. 
  • Principle 10: Business resilience & continuity
    Firms should have business resiliency and continuity plans in place.
  • Principle 11: Disclosure
    Where an Authorised Firm is required to make public disclosures, its disclosures should allow stakeholders to assess the Firm’s approach to Operational Risk management.