APRA Chairman John Laker has outlined prudential issues relating to operational risk management.

In particular he discussed the role of the board and senior management:

We expect the board to be aware of the institution’s major operational risks and how they are controlled. The board should set the institution’s tolerance for risk or “risk appetite”, through its approval of policies for managing operational risk.

These policies should outline the institution’s approach to the identification, assessment, monitoring, control and mitigation of this risk. The board is also responsible for regular review of the institution’s operational risk management framework and for ensuring that senior management is actively monitoring the effectiveness of risk controls. Accordingly, the board should establish a
management structure for operational risk based on clear lines of responsibility, accountability and reporting.

He identifed information technology, outsourcing, business continuity management, and project management and product development as key operational risk areas.