Operational Risk Management

The purpose of this policy is to provide principles for uniform and systematic operational risk management throughout Norges Bank Investment Management (NBIM). Operational risk and internal control management shall adhere to the Internal Control Regulation for Norges Bank, the relevant principles for risk management and internal control laid down by the Executive Board and be aligned with best practise standards.

Issued 15 December 2008
Last updated 12 June 2024

The policy covers operational risk management and internal control for all processes within the responsibility of the NBIM CEO, including projects and outsourced services.

Policy

Operational risks shall systematically be identified, assessed, mitigated, monitored, and reported to provide reasonable assurance that objectives will be achieved in accordance with the Executive Board’s operational risk tolerance. Business continuity and crisis management shall ensure priorities according to the Executive Board principles for emergency preparedness and crisis management.

NBIM shall have a second-line operational risk function to advise and assist the organisation in the management of operational risk. The second-line risk function shall maintain an NBIM wide operational risk picture.

General

NBIM shall maintain a sound and adequate internal control environment, seeking a balance between operational risk exposure and the costs of implementation and maintenance of risk mitigating measures.
Security and compliance risk management and incident handling shall be integrated within the NBIM framework for operational risk and control.
NBIM shall establish and maintain a business continuity and crisis management framework to prepare the organisation to handle business disruptions and crisis events. Business continuity and crisis management in NBIM shall be aligned with Norges Bank’s crisis management framework. The framework shall include crisis response structure, individual plans which describes emergency preparedness, business continuity and crisis management for critical processes as well as a program with annual training and exercises to ensure plans and response structures are trained and updated.

Risk tolerance

Operational risk shall be managed within the tolerance limit set by the Executive Board.
The risk level (Critical, Significant, Moderate, and Insignificant) is the combination of the probability/frequency of occurence of a risk and the potential consequences.
Critical operational risks are not normally tolerable and risk mitigating measures shall be initiated immediately. The Executive Board may accept critical risk without additional risk mitigation.
The NBIM CEO may accept significant risks without additional risk mitigation. The Executive Board shall be informed of significant operational risks.

Risk identification and assessment

Operational risks shall be identified and regularly assessed.
Identified risks shall be assessed in inherent and current state with the current state reflecting the assessment of implemented risk mitigating measures.
Operational risks shall be assessed according to probability / frequency of occurrence and potential financial and reputation consequence.

Risk response

Operational risks shall be managed by reducing the probability of and event and / or its expected impact, whilst seeking to balance risk exposure with the cost of mitigating measures.
Business continuity plans and incident response structures shall be in place to help manage business disruption and crisis events across NBIM’s critical business processes and functions.

Risk review and control assurance

Operational risk shall be reviewed and updated quarterly in the enterprise risk management registry.
An annual control and process self-assessment shall be performed.
Business contunuity plans and response structures shall be verified through an annual programme of training and exercises. The training programme shall be coordinated with other training activities within Norges Bank.
Controls mitigating critical or significant operational risk shall be regularly reviewed for their design and operational effectiveness with changes systematically managed.
A long-term assurance plan shall be prepared taking account of high-risk processes and the three-year strategy plan. From the long-term plan, an annual programme shall be executed by the second-line risk function to review processes and test controls.
The second-line risk function shall monitor and measure the overall NBIM wide risk exposure against the Executive Board's total operational risk limit.

Incident management

When incidents occur, the priority shall be to resolve and return to normal operations.
Reporting of incidents shall be encouraged with a no blame culture practised.
Incidents shall be followed up in a structured manner and new risk mitigating measures shall be considered/assessed to avoid reoccurrence or consequences of the event.
Incidents which are defined as a severe business disruption or crisis event shall be escalated and managed according to the business continuity and crisis management framework.
Crisis management shall ensure that appropriate actions are taken based on assessed potential consequences of the event and that events are handled according to the methodology set out in Norges Bank’s internal framework. The crisis organisation shall be flexible and ensure appropriate support from strategic, operational and tactical levels as established and agreed in Norges Bank.
If a crisis event has the potential to impact both NBIM and the Central Bank Operations, the crisis leaders shall ensure appropriate information sharing and coordination across the two business areas.

Reporting and escalation

The second-line risk function shall report critical and significant operational risks and incidents to the CEO monthly.
A report on operational risk and internal control shall be delivered to the Executive Board quarterly and shall include critical and significant operational risks and incidents.
A statement about NBIM's overall assessment for operational risk and internal control shall be delivered to the Executive Board annually.