Investor Presentation
MORGAN STANLEY BANK ASIA LIMITED
NOTES TO THE FINANCIAL STATEMENTS
Year ended 31 December 2020
26. OPERATIONAL RISK
Operational risk refers to the risk of loss, or of damage to the Company's reputation, resulting from
inadequate or failed processes or systems, from human factors or from external events (e.g. fraud, theft,
legal and compliance risks, cyber-attacks or damage to physical assets). Operational risk relates to the
following risk event categories as defined by Basel Capital Standards: internal fraud; external fraud;
employment practices and workplace safety; clients, products and business practices; business disruption
and system failure; damage to physical assets; and execution, delivery and process management.
The Company may incur operational risk across the full scope of its business activities, including
revenue-generating activities (e.g., private wealth management) and support and control groups (e.g.,
information technology and trade processing).
The Company has established an operational risk framework to identify, measure, monitor and control
risk across the Company. This framework is consistent with the framework established by the Morgan
Stanley Group and includes escalation to the Company's Board of Directors and appropriate senior
management personnel. Effective operational risk management is essential to reducing the impact of
operational risk incidents and mitigating legal and reputational risks. The framework is continually
evolving to reflect changes in the Company and to respond to the changing regulatory and business
environment.
The Company has implemented operational risk data and assessment systems to monitor and analyse
internal and external operational risk events, to assess business environment and internal control factors
and to perform scenario analysis. The collected data elements are incorporated in the operational risk
capital model. The model encompasses both quantitative and qualitative elements. Internal loss data and
scenario analysis results are direct inputs to the capital model, while external operational incidents,
business environment and internal control factors are evaluated as part of the scenario analysis process.
In addition, the Company employs a variety of risk processes and mitigants to manage its operational
risk exposures. These include a governance framework, a comprehensive risk management program and
insurance. Operational risks and associated risk exposures are assessed relative to the risk tolerance
established by the Board and are prioritised accordingly.
The breadth and variety of operational risk are such that the types of mitigating activities are wide-
ranging. Examples of such activities include continuous enhancement of defences against cyber-attacks;
use of legal agreements and contracts to transfer and/or limit operational risk exposures; due diligence;
implementation of enhanced policies and procedures; exception management processing controls; and
segregation of duties.
Primary responsibility for the management of operational risk is with the business segments, the control
groups and the business managers therein. The business managers maintain processes and controls
designed to identify, assess, manage, mitigate and report operational risk. Each of the business segments
has a designated operational risk coordinator. The operational risk coordinator regularly reviews
operational risk issues and reports to the Company's senior management within each business. Each
control group also has a designated operational risk coordinator and a forum for discussing operational
risk matters with the Company's senior management. Oversight of operational risk is provided by the
Operational Risk Oversight Committee, regional risk committees and senior management. In the event
of a merger; joint venture; divestiture; reorganisation; or creation of a new legal entity, a new product or
a business activity, operational risks are considered, and any necessary changes in processes or controls
are implemented.