
Singapore: MAS proposes updated Operational Risk Management Guidelines

MAS has launched a consultation on updated Guidelines on Operational Risk Management (ORMG), proposing to modernise the supervisory framework governing how financial institutions (FIs) identify, assess and manage operational risks. The updated ORMG, which will supersede the previous 2013 guidelines on operational risk, introduce new obligations relating to public disclosure and change management and align Singapore’s framework with international standards. 

We expect FIs will already have risk management processes in place, so they will need to consider undertaking a gap analysis to determine what key uplifts may be required to implement the ORMG in due course.

Background

The existing guidelines on operational risk management are principles-based and fairly short. MAS has been driven to update them in light of greater reliance by FIs on third parties (particularly in the digital space and due to increased cyber-related risks). The updated ORMG therefore set out MAS’ existing expectations in more detail, while incorporating key elements of the Basel Committee on Banking Supervision’s guidance.

Application

The ORMG apply to all FIs. An FI with a branch or subsidiary that is subject to consolidated supervision by MAS, or that owns critical information infrastructure (as defined in the Cybersecurity Act 2018), must also consider the operational risk posed by its branches and subsidiaries – including those located outside Singapore – to its consolidated operations. Such FIs should ensure that the ORMG are observed by their branches and subsidiaries by applying an ORM framework consistent with the updated ORMG.

Helpfully, the ORMG apply on a proportionate basis to FIs, meaning there may be scope to take a lighter-touch approach to implementation of the ORMG, where appropriate.

Key proposals

1. New public disclosure requirements

FIs in general must “take reasonable steps” to have public disclosures that allow stakeholders to understand their approach to ORM. This means all FIs will need to consider what public disclosures should be made, although the ORMG allow some flexibility over those disclosures.

However, domestic systemically important banks and insurers (D-SIBs and D-SIIs) are subject to specific disclosure requirements under the ORMG. Under the ORMG, they must publicly disclose:

  1. their approach to operational risk management and their operational risk exposures; and

  2. their code of conduct (already required under the Guidelines on Risk Management Practices – Internal Controls).

FIs must also have a formal disclosure policy that is subject to regular and independent review and approval by the board and senior management, demonstrating that MAS expects the public risk disclosures to be updated when relevant.

The intention of these requirements is to enable industry benchmarking and comparative analysis, and also to enable customers and stakeholders to understand the approach of the relevant entities to risk management. However, we expect industry may feel some unease at putting such information in the public domain, and there may be some pushback on this proposal.

2. Change management

MAS has proposed introducing formalised change management expectations as a distinct component of the updated framework. FIs must establish a robust change management process to identify and assess material incremental operational risks arising from planned changes, including new products, entry into new markets, process changes and IT system modifications. Changes must be monitored during and after implementation to identify and manage any unexpected risks that arise.

FIs will likely already consider operational risk in the context of certain strategic changes; however, this new requirement means that FIs will need to ensure operational risk procedures are followed more systemically. MAS gives the example of new products transitioning from an introductory level to a level that represents material sources of revenue, which should trigger an assessment of any operational risks arising with this transition.

3. Other key requirements

Other key requirements in the ORMG include:

  • operational risk management framework: an FI must maintain an effective ORM framework enabling it to identify, assess, treat, monitor, review and report on operational risk on a timely basis. The ORMG contain detailed requirements for the ORM framework, including thresholds for monitoring inherent and residual risk exposure and an inventory of controls implemented by all business units to mitigate identified risks;

  • governance: FIs must ensure the board and senior management understand the operational risks of the business and there should be governance structures for the oversight of operational risk. Notably, the FI must have a dedicated senior management-level ORM committee, which may require an uplift to existing governance procedures for many FIs; and

  • risk appetite and tolerance statement: FIs must have a clearly defined risk appetite and tolerance statement articulating the types and levels of operational risk that an FI is willing to assume in achieving its strategic objectives and business plans. MAS may request sight of such a document, and therefore careful thought will need to go into determining the FI’s tolerance levels and how to monitor whether they are breached.

Next steps

The consultation closes on 20 April 2026, and MAS has proposed a transition period of six months after the updated ORMG are issued. In the meantime, FIs may wish to benchmark their current ORM frameworks against the updated expectations to determine what uplifts may be required.
