In brief

On 6 March 2026, the Monetary Authority of Singapore (MAS) issued a Consultation Paper on the proposed Updated Guidelines on Operational Risk Management ("Updated GORM") for Financial Institutions (FIs), which aims to promote effective operational risk management (ORM) amidst the increasing digitalization of financial services, reliance on third‑party service providers, and heightened cyber threats.

The Updated GORM builds on MAS' existing expectations and incorporates key elements of guidance by the Basel Committee on Banking Supervision. The Updated GORM will supersede the 2013 Guidelines on Risk Management Practices – Operational Risk.

If you have any feedback or comments for the MAS in relation to the proposals relating to the Updated GORM, please reach out to the MAS via this link. The consultation will close on 20 April 2026.

Alternatively, if you have any questions on how this may impact your business or operations, please feel free to reach out to us.

Overview – Key features of the Updated GORM

Updated Guidelines on Operational Risk Management

The Updated GORM contains several key features to be applied across all FIs.

1. Risk Proportionate Implementation

The Updated GORM proposes to implement MAS' expectations in a risk-proportionate manner commensurate with the size and complexity of the FI and the nature and materiality of risks in its business. This approach balances the operational burden with the operational risks arising from the FI's products, activities, processes, and systems.

2. Public Disclosure of Operational Risk Management Information and Code of Conduct

MAS proposes new disclosure obligations for domestic systemically important banks and insurers ("D-SIBs" and "D-SIIs"), which include (1) disclosure of their ORM framework and operational risk exposures, including significant operational loss events; and (2) public disclosure of their code of conduct, enabling stakeholders to understand how the FI manages conduct-related risks.

3. Establishing a Robust Change Management Process

MAS proposes that FIs adopt a robust change management process that includes implementing the relevant policies and standards/procedures for approving changes, in order to identify and assess material incremental operational risks arising from planned changes in their operations.

4. Oversight over an FI's Branches and Subsidiaries

FIs are expected to implement appropriate governance structures and processes with well-defined roles, responsibilities and clear reporting lines across their various organizational functions. FIs that are (i) subject to consolidated supervision by MAS or (ii) owners of critical information infrastructure will be expected to consider the operational risk of their branches/subsidiaries and ensure that the Updated GORM is implemented by them.

ORM expectations under the Updated Guidelines

The consultation paper also features the full Updated GORM that MAS expects to implement. We set out MAS' expectations on the key requirements under the Updated GORM in further detail below.

Operational Risk Management Framework

FIs are expected to maintain an effective ORM Framework that enables timely identification, assessment, treatment, monitoring, review and reporting of operational risks across the institution.

An effective ORM Framework should include:

  1. Robust governance structures for board and senior management oversight
  2. A clearly defined risk appetite and tolerance statement that should explain the rationale for acceptable risk levels, define the indicators for risk monitoring and be regularly reviewed to account for changes [1]
  3. A comprehensive common taxonomy of operational risk terms
  4. Policies, standards and procedures for ORM in all material business products, activities, processes and systems which include an effective three lines of defense model that synergizes (i) business units [2], (ii) independent ORM function, and (iii) independent audit
  5. Established tools for identifying, measuring, and controlling operational risk
  6. Thresholds for monitoring inherent and residual risks
  7. An inventory of controls implemented by all business units to mitigate risk
  8. Periodic independent reviews of the ORM processes.

Responsibilities of the Board and senior management

The Board holds ultimate responsibility for oversight of the FI's operational risk, although it may delegate oversight to a board-level committee. The Board, or the committee delegated by it, is responsible for:

  1. Approving and ensuring regular review of the FI's operational risk appetite and tolerance statement
  2. Approving and ensuring regular review of the ORM framework
  3. Assessing and implementing ORM policies, standards and procedures that are commensurate with the nature, scope and complexity of business operations
  4. Regularly evaluating the effectiveness of the ORM framework against external events
  5. Ensuring independent review is periodically performed to assess effectiveness of the FI's ORM.

Senior management is responsible for designing, implementing and maintaining the ORM Framework. This includes:

  1. Establishing the ORM framework and managing operational risks based on the framework
  2. Establishing a sufficiently resourced ORM function independent from business units
  3. Addressing audit and review findings in a timely manner
  4. Ensuring robust policies, standards, and procedures for ORM are effective and within the FI's risk appetite and tolerance statement
  5. Ensuring roles and responsibilities are clearly defined
  6. Ensuring staff have adequate training, competencies and authority
  7. Ensuring timely reporting of significant operational risk developments to the Board.

Operational Risk Management process

FIs must maintain an ongoing operational risk management process comprising three key components:

  1. Risk Identification and Assessment – identifying internal and external operational risks, assessing vulnerabilities, and determining whether risk acceptance or treatment is required
  2. Risk Treatment – implementing risk mitigation measures (controls, risk avoidance, or risk transfer such as insurance) and ensuring residual risks remain within the FI's risk appetite
  3. Risk Monitoring and Reporting – monitoring the operational effectiveness of risk mitigation measures, maintaining a comprehensive risk register, and escalating significant operational risk concerns to senior management and MAS where required.

The MAS has included a list of suggested tools that FIs may use to identify and assess operational risk at Annex 3 of the consultation paper. These tools include risk and control assessments, key risk indicators, operational risk event data analysis, scenario analysis, and benchmarking and comparative analysis.

Change management

MAS expects FIs to establish a comprehensive and forward-looking change management process that identifies and assesses material incremental operational risks from planned changes in operations throughout the full life cycle of a business product. The review and approval process should consider the FI's operational risk profile, incorporate procedures and metrics to assess operational risk from the change, and ensure adequate resourcing before changes are introduced. FIs should also monitor changes during and after implementation to manage any unexpected risks.

Disclosure

To enhance market discipline and stakeholder confidence, MAS expects FIs to take reasonable steps to make public disclosures commensurate with the scale of their operations, so that stakeholders can understand their approach to ORM and their operational risk exposures.

For D-SIBs and D-SIIs, MAS expects:

  1. Disclosures on their ORM framework to allow stakeholders to determine whether they identify, assess, monitor and mitigate operational risk effectively
  2. Meaningful public disclosure on relevant operational risk exposure information to stakeholders while not creating operational risk through this disclosure (such as alerting bad actors to an unaddressed control vulnerability)
  3. Establishing formal disclosure policies that are subject to regular and independent review by the board/senior management, and a process for assessing such disclosure policies.

Transition period

MAS proposes providing a transition period of 6 months after the Updated GORM is issued, for FIs to meet the expectations set out.


[1] A detailed description of MAS' expectation of such a statement is found at Annex 1 of the consultation paper.

[2] Business units refer to all associated support, corporate and/or shared service functions such as Finance, Human Resources, and Operations and Technology that are relevant for the ORM of the business. A detailed description of the three lines of defense model is found at Annex 2 of the consultation paper.

* * * * *

© 2026 Baker & McKenzie. Wong & Leow. All rights reserved.