Risk management and business continuity
Operational risks are managed following a methodological approach called MARIO (Operational Risk Control and Analysis), covering risks of a human, organizational and operational nature as well as those related to information systems or external factors.
This approach is based on international standards and practices recommended by COSO, the IIA, the Basel Committee and benchmarks with other central banks, particularly in the context of the International Operational Risk Working Group (IORWG).
Since 2006, a consolidated risk map has been developed annually and constitutes a real decision-making tool, especially for internal audit and for budget and strategic planning. It is reviewed by the Board, after consulting the Audit Committee.
On an organizational level, the Bank has appointed in each of its units a Risk Manager to assess the risks surrounding the unit’s processes and ensure the implementation of actions to control them. A central risk management structure keeps a methodological watch and provides assistance, support and consolidated risk reporting. Finally, an Operational Risk Committee, chaired by the Director General and composed of all directors, validates the relevant guidelines before they are approved by the Governor and submitted to the Board.
The Bank has also put in place a comprehensive incident database to enhance the quality of operational risk mapping by fine-tuning the analysis of risks and preventive actions.
Financial risks inherent in the management of foreign exchange reserves (notably liquidity, credit, foreign exchange and interest rate risks) are managed by the Monetary and Foreign Exchange Operations Department. The Bank has established a proper governance framework so that its investments meet its main objectives of safety and liquidity. To this end, the investment guidelines and the strategic asset allocation are determined by the Monetary and Financial Committee at the beginning of each year, and are then presented to the Board. A risk committee monitors compliance with these guidelines and examines the monthly change in risks and performance before presenting it to the Monetary and Financial Committee.
Strategic risks are those that may impede the attainment of the strategic objectives set in the three-year plan, in particular because of exogenous factors, significant operational risks or inadequate translation of strategic priorities into goals. They are monitored jointly with stakeholders, reviewed by the Coordination and Internal Management Committee and then submitted to the Governor and the Board.
The implementation of the Business Continuity Plan (BCP) aims to provide the Bank with the organization, procedures and means to cope with major operational disruptions.
Such disturbances may be caused by natural, technical or human factors (floods, earthquakes, pandemics, prolonged power cuts, breakdowns of critical information systems, vandalism, fires, etc.).
The main objectives of the Bank are to ensure the continuity of the most critical activities, possibly in a degraded mode, and to minimize the impact on:
- persons: staff members, contractors, customers
- property: information, money, works of art
- the Moroccan financial system and the Moroccan economy
- the Bank’s reputation.
The Bank’s BCP consists of business continuity plans for all units, an IT continuity plan, a crisis management plan and an operational condition maintenance organization with a testing plan and crisis simulation exercises.