
Risk Management Department Incident Reporting Policy

Incident Reporting Policy

Policy: RMD-02
Title: Incident Reporting Policy
Approval Date: 21st November, 2016
Revision No: -
Effective Date: 1st January, 2017

Prepared by: Risk Management Department
Sd/- Director

Reviewed by: Management Committee on ERM (MC-ERM)
Sd/- Deputy Governor (Policy) / Chairman MC–ERM
Sd/- Executive Director – FRM

Approved by: Governor
Sd/-

Team Members

Muhammad Haroon Rasheed Malik, Executive Director – Financial Resources Management Group (haroon.rasheed@sbp.org.pk)

Mohsin Rasheed, Director – Risk Management Department (RMD) (mohsin.rasheed@sbp.org.pk)

Harris Alam Siddiqui, Sr. Joint Director – RMD (harrisalam@sbp.org.pk)

Abdul Basit, Joint Director – RMD (abdul.basit@sbp.org.pk)

Shahid Abbas, Deputy Director – RMD (shahid.abbas@sbp.org.pk)


Table of Contents

1. PURPOSE 1
2. INCIDENT REPORTING POLICY 1
3. REVIEW OF THE POLICY 1
4. DEFINITIONS 1
4.1. INCIDENT 1
4.2. NEAR MISSES 2
5. INCIDENT REPORTING PROCEDURE 3
6. RESPONSIBILITIES OF LINE DEPARTMENTS 3
7. TREATMENT OF THE INCIDENT 3
8. INCIDENT REPORTING COMMITTEE 4
9. REPORTING OF INCIDENTS 4
10. APPENDIX A: INCIDENT REPORTING FORM 5
10.1. DESCRIPTIONS OF INCIDENT REPORTING FORM 6


Incident Reporting Policy

1. Purpose
This policy defines the mechanism for incident reporting at SBP and its subsidiaries. Incident
reporting plays a major role in helping SBP maintain a safe and secure working environment. It
helps protect the confidentiality, integrity and availability of information and systems and is
an essential element of effective risk management. Trend analysis of reported incidents enables
the organization to highlight areas of weakness and, where necessary, take appropriate action to
reduce specific threats and vulnerabilities.

2. Incident Reporting Policy

The Enterprise Risk Management (ERM) Incident Reporting Policy sets out the minimum
standards and guidelines for the timely identification, recording, management, monitoring and
escalation of incidents and near misses.

SBP recognizes the importance of information about incidents and near misses. This policy gives
departments and senior management of SBP greater confidence in their understanding of incidents,
the risks they pose to SBP and the appropriateness of the response to them.

This document has been developed to ensure that:

 All incidents and near misses across SBP are identified, recorded, monitored, managed
and escalated appropriately.
 Incidents and near misses are analyzed, managed and resolved in a way that minimizes
any negative impact on the department and on the organization as a whole.
 Appropriate actions are taken to minimize the exposure and to ensure that similar incidents do
not recur.
 Incidents and near misses are formally reviewed prior to closure.

3. Review of the Policy

This policy is subject to review on an annual basis.

4. Definitions

4.1. Incident
An incident is a breakdown or failure of controls or operations in business processes. It is an
event (or series of linked events) that has a negative impact on SBP, or the potential to cause
one (a near miss). The negative impact can be financial or non-financial; a reputational incident,
for example, may be symptomatic of an underlying operational risk that could be mitigated in
future by improving internal processes, systems or capacity building.


Examples of possible incidents are:

 A failure of a control, system or process, for example a control that was not applied or did not
work.
 Recurring events, or a combination of events, that considered together indicate a potential
internal control failure.
 Fraud, corruption or a similar irregularity.
 A breach of the confidentiality of the organization's information.
 A breach or breakdown of a security control that results in, or could create, a risk to the
confidentiality, integrity or availability of SBP systems and the information resident on
those systems.

For prompt and effective handling of the situations arising from incidents, all incidents must
be reported using the Incident Reporting Form (Appendix A). Incident reporting is not a
substitute for the disciplinary action process. Likewise, reporting an incident does not in itself
constitute acceptance of responsibility or admission of liability.

If there is doubt as to whether an event or situation qualifies as an incident under this policy, the
employee may contact the Director, RMD for advice.

4.2. Near misses

Sometimes an event does not result in a financial or non-financial impact, whether because of the
circumstances or through good fortune. Such events should be captured as 'Near Misses'. This allows
an assessment of why the event occurred and what action should be taken to avoid or minimize such
events in future.


5. Incident Reporting Procedure

The incident reporting procedure sets out the main requirements for incident reporting and is
designed to ensure that each incident is recorded, the event is properly reviewed, corrective actions
are taken where necessary to minimize the risk of recurrence, and accountability and responsibility
for those actions are clear.

Each department must ensure that incidents and near misses are captured and reported to the
Risk Management Department (RMD), preferably within three working days of the event being
discovered. This can be done by completing the incident reporting form attached at Appendix A, by
submitting it online (http://sbpweb), or by emailing the completed form to the Risk Management
Department (ERM.Incident@sbp.org.pk).

Any employee may report an incident or near miss by completing the incident reporting form.
Reporters are not required to identify themselves, and the anonymity of anyone who reports an
incident will be preserved.

6. Responsibilities of Line Departments

Every Director is responsible for ensuring that:

1. Every employee is aware of the procedure for reporting incidents and near misses;
2. The minimum reporting requirements are met; and
3. Appropriate processes and controls are in place to identify incidents and to ensure that they are
appropriately recorded and resolved.

7. Treatment of the Incident

The Risk Management Department is responsible for reviewing and analyzing the incidents reported
across SBP and its subsidiaries. The analysis will be used to identify potential systemic risks in
the bank and their possible remediation. The issues highlighted will also feed into the risk
assessment phase of the ERM framework.

An incident will not be closed until all required actions have been completed and one or more of
the following has been done:

1. Rectification, where applicable.
2. Root cause analysis of the incident.
3. Review and, where considered necessary, updating of the relevant controls, procedures,
processes and policies to mitigate the potential for similar incidents to recur.

The incident will be closed in consultation with the Executive Director of the concerned
department.


8. Incident Reporting Committee

The Incident Reporting Committee (IRC) will review all incidents reported from SBP and its
subsidiaries. The IRC will meet, preferably on a monthly basis, and decide which incidents are to be
reported to the Management Committee on ERM (MC-ERM). The IRC will comprise the
following members:

1. Director, Risk Management Department (Chairman)
2. Director, Strategic Planning Department
3. Focal ERM Risk Coordinator, SBP-BSC

9. Reporting of Incidents
A summary of all reported incidents is to be presented to MC-ERM on a quarterly basis.
In addition, all significant incidents will be reported to MC-ERM immediately.


10. Appendix A: Incident Reporting Form

The following information about the incident should be filled in. The completed form may be sent to
the Risk Management Department, emailed to ERM.Incident@sbp.org.pk, or submitted through the online
incident reporting form on the website (http://sbpweb).

The identity of the person who submits the incident reporting form will remain confidential and
anonymous.

Form fields:

- Incident Description
- Individual / Entity Involved
- Date of Incident (DD-MM-YYYY)
- Date of Identification (DD-MM-YYYY)
- Status of Incident (Open / Ongoing / Closed)
- Possible Incident Location (SBP / SBP-BSC / NIBAF / SBP-BSC Field Office / External)
- Possible Incident Cause
- Amount at Risk (Optional)
- Suggestion / Resolution

10.1. Descriptions of Incident Reporting Form

Incident Description
An explanation of the incident or near miss. The description must be sufficiently clear and concise,
and must describe the circumstances of the incident accurately enough for someone not familiar with
it to obtain a reasonable understanding of what happened. Include the who (employee name(s)), what,
where, when and how of the incident. Use an additional sheet if required.

Individual / Entity Involved
The name of the individual involved in the incident, if any. Otherwise, mention the process or the
name of the entity involved in the incident.

Status of Incident (Open / Ongoing / Closed)
The current status of the incident: open, ongoing or closed.

Date of Incident
The date on which the incident occurred, in the format DD-MM-YYYY.

Date of Identification
The date on which the incident was identified, in the format DD-MM-YYYY.

Possible Incident Location (SBP / SBP-BSC / NIBAF / SBP-BSC Field Office / External)
The location where the incident took place.

Possible Incident Cause
Details of the analysis of the underlying cause of the incident (i.e. the reason and contributing
factors). This allows management to better understand the mitigating actions that should be put in
place.

Incidents are often the result of a combination of events. These may include process failures
(e.g. inadequate training) and people-related failures (e.g. failure to follow controls, lack of due
diligence, poor judgment). Employees should therefore consider documenting all possible causes
and contributing factors.

Amount at Risk (Optional)
Details of the possible amount at risk because of this incident.

Suggestion / Resolution
Details of any suggested resolution of the incident.

Near Misses
Sometimes an event does not result in a financial or non-financial impact, whether because of the
circumstances or through good fortune. Such events should be captured as 'Near Misses'. This allows
an assessment of why the event occurred and what action should be taken to avoid or minimize such
events in future.
