Background
MAS issued a consultation paper in March 2026 to update the 2013 Guidelines on Operational Risk Management, entitled Updated Guidelines on Operational Risk Management (“updated ORMG”). The update reflects increasing digitalization, reliance on third parties, and escalating cyber threats. It incorporates Basel Committee (“BCBS”) guidance and applies to all financial institutions (“FIs”). The guidelines aim to promote effective operational risk management through a risk-proportionate approach, ensuring FIs maintain resilience in an evolving and increasingly complex risk and volatile landscape.
Key Observations
The proposed guidelines emphasise a shift toward transparency, accountability, and adaptability in managing operational risks.
1. Existing Gaps
Outdated Frameworks: Existing 2013 guidelines do not adequately address risks from rapid digitalization and complex third-party ecosystems.
Transparency Deficits: Lack of public disclosure regarding operational risk management and codes of conduct, particularly for systemically important institutions (“D-SIBs/D-SIIs”).
Change Management Weaknesses: Inadequate processes to identify and assess material incremental risks arising from new products, markets, or IT system modifications.
Inconsistent Subsidiary Oversight: Gaps in ensuring that branches and subsidiaries, especially those outside Singapore, observe consistent operational risk management standards.
2. Improvements proposed
Risk Proportionate Implementation: FIs must implement guidelines commensurate with their size, complexity, and risk profile, allowing for streamlined approaches for smaller entities.
Public Disclosure Mandates: D-SIBs and D-SIIs are expected to publicly disclose their operational risk management approach, significant loss events, and codes of conduct to enhance market discipline.
Robust Change Management: FIs must establish formal processes to assess the evolution of risks across the lifecycle of new activities or system changes.
Consolidated Oversight: FIs with branches or subsidiaries must ensure their entire group observes these guidelines, maintaining clear reporting lines and governance structures.
MAS is seeking public feedback on 7 questions:
- Where FIs envisage challenges in observing specific expectations on a proportional basis.
- The proposed expectation for a D-SIB / D-SII to publicly disclose its approach to operational risk management and operational risk exposures, and its code of conduct, including suggestions on other FIs which should be subject to the guidelines.
- Enhanced disclosure requirements.
- Proposed expectations over change management.
- Proposed expectations applicable to FIs with branches or subsidiaries under them and, which: i) are subject to consolidated supervision by MAS or ii) are owners of critical information infrastructure.
- Any other aspects of the updated ORMG that have not been covered in earlier questions.
- Proposed transition period of 6 months.
What’s next?
MAS proposes to apply the expectations in the updated ORMG to all FIs, on a risk and scale-adjusted basis.
The consultation period ends on 20 April 2026, with the updated guidelines expected to take effect six months after final MAS consultation response, possibly late 2026.
FIs face a “readiness gap” as they must transition from legacy 2013 frameworks to these more stringent, disclosure-heavy standards. FIs should immediately begin gap analyses to align their change management and third-party oversight with the new expectations to avoid implementation delays.
How can we help?
Capital Governance assists FIs by:
Conducting Gap Analysis: Auditing existing ORM frameworks against the 2026 updated guidelines.
Disclosure Strategy: Developing public disclosure policies and codes of conduct
Subsidiary Oversight: Strengthening group-wide governance and reporting structures.
And much more …
capital-governance.com 