[OR] [MAS] [E1] [C5] Governance and Accountability

eBook 1: Chapter 5

 Monetary Authority of Singapore's (MAS) Governance and Accountability

Purpose of the Chapter

This chapter examines the governance and accountability structures required to support operational resilience in Singapore’s financial institutions, guided by the Monetary Authority of Singapore's (MAS) expectations.

Operational resilience is not merely a technical or operational function—it is fundamentally a leadership and governance responsibility.

MAS emphasises that effective resilience depends on clear accountability, strong oversight, and well-defined roles across the organisation.

This chapter covers:

• The role of the Board and Senior Management
• The application of the Three Lines of Defence model
• Risk ownership and accountability structures
• MAS regulatory expectations on governance and oversight

Role of Board and Senior Management

Strategic Oversight by the Board

MAS places ultimate accountability for operational resilience on the Board of Directors. The Board is responsible for:

• Setting the strategic direction for operational resilience
• Approving the risk appetite and resilience framework
• Ensuring alignment with regulatory expectations and business objectives
• Providing oversight of critical business services and resilience capabilities

The MAS BCM Guidelines emphasise that the Board must ensure that adequate resources, policies, and governance structures are in place to support resilience initiatives.

Execution by Senior Management

Senior Management is responsible for translating strategy into execution, including:

• Implementing the operational resilience framework
• Establishing policies, procedures, and controls
• Ensuring effective monitoring and reporting mechanisms
• Managing incident response and recovery efforts

MAS expects senior management to maintain active oversight of operational risks and resilience performance, ensuring that risks are identified, assessed, and mitigated effectively.

Continuous Reporting and Escalation

Governance requires:

• Regular reporting to the Board on:
• Resilience metrics
• Incident performance
• Testing outcomes
• Clear escalation protocols during disruptions

This ensures that leadership can make timely and informed decisions during crises.

Three Lines of Defence Model

Overview of the Model

The Three Lines of Defence (3LoD) model is a foundational governance structure for managing operational risk and resilience.

First Line of Defence (Business Units)

The first line is responsible for:

• Ownership and management of risks
• Ensuring continuity of critical business services
• Implementing controls and resilience measures

Operational resilience must be embedded into day-to-day operations, not treated as a separate function.

Second Line of Defence (Risk & Compliance)

The second line provides:

• Independent oversight and challenge
• Development of risk frameworks and policies
• Monitoring of risk exposure and compliance

This ensures that resilience practices are consistent, robust, and aligned with MAS expectations.

Third Line of Defence (Internal Audit)

The third line ensures:

• Independent assessment of the resilience framework
• Validation of controls, processes, and effectiveness
• Identification of gaps and improvement areas

MAS requires financial institutions to conduct regular BCM audits to ensure the adequacy and effectiveness of resilience frameworks.

Integration Across the Three Lines

Effective governance requires:

• Clear segregation of duties
• Strong coordination and communication
• Consistent accountability across all lines

This integrated model ensures that operational resilience is managed, monitored, and validated comprehensively.

Risk Ownership and Accountability Structures

Clear Assignment of Responsibility

MAS expects financial institutions to establish clear accountability for operational resilience, including:

• Ownership of Critical Business Services (CBS)
• Responsibility for risk identification and mitigation
• Accountability for incident response and recovery

Each CBS should have a designated owner responsible for ensuring its resilience.

Accountability Across the Organisation

Accountability must be defined at multiple levels:

• Board → Strategic oversight
• Senior Management → Execution and control
• Business Units → Operational ownership
• Risk Functions → Oversight and governance

This ensures that resilience is embedded across the organisation, rather than centralised in a single function.

Ownership of Third-Party Risks

MAS emphasises that:

• Financial institutions remain fully accountable for outsourced services
• Third-party risks must be actively managed and monitored

Outsourcing does not transfer accountability—it requires enhanced governance and oversight.

Regulatory Expectations on Oversight

Strong Governance Frameworks

MAS expects financial institutions to establish robust governance frameworks that include:

• Clearly defined roles and responsibilities
• Documented policies and procedures
• Effective risk management and control mechanisms

These frameworks must support the continuous delivery of critical business services.

Active Oversight and Monitoring

Institutions must demonstrate:

• Continuous monitoring of operational risks
• Regular testing and validation of resilience capabilities
• Ongoing review and improvement of frameworks

Governance is not static—it requires active engagement and continuous enhancement.

Audit and Assurance

MAS mandates:

• Regular internal and external audits
• Independent validation of:
• BCM frameworks
• Recovery capabilities
• Dependency management

Audits provide assurance that resilience measures are effective and compliant.

Alignment with Risk Appetite

Governance must ensure that:

• Operational resilience aligns with the institution’s risk appetite
• Decisions are supported by risk-based analysis
• Investments in resilience are adequate and justified

This reinforces the integration of resilience into enterprise risk management.

Governance as a Pillar of Operational Resilience

The MAS framework highlights governance as a core pillar of operational resilience, ensuring that:

• Leadership is accountable and engaged
• Risks are owned and managed effectively
• Controls are independently validated
• Continuous improvement is institutionalised

Without strong governance, even well-designed resilience frameworks will fail in execution.

Governance and accountability are central to achieving operational resilience in Singapore’s financial sector.

Under the guidance of the Monetary Authority of Singapore, financial institutions are required to establish clear leadership ownership, structured risk management frameworks, and robust oversight mechanisms.

The active involvement of the Board and Senior Management, supported by the Three Lines of Defence model and clearly defined accountability structures, ensures that operational resilience is embedded across all levels of the organisation.

Ultimately, strong governance transforms operational resilience from a compliance requirement into a strategic capability, enabling financial institutions to anticipate disruptions, respond effectively, and sustain critical services in an increasingly complex environment.

Gain Competency: For organisations looking to accelerate their journey, BCM Institute’s training and certification programs, including the OR-5000 Operational Resilience Expert Implementer course, provide in-depth insights and practical toolkits for effectively embedding this model.