On 6 March 2026, the Monetary Authority of Singapore (MAS) issued its consultation paper on the Updated Guidelines on Operational Risk Management (updated ORMG). MAS ORMG Singapore introduces clearer expectations for operational risk management across Regulated Financial Institutions (RFIs)

Although presented as an update to the 2013 guidelines, the proposed revisions reflect a broader recalibration of regulatory expectations. MAS is responding to the way operational risk has evolved within Regulated Financial Institutions (RFIs), particularly with increased reliance on digital infrastructure, third-party service providers, and greater exposure to cyber-related disruptions.

In this context, the updated ORMG introduces a more structured and internationally aligned framework, incorporating key principles from the Basel Committee on Banking Supervision (BCBS). The objective is to ensure that Operational Risk Management (ORM) frameworks remain aligned to the scale and complexity of each RFI.

MAS has proposed a six-month transition period following finalisation of the guidelines. For many RFIs, this is unlikely to be a procedural exercise, particularly where existing frameworks have not kept pace with operational developments.

Key Areas of Focus

The proposed updates do not introduce new concepts but sharpen expectations around how operational risk frameworks operate in practice. For many RFIs, the gap is less in policy design and more in implementation and the ability to demonstrate effectiveness.

1. Risk-Proportionate Implementation  

MAS has reiterated that ORM frameworks should be proportionate to the nature, scale, and complexity of each RFI’s activities.

In practice, this is often where inconsistencies arise. Many firms adopt standardised frameworks that are not sufficiently tailored to their actual risk exposure, particularly where business models have evolved or where there is significant reliance on outsourcing. The updated ORMG is likely to place greater scrutiny on whether controls are appropriately calibrated, rather than whether they exist in form.

2. Enhanced Transparency for Systemically Important Institutions

For domestic systemically important banks and insurers (D-SIBs and D-SIIs), the introduction of disclosure expectations reflects a broader move towards market discipline.

While this may not apply directly to all RFIs, it signals the direction of travel. There is increasing emphasis on transparency around how operational risk is managed, including conduct-related risks. RFIs should expect greater scrutiny not only from regulators, but also from stakeholders, particularly where operational failures have wider impact.

3. Change Management

The explicit focus on change management is notable. Operational risk is often introduced or amplified during periods of change, whether through new products, system implementations, or expansion into new markets.

In many RFIs, change-related risk assessments are performed at the point of approval but are not consistently revisited as the initiative evolves. MAS’ expectations suggest a more structured and continuous approach, with risk assessment extending across the full lifecycle of the activity.

4. Group-Level Oversight

For RFIs operating across multiple entities or jurisdictions, the expectation of consolidated oversight is not new, but it is being reinforced.

This is particularly relevant where there are dependencies on group entities or third-party providers. In practice, RFIs may have limited visibility over how risks are managed outside the immediate entity. The updated ORMG is likely to require a more integrated view, with clearer accountability for risks arising across the RFI’s wider operating structure.

MAS ORMG Singapore: Core Framework Expectations

In practice, MAS ORMG Singapore requires RFIs to reassess governance structures, change management processes, and third-party risk oversight. The updated ORMG also reinforces foundational elements of ORM, with greater emphasis on effectiveness in practice.

1. Governance and Responsibilities

The Board retains ultimate responsibility for the oversight of an RFI’s operational risk, including approval of the risk appetite and tolerance statement and oversight of the ORM framework.

Senior management is responsible for implementation, including establishing and maintaining an independent and sufficiently resourced ORM function. The focus is increasingly on whether governance arrangements are functioning as intended, rather than whether they are formally in place.

2. The Three Lines of Defence

MAS continues to expect a functioning three lines of defence model, comprising:

 

• • Business units responsible for managing risk

• • An independent risk management function providing oversight

• • Internal audit providing assurance

For many RFIs, the challenge lies not in establishing the structure, but in ensuring that roles are clearly defined and that independent challenge is effective in practice.

3. Risk Management Process and Tools

ORM should be supported by structured processes covering risk identification, assessment, treatment, and monitoring.

MAS recognises a range of tools, including risk and control self-assessments (RCSAs), key risk indicators (KRIs), scenario analysis, and operational risk event data. The key consideration is whether these tools provide meaningful insight into the RFI’s risk profile, rather than becoming routine or compliance-driven exercises.

Conclusion

The updated ORMG does not fundamentally change the principles of ORM. Its significance lies in the level of clarity around how those principles are expected to be applied. 

For many RFIs, the priority will be to assess whether existing frameworks remain aligned with their current operating model, particularly in areas such as change management, governance, and oversight of outsourced or group-level activities.

How Curia Regis Can Support

Curia Regis works with MAS-regulated entities across capital markets, fund management, and payment services, supporting the design and implementation of operational risk and compliance frameworks.

In practice, RFIs often require support in translating regulatory expectations into workable frameworks, particularly where implementation goes beyond policy design. We typically support RFIs across the following areas:

 

• • ORM Framework & Documentation: Development and refinement of policies, risk assessments, and operational risk manuals.

• • Corporate Governance Enhancements: Strengthening Board and management oversight structures.

• • Regulatory Monitoring & Gap Analysis: Identifying misalignment with updated ORMG expectations.

• • Risk Proportionate Implementation: Tailoring frameworks to the RFI’s size, complexity, and risk profile.

• • Third Line of Defence (Internal Audit): Independent assessment of ORM framework effectiveness.

Support is generally aimed at ensuring that frameworks are aligned with MAS expectations and are operationally effective in practice.

In the context of the updated ORMG, the focus for many RFIs will be on whether existing frameworks remain fit for purpose and capable of meeting heightened supervisory expectations.

For more information on how we can help your RFI prepare for the updated ORMG, please contact us at admin@thecuriaregis.com.