OM-8.3.4

Past version: Effective from 01 Apr 2008 to 30 Sep 2012

A bank using the standardised approach must meet the following additional criteria:

(a) The bank must have an operational risk management system with clear responsibilities assigned to an operational risk management function. The operational risk management function is responsible for developing strategies to identify, assess, monitor and control/mitigate operational risk; for codifying bank-level policies and procedures concerning operational risk management and controls; for the design and implementation of the bank’s operational risk assessment methodology; and for the design and implementation of a risk-reporting system for operational risk.
(b) As part of the bank’s internal operational risk assessment system, the bank must systematically track relevant operational risk data including material losses by business line. Its operational risk assessment system must be closely integrated into the risk management processes of the bank. Its output must be an integral part of the process of monitoring and controlling the bank’s operational risk profile. For instance, this information must play a prominent role in risk reporting, management reporting, and risk analysis. The bank must have techniques for creating incentives to improve the management of operational risk throughout the bank.
(c) There must be regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. The bank must have procedures for taking appropriate action according to the information within the management reports.
(d) The bank’s operational risk management system must be well documented. The bank must have a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which must include policies for the treatment of noncompliance issues.
(e) The bank’s operational risk management processes and assessment system must be subject to validation and regular independent review. These reviews must include both the activities of the business units and of the operational risk management function.
(f) The bank’s operational risk assessment system (including the internal validation processes) must be subject to regular review by external auditors and/or the CBB.
Added: April 08