OM-1.1.10
At minimum, the ORMF documentation must:
(a) Identify the governance structures used to manage operational risk, including roles, responsibilities, reporting lines and accountabilities;
(b) Identify policy for approval of policies by the Board;
(c) Describe the risk assessment processes and tools and how they are used;
(d) Describe the bank's accepted operational risk appetite and tolerance (see Paragraphs OM-1.2.2 to OM-1.2.4), and the approach to setting thresholds or limits for inherent and residual risk, and approved risk mitigation strategies;
(e) Establish risk reporting and Management Information Systems ('MIS');
(f) Provide a common taxonomy of operational risk terms to ensure consistency of risk identification, exposure rating and risk management objectives; and
(g) Provide for appropriate independent review and assessment of operational risk.
Added: January 2020