(a) Self- or Risk Assessment: a licensee assesses its operations and activities against a menu of potential operational risk vulnerabilities. This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. Scorecards, for example, provide a means of translating qualitative assessments into quantitative metrics that give a relative ranking of different types of operational risk exposures. Some scores may relate to risks unique to a specific business line while others may rank risks that cut across business lines. Scores may address inherent risks, as well as the controls to mitigate them;

(b) Risk Mapping: in this process, various business units, organisational functions or process flows are mapped by risk type. This exercise can reveal areas of weakness and help prioritise subsequent management action;

(c) Risk Indicators: risk indicators are statistics and/or metrics, often financial, which can provide insight into a licensee's risk position. These indicators tend to be reviewed on a periodic basis (such as monthly or quarterly) to alert licensees to changes that may be indicative of risk concerns. Such indicators may include the number of failed trades, staff turnover rates and the frequency and/or severity of errors and omissions; and

(d) Measurement: some licensees have begun to quantify their exposure to operational risk using a variety of approaches. For example, data on a licensee's historical loss experience could provide meaningful information for assessing the licensee's exposure to operational risk and developing a policy to mitigate/control the risk. An effective way of making good use of this information is to establish a framework for systematically tracking and recording the frequency, severity and other relevant information on individual loss events. Some licensees have also combined internal loss data with external loss data, scenario analyses, and risk assessment factors.