Content Options:

Content Options

CHAPTER 2 QUALITATIVE STANDARDS

SECTION 1 Governance

Article 7 Operational risk management process

  1. (1)

    Competent authorities shall assess the efficacy of an institution's AMA framework for the governance and management of operational risk and that a clear organisational structure with well-defined, transparent and consistent lines of responsibility exists by confirming at least the following:

    1. (a)

      that the institution's management body discusses and approves the governance of operational risk, the operational risk management process and the operational risk measurement system;

    2. (b)

      that the institution's management body clearly defines and determines the following on at least an annual basis:

      1. (i)

        the institution's operational risk tolerance;

      2. (ii)

        the institution's operational risk tolerance written statement on the aggregate level of operational risk loss and event types, containing both qualitative and quantitative measures including thresholds and limits based on operational risk loss metrics that the institution is willing or prepared to incur in order to achieve its strategic objectives and business plan, ensuring that it is available and understood throughout the institution;

    3. (c)

      that the institution's management body monitors the institution's compliance with the operational risk tolerance statement referred to in point (b) (ii) on a continuous basis;

    4. (d)

      that the institution applies an on-going operational risk management process to identify, assess and measure, monitor and report operational risk, including misconduct events, and is able to identify the staff responsible for the management of operational risk process;

    5. (e)

      that the information resulting from the process referred to in point (d) is transmitted to the relevant committees and executive bodies of the institution, and that the decisions arising from those committees are communicated to those responsible within the institution for the collection, control, monitoring and management of operational risk and to those responsible for managing activities that give rise to operational risk;

    6. (f)

      that the institution evaluates the effectiveness of its operational risk governance, operational risk management process and operational risk measurement system on at least an annual basis;

    7. (g)

      that the institution notifies the relevant competent authority of the findings of the evaluation referred to in point (f) on at least an annual basis.

  2. (2)

    For the purposes of the assessment referred to in paragraph 1, competent authorities shall take into account the impact of the operational risk governance structure on the level of engagement in operational risk management and culture by the staff of the institution, including at least the following:

    1. (a)

      the level of awareness, on behalf of the staff of the institution, of operational risk policies and procedures;

    2. (b)

      the institution's internal process for challenging the design and the effectiveness of the AMA framework.

Article 8 Independent operational risk management function

  1. (1)

    Competent authorities shall assess the independence of the operational risk management function from the institution's business units by confirming at least the following:

    1. (a)

      that the operational risk management function undertakes the following tasks separately from the institution's business lines:

      1. (i)

        the design, development, implementation, maintenance and oversight of the operational risk management process and the operational risk measurement system;

      2. (ii)

        the analysis of the operational risk associated with the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products;

      3. (iii)

        the oversight of business activities that may give rise to an operational risk exposure that could breach the institution's risk tolerance;

    2. (b)

      that the operational risk management function receives appropriate commitment by the management body and senior management and is of adequate stature within the organization for fulfilling its tasks;

    3. (c)

      that the operational risk management function is not also responsible for the internal audit function;

    4. (d)

      that the head of the operational risk management function meets at least the following requirements:

      1. (i)

        an appropriate level of experience to manage the actual and prospective operational risk, as indicated by the operational risk profile;

      2. (ii)

        regular communication with the management body and its committees as mandated by the risk management structure of the institution;

      3. (iii)

        active involvement in the elaboration of the institution's operational risk tolerance and strategy for its management and mitigation;

      4. (iv)

        independence from the operational units and functions reviewed by the operational risk management function;

      5. (v)

        allocation of a budget for the operational risk management function by the head of risk management referred to in the fourth subparagraph of Article 76(5) of Directive 2013/36/EU or a member of the management body in a supervisory capacity and not by a business unit or executive function.

Article 9 Senior management involvement

Competent authorities shall assess the degree of involvement of senior management of an institution by confirming at least the following:

  1. (a)

    that senior management is responsible for implementing the operational risk governance and management framework approved by the management body;

  2. (b)

    that senior management has been empowered by the management body to develop policies, processes and procedures for managing operational risk;

  3. (c)

    that senior management is implementing the policies, processes and procedures for managing operational risk referred to in point (b).

Article 10 Reporting

Competent authorities shall assess whether the reporting of an institution's operational risk profile and management of operational risk is sufficiently regular, timely and robust by confirming at least the following:

  1. (a)

    that problems relating to the institution's reporting systems and internal controls are identified quickly and accurately;

  2. (b)

    that the institution's operational risk reports are distributed to appropriate levels of management and to areas of the institution which the reports have identified as an area of concern;

  3. (c)

    that the institution's senior management receives at least quarterly reports on the latest status of the institution's operational risk profile and uses these reports in the decision making process;

  4. (d)

    that the institution's operational risk reports contain relevant management information and at least a high-level summary of the top operational risks of the institution and of the relevant subsidiaries as well as business units;

  5. (e)

    that the institution uses ad hoc reports in case of certain deficiencies in the policies, processes and procedures for managing operational risk to promptly detect and address these deficiencies and therefore substantially reduce the potential frequency and severity of a loss event.’