Content Options

Add to favourites

View Options

More Resources:

External link Handbook Publications

CHAPTER 2 QUALITATIVE STANDARDS

SECTION 1 Governance

Article 7 Operational risk management process

  1. (1)

    Competent authorities shall assess the efficacy of an institution's AMA framework for the governance and management of operational risk and that a clear organisational structure with well-defined, transparent and consistent lines of responsibility exists by confirming at least the following:

    1. (a)

      that the institution's management body discusses and approves the governance of operational risk, the operational risk management process and the operational risk measurement system;

    2. (b)

      that the institution's management body clearly defines and determines the following on at least an annual basis:

      1. (i)

        the institution's operational risk tolerance;

      2. (ii)

        the institution's operational risk tolerance written statement on the aggregate level of operational risk loss and event types, containing both qualitative and quantitative measures including thresholds and limits based on operational risk loss metrics that the institution is willing or prepared to incur in order to achieve its strategic objectives and business plan, ensuring that it is available and understood throughout the institution;

    3. (c)

      that the institution's management body monitors the institution's compliance with the operational risk tolerance statement referred to in point (b) (ii) on a continuous basis;

    4. (d)

      that the institution applies an on-going operational risk management process to identify, assess and measure, monitor and report operational risk, including misconduct events, and is able to identify the staff responsible for the management of operational risk process;

    5. (e)

      that the information resulting from the process referred to in point (d) is transmitted to the relevant committees and executive bodies of the institution, and that the decisions arising from those committees are communicated to those responsible within the institution for the collection, control, monitoring and management of operational risk and to those responsible for managing activities that give rise to operational risk;

    6. (f)

      that the institution evaluates the effectiveness of its operational risk governance, operational risk management process and operational risk measurement system on at least an annual basis;

    7. (g)

      that the institution notifies the relevant competent authority of the findings of the evaluation referred to in point (f) on at least an annual basis.

  2. (2)

    For the purposes of the assessment referred to in paragraph 1, competent authorities shall take into account the impact of the operational risk governance structure on the level of engagement in operational risk management and culture by the staff of the institution, including at least the following:

    1. (a)

      the level of awareness, on behalf of the staff of the institution, of operational risk policies and procedures;

    2. (b)

      the institution's internal process for challenging the design and the effectiveness of the AMA framework.

Article 8 Independent operational risk management function

  1. (1)

    Competent authorities shall assess the independence of the operational risk management function from the institution's business units by confirming at least the following:

    1. (a)

      that the operational risk management function undertakes the following tasks separately from the institution's business lines:

      1. (i)

        the design, development, implementation, maintenance and oversight of the operational risk management process and the operational risk measurement system;

      2. (ii)

        the analysis of the operational risk associated with the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products;

      3. (iii)

        the oversight of business activities that may give rise to an operational risk exposure that could breach the institution's risk tolerance;

    2. (b)

      that the operational risk management function receives appropriate commitment by the management body and senior management and is of adequate stature within the organization for fulfilling its tasks;

    3. (c)

      that the operational risk management function is not also responsible for the internal audit function;

    4. (d)

      that the head of the operational risk management function meets at least the following requirements:

      1. (i)

        an appropriate level of experience to manage the actual and prospective operational risk, as indicated by the operational risk profile;

      2. (ii)

        regular communication with the management body and its committees as mandated by the risk management structure of the institution;

      3. (iii)

        active involvement in the elaboration of the institution's operational risk tolerance and strategy for its management and mitigation;

      4. (iv)

        independence from the operational units and functions reviewed by the operational risk management function;

      5. (v)

        allocation of a budget for the operational risk management function by the head of risk management referred to in the fourth subparagraph of Article 76(5) of Directive 2013/36/EU or a member of the management body in a supervisory capacity and not by a business unit or executive function.

Article 9 Senior management involvement

Competent authorities shall assess the degree of involvement of senior management of an institution by confirming at least the following:

  1. (a)

    that senior management is responsible for implementing the operational risk governance and management framework approved by the management body;

  2. (b)

    that senior management has been empowered by the management body to develop policies, processes and procedures for managing operational risk;

  3. (c)

    that senior management is implementing the policies, processes and procedures for managing operational risk referred to in point (b).

Article 10 Reporting

Competent authorities shall assess whether the reporting of an institution's operational risk profile and management of operational risk is sufficiently regular, timely and robust by confirming at least the following:

  1. (a)

    that problems relating to the institution's reporting systems and internal controls are identified quickly and accurately;

  2. (b)

    that the institution's operational risk reports are distributed to appropriate levels of management and to areas of the institution which the reports have identified as an area of concern;

  3. (c)

    that the institution's senior management receives at least quarterly reports on the latest status of the institution's operational risk profile and uses these reports in the decision making process;

  4. (d)

    that the institution's operational risk reports contain relevant management information and at least a high-level summary of the top operational risks of the institution and of the relevant subsidiaries as well as business units;

  5. (e)

    that the institution uses ad hoc reports in case of certain deficiencies in the policies, processes and procedures for managing operational risk to promptly detect and address these deficiencies and therefore substantially reduce the potential frequency and severity of a loss event.’

SECTION 2 Use test

Article 11 Use of the AMA

Competent authorities shall assess that an institution uses the AMA for internal purposes by confirming at least the following:

  1. (a)

    that the institution's operational risk measurement system is used to manage operational risks across different business lines, units or legal entities within the organisation structure;

  2. (b)

    that the operational risk measurement system is embedded within the various entities of the group and, where it is used at a consolidated level, that the parent institution's AMA framework is extended to the subsidiaries, and that those subsidiaries' operational risk and business environment and internal control factors (BEICF) referred to in Articles 322(1) and 322(6) of Regulation (EU) No 575/2013 are incorporated in the group-wide AMA calculations;

  3. (c)

    that the operational risk measurement system is used also for the purposes of the institution's internal capital adequacy assessment process referred to in Article 73 of Directive 2013/36/EU.

Article 12 Continuous integration of the AMA

Competent authorities shall assess that an institution ensures the continuous integration of its operational risk management system into its day-to-day risk management processes by confirming at least the following:

  1. (a)

    that the operational risk measurement system is updated on a regular basis and is further developed as more experience and sophistication in management and quantification of operational risk is gained;

  2. (b)

    that the nature and balance of inputs into the operational risk measurement system are relevant and reflect the nature of the institution's business, strategy, organisation and operational risk exposure at all times.

Article 13 AMA used to support the operational risk management of the institution

Competent authorities shall assess that an institution uses the AMA to support its operational risk management, by confirming at least the following:

  1. (a)

    that the operational risk measurement system is effectively used for the regular and prompt reporting of consistent information that accurately reflects the nature of the business and the operational risk profile of the institution;

  2. (b)

    that the institution takes remedial actions to improve internal processes upon receipt of information about findings from the operational risk measurement system.

Article 14 AMA used to enhance the operational risk organization and control of the institution

Competent authorities shall assess that an institution uses the AMA to further enhance its operational risk organization and control, by confirming at least the following:

  1. (a)

    that the institution's definition of operational risk tolerance and its associated operational risk management objectives and activities are clearly communicated within the institution;

  2. (b)

    that the relationship between the institution's business strategy and its operational risk management, including with regard to the approval of new products, systems and processes, is clearly communicated within the institution;

  3. (c)

    that the operational risk measurement system increases transparency, risk awareness and operational risk management expertise and creates incentives to improve the management of operational risk throughout the institution;

  4. (d)

    that the inputs and the outputs of the operational risk measurement system are used in relevant decisions and plans, including in the institution's action plans, business continuity plans, internal audit working plans, capital assignment decisions, insurance plans and budgeting decisions.

Article 15 Comparison of the AMA with the less sophisticated approaches

  1. (1)

    Competent authorities shall assess that an institution demonstrates the stability and robustness of the AMA output by confirming at least the following:

    1. (a)

      that before granting the permission to use the AMA for regulatory purposes, the institution calculated its own funds requirements for operational risk under both the AMA and the less sophisticated approach previously applicable to it, and that it performed that calculation:

      1. (i)

        on a reasonably regular basis, and at least quarterly;

      2. (ii)

        covering all relevant legal entities that would use the AMA at the date of the initial implementation;

      3. (iii)

        covering all the operational risks that would be covered by the AMA at the date of the initial implementation.

    2. (b)

      that the institution complies with at least the following:

      1. (i)

        the operational risk management process and the operational risk measurement system have been developed and tested;

      2. (ii)

        any problems have been resolved and the system and attendant process have been fine-tuned;

      3. (iii)

        it has ensured that the operational risk measurement system generates results which conform to the institution's expectations, including taking account of information from both the institution's existing and previous systems;

      4. (iv)

        it has demonstrated it can quickly vary model parameters to understand the impact of changed assumptions with minimal systems adjustments or manual interventions;

      5. (v)

        it is able to make appropriate capital adjustments to the own funds requirements before the first "live use" of the AMA;

      6. (vi)

        it has demonstrated over a reasonable period that the new systems and reporting processes are robust and generate management information that the institution can use to identify and manage operational risk.

    For the purposes of point (a), the assessment of the calculation performed shall cover at least two consecutive quarters.

  2. (2)

    Competent authorities may grant permission to use the AMA where the institution demonstrates its continuous comparison of the calculation of its own funds requirements for operational risk under the AMA against the less sophisticated approach previously applicable to it, for one year after the permission is granted.

SECTION 3 Audit and internal validation

Article 16 Audit and internal validation functioning

  1. (1)

    Competent authorities shall assess the degree to which an institution's audit and internal validation functions confirm that the operational risk management and measurement processes implemented for AMA purposes are reliable and effective in managing and measuring operational risk within the organization by verifying at least the following:

    1. (a)

      that the internal validation function provides a reasoned and well-informed opinion on whether the operational risk measurement system works as predicted, and that the outcome of the model is suitable for its various internal and supervisory purposes, at least on annual basis;

    2. (b)

      that the audit function verifies the integrity of the operational risk policies, processes and procedures, assessing whether these comply with regulatory requirements as well with established controls, at least on annual basis and in particular, that the audit function assesses the quality of the sources and data used for operational risk management and measurement purposes;

    3. (c)

      that the functions of audit and internal validation have a review program in place that covers the aspects of the AMA included in this Regulation and is regularly updated with regard to:

      1. (i)

        the development of internal processes for identifying, measuring and assessing, monitoring, controlling and mitigating operational risk;

      2. (ii)

        the implementation of new products, processes and systems which expose the institution to material operational risk.

    4. (d)

      that the internal validation is carried out by qualified resources, which are independent of the validated units;

    5. (e)

      that where audit activities are carried out by internal or external audit functions or qualified external parties, these are independent of the process or system being reviewed and, where these are outsourced, that the management body and senior management of the institution remain accountable for ensuring that outsourced functions are performed in accordance with the institutions' approved audit plan;

    6. (f)

      that the audit and internal validation reviews on the AMA framework are properly documented and their output is distributed to the appropriate recipients within the institutions, including, where appropriate, the risk committees, operational risk management function, business line management and other relevant staff;

    7. (g)

      that the results of the audit and internal validation reviews are summarised and reported on at least an annual basis to the institution's management body or to a committee designated by it for approval;

    8. (h)

      that the review and approval of the effectiveness of the institution's AMA framework is undertaken at least on an annual basis.

Article 17 Audit and internal validation governance

Competent authorities shall assess that an institution's audit and internal validation governance is of a high quality by confirming at least the following:

  1. (a)

    that audit programs for reviewing the AMA framework cover all significant activities that could expose the institution to material operational risk, including outsourced activities;

  2. (b)

    that the internal validation techniques are proportionate to changing market and operating conditions, and that their outcomes are subject to audit review.

SECTION 4 Data quality and IT infrastructure

Article 18 Data quality

  1. (1)

    Competent authorities shall assess the degree to which the quality of the data used by an institution's in the AMA framework is maintained, and that the building and maintenance procedures are regularly analysed by that institution, by verifying that the institution has at least the following sets of data at its disposal:

    1. (a)

      data to build and track its operational risk history, made up of internal and external data, scenario analysis, and BEICF;

    2. (b)

      complementary data, including model parameters, model outputs and reports.

  2. (2)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution has defined appropriate data quality dimensions to provide effective support to its operational risk management process and measurement system, and that it complies on a regular basis with the set dimensions.

  3. (3)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution's data quality dimensions meet at least the following conditions:

    1. (a)

      they are of sufficient breadth, depth, and scope for the task at hand;

    2. (b)

      they meet current and potential user needs;

    3. (c)

      they are updated promptly;

    4. (d)

      they are appropriate for, and consistent with, the extent of their usage;

    5. (e)

      they accurately represent the real-life phenomenon that they aim to represent;

    6. (f)

      they do not violate any business rule in a database that has to be statically and dynamically maintained.

  4. (4)

    For the purposes of paragraph 1, competent authorities shall confirm that the institution has appropriate documentation for the design and maintenance of the databases used in the institution's AMA framework, and that the documentation contains at least the following:

    1. (a)

      a global map of databases involved in the operational risk measurement system with their descriptions;

    2. (b)

      a data policy and a statement of responsibility;

    3. (c)

      descriptions of work-flows and procedures related to data collection and data storage;

    4. (d)

      a statement of weaknesses with all the weaknesses identified in the databases of the validation and review processes and a statement on how the institution plans to correct or reduce the weaknesses identified.

  5. (5)

    Competent authorities shall confirm that the policies on the SDLC for AMA are approved by the institution's management body and senior management.

  6. (6)

    Where the institution uses external data sources, the institution shall ensure that the provisions in this Article are satisfied.

Article 19 Supervisory assessment of IT infrastructure

  1. (1)

    Competent authorities shall assess the degree to which an institution ensures the soundness, robustness and performance of the IT infrastructure used for AMA purposes by confirming at least the following:

    1. (a)

      that the IT systems and infrastructure of the institution for AMA purposes are sound and resilient and that these features can be maintained on a continuous basis;

    2. (b)

      that the SDLC for AMA purposes is sound and proper with reference to:

      1. (i)

        project management, risk management, and governance;

      2. (ii)

        engineering, quality assurance and test planning;

      3. (iii)

        systems' modelling and development;

      4. (iv)

        quality assurance in all activities, including code reviews and where appropriate, code verification;

      5. (v)

        testing, including user acceptance.

    3. (c)

      that the institution's IT infrastructure implemented for AMA purposes is subject to configuration management, change management and release management processes;

    4. (d)

      that SDLC and contingency plans for AMA purposes are approved by the institution's management body or senior management and that the management body and senior management are periodically informed about the IT infrastructure performance for AMA purposes.

  2. (2)

    Where the institution outsources parts of the IT infrastructure maintenance for AMA purposes, the institution shall ensure that the provisions in this Article are satisfied.