Status: Please note you should read all Brexit changes to the FCA Handbook and BTS alongside the main FCA transitional directions. Where these directions apply the 'standstill', firms have the choice between complying with the pre-IP completion day rules, or the post-IP completion day rules. To see a full list of Handbook modules affected, please see Annex B to the main FCA transitional directions.

CHAPTER 2 QUALITATIVE STANDARDS

SECTION 1 Governance

Article 7 Operational risk management process

  1. (1)

    Competent authorities shall assess the efficacy of an institution's AMA framework for the governance and management of operational risk and that a clear organisational structure with well-defined, transparent and consistent lines of responsibility exists by confirming at least the following:

    1. (a)

      that the institution's management body discusses and approves the governance of operational risk, the operational risk management process and the operational risk measurement system;

    2. (b)

      that the institution's management body clearly defines and determines the following on at least an annual basis:

      1. (i)

        the institution's operational risk tolerance;

      2. (ii)

        the institution's operational risk tolerance written statement on the aggregate level of operational risk loss and event types, containing both qualitative and quantitative measures including thresholds and limits based on operational risk loss metrics that the institution is willing or prepared to incur in order to achieve its strategic objectives and business plan, ensuring that it is available and understood throughout the institution;

    3. (c)

      that the institution's management body monitors the institution's compliance with the operational risk tolerance statement referred to in point (b) (ii) on a continuous basis;

    4. (d)

      that the institution applies an on-going operational risk management process to identify, assess and measure, monitor and report operational risk, including misconduct events, and is able to identify the staff responsible for the management of operational risk process;

    5. (e)

      that the information resulting from the process referred to in point (d) is transmitted to the relevant committees and executive bodies of the institution, and that the decisions arising from those committees are communicated to those responsible within the institution for the collection, control, monitoring and management of operational risk and to those responsible for managing activities that give rise to operational risk;

    6. (f)

      that the institution evaluates the effectiveness of its operational risk governance, operational risk management process and operational risk measurement system on at least an annual basis;

    7. (g)

      that the institution notifies the relevant competent authority of the findings of the evaluation referred to in point (f) on at least an annual basis.

  2. (2)

    For the purposes of the assessment referred to in paragraph 1, competent authorities shall take into account the impact of the operational risk governance structure on the level of engagement in operational risk management and culture by the staff of the institution, including at least the following:

    1. (a)

      the level of awareness, on behalf of the staff of the institution, of operational risk policies and procedures;

    2. (b)

      the institution's internal process for challenging the design and the effectiveness of the AMA framework.