Status: Please note you should read all Brexit changes to the FCA Handbook and BTS alongside the main FCA transitional directions. Where these directions apply the 'standstill', firms have the choice between complying with the pre-IP completion day rules, or the post-IP completion day rules. To see a full list of Handbook modules affected, please see Annex B to the main FCA transitional directions.

Article 8 Independent operational risk management function

  1. (1)

    Competent authorities shall assess the independence of the operational risk management function from the institution's business units by confirming at least the following:

    1. (a)

      that the operational risk management function undertakes the following tasks separately from the institution's business lines:

      1. (i)

        the design, development, implementation, maintenance and oversight of the operational risk management process and the operational risk measurement system;

      2. (ii)

        the analysis of the operational risk associated with the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products;

      3. (iii)

        the oversight of business activities that may give rise to an operational risk exposure that could breach the institution's risk tolerance;

    2. (b)

      that the operational risk management function receives appropriate commitment by the management body and senior management and is of adequate stature within the organization for fulfilling its tasks;

    3. (c)

      that the operational risk management function is not also responsible for the internal audit function;

    4. (d)

      that the head of the operational risk management function meets at least the following requirements:

      1. (i)

        an appropriate level of experience to manage the actual and prospective operational risk, as indicated by the operational risk profile;

      2. (ii)

        regular communication with the management body and its committees as mandated by the risk management structure of the institution;

      3. (iii)

        active involvement in the elaboration of the institution's operational risk tolerance and strategy for its management and mitigation;

      4. (iv)

        independence from the operational units and functions reviewed by the operational risk management function;

      5. (v)

        allocation of a budget for the operational risk management function by the head of risk management referred to in the fourth subparagraph of Article 76(5) of Directive 2013/36/EU or a member of the management body in a supervisory capacity and not by a business unit or executive function.