Article 8 Independent operational risk management function

  (1) Competent authorities shall assess the independence of the operational risk management function from the institution's business units by confirming at least the following:

    (a) that the operational risk management function undertakes the following tasks separately from the institution's business lines:

      (i) the design, development, implementation, maintenance and oversight of the operational risk management process and the operational risk measurement system;

      (ii) the analysis of the operational risk associated with the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products;

      (iii) the oversight of business activities that may give rise to an operational risk exposure that could breach the institution's risk tolerance;

    (b) that the operational risk management function receives appropriate commitment by the management body and senior management and is of adequate stature within the organization for fulfilling its tasks;

    (c) that the operational risk management function is not also responsible for the internal audit function;

    (d) that the head of the operational risk management function meets at least the following requirements:

      (i) an appropriate level of experience to manage the actual and prospective operational risk, as indicated by the operational risk profile;

      (ii) regular communication with the management body and its committees as mandated by the risk management structure of the institution;

      (iii) active involvement in the elaboration of the institution's operational risk tolerance and strategy for its management and mitigation;

      (iv) independence from the operational units and functions reviewed by the operational risk management function;

      (v) allocation of a budget for the operational risk management function by the head of risk management referred to in the fourth subparagraph of Article 76(5) of Directive 2013/36/EU or a member of the management body in a supervisory capacity and not by a business unit or executive function.