Article 10 Reporting

Competent authorities shall assess whether the reporting of an institution's operational risk profile and management of operational risk is sufficiently regular, timely and robust by confirming at least the following:

  1. (a)

    that problems relating to the institution's reporting systems and internal controls are identified quickly and accurately;

  2. (b)

    that the institution's operational risk reports are distributed to appropriate levels of management and to areas of the institution which the reports have identified as an area of concern;

  3. (c)

    that the institution's senior management receives at least quarterly reports on the latest status of the institution's operational risk profile and uses these reports in the decision making process;

  4. (d)

    that the institution's operational risk reports contain relevant management information and at least a high-level summary of the top operational risks of the institution and of the relevant subsidiaries as well as business units;

  5. (e)

    that the institution uses ad hoc reports in case of certain deficiencies in the policies, processes and procedures for managing operational risk to promptly detect and address these deficiencies and therefore substantially reduce the potential frequency and severity of a loss event.’