Competent authorities shall assess that an institution uses the AMA for internal purposes by confirming at least the following:

1. (a)

   that the institution's operational risk measurement system is used to manage operational risks across different business lines, units or legal entities within the organisation structure;

2. (b)

   that the operational risk measurement system is embedded within the various entities of the group and, where it is used at a consolidated level, that the parent institution's AMA framework is extended to the subsidiaries, and that those subsidiaries' operational risk and business environment and internal control factors (BEICF) referred to in Articles 322(1) and 322(6) of Regulation (EU) No 575/2013 are incorporated in the group-wide AMA calculations;

3. (c)

   that the operational risk measurement system is used also for the purposes of the institution's internal capital adequacy assessment process referred to in Article 73 of Directive 2013/36/EU.

Competent authorities shall assess that an institution ensures the continuous integration of its operational risk management system into its day-to-day risk management processes by confirming at least the following:

1. (a)

   that the operational risk measurement system is updated on a regular basis and is further developed as more experience and sophistication in management and quantification of operational risk is gained;

2. (b)

   that the nature and balance of inputs into the operational risk measurement system are relevant and reflect the nature of the institution's business, strategy, organisation and operational risk exposure at all times.

Competent authorities shall assess that an institution uses the AMA to support its operational risk management, by confirming at least the following:

1. (a)

   that the operational risk measurement system is effectively used for the regular and prompt reporting of consistent information that accurately reflects the nature of the business and the operational risk profile of the institution;

2. (b)

   that the institution takes remedial actions to improve internal processes upon receipt of information about findings from the operational risk measurement system.

Competent authorities shall assess that an institution uses the AMA to further enhance its operational risk organization and control, by confirming at least the following:

1. (a)

   that the institution's definition of operational risk tolerance and its associated operational risk management objectives and activities are clearly communicated within the institution;

2. (b)

   that the relationship between the institution's business strategy and its operational risk management, including with regard to the approval of new products, systems and processes, is clearly communicated within the institution;

3. (c)

   that the operational risk measurement system increases transparency, risk awareness and operational risk management expertise and creates incentives to improve the management of operational risk throughout the institution;

4. (d)

   that the inputs and the outputs of the operational risk measurement system are used in relevant decisions and plans, including in the institution's action plans, business continuity plans, internal audit working plans, capital assignment decisions, insurance plans and budgeting decisions.

1. (1)

   Competent authorities shall assess that an institution demonstrates the stability and robustness of the AMA output by confirming at least the following:

   1. (a)

      that before granting the permission to use the AMA for regulatory purposes, the institution calculated its own funds requirements for operational risk under both the AMA and the less sophisticated approach previously applicable to it, and that it performed that calculation:

      1. (i)

         on a reasonably regular basis, and at least quarterly;

      2. (ii)

         covering all relevant legal entities that would use the AMA at the date of the initial implementation;

      3. (iii)

         covering all the operational risks that would be covered by the AMA at the date of the initial implementation.

   2. (b)

      that the institution complies with at least the following:

      1. (i)

         the operational risk management process and the operational risk measurement system have been developed and tested;

      2. (ii)

         any problems have been resolved and the system and attendant process have been fine-tuned;

      3. (iii)

         it has ensured that the operational risk measurement system generates results which conform to the institution's expectations, including taking account of information from both the institution's existing and previous systems;

      4. (iv)

         it has demonstrated it can quickly vary model parameters to understand the impact of changed assumptions with minimal systems adjustments or manual interventions;

      5. (v)

         it is able to make appropriate capital adjustments to the own funds requirements before the first "live use" of the AMA;

      6. (vi)

         it has demonstrated over a reasonable period that the new systems and reporting processes are robust and generate management information that the institution can use to identify and manage operational risk.

   For the purposes of point (a), the assessment of the calculation performed shall cover at least two consecutive quarters.

2. (2)

   Competent authorities may grant permission to use the AMA where the institution demonstrates its continuous comparison of the calculation of its own funds requirements for operational risk under the AMA against the less sophisticated approach previously applicable to it, for one year after the permission is granted.