PROTECTED B WHEN COMPLETED
BASEL II OPERATIONAL RISK Self-Assessment Template for TSA & AMA Institutions
INSTITUTION:
DATE:
A. OPERATIONAL RISK GOVERNANCE Area of Assessment
Reference
#
Criteria
Information Request
Board of Directors
1. Board of Director approvals
2. Regular review of framework by Board of Directors
3. Operational risk strategy
CAR Ch 6 (660) & Ch 7 (664) SP (12)
SP (15)
CAR Ch 6 (660) & Ch 7 (664) SP (13)
1.1 The board of directors are actively involved in the oversight of the operational risk management framework. 1.2 The Board has approved a firm-wide framework to manage operational risk as a distinct risk to the bank's safety and soundness. 1.3 The Board has provided senior management with clear guidance and direction regarding the principles underlying the framework. 1.4 The Board has reviewed policies developed by senior management. 2.1 The Board has reviewed framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. 2.2 The Board has assessed industry best practices in operational risk management, appropriate of the bank's activities, systems and processes. 3.1 The bank has an operational risk management system that is conceptually sound and is implemented with integrity. 3.1 The bank's operational risk framework should be based on an appropriate definition of operational risk that clearly articulates what constitutes operational risk in that bank. 3.2 The bank has established its appetite and tolerance for operational risk, specified through policies for managing this risk and the bank's prioritization of operational risk management activities, including operational risk transferred outside the bank.
3.3 The bank has established policies outlining its approach to identifying, assessing, monitoring and controlling/mitigating the risk.
(a) Frequency of Board review of firm-wide framework to operational risk management. None
None
(a) List operational risk policies developed by senior management and provide approval/review status of each. (a) Identify how the bank assesses external operational risk factors and operational risks associated with new products.
(a) Identify how the Board is educated and kept up to date on Basel II operational risk, including industry best practices in operational risk management and industry issues. None
(a) Provide the enterprise wide definition of operational risk.
(a) Provide details on the bank's risk appetite and operational risk tolerance. (b) Identify how the bank's appetite and tolerance for operational risk is communicated throughout the bank. (c) Describe the bank's management of operational risks transferred outside the bank. (a) List all operational risk policies.
4. Board of Director's establishment of a management structure
Reference
SP (14)
#
Criteria
3.4 The bank has ensured that the level of formality and sophistication of its operational risk management framework is commensurate with its risk profile. 4.1 The Board has established a management structure capable of implementing the firm's operational risk management framework. 4.2 The bank has established separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions. 4.3 The bank has articulated key processes necessary to have in place to manage operational risk.
Information Request None
(a) Provide the bank's organization chart that describes the lines of management responsibility, accountability and reporting for operational risk. None
None
Senior Management
5. Role of senior management
CAR Ch 6 (660) & Ch 7 (664) SP (18)
5.1 Senior management is actively involved in the oversight of the operational risk management framework. 5.2 Senior management has translated the operational risk management framework into specific policies, processes and procedures. 5.3 Senior management has implemented the operational risk management framework consistently across the whole bank. 5.4 Senior management has assigned authority, responsibility and reporting relationships to encourage and maintain accountability.
None
None
None
None
5.5 The bank has ensured the availability of necessary resources to manage operational risk effectively. None 5.6 The bank has assessed the appropriateness of management oversight process in light of risks inherent in a business unit's policy. None 6. Effective communication of risk management
SP (20)
6.1 Senior management has ensured that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market and other risks, as well as those in the firm responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. None
Operational Risk Management Function
7. Operational risk management function
CAR Ch 6 (663a)
CAR Ch 7 (666a)
7.1 The bank has an operational risk management system with clear responsibilities assigned to an operational risk management function. None 7.2 The operational risk management function develops strategies to identify, assess, monitor and control/mitigate operational risk. None 7.3 The operational risk management function codifies firm-level policies and procedures concerning operational risk management and controls. 7.4 The operational risk management function designs and implements the firm's operational risk assessment methodology. 7.5 The operational risk management function designs and implements the risk-reporting system for operational risk. 7.6 AMA banks only: The operational risk management function is independent and responsible for the design and implementation of the bank's operational risk management framework.
None
8.1 The bank has an operational risk management system that is well documented. 8.2 The bank has a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which includes policies for the treatment of non-compliance issues. 8.3 AMA Banks only: The internal operational risk measurement system is closely integrated into the day-to-day risk management processes of the bank. Its output is an integral part of the process of monitoring and controlling the bank's operational risk profile. 8.4 The bank has decided between using appropriate procedures to control/mitigate identified operational risks, or bear the risks.
None
None
None
(a) Explain how the operational risk management function is independent and identify its key responsibilities.
Risk Management - Operational Risk
8. Operational Risk control and mitigation
CAR Ch 6 (663d) & Ch 7 (666d)
CAR Ch 7 (666d)
SP (31)
(a) Describe how the bank ensures compliance with its internal policies, controls and procedures for operational risk.
(a) Identify how and where the operational risk measurement system is integrated into the bank's risk management processes.
(a) Identify how the bank decides on its risk appetite and tolerance.
9. Strong internal control culture SP (32)
10. Staffing
CAR Ch 6 (660) & Ch 7 (664) SP (19)
11. Segregation of duties
SP (33)
12. Other internal practices
SP (34)
13. Operational risk assessments of new business
SP (35)
8.5 For risks that cannot be controlled, the bank has decided how it will approach the operational risks (e.g., accept the risk, reduce the level of business activity or withdraw from the activity completely). 8.6 The bank has a routine for ensuring compliance with documented internal policies concerning operational risk management systems, including verifying compliance with management controls. 9.1 Board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank. 10.1 The bank has sufficient resources in the major business lines to implement the adopted approach to operational risk, including control and audit areas. 10.2 Bank activities are conducted by staff that is qualified with the necessary experience and technical capabilities. 10.3 Staff responsible for monitoring and enforcing compliance have authority independent from the units they oversee.
(a) Describe how the bank manages operational risks that cannot be controlled.
10.4 Clear communication of operational risk management policy to staff at all unit levels incurring material operational risks. 11.1 Effective internal control system requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities that may create a conflict of interest. 11.2 Areas of conflicts of interest are identified and minimized, and are subject to careful independent monitoring and review. 12.1 In addition to segregation of duties, the bank has ensured that other internal practices are in place as appropriate to control operational risk. 13.1 The bank has paid special attention to internal control activities where it engages in new activities, develops new products, enters unfamiliar markets, and/or engages in unfamiliar geographic regions.
(a) Identify how the Bank's operational risk management policy is communicated throughout the bank. None
(a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.
None
None
(a) Provide a description of current resources in both internal audit and risk management functions. (a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.
None
(a) Identify other internal practices in place to control operational risk.
(a) Identify the bank's operational risk assessment process for new business.
14. Operational risk mitigation tools for low frequency/high severity losses
SP (36)
SP (37)
15. Information technology as operational risk mitigation tools
SP (38)
16. Documentation controls and transaction-handling practices
SP (22)
17. Remuneration policies
SP (21)
14.1 Operational risk mitigation tools or programmes are used to reduce the exposure to, or frequency and/or severity of, such events that cannot be controlled. 14.2 Operational risk mitigation tools are complementary to thorough internal operational risk control. 15.1 Investments in appropriate processing technology and information technology security have been utilized. 16.1 The bank has well documented policies, processes and procedures related to advanced technologies supporting high transactions volumes. 17.1 Remuneration policies are consistent with the bank's operational risk appetite.
(a) Identify any risk mitigation tools or programmes used to reduce exposure to high frequency/low severity events.
18.1 The bank's operational risk management processes and assessment system are subject to validation and regular independent review (these reviews include the activities of both the business units and of the operational risk management function). 18.2 There has been adequate internal audit coverage to verify effective implementation of policies and procedures (including activities of business units and operational risk management function). 18.3 There is Board assurance that the scope and frequency of audit programme is appropriate to the risk exposures. 18.4 Audit has performed a periodic validation that the firm's operational risk management framework is being implemented effectively across the firm. 19.1 The internal audit function does not have direct operational risk management responsibilities. [Note: The internal audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.]
(a) Describe the responsibilities of the audit function with respect to operational risk.
None
None
(a) List documented policies, processes and procedures related to advanced technologies supporting high transaction volumes. (a) Identify any remuneration policies.
Internal Audit Function
18. Internal audit coverage
CAR Ch 6 (663e)
SP (16)
19. Independence of Internal Audit
SP (17)
(a) Describe the audit plan, scope and work completed with respect to operational risk management.
None
None
(a) Describe how the internal audit function maintains its independence from operational risk management.
Operational Risk Reporting
20. Regular and effective monitoring of operational risk profile
CAR Ch 6 (663c) & Ch 7 (666c)
SP (26)
SP (27)
21. Frequency of monitoring
22. Reporting to senior management
SP (28)
SP (29)
20.1 The bank has regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. 20.2 The bank has procedures for taking appropriate action according to the information within the management reports.
(a) Identify operational risk reporting activities directed at senior management and the board of directors and indicate the frequency.
20.3 There are practices in place for prompt detection and management of deficiencies in policies, processes and procedures for managing operational risk. 20.4 The bank has established policies for identification of appropriate indicators that provide early warning of an increased risk of future losses. 21.1 Frequency of monitoring reflects operational risks involved and frequency and nature of changes in the operating environment.
(a) Describe monitoring process of policies, processes and procedures.
21.2 Reports are included in regular management and Board reports. 22.1 Senior management has received regular reports from appropriate areas such as business units, group functions, the operational risk management office and internal audit. 22.2 Operational risk reports contain internal financial, operational, and compliance data, and other information relevant to decision making. 22.3 Reports reflect identified problem areas and motivate timely corrective action on outstanding issues.
None
(a) Describe how the bank uses the information within operational risk management reports.
(a) Identify early warning indicators used for operational risk in reporting activities.
None
(a) Provide a list of regular reports from business units, group functions, operational risk management office and internal audit reviewed by senior management and indicate the reporting frequency. None
(a) Describe how reports are used to ensure that problem areas receive appropriate corrective action.
Assessment Rating
PROTECTED B WHEN COMPLETED
Rating Rationale
B. GROSS INCOME MAPPING Area of Assessment 1. Gross income mapping policies and documentation
Reference CAR Ch 6 (662) Ch 7 (662)
# 1.1
Criteria
1.2 Criteria must be reviewed and adjusted for new or changing business activities as appropriate. 2.1 All activities are mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.
2. Principles of business line mapping
CAR Ch 6 Annex 6(a) Ch 7 Annex 6(a)
CAR Ch 6 Annex 6(b) Ch 7 Annex 6(b)
CAR Ch 6 Annex 6(c) Ch 7 Annex 6(c)
CAR
Ch 6 Annex 6(d) Ch 7 Annex 6(d)
CAR Ch 6 Annex 6(e) Ch 7 Annex 6(e)
CAR Ch 6 Annex 6(f) Ch 7 Annex 6(f)
2.2 Any banking/non-banking activity that cannot be readily mapped into the business line framework, but which represents an ancillary function to an activity included in the framework, are allocated to the business line it supports. 2.3 If more than one business line is supported through the ancillary activity, an objective mapping criteria is used. 2.4 If an activity cannot be mapped into a particular business line then the business line yielding the highest charge is used. The same business line equally applies to any associated ancillary activity. 2.5 Internal pricing methods are used to allocate gross income between business lines provided that total gross income for the bank still equals the sum of gross income for the eight business lines. 2.6 Mapping activities into business lines for operational risk capital purposes are consistent with the definitions of business lines used for regulatory capital calculations in other risk categories. Any deviations must be clearly motivated and documented. 2.7
Information Request
Specific policies and documentation of criteria have been developed for mapping gross income for current business lines and activities into the standardised framework. (a) Provide all policies and documentation of criteria developed for mapping gross income.
The mapping process is clearly documented. More specifically, business line definitions are sufficiently documented to allow for business line mapping replication.
None
(a) Identify if all activities have been mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner. (b) Identify any existing gaps and the action plans to close them. None
(a) If appropriate, describe the objective mapping criteria being used. (a) Identify any activities that could not be mapped into a particular business line and provide the charge used.
(a) Discuss the pricing methods used to allocate gross income.
(a) Identify any activities that are inconsistent with Basel business line definitions. (b) Identify motivations for any existing deviations.
(a) Identify documentation for mapping process and assess its allowance for business line mapping replication.
Assessment Rating
B. GROSS INCOME MAPPING Area of Assessment
Reference
# 2.8
CAR Ch 6 Annex 6(g) Ch 7 Annex 6(g)
CAR Ch 6 Annex 6(h) Ch 7 Annex 6(h)
CAR Ch 6 Annex 6(i) Ch 7 Annex 6(i)
2.9
Criteria Documentation clearly motivate any exceptions or overrides and be kept on record. Processes are in place to define the mapping of any new activities or products.
2.10 Senior management is responsible for the mapping policy.
2.11 The mapping process to business lines is subject to independent review.
Information Request (a) Identify how documentation addresses exceptions and overrides. (a) Identify processes in place to define the mapping of any new activities or products. (a) Identify who is responsible for the mapping policy. (b) Identify the format in which the mapping policy has been presented and approved by the Board (a) Identify if the mapping process has been subject to independent review (and by whom). If independent review has not taken place, identify future plans to do so.
Assessment Rating
C. LOSS DATA COLLECTION Area of Assessment
Reference
1. Bank's internal operational risk CAR assessment system using Ch 6 (663b) operational loss data
#
Criteria
1.1 The bank has a systematic tracking of relevant operational risk data including material losses by business line.
1.2 There is close integration of the operational risk assessment system into the risk management process of the bank. 1.3 Output is an integral part of the process of monitoring and controlling the bank's operational risk profile. 1.4 Operational risk data (including loss data) has a role in risk reporting, management reporting, and risk analysis. 1.5 There are techniques for creating incentives to improve the management of operational risk throughout the firm.
Information Request (a) Provide details on the operational loss data collection process (centralized vs. decentralized). (b) List the source systems used and provide detail on how they are used in the loss collection process. (c) Identify the function responsible for the data collection. (d) List the criteria for collection of operational losses. (e) Identify the status of data collection on an enterprise wide level. (f) Provide the historical length of operational loss data. (g) Identify how the bank ensures that data is collected in a complete and consistent manner. (h) Identify whether operational losses are mapped to Basel II lines of business and event types. (i) List the data fields populated in the collection of loss data. (j) Describe how the bank distinguishes credit and market risk losses that are a result of operational events. (k) Provide details on how the bank collects multiple operational losses resulting from one event. (l) List all policies & procedure documents relating to loss data collection. (a) Explain how the bank uses the operational risk assessment system in its risk management process. (a) Describe how the bank uses operational risk data (including loss data) to monitor the bank's operational risk profile. (a) List all reports using operational risk data (including loss data), identifying how the reports are distributed. (a) Identify any techniques the bank uses for creating incentives to improve the management of operational risk throughout the firm.
Assessment Rating
C. LOSS DATA COLLECTION Area of Assessment 2. Regular reporting of operational risk exposures
Reference CAR Ch 6 (663c)
#
Criteria
2.1 There is regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. 2.2 There are procedures for taking appropriate action according to the information within the management reports.
Information Request (a) List all reports that include operational risk exposures (including material losses), identifying frequency, owners of report and audience of the report. (a) Describe how the operational risk exposure reports are used to respond to operational risk and the management of the risk.
Assessment Rating
D. RISK AND CONTROL SELF-ASSESSMENT / KEY RISK INDICATORS Area of Assessment 1. Risk identification
Reference SP (23)
2. Assessment of identified risks SP (24)
3. Tools for assessment of operational risk
SP (25)
#
Criteria
1.1 The bank has an effective risk identification process of both internal and external factors that could adversely affect the achievement of the bank's objectives. 2.1 The bank assesses the vulnerability of potentially adverse risks to better understand risk profile and target risk management resources. 3.1 Self- or risk assessment - The bank completes an internal assessment of its operations and activities against a menu of potential operational risk vulnerabilities.
3.2 Self- or risk assessment - This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. 3.3 Risk mapping - The bank has mapped various business units, organizational functions or process flows by risk types.
3.4 Risk indicators - The bank uses statistics and/or metrics to provide a bank's risk position.
3.4 Measurement - The bank has established practises for quantification of exposure to operational risk using a variety of approaches. 4. Reporting
n/a
4.1 Operational risk results from risk assessment tools are reported and used in the management of operational risk.
Information Request (a) Describe the bank's processes for identification of both internal and external risk factors. None
(a) Identify if the bank is using a Risk Control Self-Assessment process. (b) Describe the process and state if it is an enterprise wide process. (c) Describe how RCSA results are used in risk identification as well as mitigation. (d) Describe the effectiveness of the risk control self-assessment process. (a) Describe how the process identifies the strengths and weaknesses of the operational risk environment.
(a) Identify if the bank is risk mapping business units, organizational functions or process flow by risk types. (b) Describe this risk mapping process. (c) Describe how risk mapping is used for risk identification and mitigation. (a) Identify if the bank is using key risk indicators to assess operational risk. (b) Provide list of key risk indicators used by the bank. (c) Describe how the key risk indicators were developed. (d) Identify how key risk indicators are used. (e) Describe how key risk indicators reported to senior management and the board are used. (a) Identify if the bank has established practices for quantification of operational risk exposure. (b) Describe the quantification approaches used. (a) List all reports of risk assessment tools and indicate how they are used.
Assessment Rating
4.2 There is appropriate reporting of results from risk assessments tools to the Board, senior management and business units.
Information Request None
Assessment Rating
E. OUTSOURCING, DISASTER RECOVERY PLAN AND BUSINESS CONTINUITY PLAN Area of Assessment 1. Outsourcing activities
Reference SP (39)
SP (40)
#
Criteria
Information Request
1.1 The bank has established policies for managing the risks associated with outsourcing activities. 1.2 The board of directors and senior management have ensured that third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. 1.3 Outsourcing arrangements have been based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing banks.
(a) Identify all outsourcing policies.
1.4 The bank is managing residual risks associated with outsourcing arrangements, including disruption of services.
(a) Describe the bank's process for determining the materiality of outsourcing arrangements.
1.5 The Board and management have ensured that the expectations and obligations of each party are clearly defined, understood and enforceable. 1.6 The bank carries out an initial due diligence test and monitors third-party activities on a regular basis.
None
(a) Describe the Board and senior management oversight of third-party activity.
None
(a) Describe the initial due diligence test and indicate how third-party activities are regularly monitored. (b) Describe the bank's program for managing and monitoring risks of the outsourcing arrangements. None
1.7 For critical activities, the bank has considered contingency plans, including availability of alternative external parties and costs and resources required to switch external parties. None 2.1 The bank's decision to retain or self-insure the risk is transparent within the organization and consistent with the bank's overall business strategy and risk appetite. 2. Self-insure or retain operational risk
SP (41)
None 3.1 The bank is required to establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.
Assessment Rating
E. OUTSOURCING, DISASTER RECOVERY PLAN AND BUSINESS CONTINUITY PLAN Area of Assessment
4. Disaster recovery and business continuity plans
Reference
#
Criteria
Information Request
SP (42)
3.2 The bank has identified critical business processes, including dependence on external vendors or third parties, for which rapid resumption of service would be most essential.
SP (43)
3.3 The bank has identified alternative mechanisms for resuming service in the event of an outage. None 3.4 The off-site facilities where back-ups of records are stored are an adequate distance away from the impacted operations. (a) Identify the location of off-site facilities. 3.5 There is a periodic review of DRP/BCP to ensure consistency with the bank's current operations and business strategies.
SP (44)
Assessment Rating
(a) Describe the bank's process for identifying critical business processes.
(a) Describe the bank's process for reviewing DRP/BCP.
3.6 Plans are tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption. (a) Identify the frequency for testing plans.
Note: In addition to the BIS Sound Practices, institutions are required to comply with the "OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes"
F. Advanced Measurement Approach Methodology Area of Assessment
1. AMA Model
Reference CAR Ch 7 (667a)
CAR Ch 7 (669b)
CAR Ch 7 (669c)
2. Correlation
3. Four fundamental elements: - Internal data - External data - Scenario analysis - Business environment and internal controls
CAR Ch 7 (669d)
CAR Ch 7 (669e)
CAR Ch 7 (669f)
#
Criteria
Information Request
1.1 The bank's AMA model captures potentially severe tail loss estimates. 1.2 The bank's AMA model is comparable to a one year holding period and a 99.9 percentile confidence interval. 1.3 The bank is calculating the operational risk regulatory capital requirement as the sum of expected loss and unexpected loss.
(a) Provide a description of assumptions and inputs used to construct the model. None
1.4 The bank is adequately capturing EL in its internal business practices.
(a) Provide the bank's documentation on how operational risk EL is measured and accounted for.
1.5 The bank's AMA model captures the major drivers of the operational risk affecting the shape of the tail loss estimates. 2.1 Internally determined correlations are used in operational risk modelling. The bank can demonstrate that its systems for determining correlations are sound and implemented with integrity and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress).
None
2.2 The bank validates its correlation assumptions using appropriate quantitative and qualitative techniques. 3.1 Key elements of the bank's operational risk measurement system include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control system. 3.2 Weighting of the 4 fundamental elements is credible, transparent, well-documented and verifiable approach. 3.3 The approach for weighting the 4 fundamental elements is internally consistent. 3.4 Double counting of qualitative assessments or risk mitigants already recognised in other elements of the framework is avoided in the approach for weighting the 4 fundamental elements.
(a) Identify how the bank is validating its correlation assumptions.
None
(a) Provide details on how correlation is integrated into the model and the rationale for its use in calculating the capital requirement. (b) For internally determined correlations, identify the assumptions used and discuss the methods used for estimating correlation.
(a) Provide a brief summary of how these 4 elements are used in the operational risk measurement system.
(a) Provide documentation and rationale for the approach taken in weighting of each fundamental element.
None
None
Assessment Rating
F. Advanced Measurement Approach Methodology Area of Assessment
4. Internal Data
Reference CAR Ch 7 (671)
CAR Ch 7 (672)
CAR Ch 7 (673)
5. External Data
CAR Ch 7 (674)
6. Scenario Analysis
CAR Ch 7 (675)
7. Business Environment and Internal Control Factors
CAR Ch 7 (676)
#
Criteria
4.1 The bank has documented procedures for assessing the historical internal loss data for its relevance and use in the operational risk measurement system.
4.2 The bank is using at least 3 years of historical internal loss data if internal loss data is being used to either build or validate the operational risk measurement system.
4.3 The bank has documented its criteria for mapping historical internal loss data to Basel business lines and event types.
4.4 The internal loss data is comprehensive and captures appropriate sub-systems and geographic locations.
4.5 The bank has an appropriate gross loss threshold for internal loss data collection.
4.6 The bank has specific criteria for allocating operational losses that span across business lines or occur in a centralized function.
4.7 All material operational losses related to the definition of operational risk are identified in the loss data collection.
5.1 The bank's system uses relevant external loss data in its operational risk measurement system.
5.2 The bank has a systematic process for determining how and when external loss data is used in its operational risk measurement system.
5.3 The conditions and practices for using external loss data are regularly reviewed, documented and subject to periodic independent review.
6.1 The bank uses scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
7.1 Factors used in the operational risk measurement system are meaningful risk drivers and were chosen based on experience and expert judgement.
7.2 The framework and each instance of its application must be documented and
Information Request
(a) Provide the documented procedures.
None
(a) Provide the documented criteria.
(a) Provide rationale for excluding loss activities and exposures, if any, from the loss collection process.
None
(a) Provide the specific criteria.
(a) Identify the bank's approach to collecting operational losses related to credit and market risk.
(a) Identify the sources of external loss data used in the bank's operational risk measurement system.
None
(a) Provide the documentation discussing the conditions and practices for using external loss data.
(a) Describe how scenario analysis is used in the operational risk measurement system.
(a) Identify the rationale used for choosing business environment and internal control factors and provide a brief description of how they are used.
(b) Indicate if factors are translatable into quantitative measures.
None
Assessment Rating
F. Advanced Measurement Approach Methodology Area of Assessment
8. Risk Mitigation
Reference CAR Ch 7 (677)
CAR Ch 7 (678)
9. Allocation Methodology
CAR Ch 7 (656)
10. Partial Use
CAR Ch 7 (680)
#
Criteria
Information Request
8.1 The recognition of insurance mitigation is less than 20% of the total operational risk regulatory capital charge.
8.2 The insurance provider has a minimum claims paying ability rating of A.
8.3 The insurance policy has an initial term of no less than one year.
8.4 The insurance policy has a minimum notice period for cancellation of 90 days.
8.5 The insurance policy has no exclusions or limitations triggered by supervisory actions.
(a) Provide the documented framework developed for mitigating operational risk through the use of insurance.
None
8.6 The risk mitigation calculations reflect the insurance coverage.
8.7 The insurance is provided by a third-party entity.
8.8 The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
9.1 The bank intends, with supervisory approval, to use an allocation mechanism for the purpose of determining the operational risk capital requirement for its subsidiaries.
None
None
None
None
None
(a) Indicate how the bank plans to disclose information about the use of insurance.
(a) For banks applying the stand-alone approach, indicate if it is applying a capital allocation methodology for its subsidiaries and provide details on the allocation methodology used.
(b) For subsidiaries using the allocated capital approach, provide a description of the methodology used for capital allocation and the rationale for applying an allocation approach versus a stand-alone approach.
10.1 All operational risks of the bank's global, consolidated operations are captured.
None
AMA qualitative criteria are met for areas of the bank covered by the AMA, and those parts of the operations covered by one of the simpler approaches meet the qualifying criteria for that approach.
None
On the date of implementation of an AMA, a significant part of the bank's operational risks are captured by the AMA.
None
Assessment Rating
PROTECTED B WHEN COMPLETED
Rating Rationale