
BASEL II OPERATIONAL RISK

Self-Assessment Template for Financial Institutions

INSTITUTION:
DATE:

The Basel II Operational Risk Self-Assessment Template for Financial Institutions Document map
1. SP: Basel Committee on Banking Supervision. Principles for the Sound Management of Operational Risk. June 2011.
2. SG: Basel Committee on Banking Supervision. Operational Risk - Supervisory Guidelines for Advanced Measurement Approaches. June 2011.
3. CAR: Office of the Superintendent of Financial Institutions Canada. Guideline. Capital Adequacy Requirements. January 2012.
4. CG I-Note: Office of the Superintendent of Financial Institutions Canada. Implementation Note. Corporate Governance at TSA & AMA Institutions. May 2006.
5. DM I-Note: Office of the Superintendent of Financial Institutions Canada. Implementation Note. Data Maintenance at TSA & AMA Institutions. May 2006.
6. RCap I-Note: Office of the Superintendent of Financial Institutions Canada. Implementation Note. Approval of Regulatory Capital models for Deposit-Taking Institutions. December 2009.
7. SSG: Senior Supervisors Group. Observations on Developments in Risk Appetite Frameworks and IT Infrastructure. December 2010.

Column Heading: Compliance Rating
Definition: Compliance rating refers to the Federally Regulated Financial Institution's (FRFI's) compliance with OSFI criteria.
Drop Down Options: N/A; Full Compliance; Substantial Compliance; Partial Compliance; Non-Compliance

Column Heading: Target Compliance Date
Definition: Expected date to achieve full compliance status or date full compliance was attained

Column Heading: Internal Audit (Audit Status)
Definition: Internal Audit (Audit Status) refers to the independent audit assessment of the FRFI's responses to OSFI criteria.
Drop Down Options: N/A; Audit Work Completed; Audit Work in Progress; No Audit Work Planned

Column Heading: Validation
Definition: The validation responses reflect the status of work done by the institution's independent validation function to establish whether the AMA model is sound or whether improvements are required. Validation should encompass both quantitative and qualitative elements, and assess the appropriateness of the risk management processes to ensure that the framework remains fit for purpose.
Drop Down Options: N/A; Validation Work Completed; Validation Work in Progress; No Validation Work Planned

Column Heading: Comments, including names of supporting documents
Definition: Commentary regarding evidence and supporting documentation.

PROTECTED B WHEN COMPLETED


A. Operational Risk Management Framework


Area of Assessment

Reference

1. Operational Risk Framework


SP (P2)

Criteria

Compliance Rating

Target Compliance Date

Fundamentals of Operational Risk Framework


1.01 A formally documented operational risk
management framework has been approved
by Senior Management and Board.
1.02 The framework is reviewed and updated on a
regular basis
1.03 The framework makes reference to the
underlying policies which govern operational
risk management practices
1.04 The framework is applied enterprise-wide
and covers all material operations, including
geographies, corporate functions and
material subsidiaries and joint ventures

CAR (664)

1.05 The FRFI has an operational risk
management system that is conceptually
sound and is implemented with integrity.

CAR (644)

1.06 The FRFI defines operational risk as the risk
of loss resulting from inadequate or failed
internal processes, people and systems or
from external events. This definition includes
legal risk, but excludes strategic and
reputational risk.

SP (25)

1.07 Risks are defined within the framework and
are clearly articulated in granular terms,
exceeding those defined within Basel II for
operational risk event types

SP (26)

1.08 The Operational Risk Framework is
comprehensively and appropriately
documented in board of directors approved
policies and should include definitions of
operational risk and operational loss

SP (27b)

1.09 Policy identifying the Operational Risk
Framework clearly describes the risk
assessment tools and how they are used

SP (27c)

1.10 Policy identifying the Operational Risk
Framework clearly describes the FRFI's
accepted operational risk profile, permissible
thresholds or tolerances for inherent and
residual risk, and approved risk mitigation
strategies and instruments

SP (27d)

1.11 Policy identifying the Operational Risk
Framework clearly describes the FRFI's
approach to establishing and monitoring
thresholds or tolerances for inherent and
residual risk exposure

SP (27e)

1.12 Policy identifying the Operational Risk
Framework clearly establishes risk reporting
and Management Information System (MIS)

SP (27f)

1.13 Policy identifying the Operational Risk
Framework clearly provides for a common
taxonomy of operational risk terms to ensure
consistency of risk identification, exposure
rating and risk management objectives

SP (27g)

1.14 Policy identifying the Operational Risk
Framework clearly provides for appropriate
independent review and assessment of
operational risk

SP (27h)


1.15 Policy identifying the Operational Risk
Framework clearly requires the policies to be
revised whenever a material change in the
operational risk profile of the FRFI occurs


SP (25)

1.16 Framework has clearly articulated the roles
and responsibilities of the three lines of
defence: (1) the business, (2) the Corporate
Operational Risk Management Function, (3)
independent review or Internal Audit

SP (27a)

1.17 Policy identifying the Operational Risk
Framework clearly identifies the governance
structures used to manage operational risk,
including reporting lines and accountabilities

SP (25)

1.18 Framework and policies clearly articulate
operational risk and loss definitions


1.19 Governance structure, including reporting
lines, accountabilities and committees should
be clearly articulated, including solid and
dotted lines of defence
1.20 Risk assessment tools are clearly articulated
within the framework


B. Identification and Assessment


Area of Assessment
1. Risk Identification and
Assessment

Reference
SP (40)

Criteria

Compliance Rating

Target Compliance Date

Internal Audit (Audit Status)

Inherent Risks and Comparative Analysis


1.01 Risk identification and assessments are
clearly linked to the inherent risks
documented in the operational risk
management framework
1.02 Results of the FRFI's operational risk
assessment have been incorporated into the
overall FRFI business strategy development
processes.
1.03 Comparative analyses are completed over
the independent operational risk
assessments conducted to ensure lessons
learned

2. Data Collection and Processing

DM I-Note
Section II
Principle 2

Data Collection
2.01 Data collection establishes clear and
comprehensive documentation for data
definition, collection and aggregation,
including data mapping to CAR business
lines, data schematics where necessary, and
other identifiers, if any
2.02 Data collection establishes standards for
data accuracy, completeness, timeliness and
reliability
2.03 Data collection identifies and documents
gaps and, where applicable, documents the
manual or automated workarounds used to
close data gaps and meet data requirements
2.04 Data collection establishes standards,
policies and procedures around the
cleansing of data through reconciliation, field
validation, reformatting, decomposing or use
of consistent standards, as appropriate
2.05 Data collection establishes procedures for
identifying and reporting on data errors and
data linkage breaks to source, downstream
and/or external systems
2.06 An independent challenge is in place to
ensure accuracy, completeness, timeliness
and reliability of the internal operational risk
event collected. Specifically processes in
place to confirm that data is comprehensive,
accurate, timely, etc.

DM I-Note
Section II
Principle 3

Data Processing
2.07 Data processing limits reliance on
workarounds and manual data manipulation
in order to mitigate the operational risk
related to human error and dilution of data
integrity


DM I-Note
Section II
Principle 3

2.08 Data processing ensures appropriate levels
of validation, data cleansing and
reconciliation for each process, as applicable
2.09 Data processing establishes adequate
controls to ensure processing by authorized
staff acting within designated roles and
established authorities
2.10 Data processing institutes appropriate
change control procedures for changes to
the processing environment, including, where
applicable, change initiation, authorization,
program modifications, testing, parallel
processing, sign-offs, release, library controls
2.11 Data processing provides appropriate levels
of disaster back-up, process resumption and
recovery capabilities to mitigate loss of data
and/or data integrity
3. Data Maintenance and
Reporting

DM I-Note
Section II
Principle 4

Data Access/Retrieval
3.01 Data repositories and underlying extract,
query and retrieval routines are designed and
built to support the institution's own data
requirements as well as ongoing needs for
supervisory assessments of various data as
appropriate
3.02 Access controls and data/information
distribution are based on user roles/
responsibilities and industry sound practices
in the context of effective segregation of
duties, and is in conformance with the need
to know principle, which is assessed by the
institution's internal compliance and audit
functions for overall effectiveness of the
internal controls designed to ensure this
conformance and compliance

3.03 Access to data/information is not restricted in
any arrangements where data maintenance
is outsourced to external service provider(s).
Notwithstanding these arrangements, an
institution should be able to provide
data/information at no additional cost

DM I-Note
Section II
Principle 5

Data Storage/Retention
3.04 The institution has established documented
policies and procedures addressing storage,
retention and archiving, including, where
applicable, the procedures for
logical/physical deletion of data and
destruction of data storage media and
peripherals
3.05 The institution maintains back-ups of relevant
data files, data stores and databases in a
manner that can allow for data/information to
be readily available


DM I-Note
Section II
Principle 5


3.06 The institution ensures that availability of
electronic versions for all relevant and
material data/information is in a machine-readable
format and can be made accessible

DM I-Note
Section III
Principle 3

Other Operational Risk Data


3.07 Standards and processes for determining the
scope and criteria for any other operational
risk data utilized have been established
3.08 The use of additional data in the institution's
operational risk methodology is documented
3.09 Other Operational Risk Data used has been
incorporated into operational risk reporting, in
a complete and timely manner as appropriate
3.10 The processes of collecting Other
Operational Risk Data are subject to periodic
independent review
Data Reporting and Analysis
3.11 Reporting thresholds for internal operational
risk events are in place and monitored to
ensure that they are being adhered to

SG (67)

3.12 Results from verification and validation work
should be documented and distributed to
appropriate business line management,
internal audit, the corporate operational risk
management function and appropriate risk
committees.
3.13 Root cause analysis is completed for
significant internal loss events and corrective
actions identified and taken, including
applying lessons learned to other business
units.

4. Internal Loss Data Collection and Analysis

CAR (663b)
DM I-Note
Section III
Principle 2

Internal Operational Loss Data


4.01 The FRFI has a systematic tracking of
relevant operational risk data including
material losses by business line.
4.02 There is close integration of the operational
risk assessment system into the risk
management process of the FRFI.
4.03 Operational risk data (including loss data)
has a role in risk reporting, management
reporting, and risk analysis.
4.04 There are techniques for creating incentives
to improve the management of operational
risk throughout the firm.

SG (30a)


4.05 a) A FRFI's internal loss data policy includes
guidelines for deciding the circumstances,
documenting the scope, types of data and
methodology for grouping data as
appropriate for their business, risk
management and capital modelling needs.
b) A FRFI should also clarify and document
its individual judgements in applying these
guidelines.
c) The FRFI's policy regarding the threshold
and dates for single losses should also be
applied to grouped losses.

DM I Note Section III,
Principle 2,
CAR 673

4.06 Ensure that the maintenance of internal loss
data aligns with the established enterprise-wide
data management framework
4.07 Ensuring periodic independent reviews of the
processes involved in the collection of loss
data
4.08 Incorporating internal loss data, in a
complete and timely manner, into the
operational risk reporting for both operational
risk management purposes and capital
impact analysis

5. External Loss Data
Collection and Analysis

DM I Note Section III,
Principle 2


External Operational Loss Data


5.01 Policy and procedures are in place for
external loss data collection and analysis
5.02 Multiple sources are used and are
appropriately scrubbed, using a well-established process for adding, changing,
and removing data points

DM I Note Section III,
Principle 2 /
CAR (674)

5.03 An independent challenge is in place to
appropriately scale/apply external operational
event to the FRFI based on relevance and
materiality to the business
5.04 Potential emerging risks are tracked and
monitored at enterprise wide level and
applied to all other businesses and corporate
control functions to mitigate potential system
events

DM I Note Section III,
Principle 2

5.05 Significant industry events are incorporated
in the control environment, including other
identification and assessment tools such as
RCA and KRI, etc.

6. Risk and Control (Self) Assessment

DM I Note Section III,
Principle 3

RCSA Policy
6.01 Policy and procedures are in place for the
risk and control (self) assessment process,
setting out expectations and requirements,
scope and criteria for data collection
6.02 Risk and control (self) assessment processes
have been implemented in all operations of
the enterprise, including corporate functions
and significant subsidiaries and joint
ventures

CAR (676)

6.03 Risk and control (self) assessment design is
to be reflective of the current environment as
well as forward looking
6.04 Risk and control (self) assessment is
designed to ensure it is updated on a regular
(i.e. at least annually) frequency

CAR (676)

6.05 Risk and control self assessments are
aligned to other oversight functions (i.e.
Internal Audit Universe and Compliance
Universe)
RCSA Tracking
6.06 Actions taken to address issues and gaps are
documented and resolved in a timely manner

CAR (663)

6.07 An independent challenge is in place to
ensure the accuracy, completeness,
timeliness and reliability of the risk and
controls assessments and the actions taken
to address issues/gaps identified
6.08 Emerging risks are tracked and monitored at
an enterprise wide level and applied to all
other business and corporate control
functions to mitigate potential systemic risks

SP (38)


Risk Identification and Assessment


6.09 The FRFI has an effective risk identification
process of both internal and external factors
that could adversely affect the achievement
of the FRFI's objectives.

SP (38)

6.10 The FRFI assesses the vulnerability of
potentially adverse risks to better understand
risk profile and target risk management
resources.

SP (39c)

6.11 The FRFI completes an internal assessment
(RCSA) that evaluates inherent risk (the risk
before controls are considered), the
effectiveness of the control environment, and
residual risk (the risk exposure after controls
are considered).
6.12 There is a regular process to review and
update these risk assessments
6.13 Scorecards build on RCSAs by weighting
residual risks to provide a means of
translating the RCSA output into metrics that
give a relative ranking of the control
environment

SP (39d)

6.14 Risk mapping - The FRFI has mapped
various business units, organizational
functions or process flows by risk types.

SP (39g)

6.15 Measurement - The FRFI quantifies its
exposure to operational risk by using the
output of its risk assessment tools as inputs
into a model that estimates operational risk
exposure.

SP (39h)

6.16 Comparative Analysis - The FRFI compares
the results of the various assessment tools to
provide a more comprehensive view of the
FRFI's operational risk profile.

7. Data Mapping


Business Process Mapping Policies and Principles


CAR Annex
8(a)

7.01 Business units and operational risk
management use business process mapping
as one of its tools within the program
7.02 Policy and procedures are in place over the
business process mapping practices
7.03 An independent challenge is completed to
identify business processes which cut across
multiple groups
CAR Annex
8(a)

7.04 All activities are mapped into the eight level 1
business lines in a mutually exclusive and
jointly exhaustive manner.

CAR Annex
8(b)

7.05 Any FRFI activity that cannot be readily
mapped into the business line framework,
but which represents an ancillary function to
an activity included in the framework, is
allocated to the business line it supports.
7.06 If more than one business line is supported
through the ancillary activity, an objective
mapping criteria is used.

CAR Annex
8(c)

7.07 If an activity cannot be mapped into a
particular business line then the business
line yielding the highest charge is used. The
same business line equally applies to any
associated ancillary activity.

CAR Annex
8(e)

7.08 Mapping activities into business lines for
operational risk capital purposes are
consistent with the definitions of business
lines used for regulatory capital calculations
in other risk categories. Any deviations must
be clearly motivated and documented.

CAR Annex
8(f)

7.09 The mapping process is clearly documented.
More specifically, business line definitions
are sufficiently documented to allow for
business line mapping replication.
7.10 Documentation clearly highlights reasoning
for exception or overrides and for this
information to be kept on record for evidence
purposes.

CAR Annex
8(g)

7.11 Processes are in place to define the mapping
of any new activities or products.

CAR Annex
8(h)

7.12 Senior management is responsible for the
mapping policy.

CAR Annex
8(i)

7.13 The mapping process to business lines is
subject to independent review.


Gross Income Mapping: Policies and Documentation


DM I-Note
Section III
Principle 1

7.14 The institution has documented the mapping
process to provide for the consistent
mapping of gross income data
7.15 The institution has established a system or
process that facilitates the reconciliation of
gross income reported in CAR reporting
forms to the firm's reported financial results
7.16 The institution ensures that the robustness is
commensurate with the complexity of the
gross income mapping process
CAR Annex
8(d)

7.17 Internal pricing methods are used to allocate
gross income between business lines
provided that total gross income for the FRFI
still equals the sum of gross income for the
eight business lines.

8. Key Risk and Performance Indicators

SP (39f)

Policies & Implementation
8.01 Policy and procedures are in place for the
risk and performance indicator (KRI)
processes
8.02 KRIs are aligned with the inherent
operational risks to the business
8.03 KRI limits and thresholds are in place, which
are approved by Senior Management and/or
Board (if there are hundreds/thousands this
may not be possible but ok if approved by
segment of first line, and challenged by
second line)
8.04 Selection of indicators and limits is reviewed
on a regular basis
8.05 First line of defence has identified risk and
performance indicators, both qualitative and
quantitative and is actively monitoring these
risks
8.06 KRI process should be action oriented, and
drive action plans when breaches occur.
Processes are in place to escalate breaches
in Risk and Performance indicators to
established limits and thresholds to Senior
Management and Board

SP (39f)

8.07 Risk and Performance indicators - The FRFI
uses statistics and/or metrics to provide
insight into operational processes.
8.08 Risk indicators - The FRFI uses statistics
and/or metrics to provide a FRFI's risk
position.
8.09 An independent challenge is in place to
ensure the accuracy, completeness,
timeliness and reliability of the KRI identified
by the 1st line of defence


8.10 Risk and performance indicators are paired
with escalation triggers to warn when risk
levels exceed acceptable ranges and prompt
mitigation plans
9. Scenario Analysis and
Stress Testing

Principles of Scenario Analysis and Stress Testing


SP (39g)
9.01 Policy and procedures are in place for
scenario and stress testing of operational risk
9.02 Where quantitative models, including
statistical models, are used for operational
risk measurement, stress testing should be in
place to determine the validity of models
9.03 The robustness of individual components of
a stress testing program should be
independently verified
9.04 Scenario Analysis - The FRFI uses expert
opinions of business line and risk managers
to identify potential operational risk events
and assess their potential outcome

10. Operational Risk Control and Mitigation
CAR 666d

Operational Risk Control


10.01 The FRFI has an operational risk
management system that is well
documented.
10.02 The FRFI has a routine in place for ensuring
compliance with a documented set of internal
policies, controls and procedures concerning
the operational risk management system,
which includes policies for the treatment of
non-compliance issues.

CAR (666d)

SP (47)

10.03 The internal operational risk measurement
system is closely integrated into the day-to-day
risk management processes of the FRFI.
Its output is an integral part of the process of
monitoring and controlling the FRFI's
operational risk profile.
10.04 Internal controls are designed to provide
reasonable assurance that a FRFI will have
efficient and effective operations; safeguard
its assets; produce reliable financial reports;
and comply with applicable laws and
regulations.
10.05 The internal control programme consists of
five components that are integral to the risk
management process: control environment,
risk assessment, control activities,
information and communication, and
monitoring activities.

SP (48)

10.06 Control processes and procedures include a
system for ensuring compliance with policies


SP (48a)

10.07 The policy compliance assessment includes
top-level reviews of progress towards stated
objectives

SP (48b)

10.08 The policy compliance assessment includes
verifying compliance with management
controls

SP (48c)

10.09 The policy compliance assessment includes
review of the treatment and resolution of
instances of non-compliance

SP (48d)

10.10 The policy compliance assessment includes
evaluation of the required approvals and
authorisations to ensure accountability to an
appropriate level of management

SP (48e)

10.11 The policy compliance assessment includes
tracking reports for approved exceptions to
thresholds, management overrides and other
deviations from policy

CAR (664)

10.12 The FRFI has sufficient resources in the
major business lines to implement the
adopted approach to operational risk,
including control and audit areas.

SP (49)

10.13 Areas of potential conflicts of interest are
identified, minimised, and are subject to
careful independent monitoring and review.

SP (50)

10.14 The FRFI has implemented segregation of
duties and dual control
SP (50a)

10.15 Internal controls for operational risk include
clearly established authorities and/or
processes for approval

SP (50b)

10.16 Internal controls for operational risk include
close monitoring of adherence to assigned
risk limits or thresholds

SP (50c)

10.17 Internal controls for operational risk include
safeguards for access to, and use of, FRFI
assets and records

SP (50d)

10.18 Internal controls for operational risk include
appropriate staffing level and training to
maintain expertise

SP (50e)

10.19 Internal controls for operational risk include
ongoing processes to identify business lines
or products where returns appear to be out of
line with reasonable expectations

SP (50f)

10.20 Internal controls for operational risk include
regular verification and reconciliation of
transactions and accounts

SP (50g)

10.21 Internal controls for operational risk include a
vacation policy that provides for officers and
employees being absent from their duties for
a period of not less than two consecutive
weeks.


Mitigation


SP (52)

10.22 The FRFI has an integrated approach to
identifying, measuring, monitoring and
managing technology risks.

SP (52a)

10.23 Technology risk management includes
governance and oversight controls that
ensure technology, including outsourcing
arrangements, is aligned with and supportive
of the FRFI's business objectives

SP (52b)

10.24 Technology risk management includes
policies and procedures that facilitate
identification and assessment of risk

SP (52c)

10.25 Technology risk management includes
establishment of risk tolerances and
performance expectations to assist in
controlling and managing risk

SP (52d)

10.26 Technology risk management includes
implementation of an effective control
environment and the use of risk transfer
strategies that mitigate risk

SP (52e)

10.27 Technology risk management includes
monitoring processes that test for
compliance with policy thresholds

11. Outsourcing Activities and Risk Management

SP (54)

Outsourcing
11.01 The FRFI has established policies for
managing the risks associated with
outsourcing activities aligned with OSFI - B10
Guidelines
11.02 The board of directors and senior
management understand the operational
risks associated with outsourcing
arrangements and ensure that effective risk
management policies and practices are in
place to manage the risk in outsourcing
activities

SP (54a)

11.03 Outsourcing policies and risk management
activities encompass procedures for
determining whether and how activities can
be outsourced

SP (54b)

11.04 Outsourcing policies and risk management
activities encompass processes for
conducting due diligence in the selection of
potential service providers

SP (54c)

11.05 Outsourcing policies and risk management
activities encompass sound structuring of the
outsourcing arrangement, including
ownership and confidentiality of data, as well
as termination rights

SP (54d)

11.06 Outsourcing policies and risk management
activities encompass programmes for
managing and monitoring the risks
associated with the outsourcing
arrangement, including the financial condition
of the service provider


SP (54e)

11.07 Outsourcing policies and risk management
activities encompass the establishment of an
effective control environment at the FRFI and
the service provider

SP (54f)

11.08 Outsourcing policies and risk management
activities encompass development of viable
contingency plans

SP (54g)

11.09 Outsourcing policies and risk management
activities encompass execution of
comprehensive contracts and/or service level
agreements with a clear allocation of
responsibilities between the outsourcing
provider and the FRFI

Self-insure or retain operational risk

SP (55)

11.10 The Board has determined the maximum
loss exposure the FRFI is willing and has the
financial capacity to assume, and should
perform an annual review of the FRFI's risk
and insurance management programme

SP (56)

11.11 The FRFI uses risk transfer tools as a
complement, rather than a replacement, to
internal operational risk control

12. Business Resiliency and Continuity

SP (57)

SP (58)

Policies and Activities
12.01 The FRFI has established business
continuity plans, taking into account different
types of likely or plausible scenarios to which
the FRFI may be vulnerable.
12.02 Continuity management incorporates
business impact analysis, recovery
strategies, testing including call tree
exercises, training and awareness
programmes, and communication and crisis
management programmes
12.03 The FRFI identifies critical business
operations, key internal and external
dependencies, and appropriate resilience
levels.
12.04 Plausible disruptive scenarios are assessed
for their financial, operational and
reputational impact, and the resulting risk
assessment should be the foundation for
recovery priorities and objectives.
12.05 Continuity plans should establish
contingency strategies, recovery and
resumption procedures, and communication
plans for informing management, employees,
regulatory authorities, customers, suppliers,
and where appropriate civil authorities

SP (59)

12.06 FRFI periodically reviews its continuity plans
to ensure contingency strategies remain
consistent with current operations, risks and
threats, resiliency requirements, and
recovery priorities.
12.07 Training and awareness programmes are
implemented to ensure that staff can
effectively execute contingency plans.
12.08 Plans should be tested periodically to ensure
that recovery and resumption objectives and
timeframes can be met.
12.09 The FRFI participates in disaster recovery
and business continuity testing with key
service providers (where possible)
12.10 Results of formal testing activity should be
reported to management and the board.

PROTECTED B WHEN COMPLETED

C. Change Management Processes


Area of Assessment

Reference

1. Change Management and Approvals for New Initiatives

SP Principle 7 (42)

Criteria

Compliance Rating

Target Compliance Date

Robust Risk Assessment Procedure


1.01 Policies and procedures address the process
for review and approval of new and changes
to products, processes, activities, and
systems including mergers & acquisitions,
joint ventures etc.
1.02 An assessment of each of the operational
risk sub-types should occur within the new
product or initiative approval process.
1.03 These assessments should identify controls
required to be implemented within the
development and implementation phase and
be action oriented.
1.04 An independent challenge is in place to
ensure the accuracy, completeness,
timeliness and reliability of the risk
assessment of new products, process,
activities and systems and to ensure required
controls have been identified and are being
monitored through implementation
1.05 All relevant stakeholders are involved in
providing inputs to the risk assessment

SP Principle 7 (42)

Approval Process
1.06 An approval process is tiered based on
financial or business impact, and risk
1.07 Approval process has considered all inherent
operational risk categories and includes an
assessment of existing and required controls
1.08 An assessment of the resulting change of an
FRFI's organization's risk profile is completed
1.09 Corporate Operational Risk Management
monitors the new product and approval
process identifying any material differences
to the operational risk profile and unexpected
risks

SP (41)

Risk Assessments of New Businesses


1.10 The FRFI ensures that its risk management
control infrastructure is appropriate at
inception and that it keeps pace with the rate
of growth of, or changes to, products,
services or activities.

SP (42)

1.11 The FRFI should have policies and
procedures that address the process for
review and approval of new products,
activities, processes and systems.

SP (42a)

1.12 The FRFI's review and approval process
considers inherent risks in the new product,
service, or activity

SP (42b)

1.13 The FRFI's review and approval process
considers resulting changes to the FRFI's
operational risk profile and appetite and
tolerance, including the risk of existing
products or activities

SP (42c)

1.14 The FRFI's review and approval process
considers the necessary controls, risk
management processes, and risk mitigation
strategies

SP (42d)

1.15 The FRFI's review and approval process
considers the residual risk
1.16 The FRFI's review and approval process
considers changes to relevant risk limits
1.17 The FRFI's review and approval process
considers the procedures and metrics to
measure, monitor, and manage the risk of
the new product or activity.

SP (42e)
SP (42f)

SP (42)

1.18 The FRFI's approval process ensures that
appropriate investment has been made for
human resources and technology
infrastructure before new products, material
change to existing products, processes,
including joint ventures, mergers &
acquisitions are introduced

SP (42)

1.19 The implementation of new products,
activities, processes and systems is
monitored in order to identify any material
differences to the expected operational risk
profile, and to manage any unexpected risks.

D. Risk Appetite and Tolerance Statement


Area of Assessment

Reference

1. Risk Appetite and Tolerance
SP (30)

Criteria

Compliance Rating

Target Compliance Date

Operational Risk Strategy


1.01 Policy and procedures are in place over the
determination and management of risk
appetite and tolerance statements
1.02 All relevant risks, the FRFI's level of risk
aversion, its current financial condition and
the FRFI's strategic direction are considered
when establishing and approving the FRFI's
risk appetite
1.03 The risk appetite and tolerance statement
encapsulates the various operational risk
appetites within an FRFI and ensures that
they are consistent
Senior management, Board and Corporate
Operational Risk Management monitor risk
appetite and tolerance and ensure it reflects
the current enterprise financial condition and
strategic direction
1.04 The FRFI has clearly articulated the nature,
types (e.g. internal fraud, external fraud, etc.)
and levels of operational risks that the FRFI
is willing to assume, and provided
measurable risk limits (could also include
differences by product type or geography)

SP (31)

1.05 Operational risk appetite and tolerance
statement considers the following:
- Changes in the external environment
- Material increase in business or activity
volumes
- The quality of the control environment
- The effectiveness of risk management or
mitigation strategies
- Loss experience
- The frequency, volume or nature of limit
breaches
Board has approved and reviewed an
enterprise wide risk appetite and tolerance
statement
Breaches
1.06 Corporate Operational Risk Management
has a process in place to monitor breaches
and escalates breaches to Senior
Management and Board in a timely manner

E. Corporate Operational Risk Management Function


Area of Assessment
1. Corporate Operational Risk Management Function (CORMF)

Reference

(Corporate Operational Risk Management & Operational Risk Management terms are synonymous)

Criteria

Compliance Rating

Target Compliance Date

Operational Risk Management Function


CAR (663) /
CG I Note - 3
1.01 Policy and procedures are in place over the
roles, responsibilities and mandate of the
corporate operational risk function, the
second line of defence
CG I Note - 3

1.02 CORMF provides an independent challenge
to the business lines' inputs to and outputs
from the FRFI's risk management,
measurement and reporting systems

CAR (666a) /
(SP) 15

1.03

(SP) 15

1.04 First and second lines of defence are clearly
defined and understood. Roles and
responsibilities of the corporate operational
risk officers and operational risk officers
within the business unit are clearly
delineated.

(SP) 35

1.05 Framework clearly articulates roles and
responsibilities of CORMF and ensures
authority has been delegated from Senior
Management and Board

The operational risk management function is
independent and responsible for the design
and implementation of the FRFI's operational
risk management framework.

1.06 CORMF appropriately and timely escalates
breaches in the limits to risk appetite and
tolerance to Senior Management and Board
1.07 CORMF should provide regular updates on
the adherence to risk appetite and tolerance
CG I-Note (3.1)

1.08 Operational Risk Management (ORM) is
responsible for developing strategies to
identify, assess/measure, monitor and
control/mitigate operational risk

CG I-Note (3.2)

1.09 ORM is responsible for establishing and
documenting firm-wide policies and
procedures relating to the FRFI's operational
risk management framework and
management of operational risk exposures,
as appropriate

CG I-Note (3.3)

1.10 ORM is responsible for ensuring that there is
a means to systematically track relevant
operational risk data, including material
losses

CG I-Note (3.4)

1.11 ORM is responsible for designing and
implementing a risk-reporting system for
operational risk

CG I-Note (3.5)

1.12 ORM is responsible for ensuring that
adequate processes and procedures exist to
provide appropriate oversight of the
institution's operational risk management
practices

CG I-Note (3.6)

1.13 ORM is responsible for designing and
implementing the firm's operational risk
measurement methodology

CG I-Note (3.7)

1.14 ORM is responsible for ensuring that the
operational risk measurement processes are
closely integrated into the risk management
processes of the institution

CG I-Note (3.8)

1.15 ORM is responsible for defining the roles of
model development and validation, ensuring
there is separation between the two roles.

CAR (664) / SP 15

Resources & Training


1.16 The group is appropriately staffed with
resources that have sufficient experience to
fulfill its mandate and responsibilities
1.17 Roles are of sufficient level and seniority to
attract required expertise
1.18 Appropriate level of training is provided over
operational risk management framework for
the FRFI throughout the enterprise
1.19 CORMF provides enterprise wide training for
the first line of defence on the operational
risk management framework, all inherent
operational risks, mitigating controls, loss
event reporting, RCSA, KRIs, etc.

F. Monitoring and Reporting


Area of Assessment
1. Operational Risk Reporting

Reference

Criteria

Compliance Rating

Target Compliance Date

Regular and Effective Monitoring of Operational Risk Profile


CAR (666c)
1.01 The FRFI has regular reporting of operational
risk exposures, including material operational
losses, to business unit management, senior
management, and to the board of directors.
1.02 Operational risk reports contain internal
financial, operational, and compliance
indicators as well as external market or
environmental information and events and
conditions that are relevant to decision
making
1.03 The FRFI has procedures for taking
appropriate action according to the
information within the management reports.
SP (43)

1.04 The FRFI continuously improves the quality
of operational risk reporting
1.05 The FRFI ensures that its reports are
comprehensive, accurate, consistent and
actionable across business lines and
products.
1.06 The FRFI's reports should be manageable in
scope and volume.
1.07 Operational Risk reporting results in
consistent and documented actions,
including actions oriented towards mitigation
and escalation of risks.

SP (46)

SP (44)

1.08 Data capture and risk reporting processes
are analysed periodically with a view to
continuously enhancing risk management
performance as well as advancing risk
management policies, procedures and
practices.
Operational Risk Reporting
1.09 Reporting is timely and the FRFI is able to
produce reports in both normal and stressed
market conditions.
1.10 The frequency of reporting reflects the risks
involved and the pace and nature of changes
in the operating environment.
1.11 Reports generated by (and/or for)
supervisory authorities are also reported
internally to senior management and the
board, where appropriate.

SP (45a)

1.12 Operational Risk reporting includes breaches
of the FRFI's risk appetite and tolerance
statement;

SP (45b) / CG I-Note (4.2)

1.13 Operational Risk reporting includes details of
recent significant internal operational risk
events and losses

SP (45c)

1.14 Operational Risk reporting includes relevant
external events and any potential impact on
the FRFI and operational risk capital

CG I-Note (4.1)

1.15 Operational Risk reporting includes
information on operational risk capital charge
1.16 Reporting should consider both current
operational risk and control issues as well as
emerging operational risk issues

CG I-Note (4.3)

1.17 Operational Risk reporting includes results of
relevant assessments of business
environment factors, risk and control self
assessments or other internal control factors.
1.18 Dashboard is created to summarize key
information and highlight major events for
efficient communication to senior
management and other stakeholders

SP (44)

1.19 Operational risk results from risk assessment
tools are reported and used in the
management of operational risk.
1.20 The results of monitoring activities are
included in regular management and board
reports, as well as assessments of the
Framework performed by the internal audit
and/or risk management functions.
1.21 There is appropriate reporting of results from
risk assessment tools to the Board, senior
management and business units.
1.22 Reporting also considers key risk
assessments and key issues, the state of the
operational risk program, etc.
1.23 Findings in operational risk reports are
appropriately assigned and associated with
action items to address deficiencies

2. Disclosure
SP (60)
SP (61)

Public Disclosure
2.01 The FRFI publicly discloses relevant
operational risk management information
2.02 The FRFI discloses its operational risk
management framework in a manner that
allows investors and counterparties to
determine whether the FRFI identifies,
assesses, monitors and controls/mitigates
operational risk effectively.

G. Oversight Functions
Area of Assessment

Reference

1. Board Oversight
CAR (664) / SP (21)

Criteria

Compliance Rating

Target Compliance Date

Role of Board of Directors


1.01 Board should oversee senior management to
ensure that policies, process, systems are
implemented effectively at all decision levels
1.02 Board should regularly review the framework to
ensure the FRFI has identified and is managing
operational risk arising from external
environmental factors and internal changes to
strategy, products, activities or systems
1.03 Board should be provided and review updates
on relevant operational risk types on a regular
basis

SP (22)

1.04 The Board has established a code of conduct or
an ethics policy that sets clear expectations for
integrity and ethical values of the highest
standard and identify acceptable business
practices and prohibited conflicts.
1.05 Compensation policies approved are in line with
FRFI's statement of risk appetite and tolerance,
long-term strategic direction, financial goals and
overall safety and soundness.

SP (24)

1.06 The Board understands the nature and
complexity of the risks inherent in the portfolio of
FRFI products, services and activities

SP (28a)

1.07 The Board has established a management
culture, and supporting processes, to
understand the nature and scope of the
operational risk inherent in the FRFI's strategies
and activities, and develop dynamic oversight
and control environments that are fully
integrated into or coordinated with the overall
framework for managing all risks across the
enterprise

SP (28b)

1.08 The Board provides senior management with
clear guidance and direction regarding the
principles underlying the Framework and
approves the corresponding policies developed
by senior management

SP (28c)

1.09 The Board regularly reviews the Operational
Risk Framework to ensure that the FRFI has
identified and is managing the operational risk
arising from external market changes and other
environmental factors, as well as those
operational risks associated with new products,
activities, processes or systems, including
changes in risk profiles and priorities (e.g.
changing business volumes)

SP (28d)

1.10 The Board ensures that the FRFI's Framework is
subject to effective independent review by audit
or other appropriately trained parties

SP (28e)

1.11 The Board ensures that management is
incorporating industry best practice in managing
operational risk

CG I-Note (1.1)

1.12 The Board has a clear understanding of the
institution's operational risk profile, including the
internal and external sources of operational risk
to the institution

SP (30) / CG I-Note (1.2)

1.13 The Board has established an appropriate
tolerance or appetite, which may include a range
of qualitative and/or subjective statements, as
appropriate, for the types and/or level of
operational risk the institution may take on

SP (30)

1.14 The Board has approved appropriate thresholds
or limits for specific operational risks, and an
overall operational risk appetite and tolerance

CG I-Note (1.7)

1.15 The Board is notified and reviews any material
strategic changes to the institution's operational
risk profile.

CG I-Note (1.3)

1.16 The Board has a clear understanding of the
impact of applying the operational risk approach
at the institution

CG I-Note (1.6)

1.17 The Board must satisfy itself that the operational
risk management and measurement processes
and systems are sound and remain effective
over time

Board of Directors' Establishment of a Management Structure


SP (29)
1.18 The Board establishes clear lines of
management responsibility and accountability
for implementing a strong control environment.
SP (30) / CG I-Note (1.5)

1.19 The Board reviews management adherence to
the risk appetite and tolerance statement and
provides for timely detection and remediation of
breaches.
1.20 The control environment provides appropriate
independence/separation of duties between
operational risk control functions, business lines
and support functions.

2. Senior Management Oversight

SP (P5)

CAR (664)

Role of Senior Management


2.01 Senior Management has developed a clear,
effective and robust governance structure which
is conducive to transparent and consistent lines
of responsibilities
2.02 Senior management is actively involved in the
oversight of the operational risk management
framework.

SP (23)

2.03 Senior management ensures that an appropriate
level of operational risk training is available at all
levels throughout the organisation. Training that
is provided should reflect the seniority, role and
responsibilities of the individuals for whom it is
intended

SP (24)

2.04 Senior Management understands the nature and
complexity of the risks inherent in the portfolio of
FRFI products, services and activities

SP (32)

2.05 Senior Management establishes and maintains
robust challenge mechanisms and effective
issue-resolution processes (including
mechanisms to report, track and escalate issues
when necessary).

SP (33) / CG I-Note (2.6)

2.06 Senior Management translates the Operational
Risk Management Framework established by
the Board of Directors into specific policies and
procedures that can be implemented and
verified within the different business units.

SP (33) / CG I-Note (2.4)

2.07 Senior Management clearly assigns authority,
responsibility and reporting relationships to
encourage and maintain accountability

SP (33) / CG I-Note (2.2)

2.08 Senior Management ensures that the necessary
resources are available to manage operational
risk in line with the FRFI's risk appetite and
tolerance statement

SP (33) / SP (20) / CG I-Note (2.5)

2.09 Senior management ensures that the
management oversight process is appropriate
for the risks inherent in a business unit's activity

SP (36)

2.10 Senior management ensures that FRFI activities
are conducted by staff with the necessary
experience, technical capabilities and access to
resources.

SP (53)

2.11 Senior Management ensures the FRFI has a
sound technology infrastructure that meets
current and long-term business requirements by
providing sufficient capacity for normal activity
levels as well as peaks during periods of market
stress; ensuring data and system integrity,
security, and availability; and supporting
integrated and comprehensive risk management

2.12 Senior Management makes appropriate capital
investment or otherwise provides for a robust
infrastructure at all times, particularly before
mergers are consummated, high growth
strategies are initiated, or new products are
introduced
CG I-Note (2.1)

2.13 Senior Management has a clear understanding
of the institution's operational risk profile,
including the internal and external sources of
operational risk to the institution

CG I-Note (2.3)

2.14 Senior Management has a clear understanding
of the impact of applying the operational risk
approach at the institution

CG I-Note (2.9)

2.15 Senior Management clearly understands the
measurement systems and processes affecting
the operational risk management framework and
its impact on operational risk capital

CG I-Note (2.10)

2.16 Senior Management must be satisfied that the
measurement systems and processes include
the key elements, including the use of internal
data, relevant external data, scenario analysis
and factors reflecting the business environment
and internal control systems

CG I-Note (2.11)

2.17 Senior Management must satisfy itself and
assure the Board that the operational risk
management framework and measurement
systems are conceptually sound and meet the
use test, such that the system is closely
integrated with the institution's day-to-day risk
management processes

CG I-Note (2.7)

Senior Management Accountabilities


2.18 Senior Management is accountable for
reviewing reports on the status of the
institution's operational risk exposures and
management activities, including the status of
significant operational risk events

CG I-Note (2.8)

2.19 Senior Management is accountable for ensuring
the operational risk management framework,
and adherence to it, is subject to regular
independent reviews

CG I-Note (2.12)

2.20 Senior management must be aware of emerging
industry operational risk measurement and
management practices

DM I-Note (1.1) 2.21 Senior Management is accountable for
reviewing and approving organizational structure
and functions to facilitate development of
appropriate data architecture
DM I-Note (1.2) 2.22 Senior Management is accountable for
establishing an enterprise-wide data
management framework defining, where
appropriate, the institution's policies,
governance, technology, standards and
processes to support the data collection and
maintenance.
DM I-Note (1.3) 2.23 Senior Management is accountable for ensuring
data maintenance processes provide security,
integrity and auditability of the data from its
inception through to its archival and/or logical
destruction

DM I-Note (1.4) 2.24 Senior Management is accountable for
instituting internal audit testing, as appropriate,
to provide for periodic independent assessment
of the effectiveness of controls over data
maintenance processes and functions
DM I-Note (1.5) 2.25 Senior Management is accountable for ensuring
that appropriate policies, procedures and
accountabilities are in place to monitor the
enterprise-wide observance of the data
management framework, including ongoing
updates to procedures and documentation, as
necessary
SP (34)

2.26 Senior management has ensured that staff
responsible for managing operational risk
coordinate and communicate effectively with
staff responsible for managing credit, market,
and other risks, as well as with those in the FRFI
who are responsible for the procurement of
external services such as insurance risk transfer
and outsourcing arrangements.

3. Operational Risk Committee and Structure
SP (37a)

Operational Risk Committee and Structure


3.01 The FRFI utilises a board-created enterprise
level risk committee for overseeing all risks, to
which a management level operational risk
committee reports.

SP (37b)

3.02 The FRFI's operational risk committee includes a
combination of senior members with expertise
in business activities, financial or risk
management expertise and independent non-executive board members

SP (37c)

3.03 Committee meetings are held at appropriate
frequencies with adequate time and resources
to permit productive discussion and decision-making.
3.04 Records of committee operations are adequate
to permit review and evaluation of committee
effectiveness

4. Oversight: The Three Lines of Defence Model

SP (14)

Business Line Responsibilities (1st Line of Defence)*


4.01 Business line management is responsible for
identifying and managing the risks inherent in
the products, activities, processes and systems
for which it is accountable

Operational Risk Management Function (2nd Line of Defence)**


CAR 666a / (SP) 15 / (SP) 36
4.02 The operational risk management function is
independent and responsible for the design and
implementation of the FRFI's operational risk
management framework.
(SP) 35

4.03 Operational risk managers are of equal stature,
ideally evidenced by title, to other risk
management functions such as credit, market
and liquidity risk.
Audit Function (3rd Line of Defence)

SP (16)

4.04 The FRFI's operational risk management
controls, processes and systems are subject to
independent review and challenge.

SP (19)

4.05 Internal audit coverage includes opining on the
overall appropriateness and adequacy of the
Framework and the associated governance
processes across the FRFI. Internal audit also
evaluates whether the Framework meets
organisational needs and supervisory
expectations

SG (14)

4.06 Independent validation and verification is a
component of the third line of defence in the
governance structure used to manage
operational risk, and serves as a challenge
function to the other two lines of defence.

4.07 The effectiveness of both the Corporate
Operational Risk Management Function (CORF)
and Operational Risk Measurement System
(ORMS) should be reviewed by appropriately
qualified independent internal or external
auditors, qualified external and/or other
independent parties
CG I-Note (5.1)

4.08 Internal Audit's activities include assessing the
effectiveness of the institution's internal controls,
including the design elements of internal
controls, intended to ensure adherence to the
Principles for the Sound Management of
Operational Risk

SG (14)

4.09 Verification and validation activities should
encompass all of the components of the FRFI's
Operational Risk Management Framework
(ORMF) and ORMS. The depth and extent of
the validation and verification efforts should be
consistent with the materiality and complexity of
the risk being managed.

CG I-Note (5.4)

4.10

CG I-Note (5.2)

4.11 Internal Audit's activities include determining
scope and frequency of Internal Audit activities
in a manner consistent with its audit
methodology and principles

CG I-Note (5.3)

4.12 Internal Audit's activities include assessing the
adequacy of resources and skills required to
perform this audit work

Conducting periodic assessments of the
effectiveness of the institution's internal controls
over the operational risk management
processes on an institution-wide basis. These
assessments must include both the activities of
the business units and of the operational risk
management function.

CG I-Note (5.5)

4.13 Internal Audit's activities include assessing the
effectiveness of the institution's internal controls
over the operational risk models and risk
measurement systems of the operational risk
management framework, including data integrity
and validation processes

4.14 3rd Line of Defence should proactively manage
the closure of issues and ensure that
management response accurately, timely and
adequately addresses the nature of the issues
raised.
4.15 3rd Line of Defence should escalate issues in a
timely manner to Senior Management/Audit
Committee, as appropriate.

Note:

* Please refer to section B (Identification & Assessment), C (Change
Management Process) and F (Monitoring & Reporting) for detailed
criteria relating to Business Line Responsibilities
** Please refer to section E for detailed CORMF criteria

H. Advanced Measurement Approach Methodology


Area of Assessment

Reference

1. AMA Model
CAR Ch. 7 (667)

Criteria

Compliance Rating

AMA Soundness Standards


1.01 The FRFI's AMA model captures potentially
severe tail loss estimates.
1.02 The FRFI's AMA model is comparable to a
one year holding period and a 99.9
percentile confidence interval.

Detailed Criteria CAR Ch. 7 (669b) & Ch. 7 (669c)


CAR Ch. 7 (669b)
1.03 The FRFI is calculating the operational risk
regulatory capital requirement as the sum
of expected loss and unexpected loss.
1.04 The FRFI is adequately capturing the
expected loss in its internal business
practices.
CAR Ch. 7 (669c)

SG 160

SG 161

1.05 The FRFI's AMA model captures the major
drivers of the operational risk affecting the
shape of the tail loss estimates.
Granularity
1.06 The FRFI's risk measurement system is
sufficiently granular to capture the major
drivers of operational risk affecting the
shape of the tail of the loss estimates.
1.07 The FRFI clearly defines operational risk
categories (ORC) and ensures that ORCs
reflect the unique nature of its business
models and risk profiles.
1.08 The FRFI uses comparable standards when
selecting ORCs for modelling operational
risk.


SG 162

1.09 The FRFI takes into account the nature and
complexity of business activities and the
operational risks to which they are exposed
when choosing their operational risk
categories.

SG 163

1.10 The FRFI ensures that:
- the model takes into account the FRFI's
idiosyncrasies. These may include the
business profile, risk profile, history of
operational losses, business environment
and other factors.
- for modelling purposes, risks sharing
common factors are grouped together.

SG 164

1.11 The FRFI has in place a procedure or a
policy to ensure that the choice of
granularity remains valid when a major
change in the organisational or risk profile
of the FRFI occurs.

SG 165

1.12 The FRFI has determined the optimum
balance between granularity of the classes
and volume of historical data for each class.

SG 166

1.13 The FRFI's choice of operational risk
categories is reasonable and does not
adversely impact other factors of the
operational risk model, such as
diversification assumptions, correlations
and capital allocation.

SG 167

1.14 The FRFI's choice of granularity is
supported by qualitative and quantitative
means.


1.15 With respect to the choice of granularity, the
FRFI has quantified its impact on capital
charge and its reasonableness.
SG 168

1.16 The FRFI has in place documentation to
support the choice of the number of ORCs.
1.17 The FRFI has a robust process in place and
statistical means to validate correlation
assumptions.

SG 169

1.18 The FRFI's capital allocation to internal
business lines is considered when choosing
ORCs.
1.19 When using an allocation method that is
very different in nature from the choice of
ORCs, the FRFI ensures that its choice of
ORCs and allocation method was
reasonable in the first place.

SG 170

Distributional Assumptions
1.20 The FRFI's distributional assumptions
underpin most, if not all, operational risk
modelling approaches and are generally
made for both the frequency and severity of
operational risk loss events.
SG 171

1.21 The FRFI's choice of distributions considers
the existence and size of the threshold
above which data are captured and
modelled.

1.22 The FRFI is able to demonstrate that its
approach captures potentially severe tail
loss events.


1.23 The FRFI's operational risk measure meets
a soundness standard comparable to that
of the internal ratings-based approach for
credit risk (i.e. comparable to a one year
holding period and a 99.9th percentile
confidence interval).

SG 172

1.24 The FRFI has an appropriate de minimis
gross loss threshold for internal loss data
collection.

SG 173

1.25 The FRFI's distributions are fitted to the
calculation dataset, which represents the
portion of gathered data, either actual or
constructed, that fulfils the necessary
conditions to serve as inputs into the AMA
model. Such necessary conditions include
perimeter of application (i.e. AMA compliant
parts only, observation period, reference
date, modelling threshold and data
treatment).

SG 174

1.26 The FRFI has a comprehensive set of
distributions to be used in the modeling of
frequencies and the supported rationale.

SG 175

1.27 The FRFI has a comprehensive set of
distributions to be used in the modeling of
severity and the supported rationale.

SG 176

1.28 The FRFI has identified principles for
determining whether the chosen
approaches for modelling operational risk
losses are inconsistent with the underlying
data or supervisory expectations.

SG 177

1.29 A FRFI closely follows the evolution and
development of best practices surrounding
the basic principles and pertinent criteria
related to distributional assumptions.

1.30 The FRFI updates and improves its
measurement system as appropriate in
accordance with the current best practices.

Distributional Assumptions: Building Of The Calculation Dataset
SG 178
1.31 The FRFI has a policy to identify when a
loss or an event recorded in the internal (or
external) loss event database is also to be
included in the calculation dataset.
1.32 The FRFI has a policy to provide a
consistent treatment for loss data across
the institution. Exceptions to the policy are
limited, duly documented and properly
addressed to prevent undue reduction of
the capital charge.
SG 179

1.33 The FRFI has developed policies and
procedures for the building of a proper
calculation dataset. This addresses several
features (i.e. perimeter of application,
observation period, reference date, de
minimis modelling thresholds and data
treatment).

SG 180

1.34 The FRFI's internally generated operational
risk measures are based on a minimum
historical observation period of five years.


1.35 For certain ORCs with low frequency of
events, the FRFI uses an observation
period greater than five years, collects
sufficient data to generate reliable
operational risk measures and ensures that
all material losses are included in the
calculation dataset.
1.36 For data series with long observation
periods, the FRFI considers the
heterogeneity arising from changes in the
risk profile through time.
1.37 The FRFI discards older data only as a last
resort for ORCs where loss experience is
sparse.
SG 181

1.38 The FRFI uses one of the reference dates
(occurrence date, discovery date,
contingent liability date or accounting date)
for building the calculation dataset, as long
as material loss data are not omitted. No
other dates are used for building the
calculation dataset.

SG 182

1.39 The FRFI uses the occurrence date for
building the calculation dataset if the FRFI
has not constrained or limited the
observation period.

SG 183

1.40 The FRFI uses a date no later than the
date of reserve for including legal related
losses/exposures in the calculation dataset.

SG 184

1.41 A FRFI has established a de minimis
modelling threshold for an ORC, so that
frequency and severity distributions in each
ORC are fitted to the data only in excess of
the threshold.


1.42 The FRFI has confirmed that the choice of
threshold for modelling does not adversely
impact the credibility and accuracy of the
operational risk capital charge.
SG 185

1.43 The FRFI has a specific technique for the
treatment of data from abandoned business
lines.
1.44 The FRFI has justified and has clearly
documented the identification and
treatment of these data points and has
provided estimates of the capital
requirements with and without this
treatment.

SG 186

1.45 The FRFI's use of de minimis modelling
thresholds that are much higher than the
data collection thresholds is limited and
properly justified by sensitivity analysis at
various thresholds.
1.46 The FRFI ensures that changes in the de
minimis modelling thresholds, when not
embedded in the model engine and driven
by specific reasons (e.g. discount rates),
are limited in number and duly motivated by
the need to better capture the risk profile of
the ORC.
1.47 The FRFI uses all operational losses above
the set de minimis modelling threshold,
whatever their amounts, for generating the
regulatory measures.

SG 188

1.48 The FRFI groups losses caused by a
common operational loss event and enters
them into the calculation dataset as a single
loss, unless a FRFI chooses to model
causality or dependence among those
losses in a different manner.
1.49 The FRFI has established policy guidelines
for internal loss data for deciding the
circumstances, types of data and
methodology for grouping data as
appropriate for their business, risk
management and capital charge modelling
needs.
1.50 The FRFI has clarified and documented its
judgement in applying the established
policy guidelines.
1.51 The FRFI's policy regarding the threshold
and dates for single losses is also applied
to grouped losses.

SG 189

1.52 The FRFI's calculation dataset excludes
grouping of small losses above the
threshold for modelling with no causal
relations for data collection and registration
purposes.

SG 190

1.53 The FRFI considers applying appropriate
adjustment rates on data when inflation or
deflation effects are material.

SG 191

1.54 The FRFI does not use loss net of
insurance recoveries as an input for its AMA
models.

SG 192

1.55 The FRFI calculates the total operational
risk capital charge gross of insurance
recovery in order to determine the 20% limit
and isolate the FRFI's methodology for
modelling insurance mitigation.

Distributional Assumptions: Identification Of The Probability Distributions
SG 193
1.56 A FRFI follows a well specified,
documented and traceable process for the
selection, update and review of probability
distributions and the estimate of their
parameters. This process results in
consistent and clear choices and is finalised
to properly capture the risk profile in the tail.
SG 195

1.57 The FRFI's selection of probability
distributions is consistent with all elements
of the AMA model.
1.58 The FRFI has performed statistical
goodness of fit tests to assess the model's
suitability.
1.59 The model is realistic (e.g. it generates a
loss distribution with a realistic capital
requirements estimate, without the need to
implement corrective adjustments such as
caps).
1.60 The model is well specified (e.g. the
characteristics of the fitted data are similar
to the loss data and logically consistent).
1.61 The model is flexible (e.g. the method is
able to reasonably accommodate a wide
variety of empirical data).


1.62 The model is simple (e.g. it is easy to
implement and it is easy to generate
random numbers for the purpose of loss
simulation).
SG 196

1.63 The FRFI's process of selecting the
probability distribution is well-documented,
verifiable and leads to a clear and consistent
choice.
1.64 The FRFI has performed exploratory data
analysis (EDA) for each ORC.
1.65 The FRFI uses appropriate techniques for
the estimation of the distributional
parameters.
1.66 The FRFI uses appropriate diagnostic tools
for evaluating the quality of the fit of the
distributions to the data, giving preference
to those most sensitive to the tail.

SG 197

1.67 The FRFI makes use of statistical tools
which include, but are not limited to, scatter
plots, time series autocorrelation plots,
empirical distribution plots, histograms and
regression analysis in order to examine the
statistical properties of each ORC (i.e.
homogeneity, independence, stationarity).

1.68 Where applicable, the FRFI uses other
tools, such as p-p plots, q-q plots and mean
excess plots to provide preliminary
evidence on the type and shape of the
probability distributions.

SG 200

1.69 The FRFI pays particular attention to the
positive skewness and, above all,
leptokurtosis of the data when selecting a
severity distribution.
1.70 The FRFI does not use the empirical curve
to estimate the tail region when the data are
medium/heavy tailed.

SG 202

1.71 The FRFI has carefully considered the
choice of the body-tail modelling threshold
that distinguishes the two regions, when
separate distributions for the body and tail
are used.
1.72 The FRFI has documented statistical
support, supplemented as appropriate by
qualitative elements, for the selected
threshold.
1.73 The FRFI's estimate of the body-tail
modelling threshold is made conjunctly with
the parameters of the distribution.
1.74 The FRFI supports the determination of the
threshold with graphical and visual
techniques, including but not limited to
exploratory data analysis (e.g. hill plot,
mean excess function plot).
1.75 The FRFI employs sound methods to
connect the body and tail distributions.
1.76 A FRFI does not allow jumps in the
probability mass function when attaching
the body and tail of the distributions, in
order to guarantee that the Low Frequency
High Impact (LFHI) and High Frequency
Low Impact (HFLI) regions are mutually
exclusive and are properly reflected in the
aggregated distribution.

SG 203

1.77 The FRFI takes into account the
incompleteness of the calculation dataset in
the model when estimating the parameters
of the distribution.
1.78 The FRFI provides evidence that an
incomplete calculation dataset does not
adversely impact the credibility and
accuracy of the parameter estimates and
capital requirements.

SG 204

1.79 The FRFI pays particular attention to the
estimate of the kurtosis-related parameters,
which describe the tail region of the losses.
1.80 The FRFI has in place methodologies to
reduce estimate variability and provides
measures of the error around the estimates
(e.g. confidence intervals, p-values).

SG 205

1.81 The FRFI uses robust estimation methods
(such as alternatives to classical methods
like the Maximum Likelihood and the
Probability Weighted Moments), which are
reasonably efficient under small deviations
from the assumed model. These methods
also highlight which observations or
deviating substructures have the greatest
influence on the statistic to be estimated.

1.82 The FRFI has demonstrated that risk in the
tail is not underestimated if it uses
alternatives to classic estimators.

SG 206

1.83 The FRFI assesses the quality of fit
between the data and the selected
distribution.
1.84 The FRFI gives preference to graphical
methods and goodness-of-fit tests that are
more sensitive to the tail than to the body of
the data (e.g. the Anderson Darling upper
tail test) in selecting the tools.

SG 207

1.85 The FRFI considers selection methods that
use the relative performance of the
distributions at different confidence levels.

SG 208

1.86 The FRFI has a regular cycle to verify
assumptions underlying the probability
distributions it has selected.

Distributional Assumptions: Considerations For AMA Models Based On Scenario Analysis
SG 210

1.87 The FRFI generally uses the same curve
for modelling the severity of the scenario
data across all ORCs, regardless of its
business, size and complexity.

SG 211

1.88 The FRFI ensures that the loss
distribution(s) chosen to model scenario
analysis estimates adequately represents
the risk profile of the ORCs.
1.89 The FRFI considers the potential
differences with an LDA in terms of level of
granularity and dependence across the
ORCs while using loss distribution to model
scenario data.

Distributional assumptions: Determination of aggregated loss distributions and risk measures


SG 212

1.90 The FRFI's techniques to determine the
aggregated loss distributions ensure
adequate levels of precision and stability of
the risk measures. The risk measures are
monotonic, reasonable and supplemented
with information on their level of accuracy.

SG 213

1.91 The FRFI uses several statistical
techniques to generate the aggregated loss
distributions from frequency and severity
curves and parameter estimates.

SG 214

1.92 The FRFI adopts criteria that mitigate
sample and/or numerical errors and provide
a measure of the magnitude of these
errors, regardless of the techniques used to
aggregate frequency and severity
distributions.

SG 215

1.93 The FRFI has proved that wherever Monte
Carlo Simulation is used, the number of
steps to be performed is sufficient to reduce
sampling variability.

SG 216

1.94 The FRFI ensures that where Fourier
Transform or other numerical methods are
used, it pays attention to algorithm stability
and error propagation issues.

SG 217

1.95 The FRFI has a single statistical risk
measure extracted from the aggregated
loss distribution which can be computed at
any confidence level.


SG 218

1.96 The FRFI ensures that its risk measure
(and the overall AMA model) fulfils the
monotonic principle of risk, which can be
seen in the generation of higher capital
requirements when the underlying risk
profile increases.

SG 219

1.97 The FRFI ensures the risk measures (while
using conservative criteria and assumptions
for prudential purposes) are realistic from a
managerial and economical perspective.

SG 220

1.98 The FRFI recognises that the estimated
capital charge is inherently uncertain due to
the heaviness and scarcity of operational
risk losses in the tail region. As such, the
FRFI explicitly recognises this variability in
their estimates and provides measures of
the error around these estimates.

SG 221

1.99 The FRFI gathers information on the
expected loss, median and trimmed mean
and their sensitivity to extreme losses.

2. Correlation and Dependence

CAR
Ch. 7 (669d)

2.01 Internally determined correlations are used
in operational risk modelling. The FRFI can
demonstrate that its systems for
determining correlations are sound and
implemented with integrity and take into
account the uncertainty surrounding any
such correlation estimates (particularly in
periods of stress).


2.02 The FRFI validates its correlation
assumptions using appropriate quantitative
and qualitative techniques.
SG 223

2.03 The FRFI has the capacity to identify the
influence of dependence in the observed
frequency and severity of losses with the
FRFI.

SG 224

2.04 The FRFI ensures that cross-FRFI
differences in dependence approach do not
lead to spurious differences in exposure
estimates.

SG 228

2.05 The FRFI has performed, to the greatest
extent possible, an appropriate combination
of empirical data analysis and expert
judgment to support the dependence
assumptions.
2.06 The FRFI's expert judgement on the
correlation assumption is defendable with
empirical evidence.

SG 229

2.07 The FRFI's assumptions regarding
dependence are conservative and the
dependence structures considered are not
limited to those based on Normal or
Normal-like (e.g. T-Student distributions
with many degrees of freedom)
distributions, as normality may
underestimate the amount of dependence
between tail events.

SG 230

2.08 The FRFI acknowledges the limitation of
the trade-off between rigor and
conservatism, i.e. the degree of
conservatism should increase as the rigor
of the dependence model and the reliability
of the resulting capital requirements
estimates decrease.
2.09 The FRFI has not adopted a high degree of
conservatism to compensate for an
approach to dependence that suffered from
fundamental deficiencies.

SG 231

2.10 The FRFI confirms that when losses within
each ORC are not independent of each
other, then either within-ORC dependence
is modelled explicitly or the input data is
modified to achieve independence across
individual losses.

SG 232

2.11 The FRFI's dependence is not
inappropriately affected by the choice of
granularity.

SG 233

2.12 The FRFI has performed sensitivity
analyses and stress testing (e.g. different
parameter values and different correlation
models) on the effect of alternative
dependence assumptions on its operational
risk capital charge estimate.
2.13 The FRFI has put a rigorous process in
place specifying the conditions under which
the results based on alternative
dependence assumptions would lead to a
revision of the operational risk capital
requirements estimate.

3. Internal Data

CAR
Ch. 7 (671)

3.01 The FRFI has documented procedures for
assessing the historical internal loss data
for its relevance and use in the operational
risk measurement system.

CAR
Ch. 7 (672)

3.02 The FRFI is using at least 3 years of
historical internal loss data if internal loss
data is being used to either build or validate
the operational risk measurement system.

CAR
Ch. 7 (673)

3.03 The FRFI has documented its criteria for
mapping historical internal loss data to
Basel business lines and event types.
3.04 The internal loss data is comprehensive
and captures appropriate sub-systems and
geographic locations.
3.05 The FRFI has an appropriate gross loss
threshold for internal loss data collection.
3.06 The FRFI has specific criteria for allocating
operational losses that span across
business lines or occur in a centralized
function.
3.07 All material operational losses related to the
definition of operational risk are identified in
the loss data collection.

SG 247

3.08 The inputs to the AMA model are based on
data that represent the FRFI's business risk
profile and risk management practices.


3.09 The FRFI uses ILD in the operational risk
measurement system (ORMS) to assist in
the estimation of loss frequencies; to inform
the severity distribution(s) to the extent
possible; and to serve as an input into
scenario analysis.
3.10 In instances where the FRFI has limited
high severity internal loss events to inform
the tail of the distribution(s) for their capital
charge modeling, the FRFI considers the
impact of relevant ED and/or scenarios for
producing meaningful estimates of capital
requirements.
4. External Data

CAR
Ch. 7 (674)

4.01 The FRFI's system uses relevant external
loss data in its operational risk
measurement system.
4.02 The FRFI has a systematic process for
determining how and when external loss
data is used in its operational risk
measurement system.
4.03 The conditions and practices for using
external loss data are regularly reviewed,
documented and subject to periodic
independent review.

SG 248

4.04 The FRFI uses ED in the estimation of loss
severity as ED contains valuable
information to inform the tail of the loss
distribution(s).

SG 249

4.05 The FRFI has addressed biases in the
methodology to incorporate ED into the
capital model.

SG 250

4.06 The FRFI's ED filtering process results in a
consistent selection of data regardless of
loss amount.
4.07 The FRFI has a policy which outlines
criteria for exceptions and documentation
supporting the rationale for any exceptions.
4.08 The FRFI has a scaling process which is
systematic, statistically supported and
which provides output that is consistent with
the FRFI's risk profile.

SG 251

4.09 The FRFI relies mainly on other datasets
when little or no relevant ED exists.

5. Scenario Analysis

CAR
Ch. 7 (675)

5.01 The FRFI uses scenario analysis of expert
opinion in conjunction with external data to
evaluate its exposure to high-severity
events.
5.02 The FRFI uses scenario analysis to assess
the impact of deviations from the correlation
assumptions embedded in the FRFI's
operational risk measurement framework, in
particular, to evaluate potential losses
arising from multiple simultaneous
operational risk loss events.

SG 253

5.03 The FRFI has a robust scenario process
which provides inputs for estimating an
appropriate level of conservatism in the
choice of the final regulatory capital charge.

SG 254

5.04 The FRFI's scenario data provides a
forward-looking view of potential operational
risk exposures.


5.05 The FRFI has a robust governance
framework surrounding the scenario
process in order to ensure the integrity and
consistency of the estimates produced.
5.06 The FRFI has a clearly defined and
repeatable process.
5.07 The FRFI ensures that there is a good
quality background preparation of the
participants in the scenario generation
process.
5.08 The FRFI has qualified and experienced
facilitators with consistency in the
facilitation process.
5.09 The FRFI has confirmed that the
appropriate representatives of the business,
subject matter experts and the corporate
operational risk management function are
participants involved in the process.
5.10 The FRFI has a structured process for the
selection of data used in developing
scenario estimates.
5.11 The FRFI has in place high quality
documentation which provides clear
reasoning and evidence supporting the
scenario output.
5.12 The FRFI has put in place a robust
independent challenge process and
oversight by the corporate operational risk
management function to ensure the
appropriateness of scenario estimates.


5.13 The FRFI has put in place a process that is
responsive to changes in both the internal
and external environment.
5.14 The FRFI has put in place mechanisms
for mitigating biases inherent in scenario
processes. Such biases include anchoring,
availability and motivational biases.
6. Business Environment and Internal Control Factors

CAR
Ch. 7 (676)

6.01 Factors used in the operational risk
measurement system are meaningful risk
drivers and were chosen based on
experience and expert judgement.
6.02 The framework and each instance of its
application must be documented and
subject to independent review.

SG 255

6.03 The FRFI continues to investigate and
refine measures of BEICFs and explore
methods for incorporating them into the
capital model.

SG 256

6.04 The FRFI has in place a document to
support the use of BEICFs as either direct
input into the quantification framework or as
indirect input into the quantification
framework and ex-post adjustment to model
output.

6.05 The FRFI has clear policy guidelines that
limit the magnitude of either positive or
negative adjustments.
6.06 The FRFI has a policy in place to handle
situations where the adjustments actually
exceed these limits based on the current
BEICFs.
6.07 The FRFI's BEICF adjustments are well-supported.

7. Use of the Four Data Elements

Detailed Criteria CAR Ch. 7 (669a), Ch. 7 (669e) & Ch. 7 (669f)
CAR
Ch. 7 (669a)

7.01 Any internal operational risk measurement
system must be consistent with the scope
of operational risk defined by the
Committee in paragraph 644 and the loss
event types defined in Annex 9.
CAR
Ch. 7 (669e)

7.02 Key elements of the FRFI's operational risk
measurement system include the use of
internal data, relevant external data,
scenario analysis and factors reflecting the
business environment and internal control
system.

CAR
Ch. 7 (669f)

7.03 Weighting of the 4 fundamental elements is
credible, transparent, well-documented and
verifiable.
7.04 The approach for weighting the 4
fundamental elements is internally
consistent.
7.05 Double counting of qualitative assessments
or risk mitigants already recognised in other
elements of the framework is avoided in the
approach for weighting the 4 fundamental
elements.

SG 235

Use of Data Elements Within the AMA Model


7.06 The FRFI's AMA model makes use of four
data elements which are: internal loss data
(ILD); external data (ED); scenario analysis
(SA) and business environment and internal
control factors (BEICFs).

SG 236

7.07 The FRFI confirms the use of the four data
elements which include the internal data,
relevant external data, scenario analysis
and factors reflecting the business
environment and internal control systems.
7.08 The FRFI has a credible, transparent,
well-documented and verifiable approach for
weighting these fundamental elements in its
overall operational risk measurement
system.
7.09 The FRFI has the ability to demonstrate
that its approach captures potentially
severe tail loss events.

SG 237

SG 257

7.10 The FRFI has clearly illustrated that its
combination of the four data elements is
sufficient for the purpose of estimating high
percentiles.
Combining the elements
7.11 The FRFI considers how the data elements
are combined and used to ensure that the
operational risk capital charge is
commensurate with its level of risk
exposure.
7.12 The FRFI provides a clearly articulated
rationale for the modelling choices and
assumptions and conducts sufficient
research and analysis to support the
decisions. The approach adopted
encourages ownership of the outcomes and
is readily understood by the business.


7.13 The FRFI demonstrates that there is
sufficient connection between the
measurement and the management of
operational risk within the FRFI.
7.14 The FRFI undertakes ongoing investigation
into the combination of the four data
elements within AMA models.
SG 258

Mixing of outcomes from AMA sub-models


7.15 The FRFI demonstrates a clear
understanding of the influence of each
dataset in the capital model.

SG 259

7.16 The FRFI has a clear understanding of how
each of the four data elements influences
the capital charge.

SG 260

7.17 The FRFI avoids arbitrary decisions when
combining the results from different
sub-models within the AMA model.

Combining data elements with the capital model


SG 261
7.18 The FRFI's combination of data elements
within the capital model is based on a
sound statistical methodology.
8. Risk Mitigation

CAR
Ch. 7 (677)

8.01 The FRFI recognizes the risk mitigating
impact of the insurance in the measures of
operational risk used for regulatory
minimum capital requirements.
8.02 The recognition of insurance mitigation is
less than 20% of the total operational risk
regulatory capital charge.

CAR
Ch. 7 (678)

8.03 The insurance provider has a minimum


claims paying ability rating of A.
8.04 The insurance policy has an initial term of
no less than one year.
8.05 The insurance policy has a minimum notice
period for cancellation of 90 days.


CAR
Ch. 7 (678)


8.06 The insurance policy has no exclusions or


limitations triggered by supervisory actions.
8.07 The risk mitigation calculations reflect the
insurance coverage.
8.08 The insurance is provided by a third-party
entity.
8.09 The FRFI discloses a description of its use
of insurance for the purpose of mitigating
operational risk.
9. Allocation Methodology

CAR
Ch. 7 (656)

9.01 The FRFI intends, with supervisory


approval, to use an allocation mechanism
for the purpose of determining the
operational risk capital requirement for its
subsidiaries.

10. Partial Use

CAR
Ch. 7 (680)

10.01 All operational risks of the FRFI's global,


consolidated operations are captured.
10.02 AMA qualitative criteria are met for areas of
the FRFI covered by the AMA, and those
parts of the operations covered by one of
the simpler approaches meet the
qualifying criteria for that approach.
10.03 On the date of implementation of an AMA, a
significant part (defined as 75% or more) of
the FRFI's operational risks are captured by
the AMA.
10.04 Five years after the date of implementation
of an AMA, a material part (defined as 90%
or more) of the FRFI's operational risks are
captured by the AMA.


PROTECTED B WHEN COMPLETED

Internal Audit (Audit Status)

Validation

Comments, Including Names of Supporting Documents
