
PROTECTED B WHEN COMPLETED

BASEL II OPERATIONAL RISK


Self-Assessment Template for TSA & AMA Institutions

INSTITUTION:

DATE:

A. OPERATIONAL RISK GOVERNANCE


Area of Assessment Reference # Criteria Information Request Assessment Rating

Board of Directors

1. Board of Director approvals

CAR Ch 6 (660) & Ch 7 (664)

SP (12)

(a) Frequency of Board review of firm-wide framework to operational risk management. None

1.1 The board of directors is actively involved in the oversight of the operational risk management framework. 1.2 The Board has approved a firm-wide framework to manage operational risk as a distinct risk to the bank's safety and soundness. 1.3 The Board has provided senior management with clear guidance and direction regarding the principles underlying the framework. 1.4 The Board has reviewed policies developed by senior management. 2.1 The Board has reviewed the framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems. 2.2 The Board has assessed industry best practices in operational risk management, appropriate for the bank's activities, systems and processes. 3.1 The bank has an operational risk management system that is conceptually sound and is implemented with integrity. 3.1 The bank's operational risk framework should be based on an appropriate definition of operational risk that clearly articulates what constitutes operational risk in that bank. 3.2 The bank has established its appetite and tolerance for operational risk, specified through policies for managing this risk and the bank's prioritization of operational risk management activities, including operational risk transferred outside the bank.

None

2. Regular review of framework by Board of Directors

SP (15)

(a) List operational risk policies developed by senior management and provide approval/review status of each. (a) Identify how the bank assesses external operational risk factors and operational risks associated with new products.

3. Operational risk strategy

CAR Ch 6 (660) & Ch 7 (664) SP (13)

(a) Identify how the Board is educated and kept up to date on Basel II operational risk, including industry best practices in operational risk management and industry issues. None

(a) Provide the enterprise wide definition of operational risk.

3.3 The bank has established policies outlining its approach to identifying, assessing, monitoring and controlling/mitigating the risk. Operational Risk Governance

(a) Provide details on the bank's risk appetite and operational risk tolerance. (b) Identify how the bank's appetite and tolerance for operational risk is communicated throughout the bank. (c) Describe the bank's management of operational risks transferred outside the bank. (a) List all operational risk policies.

Page 3 of 36

None

4. Board of Director's establishment of a management structure

SP (14)

3.4 The bank has ensured that the level of formality and sophistication of its operational risk management framework is commensurate with its risk profile. 4.1 The Board has established a management structure capable of implementing the firm's operational risk management framework. 4.2 The bank has established separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions. 4.3 The bank has articulated key processes necessary to have in place to manage operational risk.

(a) Provide the bank's organization chart that describes the lines of management responsibility, accountability and reporting for operational risk. None

None

Senior Management 5. Role of senior management

CAR Ch 6 (660) & Ch 7 (664) SP (18)

5.1 Senior management is actively involved in the oversight of the operational risk management framework. 5.2 Senior management has translated the operational risk management framework into specific policies, processes and procedures. 5.3 Senior management has implemented the operational risk management framework consistently across the whole bank. 5.4 Senior management has assigned authority, responsibility and reporting relationships to encourage and maintain accountability.

None

None

None

None

5.5 The bank has ensured the availability of necessary resources to manage operational risk effectively. Information Request: None. 5.6 The bank has assessed the appropriateness of management oversight process in light of risks inherent in a business unit's policy. Information Request: None.

6. Effective communication of risk management

SP (20)

6.1 Senior management has ensured that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market and other risks, as well as those in the firm responsible for the procurement of external services such as insurance purchasing and outsourcing agreements. Information Request: None.


Operational Risk Management Function

7. Operational risk management function

CAR Ch 6 (663a)

7.1 The bank has an operational risk management system with clear responsibilities assigned to an operational risk management function. Information Request: None. 7.2 The operational risk management function develops strategies to identify, assess, monitor and control/mitigate operational risk. Information Request: None. 7.3 The operational risk management function codifies firm-level policies and procedures concerning operational risk management and controls. 7.4 The operational risk management function designs and implements the firm's operational risk assessment methodology. 7.5 The operational risk management function designs and implements the risk-reporting system for operational risk. 7.6 AMA banks only: The operational risk management function is independent and responsible for the design and implementation of the bank's operational risk management framework. 8.1 The bank has an operational risk management system that is well documented. 8.2 The bank has a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which includes policies for the treatment of non-compliance issues. 8.3 AMA banks only: The internal operational risk measurement system is closely integrated into the day-to-day risk management processes of the bank. Its output is an integral part of the process of monitoring and controlling the bank's operational risk profile. 8.4 The bank has decided between using appropriate procedures to control/mitigate identified operational risks, or bear the risks. None

None

None

CAR Ch 7 (666a)

(a) Explain how the operational risk management function is independent and identify its key responsibilities.

Risk Management - Operational Risk

8. Operational Risk control and mitigation

CAR Ch 6 (663d) & Ch 7 (666d)

None

(a) Describe how the bank ensures compliance with its internal policies, controls and procedures for operational risk.

CAR Ch 7 (666d)

(a) Identify how and where the operational risk measurement system is integrated into the bank's risk management processes.

SP (31)

(a) Identify how the bank decides on its risk appetite and tolerance.


SP (31)

(a) Describe how the bank manages operational risks that cannot be controlled.

9. Strong internal control culture

SP (32)

10. Staffing

CAR Ch 6 (660) & Ch 7 (664) SP (19)

8.5 For risks that cannot be controlled, the bank has decided how it will approach the operational risks (e.g., accept the risk, reduce the level of business activity or withdraw from the activity completely). 8.6 The bank has a routine for ensuring compliance with documented internal policies concerning operational risk management systems, including verifying compliance with management controls. 9.1 Board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank. 10.1 The bank has sufficient resources in the major business lines to implement the adopted approach to operational risk, including control and audit areas. 10.2 Bank activities are conducted by staff that is qualified with the necessary experience and technical capabilities. 10.3 Staff responsible for monitoring and enforcing compliance have authority independent from the units they oversee. 10.4 Clear communication of operational risk management policy to staff at all unit levels incurring material operational risks. 11.1 Effective internal control system requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities that may create a conflict of interest. 11.2 Areas of conflicts of interest are identified and minimized, and are subject to careful independent monitoring and review. 12.1 In addition to segregation of duties, the bank has ensured that other internal practices are in place as appropriate to control operational risk. 13.1 The bank has paid special attention to internal control activities where it engages in new activities, develops new products, enters unfamiliar markets, and/or engages in unfamiliar geographic regions.

(a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.

None

None

(a) Provide a description of current resources in both internal audit and risk management functions. (a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence. (a) Identify how the Bank's operational risk management policy is communicated throughout the bank. None

11. Segregation of duties

SP (33)

None

12. Other internal practices

SP (34)

(a) Identify other internal practices in place to control operational risk.

13. Operational risk assessments of new business

SP (35)

(a) Identify the bank's operational risk assessment process for new business.



14. Operational risk mitigation tools for low frequency/high severity losses

SP (36)

(a) Identify any risk mitigation tools or programmes used to reduce exposure to high frequency/low severity events. None

SP (37)

15. Information technology as operational risk mitigation tools

16. Documentation controls and transaction-handling practices

SP (38)

SP (22)

17. Remuneration policies

Internal Audit Function

18. Internal audit coverage

SP (21)

14.1 Operational risk mitigation tools or programmes are used to reduce the exposure to, or frequency and/or severity of, such events that cannot be controlled. 14.2 Operational risk mitigation tools are complementary to thorough internal operational risk control. 15.1 Investments in appropriate processing technology and information technology security have been utilized. 16.1 The bank has well documented policies, processes and procedures related to advanced technologies supporting high transaction volumes. 17.1 Remuneration policies are consistent with the bank's operational risk appetite. 18.1 The bank's operational risk management processes and assessment system are subject to validation and regular independent review (these reviews include the activities of both the business units and of the operational risk management function). 18.2 There has been adequate internal audit coverage to verify effective implementation of policies and procedures (including activities of business units and operational risk management function). 18.3 There is Board assurance that the scope and frequency of audit programme is appropriate to the risk exposures. 18.4 Audit has performed a periodic validation that the firm's operational risk management framework is being implemented effectively across the firm. 19.1 The internal audit function does not have direct operational risk management responsibilities. [Note: The internal audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.]

None

(a) List documented policies, processes and procedures related to advanced technologies supporting high transaction volumes. (a) Identify any remuneration policies.

CAR Ch 6 (663e)

(a) Describe the responsibilities of the audit function with respect to operational risk.

SP (16)

(a) Describe the audit plan, scope and work completed with respect to operational risk management.

None

None

19. Independence of Internal Audit

SP (17)

(a) Describe how the internal audit function maintains its independence from operational risk management.



Operational Risk Reporting

20. Regular and effective monitoring of operational risk profile

(a) Identify operational risk reporting activities directed at senior management and the board of directors and indicate the frequency. (a) Describe how the bank uses the information within operational risk management reports. (a) Describe monitoring process of policies, processes and procedures.

CAR Ch 6 (663c) & Ch 7 (666c)

20.1 The bank has regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. 20.2 The bank has procedures for taking appropriate action according to the information within the management reports.

SP (26)

20.3 There are practices in place for prompt detection and management of deficiencies in policies, processes and procedures for managing operational risk. 20.4 The bank has established policies for identification of appropriate indicators that provide early warning of an increased risk of future losses. 21.1 Frequency of monitoring reflects operational risks involved and frequency and nature of changes in the operating environment. 21.2 Reports are included in regular management and Board reports. 22.1 Senior management has received regular reports from appropriate areas such as business units, group functions, the operational risk management office and internal audit. 22.2 Operational risk reports contain internal financial, operational, and compliance data, and other information relevant to decision making. 22.3 Reports reflect identified problem areas and motivate timely corrective action on outstanding issues.

SP (27)

(a) Identify early warning indicators used for operational risk in reporting activities.

21. Frequency of monitoring

SP (28)

None

None (a) Provide a list of regular reports from business units, group functions, operational risk management office and internal audit reviewed by senior management and indicate the reporting frequency. None

22. Reporting to senior management

SP (29)

(a) Describe how reports are used to ensure that problem areas receive appropriate corrective action.


Rating Rationale


B. GROSS INCOME MAPPING


Area of Assessment Reference # Criteria Information Request Assessment Rating

1. Gross income mapping policies and documentation

CAR Ch 6 (662) Ch 7 (662)

1.1

Specific policies and documentation of criteria have been developed for mapping gross income for current business lines and activities into the standardised framework. Criteria must be reviewed and adjusted for new or changing business activities as appropriate. All activities are mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.

(a) Provide all policies and documentation of criteria developed for mapping gross income. None

1.2

2. Principles of business line mapping

CAR

Ch 6 Annex 6(a) Ch 7 Annex 6(a)

2.1

CAR

Ch 6 Annex 6(b) Ch 7 Annex 6(b)

2.2

2.3

CAR

Ch 6 Annex 6(c) Ch 7 Annex 6(c)

2.4

CAR

Ch 6 Annex 6(d) Ch 7 Annex 6(d)

2.5

CAR
Ch 6 Annex 6(e) Ch 7 Annex 6(e)

2.6

Any banking/non-banking activity that cannot be readily mapped into the business line framework, but which represents an ancillary function to an activity included in the framework, is allocated to the business line it supports. If more than one business line is supported through the ancillary activity, an objective mapping criteria is used. If an activity cannot be mapped into a particular business line then the business line yielding the highest charge is used. The same business line equally applies to any associated ancillary activity. Internal pricing methods are used to allocate gross income between business lines provided that total gross income for the bank still equals the sum of gross income for the eight business lines. Mapping activities into business lines for operational risk capital purposes are consistent with the definitions of business lines used for regulatory capital calculations in other risk categories. Any deviations must be clearly motivated and documented. The mapping process is clearly documented. More specifically, business line definitions are sufficiently documented to allow for business line mapping replication.

(a) Identify if all activities have been mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner. (b) Identify any existing gaps and the action plans to close them. None

(a) If appropriate, describe the objective mapping criteria being used. (a) Identify any activities that could not be mapped into a particular business line and provide the charge used.

(a) Discuss the pricing methods used to allocate gross income.

(a) Identify any activities that are inconsistent with Basel business line definitions. (b) Identify motivations for any existing deviations.

CAR
Ch 6 Annex 6(f) Ch 7 Annex 6(f)

2.7

(a) Identify documentation for mapping process and assess its allowance for business line mapping replication.



2.8

Documentation clearly motivates any exceptions or overrides and is kept on record. Processes are in place to define the mapping of any new activities or products.

(a) Identify how documentation addresses exceptions and overrides. (a) Identify processes in place to define the mapping of any new activities or products. (a) Identify who is responsible for the mapping policy. (b) Identify the format in which the mapping policy has been presented and approved by the Board. (a) Identify if the mapping process has been subject to independent review (and by whom). If independent review has not taken place, identify future plans to do so.

CAR
Ch 6 Annex 6(g) Ch 7 Annex 6(g)

2.9

CAR
Ch 6 Annex 6(h) Ch 7 Annex 6(h)

2.10 Senior management is responsible for the mapping policy.

CAR
Ch 6 Annex 6(i) Ch 7 Annex 6(i)

2.11 The mapping process to business lines is subject to independent review.


Rating Rationale


C. LOSS DATA COLLECTION


Area of Assessment Reference # Criteria Information Request Assessment Rating

1. Bank's internal operational risk assessment system using operational loss data

CAR Ch 6 (663b)

1.1 The bank has a systematic tracking of relevant operational risk data including material losses by business line.

(a) Provide details on the operational loss data collection process (centralized vs. decentralized). (b) List the source systems used and provide detail on how they are used in the loss collection process. (c) Identify the function responsible for the data collection. (d) List the criteria for collection of operational losses. (e) Identify the status of data collection on an enterprise wide level. (f) Provide the historical length of operational loss data. (g) Identify how the bank ensures that data is collected in a complete and consistent manner. (h) Identify whether operational losses are mapped to Basel II lines of business and event types. (i) List the data fields populated in the collection of loss data. (j) Describe how the bank distinguishes credit and market risk losses that are a result of operational events. (k) Provide details on how the bank collects multiple operational losses resulting from one event. (l) List all policies & procedure documents relating to loss data collection.

1.2 There is close integration of the operational risk assessment system into the risk management process of the bank.

(a) Explain how the bank uses the operational risk assessment system in its risk management process.

1.3 Output is an integral part of the process of monitoring and controlling the bank's operational risk profile.

(a) Describe how the bank uses operational risk data (including loss data) to monitor the bank's operational risk profile.

1.4 Operational risk data (including loss data) has a role in risk reporting, management reporting, and risk analysis.

(a) List all reports using operational risk data (including loss data), identifying how the reports are distributed.

1.5 There are techniques for creating incentives to improve the management of operational risk throughout the firm.

(a) Identify any techniques the bank uses for creating incentives to improve the management of operational risk throughout the firm.



2. Regular reporting of operational risk exposures

CAR Ch 6 (663c)

(a) List all reports that include operational risk exposures (including material losses), identifying frequency, owners of report and audience of the report. (a) Describe how the operational risk exposure reports are used to respond to operational risk and the management of the risk.

2.1 There is regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors. 2.2 There are procedures for taking appropriate action according to the information within the management reports.


Rating Rationale


D. RISK AND CONTROL SELF-ASSESSMENT / KEY RISK INDICATORS


Area of Assessment Reference # Criteria Information Request Assessment Rating

1. Risk identification

SP (23)

(a) Describe the bank's processes for identification of both internal and external risk factors. None

2. Assessment of identified risks

SP (24)

3. Tools for assessment of operational risk

SP (25)

1.1 The bank has an effective risk identification process of both internal and external factors that could adversely affect the achievement of the bank's objectives. 2.1 The bank assesses the vulnerability of potentially adverse risks to better understand risk profile and target risk management resources. 3.1 Self- or risk assessment - The bank completes an internal assessment of its operations and activities against a menu of potential operational risk vulnerabilities.

3.2 Self- or risk assessment - This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment. 3.3 Risk mapping - The bank has mapped various business units, organizational functions or process flows by risk types.

(a) Identify if the bank is using a Risk Control Self-Assessment process. (b) Describe the process and state if it is an enterprise wide process. (c) Describe how RCSA results are used in risk identification as well as mitigation. (d) Describe the effectiveness of the risk control self-assessment process. (a) Describe how the process identifies the strengths and weaknesses of the operational risk environment.

3.4 Risk indicators - The bank uses statistics and/or metrics to provide a bank's risk position.

(a) Identify if the bank is risk mapping business units, organizational functions or process flow by risk types. (b) Describe this risk mapping process. (c) Describe how risk mapping is used for risk identification and mitigation. (a) Identify if the bank is using key risk indicators to assess operational risk. (b) Provide list of key risk indicators used by the bank. (c) Describe how the key risk indicators were developed. (d) Identify how key risk indicators are used. (e) Describe how key risk indicators reported to senior management and the board are used. (a) Identify if the bank has established practices for quantification of operational risk exposure. (b) Describe the quantification approaches used. (a) List all reports of risk assessment tools and indicate how they are used.

3.4 Measurement - The bank has established practices for quantification of exposure to operational risk using a variety of approaches.

4. Reporting

n/a

4.1 Operational risk results from risk assessment tools are reported and used in the management of operational risk.

4.2 There is appropriate reporting of results from risk assessments tools to the Board, senior management and business units. None


Rating Rationale


E. OUTSOURCING, DISASTER RECOVERY PLAN AND BUSINESS CONTINUITY PLAN


Area of Assessment Reference # Criteria Information Request Assessment Rating

1. Outsourcing activities

SP (39)

(a) Identify all outsourcing policies.

1.1 The bank has established policies for managing the risks associated with outsourcing activities. 1.2 The board of directors and senior management have ensured that third-party activity is conducted in a safe and sound manner and in compliance with applicable laws. 1.3 Outsourcing arrangements have been based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing banks. 1.4 The bank is managing residual risks associated with outsourcing arrangements, including disruption of services. 1.5 The Board and management have ensured that the expectations and obligations of each party are clearly defined, understood and enforceable. 1.6 The bank carries out an initial due diligence test and monitors third-party activities on a regular basis.

(a) Describe the Board and senior management oversight of third-party activity.

None

SP (40)

(a) Describe the bank's process for determining the materiality of outsourcing arrangements. None

1.7 For critical activities, the bank has considered contingency plans, including availability of alternative external parties and costs and resources required to switch external parties.

2. Self-insure or retain operational risk

SP (41)

2.1 The bank's decision to retain or self-insure the risk is transparent within the organization and consistent with the bank's overall business strategy and risk appetite. Information Request: None.

None

3.1 The bank is required to establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.

(a) Describe the initial due diligence test and indicate how third-party activities are regularly monitored. (b) Describe the bank's program for managing and monitoring risks of the outsourcing arrangements. None



4. Disaster recovery and business continuity plans

SP (42)

(a) Describe the bank's process for identifying critical business processes.

3.2 The bank has identified critical business processes, including dependence on external vendors or third parties, for which rapid resumption of service would be most essential.

SP (43)

None 3.3 The bank has identified alternative mechanisms for resuming service in the event of an outage. (a) Identify the location of off-site facilities. 3.4 The off-site facilities where back-ups of records are stored are an adequate distance away from the impacted operations. 3.5 There is a periodic review of DRP/BCP to ensure consistency with the bank's current operations and business strategies. (a) Describe the bank's process for reviewing DRP/BCP.

SP (44)

3.6 Plans are tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption. (a) Identify the frequency for testing plans.

Note: In addition to the BIS Sound Practices, institutions are required to comply with the "OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes"


Rating Rationale


F. Advanced Measurement Approach Methodology


Area of Assessment Reference # Criteria Information Request Assessment Rating

1. AMA Model

CAR Ch 7 (667a)

(a) Provide a description of assumptions and inputs used to construct the model. None

CAR Ch 7 (669b)

1.1 The bank's AMA model captures potentially severe tail loss estimates. 1.2 The bank's AMA model is comparable to a one year holding period and a 99.9 percentile confidence interval. 1.3 The bank is calculating the operational risk regulatory capital requirement as the sum of expected loss and unexpected loss. 1.4 The bank is adequately capturing EL in its internal business practices.

None

(a) Provide the bank's documentation on how operational risk EL is measured and accounted for. None

CAR Ch 7 (669c)

2. Correlation

CAR Ch 7 (669d)

1.5 The bank's AMA model captures the major drivers of the operational risk affecting the shape of the tail loss estimates. 2.1 Internally determined correlations are used in operational risk modelling. The bank can demonstrate that its systems for determining correlations are sound and implemented with integrity and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress). 2.2 The bank validates its correlation assumptions using appropriate quantitative and qualitative techniques. 3.1 Key elements of the bank's operational risk measurement system include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control system. 3.2 Weighting of the 4 fundamental elements is a credible, transparent, well-documented and verifiable approach. 3.3 The approach for weighting the 4 fundamental elements is internally consistent. 3.4 Double counting of qualitative assessments or risk mitigants already recognised in other elements of the framework is avoided in the approach for weighting the 4 fundamental elements.

(a) Provide details on how correlation is integrated into the model and the rationale for its use in calculating the capital requirement. (b) For internally determined correlations, identify the assumptions used and discuss the methods used for estimating correlation. (a) Identify how the bank is validating its correlation assumptions. (a) Provide a brief summary of how these 4 elements are used in the operational risk measurement system.

3. Four fundamental elements:
- Internal data
- External data
- Scenario analysis
- Business environment and internal controls

CAR Ch 7 (669e)

CAR Ch 7 (669f)

(a) Provide documentation and rationale for the approach taken in weighting of each fundamental element. None

None



Area of Assessment 4. Internal Data Reference CAR Ch 7 (671) # Criteria Information Request (a) Provide the documented procedures. Assessment Rating

CAR Ch 7 (672)

CAR Ch 7 (673)

5. External Data

CAR Ch 7 (674)

6. Scenario Analysis

CAR Ch 7 (675)

7. Business Environment and Internal Control Factors

CAR Ch 7 (676)

4.1 The bank has documented procedures for assessing the historical internal loss data for its relevance and use in the operational risk measurement system.
4.2 The bank is using at least 3 years of historical internal loss data if internal loss data is being used to either build or validate the operational risk measurement system.
4.3 The bank has documented its criteria for mapping historical internal loss data to Basel business lines and event types.
4.4 The internal loss data is comprehensive and captures appropriate sub-systems and geographic locations.
4.5 The bank has an appropriate gross loss threshold for internal loss data collection.
4.6 The bank has specific criteria for allocating operational losses that span across business lines or occur in a centralized function.
4.7 All material operational losses related to the definition of operational risk are identified in the loss data collection.
5.1 The bank's system uses relevant external loss data in its operational risk measurement system.
5.2 The bank has a systematic process for determining how and when external loss data is used in its operational risk measurement system.
5.3 The conditions and practices for using external loss data are regularly reviewed, documented and subject to periodic independent review.
6.1 The bank uses scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
7.1 Factors used in the operational risk measurement system are meaningful risk drivers and were chosen based on experience and expert judgement.

None

(a) Provide the documented criteria.

(a) Provide rationale for excluding loss activities and exposures, if any, from the loss collection process. None (a) Provide the specific criteria.

(a) Identify the bank's approach to collecting operational losses related to credit and market risk. (a) Identify the sources of external loss data used in the bank's operational risk measurement system. None

(a) Provide the documentation discussing the conditions and practices for using external loss data. (a) Describe how scenario analysis is used in the operational risk measurement system.


7.2 The framework and each instance of its application must be documented and subject to independent review.

(a) Identify the rationale used for choosing business environment and internal control factors and provide a brief description of how they are used. (b) Indicate if factors are translatable into quantitative measures. None



Area of Assessment 8. Risk Mitigation Reference CAR Ch 7 (677) CAR Ch 7 (678) # Criteria Information Request (a) Provide the documented framework developed for mitigating operational risk through the use of insurance. None None None None None None (a) Indicate how the bank plans to disclose information about the use of insurance. (a) For banks applying the stand-alone approach, indicate if it is applying a capital allocation methodology for its subsidiaries and provide details on the allocation methodology used. (b) For subsidiaries using the allocated capital approach, provide a description of the methodology used for capital allocation and the rationale for applying an allocation approach versus a stand alone approach. Assessment Rating

9. Allocation Methodology

CAR Ch 7 (656)

8.1 The recognition of insurance mitigation is less than 20% of the total operational risk regulatory capital charge.
8.2 The insurance provider has a minimum claims paying ability rating of A.
8.3 The insurance policy has an initial term of no less than one year.
8.4 The insurance policy has a minimum notice period for cancellation of 90 days.
8.5 The insurance policy has no exclusions or limitations triggered by supervisory actions.
8.6 The risk mitigation calculations reflect the insurance coverage.
8.7 The insurance is provided by a third-party entity.
8.8 The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
9.1 The bank intends, with supervisory approval, to use an allocation mechanism for the purpose of determining the operational risk capital requirement for its subsidiaries.

10. Partial Use

CAR Ch 7 (680)

10.1 All operational risks of the bank's global, consolidated operations are captured. None
AMA qualitative criteria are met for areas of the bank covered by the AMA, and those parts of the operations covered by one of the simpler approaches meet the qualifying criteria for that approach. None
On the date of implementation of an AMA, a significant part of the bank's operational risks are captured by the AMA. None


Rating Rationale
