Msi Basel II Operational Risk


  • 8/6/2019 Msi Basel II Operational Risk

    1/17

    Operational Risk Governance

    PROTECTED B WHEN COMPLETE

    A. OPERATIONAL RISK GOVERNANCE

    Area of Assessment | # | Criteria | Information Request | Assessment Rating | Rationale

    Board of Directors

    1. Board of Director approvals

    1.1 The board of directors are actively involved in the oversight of the operational risk management framework.
        Information Request: (a) Frequency of Board review of firm-wide framework to operational risk management.

    1.2 The Board has approved a firm-wide framework to manage operational risk as a distinct risk to the bank's safety and soundness.
        Information Request: None

    1.3 The Board has provided senior management with clear guidance and direction regarding the principles underlying the framework.
        Information Request: None

    1.4 The Board has reviewed policies developed by senior management.
        Information Request: (a) List operational risk policies developed by senior management and provide approval/review status of each.

    2. Regular review of framework by Board of Directors

    2.1 The Board has reviewed framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems.
        Information Request: (a) Identify how the bank assesses external operational risk factors and operational risks associated with new products.

    2.2 The Board has assessed industry best practices in operational risk management, appropriate of the bank's activities, systems and processes.
        Information Request: (a) Identify how the Board is educated and kept up to date on Basel II operational risk, including industry best practices in operational risk management and industry issues.

    3. Operational risk strategy

    3.1 The bank has an operational risk management system that is conceptually sound and is implemented with integrity.
        Information Request: None

    3.1 The bank's operational risk framework should be based on an appropriate definition of operational risk that clearly articulates what constitutes operational risk in that bank.
        Information Request: (a) Provide the enterprise wide definition of operational risk.

    3.2 The bank has established its appetite and tolerance for operational risk, specified through policies for managing this risk and the bank's prioritization of operational risk management activities, including operational risk transferred outside the bank.
        Information Request:
        (a) Provide details on the bank's risk appetite and operational risk tolerance.
        (b) Identify how the bank's appetite and tolerance for operational risk is communicated throughout the bank.
        (c) Describe the bank's management of operational risks transferred outside the bank.

    3.3 The bank has established policies outlining its approach to identifying, assessing, monitoring and controlling/mitigating the risk.
        Information Request: (a) List all operational risk policies.


    3.4 The bank has ensured that the level of formality and sophistication of its operational risk management framework is commensurate with its risk profile.
        Information Request: None

    4. Board of Director's establishment of a management structure

    4.1 The Board has established a management structure capable of implementing the firm's operational risk management framework.
        Information Request: (a) Provide the bank's organization chart that describes the lines of management responsibility, accountability and reporting for operational risk.

    4.2 The bank has established separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions.
        Information Request: None

    4.3 The bank has articulated key processes necessary to have in place to manage operational risk.
        Information Request: None

    Senior Management

    5. Role of senior management

    5.1 Senior management is actively involved in the oversight of the operational risk management framework.
        Information Request: None

    5.2 Senior management has translated the operational risk management framework into specific policies, processes and procedures.
        Information Request: None

    5.3 Senior management has implemented the operational risk management framework consistently across the whole bank.
        Information Request: None

    5.4 Senior management has assigned authority, responsibility and reporting relationships to encourage and maintain accountability.
        Information Request: None

    5.5 The bank has ensured the availability of necessary resources to manage operational risk effectively.
        Information Request: None

    5.6 The bank has assessed the appropriateness of management oversight process in light of risks inherent in a business unit's policy.
        Information Request: None

    6. Effective communication of risk management

    6.1 Senior management has ensured that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market and other risks, as well as those in the firm responsible for the procurement of external services such as insurance purchasing and outsourcing agreements.
        Information Request: None


    Operational Risk Management Function

    7. Operational risk management function

    7.1 The bank has an operational risk management system with clear responsibilities assigned to an operational risk management function.
        Information Request: None

    7.2 The operational risk management function develops strategies to identify, assess, monitor and control/mitigate operational risk.
        Information Request: None

    7.3 The operational risk management function codifies firm-level policies and procedures concerning operational risk management and controls.
        Information Request: None

    7.4 The operational risk management function designs and implements the firm's operational risk assessment methodology.
        Information Request: None

    7.5 The operational risk management function designs and implements the risk-reporting system for operational risk.
        Information Request: None

    7.6 AMA banks only: The operational risk management function is independent and responsible for the design and implementation of the bank's operational risk management framework.
        Information Request: (a) Explain how the operational risk management function is independent and identify its key responsibilities.

    Risk Management - Operational Risk

    8. Operational Risk control and mitigation

    8.1 The bank has an operational risk management system that is well documented.
        Information Request: None

    8.2 The bank has a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which includes policies for the treatment of non-compliance issues.
        Information Request: (a) Describe how the bank ensures compliance with its internal policies, controls and procedures for operational risk.

    8.3 AMA Banks only: The internal operational risk measurement system is closely integrated into the day-to-day risk management processes of the bank. Its output is an integral part of the process of monitoring and controlling the bank's operational risk profile.
        Information Request: (a) Identify how and where the operational risk measurement system is integrated into the bank's risk management processes.

    8.4 The bank has decided between using appropriate procedures to control/mitigate identified operational risks, or bear the risks.
        Information Request: (a) Identify how the bank decides on its risk appetite and tolerance.


    8.5 For risks that cannot be controlled, the bank has decided how it will approach the operational risks (e.g., accept the risk, reduce the level of business activity or withdraw from the activity completely).
        Information Request: (a) Describe how the bank manages operational risks that cannot be controlled.

    8.6 The bank has a routine for ensuring compliance with documented internal policies concerning operational risk management systems, including verifying compliance with management controls.
        Information Request: (a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.

    9. Strong internal control culture

    9.1 Board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank.
        Information Request: None

    10. Staffing

    10.1 The bank has sufficient resources in the major business lines to implement the adopted approach to operational risk, including control and audit areas.
        Information Request: None

    10.2 Bank activities are conducted by staff that is qualified with the necessary experience and technical capabilities.
        Information Request: (a) Provide a description of current resources in both internal audit and risk management functions.

    10.3 Staff responsible for monitoring and enforcing compliance have authority independent from the units they oversee.
        Information Request: (a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.

    10.4 Clear communication of operational risk management policy to staff at all unit levels incurring material operational risks.
        Information Request: (a) Identify how the Bank's operational risk management policy is communicated throughout the bank.

    11. Segregation of duties

    11.1 Effective internal control system requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities that may create a conflict of interest.
        Information Request: None

    11.2 Areas of conflicts of interest are identified and minimized, and are subject to careful independent monitoring and review.
        Information Request: None

    12. Other internal practices

    12.1 In addition to segregation of duties, the bank has ensured that other internal practices are in place as appropriate to control operational risk.
        Information Request: (a) Identify other internal practices in place to control operational risk.

    13. Operational risk assessments of new business

    13.1 The bank has paid special attention to internal control activities where it engages in new activities, develops new products, enters unfamiliar markets, and/or engages in unfamiliar geographic regions.
        Information Request: (a) Identify the bank's operational risk assessment process for new business.


    14. Operational risk mitigation tools for low frequency/high severity losses

    14.1 Operational risk mitigation tools or programmes are used to reduce the exposure to, or frequency and/or severity of, such events that cannot be controlled.
        Information Request: (a) Identify any risk mitigation tools or programmes used to reduce exposure to high frequency/low severity events.

    14.2 Operational risk mitigation tools are complementary to thorough internal operational risk control.
        Information Request: None

    15. Information technology as operational risk mitigation tools

    15.1 Investments in appropriate processing technology and information technology security have been utilized.
        Information Request: None

    16. Documentation controls and transaction-handling practices

    16.1 The bank has well documented policies, processes and procedures related to advanced technologies supporting high transactions volumes.
        Information Request: (a) List documented policies, processes and procedures related to advanced technologies supporting high transaction volumes.

    17. Remuneration policies

    17.1 Remuneration policies are consistent with the bank's operational risk appetite.
        Information Request: (a) Identify any remuneration policies.

    Internal Audit Function

    18. Internal audit coverage

    18.1 The bank's operational risk management processes and assessment system are subject to validation and regular independent review (these reviews include the activities of both the business units and of the operational risk management function).
        Information Request: (a) Describe the responsibilities of the audit function with respect to operational risk.

    18.2 There has been adequate internal audit coverage to verify effective implementation of policies and procedures (including activities of business units and operational risk management function).
        Information Request: (a) Describe the audit plan, scope and work completed with respect to operational risk management.

    18.3 There is Board assurance that the scope and frequency of audit programme is appropriate to the risk exposures.
        Information Request: None

    18.4 Audit has performed a periodic validation that the firm's operational risk management framework is being implemented effectively across the firm.
        Information Request: None

    19. Independence of Internal Audit

    19.1 The internal audit function does not have direct operational risk management responsibilities. [Note: The internal audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.]
        Information Request: (a) Describe how the internal audit function maintains its independence from operational risk management.


    Operational Risk Reporting

    20. Regular and effective monitoring of operational risk profile

    20.1 The bank has regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors.
        Information Request: (a) Identify operational risk reporting activities directed at senior management and the board of directors and indicate the frequency.

    20.2 The bank has procedures for taking appropriate action according to the information within the management reports.
        Information Request: (a) Describe how the bank uses the information within operational risk management reports.

    20.3 There are practices in place for prompt detection and management of deficiencies in policies, processes and procedures for managing operational risk.
        Information Request: (a) Describe monitoring process of policies, processes and procedures.

    20.4 The bank has established policies for identification of appropriate indicators that provide early warning of an increased risk of future losses.
        Information Request: (a) Identify early warning indicators used for operational risk in reporting activities.

    21. Frequency of monitoring

    21.1 Frequency of monitoring reflects operational risks involved and frequency and nature of changes in the operating environment.
        Information Request: None

    21.2 Reports are included in regular management and Board reports.
        Information Request: None

    22. Reporting to senior management

    22.1 Senior management has received regular reports from appropriate areas such as business units, group functions, the operational risk management office and internal audit.
        Information Request: (a) Provide a list of regular reports from business units, group functions, operational risk management office and internal audit reviewed by senior management and indicate the reporting frequency.

    22.2 Operational risk reports contain internal financial, operational, and compliance data, and other information relevant to decision making.
        Information Request: None

    22.3 Reports reflect identified problem areas and motivate timely corrective action on outstanding issues.
        Information Request: (a) Describe how reports are used to ensure that problem areas receive appropriate corrective action.


    B. GROSS INCOME MAPPING

    Area of Assessment | # | Criteria | Information Request | Assessment Rating | Rationale

    1. Gross income mapping policies and documentation

    1.1 Specific policies and documentation of criteria have been developed for mapping gross income for current business lines and activities into the standardised framework.
        Information Request: (a) Provide all policies and documentation of criteria developed for mapping gross income.

    1.2 Criteria must be reviewed and adjusted for new or changing business activities as appropriate.
        Information Request: None

    2. Principles of business line mapping

    2.1 All activities are mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.
        Information Request:
        (a) Identify if all activities have been mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.
        (b) Identify any existing gaps and the action plans to close them.

    2.2 Any banking/non-banking activity that cannot be readily mapped into the business line framework, but which represents an ancillary function to an activity included in the framework, are allocated to the business line it supports.
        Information Request: None

    2.3 If more than one business line is supported through the ancillary activity, an objective mapping criteria is used.
        Information Request: (a) If appropriate, describe the objective mapping criteria being used.

    2.4 If an activity cannot be mapped into a particular business line then the business line yielding the highest charge is used. The same business line equally applies to any associated ancillary activity.
        Information Request: (a) Identify any activities that could not be mapped into a particular business line and provide the charge used.

    2.5 Internal pricing methods are used to allocate gross income between business lines provided that total gross income for the bank still equals the sum of gross income for the eight business lines.
        Information Request: (a) Discuss the pricing methods used to allocate gross income.

    2.6 Mapping activities into business lines for operational risk capital purposes are consistent with the definitions of business lines used for regulatory capital calculations in other risk categories. Any deviations must be clearly motivated and documented.
        Information Request:
        (a) Identify any activities that are inconsistent with Basel business line definitions.
        (b) Identify motivations for any existing deviations.

    2.7 The mapping process is clearly documented. More specifically, business line definitions are sufficiently documented to allow for business line mapping replication.
        Information Request: (a) Identify documentation for mapping process and assess its allowance for business line mapping replication.

    2.8 Documentation clearly motivate any exceptions or overrides and be kept on record.
        Information Request: (a) Identify how documentation addresses exceptions and overrides.


    2.9 Processes are in place to define the mapping of any new activities or products.
        Information Request: (a) Identify processes in place to define the mapping of any new activities or products.

    2.10 Senior management is responsible for the mapping policy.
        Information Request:
        (a) Identify who is responsible for the mapping policy.
        (b) Identify the format in which the mapping policy has been presented and approved by the Board

    2.11 The mapping process to business lines is subject to independent review.
        Information Request: (a) Identify if the mapping process has been subject to independent review (and by whom). If independent review has not taken place, identify future plans to do so.


    C. LOSS DATA COLLECTION

    Area of Assessment | # | Criteria | Information Request | Assessment Rating | Rationale

    1. Bank's internal operational risk assessment system using operational loss data

    1.1 The bank has a systematic tracking of relevant operational risk data including material losses by business line.
        Information Request:
        (a) Provide details on the operational loss data collection process (centralized vs. decentralized).
        (b) List the source systems used and provide detail on how they are used in the loss collection process.
        (c) Identify the function responsible for the data collection.
        (d) List the criteria for collection of operational losses.
        (e) Identify the status of data collection on an enterprise wide level.
        (f) Provide the historical length of operational loss data.
        (g) Identify how the bank ensures that data is collected in a complete and consistent manner.
        (h) Identify whether operational losses are mapped to Basel II lines of business and event types.
        (i) List the data fields populated in the collection of loss data.
        (j) Describe how the bank distinguishes credit and market risk losses that are a result of operational events.
        (k) Provide details on how the bank collects multiple operational losses resulting from one event.
        (l) List all policies & procedure documents relating to loss data collection.

    1.2 There is close integration of the operational risk assessment system into the risk management process of the bank.
        Information Request: (a) Explain how the bank uses the operational risk assessment system in its risk management process.

    1.3 Output is an integral part of the process of monitoring controlling the banks operational risk profile.
        Information Request: (a) Describe how the bank uses operational risk data (including loss data) to monitor the banks operational risk profile.

    1.4 Operational risk data (including loss data) has a role in risk reporting, management reporting, and risk analysis.
        Information Request: (a) List all reports using operational risk data (including loss data), identifying how the reports are distributed.

    1.5 There are techniques for creating incentives to improve the management of operational risk throughout the firm.
        Information Request: (a) Identify any techniques the bank uses for creating incentives to improve the management of operational risk throughout the firm.


    2. Regular reporting of operational risk exposures

    2.1 There is regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors.
        Information Request: (a) List all reports that include operational risk exposures (including material losses), identifying frequency, owners of report and audience of the report.

    2.2 There are procedures for taking appropriate action according to the information within the management reports.
        Information Request: (a) Describe how the operational risk exposure reports are used to respond to operational risk and the management of the risk.


    D. RISK AND CONTROL SELF-ASSESSMENT / KEY RISK INDICATORS

    Area of Assessment | # | Criteria | Information Request | Assessment Rating | Rationale

    1. Risk identification

    1.1 The bank has an effective risk identification process of both internal and external factors that could adversely affect the achievement of the bank's objectives.
        Information Request: (a) Describe the bank's processes for identification of both internal and external risk factors.

    2. Assessment of identified risks

    2.1 The bank assesses the vulnerability of potentially adverse risks to better understand risk profile and target risk management resources.
        Information Request: None

    3. Tools for assessment of operational risk

    3.1 Self- or risk assessment - The bank completes an internal assessment of its operations and activities against a menu of potential operational risk vulnerabilities.
        Information Request:
        (a) Identify if the bank is using a Risk Control Self-Assessment process.
        (b) Describe the process and state if it is an enterprise wide process.
        (c) Describe how RCSA results are used in risk identification as well as mitigation.
        (d) Describe the effectiveness of the risk control self-assessment process.

    3.2 Self- or risk assessment - This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment.
        Information Request: (a) Describe how the process identifies the strengths and weaknesses of the operational risk environment.

    3.3 Risk mapping - The bank has mapped various business units, organizational functions or process flows by risk types.
        Information Request:
        (a) Identify if the bank is risk mapping business units, organizational functions or process flow by risk types.
        (b) Describe this risk mapping process.
        (c) Describe how risk mapping is used for risk identification and mitigation.

    3.4 Risk indicators - The bank uses statistics and/or metrics to provide a bank's risk position.
        Information Request:
        (a) Identify if the bank is using key risk indicators to assess operational risk.
        (b) Provide list of key risk indicators used by the bank.
        (c) Describe how the key risk indicators were developed.
        (d) Identify how key risk indicators are used.
        (e) Describe how key risk indicators reported to senior management and the board are used.

    3.4 Measurement - The bank has established practises for quantification of exposure to operational risk using a variety of approaches.
        Information Request:
        (a) Identify if the bank has established practices for quantification of operational risk exposure.
        (b) Describe the quantification approaches used.

    4. Reporting

    4.1 Operational risk results from risk assessment tools are reported and used in the management of operational risk.
        Information Request: (a) List all reports of risk assessment tools and indicate how they are used.


    4.2 There is appropriate reporting of results from risk assessments tools to the Board, senior management and business units.
        Information Request: None


    E. OUTSOURCING, DISASTER RECOVERY PLAN AND BUSINESS CONTINUITY PLAN

    Area of Assessment | # | Criteria | Information Request | Assessment Rating | Rationale

    1. Outsourcing activities

    1.1 The bank has established policies for managing the risks associated with outsourcing activities.
        Information Request: (a) Identify all outsourcing policies.

    1.2 The board of directors and senior management have ensured that third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.
        Information Request: (a) Describe the Board and senior management oversight of third-party activity.

    1.3 Outsourcing arrangements have been based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing banks.
        Information Request: None

    1.4 The bank is managing residual risks associated with outsourcing arrangements, including disruption of services.
        Information Request: (a) Describe the bank's process for determining the materiality of outsourcing arrangements.

    1.5 The Board and management have ensured that the expectations and obligations of each party are clearly defined, understood and enforceable.
        Information Request: None

    1.6 The bank carries out initial due diligence test and monitor third-party activities on a regular basis.
        Information Request:
        (a) Describe the initial due diligence test and indicate how third-party activities are regularly monitored.
        (b) Describe the bank's program for managing and monitoring risks of the outsourcing arrangements.

    1.7 For critical activities, the bank has considered contingency plans, including availability of alternative external parties and costs and resources required to switch external parties.
        Information Request: None

    2. Self-insure or retain operational risk

    2.1 The bank's decision to retain or self-insure the risk is transparent within the organization and consistent with the bank's overall business strategy and risk appetite.
        Information Request: None

    3.1 The bank is required to establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.
        Information Request: None


    4. Disaster recovery and business continuity plans

    3.2 The bank has identified critical business processes, including dependence on external vendors or third parties, for which rapid resumption of service would be most essential.
        Information Request: (a) Describe the bank's process for identifying critical business processes.

    3.3 The bank has identified alternative mechanisms for resuming service in the event of an outage.
        Information Request: None

    3.4 The off-site facilities where back-ups of records are stored are an adequate distance away from the impacted operations.
        Information Request: (a) Identify the location of off-site facilities.

    3.5 There is a periodic review of DRP/BCP to ensure consistency with the bank's current operations and business strategies.
        Information Request: (a) Describe the bank's process for reviewing DRP/BCP.

    3.6 Plans are tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption.
        Information Request: (a) Identify the frequency for testing plans.

    Note: In addition to the BIS Sound Practices, institutions are required to comply with the "OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes"


    F. Advanced Measurement Approach Methodology

    Area of Assessment | # | Criteria | Information Request | Assessment Rating | Rationale

    1. AMA Model

    1.1 The bank's AMA model captures potentially severe tail loss estimates.
        Information Request: (a) Provide a description of assumptions and inputs used to construct the model.

    1.2 The bank's AMA model is comparable to a one year holding period and a 99.9 percentile confidence interval.
        Information Request: None

    1.3 The bank is calculating the operational risk regulatory capital requirement as the sum of expected loss and unexpected loss.
        Information Request: None

    1.4 The bank is adequately capturing EL in its internal business practices.
        Information Request: (a) Provide the bank's documentation on how operational risk EL is measured and accounted for.

    1.5 The bank's AMA model captures the major drivers of the operational risk affecting the shape of the tail loss estimates.
        Information Request: None

    2. Correlation

    2.1 Internally determined correlations are used in operational risk modelling. The bank can demonstrate that its systems for determining correlations are sound and implemented with integrity and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress).
        Information Request:
        (a) Provide details on how correlation is integrated into the model and the rationale for its use in calculating the capital requirement.
        (b) For internally determined correlations, identify the assumptions used and discuss the methods used for estimating correlation.

    2.2 The bank validates its correlation assumptions using appropriate quantitative and qualitative techniques.
        Information Request: (a) Identify how the bank is validating its correlation assumptions.

    3. Four fundamental elements:
       - Internal data
       - External data
       - Scenario analysis
       - Business environment and internal controls

    3.1 Key elements of the bank's operational risk measurement system include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control system.
        Information Request: (a) Provide a brief summary of how these 4 elements are used in the operational risk measurement system.

    3.2 Weighting of the 4 fundamental elements is credible, transparent, well-documented and verifiable approach.
        Information Request: (a) Provide documentation and rationale for the approach taken in weighting of each fundamental element.

    3.3 The approach for weighting the 4 fundamental elements is internally consistent.
        Information Request: None

    3.4 Double counting of qualitative assessments or risk mitigants already recognised in other elements of the framework is avoided in the approach for weighting the 4 fundamental elements.
        Information Request: None


    4. Internal Data

    4.1 The bank has documented procedures for assessing the historical internal loss data for its relevance and use in the operational risk measurement system.
    Information request: (a) Provide the documented procedures.

    4.2 The bank is using at least 3 years of historical internal loss data if internal loss data is being used to either build or validate the operational risk measurement system.
    Information request: None

    4.3 The bank has documented its criteria for mapping historical internal loss data to Basel business lines and event types.
    Information request: (a) Provide the documented criteria.

    4.4 The internal loss data is comprehensive and captures appropriate sub-systems and geographic locations.
    Information request: (a) Provide rationale for excluding loss activities and exposures, if any, from the loss collection process.

    4.5 The bank has an appropriate gross loss threshold for internal loss data collection.
    Information request: None

    4.6 The bank has specific criteria for allocating operational losses that span across business lines or occur in a centralized function.
    Information request: (a) Provide the specific criteria.

    4.7 All material operational losses related to the definition of operational risk are identified in the loss data collection.
    Information request: (a) Identify the bank's approach to collecting operational losses related to credit and market risk.

    5. External Data

    5.1 The bank's system uses relevant external loss data in its operational risk measurement system.
    Information request: (a) Identify the sources of external loss data used in the bank's operational risk measurement system.

    5.2 The bank has a systematic process for determining how and when external loss data is used in its operational risk measurement system.
    Information request: None

    5.3 The conditions and practices for using external loss data are regularly reviewed, documented and subject to periodic independent review.
    Information request: (a) Provide the documentation discussing the conditions and practices for using external loss data.

    6. Scenario Analysis

    6.1 The bank uses scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
    Information request: (a) Describe how scenario analysis is used in the operational risk measurement system.

    7. Business Environment and Internal Control Factors

    7.1 Factors used in the operational risk measurement system are meaningful risk drivers and were chosen based on experience and expert judgement.
    Information request: (a) Identify the rationale used for choosing business environment and internal control factors and provide a brief description of how they are used. (b) Indicate if factors are translatable into quantitative measures.

    7.2 The framework and each instance of its application must be documented and subject to independent review.
    Information request: None


    8. Risk Mitigation

    8.1 The recognition of insurance mitigation is less than 20% of the total operational risk regulatory capital charge.
    Information request: (a) Provide the documented framework developed for mitigating operational risk through the use of insurance.

    8.2 The insurance provider has a minimum claims paying ability rating of A.
    Information request: None

    8.3 The insurance policy has an initial term of no less than one year.
    Information request: None

    8.4 The insurance policy has a minimum notice period for cancellation of 90 days.
    Information request: None

    8.5 The insurance policy has no exclusions or limitations triggered by supervisory actions.
    Information request: None

    8.6 The risk mitigation calculations reflect the insurance coverage.
    Information request: None

    8.7 The insurance is provided by a third-party entity.
    Information request: None

    8.8 The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
    Information request: (a) Indicate how the bank plans to disclose information about the use of insurance.

    9. Allocation Methodology

    9.1 The bank intends, with supervisory approval, to use an allocation mechanism for the purpose of determining the operational risk capital requirement for its subsidiaries.
    Information request: (a) For banks applying the stand-alone approach, indicate if it is applying a capital allocation methodology for its subsidiaries and provide details on the allocation methodology used. (b) For subsidiaries using the allocated capital approach, provide a description of the methodology used for capital allocation and the rationale for applying an allocation approach versus a stand-alone approach.

    10. Partial Use

    10.1 All operational risks of the bank's global, consolidated operations are captured.
    Information request: None

    AMA qualitative criteria are met for areas of the bank covered by the AMA, and those parts of the operations covered by one of the simpler approaches meet the qualifying criteria for that approach.
    Information request: None

    On the date of implementation of an AMA, a significant part of the bank's operational risks are captured by the AMA.
    Information request: None