basel-ii-operational-risk.xls

Date post: 21-Oct-2015
Upload: angelwings79
PROTECTED B WHEN COMPLETED

BASEL II OPERATIONAL RISK Self-Assessment Template for TSA & AMA Institutions

INSTITUTION:

DATE:

Operational Risk Governance Page 3 of 34

A. OPERATIONAL RISK GOVERNANCE

Area of Assessment Reference # Criteria Information Request

Board of Directors

1. Board of Director approvals 1.1

SP (12) 1.2 None

1.3 None

1.4

SP (15) 2.1

2.2

3. Operational risk strategy 3.1 None

3.1

3.2

3.3 (a) List all operational risk policies.

Assessment Rating

CAR Ch 6 (660) & Ch 7 (664)

The board of directors is actively involved in the oversight of the operational risk management framework.

(a) Frequency of Board review of firm-wide framework to operational risk management.

The Board has approved a firm-wide framework to manage operational risk as a distinct risk to the bank's safety and soundness.

The Board has provided senior management with clear guidance and direction regarding the principles underlying the framework.

The Board has reviewed policies developed by senior management.

(a) List operational risk policies developed by senior management and provide approval/review status of each.

2. Regular review of framework by Board of Directors

The Board has reviewed framework regularly to ensure that the bank is managing the operational risks arising from external market changes and other environmental factors, as well as those operational risks associated with new products, activities or systems.

(a) Identify how the bank assesses external operational risk factors and operational risks associated with new products.

The Board has assessed industry best practices in operational risk management, appropriate to the bank's activities, systems and processes.

(a) Identify how the Board is educated and kept up to date on Basel II operational risk, including industry best practices in operational risk management and industry issues.

CAR Ch 6 (660) & Ch 7 (664)

The bank has an operational risk management system that is conceptually sound and is implemented with integrity.

SP (13)

The bank's operational risk framework should be based on an appropriate definition of operational risk that clearly articulates what constitutes operational risk in that bank.

(a) Provide the enterprise wide definition of operational risk.

The bank has established its appetite and tolerance for operational risk, specified through policies for managing this risk and the bank's prioritization of operational risk management activities, including operational risk transferred outside the bank.

(a) Provide details on the bank's risk appetite and operational risk tolerance.

(b) Identify how the bank's appetite and tolerance for operational risk is communicated throughout the bank.

(c) Describe the bank's management of operational risks transferred outside the bank.

The bank has established policies outlining its approach to identifying, assessing, monitoring and controlling/mitigating the risk.

3. Operational risk strategy

3.4 None

SP (14) 4.1

4.2 None

4.3 None

Senior Management

5. Role of senior management 5.1 None

SP (18) 5.2 None

5.3 None

5.4 None

5.5 None

5.6 None

SP (20) 6.1 None

SP (13)

The bank has ensured that the level of formality and sophistication of its operational risk management framework is commensurate with its risk profile.

4. Board of Director's establishment of a management structure

The Board has established a management structure capable of implementing the firm's operational risk management framework.

(a) Provide the bank's organization chart that describes the lines of management responsibility, accountability and reporting for operational risk.

The bank has established separation of responsibilities and reporting lines between operational risk control functions, business lines and support functions.

The bank has articulated key processes necessary to have in place to manage operational risk.

CAR Ch 6 (660) & Ch 7 (664)

Senior management is actively involved in the oversight of the operational risk management framework.

Senior management has translated the operational risk management framework into specific policies, processes and procedures.

Senior management has implemented the operational risk management framework consistently across the whole bank.

Senior management has assigned authority, responsibility and reporting relationships to encourage and maintain accountability.

The bank has ensured the availability of necessary resources to manage operational risk effectively.

The bank has assessed the appropriateness of management oversight process in light of risks inherent in a business unit's policy.

6. Effective communication of risk management

Senior management has ensured that staff responsible for managing operational risk communicate effectively with staff responsible for managing credit, market and other risks, as well as those in the firm responsible for the procurement of external services such as insurance purchasing and outsourcing agreements.

Operational Risk Management Function

7.1 None

7.2 None

7.3 None

7.4 None

7.5 None

7.6

Risk Management - Operational Risk

8.1 None

8.2

8.3

8.4

7. Operational risk management function

CAR Ch 6 (663a)

The bank has an operational risk management system with clear responsibilities assigned to an operational risk management function.

The operational risk management function develops strategies to identify, assess, monitor and control/mitigate operational risk.

The operational risk management function codifies firm-level policies and procedures concerning operational risk management and controls.

The operational risk management function designs and implements the firm's operational risk assessment methodology.

The operational risk management function designs and implements the risk-reporting system for operational risk.

CAR Ch 7 (666a)

AMA banks only: The operational risk management function is independent and responsible for the design and implementation of the bank's operational risk management framework.

(a) Explain how the operational risk management function is independent and identify its key responsibilities.

8. Operational Risk control and mitigation

CAR Ch 6 (663d) & Ch 7 (666d)

The bank has an operational risk management system that is well documented.

The bank has a routine in place for ensuring compliance with a documented set of internal policies, controls and procedures concerning the operational risk management system, which includes policies for the treatment of non-compliance issues.

(a) Describe how the bank ensures compliance with its internal policies, controls and procedures for operational risk.

CAR Ch 7 (666d)

AMA Banks only: The internal operational risk measurement system is closely integrated into the day-to-day risk management processes of the bank. Its output is an integral part of the process of monitoring and controlling the bank's operational risk profile.

(a) Identify how and where the operational risk measurement system is integrated into the bank's risk management processes.

SP (31)

The bank has decided between using appropriate procedures to control/mitigate identified operational risks, or bear the risks.

(a) Identify how the bank decides on its risk appetite and tolerance.

8.5

8.6

9. Strong internal control culture SP (32) 9.1 None

10. Staffing 10.1 None

SP (19) 10.2

10.3

10.4

11. Segregation of duties SP (33) 11.1 None

11.2 None

12. Other internal practices SP (34) 12.1

SP (35) 13.1

8. Operational Risk control and mitigation

SP (31)

For risks that cannot be controlled, the bank has decided how it will approach the operational risks (e.g., accept the risk, reduce the level of business activity or withdraw from the activity completely).

(a) Describe how the bank manages operational risks that cannot be controlled.

The bank has a routine for ensuring compliance with documented internal policies concerning operational risk management systems, including verifying compliance with management controls.

(a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.

Board of directors and senior management are responsible for establishing a strong internal control culture in which control activities are an integral part of the regular activities of a bank.

CAR Ch 6 (660) & Ch 7 (664)

The bank has sufficient resources in the major business lines to implement the adopted approach to operational risk, including control and audit areas.

Bank activities are conducted by staff that is qualified with the necessary experience and technical capabilities.

(a) Provide a description of current resources in both internal audit and risk management functions.

Staff responsible for monitoring and enforcing compliance have authority independent from the units they oversee.

(a) Identify the staff (or function) responsible for monitoring and enforcing compliance and identify how it maintains its independence.

Clear communication of operational risk management policy to staff at all unit levels incurring material operational risks.

(a) Identify how the Bank's operational risk management policy is communicated throughout the bank.

Effective internal control system requires that there be appropriate segregation of duties and that personnel are not assigned responsibilities that may create a conflict of interest.

Areas of conflicts of interest are identified and minimized, and are subject to careful independent monitoring and review.

In addition to segregation of duties, the bank has ensured that other internal practices are in place as appropriate to control operational risk.

(a) Identify other internal practices in place to control operational risk.

13. Operational risk assessments of new business

The bank has paid special attention to internal control activities where it engages in new activities, develops new products, enters unfamiliar markets, and/or engages in unfamiliar geographic regions.

(a) Identify the bank's operational risk assessment process for new business.

SP (36) 14.1

SP (37) 14.2 None

SP (38) 15.1 None

SP (22) 16.1

17. Remuneration policies SP (21) 17.1 (a) Identify any remuneration policies.

Internal Audit Function

18. Internal audit coverage 18.1

SP (16) 18.2

18.3 None

18.4 None

SP (17) 19.1

14. Operational risk mitigation tools for low frequency/high severity losses

Operational risk mitigation tools or programmes are used to reduce the exposure to, or frequency and/or severity of, such events that cannot be controlled.

(a) Identify any risk mitigation tools or programmes used to reduce exposure to high frequency/low severity events.

Operational risk mitigation tools are complementary to thorough internal operational risk control.

15. Information technology as operational risk mitigation tools

Investments in appropriate processing technology and information technology security have been utilized.

16. Documentation controls and transaction-handling practices

The bank has well documented policies, processes and procedures related to advanced technologies supporting high transactions volumes.

(a) List documented policies, processes and procedures related to advanced technologies supporting high transaction volumes.

Remuneration policies are consistent with the bank's operational risk appetite.

CAR Ch 6 (663e)

The bank's operational risk management processes and assessment system are subject to validation and regular independent review (these reviews include the activities of both the business units and of the operational risk management function).

(a) Describe the responsibilities of the audit function with respect to operational risk.

There has been adequate internal audit coverage to verify effective implementation of policies and procedures (including activities of business units and operational risk management function).

(a) Describe the audit plan, scope and work completed with respect to operational risk management.

There is Board assurance that the scope and frequency of audit programme is appropriate to the risk exposures.

Audit has performed a periodic validation that the firm's operational risk management framework is being implemented effectively across the firm.

19. Independence of Internal Audit

The internal audit function does not have direct operational risk management responsibilities. [Note: The internal audit function at some banks (particularly smaller banks) may have initial responsibility for developing an operational risk management programme. Where this is the case, banks should see that responsibility for day-to-day operational risk management is transferred elsewhere in a timely manner.]

(a) Describe how the internal audit function maintains its independence from operational risk management.

Operational Risk Reporting

20.1

20.2

SP (26) 20.3

SP (27) 20.4

21. Frequency of monitoring SP (28) 21.1 None

21.2 None

SP (29) 22.1

22.2 None

22.3

20. Regular and effective monitoring of operational risk profile

CAR Ch 6 (663c) & Ch 7 (666c)

The bank has regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors.

(a) Identify operational risk reporting activities directed at senior management and the board of directors and indicate the frequency.

The bank has procedures for taking appropriate action according to the information within the management reports.

(a) Describe how the bank uses the information within operational risk management reports.

There are practices in place for prompt detection and management of deficiencies in policies, processes and procedures for managing operational risk.

(a) Describe monitoring process of policies, processes and procedures.

The bank has established policies for identification of appropriate indicators that provide early warning of an increased risk of future losses.

(a) Identify early warning indicators used for operational risk in reporting activities.

Frequency of monitoring reflects operational risks involved and frequency and nature of changes in the operating environment.

Reports are included in regular management and Board reports.

22. Reporting to senior management

Senior management has received regular reports from appropriate areas such as business units, group functions, the operational risk management office and internal audit.

(a) Provide a list of regular reports from business units, group functions, operational risk management office and internal audit reviewed by senior management and indicate the reporting frequency.

Operational risk reports contain internal financial, operational, and compliance data, and other information relevant to decision making.

Reports reflect identified problem areas and motivate timely corrective action on outstanding issues.

(a) Describe how reports are used to ensure that problem areas receive appropriate corrective action.

A. OPERATIONAL RISK GOVERNANCE

Rating Rationale

Board of Directors

Senior Management

Operational Risk Management Function

Risk Management - Operational Risk

Internal Audit Function

Operational Risk Reporting

B. GROSS INCOME MAPPING

Area of Assessment Reference # Criteria Information Request Rating Rationale

1.1

1.2 None

2.1

2.2 None

2.3

2.4

2.5

2.6

2.7

2.8

Assessment Rating

1. Gross income mapping policies and documentation

CAR Ch 6 (662) Ch 7 (662)

Specific policies and documentation of criteria have been developed for mapping gross income for current business lines and activities into the standardised framework.

(a) Provide all policies and documentation of criteria developed for mapping gross income.

Criteria must be reviewed and adjusted for new or changing business activities as appropriate.

2. Principles of business line mapping

CAR Ch 6 Annex 6(a) Ch 7 Annex 6(a)

All activities are mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.

(a) Identify if all activities have been mapped into the eight level 1 business lines in a mutually exclusive and jointly exhaustive manner.

(b) Identify any existing gaps and the action plans to close them.

CAR Ch 6 Annex 6(b) Ch 7 Annex 6(b)

Any banking/non-banking activity that cannot be readily mapped into the business line framework, but which represents an ancillary function to an activity included in the framework, is allocated to the business line it supports.

If more than one business line is supported through the ancillary activity, an objective mapping criteria is used.

(a) If appropriate, describe the objective mapping criteria being used.

CAR Ch 6 Annex 6(c) Ch 7 Annex 6(c)

If an activity cannot be mapped into a particular business line then the business line yielding the highest charge is used. The same business line equally applies to any associated ancillary activity.

(a) Identify any activities that could not be mapped into a particular business line and provide the charge used.

CAR Ch 6 Annex 6(d) Ch 7 Annex 6(d)

Internal pricing methods are used to allocate gross income between business lines provided that total gross income for the bank still equals the sum of gross income for the eight business lines.

(a) Discuss the pricing methods used to allocate gross income.

CAR Ch 6 Annex 6(e) Ch 7 Annex 6(e)

Mapping activities into business lines for operational risk capital purposes are consistent with the definitions of business lines used for regulatory capital calculations in other risk categories. Any deviations must be clearly motivated and documented.

(a) Identify any activities that are inconsistent with Basel business line definitions.

(b) Identify motivations for any existing deviations.

CAR Ch 6 Annex 6(f) Ch 7 Annex 6(f)

The mapping process is clearly documented. More specifically, business line definitions are sufficiently documented to allow for business line mapping replication.

(a) Identify documentation for mapping process and assess its allowance for business line mapping replication.

Documentation clearly motivates any exceptions or overrides and is kept on record.

(a) Identify how documentation addresses exceptions and overrides.

2.9

2.10

2.11

2. Principles of business line mapping

CAR Ch 6 Annex 6(g) Ch 7 Annex 6(g)

Processes are in place to define the mapping of any new activities or products.

(a) Identify processes in place to define the mapping of any new activities or products.

CAR Ch 6 Annex 6(h) Ch 7 Annex 6(h)

Senior management is responsible for the mapping policy.

(a) Identify who is responsible for the mapping policy.

(b) Identify the format in which the mapping policy has been presented and approved by the Board.

CAR Ch 6 Annex 6(i) Ch 7 Annex 6(i)

The mapping process to business lines is subject to independent review.

(a) Identify if the mapping process has been subject to independent review (and by whom). If independent review has not taken place, identify future plans to do so.

C. LOSS DATA COLLECTION

Area of Assessment Reference # Criteria Information Request

1.1

1.2

1.3

1.4

1.5

Assessment Rating

1. Bank's internal operational risk assessment system using operational loss data

CAR Ch 6 (663b)

The bank has a systematic tracking of relevant operational risk data including material losses by business line.

(a) Provide details on the operational loss data collection process (centralized vs. decentralized).

(b) List the source systems used and provide detail on how they are used in the loss collection process.

(c) Identify the function responsible for the data collection.

(d) List the criteria for collection of operational losses.

(e) Identify the status of data collection on an enterprise wide level.

(f) Provide the historical length of operational loss data.

(g) Identify how the bank ensures that data is collected in a complete and consistent manner.

(h) Identify whether operational losses are mapped to Basel II lines of business and event types.

(i) List the data fields populated in the collection of loss data.

(j) Describe how the bank distinguishes credit and market risk losses that are a result of operational events.

(k) Provide details on how the bank collects multiple operational losses resulting from one event.

(l) List all policies & procedure documents relating to loss data collection.

There is close integration of the operational risk assessment system into the risk management process of the bank.

(a) Explain how the bank uses the operational risk assessment system in its risk management process.

Output is an integral part of the process of monitoring and controlling the bank's operational risk profile.

(a) Describe how the bank uses operational risk data (including loss data) to monitor the bank's operational risk profile.

Operational risk data (including loss data) has a role in risk reporting, management reporting, and risk analysis.

(a) List all reports using operational risk data (including loss data), identifying how the reports are distributed.

There are techniques for creating incentives to improve the management of operational risk throughout the firm.

(a) Identify any techniques the bank uses for creating incentives to improve the management of operational risk throughout the firm.

2.1

2.2

2. Regular reporting of operational risk exposures

CAR Ch 6 (663c)

There is regular reporting of operational risk exposures, including material operational losses, to business unit management, senior management, and to the board of directors.

(a) List all reports that include operational risk exposures (including material losses), identifying frequency, owners of report and audience of the report.

There are procedures for taking appropriate action according to the information within the management reports.

(a) Describe how the operational risk exposure reports are used to respond to operational risk and the management of the risk.

C. LOSS DATA COLLECTION

Rating Rationale

D. RISK AND CONTROL SELF-ASSESSMENT / KEY RISK INDICATORS

Area of Assessment Reference # Criteria Information Request

1. Risk identification SP (23) 1.1

2. Assessment of identified risks SP (24) 2.1 None

SP (25) 3.1

3.2

3.3

3.4

3.4

4. Reporting n/a 4.1

Assessment Rating

The bank has an effective risk identification process of both internal and external factors that could adversely affect the achievement of the bank's objectives.

(a) Describe the bank's processes for identification of both internal and external risk factors.

The bank assesses the vulnerability of potentially adverse risks to better understand risk profile and target risk management resources.

3. Tools for assessment of operational risk

Self- or risk assessment - The bank completes an internal assessment of its operations and activities against a menu of potential operational risk vulnerabilities.

(a) Identify if the bank is using a Risk Control Self-Assessment process.

(b) Describe the process and state if it is an enterprise wide process.

(c) Describe how RCSA results are used in risk identification as well as mitigation.

(d) Describe the effectiveness of the risk control self-assessment process.

Self- or risk assessment - This process is internally driven and often incorporates checklists and/or workshops to identify the strengths and weaknesses of the operational risk environment.

(a) Describe how the process identifies the strengths and weaknesses of the operational risk environment.

Risk mapping - The bank has mapped various business units, organizational functions or process flows by risk types.

(a) Identify if the bank is risk mapping business units, organizational functions or process flow by risk types.

(b) Describe this risk mapping process.

(c) Describe how risk mapping is used for risk identification and mitigation.

Risk indicators - The bank uses statistics and/or metrics to provide a bank's risk position.

(a) Identify if the bank is using key risk indicators to assess operational risk.

(b) Provide list of key risk indicators used by the bank.

(c) Describe how the key risk indicators were developed.

(d) Identify how key risk indicators are used.

(e) Describe how key risk indicators reported to senior management and the board are used.

Measurement - The bank has established practices for quantification of exposure to operational risk using a variety of approaches.

(a) Identify if the bank has established practices for quantification of operational risk exposure.

(b) Describe the quantification approaches used.

Operational risk results from risk assessment tools are reported and used in the management of operational risk.

(a) List all reports of risk assessment tools and indicate how they are used.

4. Reporting n/a

4.2 None

There is appropriate reporting of results from risk assessment tools to the Board, senior management and business units.

D. RISK AND CONTROL SELF-ASSESSMENT / KEY RISK INDICATORS

Rating Rationale

E. OUTSOURCING, DISASTER RECOVERY PLAN AND BUSINESS CONTINUITY PLAN

Area of Assessment Reference # Criteria Information Request

1. Outsourcing activities SP (39) 1.1 (a) Identify all outsourcing policies.

1.2

1.3 None

1.4

SP (40) 1.5 None

1.6

1.7 None

2.1 None

SP (41) 3.1 None

Assessment Rating

The bank has established policies for managing the risks associated with outsourcing activities.

The board of directors and senior management have ensured that third-party activity is conducted in a safe and sound manner and in compliance with applicable laws.

(a) Describe the Board and senior management oversight of third-party activity.

Outsourcing arrangements have been based on robust contracts and/or service level agreements that ensure a clear allocation of responsibilities between external service providers and the outsourcing banks.

The bank is managing residual risks associated with outsourcing arrangements, including disruption of services.

(a) Describe the bank's process for determining the materiality of outsourcing arrangements.

The Board and management have ensured that the expectations and obligations of each party are clearly defined, understood and enforceable.

The bank carries out an initial due diligence test and monitors third-party activities on a regular basis.

(a) Describe the initial due diligence test and indicate how third-party activities are regularly monitored.

(b) Describe the bank's program for managing and monitoring risks of the outsourcing arrangements.

For critical activities, the bank has considered contingency plans, including availability of alternative external parties and costs and resources required to switch external parties.

The bank's decision to retain or self-insure the risk is transparent within the organization and consistent with the bank's overall business strategy and risk appetite.

2. Self-insure or retain operational risk

The bank is required to establish disaster recovery and business continuity plans that take into account different types of plausible scenarios to which the bank may be vulnerable, commensurate with the size and complexity of the bank's operations.

SP (42) 3.2

SP (43) 3.3 None

3.4 (a) Identify the location of off-site facilities.

3.5

SP (44) 3.6 (a) Identify the frequency for testing plans.

Note: In addition to the BIS Sound Practices, institutions are required to comply with the "OSFI Guideline B-10: Outsourcing of Business Activities, Functions and Processes"

4. Disaster recovery and business continuity plans

The bank has identified critical business processes, including dependence on external vendors or third parties, for which rapid resumption of service would be most essential.

(a) Describe the bank's process for identifying critical business processes.

The bank has identified alternative mechanisms for resuming service in the event of an outage.

The off-site facilities where back-ups of records are stored are an adequate distance away from the impacted operations.

There is a periodic review of DRP/BCP to ensure consistency with the bank's current operations and business strategies.

(a) Describe the bank's process for reviewing DRP/BCP.

Plans are tested periodically to ensure that the bank would be able to execute the plans in the unlikely event of a severe business disruption.


Rating Rationale


F. Advanced Measurement Approach Methodology

Area of Assessment Reference # Criteria Information Request Assessment Rating

1. AMA Model

Reference 1.1, CAR Ch 7 (667a)
Criteria: The bank's AMA model captures potentially severe tail loss estimates.
Information Request: (a) Provide a description of assumptions and inputs used to construct the model.

Reference 1.2
Criteria: The bank's AMA model is comparable to a one year holding period and a 99.9 percentile confidence interval.
Information Request: None

Reference 1.3, CAR Ch 7 (669b)
Criteria: The bank is calculating the operational risk regulatory capital requirement as the sum of expected loss and unexpected loss.
Information Request: None

Reference 1.4
Criteria: The bank is adequately capturing EL in its internal business practices.
Information Request: (a) Provide the bank's documentation on how operational risk EL is measured and accounted for.

Reference 1.5, CAR Ch 7 (669c)
Criteria: The bank's AMA model captures the major drivers of the operational risk affecting the shape of the tail loss estimates.
Information Request: None

2. Correlation

Reference 2.1, CAR Ch 7 (669d)
Criteria: Internally determined correlations are used in operational risk modelling. The bank can demonstrate that its systems for determining correlations are sound and implemented with integrity and take into account the uncertainty surrounding any such correlation estimates (particularly in periods of stress).
Information Request: (a) Provide details on how correlation is integrated into the model and the rationale for its use in calculating the capital requirement. (b) For internally determined correlations, identify the assumptions used and discuss the methods used for estimating correlation.

Reference 2.2
Criteria: The bank validates its correlation assumptions using appropriate quantitative and qualitative techniques.
Information Request: (a) Identify how the bank is validating its correlation assumptions.

3. Four fundamental elements: - Internal data - External data - Scenario analysis - Business environment and internal controls

Reference 3.1, CAR Ch 7 (669e)
Criteria: Key elements of the bank's operational risk measurement system include the use of internal data, relevant external data, scenario analysis and factors reflecting the business environment and internal control system.
Information Request: (a) Provide a brief summary of how these 4 elements are used in the operational risk measurement system.

Reference 3.2, CAR Ch 7 (669f)
Criteria: Weighting of the 4 fundamental elements follows a credible, transparent, well-documented and verifiable approach.
Information Request: (a) Provide documentation and rationale for the approach taken in weighting of each fundamental element.

Reference 3.3
Criteria: The approach for weighting the 4 fundamental elements is internally consistent.
Information Request: None

Reference 3.4
Criteria: Double counting of qualitative assessments or risk mitigants already recognised in other elements of the framework is avoided in the approach for weighting the 4 fundamental elements.
Information Request: None


4. Internal Data

Reference 4.1, CAR Ch 7 (671)
Criteria: The bank has documented procedures for assessing the historical internal loss data for its relevance and use in the operational risk measurement system.
Information Request: (a) Provide the documented procedures.

Reference 4.2, CAR Ch 7 (672)
Criteria: The bank is using at least 3 years of historical internal loss data if internal loss data is being used to either build or validate the operational risk measurement system.
Information Request: None

Reference 4.3, CAR Ch 7 (673)
Criteria: The bank has documented its criteria for mapping historical internal loss data to Basel business lines and event types.
Information Request: (a) Provide the documented criteria.

Reference 4.4
Criteria: The internal loss data is comprehensive and captures appropriate sub-systems and geographic locations.
Information Request: (a) Provide rationale for excluding loss activities and exposures, if any, from the loss collection process.

Reference 4.5
Criteria: The bank has an appropriate gross loss threshold for internal loss data collection.
Information Request: None

Reference 4.6
Criteria: The bank has specific criteria for allocating operational losses that span across business lines or occur in a centralized function.
Information Request: (a) Provide the specific criteria.

Reference 4.7
Criteria: All material operational losses related to the definition of operational risk are identified in the loss data collection.
Information Request: (a) Identify the bank's approach to collecting operational losses related to credit and market risk.

5. External Data

Reference 5.1, CAR Ch 7 (674)
Criteria: The bank's system uses relevant external loss data in its operational risk measurement system.
Information Request: (a) Identify the sources of external loss data used in the bank's operational risk measurement system.

Reference 5.2
Criteria: The bank has a systematic process for determining how and when external loss data is used in its operational risk measurement system.
Information Request: None

Reference 5.3
Criteria: The conditions and practices for using external loss data are regularly reviewed, documented and subject to periodic independent review.
Information Request: (a) Provide the documentation discussing the conditions and practices for using external loss data.

6. Scenario Analysis

Reference 6.1, CAR Ch 7 (675)
Criteria: The bank uses scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high-severity events.
Information Request: (a) Describe how scenario analysis is used in the operational risk measurement system.

7. Business Environment and Internal Control Factors

Reference 7.1, CAR Ch 7 (676)
Criteria: Factors used in the operational risk measurement system are meaningful risk drivers and were chosen based on experience and expert judgement.
Information Request: (a) Identify the rationale used for choosing business environment and internal control factors and provide a brief description of how they are used. (b) Indicate if factors are translatable into quantitative measures.

Reference 7.2
Criteria: The framework and each instance of its application must be documented and subject to independent review.
Information Request: None


8. Risk Mitigation

Reference 8.1, CAR Ch 7 (677)
Criteria: The recognition of insurance mitigation is less than 20% of the total operational risk regulatory capital charge.
Information Request: (a) Provide the documented framework developed for mitigating operational risk through the use of insurance.

Reference 8.2, CAR Ch 7 (678)
Criteria: The insurance provider has a minimum claims paying ability rating of A.
Information Request: None

Reference 8.3
Criteria: The insurance policy has an initial term of no less than one year.
Information Request: None

Reference 8.4
Criteria: The insurance policy has a minimum notice period for cancellation of 90 days.
Information Request: None

Reference 8.5
Criteria: The insurance policy has no exclusions or limitations triggered by supervisory actions.
Information Request: None

Reference 8.6
Criteria: The risk mitigation calculations reflect the insurance coverage.
Information Request: None

Reference 8.7
Criteria: The insurance is provided by a third-party entity.
Information Request: None

Reference 8.8
Criteria: The bank discloses a description of its use of insurance for the purpose of mitigating operational risk.
Information Request: (a) Indicate how the bank plans to disclose information about the use of insurance.

9. Allocation Methodology

Reference 9.1, CAR Ch 7 (656)
Criteria: The bank intends, with supervisory approval, to use an allocation mechanism for the purpose of determining the operational risk capital requirement for its subsidiaries.
Information Request: (a) For banks applying the stand-alone approach, indicate if it is applying a capital allocation methodology for its subsidiaries and provide details on the allocation methodology used. (b) For subsidiaries using the allocated capital approach, provide a description of the methodology used for capital allocation and the rationale for applying an allocation approach versus a stand-alone approach.

10. Partial Use

Reference 10.1, CAR Ch 7 (680)
Criteria: All operational risks of the bank's global, consolidated operations are captured.
Information Request: None

Criteria: AMA qualitative criteria are met for areas of the bank covered by the AMA, and those parts of the operations covered by one of the simpler approaches meet the qualifying criteria for that approach.
Information Request: None

Criteria: On the date of implementation of an AMA, a significant part of the bank's operational risks are captured by the AMA.
Information Request: None


Rating Rationale
