The standards relating to process are the following:
an institution shall calculate its own funds requirement as comprising both expected loss and unexpected loss, unless expected loss is adequately captured in its internal business practices. The operational risk measure shall capture potentially severe tail events, achieving a soundness standard comparable to a 99,9 % confidence interval over a one year period;
an institution's operational risk measurement system shall include the use of internal data, external data, scenario analysis and factors reflecting the business environment and internal control systems as set out in paragraphs 3 to 6. An institution shall have in place a well documented approach for weighting the use of these four elements in its overall operational risk measurement system;
an institution's risk measurement system shall capture the major drivers of risk affecting the shape of the tail of the estimated distribution of losses;
an institution may recognise correlations in operational risk losses across individual operational risk estimates only where its systems for measuring correlations are sound, implemented with integrity, and take into account the uncertainty surrounding any such correlation estimates, particularly in periods of stress. An institution shall validate its correlation assumptions using appropriate quantitative and qualitative techniques;
an institution's risk measurement system shall be internally consistent and shall avoid the multiple counting of qualitative assessments or risk mitigation techniques recognised in other areas of this Regulation.
The standards relating to internal data are the following:
an institution shall base its internally generated operational risk measures on a minimum historical observation period of five years. When an institution first moves to an Advanced Measurement Approach, it may use a three-year historical observation period;
an institution shall be able to map their historical internal loss data into the business lines defined in Article 317 and into the event types defined in Article 324, and to provide these data to competent authorities upon request. In exceptional circumstances, an institution may allocate loss events which affect the entire institution to an additional business line ‘corporate items’. An institution shall have in place documented, objective criteria for allocating losses to the specified business lines and event types. An institution shall record the operational risk losses that are related to credit risk and that the institution has historically included in the internal credit risk databases in the operational risk databases and shall identify them separately. Such losses shall not be subject to the operational risk charge, provided that the institution is required to continue to treat them as credit risk for the purposes of calculating own funds requirements. An institution shall include operational risk losses that are related to market risks in the scope of the own funds requirement for operational risk;
an institution's internal loss data shall be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations. An institution shall be able to justify that any excluded activities or exposures, both individually and in combination, would not have a material impact on the overall risk estimates. An institution shall define appropriate minimum loss thresholds for internal loss data collection;
aside from information on gross loss amounts, an institution shall collect information about the date of the loss event, any recoveries of gross loss amounts, as well as descriptive information about the drivers or causes of the loss event;
an institution shall have in place specific criteria for assigning loss data arising from a loss event in a centralised function or an activity that spans more than one business line, as well as from related loss events over time;
an institution shall have in place documented procedures for assessing the on-going relevance of historical loss data, including those situations in which judgement overrides, scaling, or other adjustments may be used, to what extent they may be used and who is authorised to make such decisions.
The qualifying standards relating to external data are the following:
an institution's operational risk measurement system shall use relevant external data, especially when there is reason to believe that the institution is exposed to infrequent, yet potentially severe, losses. An institution shall have a systematic process for determining the situations for which external data shall be used and the methodologies used to incorporate the data in its measurement system;
an institution shall regularly review the conditions and practices for external data and shall document them and subject them to periodic independent review.
The qualifying standards relating to business environment and internal control factors are the following:
an institution's firm-wide risk assessment methodology shall capture key business environment and internal control factors that can change the institutions operational risk profile;
an institution shall justify the choice of each factor as a meaningful driver of risk, based on experience and involving the expert judgment of the affected business areas;
an institution shall be able to justify to competent authorities the sensitivity of risk estimates to changes in the factors and the relative weighting of the various factors. In addition to capturing changes in risk due to improvements in risk controls, an institution's risk measurement framework shall also capture potential increases in risk due to greater complexity of activities or increased business volume;
an institution shall document its risk measurement framework and shall subject it to independent review within the institution and by competent authorities. Over time, an institution shall validate and reassess the process and the outcomes through comparison to actual internal loss experience and relevant external data.