The standards relating to process are the following:
an institution shall calculate its own funds requirement as comprising both expected loss and unexpected loss, unless expected loss is adequately captured in its internal business practices. The operational risk measure shall capture potentially severe tail events, achieving a soundness standard comparable to a 99,9 % confidence interval over a one year period;
an institution's operational risk measurement system shall include the use of internal data, external data, scenario analysis and factors reflecting the business environment and internal control systems as set out in paragraphs 3 to 6. An institution shall have in place a well documented approach for weighting the use of these four elements in its overall operational risk measurement system;
an institution may recognise correlations in operational risk losses across individual operational risk estimates only where its systems for measuring correlations are sound, implemented with integrity, and take into account the uncertainty surrounding any such correlation estimates, particularly in periods of stress. An institution shall validate its correlation assumptions using appropriate quantitative and qualitative techniques;
an institution's risk measurement system shall be internally consistent and shall avoid the multiple counting of qualitative assessments or risk mitigation techniques recognised in other areas of this Regulation.
The standards relating to internal data are the following:
an institution shall be able to map their historical internal loss data into the business lines defined in Article 317 and into the event types defined in Article 324, and to provide these data to competent authorities upon request. In exceptional circumstances, an institution may allocate loss events which affect the entire institution to an additional business line ‘corporate items’. An institution shall have in place documented, objective criteria for allocating losses to the specified business lines and event types. An institution shall record the operational risk losses that are related to credit risk and that the institution has historically included in the internal credit risk databases in the operational risk databases and shall identify them separately. Such losses shall not be subject to the operational risk charge, provided that the institution is required to continue to treat them as credit risk for the purposes of calculating own funds requirements. An institution shall include operational risk losses that are related to market risks in the scope of the own funds requirement for operational risk;
an institution's internal loss data shall be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations. An institution shall be able to justify that any excluded activities or exposures, both individually and in combination, would not have a material impact on the overall risk estimates. An institution shall define appropriate minimum loss thresholds for internal loss data collection;
The qualifying standards relating to external data are the following:
an institution's operational risk measurement system shall use relevant external data, especially when there is reason to believe that the institution is exposed to infrequent, yet potentially severe, losses. An institution shall have a systematic process for determining the situations for which external data shall be used and the methodologies used to incorporate the data in its measurement system;
an institution shall regularly review the conditions and practices for external data and shall document them and subject them to periodic independent review.
The qualifying standards relating to business environment and internal control factors are the following:
an institution shall justify the choice of each factor as a meaningful driver of risk, based on experience and involving the expert judgment of the affected business areas;
an institution shall be able to justify to competent authorities the sensitivity of risk estimates to changes in the factors and the relative weighting of the various factors. In addition to capturing changes in risk due to improvements in risk controls, an institution's risk measurement framework shall also capture potential increases in risk due to greater complexity of activities or increased business volume;
an institution shall document its risk measurement framework and shall subject it to independent review within the institution and by competent authorities. Over time, an institution shall validate and reassess the process and the outcomes through comparison to actual internal loss experience and relevant external data.