Article 323
Operational risk management framework
1.
Institutions shall have in place:
(a)
a well-documented assessment and management system for operational risk which is closely integrated into day-to-day risk management processes, forms an integral part of the process of monitoring and controlling the institution’s operational risk profile, and for which clear responsibilities have been assigned; the assessment and management system for operational risk shall identify the institution’s exposures to operational risk and track relevant operational risk data, including material loss data;
(b)
an operational risk management function that is independent from the institution’s business and operational units;
(c)
a system of reporting to senior management that provides operational risk reports to relevant functions within the institution;
(d)
a system of regular monitoring and reporting of operational risk exposures and loss experience, and procedures for taking appropriate corrective actions;
(e)
routines for ensuring compliance, and policies for the treatment of non-compliance;
(f)
regular reviews of the institution’s operational risk assessment and management processes and systems, carried out by internal or external auditors that possess the necessary knowledge;
(g)
internal validation processes that operate in a sound and effective manner;
(h)
transparent and accessible data flows and processes associated with the institution’s operational risk assessment system.
2.
EBA shall develop draft regulatory technical standards to specify the obligations under paragraph 1, points (a) to (h), taking into consideration the size and complexity of the institution.
EBA shall submit those draft regulatory technical standards to the Commission by 10 January 2027.
Power is delegated to the Commission to supplement this Regulation by adopting the regulatory technical standards referred to in the first subparagraph of this paragraph in accordance with Articles 10 to 14 of Regulation (EU) No 1093/2010.