(a)

an institution's internal operational risk measurement system shall be closely integrated into its day-to-day risk management processes;

(b)

an institution shall have an independent risk management function for operational risk;

(c)

an institution shall have in place regular reporting of operational risk exposures and loss experience and shall have in place procedures for taking appropriate corrective action;

(d)

an institution's risk management system shall be well documented. An institution shall have in place routines for ensuring compliance and policies for the treatment of non-compliance;

(e)

an institution shall subject its operational risk management processes and measurement systems to regular reviews performed by internal or external auditors;

(f)

an institution's internal validation processes shall operate in a sound and effective manner;

(g)

data flows and processes associated with an institution's risk measurement system shall be transparent and accessible.