Updated 21/12/2024
In force

Article 8 - Independent operational risk management function

1. Competent authorities shall assess the independence of the operational risk management function from the institution's business units by confirming at least the following:

(a) that the operational risk management function undertakes the following tasks separately from the institution's business lines:

(i) the design, development, implementation, maintenance and oversight of the operational risk management process and the operational risk measurement system;

(ii) the analysis of the operational risk associated with the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products;

(iii) the oversight of business activities that may give rise to an operational risk exposure that could breach the institution's risk tolerance;

(b) that the operational risk management function receives appropriate commitment by the management body and senior management and is of adequate stature within the organization for fulfilling its tasks;

(c) that the operational risk management function is not also responsible for the internal audit function;

(d) that the head of the operational risk management function meets at least the following requirements:

(i) an appropriate level of experience to manage the actual and prospective operational risk, as indicated by the operational risk profile;

(ii) regular communication with the management body and its committees as mandated by the risk management structure of the institution;

(iii) active involvement in the elaboration of the institution's operational risk tolerance and strategy for its management and mitigation;

(iv) independence from the operational units and functions reviewed by the operational risk management function;

(v) allocation of a budget for the operational risk management function by the head of risk management referred to in the fourth subparagraph of Article 76(5) of Directive 2013/36/EU or a member of the management body in a supervisory capacity and not by a business unit or executive function.