Updated 22/10/2024
In force

Article 71 - Integration of and compliance with the operational and enterprise risk-management system

1.   A CSD shall ensure that its operational risk-management system is part of its day-to-day risk-management processes and that their results are taken into account in the process of determining, monitoring and controlling the CSD's operational risk profile.

2.   A CSD shall have in place mechanisms for regular reporting to the senior management of operational risk exposures and losses experienced from operational risks, and procedures for taking appropriate corrective action to mitigate those exposures and losses.

3.   A CSD shall have in place procedures for ensuring compliance with the operational risk-management system, including internal rules on the treatment of failures in the application of that system.

4.   A CSD shall have comprehensive and well-documented procedures to record, monitor and resolve all operational incidents, including:

(a) a system to classify the incidents taking into account their impact on the smooth provision of services by the CSD;

(b) a system for reporting material operational incidents to the senior management, the management body and the competent authority;

(c) a ‘post-incident’ review after any material disruption in the CSD's activities, to identify the causes and required improvements to the operations or business continuity policy and disaster recovery plan, including to the policies and plans of the users of the CSD. The result of that review shall be communicated to the competent authority and relevant authorities without delay.