1.To be eligible for an Advanced Measurement Approach, credit institutions must satisfy the competent authorities that they meet the qualifying criteria below, in addition to the general risk management standards in Article 22 and Annex V.
1.1.Qualitative Standards
2.The credit institution's internal operational risk measurement system shall be closely integrated into its day-to-day risk management processes.
3.The credit institution must have an independent risk management function for operational risk.
4.There must be regular reporting of operational risk exposures and loss experience. The credit institution shall have procedures for taking appropriate corrective action.
5.The credit institution's risk management system must be well documented. The credit institution shall have routines in place for ensuring compliance and policies for the treatment of non-compliance.
6.The operational risk management processes and measurement systems shall be subject to regular reviews performed by internal and/or external auditors.
7.The validation of the operational risk measurement system by the competent authorities shall include the following elements:
(a)
verifying that the internal validation processes are operating in a satisfactory manner;
(b)
making sure that data flows and processes associated with the risk measurement system are transparent and accessible.
1.2.Quantitative Standards
1.2.1.Process
8.Credit institutions shall calculate their capital requirement as comprising both expected loss and unexpected loss, unless they can demonstrate that expected loss is adequately captured in their internal business practices. The operational risk measure must capture potentially severe tail events, achieving a soundness standard comparable to a 99,9 % confidence interval over a one year period.
9.The operational risk measurement system of a credit institution must have certain key elements to meet the soundness standard set out in point 8. These elements must include the use of internal data, external data, scenario analysis and factors reflecting the business environment and internal control systems as set out in points 13 to 24. A credit institution needs to have a well documented approach for weighting the use of these four elements in its overall operational risk measurement system.
10.The risk measurement system shall capture the major drivers of risk affecting the shape of the tail of the loss estimates.
11.Correlations in operational risk losses across individual operational risk estimates may be recognised only if credit institutions can demonstrate to the satisfaction of the competent authorities that their systems for measuring correlations are sound, implemented with integrity, and take into account the uncertainty surrounding any such correlation estimates, particularly in periods of stress. The credit institution must validate its correlation assumptions using appropriate quantitative and qualitative techniques.
12.The risk measurement system shall be internally consistent and shall avoid the multiple counting of qualitative assessments or risk mitigation techniques recognised in other areas of the capital adequacy framework.
1.2.2.Internal data
13.Internally generated operational risk measures shall be based on a minimum historical observation period of five years. When a credit institution first moves to an Advanced Measurement Approach, a three-year historical observation period is acceptable.
14.Credit institutions must be able to map their historical internal loss data into the business lines defined in Part 2 and into the event types defined in Part 5, and to provide these data to competent authorities upon request. There must be documented, objective criteria for allocating losses to the specified business lines and event types. The operational risk losses that are related to credit risk and have historically been included in the internal credit risk databases must be recorded in the operational risk databases and be separately identified. Such losses will not be subject to the operational risk charge, as long as they continue to be treated as credit risk for the purposes of calculating minimum capital requirements. Operational risk losses that are related to market risks shall be included in the scope of the capital requirement for operational risk.
15.The credit institution's internal loss data must be comprehensive in that it captures all material activities and exposures from all appropriate sub-systems and geographic locations. Credit institutions must be able to justify that any excluded activities or exposures, both individually and in combination, would not have a material impact on the overall risk estimates. Appropriate minimum loss thresholds for internal loss data collection must be defined.
16.Aside from information on gross loss amounts, credit institutions shall collect information about the date of the event, any recoveries of gross loss amounts, as well as some descriptive information about the drivers or causes of the loss event.
17.There shall be specific criteria for assigning loss data arising from an event in a centralised function or an activity that spans more than one business line, as well as from related events over time.
18.Credit institutions must have documented procedures for assessing the on-going relevance of historical loss data, including those situations in which judgement overrides, scaling, or other adjustments may be used, to what extent they may be used and who is authorised to make such decisions.
1.2.3.External data
19.The credit institution's operational risk measurement system shall use relevant external data, especially when there is reason to believe that the credit institution is exposed to infrequent, yet potentially severe, losses. A credit institution must have a systematic process for determining the situations for which external data must be used and the methodologies used to incorporate the data in its measurement system. The conditions and practices for external data use must be regularly reviewed, documented and subject to periodic independent review.
1.2.4.Scenario analysis
20.The credit institution shall use scenario analysis of expert opinion in conjunction with external data to evaluate its exposure to high severity events. Over time, such assessments need to be validated and re-assessed through comparison to actual loss experience to ensure their reasonableness.
1.2.5.Business environment and internal control factors
21.The credit institution's firm-wide risk assessment methodology must capture key business environment and internal control factors that can change its operational risk profile.
22.The choice of each factor needs to be justified as a meaningful driver of risk, based on experience and involving the expert judgment of the affected business areas.
23.The sensitivity of risk estimates to changes in the factors and the relative weighting of the various factors need to be well reasoned. In addition to capturing changes in risk due to improvements in risk controls, the framework must also capture potential increases in risk due to greater complexity of activities or increased business volume.
24.This framework must be documented and subject to independent review within the credit institution and by competent authorities. Over time, the process and the outcomes need to be validated and re-assessed through comparison to actual internal loss experience and relevant external data.