- Latest available (Revised)
- Original (As adopted by EU)
Commission Delegated Regulation (EU) 2018/959Show full title
Commission Delegated Regulation (EU) 2018/959of 14 March 2018supplementing Regulation (EU) No 575/2013 of the European Parliament and of the Council with regard to regulatory technical standards of the specification of the assessment methodology under which competent authorities permit institutions to use Advanced Measurement Approaches for operational risk(Text with EEA relevance)
You are here:
What Version
Advanced Features
- Show Geographical Extent(e.g. England, Wales, Scotland and Northern Ireland)
- Show Timeline of Changes
Opening Options
More Resources
Legislation originating from the EU
When the UK left the EU, legislation.gov.uk published EU legislation that had been published by the EU up to IP completion day (31 December 2020 11.00 p.m.). On legislation.gov.uk, these items of legislation are kept up-to-date with any amendments made by the UK since then.
This item of legislation originated from the EU
Legislation.gov.uk publishes the UK version. EUR-Lex publishes the EU version. The EU Exit Web Archive holds a snapshot of EUR-Lex’s version from IP completion day (31 December 2020 11.00 p.m.).
Changes over time for: CHAPTER 2
Changes to legislation:
Commission Delegated Regulation (EU) 2018/959, CHAPTER 2 is up to date with all changes known to be in force on or before 28 January 2026. There are changes that may be brought into force at a future date. Changes that have been made appear in the content and are referenced with annotations.
EUR 2018 No. 959 may be subject to amendment by EU Exit Instruments made by both the Prudential Regulation Authority and the Financial Conduct Authority under powers set out in The Financial Regulators’ Powers (Technical Standards etc.) (Amendment etc.) (EU Exit) Regulations 2018 (S.I. 2018/1115), regs. 2, 3, Sch. Pt. 4. These amendments are not currently available on legislation.gov.uk. Details of relevant amending instruments can be found on their website/s.
Changes to Legislation
Revised legislation carried on this site may not be fully up to date. Changes and effects are recorded by our editorial team in lists which can be found in the ‘Changes to Legislation’ area. Where those effects have yet to be applied to the text of the legislation by the editorial team they are also listed alongside the legislation in the affected provisions. Use the ‘more’ link to open the changes and effects relevant to the provision you are viewing.
Changes and effects yet to be applied to Chapter 2:
- Regulation revoked by 2023 c. 29 Sch. 1 Pt. 1 3
CHAPTER 2U.K. QUALITATIVE STANDARDS
SECTION 1 U.K. Governance
Article 7U.K.Operational risk management process
1.Competent authorities shall assess the efficacy of an institution's AMA framework for the governance and management of operational risk and that a clear organisational structure with well-defined, transparent and consistent lines of responsibility exists by confirming at least the following:
(a)that the institution's management body discusses and approves the governance of operational risk, the operational risk management process and the operational risk measurement system;
(b)that the institution's management body clearly defines and determines the following on at least an annual basis:
(i)
the institution's operational risk tolerance;
(ii)
the institution's operational risk tolerance written statement on the aggregate level of operational risk loss and event types, containing both qualitative and quantitative measures including thresholds and limits based on operational risk loss metrics that the institution is willing or prepared to incur in order to achieve its strategic objectives and business plan, ensuring that it is available and understood throughout the institution;
(c)that the institution's management body monitors the institution's compliance with the operational risk tolerance statement referred to in point (b) (ii) on a continuous basis;
(d)that the institution applies an on-going operational risk management process to identify, assess and measure, monitor and report operational risk, including misconduct events, and is able to identify the staff responsible for the management of operational risk process;
(e)that the information resulting from the process referred to in point (d) is transmitted to the relevant committees and executive bodies of the institution, and that the decisions arising from those committees are communicated to those responsible within the institution for the collection, control, monitoring and management of operational risk and to those responsible for managing activities that give rise to operational risk;
(f)that the institution evaluates the effectiveness of its operational risk governance, operational risk management process and operational risk measurement system on at least an annual basis;
(g)that the institution notifies the relevant competent authority of the findings of the evaluation referred to in point (f) on at least an annual basis.
2.For the purposes of the assessment referred to in paragraph 1, competent authorities shall take into account the impact of the operational risk governance structure on the level of engagement in operational risk management and culture by the staff of the institution, including at least the following:
(a)the level of awareness, on behalf of the staff of the institution, of operational risk policies and procedures;
(b)the institution's internal process for challenging the design and the effectiveness of the AMA framework.
Article 8U.K.Independent operational risk management function
1.Competent authorities shall assess the independence of the operational risk management function from the institution's business units by confirming at least the following:
(a)that the operational risk management function undertakes the following tasks separately from the institution's business lines:
(i)
the design, development, implementation, maintenance and oversight of the operational risk management process and the operational risk measurement system;
(ii)
the analysis of the operational risk associated with the introduction and development of new products, markets, lines of business, processes, systems and significant changes to existing products;
(iii)
the oversight of business activities that may give rise to an operational risk exposure that could breach the institution's risk tolerance;
(b)that the operational risk management function receives appropriate commitment by the management body and senior management and is of adequate stature within the organization for fulfilling its tasks;
(c)that the operational risk management function is not also responsible for the internal audit function;
(d)that the head of the operational risk management function meets at least the following requirements:
(i)
an appropriate level of experience to manage the actual and prospective operational risk, as indicated by the operational risk profile;
(ii)
regular communication with the management body and its committees as mandated by the risk management structure of the institution;
(iii)
active involvement in the elaboration of the institution's operational risk tolerance and strategy for its management and mitigation;
(iv)
independence from the operational units and functions reviewed by the operational risk management function;
(v)
allocation of a budget for the operational risk management function by the head of risk management referred to in the fourth subparagraph of Article 76(5) of Directive 2013/36/EU or a member of the management body in a supervisory capacity and not by a business unit or executive function.
Article 9U.K.Senior management involvement
Competent authorities shall assess the degree of involvement of senior management of an institution by confirming at least the following:
(a)
that senior management is responsible for implementing the operational risk governance and management framework approved by the management body;
(b)
that senior management has been empowered by the management body to develop policies, processes and procedures for managing operational risk;
(c)
that senior management is implementing the policies, processes and procedures for managing operational risk referred to in point (b).
Article 10U.K.Reporting
Competent authorities shall assess whether the reporting of an institution's operational risk profile and management of operational risk is sufficiently regular, timely and robust by confirming at least the following:
(a)
that problems relating to the institution's reporting systems and internal controls are identified quickly and accurately;
(b)
that the institution's operational risk reports are distributed to appropriate levels of management and to areas of the institution which the reports have identified as an area of concern;
(c)
that the institution's senior management receives at least quarterly reports on the latest status of the institution's operational risk profile and uses these reports in the decision making process;
(d)
that the institution's operational risk reports contain relevant management information and at least a high-level summary of the top operational risks of the institution and of the relevant subsidiaries as well as business units;
(e)
that the institution uses ad hoc reports in case of certain deficiencies in the policies, processes and procedures for managing operational risk to promptly detect and address these deficiencies and therefore substantially reduce the potential frequency and severity of a loss event.’
SECTION 2 U.K. Use test
Article 11U.K.Use of the AMA
Competent authorities shall assess that an institution uses the AMA for internal purposes by confirming at least the following:
(a)
that the institution's operational risk measurement system is used to manage operational risks across different business lines, units or legal entities within the organisation structure;
(b)
that the operational risk measurement system is embedded within the various entities of the group and, where it is used at a consolidated level, that the parent institution's AMA framework is extended to the subsidiaries, and that those subsidiaries' operational risk and business environment and internal control factors (BEICF) referred to in Articles 322(1) and 322(6) of Regulation (EU) No 575/2013 are incorporated in the group-wide AMA calculations;
(c)
that the operational risk measurement system is used also for the purposes of the institution's internal capital adequacy assessment process referred to in Article 73 of Directive 2013/36/EU.
Article 12U.K.Continuous integration of the AMA
Competent authorities shall assess that an institution ensures the continuous integration of its operational risk management system into its day-to-day risk management processes by confirming at least the following:
(a)
that the operational risk measurement system is updated on a regular basis and is further developed as more experience and sophistication in management and quantification of operational risk is gained;
(b)
that the nature and balance of inputs into the operational risk measurement system are relevant and reflect the nature of the institution's business, strategy, organisation and operational risk exposure at all times.
Article 13U.K.AMA used to support the operational risk management of the institution
Competent authorities shall assess that an institution uses the AMA to support its operational risk management, by confirming at least the following:
(a)
that the operational risk measurement system is effectively used for the regular and prompt reporting of consistent information that accurately reflects the nature of the business and the operational risk profile of the institution;
(b)
that the institution takes remedial actions to improve internal processes upon receipt of information about findings from the operational risk measurement system.
Article 14U.K.AMA used to enhance the operational risk organization and control of the institution
Competent authorities shall assess that an institution uses the AMA to further enhance its operational risk organization and control, by confirming at least the following:
(a)
that the institution's definition of operational risk tolerance and its associated operational risk management objectives and activities are clearly communicated within the institution;
(b)
that the relationship between the institution's business strategy and its operational risk management, including with regard to the approval of new products, systems and processes, is clearly communicated within the institution;
(c)
that the operational risk measurement system increases transparency, risk awareness and operational risk management expertise and creates incentives to improve the management of operational risk throughout the institution;
(d)
that the inputs and the outputs of the operational risk measurement system are used in relevant decisions and plans, including in the institution's action plans, business continuity plans, internal audit working plans, capital assignment decisions, insurance plans and budgeting decisions.
Article 15U.K.Comparison of the AMA with the less sophisticated approaches
1.Competent authorities shall assess that an institution demonstrates the stability and robustness of the AMA output by confirming at least the following:
(a)that before granting the permission to use the AMA for regulatory purposes, the institution calculated its own funds requirements for operational risk under both the AMA and the less sophisticated approach previously applicable to it, and that it performed that calculation:
(i)
on a reasonably regular basis, and at least quarterly;
(ii)
covering all relevant legal entities that would use the AMA at the date of the initial implementation;
(iii)
covering all the operational risks that would be covered by the AMA at the date of the initial implementation.
(b)that the institution complies with at least the following:
(i)
the operational risk management process and the operational risk measurement system have been developed and tested;
(ii)
any problems have been resolved and the system and attendant process have been fine-tuned;
(iii)
it has ensured that the operational risk measurement system generates results which conform to the institution's expectations, including taking account of information from both the institution's existing and previous systems;
(iv)
it has demonstrated it can quickly vary model parameters to understand the impact of changed assumptions with minimal systems adjustments or manual interventions;
(v)
it is able to make appropriate capital adjustments to the own funds requirements before the first ‘live use’ of the AMA;
(vi)
it has demonstrated over a reasonable period that the new systems and reporting processes are robust and generate management information that the institution can use to identify and manage operational risk.
For the purposes of point (a), the assessment of the calculation performed shall cover at least two consecutive quarters.
2.Competent authorities may grant permission to use the AMA where the institution demonstrates its continuous comparison of the calculation of its own funds requirements for operational risk under the AMA against the less sophisticated approach previously applicable to it, for one year after the permission is granted.
SECTION 3 U.K. Audit and internal validation
Article 16U.K.Audit and internal validation functioning
1.Competent authorities shall assess the degree to which an institution's audit and internal validation functions confirm that the operational risk management and measurement processes implemented for AMA purposes are reliable and effective in managing and measuring operational risk within the organization by verifying at least the following:
(a)that the internal validation function provides a reasoned and well-informed opinion on whether the operational risk measurement system works as predicted, and that the outcome of the model is suitable for its various internal and supervisory purposes, at least on annual basis;
(b)that the audit function verifies the integrity of the operational risk policies, processes and procedures, assessing whether these comply with regulatory requirements as well with established controls, at least on annual basis and in particular, that the audit function assesses the quality of the sources and data used for operational risk management and measurement purposes;
(c)that the functions of audit and internal validation have a review program in place that covers the aspects of the AMA included in this Regulation and is regularly updated with regard to:
(i)
the development of internal processes for identifying, measuring and assessing, monitoring, controlling and mitigating operational risk;
(ii)
the implementation of new products, processes and systems which expose the institution to material operational risk.
(d)that the internal validation is carried out by qualified resources, which are independent of the validated units;
(e)that where audit activities are carried out by internal or external audit functions or qualified external parties, these are independent of the process or system being reviewed and, where these are outsourced, that the management body and senior management of the institution remain accountable for ensuring that outsourced functions are performed in accordance with the institutions' approved audit plan;
(f)that the audit and internal validation reviews on the AMA framework are properly documented and their output is distributed to the appropriate recipients within the institutions, including, where appropriate, the risk committees, operational risk management function, business line management and other relevant staff;
(g)that the results of the audit and internal validation reviews are summarised and reported on at least an annual basis to the institution's management body or to a committee designated by it for approval;
(h)that the review and approval of the effectiveness of the institution's AMA framework is undertaken at least on an annual basis.
Article 17U.K.Audit and internal validation governance
Competent authorities shall assess that an institution's audit and internal validation governance is of a high quality by confirming at least the following:
(a)
that audit programs for reviewing the AMA framework cover all significant activities that could expose the institution to material operational risk, including outsourced activities;
(b)
that the internal validation techniques are proportionate to changing market and operating conditions, and that their outcomes are subject to audit review.
SECTION 4 U.K. Data quality and IT infrastructure
Article 18U.K.Data quality
1.Competent authorities shall assess the degree to which the quality of the data used by an institution's in the AMA framework is maintained, and that the building and maintenance procedures are regularly analysed by that institution, by verifying that the institution has at least the following sets of data at its disposal:
(a)data to build and track its operational risk history, made up of internal and external data, scenario analysis, and BEICF;
(b)complementary data, including model parameters, model outputs and reports.
2.For the purposes of paragraph 1, competent authorities shall confirm that the institution has defined appropriate data quality dimensions to provide effective support to its operational risk management process and measurement system, and that it complies on a regular basis with the set dimensions.
3.For the purposes of paragraph 1, competent authorities shall confirm that the institution's data quality dimensions meet at least the following conditions:
(a)they are of sufficient breadth, depth, and scope for the task at hand;
(b)they meet current and potential user needs;
(c)they are updated promptly;
(d)they are appropriate for, and consistent with, the extent of their usage;
(e)they accurately represent the real-life phenomenon that they aim to represent;
(f)they do not violate any business rule in a database that has to be statically and dynamically maintained.
4.For the purposes of paragraph 1, competent authorities shall confirm that the institution has appropriate documentation for the design and maintenance of the databases used in the institution's AMA framework, and that the documentation contains at least the following:
(a)a global map of databases involved in the operational risk measurement system with their descriptions;
(b)a data policy and a statement of responsibility;
(c)descriptions of work-flows and procedures related to data collection and data storage;
(d)a statement of weaknesses with all the weaknesses identified in the databases of the validation and review processes and a statement on how the institution plans to correct or reduce the weaknesses identified.
5.Competent authorities shall confirm that the policies on the SDLC for AMA are approved by the institution's management body and senior management.
6.Where the institution uses external data sources, the institution shall ensure that the provisions in this Article are satisfied.
Article 19U.K.Supervisory assessment of IT infrastructure
1.Competent authorities shall assess the degree to which an institution ensures the soundness, robustness and performance of the IT infrastructure used for AMA purposes by confirming at least the following:
(a)that the IT systems and infrastructure of the institution for AMA purposes are sound and resilient and that these features can be maintained on a continuous basis;
(b)that the SDLC for AMA purposes is sound and proper with reference to:
(i)
project management, risk management, and governance;
(ii)
engineering, quality assurance and test planning;
(iii)
systems' modelling and development;
(iv)
quality assurance in all activities, including code reviews and where appropriate, code verification;
(v)
testing, including user acceptance.
(c)that the institution's IT infrastructure implemented for AMA purposes is subject to configuration management, change management and release management processes;
(d)that SDLC and contingency plans for AMA purposes are approved by the institution's management body or senior management and that the management body and senior management are periodically informed about the IT infrastructure performance for AMA purposes.
2.Where the institution outsources parts of the IT infrastructure maintenance for AMA purposes, the institution shall ensure that the provisions in this Article are satisfied.
Options/Help
Print Options
PrintThe Whole Regulation
PrintThis Chapter only
Legislation is available in different versions:
Latest Available (revised):The latest available updated version of the legislation incorporating changes made by subsequent legislation and applied by our editorial team. Changes we have not yet applied to the text, can be found in the ‘Changes to Legislation’ area.
Original (As adopted by EU): The original version of the legislation as it stood when it was first adopted in the EU. No changes have been applied to the text.
See additional information alongside the content
Geographical Extent: Indicates the geographical area that this provision applies to. For further information see ‘Frequently Asked Questions’.
Show Timeline of Changes: See how this legislation has or could change over time. Turning this feature on will show extra navigation options to go to these specific points in time. Return to the latest available version by using the controls above in the What Version box.
Opening Options
Different options to open legislation in order to view more content on screen at once
More Resources
Access essential accompanying documents and information for this legislation item from this tab. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the EU Official Journal
- lists of changes made by and/or affecting this legislation item
- all formats of all associated documents
- correction slips
- links to related legislation and further information resources
Timeline of Changes
This timeline shows the different versions taken from EUR-Lex before exit day and during the implementation period as well as any subsequent versions created after the implementation period as a result of changes made by UK legislation.
The dates for the EU versions are taken from the document dates on EUR-Lex and may not always coincide with when the changes came into force for the document.
For any versions created after the implementation period as a result of changes made by UK legislation the date will coincide with the earliest date on which the change (e.g an insertion, a repeal or a substitution) that was applied came into force. For further information see our guide to revised legislation on Understanding Legislation.
More Resources
Use this menu to access essential accompanying documents and information for this legislation item. Dependent on the legislation item being viewed this may include:
- the original print PDF of the as adopted version that was used for the print copy
- correction slips
Click 'View More' or select 'More Resources' tab for additional information including:
- lists of changes made by and/or affecting this legislation item
- confers power and blanket amendment details
- all formats of all associated documents
- links to related legislation and further information resources
All content is available under the Open Government Licence v3.0 except where otherwise stated. This site additionally contains content derived from EUR-Lex, reused under the terms of the Commission Decision 2011/833/EU on the reuse of documents from the EU institutions. For more information see the EUR-Lex public statement on re-use.