CP10 (Full Document) - European Banking Authority
· Defining the content of reporting to the management body (supervisory function) or to different delegated bodies thereof (e.g., the Risk Committee) and
· Examining reports from Internal Audit on operational risk management and measurement processes and systems.

475. Expectations concerning the level of understanding on the part of the management body (both supervisory and management functions) should not be lowered because of the underlying complexity of the subject. It is the responsibility of these bodies to have a complete understanding of the matters they are voting on or managing.

476. However, while the management function of the management body is expected to have a clear understanding of the management and measurement systems and processes and all factors affecting the operational risk management framework, the supervisory function of the management body should focus on assessing the impacts of potential failures in the operational risk management and measurement processes and systems on the institution’s operations.
Internal reporting

477. Operational risk reporting should be an essential part of the internal reporting system and should support the proactive management of operational risk. The recipients of the reporting should be the management body (both supervisory and management functions), the Internal Audit, the Risk Committee and/or the Internal Control Committees (where established), and, where appropriate, the internal functions responsible for identifying, assessing, monitoring, mitigating, and controlling operational risks. These internal functions could include, for example, business functions, central functions (such as IT, Plan and Management control, and accounting), and risk functions. Internal reporting may also be made available to the institution’s Regulators.

478. The frequency and content of reporting should be formally approved by the management body (both supervisory and management functions). The management function should ensure the ongoing appropriateness of the reporting framework.
479. The frequency, content, and format of reporting should depend on the recipient and how the information will be used. Possible uses include strategic and financial planning, day-to-day management, operational risk management and measurement, market disclosure, etc.
480. The scope of information included in internal reporting may vary according to the nature, size, and degree of complexity of the business, as well as of the institution. As a general rule, the riskier the business, the more detailed the information to be provided. The
Page 112 of 123