Regulation in force

Guidelines for applying the Standardized Approach to determine own funds for operational risk (9 March 2009)

I.  INTRODUCTION

Chapter 8 of Banco de España Circular 3/2008 of 22 May 2008 on determination and control of minimum own funds, relating to capital requirements for operational risk[1] establishes in point 1 of Rule ninety-five that credit institutions must calculate those requirements by either the Basic Indicator Approach, Standardized Approach or Advanced Measurement Approach.

This document gives guidelines for those credit institutions that have opted to apply the Standardized Approach and is intended to help them comply more adequately with the criteria and requirements for use of this method, which are contained in Rule ninety-seven of Circular 3/2008. These Guidelines exclude Section 3 of that Rule relating to the Alternative Standardized Approach, the use of which requires the prior authorisation of the Banco de España.

For this purpose, these Guidelines contain a set of indications and, in some cases, practical examples, prepared by the Banco de España to explain and clarify certain essential points for the application of this method, with the ultimate objective of enhancing the quality, homogeneity and consistency of the information provided by credit institutions.

The use of the Standardized Approach to calculate minimum capital requirements for operational risk should be decided by the Board of Directors or equivalent body of the institution. This decision should be notified to the Directorate General Banking Supervision of the Banco de España by the Managing Director or General Manager of the credit institution not later than the remittance date of the first own funds returns in which this method is applied.

This notification should indicate that the criteria and requirements set out in Rule ninety-seven of Circular 3/2008 for application of the Standardized Approach are being complied with, and the documentation evidencing compliance with those criteria and requirements should be made available to the Directorate General Banking Supervision, in accordance with Section 1 of said Rule. For that purpose, attached to these Guidelines as Annex 1 is a document setting out the minimum information that the Banco de España considers necessary to be made available to it for the accreditation of the aforementioned criteria and requirements. Also attached, as Annex 2, is another document detailing the structure and minimum content of the audit report in which the periodic review referred to in Sections 3d) and 3e vii) of Rule ninety-seven of Circular 3/2008 will be reflected.

Finally, Annex 3 lists the sections of Circular 3/2008 serving as a reference for this method.


[1] Risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes reputational risk.
 
II. DEFINITION OF BUSINESS LINES AND MAPPING OF ACTIVITIES
II.1 General principles 

As established in Section 1.1 of Rule ninety-seven, credit institutions applying the Standardized Approach must design and document specific policies and criteria for mapping their activities to the following eight business lines:

1) Corporate finance:

This business line shall include the following activities:

i) Underwriting of financial instruments and/or placing of financial instruments on a firm commitment basis.

ii) Services related to underwriting.

iii) Investment advice.

iv) Advice to undertakings on capital structure, industrial strategy and related matters, and advice and services relating to the mergers and the purchase of undertakings.

v) Investment research and financial analysis and other forms of general recommendation relating to transactions in financial instruments.

2) Trading and sales:

This business line shall include the following activities:

i) Dealing on own account.

ii) Money broking.

iii) Reception and transmission of orders in relation to one or more financial instruments.

iv) Execution of orders on behalf of clients.

v) Placing of financial instruments without a firm commitment basis.

vi) Operation of multilateral trading facilities.

3) Retail brokerage:

This business line shall include the following activities carried out with individual physical persons or with SMEs meeting the criteria set out in the regulations for the retail exposure class:

i) Reception and transmission of orders in relation to one or more financial instruments.

ii) Execution of orders on behalf of clients.

iii) Placing of financial instruments without a firm commitment basis.

4) Commercial banking:

This business line shall include the following activities, provided they do not meet the criteria for classifying them as retail banking:

i) Acceptance of deposits and other repayable funds.

ii) Lending.

iii) Financial leasing.

iv) Guarantees and commitments.

5) Retail banking:

This business line shall include the following activities conducted with individual physical persons or with SMEs meeting the criteria set out in the regulations for the retail exposure class:

i) Acceptance of deposits and other repayable funds.

ii) Lending.

iii) Financial leasing.

iv) Guarantees and commitments.

6) Payment and settlement:

This business line shall include the following activities:

i) Money transmission services.

ii) Issuing and administering means of payment.

7) Agency services:

This business line shall include the following activities:

i) Safekeeping and administration of financial instruments for the account of clients, including custodianship and related services such as cash/collateral management.

8) Asset management:

This business line shall include the following activities:

i) Portfolio management.

ii) Managing of collective investment institutions (UCITS).

iii) Other forms of asset management.

The following table lists the aforementioned business lines and their respective weights for the purposes of determining regulatory capital requirements for operational risk, as set out in Section IV of these Guidelines:

Business line Weight

Section 2 of Rule ninety-seven stipulates that Senior Management shall be responsible for mapping policies, which shall be under the control of the management bodies.

It also specifies that such policies and criteria must be reviewed and adjusted, as appropriate, to any new risks and economic activities that may arise, and to the changes resulting from developments in existing ones. Also, the process of mapping to business lines shall be reviewed at least annually by the internal audit unit.

Finally, it establishes that this mapping must be made as follows:

1) All activities must be mapped to one and only one business line, such that no activity is left unassigned and no activity is assigned to more than one business line.

2) Activities which cannot readily be mapped to a business line but which represent an ancillary function to an activity included in some business line shall be allocated to the business line they support. If more than one business line is supported through the ancillary activity, an objective mapping criterion must be used.

3) If an activity cannot be mapped to a particular business line by following the instructions set out above, then it shall be mapped to the business line yielding the highest weight.

Any associated ancillary activity must also be mapped to that business line.

II.2 Additional guidance 

For the purposes of Section 3e) of Rule ninety-seven of Circular 3/2008, set forth below are practical examples and indications on the means of mapping which best meets the requirements and criteria stipulated to this end in the Circular. The application of these criteria should in all cases be commensurate with the size and scale of credit institutions’ activities.

A) Mapping of the components of compound activities

Regardless of how they are internally defined and organised by credit institutions, compound activities should be broken up into their various components whenever these are significant in terms of Relevant Income.

For mapping purposes, compound activities should be ignored, while their components should be assigned to the most suitable business lines based on their nature and characteristics, such that the most appropriate weights are applied.

The Relevant Income from compound activities should be assigned to business lines according to the criteria established in Section III.2 of these Guidelines.

Examples:

− The activities of Merchant Banking and Private Equity are usually compound activities whose relevant components may, for example, be advisory and financial research, underwriting, corporate lending and asset management.

In these cases, credit institutions should assign the relevant components of these activities to the most suitable business lines: for example, advisory and financial research and underwriting could be allocated to the Corporate Finance line; corporate lending to the Commercial Banking line; and asset management to the Asset Management line.

− Private banking is usually a compound activity whose components may be advisory, lending, placing of financial instruments and asset management.

In this case, retail lending should be mapped to the Retail Banking line; the placing of financial instruments could be allocated to the Retail Brokerage line; and asset management to the Asset Management line.

B) Activities relating to more than one business line

Activities relating to more than one business line should be assigned to the most predominant business line or, if none predominates, to the most suitable one/s in accordance with its/their nature and characteristics (for example, based on the counterparty and on the legal instrument used).

Examples of predominant business lines:

− The activities of financial leasing and factoring should be assigned to the Retail Banking line or to the Commercial Banking line, depending on whether or not the main transactions are with customers meeting the criteria set out in the regulations for the retail exposure class.

− Debit and credit cards could be assigned in full to the Retail Banking line because it is an activity whose customers are predominantly retail (even in the case of a contract with a customer not meeting the criteria set out in the regulations for the retail exposure class, cards are generally used by retail customers).

− If prime brokerage services are provided under an agency contract and thus consist predominantly of cash management and custody services, they should be assigned to the Agency Services line. Otherwise they should be assigned to the Trading and Sales line.

Examples where no business line predominates:

− The securitisation activity should be assigned to the Corporate Finance line if the services are for the account of third parties (i.e. when the institution acts as an investment firm) and to the Trading and Sales line if they are on own account (if the institution acts as the originator). The activities of management companies of securitisation SPEs shall be assigned to the Asset Management line.

− Bad loans management should be assigned to the Retail Banking or Commercial Banking lines according to the underlying composition of the loan portfolio.

C) Supporting activities and dedicated activities

When an activity strongly supports, forms part of or is ancillary to another activity, it follows the business line assignment of the latter.

However, if the activity is carried out as a specific business (dedicated activities), it should be mapped to the most suitable business line based on its nature and characteristics.

Examples:

− The securities lending activity, when it supports the prime brokerage activity, should follow the mapping criterion of the latter (see examples in point B above).

− Investment advice may be considered a supporting activity when it is aimed, for instance, at placing financial or insurance instruments with institutional investors or other customers, regardless of whether or not these meet the criteria set out in the regulations for the retail exposure class. In these cases it should follow the business line assignment adopted for the placing of financial/insurance instruments (see below).

On the other hand, if Investment Advice is a specific, dedicated business provided for corporate customers, it should be mapped to 'Corporate Finance'.

− Activities such as payment services, funds transfer, etc., which cannot be readily mapped into the business line framework and are ancillary to retail or corporate clients, should be assigned to 'Retail Banking' or 'Commercial Banking', depending on whether or not the customers meet the criteria set out in the regulations for the retail exposure class.

However, if such activities represent a specific, dedicated, business of the credit institution (for example, debit/credit card clearing, fund transfer as a specific business, correspondent banking, etc.), they should be assigned to 'Payment and Settlement'.

− Activities such as custodianship or cash or collateral management, which cannot be readily mapped into the business line framework and are ancillary services to customers, should be assigned to 'Retail Banking' or 'Commercial Banking' according to whether or not the customers meet the criteria set out in the regulations for the retail exposure class.

However, if these activities constitute a specific, dedicated, business of the credit institution (for example, global custody, depositary bank, etc.), they should be assigned to 'Agency Services'.

− If their nature and characteristics make them closer to dedicated than supporting activities, reception/transmission/execution of orders and placing of financial/insurance instruments should be assigned to 'Retail Brokerage' if the counterparts are customers meeting the criteria set out in the regulations for the retail exposure class and to 'Trading & Sales' if the counterparts are institutional investors or are customers not meeting the criteria set out in the regulations for the retail exposure class.

II.3 Mapping schema 

Taking into account the general principles set out in Section II.1 and the additional mapping guidance in Section II.2, the schema for mapping a list of activities to business lines would be as follows:

III. DETERMINATION OF RELEVANT INCOME AND MAPPING TO BUSINESS LINES
III.1  Determination of Relevant Income 

Section 2 of Rule ninety-seven of Circular 3/2008 establishes that Relevant Income under the Standardized Approach shall be determined as specified for the Basic Indicator Approach in Sections 2 and 3 of Rule ninety-six. To make this definition more specific, these Guidelines take account of the indications set out by the Banco de España in the Technical Applications for preparation of returns relating to capital requirements for operational risk, adopting two basic principles:

- To calculate the requirements for operational risk, an accounting value shall be taken as a reference point. This makes for easier implementation and makes the data more reliable, auditable and comparable between different credit institutions.

- This value should be similar to that normally used by credit institutions in management to reflect income from their typical, customary activities. This would coincide with the objective of the new solvency rules in seeking an indicator to assess operational risk.

Accordingly, Relevant Income shall be derived from the following captions established by Banco de España Circular 4/2004 in the confidential consolidated income statement, Return C.3-1, for calculation at consolidated level, and in the confidential income statement, Return T.1-1, for calculation at individual level:

1. Interest and similar income

2. Interest expenses and similar charges

3. Return on equity instruments

5. Fee and commission income

6. Fee and commission expenses

8. Gains or losses on financial assets and liabilities (net)

9. Exchange differences (net)

12. Other operating income

III.2 Mapping of Relevant Income to business lines 

Section 2 of Rule ninety-seven establishes that credit institutions applying the Standardized Approach shall design and document specific policies and criteria for mapping the Relevant Income components to the respective business lines, which must be consistent with the activity mapping described in Section II.1. Senior management shall be responsible for these mapping policies, which shall be under the control of the management bodies.

In a manner analogous to that indicated in Section II.1, such policies and criteria should be reviewed and adjusted, as appropriate, to any new risks and economic activities that may arise, and to the changes resulting from developments in existing ones. Also, the process of Relevant Income mapping shall be reviewed at least annually by the internal audit unit.

It also establishes that credit institutions may use their management data to assign Relevant Income to each business line. The income and costs generated in a business line that are allocable to another different business line shall be reassigned to the business line to which they belong.

Also, the asset financing costs assigned to each business line that arise from liabilities allocable to other business lines shall be identified, keeping in mind that:

a) The procedures for carrying out this allocation should be duly approved, documented, updated and integrated in the internal management systems.

b) The financial parameters to be used shall be in consonance with the market conditions.

c) The procedures shall be applied consistently at all times and over time.

In any event, the redistribution of income and costs among business lines may not alter the overall amount of credit institutions’ Relevant Income.

IV. CALCULATION OF CAPITAL REQUIREMENTS

As established in Section 1.2 of Rule ninety-seven, under the Standardized Approach the capital requirements for operational risk are calculated as the simple average over the last three years of the summation of each year’s Relevant Income from each of the eight business lines comprising credit institutions’ activity multiplied by the respective weight, provided that this sum may not be negative.

The mathematical expression is:

The Standardized Approach thus allows offsetting between the requirements attributable to the various business lines in each year. Accordingly, for each year, the negative capital requirements in any business line may offset positive requirements in other business lines, subject to the limit that such offsetting may not give rise to a negative overall amount, in which case it would be deemed to be zero.

The calculation procedure under the Standardized Approach is clarified in the following example:

The following table shows the Relevant Income for 3 years of the 8 business lines. Weighted values are calculated by multiplying each amount of Relevant Income by the related weight. Summation for each year then gives an annual weighted income:

In calculating the capital requirements for operational risk, there are legal limits on offsetting between the requirements in the various business lines.

Hence, in determining the annual weighted Relevant Income values used to calculate the required capital, the amount for year 2, which is negative, must be replaced by zero. Then the required capital is calculated as the simple average for the three years of the amounts in question, as shown in the following table, which also gives the calculation of requirements by the Basic Indicator Approach, so as to illustrate the different treatments of negative Relevant Income in the two methods.

Note that under the Basic Indicator Approach, only the positive Relevant Income in the last three years is considered, so the capital requirements for operational risk are calculated as the simple average for the two years with positive Relevant Income, multiplied by 15%.

V. QUALITATIVE REQUIREMENTS

One of the basic features that distinguishes the Standardized Approach from the Basic Indicator Approach is that credit institutions seeking to apply it must provide evidence to the Banco de España accrediting that they comply with the qualitative requirements set in Section 2 of Rule ninety-seven. These requirements are very similar to those set in Section 2 of Rule ninety-eight for credit institutions seeking to apply Advanced Measurement Approaches (AMA).

Credit institutions which decide to apply the Standardized Approach must provide evidence that they have in place an integrated operational risk management system. It is not acceptable to have a system which limits itself to simply carrying out the procedure for calculating capital requirements for operational risk under this Approach.

Annex 1 sets out the minimum information that the Banco de España considers must be made available to it to accredit compliance with the requirements set in Circular 3/2008 for application of the Standardized Approach.

The qualitative requirements are:

1. Senior management is responsible for approving the operational risk management framework.

2. As indicated in Sections II.1 and III.2 of these Guidelines, credit institutions have to define, implement and review policies, instructions and criteria for mapping their activities and Relevant Income components to the respective business lines, with senior management having responsibility for mapping policies. These policies, instructions and criteria shall be under the control of the management bodies.

The criteria defined shall be clear and detailed, so as to enable a third party to replicate the mapping carried out. Credit institutions shall register and duly justify any exception from the defined mapping process.

3. Credit institutions must have an operational risk management system with clearly defined responsibilities. For this purpose, it is recommendable that they have a specific unit for operational risk management.

4. Credit institutions shall register the significant operational risk data, including the losses derived from operational risk that exceed the internally established threshold and, in addition, identify the type of operational risk loss event, which shall coincide with one of the seven categories defined in Rule one hundred, namely:

1) Internal fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one senior management representative, manager or employee of the credit institution.

2) External fraud: Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party outside the credit institution.

3) Employment practices and workplace safety: Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity/discrimination events.

4) Clients, products and business practices: Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

5) Damage to physical assets: Losses arising from loss or damage to physical assets from natural disaster or other events.

6) Business disruption and system failures: Losses arising from disruption of business or system failures.

7) Execution, delivery & process management: Losses from failed transaction processing or process management, from relations with trade counterparties and vendors.

It would be recommendable for credit institutions to gather information about the date the event occurred, the date it was recorded in the loss database, any recovery with respect to gross amounts and any information of a descriptive nature about the triggering factors or causes of the event that gave rise to the loss.

It would be recommendable for credit institutions to have specific allocation criteria for the losses arising from events occurring in a centralised unit or in an activity including more than one business line and for those arising from events recorded over time.

5. Credit institutions should have an assessment system to identify significant exposures to operational risk.

6. Credit institutions should have an assessment system that is fully integrated in their risk management processes, and its results should be used actively in the operational risk profile monitoring and control process.

7. Credit institutions should have a system to provide operational risk reports to the persons responsible for the pertinent functions in the organisation and should have procedures enabling them to take any required action in view of the information contained in those reports.

8. The operational risk management system and the operational risk assessment system should be well documented.

9. The operational risk management and assessment system should be reviewed periodically, at least annually, by the internal audit unit. That review should address the process of mapping activities and Relevant Income to business lines, as set out in Sections II.1 and V of these Guidelines. Annex 2 describes the structure and minimum content of the audit report in which the periodic review referred to in Sections 3d) and 3e vii) of Rule ninety-seven of Circular 3/2008 will be reflected.

10. Also, as established generally in Rule one hundred and five.2.d)(vii), credit institutions should have written emergency and business continuity plans enabling them to continue their activity and limit losses in the event of serious business disruption.

11. Credit institutions should assess their compliance with requirements 1 to 10. This assessment should take into account the size and scale of their activities and the principle of proportionality between the costs incurred and the income earned in marginal improvements in the level of compliance with those requirements.

Annex 1
MINIMUM INFORMATION NEEDED TO EVIDENCE COMPLIANCE WITH THE REQUIREMENTS OF CIRCULAR 3/2008 FOR APPLICATION OF THE STANDARDIZED APPROACH.

The use of the Standardized Approach to calculate minimum capital requirements for operational risk should be decided by the Board of Directors or equivalent body of the credit institution. This decision should be notified to the Directorate General Banking Supervision of the Banco de España by the Managing Director or General Manager of the credit institution indicating that the criteria and requirements set in Circular 3/2008 are being complied with and that the Directorate General Banking Supervision has available to it the information set out in this document[2] and any information additional to that listed herein that may be considered relevant for the purpose of being able to assess compliance with the minimum requirements for using the Standardized Approach.

The information made available to the Banco de España should clearly distinguish between the state of implementation at the current time and the plans for envisaged improvements. The information should be made available preferably in electronic format and structured in the following sections:

A. Calculation of capital requirements

B. Mapping of activities and of Relevant Income

C. Other qualitative requirements

C.1. Senior management

C.2. Internal management structure

C.3. Operational risk loss database

C.4. Operational risk management system

C.5. Management information

C.6. Technological support

C.7. Independent review

C.8. Contingency plans

C.9. Internal assessment

A. Calculation of capital requirements

1. Group organisation chart. List of entities comprising it, with specification of their activity, hierarchical position and relative importance in terms of total assets, gross income, net income for the year and number of employees.

2. The entities and/or units included in the calculation of capital requirements under the Standardized Approach. For the entities not included, in which the Basic Indicator Approach will be applied, state the following:

a. evidence of compliance with the requirements set in point 10 of Rule ninety-five, so as to be able to apply a combination of the two approaches

b. detailed roll-out plan for application of the Standardized Approach

3. Results of the calculation of regulatory capital requirements for operational risk.

Distribution among the various group entities.

B. Mapping of activities and of Relevant Income

4. Definition and description of internal business lines and mapping to the business lines defined in Circular 3/2008.

5. Definition and description of event types and assignment to those defined in Circular 3/2008.

6. Specific policies and criteria developed for the mapping of activities and of Relevant Income to business lines.

7. Justification of the role of senior management and management bodies in the mapping policies.

8. Any reviews conducted of those policies and criteria.

9. If management data has been used in mapping Relevant Income to business lines, evidence that the mapping procedures have been approved, documented, updated and integrated in internal management systems.

C. Other qualitative requirements

C.1. Senior management

10. Description and documentary support of the role of the Board of Directors and senior management in approval and periodic review of the management framework.

11. Corporate manuals on operational risk policies and procedures; date of latest update, persons responsible for drafting them and the bodies to which they were submitted for approval and when.

12. List of other internal documents considered significant, with a brief description of their content.

C.2. Internal management structure

13. Composition and functions of the areas, departments and committees involved in operational risk management, assessment and control, including also for the latter the periodicity of meetings and the date they were set up.

14. Composition and functions of the committees which, although not directly managing operational risk, may be related to it.

C.3. Loss database

15. Internal loss database file.

16. Description of:

a. Persons responsible for database input, maintenance and validation.

b. Automatic and manual data capture procedure.

17. Data quality and integrity control procedures carried out by the operational risk unit. Results of the latest tests.

18. Database analysis reports. Historical record and distribution of events by unit, business line and event type. Explanation of changes in and distribution of data.

19. Internal accounting plan. List of accounts fully or partially reflecting operational risk.

20. Register of significant reputational or business events excluded from the database.

C.4. Operational risk management system

21. Corporate tools used for operational risk management. Methodological and user’s manuals, date when last updated, persons responsible for drafting them and the bodies to which they were submitted for approval and when.

22. Implementation of corporate tools for operational risk management in the various group entities. For each entity, specification of the following:

a. units, areas or departments in which the tools have been implemented, with an indication of their relative importance within the entity in terms of operational risk (using gross income or, if this is not sufficiently informative, other items).

b. units, areas or departments in which qualitative management tools are not used, indicating why not.

23. Map of the entity’s level 1 processes.

24. Identification of the credit institution’s significant operational risk sources and the measures to assess exposure to the main types of events.

25. If qualitative internal risk assessment exercises have been carried out, give details of the internal procedures for the construction and quality control of internal assessments, the database of completed assessments and the timetable of envisaged exercises.

26. List and brief description of risk mitigation plans and recommendations that have been actually implemented and of those envisaged.

27. List and brief description of risk indicators implemented, and a risk indicator implementation timetable.

C.5. Management information

28. List of periodic and ad hoc reports addressed to business lines and to supporting activities, particularly those sent to senior management. Identification of their recipients and of the extent to which their preparation is manual or automated. Content and frequency of these reports.

C.6. Technological support

29. Description of the technological support, information systems and applications which enable the use of databases, management tools and risk assessment systems.

30. Description of internal controls and procedures in place to ensure the consistency and reliability of management system information sources, indicating who is responsible for these controls and the periodicity thereof.

C.7. Independent review

31. Description of the role of Internal Audit. List of reviews carried out and of their results, which should at least include the report with the content and structure given in Annex 2.

32. List of independent reviews or collaborations (external audit, consulting, etc.). Their aims and the conclusions drawn.

C.8. Contingency plans

33. List of emergency and business continuity plans of the credit institution.

34. Periodicity of the drills carried out. Results of the latest drills.

C.9. Internal assessment

35. Assessment of the degree of compliance with the current minimum qualitative requirements for eligibility for the desired approach, with an indication of the known weaknesses and the proposed timetable for remedying them.

36. List and implementation timetable of envisaged changes to and future development of the management system.


[2] In the case of credit institutions that are subsidiaries of foreign groups not subject to Directive 2006/48/EC of 14 June 2006 relating to the taking up and pursuit of the business of credit institutions, the subsidiaries themselves or, where applicable, the Spanish credit institution responsible for consolidation in Spain, should make this information available.
 
Annex 2
SPECIFIC INTERNAL AUDIT REPORT IN CREDIT INSTITUTIONS WHICH USE THE STANDARDIZED APPROACH TO THE CALCULATION OF REGULATORY CAPITAL REQUIREMENTS FOR OPERATIONAL RISK

1. Audit plan

Internal Audit should prepare a plan for ongoing review of the credit institution’s operational risk management and assessment system.

This plan should address all significant activities which expose the credit institution to substantial operational risks. In addition, it should be updated regularly to take into account:

• The development of internal procedures to identify, assess, monitor, control and mitigate operational risk.

• The implementation of new products, procedures and systems which expose the credit institution to significant operational risks.

2. Internal audit report

Internal Audit should issue at least annually a specific report in which it expressly pronounces an opinion on each of the matters listed below, documenting all its conclusions. Also, it should give a list of the audit tests carried out to support each of the opinions expressed.

If an opinion cannot be expressed on any of the matters mentioned because it is not in a sufficiently advanced state, the implementation timetable and, subsequently, the degree of compliance therewith, should be indicated.

2.1. Mapping of activities and Relevant Income to business lines

Internal Audit will have to review the procedure designed by the credit institution for mapping its activities and Relevant Income to the eight business lines defined in the solvency regulations. As a minimum, it should check that:

1. The internal documentation is complete.

2. The internal business lines are adequately defined and assigned to the lines established in the new solvency rules.

3. The internal event types are adequately defined and assigned to those established in the new solvency rules.

4. There are specific policies and criteria for mapping Relevant Income to business lines.

5. Regulatory requirements are met in the event that management data are used in mapping Relevant Income to business lines.

6. Senior management and management bodies take responsibility for establishing the aforementioned policies and criteria.

7. The policies and criteria are suitably reviewed and adjusted.

2.2 Operational risk management and assessment system

2.2.1 Integration of assessment system in management

1. Internal Audit should verify that the internal operational risk assessment system is appropriately integrated in the day-to-day operational risk management procedures.

2.2.2 Operational risk management procedures and tools

Internal Audit will have to verify compliance with internal rules on operational risk. As a minimum, it should check that:

1. The internal documentation is complete.

2. Internal data. In particular, it should be verified that the information gathered:

i. is integral and complete

ii. is consistent throughout the organisation

iii. is assigned appropriately to the parent institution specified in the rules with seven event types and eight business lines

3. The significant sources of operational risk for the credit institution are suitably identified, measures have been developed to assess exposure to the main types of event and those measures of exposure are used in management.

4. If internal assessment exercises are carried out, it should be checked that the risk indicators/loss data/compliance reports and the risk estimates are in line with the results of the qualitative assessment.

5. Monitoring actions are performed effectively and on a timely basis.

6. The procedures for reviewing and updating the operational risk management framework are followed.

7. The management information reporting procedures are followed.

8. There are emergency and business continuity plans and drills are carried out regularly.

2.2.3 Technological environment and applications

The activity of Internal Audit should also cover matters such as the suitability of technological infrastructure and data capture and maintenance, in order to verify effective use of the management system. As a minimum, it should check:

1. The degree of internal integration (between management system components) and external integration (with other information systems of the institution), identifying manual procedures, technological weaknesses and possible deficiencies in other external systems which may affect the management system.

2. Regarding applications:

a. The availability of data and the replicability of databases over time.

b. The level of automation of the periodic processes for the proposed regulatory use.

c. Appropriate scheduling of the calculation methodologies used.

d. Replicability of the obtainment of outputs.

3. Regarding the information system:

a. Maintenance processes.

b. Systems plan.

c. Database management.

d. Contingency plans.

e. Sufficiency of resources (human, software and hardware).

4. The existing technical documentation.

Annex 3
REFERENCES TO THE STANDARDIZED APPROACH IN CIRCULAR 3/2008

• Chapter 8: Capital requirements for operational risk:

- Rule ninety-five:

− Section 1: applicable methods

− Sections 6 to 10: combined use of methods

- Rule ninety-six, Section 2: definition of Relevant Income

- Rule ninety-seven:

− Section 1: calculation of capital requirements

− Section 2: qualitative requirements

- Rule one hundred: loss event types