Guidance

1. Some of the key aspects that an Authorised Person should consider in its Operational Risk policy include:
a. the governance structures used to manage Operational Risk, including reporting lines and accountabilities;
b. risk assessment tools and how they are used;
c. the Authorised Person's accepted Operational Risk appetite, permissible thresholds or tolerances for inherent and residual risk, and approved risk mitigation strategies and instruments;
d. the Authorised Person's approach to establishing and monitoring thresholds or tolerances for inherent and residual risk Exposure;
e. risk reporting and MIS; and
f. appropriate independent review and assessment of the Authorised Person's Operational Risk framework.
2. An Authorised Person's Operational Risk policy should, amongst other things, include consideration of the Principles for the Sound Management of Operational Risk, issued by the BCBS, and the Guidelines on the management of Operational Risk in market-related activities, issued by the European Banking Authority, which are useful in relation to activities other than banking.