(1) An Authorised Person must implement and maintain an Operational Risk policy which enables it to identify, assess, control and monitor Operational Risk.
(2) The policy must be documented and provide for a sound and well-defined risk management framework to address the Authorised Person's Operational Risk.
(3) An Authorised Person must:
(a) ensure that its risk management systems enable it to implement the Operational Risk policy;
(b) identify, assess, mitigate, control and monitor the risk; and
(c) review and update the policy at intervals that are appropriate to the nature, scale and complexity of its activities.