PRU 6.2.1

(1) An Authorised Person must implement and maintain an Operational Risk policy which enables it to identify, assess, control and monitor Operational Risk.
(2) The policy must be documented and provide for a sound and well-defined risk management framework to address the Authorised Person's Operational Risk.
(3) An Authorised Person must:
(a) ensure that its risk management systems enable it to implement the Operational Risk policy;
(b) identify, assess, mitigate, control and monitor the risk; and
(c) review and update the policy at intervals that are appropriate to the nature, scale and complexity of its activities.