A firm must implement policies and processes to evaluate and manage
the exposure to operational risk, including model risk and to cover
low-frequency high severity events. Without prejudice to the definition of
operational risk, a firm must articulate what constitutes operational risk
for the purposes of those policies and procedures.
[Note: Art 85(1) of the CRD]