259. Competent authorities should conduct an assessment of the nature and the extent of the operational risk to which the institution is or might be exposed. To this end, competent authorities should develop a thorough understanding of the institution's business model, its operations, its risk culture and the environment in which it operates, since all these factors determine the institution's operational risk exposure.
260. The assessment of inherent operational risk comprises two steps, which are described in more detail in this section:
a. preliminary assessment; and
b. assessment of the nature and significance of the operational risk exposures facing the institution.
Preliminary assessment
261. To determine the scope of the assessment of operational risk, competent authorities should first identify the sources of operational risk to which the institution is exposed. To do so, competent authorities should also leverage the knowledge gained from the assessment of other SREP elements,
…