294. Competent authorities should assess the framework and arrangements that the institution has specifically to manage and control operational risk as an individual risk category. This assessment should take into account the outcome of the analysis of the overall risk management and internal control framework addressed in Title 5, as this will influence the institution's operational risk exposures.
295. Competent authorities should approach this review having regard to the key operational risk drivers (i.e. people, processes, external factors, systems), which can also act as mitigating factors, and should consider:
a. the operational risk management strategy and tolerance;
b. the organisational framework;
c. policies and procedures;
d. operational risk identification, measurement, monitoring and reporting;
e. business resilience and continuity plans; and
f. the internal control framework as it applies to the management of operational risk.
Operational risk management strategy and tole
…