Identification and Assessment
Principle 6: Senior management should ensure the identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.
38. Risk identification and assessment are fundamental characteristics of an effective operational risk management system. Effective risk identification considers both internal factors [For example, the bank’s structure, the nature of the bank’s activities, the quality of the bank’s human resources, organisational changes and employee turnover.] and external factors [For example, changes in the broader environment and the industry and advances in technology.]. Sound risk assessment allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.
39. Examples of tools that may be used for identifying and assessing operational risk include:
(a) Audit Findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors.