1. Introduction
The Basel Committee on Banking Supervision ("the Committee") introduced its Principles for the Sound Management of Operational Risk ("the Principles") in 2003, and subsequently revised them in 2011 to incorporate the lessons from the Great Financial Crisis of 2007-09. In 2014, the Committee conducted a review of the implementation of the Principles. The purpose of this review was to (i) assess the extent to which banks had implemented the Principles; (ii) identify significant gaps in implementation; and (iii) highlight emerging and noteworthy operational risk management practices at banks not currently addressed by the Principles.
The 2014 review identified that several principles had not been adequately implemented, and further guidance would be needed to facilitate their implementation in the following areas:
a) Risk identification and assessment tools, including risk and control self-assessments (RCSAs), key risk indicators, external loss data, business process mapping, comparative analysis, and the monitoring of action plans generated from various operational risk management tools.
b) Change management programmes and processes (and their effective monitoring).
c) Implementation of the three lines of defence, especially by refining the assignment of roles and responsibilities.
d) Board of directors and senior management oversight.
e) Articulation of operational risk appetite and tolerance statements.