Risk management environment (paras. 34-57)
Identification and assessment
Principle 6: Senior management should ensure the comprehensive identification and assessment of the operational risk inherent in all material products, activities, processes and systems to make sure the inherent risks and incentives are well understood.
34. Risk identification and assessment are fundamental characteristics of an effective operational risk management system, and directly contribute to operational resilience capabilities. Effective risk identification considers both internal factors and external factors. Sound risk assessment allows the bank to better understand its risk profile and allocate risk management resources and strategies most effectively.
35. Examples of tools used for identifying and assessing operational risk are: [This list is not comprehensive and does not reflect the full diversity of sophistication of possible analyses. It should be seen as indicative (and not limitative).]
a) Event management - When banks experience an operational risk event, the process of identification, analysis, end-to-end management and reporting of the event follows a pre-determined set of protocols. A sound event management approach typically includes analysis of events to identify new operational risks, understanding the underlying causes and control weaknesses, and formulating an appropriate response to prevent recurrence of similar events. This information is an input to the self-assessment and, in particular, to the assessment of control effectiveness.