272. Competent authorities should assess operational risk throughout all the business lines and operations of the institution, taking into account findings from the assessment of internal governance arrangements and institution-wide controls as specified in Title 5. In conducting this assessment, they should determine how operational risk may materialise (economic loss, near miss, loss of future earnings, gain) and should also consider potential impacts in terms of other related risks (e.g. credit-operational risk, market-operational risk 'boundary cases').
273. Competent authorities should assess the materiality of operational risk arising from outsourced services and activities, and whether these could affect the institution's ability to process transactions and/or provide services, or cause legal liabilities for damage to third parties (e.g. customers and other stakeholders).
274. When assessing operational risk, competent authorities should assess ICT risk, as ICT performance and s
…