June 2007 Capital Adequacy Extension © Copyright 2007, CCRO. All rights reserved. Page 35 of 92 the specific characteristics of this risk category. The board should be responsible for approving the basic structure of the framework for managing operational risk and ensuring that senior management is carrying out its risk management responsibilities. PRINCIPLE 2: Senior management should have the responsibility for implementing the operational risk strategy approved by the board of directors. The strategy should be implemented consistently throughout the whole…organization, and all levels of staff should understand their responsibilities with respect to operational risk management. Senior management should also have the responsibility for developing policies, processes and procedures for managing operational risk in all of the…products, activities, processes and systems. PRINCIPLE 3: Information flows within the…organization play a key role in establishing and maintaining an effective operational risk management framework. Communication flows within the [company] should establish consistent operational risk management culture across the [company]. Reporting flows should enable senior management to monitor the effectiveness of the risk management system for operational risk, and also enable the board of directors to oversee senior management performance. These three principles are designed so that emphasis for the operational risk assessment comes from the top levels of the company. These are the same principles that should be employed for market and credit risk, and it is meant to highlight the fact that operational risk reporting should be an embedded part of the overall enterprise risk assessment. 4.5. Operative Risk Management: Identification, Measurement, Monitoring and Control With support form the board established in Principles 1-3, risk managers can go about the task of identifying, measuring, monitoring and controlling operational risks for the purposes of determining their effect on earnings, cash, and adequate capital requirements. PRINCIPLE 4: [Companies] should identify the operational risk inherent in all types of products, activities, processes and systems. [Companies] should also ensure that before new products, activities, processes and systems are introduced or undertaken the operational risk inherent in them is subject to adequate assessment procedures. All known material operative risks should be identified and categorized, in order to be dealt with in the most effective manner. When building the Operative Risk Taxonomy, recall that operative risks can be broadly classified into the following categories: