June 2007 Capital Adequacy Extension © Copyright 2007, CCRO. All rights reserved. Page 42 of 92 • Determine the appropriate balance between historical, statistical-based approaches and qualitative assessment approaches. The two most important factors that any approach must include are the probability and severity of a particular negative operational event. Whatever method is chosen, it must be justifiable and fit the risk being measured. The results of the measurement will be the fundamental data used in answering the general question of “How much?” Specifically, how much capital is required? How much insurance is required? How much risk should we let the shareholders bear? 4.8. Monitoring Operative Risks PRINCIPLE 6: [Companies] should implement a system to monitor, on an on-going basis, operational risk exposures and loss events by major business lines. As with any risk program, regular and appropriate monitoring is imperative. This is especially relevant in the case of assessing Capital Adequacy. As the landscape changes and the operative risk profile changes with it, adjustments to the capital requirement must also follow. This can be accomplished through a regular and formalized assessment and monitoring program of the operative risks. Included in this is a reporting mechanism that provides the up-to-date risk posture of the company, broken out by major business units and aggregated, to all concerned parties, including the board of directors. Recall from PRINCIPLE 4 that risks were classified into a ‘matrix’ that allowed for identification by risk type and by business unit. Reporting should follow the same structure which allows those utilizing the reports to assess where risks reside and what their significance is. A formalized monitoring and reporting framework allows companies to adjust quickly to potential changes as opposed to reacting to changes as they occur, and ensures that the Operative risk posture is maintained commensurate with the capital on hand and allocated. The frequency of such a reporting system should be predicated on the volatility of the events, or more specifically, the assessed tendency of the operational risk to change. As part of the reporting process, it is important to have transparent metrics that are easily understood by all concerned parties. The actions taken as a result of the risk assessment, such as capital allocation, should be an extension of the defined metrics and allow concerned parties to understand the cost/benefit payoff between the reduction of risk and the cost of that reduction. 4.9. Controlling Operative Risks PRINCIPLE 7: [Companies] should have policies, processes and procedures to control or mitigate operational risk. [Companies] should assess the costs and benefits of alternative risk limitation and control strategies and should adjust their operational risk exposure using appropriate strategies, in light of their overall risk profile.