June 2007 Capital Adequacy Extension © Copyright 2007, CCRO. All rights reserved. Page 43 of 92 This principle ties together the previous six, and is an extension of PRINCIPLE 2. It dictates that companies should document and formalize their operative risk mitigation process in accordance with the board approved operative risk strategy. This policy should dictate the fundamental approach to operative risk mitigation and define the approach for assessing Capital Adequacy as an operative risk mitigation tool. The policy should also state how Capital Adequacy, in conjunction with other operative risk mitigation tools (Insurance, security, oversight, etc.), provides a complete operative risk assessment and mitigation framework. Once operative risks have been identified and measured, one can determine the appropriate mitigation tool to accomplish the desired level of risk reduction. Such tools include the following: • Purchase Insurance Contracts • Develop ‘Self-Insurance’ • Deploy Capital to o Increase Operating Reliability o Improve Technology o Strengthen Internal Controls o Improve Physical Security • Maintain Capital Reserves In determining the appropriate mitigation technique, one should ensure that it is appropriate to the risk exposure, and ensure that the cost of the reduction is appropriate to the cost of the risk exposure. As stated in PRINCIPLE 6, this should all be a part of the Operative Risk Report so that all concerned parties can understand the following: • What the risks are • How they are mitigated or why they are not mitigated • Why a particular mitigation tool was used • The residual risk exposure • The Cost of Mitigation vs. the Reduction in Risk