June 2007 Capital Adequacy Extension © Copyright 2007, CCRO. All rights reserved. Page 44 of 92 The capital required to employ the mitigation tools and/or the capital required to reserve for residual risk should be determined and communicated to all concerned parties. 4.10. Role of Supervisors Supervisors in this case are entities that oversee the operations of a company in order to protect the public interest. Supervisors can be regulatory agencies, rating agencies, and/or other entities that are meant to ensure an open and efficient market. Examples of Supervisors are the SEC, the FERC, Standard and Poor’s, and Moody’s Investor Services. While the following principles do not directly affect capital, the results of these principles will. Therefore it is appropriate to mention them here as the outcome of these principles will drive the operational risk management framework. PRINCIPLE 8: …supervisors should require [companies] to have an effective system in place to identify, measure, monitor, and control operational risks as part of an overall approach to risk management. The rating agencies, Standard and Poor’s (S&P) in particular, are adopting a more robust evaluation methodology for assessing the overall risks faced by companies. S&P’s approach is referred to as the PIM (Policies, Infrastructure, and Methodologies) approach.13 It is meant to delve into the risk culture of a particular company and assess how that culture gets translated into policies and procedures. At the heart of this approach is the fact that rating agencies will look more favorably on a company if the evaluated company can demonstrate that they have an institutionalized operative risk assessment program that is transparent, understandable, and appropriate. If a company can demonstrate that they adhere to the 10 principles of operative risk management in spirit and practice, it could potentially result in an improved debt rating. S&P’s PIM approach is one example of how Supervisors are already adhering to this Principle. In some respects, it will be this pressure from supervising agencies that will be the impetus for boards to emphasize operative risk management as an integral part of the company’s risk management framework. PRINCIPLE 9: Supervisors should conduct, directly or indirectly, regular independent evaluation of a [company’s] strategies, policies, procedures, and practices related to operational risks. Supervisors should ensure that there are effective reporting mechanisms in place which allow them to remain apprised of developments… In order for Supervisors to make assessments and judgments regarding the validity and appropriateness of the overall Operative Risk Management process, they should conduct periodic reviews. These independent reviews should assess how well a company adheres to the Principles mentioned herein and how well these Principles are 13 Enterprise Risk Management for Financial Institutions, Rating Criteria and Best Practices. Standard and Poor’s. November 2005.