Basel II Effective Risk Management Control, Measurement and Validation Checklist
Effective risk management and control
• Banks must meet a series of qualitative standards, including: the existence of an independent risk control and audit function, effective use of risk reporting systems, active involvement of board of directors and senior management, and appropriate documentation of risk management systems.
• Banks must establish an independent operational risk management and control process, which covers the design, implementation and review of its operational risk measurement methodology. Responsibilities include establishing the framework for the measurement of operational risk and control over the construction of the operational risk methodology and key inputs.
• Banks' internal audit groups must conduct regular reviews of the operational risk management process and measurement methodology.
Measurement and validation
• Banks must have appropriate risk reporting systems to generate data used in the calculation of a capital charge and the ability to construct management reporting based on the results.
• Banks must begin to systematically track relevant operational risk data by business line across the firm. It should be noted that the ability to monitor loss events and effectively gather loss data is a basic step for operational risk measurement and management and is a pre-requisite for movement to the more advanced regulatory approach.
• Banks will have to develop specific, documented criteria for mapping current business lines and activities into the standardised framework. In addition, a bank should regularly review the framework and adjust for new or changing business activities and risks as appropriate.
Effective risk management and control
• Accuracy of loss data, and confidence in the results of calculations using that data (including PE and LGE), have to be established through "use tests". Banks must use the collected data and the resulting measures for risk reporting, management reporting, internal capital allocation purposes, risk analysis, etc. Banks that do not fully integrate an internal measurement methodology into their day-to-day activities and major business decisions should not qualify for this approach.
Measurement and validation
• Banks must develop sound internal loss reporting practices, supported by an infrastructure of loss database systems that are consistent with the scope of operational losses defined by supervisors and the banking industry.
• Banks must have an operational risk measurement methodology, knowledgeable staff, and an appropriate systems infrastructure capable of identifying and gathering comprehensive operational risk loss data necessary to create a loss database and calculate appropriate PEs and LGEs. Systems should be able to gather data from all appropriate sub-systems and geographic locations. Missing data from various systems, groups or locations should be explicitly identified and tracked.
• Banks need an operational risk loss database extending back for a number of years (to be set by the Committee) for significant business lines. Additionally, banks must develop specific criteria for assigning loss data to a particular business line and risk types.
• Banks must have in place a sound process to identify in a consistent manner over time the events used to construct a loss database and to be able to identify which historical loss experiences are appropriate for the institution and are representative of their current and future business activities. This entails developing and defining loss data criteria in terms of the type of loss data and the severity of the loss data that goes beyond the general supervisory definition and specifications.
• Banks must develop rigorous conditions under which internal loss data would be supplemented with external data, as well as a process for ensuring the relevance of this data for their business environment. Sound practices need to be identified surrounding the methodology and process of scaling public external loss data or pooled internal loss data from other sources. These conditions and practices should be re-visited on a regular basis, must be clearly documented, and should be subject to independent review.
• Sources of external data must be reviewed regularly to ensure the accuracy and applicability of the loss data. Banks must review and understand the assumptions used in the collection and assignment of loss events and resultant loss statistics.
• Banks must regularly conduct validation of their loss rates, risk indicators and size estimations in order to ensure the proper inputs to the regulatory capital charge.
• Banks must adhere to rigorous processes in estimating parameters such as EI, PE and LGE.
• As part of the validation process, scenario analysis and stress testing would help banks in their ability to gauge if the operational environment is accurately reflected in data aggregation and parameter estimates. A process would need to be developed to identify and incorporate plausible historically large or significant events into assessments of operational risk exposure, which may fall outside the observation period. These processes should be clearly documented and be specific enough for independent review and verification. Such analysis would also assist in gauging the appropriateness of certain judgements or over-rides in the data collection process.
• Bank management should incorporate experience and judgement into an analysis of the loss data and the resulting PEs and LGEs. Banks have to clearly identify the exceptional situations under which judgement or over-rides may be used, to what extent they are to be used and who is authorised to make such decisions. The conditions under which these over-rides may be made and detailed records of changes should be clearly documented and subject to independent review.
• Supervisors will need to examine the data collection, measurement, and validation process and assess the appropriateness of the operational risk control environment of the institution.