BANK 7.2.8 Principle 8: monitoring and reporting

(1) The senior management of a banking business firm must implement a process to regularly monitor operational risk profiles and material exposures to losses. There must be appropriate reporting mechanisms at the board, senior management, and business line levels that support proactive management of operational risk.
(2) A banking business firm must ensure that its reports are comprehensive, accurate, consistent and actionable across business lines and products.
Guidance
Reports should be manageable in scope and volume; too much or too little data impedes effective decision-making. A banking business firm should endeavour to continuously improve its operational risk reporting.
(3) Reporting must be timely and the firm must be able to produce reports in both normal and stressed market conditions. The frequency of reporting must reflect the risks involved and the pace and nature of changes in the operating environment.
(4) The results of monitoring activities, and assessments of the framework by the firm’s internal audit or risk management functions, must be included in regular management and board reports. Reports generated for the Regulatory Authority must also be reported internally to senior management and the board, where appropriate.
(5) Operational risk reports must include:
(a) breaches of the firm’s risk appetite and tolerance, and breaches of thresholds or limits;
(b) details of recent significant internal operational risk events and losses; and
(c) relevant external events and any possible effect on the firm and its operational risk capital calculation.
Guidance
Operational risk reports may contain internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision-making.
(6) The firm must analyse its data capture and risk reporting processes periodically with a view to continuously improving the firm’s risk management performance and advancing its risk management policies, procedures and practices.
Derived from QFCRA RM/2020-2 (as from 1st January 2021)