2015-02-09

Application Process to Adopt the Advanced Measurement Approach for Measuring Banks' Operational Risk Exposure

The Basel Committee on Banking Supervision (BCBS), as implemented by South African regulators, requires banks utilizing the Advanced Measurement Approach to establish rigorous verification and validation frameworks for their operational risk management models. Banks must systematically assess governance, data accuracy, risk appetite alignment, and control effectiveness through independent reviews, structured self-assessments, and comprehensive board reporting. The guidelines standardize gross loss definitions, recovery treatments, and model validation practices to ensure capital charge estimates accurately reflect operational risk profiles while preserving supervisory discretion.


South Africa

South African Reserve Bank


Annexure D

Basel Committee on Banking Supervision (BCBS) Paper
Operational risk - Supervisory Guidelines for the Advanced Measurement Approaches

As you are aware, this Office continually monitors developments with regard to operational risk. In this regard the BCBS issued two consultative documents on operational risk in December 2010, namely “Sound practices for the management and supervision of operational risk” and “Operational risk: Supervisory guidelines for the advanced measurement approaches”. South African banks were invited to respond to these two documents and to highlight any practical difficulties foreseen or potential effects on both themselves and the general banking sector that would require some consideration from the BCBS. This Office received feedback on both papers from banks during the first quarter of 2011 and consolidated and presented the comments to the Standards Implementation Group Operational Risk (SIGOR) for its consideration. The two final papers were published by the BCBS during June 2011.

The second paper issued by the Basel Committee on operational risk in 2011 is entitled “Operational risk - Supervisory Guidelines for the Advanced Measurement Approaches” (Available at http://www.bis.org/publ/bcbs196.htm). The regulatory capital adequacy framework envisages that, over time, the operational risk discipline will continue to mature and converge towards a narrower band of effective risk management and measurement practices. The Basel Committee’s paper in this regard seeks to improve the operational risk discipline by setting out supervisory guidelines. Consistent with SIGOR’s mandate, this paper identifies supervisory guidelines associated with the development and maintenance of key internal governance, data and modelling frameworks underlying an AMA.

Because operational risk is an emerging discipline, this paper is intended to be a living document and, as further issues are identified and expectations for convergence towards a narrower range of appropriate practices are developed, they too will be added to the document. The paper does not reduce or supersede the discretion of national supervisors to act in a manner that is consistent with their particular regulatory approaches. Rather, the publication of this paper is intended to facilitate a convergence of practices by banks and national supervisors. Furthermore, while the status of banks accredited to use an AMA framework will not be affected by the observations and conclusions of this paper, some AMA banks may need to amend their practices to reflect the paper’s contents.

Banks are required to complete a self-assessment against the supervisory guidelines outlined in the paper, according to the following criteria:

Criteria Rating: Description
  • Compliant: All “essential” criteria are met without any significant deficiencies in all operations
  • Largely compliant: Minor shortcomings, but not sufficient enough to raise doubts about the institution’s ability to achieve the objective of a given principle
  • Materially non-compliant: Shortcoming is sufficient to raise doubts about the institution’s ability to achieve compliance
  • Non-compliant: No substantive progress towards compliance has been achieved
  • Not applicable: A principle deemed not to have relevance

The rating rationale column must be completed at all times, even in instances where a rating of 'Not applicable' has been selected. In addition, banks must ensure that evidence is collected and maintained as substantiation to the 'Criteria Rating' and 'Rating Rationale' as this may be requested for inspection by this Office.

Furthermore, the BCBS paper and documents referred to in the body and footnotes thereof, should be read in full to be able to consider as sound practices where applicable as well as for understanding and information purposes.

Table columns: Paragraph # / Paragraph Description / Sub-Paragraph / Criteria Rating / Rating Rationale* / Action Plans^

* Rating Rationale - Provides justification, explanation, meaning and context and plays an important part in understanding the reasons or principles employed in arriving at the 'Criteria Rating' assigned. Detailed explanations are therefore required in terms of what the bank does in practice. Examples can also be included. Moreover, be reminded that evidence should be collected and maintained.

^ Action Plans - It is recommended that SMART (Specific, Measurable, Attainable, Realistic, Timely) principles are applied when setting action plans. Detailed explanations are therefore required in terms of the steps / actions the bank will be taking to attain the 'Compliant' 'Criteria Rating' status. If 'Compliant' has been selected, then the column can be left blank and / or details can be provided in terms of any maintenance or enhancements planned.

Governance

Verification and validation

Supervisory guidelines

54 A bank should establish clear and measurable objectives for its verification and validation activities. Verification and validation activities should consider, on an ongoing basis, whether the ORMF and ORMS are appropriate. Verification and validation activities should also provide an effective challenge that questions existing processes and information, while conducting specific testing of procedures and processes, consistent with the unique aspects of the bank’s ORMF, ORMS and risk profile. There is no single method that is universally accepted by supervisors.
Sub-paragraph: None

55 Verification of the ORMF includes testing whether all material aspects of the ORMF have been implemented effectively, remain appropriate, and are performing as intended. Activities should ensure that:
  (a) Policies, processes, procedures and systems that comprise the bank’s ORMF, including the ORMS, are conceptually sound, transparent and documented;
  (b) Business unit activities, the independent corporate operational risk management function and operational risk management governance committees and structures are effective and appropriate;
  (c) ORMF inputs and outputs are accurate, complete, credible, relevant, authorised and accessible;
  (d) Risk monitoring and management of the accuracy and soundness of all significant processes and systems are effective;
  (e) Appropriate remediation is undertaken if deficiencies are identified;
  (f) Outcome analysis is incorporated into bank processes, as appropriate, and is effective (outcome analysis includes comparisons of data elements such as a comparison of BEICFs with actual loss experience, or a comparison of scenario results with internal loss data and external data);
  (g) Validation processes are satisfactory. The verification function should ensure that validation of AMA models is completed in accordance with the bank’s model validation policy;
  (h) Tests of operational risk management controls determine whether they are designed to prevent or detect and correct material deviations from or non-compliance with the policies, procedures and processes and operate effectively throughout the period being reviewed;
  (i) Every significant activity and division, subsidiary or other component of the bank is included; and
  (j) There is a periodic independent review of the AMA framework.

56 The validation activity is designed to provide a reasoned and well-informed opinion of whether AMA models work as predicted, and whether their results (capital requirement estimates and other information produced by the ORMS) are suitable for their various internal and supervisory purposes. Validation activities should:
  (a) Have a broad scope, evaluating all relevant items of the ORMS, such as:
    • Distributional assumptions;
    • Correlation assumptions;
    • Documentation;
    • The four elements of the AMA;
    • Qualitative aspects (including the internal controls, use test, reporting, role of senior management and organisational aspects);
    • Technological environment relating to the computational processes; and
    • Procedures for the approval and use of new and modified estimation models or methodologies (such procedures should seek explicit opinion from the validation function in the approval process);

  (b) Evaluate the bank’s processes for escalating issues identified during validation reviews to ensure that:
    • Escalation processes are sufficiently comprehensive;
    • All significant ORMS concerns are appropriately considered and acted upon by senior management; and
    • All significant ORMS concerns are escalated to appropriate governance committees;
  (c) Evaluate the conceptual soundness – including benchmarking and outcome analysis – of the ORMS and of the modelling output;
  (d) Reflect policies and procedures to ensure that model validation efforts are consistent with board and senior management expectations;
  (e) Assess whether policies and procedures are sufficiently comprehensive to address critical elements of the validation process. These include independent review; clearly defined responsibilities for model development and validation; model documentation; validation procedures and frequency; and audit oversight; and
  (f) Confirm that the relationship between the model’s inputs and outputs are stable and that the techniques underlying the model are transparent and intuitive.

Organisational aspects

57 The organisational structure of the verification process will vary depending on the size, complexity and operational risk profile of the bank. Verification activities may be carried out by qualified external parties and/or internal or external audit, if independent of the process or system being reviewed.
Sub-paragraph: None

58 The validation function should generally be carried out internally by qualified validation resources. However, supervisors recognise that this may present a challenge for some banks.
Sub-paragraph: None

59 While the outsourcing of verification and validation work is acceptable, the board and senior management are accountable for ensuring that outsourced functions are completed in a manner consistent with the bank’s overall verification and validation plan.
Sub-paragraph: None

Essential elements

60 Independence: The bank’s verification and validation functions should provide independent assessments and opinions, while avoiding improper influence from those units being reviewed. Personnel conducting verification and validation work should not be involved in the development, implementation or operation of the ORMF or ORMS processes or systems being reviewed, or be subordinate to the units under review. Bank staff performing the verification and validation should be impartial and prepared to challenge management’s views and conclusions regarding any aspect of the
Sub-paragraph: None

61 Capacity: Verification and validation functions should be adequately staffed and have reasonable access of resources to perform their duties. The board and senior management are responsible for ensuring that these functions are adequately staffed.
Sub-paragraph: None

62 Professional Competence and Due Care: Bank staff performing verification and validation work should be technically competent, appropriately trained and possess the appropriate skills.
Sub-paragraph: None

63 Critical Analysis: Verification and validation functions should critically analyse all relevant information by questioning the work of the units involved in the design of the ORMF and ORMS.
Sub-paragraph: None

Work plan

64 A bank should have a broad strategic plan that governs the verification and validation of its ORMF and ORMS. The plan should be approved by the appropriate audit or operational risk committee and should incorporate all relevant business units. The plans should ensure that the bank’s ORMF and ORMS are independently reviewed. In addition, the bank should develop more detailed annual plans which state the purpose and tasks to be carried out during upcoming years.
Sub-paragraph: None

65 The nature, timing and extent of work performed each year should provide a sufficient indication as to whether the bank’s ORMF and ORMS: (i) function appropriately, (ii) are consistent with bank policies and (iii) are free of material weaknesses. The frequency with which policies, processes and systems within the bank’s AMA framework is reviewed should be based on risk and significance.
Sub-paragraph: None

66 Verification and validation work plans should cover, at a minimum, the areas outlined in the description column. Independent review plans, including procedures that will be used to test the ORMS and ORMF, should provide for the following expectations:
  (a) Independent review with respect to development, implementation and operation;
  (b) Explicit documentation requirements for major processes and systems;
  (c) Unlimited access to information;
  (d) The nature, timing and extent of planned assessment procedures;
  (e) Follow up on outstanding items from previous reviews;
  (f) Frequency of the independent review; and
  (g) Audit involvement or oversight over independent review work performed by third parties.

Reporting

67 Results from verification and validation work should be documented and distributed to appropriate business line management, internal audit, the corporate operational risk management function and appropriate risk committees. Bank staff ultimately responsible for the validated units should have access to, and an understanding of, these results.
Sub-paragraph: None

68 Reporting should include underlying processes to resolve deficiencies and weaknesses, ensuring that corrective actions are implemented in a timely manner. Internal audit should evaluate management’s response to significant findings.
Sub-paragraph: None

69 Board Reporting: Results of verification and validation reviews (including senior management’s attestation) should be summarised and reported annually (or periodically, as appropriate) to the bank’s board of directors, or a committee thereof, for approval. Attestation by senior management entails review and approval of the effectiveness of the bank’s ORMF and states that the ORMF, including the ORMS, is working appropriately.
Sub-paragraph: None

70 Monitoring/Periodic Reporting: The verification and validation reporting should:
  (a) Summarise the verification and validation work done, indicate any limitations in the scope of work performed and detail the deviations from the plan;
  (b) Contain the assessment of the verification or validation teams on the essential elements of the area or model being reviewed (validation reports should assess the suitability of the model for internal use);
  (c) Identify weaknesses and their potential consequences, including deviation from or non-compliance with objective criteria, policy, procedures and Basel II Framework requirements;
  (d) Establish a corrective action plan and specific timeline for remediation as appropriate for significant deficiencies and weaknesses;
  (e) Establish a procedure to resolve disagreements between the verification and validation units and among the areas and units being reviewed; and
  (f) Be distributed, at the minimum, to the senior management, the board of directors and the individuals in charge of the relevant organisational units.

Use test and experience

Supervisory guidelines

74 The bank should have a sustainable and embedded ORMF in its overall risk management decision-making processes that clearly indicates the level of integration between the measurement and management processes of the ORMF throughout the entire institution. The ORMF, including the ORMS, should be updated on a regular basis and become more embedded as the operational risk discipline further evolves.
Sub-paragraph: None

75 The bank should incorporate the following guidelines in its assessment of an AMA’s use and embeddedness:
  (a) The purpose and use of an AMA should not be solely for regulatory compliance purposes;
  (b) As the bank gains experience, an AMA should reflect evolving risk management techniques;
  (c) An AMA should support and enhance the bank’s operational risk management policies and practices; and
  (d) An AMA should benefit a bank in the management and control or mitigation of operational risk.

Strategic and operational business planning process

76 A bank’s strategic and business planning processes should consider its operational risk profile, including outputs from the ORMS. Potential material changes to the operational risk profile resulting from strategic and business planning change should be appropriately reviewed, considered, reported and monitored.
Sub-paragraph: None

Operational risk appetite and tolerance

77 A bank’s board of directors should approve and review a clear statement of operational risk appetite and tolerance. Risk appetite and tolerance statements should: account for all relevant risks, including the bank’s current financial situation and strategic direction; encapsulate various risk tolerance and/or threshold levels; and detail how the board of directors will monitor and manage adherence to the risk appetite and tolerance statement. The board of directors and senior management performance assessment should reflect and measure adherence to the risk appetite and tolerance statement and be applied and monitored across all business entities.
Sub-paragraph: None

Control effectiveness

78 The bank should have adequate processes in place to monitor the identified controls and ensure they are appropriate to mitigate the identified risks to the desired residual level. The processes should include the identification, review, escalation and remediation of the issues identified.
Sub-paragraph: None

79 The ORMS elements should provide a key input into the assessment and ongoing monitoring of the control’s effectiveness in relation to the risk appetite and tolerance statement. For example, during the stressing of the control environment in a scenario workshop (as a result of a loss event or from monitoring of indicators), weaknesses within the control environment may be detected. Additionally, the results from the ORMS elements should reflect the control environment. For example, a material deficiency in the control environment should result in a review of the relevant elements of the ORMS and the operational risk capital charge estimates.
Sub-paragraph: None

Data

Gross loss definition

Supervisory guidelines

82 The following guidance sets forth standards for “gross loss” and “recoveries”, including specific items for inclusion and/or exclusion. The guidance generally parallels consortia practices. Common definitions will bring more consistency to loss data collection and treatment for purposes of quantification.
Sub-paragraph: None

83 An operational risk loss can arise only from an actual operational risk event. Some operational risk events may have an impact on the financial statements of the firm while others are only detectable from other sources. Regardless of its impact on the financial statements, the scope of operational risk loss refers to the type of events, included in the operational risk database as well as the reasons for which they are included (eg for management and /or measurement purposes).
Sub-paragraph: None

Items included in or excluded from the gross loss computation

84 A gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking into account the impact of recovery. A recovery is an independent occurrence, related to the original loss event, separate in time, in which funds or inflows of economic benefits are received from a third party. For an operational risk event, a bank should be able to discretely identify the gross loss amount as well as any recoveries and insurance recoveries.
Sub-paragraph: None

85 The following specific items should be included in gross loss computation.
  (a) Direct charges (including impairments) to the statement on comprehensive income and write-downs due to operational risk events.
  (b) Costs incurred as a consequence of the event that should include external expenses with a direct link to the operational risk event (eg legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers) and costs of repair or replacement, to restore the position that was prevailing before the operational risk event.
  (c) Provisions (“reserves”); the potential operational loss impact is reflected in the comprehensive income statement and should be taken into account in the gross loss amount.
  (d) Pending losses stem from operational risk events with a definitive financial impact, which are temporarily booked in transitory and/or suspense accounts and are not yet reflected in the statement of comprehensive income. For instance, in some countries, the impact of some events (eg legal events, damage to physical assets) may be known and clearly identifiable before these events are recognised through the establishment of a reserve. Moreover, the way this reserve is established (eg the date of recognition) can vary across institutions or countries. “Pending losses”, that are recognised to have a relevant impact, should be included in the scope of operational risk loss within a time period commensurate to the size and age of the pending item; this can be done through the recognition of their actual amount in the loss database or pertinent scenario analysis.

86 The following specific items should be excluded from the gross loss computation. It should not be considered to be an exhaustive list:
  (a) Costs of general maintenance contracts on property, plant or equipment;
  (b) Internal or external expenditures to enhance the business after the operational risk event: upgrades, improvements, risk assessment initiatives and enhancements;
  (c) Insurance premiums.

87 The inclusion or exclusion of the following items depends on their nature and materiality.
  (a) Timing losses are defined as the negative economic impacts booked in an accounting period, due to operational risk events impacting the cash flows or financial statements of previous accounting periods. Timing impacts typically relate to the occurrence of operational risk events that result in the temporary distortion of an institution’s financial accounts (eg revenue overstatement, accounting errors and mark-to-market errors). While these events do not represent a true financial impact on the institution (net impact over time is zero), if the error continues across two or more accounting periods, it may represent a material misrepresentation of the institution’s financial statements. Material “timing losses” due to operational risk events that span two or more accounting periods should be included, ie full amount that includes make-up payments as well as penalties and interest, in the scope of operational risk loss when they give rise to legal events.
  (b) Rapidly recovered loss events are operational risk events that lead to losses recognised in financial statements that are recovered over a short period. For instance, a large internal loss is rapidly recovered when a bank transfers money to a wrong party but recovers all or part of the loss soon thereafter. A bank may consider this to be a gross loss and a recovery. However, when the recovery is made rapidly, the bank may consider that only the loss net of the rapid recovery constitutes an actual loss. When the rapid recovery is full, the event is considered to be a “near miss”.

Measures of the gross loss amount

88 There are different ways to measure the gross loss amount:
  (a) Mark-to-market: the economic impact of an operational risk loss is usually the same as the accounting impact when an operational risk loss affects assets or accounts treated on a mark-to-market basis. In such cases, the gross loss amount is the loss or adjustment as recognised in the comprehensive statement of income.
  (b) Replacement cost: the economic impact of an operational risk loss usually differs from the accounting impact when losses affect assets or accounts that are not maintained on a mark-to-market basis such as property, plant, equipment or intangible assets. The gross loss amount is the replacement cost of the item. Replacement cost means the cost to replace an item or to restore it to its pre-loss condition.

Other cases

89 Some items are important for risk management although they may be beyond the scope required for quantification. In particular, the items below can be useful for promptly detecting failures and errors in processes or internal control systems. These items may also be useful inputs for scenario analysis.
  (a) “Near-miss events”: operational risk events that do not lead to a loss. For example, an IT disruption in the trading room just outside trading hours.
  (b) “Operational risk gain events”: operational risk events that generate a i
  (c) “Opportunity costs/lost revenues”: operational risk events that prevent undetermined future business from being conducted (eg unbudgeted staff costs, forgone revenue and project costs related to improving processes).

Gross versus net internal loss amounts

Supervisory guidelines

97 Considering the progress of AMA implementation, a bank should have strong processes to collect operational risk losses based on clear and consistent definitions of “gross loss” and “recoveries”. Supervisory expectations on gross loss definition and recoveries are treated in another section of this paper.
Sub-paragraph: None

98 Banks should follow the guidelines below on the use of internal loss amount to enhance consistency and harmonisation in the implementation of AMA models across jurisdictions.
Sub-paragraph: None

99 A bank may use “gross loss amount” or “gross loss amount after all recoveries (except insurance)” as an input for its AMA models and should demonstrate to its supervisor the rationale for this choice. Additionally, a bank should collect gross losses and recoveries separately and use the information for risk management purposes.
Sub-paragraph: None

100 A bank should not use loss net of insurance recoveries as an input for its AMA models. An approach using loss net of recoveries and insurance recoveries may prove especially difficult in the calculation of the maximum 20% capital requirements reduction permitted for insurance mitigation in the Basel II Framework and discussed in Recognising the risk-mitigating impact of insurance in operational risk modelling.
Sub-paragraph: None

101 A bank should use conservative data as an input for the AMA capital requirements. There are specific limitations and requirements for the use of risk mitigation from insurance in the operational risk capital charge estimation.
Sub-paragraph: None

102 Conservatism should be considered, for example, following a significant loss event, where a bank receives recoveries after a considerable delay. During this timing lag “gross loss” may represent a material impact on the statement of comprehensive income. The prevalent practice of “gross loss amount after all recoveries (except insurance)” as a model input should be rigorously challenged in these circumstances. For this kind of loss event, it may be more appropriate to use the “gross loss amount” even when those losses are fully recovered.
Sub-paragraph: None

103 The recognition of insurance in operational risk capital models is in an early stage of development. A bank should calculate the total operational risk capital charge gross of insurance recovery in order to determine the 20% limit and isolate the bank’s methodology for modelling insurance mitigation.
Sub-paragraph: None

Internal loss data thresholds

Supervisory guidelines

107 A bank is responsible for defining and justifying appropriate thresholds for each operational risk class, both for data collection and modelling.
Sub-paragraph: None

108 A bank may use different thresholds for data collection and modelling. A lower threshold may be desirable for risk management (eg to examine credit card fraud) and expected loss calculation.
Sub-paragraph: None

109 A bank should examine the following points when justifying its decision:
  (a) Sufficiency of data for statistical modelling;
  (b) Ability to reconcile between accounting and loss data or demonstrate assurance of data quality (an elevated threshold could lead to significant gaps between the sum of losses in the database and the actual loss without being able to explain them);
  (c) Ability to calculate expected losses for each risk class;
  (d) Capacity to make management decisions to avoid, mitigate, transfer or take operational risk; and
  (e) Whether thresholds account for the inherent risk and complexity of the class and the related business (a lower threshold could be chosen for retail business due to the high frequency of losses).

110 It should be noted that the threshold for internal loss collection processes corresponds to the gross loss amount.
Sub-paragraph: None

111 Thresholds for data collection and risk management should be reasonable and should not omit operational loss event data that are material for operational risk exposure and for effective risk management.
Sub-paragraph: None

112 A bank should be aware of the effect of loss data collection thresholds on the management of operational risk. This is especially important for a bank with high thresholds for data collection.
Sub-paragraph: None

113 The choice of threshold may greatly affect the manner in which operational risk is managed. A bank should ensure that its choice of thresholds provides a clear understanding of realised as well as potential operational losses.
Sub-paragraph: None

114 Data collection thresholds should capture all material losses in terms of their value. A bank should verify, on a regular basis, that its choice of thresholds includes all material operational risk losses for risk management purposes. For example, a bank may attempt to collect all below-threshold items for a given period and then reconcile them with accounting data to examine the effect of including these losses in management action.
Sub-paragraph: None

115 In the case of very high frequency losses with no causal relationships (but with common features) that are below the threshold, a bank may individually collect these losses or group them in order to collect their aggregated amount and features for risk management purposes.
Sub-paragraph: None

116 It is important to note that the €10,000 threshold mentioned in paragraph 673 of the Basel II Framework is merely an example of a threshold. Implementing this threshold, without further analysis, would not be acceptable by supervisors.
Sub-paragraph: None

117 The choice of threshold for modelling should not adversely impact the credibility and accuracy of the operational risk measures.
Sub-paragraph criteria: None

118 A bank may establish a de minimis “modelling threshold” for an ORC so that the frequency and severity distributions in each ORC are fitted to the data only above the threshold.
Sub-paragraph criteria: None

119 Use of de minimis modelling thresholds that are much higher than the data collection thresholds should be limited and properly justified by sensitivity analysis at various thresholds. Moreover, changes in the de minimis modelling thresholds, when not embedded in the model engine and driven by specific reasons (eg discount rates), should be limited in number and duly motivated by the need to better capture the risk profile of the ORC.
Sub-paragraph criteria: None

120 All operational losses above the set de minimis modelling threshold should be included in the calculation dataset and used, whatever their amounts, for generating the regulatory measures.
Sub-paragraph criteria: None

127 The collection of numerous dates does not represent a concern from an operational risk management perspective, as each reference date offers potentially different information on the characteristics of each loss. A bank should not select a reference date for quantification that results in the omission of large internal losses as this can have a significant impact on the bank’s operational risk capital charge. Due to the potential for material differences in capital requirement levels for similar risk exposures, supervisors are encouraging convergence of practice in the way losses are treated and recorded as operational risk loss events. This issue is particularly relevant for institutions that use the occurrence date to build their calculation dataset, and in regions where legal losses represent a material amount of all losses.
Sub-paragraph criteria: None

128 These guidelines are designed to encourage more consistency to AMA models and more harmony to AMA implementation in different jurisdictions for building a calculation dataset.
Sub-paragraph criteria: None

129 A bank may use any of the reference dates (occurrence date, discovery date, contingent liability date or accounting date) for building its calculation dataset, and for meeting minimum observation period requirements as long as material loss data is not omitted. No other dates are acceptable for building a calculation dataset.
Sub-paragraph criteria: None

130 The building of a proper calculation dataset from available internal/external data is critical to the quantification of a bank’s operational risk capital charge and for accurately representing its operational risk profile. To maintain consistency, a bank should develop policies and procedures that include guidelines around the perimeter of application, minimum observation period, reference date, de minimis modelling thresholds and data treatment.
Sub-paragraph criteria: None

131 A bank should select the appropriate reference date in order to extract data from the internal/external database, thereby ensuring that the Basel II Framework minimum observation period is fulfilled. When collecting data, banks usually gather information from three reference dates: occurrence date, discovery date and accounting date. The discovery date and accounting date are the most prudent choices for developing a bank’s dataset for the quantification of the operational risk capital requirements related to that event. However, a bank may use the occurrence date for building the calculation dataset if the bank has not constrained or limited the observation period. Because there is often a time lag between the actual occurrence and discovery of an operational risk event, material losses could be excluded if the occurrence date falls outside of the time series used for the capital charge estimation. For this reason, a bank should carefully consider the time series used for the frequency and severity estimation and should incorporate an observation period that avoids the omission of any material loss data.
Sub-paragraph criteria: None

132 Consistent with other operational risk losses, a bank should use a date no later than the date of reserve for including legal related losses/exposures as an input in its AMA model.
Sub-paragraph criteria: None

133 Differences as to when legal losses are recognised may impact the measurement of operational risk exposure for similar events. Consequently a bank should follow the principle of conservatism when considering the inputs in its AMA model. Given the time lag between the legal proceeding and its conclusion, a date that is no later than the date for establishment of a legal reserve provides consistency and conservatism and more effectively reflects the bank’s operational risk profile.
Sub-paragraph criteria: None

134 Because a legal exposure can change over time, a bank should consider alternative methods for the inclusion of legal events in the interim (eg through scenario analysis). That is, from discovery date until the date of accounting of the legal reserve, these events are recognised potential exposures that may potentially impact the bank’s operational risk profile. A bank should also implement a robust process for updating legal event exposures between the reserve date and settlement date.
Sub-paragraph criteria: None

Supervisory guidelines

Date of internal losses

135 Consider the following example to illustrate: Bank X is named in an investor lawsuit claiming inadequate and misleading disclosure of mortgage-related losses on 4 May 2006 (discovery date). The suit asks for monetary damages for investment losses in the amount of €5 billion. At the discovery date, when the bank was served with a potential exposure of €5 billion, legal counsel indicated that the suit had no merit, and that the likelihood of loss is remote. On 15 November 2008, following a review of internal documents/discovery the bank’s legal counsel recommends that the “least cost” would be to settle the case for €1 billion. As a result, the bank takes a reserve for that amount. The case is settled two years later (settlement date) for €2 billion.

At the reserve date, the exposure of €1 billion is reasonably probable and it has been reasonably estimated. Supervisors expect the reserve amount of €1 billion to be reflected as a direct input into the AMA model. However, between the discovery date and the reserve date, legal counsel updates the probability that some settlement would be paid. During that time period the bank should consider reflecting this exposure in the capital calculation, for instance by a scenario analysis.

Between the reserve date and settlement date, the exposure may increase or decrease based on the outcome of settlement negotiations. In this example, the settlement amount increased to €2 billion, so during the period between the reserve date and settlement date that bank should reflect the increased exposure in its AMA capital requirement estimation process. Alternatively, if the exposure declined to €500 million, the bank should reflect the decreased exposure in its AMA capital requirement estimation process. However, if the bank paid a settlement as a provisional execution following a court decision, only to have the decision/settlement overturned or reduced, the bank should reflect the paid amount as its gross loss with any reduction reflected as a recovery.
Sub-paragraph criteria: None

136 The diverse use of dates for quantification purposes raises questions as to whether a bank’s operational risk profile quantification properly reflects all known operational risk exposures. The example above clearly illustrates that a bank that uses settlement date rather than accounting date may in fact omit a material exposure for an extended time period.
Sub-paragraph criteria: None

137 Date of reserve is a sensible option for improving industry convergence because the loss exposure is reasonably estimated and it can be reconciled to the general ledger. Convergence would likely ensure that similar legal exposures across banks do not materially differ in the determination of a bank’s calculation dataset.
Sub-paragraph criteria: None

138 Supervisors understand industry concerns that including legal events in the loss database prior to settlement may lead to an increase in the frequency and severity of legal settlements. Several banks continue to raise this matter contending that the loss data and accompanying descriptive information could be revealed through the discovery process in a legal proceeding, thereby increasing the likelihood and magnitude of an adverse outcome. However, this concern lacks credibility, as many banks have developed processes to provide information on legal events that support their AMA modelling methodology without disclosing confidential data. As a result, a bank should capture all known legal-related exposures in its operational risk measurement and management systems.
Sub-paragraph criteria: None

144 Different guidelines apply for Situation 1 and Situation 2.
Sub-paragraph criteria: None

145 Losses caused by a common operational loss event should be grouped and entered into the calculation dataset as a single loss, unless the bank chooses to model causality or dependence among those losses in a different manner.
Sub-paragraph criteria: None

146 A bank’s internal loss data policy should establish guidelines for deciding the circumstances, types of data and methodology for grouping data as appropriate for their business, risk management and capital charge modelling needs. They should also clarify and document their individual judgments in applying these guidelines.
Sub-paragraph criteria: None

147 The bank’s policy about the threshold and dates for single losses should also be applied to grouped losses.
Sub-paragraph criteria: None

148 Since the losses in this case should be treated as a single loss for modelling purposes, the threshold should be applied to the grouped loss comprised of ostensibly single losses. As such, a bank should ensure its threshold is not circumvented or compromised because of failure to collect some of the losses that could comprise the group.
Sub-paragraph criteria: None

149 An unacceptable example: Bank X sets its threshold for its modelling at €10,000 and it neither collects nor enters losses smaller than that amount in its internal loss database. It also has a policy of grouping losses together that are caused by the same underlying event. A natural disaster hits its three branches over a week and damages each of them, resulting in an €8,000 loss for each. However, each branch did not report its loss because its damage was below the €10,000 threshold. As a result, the loss that would have amounted to €24,000 in sum was not used in their risk calculation, although the bank has the policy of using all the losses that are greater than €10,000.
Sub-paragraph criteria: None

Grouped losses

Supervisory guidelines

Losses caused by a common operational loss event

150 To prevent such cases from occurring, internal loss data collection procedures and internal controls should be sufficiently robust to ensure information capture and data grouping consistent with the firm’s policy. Oversight, communication and assurance processes should ensure firm-wide understanding of the policy, information sharing regarding events that may have related or delayed impacts, and review processes to test the grouping of data for conformance with policy. The independent review function also should review data grouping as part of its verification activities.
Sub-paragraph criteria: None

151 A bank should be consistent in dating these grouped losses for modelling purposes; that is, it should apply the same policy to single losses as it does to grouped losses.
Sub-paragraph criteria: None

152 For a bank that limits the use of internal loss data by age (eg using only the internal data that occurred within the past seven years), special consideration should be taken to ensure that grouped losses are not discarded too early.
Sub-paragraph criteria: None

153 If a significant time lag exists between an incident’s discovery date and the dates of the related grouped losses, the more recent discovered losses may not be included in the calculation dataset if their reference date falls outside of the bank-determined observation period. A more prudent practice would consider the date of the last discovered/accounted loss as the reference date for all the related loss events and include the related losses in the calculation dataset as a single loss with the severities of the individual losses added together.
Sub-paragraph criteria: None

154 A bank that groups small losses above the threshold for modelling with no causal relations for data collection and registration purposes generally should not include them in its calculation dataset. If a bank chooses to include these losses in its calculation dataset, it should demonstrate that the use of this type of grouped losses does not materially distort the capital requirements calculation.
Sub-paragraph criteria: None

155 When banks group losses in this way (ie grouping losses with no causal relations) and decide to enter them into their models, some banks input them as bundles of data points/losses. Other banks may decide to ungroup the losses that comprise the groups and input them individually, instead of inputting the bundles. A bank should not input bundles of data points that have no causal relationship as it distorts reality and lacks theoretical grounding. A bank that wishes to apply this grouping method should demonstrate that it does not materially distort the capital requirements calculation and that the model output is independent of the grouping methods.
Sub-paragraph criteria: None

156 Ungrouping bundled losses may provide a bank with a dataset that more accurately reflects its risk profile than bundled losses. However, in most cases, a bank does not have information about individual losses (eg loss amounts and dates for individual losses) as the purpose of grouping losses is to simplify the data collection process. In these cases, the bank should approximate individual losses (eg inputting the number of grouped losses with an average loss amount assigned to each) and ensure that the effect of this approximation is immaterial to the calculation results.
Sub-paragraph criteria: None

157 A bank should not circumvent or infringe its threshold by grouping losses. One such unacceptable example: Bank Z implements a €1,000 threshold for modelling purposes. The bank groups "cases of minor damage to physical assets which can easily be replaced from inventory" that occurred during a given year and enters them as a single entry into its database for management purposes. This year, the losses were reported as an estimation of 1000 events with a total estimated amount of €50,000. Consequently, the bank decided that there were no losses above the modelling threshold of €1,000, since the average amount of losses was €50. However, the reality (not known to the bank) was that there were 999 cases of theft or damages with a €49 loss and a single €1,049 theft, which was ignored. The bank should have identified this major loss and ensured that it was reflected in its models.
Sub-paragraph criteria: None

158 Similar to the first example, strong governance on data collection procedures is essential to preventing such cases. In the example above, Bank Z’s corporate operational risk management function should have monitored possible events that needed grouping and ensured that the branches collected necessary losses.
Sub-paragraph criteria: None

159 In both Scenario 1 and Scenario 2, special consideration of issues related to data grouping is required in the case of a merger. For example, when quantifying the operational risk of a merged bank, all the relevant losses, including those that occurred before the merger, with a common underlying cause should be grouped together before being input into the model. When this is not feasible, a bank should ensure that the effect of not doing so is insignificant to the quantification result.
Sub-paragraph criteria: None

162 When choosing their operational risk categories, a bank should take into account the nature and complexity of business activities and the operational risks to which they are exposed.
Sub-paragraph criteria: None

Modelling Granularity

Supervisory guidelines

Losses without causal relations

Most AMA models are currently based on either the loss distribution approach (LDA) or on the scenario-based approach (SBA). While some of the criteria and examples under this section are more applicable to one approach than another, the underlying principles are meant to be generally valid; therefore they should be applicable to any AMA method. This in particular holds for the “Building of the calculation dataset” and “Determination of aggregated loss distributions and risk measures” Sections, which are elaborated having the LDA as reference, but that should be applied to the maximum extent to other approaches such as the SBA.
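The grouping rules in paragraphs 145 to 153 and the Bank X and Bank Z failures in paragraphs 149 and 157 can be checked mechanically. The following Python sketch is an added example, not part of the BCBS or SARB text: the record layout, field names, identifiers, dates and the seven-year window are constructed for illustration, while the €10,000 and €1,000 thresholds and the loss amounts come from the two examples above.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from typing import Optional


@dataclass(frozen=True)
class Loss:
    loss_id: str
    event_id: Optional[str]  # shared cause (hypothetical field); None = standalone
    amount: int              # gross loss in EUR
    discovery: date


@dataclass(frozen=True)
class ModelInput:
    key: str
    amount: int
    reference_date: date
    members: tuple


def naive_dataset(losses, threshold, start, end):
    """Flawed pipeline: threshold and window applied per record, before grouping."""
    return [ModelInput("loss:" + l.loss_id, l.amount, l.discovery, (l.loss_id,))
            for l in losses
            if l.amount > threshold and start <= l.discovery <= end]


def grouped_dataset(losses, threshold, start, end):
    """Group by common event first (para 145), sum severities and date the group
    at its last discovered loss (para 153), then apply threshold and window."""
    groups = defaultdict(list)
    for l in losses:
        key = "event:" + l.event_id if l.event_id else "loss:" + l.loss_id
        groups[key].append(l)
    out = []
    for key, members in groups.items():
        total = sum(m.amount for m in members)
        ref = max(m.discovery for m in members)
        if total > threshold and start <= ref <= end:
            out.append(ModelInput(key, total, ref,
                                  tuple(m.loss_id for m in members)))
    return sorted(out, key=lambda m: m.reference_date)


def review_bundle(threshold, count, total):
    """A bundle stored only as (count, total) hides its largest member.
    With non-negative losses one member can be as large as the total, so a
    low average proves nothing; only total <= threshold rules a breach out."""
    return {
        "average": total / count,
        "average_test_flags": total / count > threshold,
        "cannot_rule_out_breach": total > threshold,
    }


# Constructed sample records. Amounts for STORM-2014 follow the Bank X example.
THRESHOLD = 10_000
WINDOW = (date(2008, 1, 1), date(2014, 12, 31))
SAMPLE_LOSSES = [
    Loss("BR1-001", "STORM-2014", 8_000, date(2014, 3, 3)),
    Loss("BR2-001", "STORM-2014", 8_000, date(2014, 3, 5)),
    Loss("BR3-001", "STORM-2014", 8_000, date(2014, 3, 7)),
    Loss("HQ-017", None, 12_000, date(2014, 6, 1)),
    Loss("HQ-018", None, 3_000, date(2014, 6, 2)),
    # One event whose first component predates the observation window.
    Loss("LG-001", "FRAUD-A", 6_000, date(2007, 11, 20)),
    Loss("LG-002", "FRAUD-A", 7_000, date(2009, 2, 10)),
]

if __name__ == "__main__":
    for name, fn in (("naive", naive_dataset), ("grouped", grouped_dataset)):
        rows = fn(SAMPLE_LOSSES, THRESHOLD, *WINDOW)
        print(name, [(r.key, r.amount, r.reference_date.isoformat()) for r in rows])
    # Bank Z: 1000 events, EUR 50,000 in total, EUR 1,000 modelling threshold.
    print(review_bundle(1_000, 1_000, 50_000))
```

The per-record filter only works if sub-threshold components are collected at all, which is why paragraph 150 places the control in the collection procedure rather than in the model.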

163 When modelling operational risks, a bank should ensure that the model takes into account the bank’s idiosyncrasies. These may include the business profile, risk profile, history of operational losses, business environment and other factors. A bank should characterise operational risks along these factors. For modelling purposes, it is important that risks sharing common factors are grouped together.
Sub-paragraph criteria: None

164 When a major change in the organisational or the risk profile of an institution occurs, the bank should ensure the choice of granularity remains valid.
Sub-paragraph criteria: None

165 A bank should determine the optimum balance between granularity of the classes and volume of historical data for each class. Using one or only a few ORCs can lead to increased heterogeneity for the events in each category. A high number of ORCs can cause the number of losses in each category to fall below a model’s data threshold. As such an outcome is more likely for business lines where the underlying risk exposure is immaterial, the materiality of a business line may in effect be one of the factors determining the level of granularity. Supervisors should be wary when an institution uses either a very low or very high number of ORCs, especially when used in conjunction with a loss distribution approach (LDA).
Sub-paragraph criteria: None

166 A bank should provide evidence to supervisory authorities that its choice of operational risk categories is reasonable and does not adversely impact other factors of the operational risk model, such as diversification assumptions, correlations and capital allocation.
Sub-paragraph criteria: None

167 A bank should support its choice of granularity by qualitative and quantitative means. It should be particularly aware of the impact its choice of granularity has on the capital charge and provide evidence that the choice is reasonable.
Sub-paragraph criteria: None

168 A high number of ORCs may lead to an unrealistically high capital charge when no correlations are modelled and capital charges for all ORCs are summed together. On the other hand, a bank modelling correlations that use a high number of ORCs might have difficulty finding statistical means to validate correlation assumptions due to minimal loss data for each ORC.
Sub-paragraph criteria: None

169 Capital allocation to internal business lines should be a factor when choosing ORCs, as these ORCs may be used as part of the capital allocation process. When using an allocation method that is very different in nature from the choice of ORCs, the bank should ensure that its choice of ORCs and allocation method was reasonable in the first place. Note that changes in the ORCs need not always correspond with changes in the capital allocation method. For example, banks often take continuous management actions leading to changes in their business units that may not lead to major changes in their business processes or risk profile. Such changes may not justify changing the ORCs used for capital modelling, even though they must be incorporated in the capital allocation process.
Sub-paragraph criteria: None

178 A bank should have a policy that identifies when a loss or an event recorded in the internal (or external) loss event database is also to be included in the calculation dataset. This policy should provide a consistent treatment for loss data across the institution. Exceptions to the policy should be limited and, in any case, duly documented and properly addressed to prevent undue reduction of the capital charge.
Sub-paragraph criteria: None

179 The building of a proper calculation dataset from the available internal/external data requires that a bank develop policies and procedures to address its several features (ie perimeter of application, observation period, reference date, de minimis modelling thresholds and data treatment).
Sub-paragraph criteria: None

180 The definition of “gross loss” for the purpose of building the calculation dataset should include all the items mentioned in Paragraphs 85 and, when applicable, 87 of these Guidelines. The Basel II Framework requires banks to base their internally generated operational risk measures on a minimum historical observation period of five years (three years when an institution first moves to an AMA). For certain ORCs with low frequency of events, an observation period greater than five years may be necessary to collect sufficient data to generate reliable operational risk measures and ensure that all material losses are included in the calculation dataset. If very long data series are used, banks will need to consider the heterogeneity arising from changes in the risk profile through time. In such cases, time trends or other adjustments should be strongly preferred to discarding older data. Discarding older data should be undertaken only as last resort for ORCs where loss experience is sparse.
Sub-paragraph criteria: None

181 A bank may use one of the reference dates (occurrence date, discovery date, contingent liability date or accounting date) for building the calculation dataset, as long as material loss data are not omitted. No other dates are acceptable for building the calculation dataset.
Sub-paragraph criteria: None

182 The discovery date or accounting date are the most prudent choices for developing a bank’s dataset for the quantification of operational risk capital related to that event. However, a bank may use the occurrence date for building the calculation dataset if the bank has not constrained or limited the observation period.
Sub-paragraph criteria: None

183 A bank should use a date no later than date of reserve for including legal related losses/exposures in the calculation dataset.
Sub-paragraph criteria: None

184 A bank may establish a de minimis modelling threshold for an ORC, so that frequency and severity distributions in each ORC are fitted to the data only in excess of the threshold. The de minimis modelling threshold may differ across ORCs. The choice of threshold for modelling should not adversely impact the credibility and accuracy of the operational risk measures.
Sub-paragraph criteria: None

Distributional assumptions

Supervisory guidelines

Building of the calculation dataset

185 On an exceptional basis, a bank may identify data points related to abandoned business lines within the calculation data. It may adopt specific techniques for the treatment of these data points to address an undesired effect on capital measures. However, a bank should justify and clearly document the identification and treatment of these data points and provide estimates of the capital requirements with and without this treatment.
Sub-paragraph criteria: None

186 Use of de minimis modelling thresholds that are much higher than the data collection thresholds should be limited and properly justified by sensitivity analysis at various thresholds. Moreover, changes in the de minimis modelling thresholds, when not embedded in the model engine and driven by specific reasons (eg discount rates), should be limited in number and duly motivated by the need to better capture the risk profile of the ORC.
Sub-paragraph criteria: None

187 All operational losses above the set de minimis modelling threshold should be included in the calculation dataset and used, whatever their amounts, for generating the regulatory measures.
Sub-paragraph criteria: None

188 Losses caused by a common operational loss event should be grouped and entered into the calculation dataset as a single loss, unless a bank chooses to model causality or dependence among those losses in a different manner. A bank’s internal loss data policy should establish guidelines for deciding the circumstances, types of data and methodology for grouping data as appropriate for their business, risk management and capital charge modelling needs. They should also clarify and document their individual judgments in applying these guidelines. A bank’s policy about the threshold and dates for single losses should also be applied to grouped losses.
Sub-paragraph criteria: None

189 A bank that groups small losses above the threshold for modelling with no causal relations for data collection and registration purposes generally should not include them in its calculation dataset.
Sub-paragraph criteria: None

190 A bank should consider applying appropriate adjustment rates on data when inflation or deflation effects are material. For example, when the observation period for a specific ORC is extensive (eg 15-20 years) due to the infrequent occurrence of loss events and the loss data series is not stationary, adjusting loss amounts due to discount effects could be the solution to recover stationarity.
Sub-paragraph criteria: None

191 A bank should not use loss net of insurance recoveries as an input for its AMA models. An approach using loss net of recoveries and insurance recoveries may prove especially difficult in the calculation of the maximum 20% capital requirements reduction permitted for insurance mitigation in the Basel II Framework and discussed in Recognising the risk-mitigating impact of insurance in operational risk modelling.
Sub-paragraph criteria: None

192 The recognition of insurance in operational risk capital models is in an early stage of development. A bank should calculate the total operational risk capital charge gross of insurance recovery in order to determine the 20% limit and isolate the bank’s methodology for modelling insurance mitigation.
Sub-paragraph criteria: None

193 A bank should follow a well specified, documented and traceable process for the selection, update and review of probability distributions and the estimate of their parameters. This process should result in consistent and clear choices and be finalised to properly capture the risk profile in the tail.
Sub-paragraph criteria: None

194 Severity distributions play a crucial role in AMA models. That the models are often medium/heavy tailed implies that the final outcome is significantly impacted by the chosen distribution. The choice of frequency distributions has a lesser impact on the final outcome.
Sub-paragraph criteria: None

Identification of the probability distributions

195 The selection of probability distributions should be consistent with all elements of the AMA model. In addition to statistical goodness of fit, Dutta and Perry (2007) have proposed the following criteria for assessing a model’s suitability:
Sub-paragraph criteria:
• realistic (eg it generates a loss distribution with a realistic capital requirements estimate, without the need to implement “corrective adjustments” such as caps),
• well specified (eg the characteristics of the fitted data are similar to the loss data and logically consistent),
• flexible (eg the method is able to reasonably accommodate a wide variety of empirical data) and
• simple (eg it is easy to implement and it is easy to generate random numbers for the purpose of loss simulation).

196 The process of selecting the probability distribution should be well-documented, verifiable and lead to a clear and consistent choice. To this end, a bank should generally adhere to the following:
Sub-paragraph criteria:
(a) Exploratory Data Analysis (EDA) for each ORC to better understand the statistical profile of the data and select the most appropriate distribution;
(b) Appropriate techniques for the estimation of the distributional parameters; and
(c) Appropriate diagnostic tools for evaluating the quality of the fit of the distributions to the data, giving preference to those most sensitive to the tail.

197 In order to examine the statistical properties of each ORC (ie homogeneity, independence, stationarity), a bank should make use of statistical tools which include, but are not limited to, scatter plots, time series autocorrelation plots, empirical distribution plots, histograms and regression analysis. Other tools, such as p-p plots, q-q plots and mean excess plots provide preliminary evidence on the type and shape of the probability distributions which better represent the data.
Sub-paragraph criteria: None

198 The Range of Practice Paper reveals a wide range of practices for the estimate of the severity distributions, with 31% of AMA banks applying a single distribution to all the data and nearly 50% using two separate distributions for the body (or HFLI region) and the tail (or LFHI region).
Sub-paragraph criteria: None

199 The operational risk data from a severity perspective clearly illustrate positive skewness and medium-heavy tailedness (leptokurtosis). In statistical terms, this may mean that not all the statistical moments of the severity distribution exist; in many cases the 2nd moment (ie the standard deviation) and higher moments, although always empirically calculable, are often enormous due to the relevant dispersion of the data.
Sub-paragraph criteria: None

200 A bank should pay particular attention to the positive skewness and, above all, leptokurtosis of the data when selecting a severity distribution. In particular, when the data are medium/heavy tailed (therefore very dispersed in the tail), the use of empirical curves to estimate the tail region is an unacceptable practice due to the inability to extrapolate information beyond the last observable data point.
Sub-paragraph criteria: None

201 In such cases the use of so-called sub-exponential distributions is highly recommended. Subexponential distributions, which sometimes have a higher number of parameters than light tailed curves, can better represent the shape of the data in the tail (other than their skewness in the body) by allowing estimates of parameters that do not depend on the higher order statistical moments.
Sub-paragraph criteria: None

202 When separate distributions for the body and the tail are used, a bank should carefully consider the choice of the body-tail modelling threshold that distinguishes the two regions. The bank should provide documented statistical support, supplemented as appropriate by qualitative elements, for the selected threshold, as the threshold may significantly impact the capital requirements. Ideally the estimate of the body-tail modelling threshold should be made conjunctly with the parameters of the distribution; however for practical reasons banks tend to first identify the threshold and then estimate the parameters. EDA instruments like the hill plot and the mean excess function plot can be useful in the determination of the threshold. A bank should employ sound methods to connect the body and tail distributions. In particular, jumps in the probability mass function when attaching the body and tail of the distributions should be avoided, in order to guarantee that the LFHI and HFLI regions are mutually exclusive and are properly reflected in the aggregated distribution.
Sub-paragraph criteria: None

203 When estimating the parameters of the distribution, a bank should take into account the incompleteness of the calculation dataset in the model (eg due to the presence of de minimis modelling threshold(s) which may or may not coincide with the data collection threshold). The bank should provide evidence that an incomplete calculation dataset does not adversely impact the credibility and accuracy of the parameter estimates and capital requirements.
Sub-paragraph criteria: None

204 A bank should pay particular attention to the estimate of the kurtosis-related parameters, which describe the tail region of the losses. Because of data scarcity, the estimates can be highly unstable. The bank should put in place methodologies to reduce estimate variability and provide measures of the error around these estimates (eg confidence intervals, p-values).
Sub-paragraph criteria: None

205 Robust estimation methods (such as alternatives to classical methods as the Maximum Likelihood and the Probability Weighted Moments), proposed recently in operational risk literature, are reasonably efficient under small deviations from the assumed model. These methods also highlight which observations or deviating substructures have the greatest influence on the statistic to be estimated. A bank may adopt alternatives to classic estimators, provided it can demonstrate that its use does not underestimate risk in the tail. These estimators may also be used as a diagnostic technique for evaluating the sensitivity of the capital charge to the chosen parameter estimation method.
Sub-paragraph criteria: None

206 A bank should assess the quality of fit between the data and the selected distribution. The tools typically adopted for this purpose are graphical methods (which visualise the difference between the empirical and theoretical functions) and quantitative methods, based on goodness-of-fit tests. In selecting these tools, a bank should give preference to graphical methods and goodness-of-fit tests that are more sensitive to the tail than to the body of the data (eg the Anderson Darling upper tail test).
Sub-paragraph criteria: None

207 While diagnostic tools provide information on the quality of fit between the data and each distribution, they do not always lead to a clear choice of the best-fitting distribution. Moreover, the results of the goodness-of-fit tests are usually sensitive to the sample size and the number of parameters estimated. In such cases, a bank should consider selection methods that use the relative performance of the distributions at different confidence levels. Examples of selection methods may include the Likelihood Ratio, the Schwarz Bayesian Criterion and the Violation Ratio.
Sub-paragraph criteria: None

208 A bank should have a regular cycle to verify assumptions underlying the probability distributions they have selected. These verifications may follow the criteria and tests a bank uses in the selection of the probability distribution. If assumptions are invalidated, alternative methods should be tested and implemented. However, any change should be properly justified. In particular, after suffering one or more significant losses in an ORC, a bank should not decide to replace the probability distributions used in that ORC with lighter-tailed curves.
Sub-paragraph criteria: None

209 Many observed SBA models do not apply statistical inference to raw scenario data. Very often the SBA-model curves are predetermined and the scenario data are used only to estimate the parameters of those distributions (usually by percentile matching).
Sub-paragraph criteria: None

210 While this approach is very common in practice, banks generally use the same curve (usually the Lognormal) for modelling the severity of the scenario data across all ORCs, regardless of its business, size and complexity. The selection of a single curve across ORCs implies that the only admissible driver of variation in the operational risk exposure lies in the scenario driven parameter estimates of the chosen distribution.
Sub-paragraph criteria: None

211 A bank should ensure that the loss distribution(s) chosen to model scenario analysis estimates adequately represents the risk profile of the ORCs. In doing so, banks should also consider the potential differences with an LDA in terms of level of granularity and dependence across the ORCs.
Sub-paragraph criteria: None

Additional considerations for AMA models based on scenario analysis

Determination of aggregated loss distributions and risk measures

212 The techniques to determine the aggregated loss distributions should ensure adequate levels of precision and stability of the risk measures. The risk measures should be monotonic, reasonable and supplemented with information on their level of accuracy.
Sub-paragraph criteria: None

213 Banks use several statistical techniques to generate the aggregated loss distributions from frequency and severity curves and parameter estimates. Given the type of distributions adopted in the context of operational risk, it is especially difficult to represent the aggregated loss distributions by closed form curves. As such, simulation, numerical or approximation methods are necessary to derive aggregated curves (eg Monte Carlo simulations, Fourier Transform-related methods, Panjer algorithm and Single Loss Approximations).
Sub-paragraph criteria: None

214 A bank should adopt criteria that mitigate sample and/or numerical related errors and provide a measure of the magnitude of these errors, regardless of the techniques used to aggregate frequency and severity distributions.
Sub-paragraph criteria: None

215 Where Monte Carlo simulations are used, the number of steps to be performed is an important variable. Good modelling practice suggests that the number should be consistent with the shape of the distributions and with the confidence level to be achieved. In particular, where the distribution of losses is heavy tailed and measured at a high confidence level, the number of steps should be sufficiently large to reduce sampling variability to an acceptable level. In order to do this, a bank can use either (i) a very large number of iterations or (ii) a dynamic number of iterations. The latter, which is typically more accurate, allows the simulation process to stop when the marginal variation of the risk measure, or some other dispersion index, is l t
Sub-paragraph criteria: None

216 If Fourier Transform or other numerical methods are used, a bank should pay attention to algorithm stability and error propagation issues.
Sub-paragraph criteria: None

217 The risk measure is a single statistic extracted from the aggregated loss distribution at the desired confidence level. The most common and, so far, most adopted measure in risk management, including operational risk, is the Value at Risk (VaR). However, in certain applications and fields, including risk management, Shortfall measures (eg Expected Shortfall, Median Shortfall) have also gained acceptance in representing the whole tail region and in providing a coherent risk estimate (under a sub-additivity perspective).
Sub-paragraph criteria: None

218 Whichever risk measure is adopted, a bank should ensure that the measure (and the overall AMA model) fulfils the monotonic principle of risk, which can be seen in the generation of higher capital requirements when the underlying risk profile increases.
Sub-paragraph criteria: None

219 It is also crucial that the risk measures (while using conservative criteria and assumptions for prudential purposes) are realistic from a managerial and economical perspective. In specific cases, banks may adopt distributions that envisage the non existence of the first moment (ie the mean), as this would determine high capital requirements and would not be easily and clearly justifiable and applicable within the firm.
Sub-paragraph criteria: None

220 A bank should recognise that the estimated capital charge is inherently uncertain due to the heaviness and scarcity of operational risk losses in the tail region. As such, the bank should explicitly recognise this variability in their estimates and provide measures of the error around these estimates.
Sub-paragraph criteria: None

221 A bank should also gather information on the expected loss. Due to its high sensitivity to extreme losses, the arithmetic mean can cause an inaccurate picture for the expected losses. In light of this, the use of statistics that are less influenced by extreme losses (eg median, trimmed mean) is recommended, especially in the case of medium/heavy tailed datasets.
Sub-paragraph criteria: None

Correlation and dependence

Supervisory guidelines

228 Dependence assumptions should be supported to the greatest extent possible by an appropriate combination of empirical data analysis and expert judgment. It is important to recognise that using internal and external data to model dependence presents challenges, as data limitations observed in the univariate context (modelling loss distributions for single ORCs) are likely to be more significant in the multivariate context (modelling multiple ORCs). Using judgment to model dependence presents its own challenges, as eliciting accurate but subjective estimates is more difficult in the multivariate context than in the univariate context. As such, the specification of dependence structures represents one of the most significant challenges in AMA modelling.
Sub-paragraph criteria: None

229 Assumptions regarding dependence should be conservative given the uncertainties surrounding dependence modelling for operational risk. Consequently, the dependence structures considered should not be limited to those based on Normal or Normal-like (eg T-Student distributions with many degrees of freedom) distributions, as normality may underestimate the amount of dependence between tail events.
Sub-paragraph criteria: None

230 The degree of conservatism should increase as the rigor of the dependence model and the reliability of the resulting capital requirements estimates decrease. Accordingly, models assuming statistical independence across all loss events would require a very high degree of rigour. Such rigor may be difficult to attain given the evolving nature of dependence modelling for operational risk. It is important to note that the trade-off between rigor and conservatism will function only within certain bounds; supervisors would not accept a high degree of conservatism to compensate for an approach to dependence that suffered from fundamental deficiencies.
Sub-paragraph criteria: None
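
Paragraphs 214, 215 and 220 ask for a dynamic number of Monte Carlo iterations and a measure of the error around the resulting risk measure; the sketch below is an added example, not part of the annexure or the BCBS paper. The Poisson frequency, lognormal severity, their parameters, the 1% tolerance and the three-batch patience rule are all assumptions chosen for illustration.

```python
import math
import random
from statistics import NormalDist


def quantile_with_ci(sorted_losses, p, level=0.95):
    """Empirical p-quantile with a distribution-free confidence interval.

    The count of samples below the true quantile is Binomial(n, p); a normal
    approximation to it gives the ranks that bracket the quantile.
    """
    n = len(sorted_losses)
    z = NormalDist().inv_cdf(0.5 + level / 2)
    centre = n * p
    half_width = z * math.sqrt(n * p * (1 - p))

    def at_rank(rank):  # 1-indexed rank, clamped to the sample
        return sorted_losses[min(n, max(1, rank)) - 1]

    point = at_rank(math.ceil(centre - 1e-9))
    low = at_rank(math.floor(centre - half_width))
    high = at_rank(math.ceil(centre + half_width))
    return point, low, high


def poisson(rng, lam):
    """Knuth's multiplication method; adequate for the small lam used here."""
    limit, k, prod = math.exp(-lam), 0, rng.random()
    while prod > limit:
        k += 1
        prod *= rng.random()
    return k


def annual_loss(rng, lam, mu, sigma):
    """One simulated year: Poisson event count, lognormal severities (assumed)."""
    return sum(rng.lognormvariate(mu, sigma) for _ in range(poisson(rng, lam)))


def simulate_var(lam, mu, sigma, p=0.999, batch=10_000, max_years=200_000,
                 tol=0.01, patience=3, seed=1):
    """Add batches of simulated years until VaR moves by less than `tol`
    (relative) for `patience` consecutive batches, or max_years is reached."""
    rng = random.Random(seed)
    losses, previous, stable = [], None, 0
    while len(losses) < max_years:
        losses.extend(annual_loss(rng, lam, mu, sigma) for _ in range(batch))
        losses.sort()
        var, low, high = quantile_with_ci(losses, p)
        if previous is not None and abs(var - previous) <= tol * previous:
            stable += 1
        else:
            stable = 0  # a jump in the tail resets the stability counter
        previous = var
        if stable >= patience:
            break
    return {"years": len(losses), "converged": stable >= patience,
            "var": var, "ci": (low, high),
            "rel_ci_width": (high - low) / var if var else float("inf")}


if __name__ == "__main__":
    # Constructed parameters: about 5 losses a year, heavy-tailed severity.
    result = simulate_var(lam=5, mu=10.0, sigma=2.0)
    print(result)
```

A run that ends with `converged` false has hit `max_years` without stabilising, and the width of `ci` relative to `var` shows how much sampling error remains in the estimate.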

231 Losses within each ORC should be independent of each other. If this is not the case, either within-ORC dependence should be modelled explicitly or the input data should be modified to achieve independence across individual losses.
Sub-paragraph criteria: None

232 Dependence should not be inappropriately affected by the choice of granularity. For example, many operational risk management frameworks assume statistical independence between losses within the same ORC. To the extent that a bank’s framework has only a few ORCs, the impact of dependence may be inappropriately minimised. In such a situation, it may be preferable to simply add capital estimates across ORCs.
Sub-paragraph criteria: None

233 A bank should perform sensitivity analyses and stress testing (eg different parameter values and different correlation models) on the effect of alternative dependence assumptions on its operational risk capital charge estimate. A bank should have a rigorous process in place specifying the conditions under which the results based on alternative dependence assumptions would lead to a revision of the operational risk capital requirements estimate.
Sub-paragraph criteria: None

234 Given the evolving nature of dependence modelling for operational risk, it may be difficult to meaningfully differentiate the impact of dependence at one bank versus another. One would thus expect some degree of cross-bank consistency in the overall impact of dependence.
Sub-paragraph criteria: None

Use of the four data elements

Supervisory guidelines

245 The Committee recognises that there will be jurisdictional differences in the use of the four data elements because of:
Sub-paragraph criteria:
(a) The quantity and relevance of the available loss data; and
(b) Different emphasis in the regulatory assessment of quantitative methodologies (which may in part be a reflection or a cause of point a).

246 In light of these acknowledged differences, there are certain modelling approaches that have been developed which the Committee believes are within an acceptable range of practice with respect to the use of the four data elements.
Sub-paragraph criteria: None

Internal loss data

247 While the Basel II Framework provides flexibility in the way a bank combines and uses the four data elements in its operational risk management framework (ORMF), supervisors expect that the inputs to the AMA model are based on data that represent the bank’s business risk profile and risk management practices. ILD is the only component of the AMA model that records a bank's actual loss experience. Supervisors expect ILD to be used in the operational risk measurement system (ORMS) to assist in the estimation of loss frequencies; to inform the severity distribution(s) to the extent possible; and to serve as an input into scenario analysis as it provides a foundation for the bank’s scenarios within its own risk profile. The Committee has observed that many banks have limited high severity internal loss events to inform the tail of the distribution(s) for their capital charge modelling. It is therefore necessary to consider the impact of relevant ED and/or scenarios for producing meaningful estimates of capital requirements.
Sub-paragraph criteria: None

External data

248 ED provides information on large actual losses that have not been experienced by the bank, and is thus a natural complement to ILD in modelling loss severity. Supervisors expect ED to be used in the estimation of loss severity as ED contains valuable information to inform the tail of the loss distribution(s). ED is also an essential input into scenario analysis as it provides information on the size of losses experienced in the industry. Note that ED may have additional uses beyond providing information on large losses for modelling purposes. For example, ED may be useful in assessing the riskiness of new business lines, in benchmarking analysis on recovery performance, and in estimating competitors’ loss experience.
Sub-paragraph criteria: None

249 While the ED can be a useful input into the capital model, external losses may not fit a particular bank’s risk profile due to reporting bias. Reporting bias is inherent in publicly-sourced ED and therefore focuses on larger, more remarkable losses. A bank should address these biases in their methodology to incorporate ED into the capital model.
Sub-paragraph criteria: None

250 As ED may not necessarily fit a particular bank’s risk profile, a bank should have a defined process to assess relevancy and to scale the loss amounts as appropriate. A data filtering process involves the selection of relevant ED based on specific criteria and is necessary to ensure that the ED being used is relevant and consistent with the risk profile of the bank. To avoid bias in parameter estimates, the filtering process should result in consistent selection of data regardless of loss amount. If a bank permits exceptions to its selection process, the bank should have a policy providing criteria for exceptions and documentation supporting the rationale for any exceptions. A data scaling process involves the adjustment of loss amounts reported in external data to fit a bank’s business activities and risk profile. Any scaling process should be systematic, statistically supported, and should provide output that is consistent with the bank’s risk profile.
Sub-paragraph criteria: None

251 To the extent that little or no relevant ED exists for a bank, supervisors would expect the model to rely more heavily on the other data elements. Limitations in relevant ED most frequently arise for banks operating in distinct geographic regions or in specialised business lines.
Sub-paragraph criteria: None

Scenario analysis

252 A robust scenario analysis framework is an important element of the ORMF. This scenario process will necessarily be informed by relevant ILD, ED and suitable measures of BEICFs. While there are a variety of integrated scenario approaches, the level of influence of scenario data within these models differs significantly across banks.
Sub-paragraph criteria: None

253 The scenario process is qualitative by nature and therefore the outputs from a scenario process necessarily contain significant uncertainties. This uncertainty, together with the uncertainty from the other elements, should be reflected in the output of the model producing a range for the capital requirements estimate. Thus, scenario uncertainties provide a mechanism for estimating an appropriate level of conservatism in the choice of the final regulatory capital charge. Because quantifying the uncertainty arising from scenario biases continues to pose significant challenges, a bank should closely observe the integrity of the modelling process and engage closely with the relevant supervisor.
Sub-paragraph criteria: None

254 Scenario data provides a forward-looking view of potential operational risk exposures. A robust governance framework surrounding the scenario process is essential to ensure the integrity and consistency of the estimates produced. Supervisors will generally observe the following elements in an established scenario framework:
Sub-paragraph criteria:
(a) A clearly defined and repeatable process;
(b) Good quality background preparation of the participants in the scenario generation process;
(c) Qualified and experienced facilitators with consistency in the facilitation process;
(d) The appropriate representatives of the business, subject matter experts and the corporate operational risk management function as participants involved in the process;
(e) A structured process for the selection of data used in developing scenario estimates;
(f) High quality documentation which provides clear reasoning and evidence supporting the scenario output;
(g) A robust independent challenge process and oversight by the corporate operational risk management function to ensure the appropriateness of scenario estimates;
(h) A process that is responsive to changes in both the internal and external environment; and
(i) Mechanisms for mitigating biases inherent in scenario processes. Such biases include anchoring, availability and motivational biases.

BEICF

255 BEICFs are operational risk management indicators that provide forward-looking assessments of business risk factors as well as a bank’s internal control environment. However, incorporating BEICFs directly into the capital model poses challenges given the subjectivity and structure of BEICF tools. Banks continue to investigate and refine measures of BEICFs and explore methods for incorporating them into the capital model.
Sub-paragraph criteria: None

256 BEICFs are commonly used as an indirect input into the quantification framework and as an ex-post adjustment to model output. Ex-post adjustments serve as an important link between the risk management and risk measurement processes and may result in an increase or decrease in the AMA capital charge at the group-wide or business-line level. Given the subjective nature of BEICF adjustments, a bank should have clear policy guidelines that limit the magnitude of either positive or negative adjustments. It should also have a policy to handle situations where the adjustments actually exceed these limits based on the current BEICFs. BEICF adjustments should be well-supported and the level of supervisory scrutiny will increase with the size of the adjustment. Over time, the direction and magnitude of adjustments should be compared to ILD, conditions in the business environment and changes in the effectiveness of controls to ensure appropriateness. BEICFs should, at a minimum, be used as an input in the scenario analysis process.
Sub-paragraph criteria: None

Combining the elements

257 There are various ways that an AMA model can be constructed to effectively incorporate the four data elements. A bank should carefully consider how the data elements are combined and used to ensure that the bank’s operational risk capital charge is commensurate with its level of risk exposure. A bank should provide a clearly articulated rationale for their modelling choices and assumptions and conduct sufficient research and analysis to support their decisions. The approach adopted should also encourage ownership of the outcomes and be readily understood by the business. It is highly desirable that there is no disconnect between the measurement and the management of operational risk within the bank. The Committee recognises that operational risk modelling continues to evolve and encourages further investigation into the combination of the four data elements within AMA dl
Sub-paragraph criteria: None

258 The Range of Practice Paper recognises that “[t]here are numerous ways that the four data elements have been combined in AMA capital models and a bank should have a clear understanding of the influence of each of these elements in their capital model”. In some cases it may not be possible to:
Sub-paragraph criteria:
(a) Perform separate calculations for each data element; or
(b) Precisely evaluate the effect of gradually introducing the different elements.

259 While in principle this may be a useful mathematical approach, certain approaches to modelling may not be amenable to this style of decomposition. However, regardless of the modelling approach, a bank should have a clear understanding of how each of the four data elements influences the capital charge.
Sub-paragraph criteria: None

Mixing of outcomes from AMA sub-models

260 A bank should avoid arbitrary decisions if they combine the results from different sub-models within an AMA model. For example, in a model where internal and external loss data are modelled separately and then combined, the blending of the output of the two models should be based on a logical and sound statistical methodology. There is no reason to expect that arbitrarily weighted partial capital requirement estimates would represent a bank’s requisite capital requirements commensurate with its operational risk profile. Any approach using weighted capital charge estimates needs to be defensible and supported, for example by thorough sensitivity analysis that considers the impact of different weighting schemes.
Sub-paragraph criteria: None

Combining data elements within the capital model

261 The combination of data elements within the capital model can provide the opportunity for the development of an integrated and self-consistent modelling framework. However, there are significant challenges that banks will need to address when combining data elements (eg combining scenario data or ED directly with ILD). The combination of data elements should be based on a sound statistical methodology. The Committee will continue to monitor progress in the development of robust techniques to combine data
Sub-paragraph criteria: None