Guidance

1. An Authorised Person should have policies and procedures that address the process for review and approval of new products, activities, processes and systems. The review and approval process should include consideration of:
a. inherent risks in any new product, service, or activity;
b. resulting changes to the Authorised Person's Operational Risk profile, appetite and tolerance, including changes to the risk of existing products or activities;
c. necessary controls, risk management processes, and risk mitigation strategies;
d. residual risk;
e. changes to relevant risk limits;
f. procedures and metrics to measure, monitor, and manage the risk of the new product or activity; and
g. appropriate investment in human resources and technology infrastructure.
2. Tools that an Authorised Person may employ for identifying and assessing Operational Risk include:
a. internal loss data collection and analysis;
b. external data collection and analysis;
c. risk assessments;
d. business process mapping;
e. risk and performance indicators; and
f. scenario analysis.