1. 1.A Bank must identify and assess the operational risk inherent in all material products, activities, processes and systems. Effective identification and assessment considers both internal and external factors. This must include any operational risk arising from common points of exposure, such as a single external service provider serving the Bank.²
2. 2.A Bank’s approach to assessment of operational risk at a minimum must address the following items:
   1. a.Determining which operational risk assessment tools will be employed by the Bank and how they are to be used;
   2. b.Establishing and monitoring thresholds or limits for inherent and residual risk exposure;
   3. c.Calibration of identified risks against operational risk appetite limits, as well as thresholds or limits for inherent and residual risk and approved risk mitigation strategies and instruments; and
   4. d.Providing for common operational risk terminology to ensure consistency of risk identification and assessment on a bank-wide or, if applicable, Group-wide basis.
3. 3.A Bank must take into account its assessment of operational risk in its internal pricing and performance monitoring mechanisms.

² Appendix 1 provides examples of tools that may be used for identifying and assessing operational risk.