France's Financial Markets Authority publishes lessons from SPOT inspections of asset managers’ operational risk management

France's Financial Markets Authority (AMF) published the findings from a thematic SPOT inspection campaign reviewing how portfolio management companies identify, monitor, control and report operational risk, including analysis of operational incidents that occurred or were avoided. The exercise highlights generally established governance and procedures, alongside recurring gaps in loss measurement, incident assessment and the quality and traceability of reporting. The AMF reviewed five management companies of varying size and organisation over the period 1 January 2022 to 31 December 2024, covering governance and resourcing, incident handling procedures, incident registers, professional liability coverage, reporting to senior bodies and the AMF, and internal control work. Firms typically had a dedicated operational risk function, often linked to the compliance and internal control officer (RCCI) or the risk head with direct access to management, and used specialist committees. However, approaches to booking and ex post verification of incident-related losses were often less detailed, incident registers did not always include systematic severity grading for events, and follow-up on remediation plans was sometimes incomplete. Most firms combined an additional own-funds buffer with professional liability insurance, but the methodology for calculating the buffer remained insufficiently formalised despite AMF recommendations; reporting to management was in place, but materiality rules excluding certain incidents were not always documented, and one firm showed significant inaccuracies in operational loss amounts reported to the regulator via annual information forms (FRA). The AMF highlighted good practices such as setting a quantified maximum tolerable operational risk impact, using structured and validated incident investigation sheets, and regularly reconciling recorded operational losses with the incident register. Poor practices included risk maps without a graduated grid for financial and non-financial impacts, multiple non-harmonised incident registers, and insufficient consideration of operational risks when selecting significant or sensitive outsourced providers or delegates.