guidance specified by the intermediary to comply with such rules, and in any case there shall be at least sufficient and efficient operating systems as follows: (a) risk management system; (b) internal