Operational risk management for banks

6 mins read

Operational Risk (OR) is the risk of direct and indirect loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk but excludes reputational and strategic risks. In this post we look at some of the key components of operational risk management for banks

Operational risk capital charge approaches

According to the Basel II accord, a financial institution like a bank, based on the level of sophistication of their operational risk management systems and practices, has the option of using one of the following approaches to calculation their operational risk capital charge:

a. Basic indicator approach

Capital is calculated as the average over the past three years of a fixed percentage, or alpha, equal to 15% times the enterprise – level positive gross income. Negative gross incomes incurred during this period are excluded from the calculation of the average.

b. Standardized approach

Fixed percentages, called betas, of 12%, 15%, or 18% depending on the business line, are applied to that line’s gross income, positive or negative. The sum across business lines is floored at zero. The average of this result over the previous three years is the capital charge.

There is an alternative to the Standardized Approach called the Alternative Standardized Approach that is available to entities that demonstrate that the use of this measure produces a better and improved risk charge. Under this alternative approach, the operational risk capital charge/methodology is the same as for the Standardized Approach except for two business lines — retail banking and commercial banking. For these business lines, loans and advances — multiplied by a fixed factor ‘m’ — replaces gross income as the exposure indicator.

c. Advanced measurement approach

Calculated using the banks own internal operational risk measurement system. The internal operational risk measurement system must consist of the following four data elements:

  1. Internal loss data,
  2. External loss data,
  3. Scenario analysis, and
  4. Business environment and internal control systems factors.

Within the bank’s operational risk management framework we will start our discussion with reviewing the three core components and then take a deeper look.

Operational Risk - OpRiskFlow

Risk Control Self Assessment (RCSA)

Risk control self assessments are used to identify risks present in the various units that make up the entity and the efficiency of the controls used to mitigate them.

Using RCSA helps the entity to understand its business processes of its various units (RCSA entities) and their related risks (RCSA risk types & exposure categories), define where the controls are (RCSA controls) and generate a subjective assessment of how well the controls are working (RCSA self assessment). See Annex 3 to understand the methodology followed for a RCSA process.


On the basis of this assessment Key Risk Indicators are specified.  

Key Risk Indicator (KRI)

KRIs are measurable metrics or indicators that track operational risk exposure or loss. An example of a KRI is the number of customer complaints. As the customer complaints increase, the probability that there are some underlying and potentially systemic mistakes and errors of judgment being made is likely to rise. Changes in the value of the indicator are likely to be associated with changes in operational risk exposure or operational loss exposure. Other examples of KRIs include volume, staff turnover, frequency of unmatched trades, etc.

KRI and associated loss events need to be captured with associated organization hierarchy data so that operational risk losses can be assigned to a given function within a given business line.


Loss Event

Business Line

According to Basel II, all activities of the entity are mapped in a mutually exclusive and jointly exhaustive manner in one of eight business lines:

LEVEL 1 LEVEL 2 Activity groups
Corporate Finance
  • Corporate Finance
  • Municipal /Government
  • Finance
  • Merchant Banking
  • Advisory Services
Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government, high yield), equity, syndications, IPO, secondary private placements
Trading and Sales
  • Sales
  • Market Making
  • Proprietary positions
  • Treasury
Fixed income, equity, foreign exchanges, commodities, credit, funding, own position securities, lending and repos, brokerage, debt, prime brokerage
Retail Banking Retail Banking Retail lending and deposits, banking services, trust and estates
Private Banking Private lending and deposits, banking services, trust and estates, investment advice
Card Services Merchant/commercial/corporate cards, private labels and retail
Commercial Banking Commercial Banking Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange
Payment and Settlement External Clients Payments and collections, funds transfer, clearing and settlement
Agency Services Custody Escrow, depository receipts, securities lending (customers) corporate action
Corporate Agency Issuer and paying agents
Corporate Trust
Asset Management Discretionary Fund Management Pooled, segregated, retail, institutional, closed, open, private equity
Non – Discretionary Fund Management Pooled, segregated, retail, institutional, closed, open
Retail Brokerage Execution and full service Execution and full service

Currently Basel II specifies eight business lines (Annex 8 of http://bis.org/publ/bcbs128.pdf ).

Loss Type

According to Basel II (Annex 9 of http://bis.org/publ/bcbs128.pdf), loss events fall into one of seven categories. These categories are further divided by subcategory and activities.

Event – Type Category (Level 1) Definition Categories (Level 2) Activity Examples (Level 3)
Internal Fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party Unauthorized Activity
  • Transactions not reported (intentional)
  • Transaction type unauthorized (w/monetary loss)
  • Mismarking of position (intentional)
Theft and Fraud
  • Fraud / credit fraud / worthless deposits
  • Theft / extortion / embezzlement / robbery
  • Misappropriation of assets
  • Malicious destruction of assets
  • Forgery
  • Check kiting
  • Smuggling
  • Account take-over / impersonation / etc.
  • Tax non-compliance / evasion (willful)
  • Bribes / kickbacks
  • Insider trading (not on firm’s account)
External Fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party Theft and Fraud
  • Theft/Robbery
  • Forgery
  • Check kiting
Systems Security
  • Hacking damage
  • Theft of information (w/monetary loss)
Employment Practices & Workplace Safety Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events Employee Relations
  • Compensation, benefit, termination issues
  • Organized labor activity
Safe Environment
  • General liability (slip and fall, etc.)
  • Employee health & safety rules events
  • Workers compensation
Diversity & Discrimination All discrimination types
Clients, Products & Business Practices Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. Suitability, Disclosure & Fiduciary
  • Fiduciary breaches / guideline violations
  • Suitability / disclosure issues (KYC, etc.)
  • Retail customer disclosure violations
  • Breach of privacy
  • Aggressive sales
  • Account churning
  • Misuse of confidential information
  • Lender liability
Improper Business or Market Practices
  • Antitrust
  • Improper trade / market practices
  • Market manipulation
  • Insider trading (on firm’s account)
  • Unlicensed activity
  • Money laundering
Product Flaws
  • Product defects (unauthorized, etc.)
  • Model errors
Selection, Sponsorship & Exposure
  • Failure to investigate client per guidelines
  • Exceeding client exposure limits
Advisory Activities Disputes over performance of advisory activities
Damage to Physical Assets Losses arising from loss or damage to physical assets from natural disaster or other events. Disasters and other events
  • Natural disaster losses
  • Human losses from external sources (terrorism, vandalism)
Business Disruption and System Failures Losses arising from disruption of business or system Failures Systems
  • Hardware
  • Software
  • Telecommunications
  • Utility outage / disruptions
Execution, Delivery & Process Management Losses from failed transaction processing or process management, from relations with trade counterparties and vendors Transaction Capture, Execution &


  • Miscommunication
  • Data entry, maintenance or loading error
  • Missed deadline or responsibility
  • Model / system misoperation
  • Accounting error / entity attribution error
  • Other task misperformance
  • Delivery failure
  • Collateral management failure
  • Reference Data Maintenance
Monitoring and Reporting
  • Failed mandatory reporting obligation
  • Inaccurate external report (loss incurred)
Customer Intake and Documentation
  • Client permissions / disclaimers missing
  • Legal documents missing / incomplete
Customer / Client Account Management
  • Unapproved access given to accounts
  • Incorrect client records (loss incurred)
  • Negligent loss or damage of client assets
Trade Counterparties
  • Non-client counterparty misperformance
  • Misc. non-client counterparty disputes
Vendors & Suppliers
  • Outsourcing
  • Vendor disputes

Besides the losses defined above, there may also be other loss types that are important for risk management but are not generally considered in the quantification of operational risk charge. These items are useful for detecting failures and errors in processes and internal control systems. They include:

  • Exceptions: Actions done in breach of the laid down policies intentionally, due to extraordinary circumstances and with due approval
  • Near Misses: Operational risk events that do not lead to a loss.
  • Transactions in Difficulty: (TIDs) transactions that could potentially have operational loss as a probable outcome
  • Operational risk gain events”: operational risk events that generate a gain
  • Opportunity costs/lost revenues: operational risk events that prevent an undetermined future business from being conducted (eg unbudgeted staff costs, forgone revenue and project costs related to improving processes).


  • International Convergence of Capital Measurement and Capital Standards – A Revised Framework Comprehensive Version – Basel Committee on Banking Supervision – June 2006
  • Operational Risk –Supervisory Guidelines for the Advanced Measurement Approaches– Basel Committee on Banking Supervision – June 2011
  • IS Auditing procedure -Control Risk Self-Assessment (RCSA) – Information Systems Audit and control systems – 2003
  • Key Risk Indicators – Their Role in Operational Risk Management and Measurement – Jonathan Davies, Mike Finlay, Tara McLenaghen, Duncan Wilson – Risk Business International Limited -13-2-2006