
Operational Risk Capital Charge 1747595625

The document outlines the Operational Risk Capital Charge under Basel III, detailing regulatory guidelines and methodologies for calculating capital requirements for operational risk. It includes information on risk-weighted assets, the Standardized Approach, and the Simplified Standardized Approach, along with various regulatory frameworks from different countries. The document also provides insights into the composition of risk-weighted assets as of Q1 2025 and discusses operational risk definitions and measurement methodologies.

Uploaded by Rahul Verma

Operational Risk Capital Charge: Basel III
Compiled by
Gaby Frangieh
Risk Management, Finance and Banking – Senior Advisor
May 2025

https://www.linkedin.com/in/gaby-frangieh-1873aa11/
Compilation Contents

1. BNP-Paribas – Risk Weighted Assets Composition Q1 2025

Regulatory Guidelines:

1. Reserve Bank of New Zealand: BPR150 Standardised Operational Risk –
2. Reserve Bank of New Zealand: BPR151 AMA Operational Risk
3. OSFI-Office of the Superintendent of Financial Institutions – Canada -
Subject: Capital Adequacy Requirements (CAR) Chapter 3 – Operational
Risk
4. APRA Australia: Prudential Practice Guide CPG 230 Operational Risk
Management
5. FINMA Guidance 07/2024 Calculation of minimum capital for operational
risks: exclusion of loss events

Reports/Analysis/Papers:

1. Rethinking Operational Risk Capital Requirements by Peter Sands,
Gordon Liao, Yueran Ma, Harvard Business School Project on Behavioral
Finance and Financial Stability, Working Paper 2016
2. A Modification to the Basel Committee’s Standardized Approach to
Operational Risk, Bank Policy Institute, May 2022
3. Operational risk in the new Basel framework, Slim Ben Ali Director |
Financial Risk Management, UAE Banking Perspectives, 2022
4. Revised Operational Risk Capital Framework, KPMG, 2016
5. The Basel III Endgame – Implications for Operational Risk, Forvis Alert,
2023
6. Calculating capital requirements for operational risk, Gerd Waschbusch,
Sabrina Kiszka, Managerial Economics, 2021
7. CPG 230 Operational Risk Management Final Guidance June 2024, KPMG
Alert, 2024
8. Operational Risk Management – Regulatory Guidance to remain Resilient
Dr Richa Verma Bajaj Working Paper, NIBM WORKING PAPER SERIES
(Policy Research Paper), 2024
9. Operational Risk Modeling in Banking: Basel III Frameworks, Approaches,
and Techniques, Anaptys,
10. The Impact of Inspections on Operational Risk: Uncovering Learning and
Forgetting Patterns by Zhanzhi Zheng, Yuqian Xu, Bradley Staats
11. The future of operational risk in financial services A new approach to
operational risk capital management, Deloitte, 2018
12. Financial Hedging of Operational Risk Constraints: A General Framework
by Leon Valdes Katz and Rene Caldentey
RESULTS
FIRST QUARTER 2025
1Q25 DETAILS BY BUSINESS LINES
APPENDICES
24 APRIL 2025

31.03.2025 Results | 31
RISK-WEIGHTED ASSETS¹

€792bn as at 31.03.25 (€762bn as at 31.12.24)

€bn                                             31.03.25 (CRR3)   31.12.24 (CRR2, published)
Credit risk                                     566               580
- o/w transitional arrangements                 9
Operational risk                                104               65
Counterparty risk                               53                48
Market / Foreign exchange risk                  29                28
Securitisation positions in the banking book    20                21
Others²                                         20                21
RWA Fully Loaded¹                               792               762
RWA Phased In                                   783

Breakdown of RWA¹ by business, based on €792bn as at 31.03.25:

IPS: 6%
Corporate Center: 3%
Personal Finance: 10%
Global Markets & Securities Services: 17%
Arval & Leasing Solutions: 8%
Global Banking: 18%
CPBF: 13%
BNL bc: 6%
NDB & PI³: 1%
Europe Med.: 8%
CPBB: 9%
CPBL: 1%
Commercial and Personal Banking in the euro zone: 29%

1. Excluding transitionary arrangements allowed in the Art. 495 of CRR (2024/1623); 2. Including the DTAs and significant investments in entities in the financial sector subject to
250% weighting; 3. New Digital Businesses & Personal Investors

Guideline
Subject: Capital Adequacy Requirements (CAR)

Chapter 3 – Operational Risk


Effective Date: November 2023 / January 2024
Note: For institutions with a fiscal year ending October 31 or December 31, respectively.

I. Introduction

The Capital Adequacy Requirements (CAR) for banks (including federal credit unions), bank
holding companies, federally regulated trust companies and federally regulated loan companies
are set out in nine chapters, each of which has been issued as a separate document. This
document should be read in conjunction with the other CAR chapters. The complete list of CAR
chapters is as follows:

Chapter 1 Overview of Risk-based Capital Requirements

Chapter 2 Definition of Capital

Chapter 3 Operational Risk

Chapter 4 Credit Risk - Standardized Approach

Chapter 5 Credit Risk - Internal Ratings-Based Approach

Chapter 6 Securitization

Chapter 7 Settlement and Counterparty Risk

Chapter 8 Credit Valuation Adjustment (CVA) Risk

Chapter 9 Market Risk


Table of Contents

3.1 Definition of operational risk
3.2 Measurement methodologies
3.3 The Simplified Standardized Approach
3.4 The Standardized Approach
3.4.1 Components of the Standardized Approach
3.4.2 Minimum standards for the use of loss data under the standardized approach
3.4.3 General criteria on loss data identification, collection and treatment
3.4.4 Specific criteria on loss data identification, collection and treatment
3.4.5 Exclusion of losses from the Loss Component
3.4.6 Exclusions of divested activities from the Business Indicator
3.4.7 Inclusion of BI items and operational loss events related to mergers and acquisitions
Annex 3-1: Definition of Business Indicator components
Annex 3-2: Detailed Loss Event Type Classification

Banks/BHC/T&L Operational Risk


October 2023 Chapter 3 - Page 2
Chapter 3 – Operational Risk
1. The requirements related to the Standardized Approach in this chapter (section 3.4) are
drawn from the Basel Committee on Banking Supervision’s (BCBS) Basel Framework dated
December 15, 2019. 1 For reference, the Basel paragraph numbers that are associated with the
text appearing in this chapter are indicated in square brackets at the end of each paragraph. 2

3.1 Definition of operational risk

2. Operational risk is defined as the risk of loss resulting from inadequate or failed internal
processes, people and systems or from external events. This definition includes legal risk, 3 but
excludes strategic and reputational risk.
[Basel Framework, OPE 10.1]

3.2 Measurement methodologies

3. There are two methodologies for calculating operational risk capital:


(i) the Standardized Approach (SA); and,
(ii) the Simplified Standardized Approach (SSA).

4. Domestic Systemically Important Banks (D-SIBs) must use the Standardized Approach.

5. Category I Small and Medium Sized Deposit-Taking Institutions (SMSBs) with annual
Adjusted Gross Income 4 greater than $1.5 billion must also use the Standardized Approach.

a) Category I SMSBs must calculate Adjusted Gross Income at each fiscal year-end. If
annual Adjusted Gross Income is greater than $1.5 billion, the institution must notify
OSFI within 60 days of the end of the fiscal year, and use the Standardized Approach for
operational risk in the following fiscal year.
b) Once a Category I institution crosses the $1.5 billion threshold, it must use the
Standardized Approach for a minimum of two years. If, after two years, annual Adjusted
Gross Income falls below $1.5 billion, the institution must notify OSFI and may revert to
the Simplified Standardized Approach. 5

6. Category I SMSBs with annual Adjusted Gross Income less than $1.5 billion may apply
to OSFI to use the SA if they have a minimum of five years of high-quality loss data (i.e. data
meeting the minimum standard for loss data collection as outlined in section 3.4.2). If approved,
an institution is not permitted to set the Internal Loss Multiplier (ILM) to less than one until
OSFI has determined that they have 10 years of high-quality loss data.

1
The Basel Framework
2
Following the format: [Basel Framework, XXX yy.zz].
3
Legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private
settlements.
4
Adjusted Gross Income is defined in paragraph 9 of this chapter
5
For example, if fiscal 2024 Adjusted Gross Income is greater than $1.5 billion for the first time, the institution must use the Standardized
Approach starting in fiscal Q1 2026 and continue using the SA until, at a minimum, the end of fiscal 2027.

7. All other SMSBs must use the SSA.

3.3 The Simplified Standardized Approach

8. Institutions using the SSA must hold capital for operational risk (ORC) equal to 15% of
average annual Adjusted Gross Income (AGI) over the previous 12 fiscal quarters:

$$\mathrm{ORC}_{SSA} = \frac{\mathrm{AGI}_{\text{previous 12 fiscal quarters}}}{3} \times 15\%$$

Where:
$\mathrm{ORC}_{SSA}$ = the operational risk capital charge under the Simplified Standardized Approach

$\mathrm{AGI}_{\text{previous 12 fiscal quarters}}$ = Adjusted Gross Income over the previous 12 fiscal quarters

Risk-weighted assets (RWA) for operational risk are equal to 12.5 times ORC.

9. Adjusted Gross Income is defined as the sum of the following:


a) The lesser of (i) the absolute value of net interest income, and (ii) 2.25% of
interest earning assets;
b) Dividend income;
c) The absolute value of fee and commission income;
d) The absolute value of other income;
e) The absolute value of net profit/loss (trading book); and
f) The absolute value of net profit/loss (banking book).

Adjusted Gross Income should (i) be gross of any provisions; (ii) be gross of operating expenses,
and (iii) exclude extraordinary or irregular items as well as income derived from insurance.
Institutions should refer to the reporting instructions in OSFI’s Capital Adequacy Return for the
specific line items in OSFI’s P3 (Income Statement) and M4 (Balance Sheet) returns that should
be used for each of the components of Adjusted Gross Income in the definition above.

10. Newly incorporated institutions having fewer than 12 quarters of financial information
should calculate the operational risk capital charge using available Adjusted Gross Income data
to develop proxies for the missing portions of the required three years’ data.

11. Adjusted Gross Income should be adjusted to reflect acquired businesses and merged
entities. Since the Adjusted Gross Income calculation is based on a rolling 12-quarter average,
the most recent four quarters of Adjusted Gross Income for the acquired business or merged
entity should be based on actual Adjusted Gross Income amounts reported by the acquired
business or merged entity. If three years of historical financial data is not available for the
acquired business or merged entity, the Adjusted Gross Income for the previous year may be
used as a proxy for each of the other two years.

12. When an institution using the SSA makes a divestiture, Adjusted Gross Income may be
adjusted, with OSFI approval, to reflect this divestiture.

3.4 The Standardized Approach

13. The standardized approach methodology is based on the following components:


a) the Business Indicator (BI) which is a financial-statement-based proxy for
operational risk;
b) the Business Indicator Component (BIC), which is calculated by multiplying
the BI by a set of regulatory determined marginal coefficients; and
c) the Internal Loss Multiplier (ILM), which is a scaling factor that is based on
an institution’s average historical losses and the BIC.

[Basel Framework, OPE 25.1]

14. Operational risk capital requirements under the Standardized Approach (ORCSA) are
calculated by multiplying the BIC and the ILM, as shown in the formula below. Risk-weighted
assets (RWA) for operational risk are equal to 12.5 times ORC.

$$\mathrm{ORC}_{SA} = \mathrm{BIC} \times \mathrm{ILM}$$

[Basel Framework, OPE 25.2]

3.4.1 Components of the Standardized Approach

15. The BI comprises three components: the interest, leases and dividend component
(ILDC), the services component (SC), and the financial component (FC).

[Basel Framework, OPE 25.3]

16. The BI is defined as:


$$\mathrm{BI} = \mathrm{ILDC} + \mathrm{SC} + \mathrm{FC}$$

In the formula below, a bar above a term indicates that it is calculated as the average over three
years: t, t-1 and t-2, and: 6

$$\mathrm{ILDC} = \mathrm{Min}\left[\overline{\mathrm{Abs}(\text{Interest Income} - \text{Interest Expense})}\,;\; 2.25\% \times \overline{\text{Interest Earning Assets}}\right] + \overline{\text{Dividend Income}}$$

$$\mathrm{SC} = \mathrm{Max}\left[\overline{\text{Fee and Commission Income}}\,;\; \overline{\text{Fee and Commission Expense}}\right] + \mathrm{Max}\left[\overline{\text{Other Operating Income}}\,;\; \overline{\text{Other Operating Expense}}\right]$$

$$\mathrm{FC} = \overline{\mathrm{Abs}(\text{Net P\&L Trading Book})} + \overline{\mathrm{Abs}(\text{Net P\&L Banking Book})}$$

6
Abs() represents the absolute value of the term or calculation within the brackets. The absolute value of net items (e.g. interest income – interest
expense) should be calculated first year by year. Only after this year by year calculation should the average of the three years be calculated.

[Basel Framework, OPE 25.4 and Basel Framework, OPE 25.5]

17. The definitions for each of the components of the BI are provided in Annex 3-1.

[Basel Framework, OPE 25.6]

18. The Business Indicator Component (BIC) is calculated as follows: 7

a) 12% of BI, plus
b) 3% of BI above $1.5 billion (if any), plus
c) 3% of BI above $45 billion (if any).
[Basel Framework, OPE 25.7]

19. An institution’s internal operational risk loss experience affects the calculation of
operational risk capital through the ILM. The ILM is defined as:

$$\mathrm{ILM} = \ln\left(\exp(1) - 1 + \left(\frac{\mathrm{LC}}{\mathrm{BIC}}\right)^{0.8}\right)$$

where the Loss Component (LC) is equal to 15 times average annual operational risk losses, net
of recoveries, incurred over the previous 10 years. The ILM is equal to one where the loss and
business indicator components are equal. Where the LC is greater than the BIC, the ILM is
greater than one. That is, an institution with losses that are high relative to its BIC is required to
hold higher capital due to the incorporation of internal losses into the calculation methodology.
Conversely, where the LC is lower than the BIC, the ILM is less than one. That is, an institution
with losses that are low relative to its BIC is required to hold lower capital due to the
incorporation of internal losses into the calculation methodology.

[Basel Framework, OPE 25.8 and Basel Framework, OPE 25.9]

20. The calculation of average losses in the Loss Component must be based on 10 years of
high-quality annual loss data (i.e. data meeting the minimum standard for loss data collection as
outlined in section 3.4.2). Institutions that do not have ten years of high-quality loss data must
calculate the capital requirement using an ILM greater than or equal to one. In these cases, OSFI
will require an institution to calculate capital requirements using fewer than 10 years of losses if
the ILM using the available high-quality loss data is greater than 1 and OSFI believes the losses
are representative of the institution’s operational loss exposure.

[Basel Framework, OPE 25.10]
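The calculation in paragraphs 8, 14 and 18 to 20, carried through as an added worked example (not part of the OSFI guideline or of the compilation). The `LossEvent` record, the function names and the sample figures are constructed for illustration. Applying the ILM floor of one whenever fewer than 10 years of data are available is a simplification of paragraph 20, which leaves that decision to OSFI, and each record is assumed to be one whole event booked in a single accounting year.

```python
import math
from dataclasses import dataclass

LOSS_THRESHOLD = 30_000                      # paragraph 27(e): minimum net loss per event ($)
BIC_BASE_RATE = 0.12                         # paragraph 18(a)
BIC_ADDONS = ((1.5e9, 0.03), (45e9, 0.03))   # paragraphs 18(b) and 18(c)
RWA_MULTIPLIER = 12.5                        # paragraphs 8 and 14


@dataclass
class LossEvent:
    """Hypothetical record layout for one operational loss event."""
    accounting_year: int               # date of accounting (paragraph 33)
    gross_loss: float
    recoveries_received: float = 0.0   # payments received only, not receivables (paragraph 30)


def annual_net_losses(events, years):
    """Sum net losses per accounting year, dropping events under the threshold."""
    years = list(years)
    totals = {year: 0.0 for year in years}
    for event in events:
        net = event.gross_loss - event.recoveries_received
        # Assumption: a net loss of exactly $30,000 counts as meeting the threshold.
        if event.accounting_year in totals and net >= LOSS_THRESHOLD:
            totals[event.accounting_year] += net
    return [totals[year] for year in years]


def loss_component(annual_losses):
    """LC = 15 x average annual net loss over the years supplied."""
    if not annual_losses:
        raise ValueError("at least one year of loss data is required")
    return 15 * sum(annual_losses) / len(annual_losses)


def business_indicator_component(bi):
    """BIC = 12% of BI, plus 3% of BI above $1.5bn, plus 3% of BI above $45bn."""
    bic = BIC_BASE_RATE * bi
    for threshold, rate in BIC_ADDONS:
        bic += rate * max(0.0, bi - threshold)
    return bic


def internal_loss_multiplier(lc, bic, high_quality_years=10):
    """ILM = ln(exp(1) - 1 + (LC / BIC)^0.8), floored at 1 without 10 years of data."""
    ilm = math.log(math.e - 1 + (lc / bic) ** 0.8)
    if high_quality_years < 10:
        ilm = max(1.0, ilm)   # simplified reading of paragraph 20
    return ilm


def orc_sa(bi, annual_losses, high_quality_years=10):
    """Standardized Approach: ORC = BIC x ILM."""
    bic = business_indicator_component(bi)
    lc = loss_component(annual_losses)
    return bic * internal_loss_multiplier(lc, bic, high_quality_years)


def orc_ssa(agi_last_12_quarters):
    """Simplified Standardized Approach: 15% of average annual AGI over 12 quarters."""
    if len(agi_last_12_quarters) != 12:
        raise ValueError("expected 12 quarterly AGI figures")
    return sum(agi_last_12_quarters) / 3 * 0.15


def operational_rwa(orc):
    """RWA for operational risk = 12.5 x ORC."""
    return RWA_MULTIPLIER * orc


# Constructed sample data. The 2018/2019 pair follows the guideline's own example:
# a $1 million provision, then a further $200,000 when the event settles.
WINDOW = range(2015, 2025)
SAMPLE_EVENTS = [
    LossEvent(2018, 1_000_000),
    LossEvent(2019, 200_000),
    LossEvent(2020, 50_000, recoveries_received=30_000),    # net $20,000: below threshold
    LossEvent(2021, 500_000, recoveries_received=100_000),  # net $400,000
    LossEvent(2014, 900_000),                               # outside the 10-year window
]

if __name__ == "__main__":
    losses = annual_net_losses(SAMPLE_EVENTS, WINDOW)
    bi = 50e9   # the BI used in the guideline's BIC example
    print("BIC:", business_indicator_component(bi))
    print("LC :", loss_component(losses))
    print("ORC:", orc_sa(bi, losses))
    print("RWA:", operational_rwa(orc_sa(bi, losses)))
```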

21. ORC is to be calculated and reported quarterly. Financial information used in the
calculation of the BI should be up to and including the institution’s most recent fiscal
quarter-end. Operational risk losses used in the calculation of the LC may be reported on a
one-quarter lag.

7
For example, if an institution had a BI = $50 billion, the BIC = ($50B x 0.12) + [($50B -$1.5B) x 0.03] + [($50B - $45B) x 0.03] = $7.605 B.

22. Institutions should perform a reconciliation between the BI and Net Interest Income and
Non-Interest Income 8 for the previous three years. This information should be available to OSFI
upon request.

23. At the consolidated level, the SA calculations use fully consolidated BI figures, which
net all the intragroup income and expenses.

[Basel Framework, OPE 10.4]

24. A subsidiary institution using the SA should use its own consolidated income and loss
experience in the calculation of BI and LC for the SA calculations, and is subject to the
minimum standards for the use of loss data in the following sections.

[Basel Framework, OPE 10.5 and Basel Framework, OPE 10.6]

3.4.2 Minimum standards for the use of loss data under the standardized approach

25. Institutions using the SA are required to use loss data as a direct input into the
operational risk capital calculations. The soundness of data collection and the quality and
integrity of the data are crucial to generating capital outcomes aligned with the institution’s
operational loss exposure. The minimum loss data standards are outlined in sections 3.4.3, 3.4.4,
3.4.5 and 3.4.7. 9 The quality of institutions’ loss data will be reviewed by OSFI periodically.

[Basel Framework, OPE 25.12]

26. Institutions using the SA that do not meet the loss data standards 10 are required to hold
capital that is at a minimum equal to 100% of the BIC (i.e. ILM greater than or equal to one).
The exclusion of internal loss data due to non-compliance with the loss data standards, and the
application of any resulting adjustment to the ILM, must be publicly disclosed.
[Basel Framework, OPE 25.13]

8
Net Interest and Non-Interest Income is line 22 from OSFI’s P3 return.
9
Institutions are also required to meet OSFI’s Data Maintenance Expectations for Institutions Using the Standardized Approach for Operational
Risk Capital Data
10
This includes Category I SMSBs with annual Adjusted Gross Income less than $1.5 billion that have been approved to use the SA, but do not
have 10 years of high-quality loss data. These institutions must receive OSFI approval before they can set ILM<1 in the calculation of ORCSA.

3.4.3 General criteria on loss data identification, collection and treatment

27. The proper identification, collection and treatment of internal loss data are essential
prerequisites to the capital calculation under the standardized approach. The general criteria for
the use of the LC are as follows:
[Basel Framework, OPE 25.14]

a) Internally generated loss data calculations used for regulatory capital purposes must be
based on a 10-year observation period.
[Basel Framework, OPE 25.15]

b) Internal loss data are most relevant when clearly linked to an institution’s current business
activities, technological processes and risk management procedures. Therefore, an
institution must have robust, documented procedures and processes for the identification,
collection and treatment of internal loss data. Such procedures and processes must be
subject to validation before the use of the loss data within the operational risk capital
requirement measurement methodology, and to regular independent reviews by internal
and/or external audit functions. At a minimum, this would include effective and
independent challenge by the institution’s second line of defense, and periodic
independent review by the third line of defense.
[Basel Framework, OPE 25.16]

c) For risk management purposes, and to assist in supervisory validation and/or review,
institutions should map historical internal loss data into the relevant Level 1 supervisory
categories as defined in Annex 3-2 and provide this data to OSFI upon request. The
institution must document criteria for allocating losses to the specified event types.
[Basel Framework, OPE 25.17]

d) An institution’s internal loss data must be comprehensive and capture all material 11
activities and exposures from all appropriate subsystems and geographic locations. 12

[Basel Framework, OPE 25.18]

e) For the purposes of the operational risk capital calculation, the minimum threshold, net of
recoveries, for including a loss event in the data collection and calculation of average
annual losses is set at $30,000. 13
[Basel Framework, OPE 25.18]

11
10 years of actual or estimated loss data must be included for all parts of an institution. Estimation of more than 10% of an institution’s total
loss data over the past 10 years using the methodology detailed in paragraph 40(a) is only permitted on a temporary basis. Where this is the case,
the institution must inform OSFI and come below the 10% threshold in a timely manner in order to continue to meet the loss data standards. (see
section 3.4.7).
12
The financial impacts of events that an institution is responsible for should be included in the dataset as operational losses. For outsourced
activities, the financial impacts of events that are paid by the outsourcer (rather than by the institution) are not operational losses to the institution.
[Basel Framework, OPE 25.18 FAQ#1]
13
Loss impacts denominated in a foreign currency should be converted using the same exchange rate that is used to convert the institution’s
financial statements of the period the loss impacts were accounted for. [Basel Framework, OPE 25.18 FAQ#2]

f) Aside from information on gross loss amounts, the institution must collect information
about the reference dates of operational risk events, including:
• the date when the event happened or first began (“date of occurrence”), where
available;
• the date on which the institution became aware of the event (“date of discovery”);
and
• the date (or dates) when a loss event results in a loss, reserve or provision against
a loss being recognized in the institution’s profit and loss (P&L) accounts (“date
of accounting”).

In addition, the institution must collect information on recoveries of gross loss amounts
as well as descriptive information about the drivers or causes of the loss event. 14 The
level of detail of any descriptive information should be commensurate with the size of the
gross loss amount.
[Basel Framework, OPE 25.19]

g) Operational loss events related to credit risk and that are accounted for in credit risk
RWAs should not be included in the loss data set. Operational loss events that relate to
credit risk, but are not accounted for in credit risk RWAs should be included in the loss
data set.
[Basel Framework, OPE 25.20]

h) Operational risk losses related to market risk are treated as operational risk for the
purposes of calculating minimum regulatory capital under this framework and will
therefore be subject to the standardized approach for operational risk.
[Basel Framework, OPE 25.21]

i) Institutions must have processes to independently review the comprehensiveness and
accuracy of loss data. At a minimum, this would include effective and independent
challenge by the institution’s second line of defense, and periodic independent review by
the third line of defense.
[Basel Framework, OPE 25.22]

3.4.4 Specific criteria on loss data identification, collection and treatment

28. Building an acceptable loss data set from the available internal data requires that the
institution develop policies and procedures to address several features, including gross loss
definition, reference date and grouped losses.
[Basel Framework, OPE 25.23]

29. Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after
taking into account the impact of recoveries. The recovery is an independent occurrence, related
to the original loss event, separate in time, in which funds or inflows of economic benefits are
received from a third party. 15
[Basel Framework, OPE 25.24]

14
Tax effects (e.g. reductions in corporate income tax liability due to operational losses) are not recoveries for purposes of the standardized
approach for operational risk.

30. Institutions must be able to identify the gross loss amounts, non-insurance recoveries,
and insurance recoveries for all operational loss events. Institutions should use losses net of
recoveries (including insurance recoveries) in the loss dataset. However, recoveries can be used
to reduce losses only after the institution receives payment. Receivables do not count as
recoveries. Verification of recovery payments received to net losses must be provided to OSFI
upon request.
[Basel Framework, OPE 25.25]

31. The following items must be included in the gross loss computation of the loss data set:

a) Direct charges, including impairments and settlements, to the institution’s P&L accounts
and write-downs due to the operational risk event;

b) Costs incurred as a consequence of the event including:

(i) external expenses with a direct link to the operational risk event (e.g. legal
expenses directly related to the event and fees paid to advisors, attorneys or
suppliers);
(ii) costs of repair or replacement, incurred to restore the position that was
prevailing before the operational risk event; and
(iii) uncollected revenue due to an operational risk event that can be quantified
based on the contractual obligations of the institution’s client or customer.

c) Provisions or reserves accounted for in the P&L against the potential operational loss
impact; 16

d) Losses stemming from operational risk events with a definitive financial impact, which
are temporarily booked in transitory and/or suspense accounts and are not yet reflected in
the P&L (“pending losses”); 17 and

e) Negative economic impacts booked in a financial accounting period, due to operational
risk events impacting the cash flows or financial statements of previous financial
accounting periods (“timing losses”). 18 Timing losses should be included in the loss data
set when they are due to operational risk events that span more than one financial
accounting period. 19 20

[Basel Framework, OPE 25.26]

15
Examples of recoveries are payments received from insurers, repayments received from perpetrators of fraud, and recoveries of misdirected
transfers.
16
When an institution makes a provision due to an operational loss event, such provision must be considered an operational loss immediately for
the calculation of the Loss Component. When a charge-off (such as a settlement) eventually takes place later, only the difference between the
initial provision and the charge-off (if any) should be added to the operational loss calculation. There should be no double counting of the same
financial impacts in the calculation of operational losses. For example, if an institution takes a $1 million provision for a legal event in 2018, this
should be included in the loss data for 2018. If the legal event is settled for $1.2 million in 2019, an additional $200,000 should be included in
2019. [Basel Framework, OPE 25.26 FAQ#1]
17
For instance, the impact of some events (e.g. legal events, damage to physical assets) may be known and clearly identifiable before these
events are recognized through the establishment of a reserve. Moreover, the way this reserve is established (e.g. the date of discovery) can vary
across institutions or countries.

32. The following items should be excluded from the gross loss computation of the loss data
set:

a) Costs of general maintenance contracts on property, plant or equipment;

b) Internal or external expenditures to enhance the business after the operational risk
losses: upgrades, improvements, risk assessment initiatives and enhancements; and

c) Insurance premiums.
[Basel Framework, OPE 25.27]

33. Institutions must use the date of accounting for building the loss data set. 21 This
includes using the date of accounting for including losses related to legal events in the loss
dataset. For legal loss events, the date of accounting is the date when a legal reserve is
established for the probable estimated loss in the P&L.

[Basel Framework, OPE 25.28]

34. Losses caused by a common operational risk event or by related operational risk events
over time, but posted to the accounts over several years, should be allocated to the corresponding
years of the loss database, in line with their accounting treatment.

[Basel Framework, OPE 25.29]

18 Timing impacts typically relate to the occurrence of operational risk events that result in the temporary distortion of an institution’s financial
accounts (e.g. revenue overstatement, accounting errors and mark-to-market errors). While these events do not represent a true financial impact
on the institution (net impact over time is zero), if the error continues across more than one financial accounting period, it may represent a
material misrepresentation of the institution’s financial statements.

19 For example, when an institution refunds a client that was overbilled due to an operational failure, if the refund is provided in the same
financial accounting period as the overbilling took place and thus no misrepresentation of the institution’s financial statements occurs, there is no
operational loss. However, if the refund occurs in a subsequent financial accounting period to the overbilling, it is considered a timing loss and
should be included in the loss dataset if it exceeds the $30,000 minimum threshold (note that in this case the prior overbilling cannot be netted
against the payment to the client as a recovery). [Basel Framework, OPE 25.26 FAQ #2]

20 For timing losses that are accounting errors, institutions must determine the threshold for inclusion of these events in the loss data set. This
threshold may be greater than $30,000 but must be below the level used by the institution’s external auditor for determining the summary of
material misstatements within the annual financial statement audit. Accounting errors do not include errors in the mark-to-market valuation of
financial assets or timing errors that involve third parties (e.g. customer over-billing or underpayment to third parties), which must be included in
the loss data set when the amount of the timing loss exceeds $30,000.

21 For losses from uncollected revenue (paragraph 31(b)(iii)), institutions may use either the date on which the revenue should have been
collected, or the date on which the decision was made not to collect the revenue.

Banks/BHC/T&L Operational Risk


October 2023 Chapter 3 - Page 11
3.4.5 Exclusion of losses from the Loss Component

35. Institutions may request OSFI approval to exclude certain operational loss events that
are no longer relevant to the institution’s risk profile. The exclusion of internal loss events should
be rare and supported by strong justification. In evaluating the relevance of operational loss
events to the institution’s risk profile, OSFI will consider whether the cause of the loss event
could occur in other areas of the institution’s operations. 22 Taking settled legal exposures and
divested businesses as examples, OSFI would expect the organization’s analysis to demonstrate
that there is no similar or residual legal exposure and that the excluded loss experience has no
relevance to other continuing activities or products.
[Basel Framework, OPE 25.30]

36. The total loss amount and number of exclusions must be disclosed in accordance with
the Pillar 3 requirements with appropriate narratives, including total loss amount and number of
exclusions.

[Basel Framework, OPE 25.31]

37. A request for loss exclusions is subject to a materiality threshold such that the excluded
loss event should be greater than 5% of the institution’s average annual losses over the past 10
years. In addition, losses can only be eligible for exclusion after being included in an institution’s
operational risk loss database for a minimum of three years. Losses related to divested activities
will not be subject to a minimum operational risk loss database retention period.

[Basel Framework, OPE 25.32]

3.4.6 Exclusions of divested activities from the Business Indicator

38. Institutions may request OSFI approval to exclude divested activities from the
calculation of the BI. Such exclusions must be disclosed in accordance with the Pillar 3
requirements.

[Basel Framework, OPE 25.33]

3.4.7 Inclusion of BI items and operational loss events related to mergers and
acquisitions

39. The measurement of the BI must include BI items that result from acquired businesses
and merged entities. If three years of historical financial data is not available for an acquired
business or merged entity, actual BI items for at least the previous year may be used for the BI
calculation, and the BI items for the previous year may be used as a proxy for each of the other
two years. Alternatively, institutions may use 125% of Adjusted Gross Income of the acquired
business or merged entity (detailed in section 3.3) for the year prior to the merger or acquisition
as a proxy for the acquired business or merged entity’s BI.

[Basel Framework, OPE 25.34]

22 This includes consideration of the extent to which the loss event was due to the lack of effective operational risk management policies,
practices or controls within the institution.

40. Institutions using the standardized approach must also include historical loss events
from the acquired business or merged entity for the previous 10 years.

a) If an acquired business or merged entity does not have historical high-quality loss
data for the previous 10 years, the institution must estimate historical loss data for
each of the years where data is missing for the purposes of calculating the LC
(actual high-quality loss data should be used for those years where available).

(i) If the institution’s ILM in the quarter prior to the merger or acquisition
was less than or equal to one, operational losses for each missing year
should be estimated as 1% 23 of the BI of the acquired business or merged
entity at the time of acquisition. 24

(ii) If the institution’s ILM in the quarter prior to the merger or acquisition
was greater than one, estimated operational losses for each missing year of
the acquired business or merged entity in the 10-year window should be
estimated as x% of the BI of the acquired business or merged entity at the
time of acquisition,24 where

$$x = \frac{\text{average annual net losses for the past ten years reported in the quarter prior to the merger/acquisition}}{\text{BI reported in the quarter prior to the merger/acquisition}}$$

b) Post-acquisition or merger, if the collection of actual loss data for the acquired
business or merged entity is not feasible immediately, the institution may
temporarily estimate operational risk loss amounts for the acquired business or
merged entity, using the methodology detailed in paragraph 40(a) above.

23 1% of BI is the implied level of annual losses for an institution with an ILM=1 and a marginal coefficient of 15%.

24 Institutions may alternatively use 125% of Adjusted Gross Income (detailed in section 3.3) for the year prior to the merger or acquisition as a
proxy for BI to calculate BI for an acquired business or merged entity at the time of acquisition.
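
The estimation rule in paragraph 40(a), including the 125%-of-AGI proxy from footnote 24, can be sketched as follows. This is an added example, not part of the OSFI guideline; the class and function names and all sample figures are hypothetical and constructed for illustration.

```python
"""Added illustration of paragraph 40(a): filling missing loss years for an acquired entity."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

WINDOW_YEARS = 10          # loss history required for the Loss Component
DEFAULT_LOSS_RATE = 0.01   # paragraph 40(a)(i): 1% of BI when ILM <= 1
AGI_PROXY_FACTOR = 1.25    # footnote 24: 125% of Adjusted Gross Income as a BI proxy


@dataclass(frozen=True)
class AcquirerSnapshot:
    """Acquirer figures as reported in the quarter prior to the merger/acquisition."""
    ilm: float
    avg_annual_net_losses_10y: float
    bi: float


def acquired_entity_bi(bi_at_acquisition: Optional[float] = None,
                       agi_prior_year: Optional[float] = None) -> float:
    """BI of the acquired entity, or the 125%-of-AGI proxy when BI is not available."""
    if bi_at_acquisition is not None:
        return bi_at_acquisition
    if agi_prior_year is None:
        raise ValueError("need either BI at acquisition or prior-year AGI")
    return AGI_PROXY_FACTOR * agi_prior_year


def estimation_rate(acquirer: AcquirerSnapshot) -> float:
    """Fraction of the acquired entity's BI assumed lost in each missing year."""
    if acquirer.ilm <= 1:
        return DEFAULT_LOSS_RATE                              # paragraph 40(a)(i)
    if acquirer.bi <= 0:
        raise ValueError("acquirer BI must be positive to compute x")
    return acquirer.avg_annual_net_losses_10y / acquirer.bi   # paragraph 40(a)(ii)


def backfill_losses(actual_by_year: Dict[int, Optional[float]],
                    acquirer: AcquirerSnapshot,
                    target_bi: float) -> Dict[int, Tuple[float, str]]:
    """Return {year: (loss, source)} for the 10-year window.

    actual_by_year maps every year of the window to the acquired entity's
    high-quality loss total, or to None where no such data exists. Actual
    data is always kept; only the None years are estimated.
    """
    years = sorted(actual_by_year)
    if len(years) != WINDOW_YEARS or years != list(range(years[0], years[0] + WINDOW_YEARS)):
        raise ValueError("expected %d consecutive years" % WINDOW_YEARS)
    estimate = estimation_rate(acquirer) * target_bi
    filled = {}
    for year in years:
        actual = actual_by_year[year]
        if actual is None:
            filled[year] = (estimate, "estimated")
        else:
            filled[year] = (actual, "actual")
    return filled


if __name__ == "__main__":
    # Constructed sample: acquirer with ILM > 1, target with two years of real loss data.
    acquirer = AcquirerSnapshot(ilm=1.2, avg_annual_net_losses_10y=45e6, bi=3e9)
    target_bi = acquired_entity_bi(agi_prior_year=160e6)   # proxy: 200m
    history = {year: None for year in range(2014, 2024)}
    history[2022], history[2023] = 1.5e6, 2.5e6
    for year, (loss, source) in backfill_losses(history, acquirer, target_bi).items():
        print(year, round(loss), source)
```
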

Annex 3-1: Definition of Business Indicator components

[Basel Framework OPE 10.2]

Business Indicator Definitions


| BI Component | Income statement or balance sheet items | Description | Typical sub-items |
|---|---|---|---|
| Interest, lease and dividend | Interest income | Interest income from all financial assets and other interest income (includes interest income from financial and operating leases and profits from leased assets) | • Interest income from loans and advances, assets available for sale, assets held to maturity, trading assets, financial leases and operational leases • Interest income from hedge accounting derivatives • Other interest income • Profits from leased assets |
| | Interest expenses | Interest expenses from all financial liabilities and other interest expenses (includes interest expense from financial and operating leases, losses, depreciation and impairment of operating leased assets) | • Interest expenses from deposits, debt securities issued, financial leases, and operating leases • Interest expenses from hedge accounting derivatives • Other interest expenses • Losses from leased assets • Depreciation and impairment of operating leased assets |
| | Interest earning assets (balance sheet item) 25 | Total gross outstanding loans, advances, interest bearing securities (including government bonds), and lease assets measured at the end of each financial year | |
| | Dividend income | Dividend income from investments in stocks and funds not consolidated in the institution’s financial statements, including dividend income from non-consolidated subsidiaries, associates and joint ventures. | |
| Services | Fee and commission income | Income received from providing advice and services. Includes income received by the institution as an outsourcer of financial services. | Fee and commission income from: • Securities (issuance, origination, reception, transmission, execution of orders on behalf of customers) • Clearing and settlement; Asset management; Custody; Fiduciary transactions; Payment services; Structured finance; Servicing of securitisations; Loan commitments |
| | Fee and commission expenses | Expenses paid for receiving advice and services. Includes outsourcing fees paid by the institution for the supply of financial services, but not outsourcing fees paid for the supply of non-financial services (e.g. logistical, IT, human resources) | Fee and commission expenses from: • Clearing and settlement; Custody; Servicing of securitisations; Loan commitments and guarantees received; and Foreign transactions |
| | Other operating income | Income from ordinary banking operations not included in other BI items but of similar nature (income from operating leases should be excluded) | • Rental income from investment properties • Gains from non-current assets and disposal groups classified as held for sale not qualifying as discontinued operations (IFRS 5.37) |
| | Other operating expenses | Expenses and losses from ordinary banking operations not included in other BI items but of similar nature and from operational loss events (expenses from operating leases should be excluded) | • Losses from non-current assets and disposal groups classified as held for sale not qualifying as discontinued operations (IFRS 5.37) • Losses incurred as a consequence of operational loss events (e.g. fines, penalties, settlements, replacement cost of damaged assets), which have not been provisioned/reserved for in previous years • Expenses related to establishing provisions/reserves for operational loss events |
| Financial | Net profit (loss) on the trading book | • Net profit/loss on trading assets and trading liabilities (derivatives, debt securities, equity securities, loans and advances, short positions, other assets and liabilities) • Net profit/loss from hedge accounting • Net profit/loss from exchange differences | |
| | Net profit (loss) on the banking book | • Net profit/loss on financial assets and liabilities measured at fair value through profit and loss • Realized gains/losses on financial assets and liabilities not measured at fair value through profit and loss (loans and advances, assets available for sale, assets held to maturity, financial liabilities measured at amortized cost) • Net profit/loss from hedge accounting • Net profit/loss from exchange differences | |

25 For clarity, all outstanding credit obligations, including those of non-accrued status (e.g. non-performing loans), in the balance sheet should be
included in the interest-earning assets. [Basel Framework, OPE 10.2 FAQ #1]

The following P&L items do not contribute to any of the items of the BI:

• Income and expenses from insurance or reinsurance businesses

• Premiums paid and reimbursements/payments received from insurance or reinsurance
policies purchased (including deposit insurance premiums)

• Administrative expenses, including staff expenses, outsourcing fees paid for the supply of
non-financial services (e.g. logistical, human resources, information technology - IT), and
other administrative expenses (e.g. IT, utilities, telephone, travel, office supplies,
postage)

• Recovery of administrative expenses including recovery of payments on behalf of
customers (e.g. taxes debited to customers)

• Expenses of premises and fixed assets (except when these expenses result from
operational loss events)

• Depreciation/amortization of tangible and intangible assets (except depreciation related to
operating lease assets, which should be included in financial and operating lease
expenses)

• Provisions/reversal of provisions (e.g. on pensions, commitments and guarantees given)
except for provisions related to operational loss events

• Expenses due to share capital repayable on demand

• Impairment/reversal of impairment (e.g. on financial assets, non-financial assets,
investments in subsidiaries, joint ventures and associates)

• Changes in goodwill recognized in profit or loss

• Corporate income tax (tax based on profits including current tax and deferred).

[Basel Framework OPE 10.3]

Annex 3-2: Detailed Loss Event Type Classification

[Basel Framework OPE 25.17]

| Event-Type Category (Level 1) | Definition | Categories (Level 2) | Activity Examples (Level 3) |
|---|---|---|---|
| Internal fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involves at least one internal party | Unauthorized Activity | Transactions not reported (intentional); Transaction type unauthorized (w/monetary loss); Mismarking of position (intentional) |
| | | Theft and Fraud | Fraud / credit fraud / worthless deposits; Theft / extortion / embezzlement / robbery; Misappropriation of assets; Malicious destruction of assets; Forgery; Check kiting; Smuggling; Account take-over / impersonation / etc.; Tax non-compliance / evasion (wilful); Bribes / kickbacks; Insider trading (not on firm’s account) |
| External fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party | Theft and Fraud | Theft/Robbery; Forgery; Check kiting |
| | | Systems Security | Hacking damage; Theft of information (w/monetary loss) |
| Employment Practices and Workplace Safety | Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events | Employee Relations | Compensation, benefit, termination issues; Organized labour activity |
| | | Safe Environment | General liability (slip and fall, etc.); Employee health and safety rules events; Workers compensation |
| | | Diversity and Discrimination | All discrimination types |
| Clients, Products and Business Practices | Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. | Suitability, Disclosure and Fiduciary | Fiduciary breaches / guideline violations; Suitability / disclosure issues (KYC, etc.); Retail customer disclosure violations; Breach of privacy; Aggressive sales; Account churning; Misuse of confidential information; Lender liability |
| | | Improper Business or Market Practices | Antitrust; Improper trade / market practices; Market manipulation; Insider trading (on firm’s account); Unlicensed activity; Money laundering |
| | | Product Flaws | Product defects (unauthorized, etc.); Model errors |
| | | Selection, Sponsorship and Exposure | Failure to investigate client per guidelines; Exceeding client exposure limits |
| | | Advisory Activities | Disputes over performance of advisory activities |
| Damage to Physical Assets | Losses arising from loss or damage to physical assets from natural disaster or other events. | Disasters and other events | Natural disaster losses; Human losses from external sources (terrorism, vandalism) |
| Business disruption and system failures | Losses arising from disruption of business or system failures | Systems | Hardware; Software; Telecommunications; Utility outage / disruptions |
| Execution, Delivery and Process Management | Losses from failed transaction processing or process management, from relations with trade counterparties and vendors | Transaction Capture, Execution and Maintenance | Miscommunication; Data entry, maintenance or loading error; Missed deadline or responsibility; Model / system misoperation; Accounting error / entity attribution error; Other task misperformance; Delivery failure; Collateral management failure; Reference Data Maintenance |
| | | Monitoring and Reporting | Failed mandatory reporting obligation; Inaccurate external report (loss incurred) |
| | | Customer Intake and Documentation | Client permissions / disclaimers missing; Legal documents missing / incomplete |
| | | Customer / Client Account Management | Unapproved access given to accounts; Incorrect client records (loss incurred); Negligent loss or damage of client assets |
| | | Trade counterparties | Non-client counterparty misperformance; Miscellaneous non-client counterparty disputes |
| | | Vendors and suppliers | Outsourcing; Vendor disputes |

BPR150
Standardised
Operational Risk

Purpose of document
This document sets out the standardised methodology for calculating a bank’s
operational risk capital requirement. This is part of the calculation of capital
ratios, as defined in BPR100, which a bank must carry out to determine its
compliance with minimum regulatory capital requirements. This document
applies to any bank that is subject to minimum capital requirements and has
not been accredited by the Reserve Bank to use the Advanced Measurement
Approach (AMA) for operational risk.

Banking Prudential Requirements July 2024

Ref #21327592 v1.0


Document version history
1 July 2021 First issue date

1 July 2024 Revised for minor correction

Conditions of registration
The Banking (Prudential Supervision) Act 1989 (the Act) permits the Reserve Bank to impose
conditions of registration (conditions) on registered banks1.

This document BPR150: Standardised Operational Risk forms part of the requirements for the
following conditions:*

• A New Zealand-incorporated registered bank is normally subject to a condition requiring it
to maintain capital ratios above specified minimum levels, and also to a condition imposing
restrictions on its dividend payments when its prudential capital buffer ratio falls below
specified levels2. This document sets out the operational risk capital methodology that will
be needed by such a bank (unless it is accredited to use the Advanced Measurement
Approach for operational risk), to allow it to calculate its day-to-day values for the capital
ratios and the capital buffer ratio, and hence monitor its compliance with these capital
adequacy conditions.

* All of the material set out in this document forms part of the requirements of the
applicable condition, except material that is expressly identified as guidance by being
included in a shaded box like this.

____________
1 The conditions can relate to any of the matters referred to in sections 73 – 73B, 78 and 81. The standard conditions are contained in Appendix 1 of document BS1: Statement of
Principles.

2 These conditions of registration relate to the matter referred to in: section 78(1)(c) (capital in relation to the size and nature of the business).

BPR150: Standardised Operational Risk
Part A: Introduction
Part B: Calculation of capital requirement

Contents

Part A: Introduction
A1 Overview and definitions
A1.1 Overview
A1.2 Definitions
Part B: Calculation of capital requirement
B1 Capital calculation
B1.1 Division of activities
B1.2 Operational risk capital requirement
for retail and commercial banking
B1.3 Operational risk capital requirement
for all other activities
B1.4 Total operational risk capital
requirement

Part A: Introduction

A1 Overview and definitions


A1.1 Overview
This document sets out the methodology a bank must use to determine its capital requirements
for operational risk when it is required to use the standardised approach.

Guidance: A bank’s operational risk capital requirement forms part of the
calculation of its capital ratios, as specified in subpart B2 of BPR100: Capital
Adequacy.

A1.2 Definitions
1. In this document, unless the context otherwise requires,—

all other activities means any activity that is not retail and commercial banking

corporate finance activities—

a. include those activities that are undertaken primarily to generate non-interest fee-
based income; but

b. exclude fee-based income derived from the provision of transaction services related
to lending activity and deposit taking

Guidance: Corporate finance activities include, for example, underwriting, and
the provision of advisory services related to mergers and acquisitions or
privatisations.

retail and commercial banking–

a. means all banking book activities; and

b. includes–

i. lending to households, non-profit organisations, small and medium
enterprises (SMEs), sovereigns, multilateral development banks and other
international organisations, public sector entities, banks, and corporate
customers; and

ii. provision of transaction services related to lending activity and deposit taking
2. Accounting terms used in this document must be determined in accordance with GAAP.

Guidance: Operational risk has the meaning given in the Glossary.

Part B: Calculation of capital requirement

B1 Capital calculation
B1.1 Division of activities
For the purposes of calculating the standardised capital requirement for operational risk, a
bank must divide its activities into two categories:

a. retail and commercial banking; and

b. all other activities.

Guidance: The standardised operational risk capital requirement is the sum of
two components, covering the operational risk arising on retail and commercial
banking business on the one hand (subsection (a)), and all other activities on the
other (subsection (b)).

B1.2 Operational risk capital requirement for retail and commercial banking
1. A bank must calculate its operational risk capital requirement for its retail and commercial
banking area of business by–
a. taking the last twelve consecutive quarterly observations of gross retail and
commercial loans and advances; and

b. multiplying gross retail and commercial loans and advances at each observation
point by 0.525%; and

c. summing the 12 quarterly results produced in paragraph (b) and dividing the
resulting sum by 12.

2. For the purposes of calculating its gross retail and commercial loans and advances under
subsection (1)(b), the bank must use the sum of the following amounts before deducting
allowances for impairment:
a. loans and advances to retail customers, including purchased retail receivables; and

b. loans and advances to SMEs, including purchased receivables; and

c. loans and advances to corporates, sovereigns, multilateral development banks and
other international organisations, public sector entities, and banks, including
purchased receivables but excluding funded positions arising from corporate
finance-related activities; and

d. securities held in the banking book, at market value as carried on the balance sheet,
excluding those that are deducted from capital.

B1.3 Operational risk capital requirement for all other activities


1. A bank must calculate its operational risk capital requirement for its all other activities area of
business by–

a. taking the greater of zero and adjusted gross income from other activities earned
over the quarter for each of the last 12 quarters; and

b. multiplying the amount derived at each observation point by 18%; and

c. summing the 12 quarterly results determined in paragraph (b) and dividing the
resulting sum by 3.

2. For the purpose of subsection (1), the bank must calculate adjusted gross income from all other
activities as total profit or loss before taxation, less the following amounts:
a. net interest income from retail and commercial loans and advances; and

b. net fees from the retail and commercial banking area of business, including–

i. net fees from retail and commercial loans and advances; and

Guidance: These fees include, for example, loan establishment fees,
administration fees, and penalty fees.

ii. net fees from retail and commercial transaction accounts; and
iii. net fees from automatic teller machine networks; and
c. net impairment losses on assets; and

Guidance: These assets include, for example, financial assets, intangibles, and
physical assets.

d. realised profits or losses from the sale of banking book items; and

e. income derived from insurance activities; and

f. total other operating expenses; and

Guidance: These expenses include, for example, fees paid by the bank to
outsourcing providers.

g. income and expenses from irregular items.

3. To avoid doubt, the net income that a bank obtains from its involvement in securitisation
(including servicing), trading, and corporate finance activities must be included in adjusted
gross income from other activities.

Guidance: For trading activities, net income includes profits and losses on
instruments held for trading.

B1.4 Total operational risk capital requirement


1. The total capital requirement for operational risk is the sum of—

a. the operational risk capital requirement for its retail and commercial banking
business calculated in accordance with section B1.2; and

b. the operational risk capital requirement for its all other activities area of business
calculated in accordance with section B1.3.

2. The bank must use the following formula for calculating its total operational risk capital
requirement:

where—

$K_{SA}$ is the total standardised capital requirement for operational risk

$LA_t$ is the dollar value of gross retail and commercial loans and advances measured at the
end of financial quarter “t”

$AGI_t$ is the dollar value of adjusted gross income from other activities earned over financial
quarter “t”

$t$ is an index of consecutive quarterly observations running from 1 to 12, where t=12
represents the most recent period for which observations are available.

3. However, if actual observations are not available, the Reserve Bank will specify an alternative
means of determining capital requirements for operational risk, appropriate to the particular
circumstances involved.

Guidance: An example of a situation in which actual observations will not be
available is when a bank is in its first years of operation.
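
The calculation steps in sections B1.2, B1.3 and B1.4 can be followed through in code. This is an added example, not part of BPR150; the function names and the sample figures are hypothetical, and adjusted gross income per quarter is taken as an input already computed under B1.3(2).

```python
"""Added illustration of BPR150 sections B1.2 to B1.4 (standardised operational risk)."""
from typing import Sequence

QUARTERS = 12            # twelve consecutive quarterly observations
LOANS_FACTOR = 0.00525   # B1.2(1)(b): 0.525% of gross loans and advances
INCOME_FACTOR = 0.18     # B1.3(1)(b): 18% of adjusted gross income


def _require_twelve(observations: Sequence[float], label: str) -> None:
    """B1.4(3): without actual observations the Reserve Bank specifies an
    alternative method, so this calculation refuses incomplete series."""
    if len(observations) != QUARTERS:
        raise ValueError(
            "%s: expected %d quarterly observations, got %d"
            % (label, QUARTERS, len(observations))
        )


def retail_commercial_requirement(loans_by_quarter: Sequence[float]) -> float:
    """B1.2(1): 0.525% of gross retail and commercial loans and advances at
    each quarter end, averaged over the 12 observations (a stock measure)."""
    _require_twelve(loans_by_quarter, "loans and advances")
    return sum(LOANS_FACTOR * la for la in loans_by_quarter) / QUARTERS


def other_activities_requirement(agi_by_quarter: Sequence[float]) -> float:
    """B1.3(1): 18% of the greater of zero and quarterly adjusted gross income,
    summed over 12 quarters and divided by 3. Income is a quarterly flow, so
    dividing by 3 gives an average annual amount over three years."""
    _require_twelve(agi_by_quarter, "adjusted gross income")
    return sum(INCOME_FACTOR * max(0.0, agi) for agi in agi_by_quarter) / 3


def total_requirement(loans_by_quarter: Sequence[float],
                      agi_by_quarter: Sequence[float]) -> float:
    """B1.4(1): sum of the two components."""
    return (retail_commercial_requirement(loans_by_quarter)
            + other_activities_requirement(agi_by_quarter))


if __name__ == "__main__":
    # Constructed sample: index 0 is t=1 (oldest), index 11 is t=12 (most recent).
    loans = [1_000_000_000.0] * 12
    # One loss-making quarter: it is floored at zero, not netted against the others.
    agi = [10_000_000.0] * 11 + [-50_000_000.0]
    print("retail and commercial:", retail_commercial_requirement(loans))
    print("all other activities: ", other_activities_requirement(agi))
    print("total:                ", total_requirement(loans, agi))
```
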

BPR151
AMA Operational Risk

Purpose of document
This document sets out the requirements that apply to a bank’s use of the
Advanced Measurement Approach (AMA) in determining its capital
requirements for operational risk. This is part of the calculation of capital
ratios, as defined in BPR100, which a bank must carry out to determine its
compliance with minimum regulatory capital requirements. This document only
applies to a bank that has been accredited by the Reserve Bank to use the AMA
for operational risk.

Banking Prudential Requirements July 2024

Ref #21327593 v1.0


Document version history
1 July 2021 First issue date

1 July 2024 Revised for minor correction

Conditions of registration
The Banking (Prudential Supervision) Act 1989 (the Act) permits the Reserve Bank to impose
conditions of registration (conditions) on registered banks1.

This document BPR151: AMA Operational Risk forms part of the requirements for the following
conditions:*

• A New Zealand-incorporated registered bank is normally subject to a condition requiring it
to maintain capital ratios above specified minimum levels, and also to a condition imposing
restrictions on its dividend payments when its prudential capital buffer ratio falls below
specified levels2. This document sets out the operational risk capital methodology that will
be needed by such a bank, if it is accredited to use the AMA methodology, to allow it to
calculate its day-to-day values for the capital ratios and the capital buffer ratio, and hence
monitor its compliance with these capital adequacy conditions.

• An AMA-accredited bank is also subject to a standard condition of registration requiring it to
comply with the minimum qualitative requirements for managing operational risk set out in
this document3.

* All of the material set out in this document forms part of the requirements of the
applicable condition, except material that is expressly identified as guidance by being
included in a shaded box like this.

____________
1 The conditions can relate to any of the matters referred to in sections 73 – 73B, 78 and 81. The standard conditions are contained in Appendix 1 of document BS1: Statement of
Principles.

2 These conditions of registration relate to the matter referred to in: section 78(1)(c) (capital in relation to the size and nature of the business).

3 This condition relates to the matters referred to in: section 78(1)(fa) (risk management systems and policies).

BPR131: Standardised Credit Risk RWAs
Part A: Introduction
Part B: Qualitative and quantitative requirements

Contents

Part A: Introduction
A1 Overview, definitions, and general requirements
A1.1 Overview
A1.2 Regulatory capital requirement for operational risk
A1.3 Requirements for banks using AMA for operational risk
Part B: Qualitative and quantitative requirements
B1 Qualitative requirements
B1.1 Purpose of subpart B1
B1.2 Role of the board of directors
B1.3 Sufficient resources
B1.4 Independent operational risk management function
B1.5 Compliance arrangements
B1.6 Documentation
B1.7 Internal reporting of operational risk information
B1.8 Integration of operational risk measurement system into day-to-day operational risk management
B1.9 External/internal audit
B2 Quantitative requirements
B2.1 Purpose of subpart B2
B2.2 AMA soundness standard
B2.3 Treatment of inter-jurisdictional diversification benefits
B2.4 Detailed criteria
B2.5 Internal loss data: general requirements
B2.6 Internal loss data: standards
B2.7 External data
B2.8 Scenario analysis
B2.9 Business environment and internal control factors
B2.10 Operational risk mitigation
B2.11 Principles applying for mapping to Appendix 2 business lines

Part A: Introduction

A1 Overview, definitions, and general requirements


A1.1 Overview
This document sets out the Advanced Measurement Approach (AMA) for determining capital
requirements for operational risk.

Guidance: A bank’s operational risk capital requirement forms part of the
calculation of its capital ratios, as specified in Part B2 of BPR100. Operational
risk has the meaning given in the Glossary.

A1.2 Regulatory capital requirement for operational risk


1. A bank approved by the Reserve Bank to use the AMA for operational risk–
a. must use its own internal model to determine its banking group operational risk
regulatory capital requirement; and

b. may seek approval from the Reserve Bank to apply the AMA to the calculation of its
solo operational risk capital requirement.

2. For the purpose of calculating its solo capital adequacy ratios, a bank approved by the Reserve
Bank to use the AMA must calculate its operational risk solo capital requirement as follows:
a. if the bank has obtained approval from the Reserve Bank to apply the AMA to the
calculation of its solo operational risk capital requirement, the bank must use its
own internal model to determine its solo operational risk regulatory capital
requirement; but

b. in all other cases, the bank must use the formula in subsection (3).

3. If subsection (2)(b) applies, the bank must calculate its solo operational risk capital requirement
as follows:
$$\text{SolOp} = \text{GrpOp} \times \frac{\text{Solo NonOp}}{\text{Group NonOp}}$$

Where–

SolOp is the solo operational risk capital requirement

GrpOp is the group operational risk capital requirement calculated in accordance with
subsection (1)(a)

NonOp is the capital requirement for risks other than operational risk, calculated in accordance
with subsection (4) on a solo or group basis, as applicable.

4. The non-operational risks capital requirement NonOp is calculated as follows:

NonOp = 8% x (total RWAs for credit risk) + total capital requirement for market risk exposure + 8% x (supervisory adjustment)

where the terms in the formula have the meanings given in sections B2.5 and B2.7 of BPR100.

A1.3 Requirements for banks using AMA for operational risk


A bank using the AMA for operational risk is subject to a standard condition of registration that
requires it to meet the qualitative and quantitative requirements set out in Part B (see BPR100,
section C1.5).

Part B: Qualitative and quantitative requirements

B1 Qualitative requirements
B1.1 Purpose of subpart B1
This subpart sets out the qualitative requirements for banks using the AMA for operational risk.

B1.2 Role of the board of directors


The board of directors must be responsible for overseeing the bank’s overall operational risk
profile and for approving the operational risk management framework.

B1.3 Sufficient resources


The bank must have sufficient resources in major business lines, control, and audit to ensure that
its operational risk management framework operates effectively on a continuing basis.

B1.4 Independent operational risk management function


1. Responsibility for the design and implementation of the bank’s operational risk management
framework must reside with an operational risk management function that is independent of
the business units that use the framework.
2. The operational risk management function is responsible for–
a. modification of firm-level policies and procedures relating to operational risk
management and control; and

b. design and implementation of a risk reporting system for operational risk.

3. The bank must develop sound methodologies to identify, measure, monitor, control, and
mitigate operational risk.

B1.5 Compliance arrangements


The bank must have arrangements in place to ensure compliance with internal policies, controls,
and procedures.

B1.6 Documentation
1. The bank’s operational risk management framework must be clearly documented.
2. The documentation referred to in subsection (1) must include–
a. a definition of operational risk which is consistent with the definition in the
Glossary; and

b. a set of internal policies, controls, and procedures for operational risk
management, including policies for the treatment of non-compliance.

B1.7 Internal reporting of operational risk information


1. The bank must have a formal process for regular reporting of operational risk exposures and
loss experience to business unit management, senior management, and the board of directors.

2. The bank must have procedures for taking appropriate action on the basis of the information in
these reports.

B1.8 Integration of operational risk measurement system into day-to-day operational risk management
1. The bank’s operational risk measurement system must be closely integrated into the practical
day-to-day risk management processes of the bank.
2. The outputs from the bank’s operational risk measurement system must help inform the
bank’s decision-making, corporate governance, risk management, and internal capital allocation
processes.
3. The bank’s operational risk measurement system must–
a. include techniques for allocating operational risk capital to all material business
lines; and

b. create incentives for improving operational risk management.

B1.9 External/internal audit


1. The bank’s operational risk management processes and measurement systems must be
subject to annual review by external or internal auditors or by a suitably qualified independent
reviewer.
2. The AMA annual reviews must include–
a. verification that internal validation processes are operating in a satisfactory manner;
and

b. checking that data flows and processes associated with the risk measurement system,
including system parameters and specifications, are transparent and accessible.

B2 Quantitative requirements
B2.1 Purpose of subpart B2
This subpart sets out the quantitative requirements for banks using the AMA for operational
risk.

B2.2 AMA soundness standard


1. The bank’s approach to operational risk measurement must capture potentially severe
low-frequency, high-impact, loss events.
2. Specifically, the operational risk measure must meet a soundness standard comparable to a
one-year holding period and a 99.9% confidence level of the total operational loss distribution.

Guidance: This is comparable to the soundness standard used for the IRB
approach to credit risk, set out in BPR133.

3. The bank must have rigorous procedures for operational risk model development and
independent model validation.

B2.3 Treatment of inter-jurisdictional diversification benefits
Where a bank is a subsidiary of an overseas bank, diversification benefits derived from being
part of a larger banking group must not be incorporated into that bank’s AMA capital
calculations unless specifically approved by the Reserve Bank.

B2.4 Detailed criteria


1. The following quantitative standards apply to internally generated operational risk measures
for the purposes of regulatory capital calculations:
a. the internal operational risk measurement system must be consistent with the
definition of operational risk in the Glossary and the operational loss event types
defined in Appendix 1; and

b. the bank must measure the regulatory capital requirement for operational risk as
the sum of both expected loss (EL) and unexpected loss (UL) unless the Reserve
Bank has agreed that the bank can base its minimum regulatory capital requirement
on UL alone; and

c. the bank’s operational risk measurement system must be sufficiently granular to
capture the major drivers of operational risk affecting the distribution of
low-frequency, high-impact, losses; and

d. risk measures for different operational risk estimates must be added together for
the purposes of calculating the overall regulatory minimum capital requirements,
unless the Reserve Bank has approved the use of internally determined correlations
in operational risk losses across individual operational risk estimates.

2. The bank’s internal operational risk measurement system must have a reasonable mix of the
following features, to help ensure compliance with the AMA soundness standard:
a. the bank’s operational risk measurement system must include the following four
features:

i. use of internal loss event data; and


ii. use of relevant external loss event data; and
iii. scenario analysis; and
iv. factors reflecting the business environment and internal control systems; and
b. the bank must have a credible, transparent, well-documented, and verifiable
approach to weighting the above features in its overall operational risk
measurement system; and

Guidance: For example, there may be cases where estimates of the 99.9th
percentile confidence interval based primarily on internal and external loss event
data would be unreliable for business lines with a heavy-tailed loss distribution
and a small number of observed losses. In such cases, scenario analysis may play
a more dominant role in the risk measurement system. Conversely, operational
loss event data may play a more dominant role in the risk measurement system
for business lines where estimates of the 99.9th percentile confidence interval
based primarily on such data are considered reliable.

c. in all cases, the bank’s approach to weighting the four features specified in
paragraph (a) should be internally consistent and avoid the double-counting of
qualitative assessments or risk mitigants already recognised in the other elements of
its operational risk management framework.

B2.5 Internal loss data: general requirements


1. The bank must–
a. track internal loss data according to the criteria set out in this section so that it can
link its operational risk estimates to its actual loss experience; and

b. have well-documented procedures for assessing the ongoing relevance of historical
loss data.

2. The documentation referred to in subsection (1)(b) should cover situations in which judgemental
overrides, scaling, or other adjustments to the internal data may be used, the extent to which
they may be used, and who is authorised to make such decisions.
3. Internally generated operational risk measures used for regulatory capital calculations must be
based on a minimum 5-year observation period of internal data, regardless of whether the
internal dataset serves as a direct input to build the loss measure or as a basis for validation.

Guidance: However, despite the 5-year period referred to in subsection (3) the
Reserve Bank may, at the time at which a bank first moves to the AMA, allow it
to use a 3-year observation period for an initial period.

B2.6 Internal loss data: standards


1. The bank’s internal loss collection processes must meet the standards set out in subsection (2).
2. The standards are as follows:
a. the bank must–

i. be able to map its historical internal loss data to the relevant Level 1 loss event
types described in Appendix 1 and to the Level 1 business lines described in
Appendix 2; and
ii. have well-documented and objective criteria for the mapping referred to in
subparagraph (i); and
b. the bank’s internal loss data must capture all material activities and exposures from
all operational systems and geographic locations; and

c. the bank must collect information about–

i. gross loss amounts; and


ii. the date of the loss event; and
iii. any recoveries of gross loss amounts; and

iv. descriptive information, at a level of detail commensurate with the size of the
gross loss amount, about the drivers or causes of the loss event; and
d. the bank must, for the purposes of carrying out the mapping referred to in paragraph
(a), have specific criteria for–

i. assigning loss data resulting from an event in a centralised function or an
activity that spans more than one business line; and

Guidance: A centralised function will include, for example, an information
technology department.

ii. assigning loss data from related operational loss events over time; and
e. in respect of operational losses that are related to credit risk and/or have been
included in the bank’s credit risk databases, the bank must–

i. treat such losses as credit risk for regulatory capital calculations; and
ii. not reflect such losses in its operational risk capital charge; but
iii. include any such loss, if material, in its internal operational risk database.
f. the bank must treat operational losses that are related to market risk as operational
risk for regulatory capital calculations.

B2.7 External data


1. The bank’s operational risk measurement system must use relevant external data.

Guidance: The external data may be public data and/or pooled industry data.
The inclusion of external loss data is important because banks may be exposed
to infrequent, but potentially severe, operational loss events that are not
captured in internal data.

2. The bank’s external operational-loss data should include–


a. data on the actual loss amounts; and

b. information about–

i. the scale of business operations where the loss event occurred; and
ii. the causes and circumstances of the loss events; and
iii. any other matters that could help assess the relevance of the loss event for
the bank.
3. The bank must have a systematic process for determining the situations for which external data
must be used and the methodologies used to incorporate the data.

Guidance: The processes might include, for example, scaling, qualitative
adjustments, and/or informing the development of improved scenario analysis.

4. The bank must–
a. regularly review and document the conditions and practices for external data use;
and

b. ensure that these reviews, and the documentation, are subject to periodic
independent review.

B2.8 Scenario analysis


1. The bank must use scenario analysis, using expert opinion in conjunction with external data, to
evaluate its exposure to infrequent, high-severity, operational loss events.

Guidance: Scenario analysis should be used to help assess the impact of
deviations from the correlation assumptions that are embedded in the bank’s
operational risk measurement system. In particular, this analysis should help
evaluate potential losses arising from multiple simultaneous operational events.

2. This analysis must draw on the knowledge of both experienced business managers and risk
management experts to derive reasoned assessments of plausible severe losses.
3. The bank must, over time, validate and re-assess the expert assessments referred to in subsection
(2), by comparing them to actual loss experience and ensuring the reasonableness of those
assessments.

B2.9 Business environment and internal control factors


1. The bank’s firm-wide operational risk assessment methodology must capture key business
environment and internal control factors that can impact on its operational risk profile.
2. The use of the factors in the operational risk measurement system must meet the following
standards:
a. each factor chosen must–

i. be justified as a meaningful driver of risk, based on experience and involving
the expert judgement of the affected business areas; and
ii. where possible, be translatable into a quantitative measure that lends itself to
verification; and
b. the sensitivity of the bank’s risk estimates to changes in the risk factors and the
relative weighting of the various risk factors must be well reasoned; and

c. the bank’s risk measurement framework must capture changes in risk due to
improvements in risk controls and potential increases in risk arising from increased
volumes of business or greater complexity of activities; and

d. the risk measurement framework and each instance of its application, including the
rationale for any adjustments to empirical estimates, must be documented and
subject to independent review within the bank; and

e. the process and outcomes must be validated through comparison with actual
internal loss experience and relevant external data, and appropriate adjustments
made as necessary.

B2.10 Operational risk mitigation
1. The bank may recognise the risk-mitigating effect of insurance in the operational risk measures
used for regulatory capital calculations.
2. However, subsection (1) is subject to–
a. the limitation specified in subsection (3); and

b. the bank meeting the requirements specified in subsections (4) to (6).

3. The recognition of insurance is limited to 20% of the total regulatory operational risk capital
charge calculated under the AMA.
4. The bank may recognise risk mitigation from insurance in regulatory capital calculations only if
the following criteria are met:
a. the insurance provider must have a minimum claims-paying ability rating of A under
Standard & Poor’s Insurer Financial Strength Ratings, A2 under Moody’s Insurance
Financial Strength Ratings, or A under A.M.Best’s Financial Strength Ratings; and

Guidance: These are the insurer rating agencies that the Reserve Bank has
approved for the purposes of section 62 of the Insurance (Prudential
Supervision) Act 2010. The Reserve Bank may approve additional credit rating
agencies for this purpose: see the Reserve Bank document “Rating Agency
Approval Guidelines: Insurance Sector”, December 2010.

b. the insurance policy must have–

i. an initial term of no less than a year; and


ii. a minimum notice period for cancellation of 90 days; and
c. the insurance policy must have no exclusions or limitations of liability that:

i. are triggered by any regulatory or supervisory action taken against the bank,
except that cover under the insurance policy may exclude any fine, penalty, or
punitive damages resulting from supervisory action; and
ii. in the case of the failure of the bank, prevent the bank, or its statutory
manager, liquidator, receiver, or administrator (as the case may be), from
recovering, under the policy, damages suffered or expenses incurred by the
bank as a result of a loss event, provided that the loss event occurred at, or
prior to, the point of failure of the bank; and
d. the bank must, in relation to the operational losses that it uses in the overall
calculation of its capital requirement for operational risk, reflect the risk mitigating
effect of the insurance in a manner that is both transparent in its relationship to, and
consistent with, the likelihood, and financial impact, of those losses; and

e. the insurance must be provided by a third party; and

Guidance: This means that insurance provided by a captive or affiliated insurer
(that is, self-insurance) is not eligible for risk mitigation in the operational risk
capital calculation.

f. the bank’s framework for recognising insurance must be well documented.

5. The bank’s inclusion of insurance risk mitigation in its regulatory capital measurement must
capture the following elements through appropriate discounts and/or haircuts in the value of
insurance recognition:
a. the insurer’s ability to cancel the policy, if the notice period for cancellation is less
than a year; and

b. the uncertainty of payment as well as mismatches in coverage of insurance policies.

6. If an insurance policy used by the bank to mitigate its operational risk has a residual term of
less than one year, the bank must multiply the value of the risk mitigation recognised in the
calculation of its operational risk capital charge by the following amount:

Max [0, (R – 0.25)/0.75]

where R is the residual term of the policy expressed as a portion of a year.

Guidance: The effect of applying this formula is that the allowed mitigation
benefit of the insurance declines as the residual maturity of the policy declines
from 1 year to 3 months, at which point it is no longer recognised.
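The following added example (not part of BPR151) shows how the eligibility criteria in subsection (4), the residual-term factor in subsection (6) and the 20% limit in subsection (3) combine. It assumes the limit is measured against the AMA charge before insurance and applied after residual-term scaling; the `Policy` fields, function names and sample figures are illustrative.

```python
from dataclasses import dataclass

INSURANCE_CAP = 0.20           # B2.10(3): at most 20% of the AMA charge
MIN_INITIAL_TERM_YEARS = 1.0   # B2.10(4)(b)(i)
MIN_NOTICE_DAYS = 90           # B2.10(4)(b)(ii)


@dataclass
class Policy:
    name: str
    mitigation_value: float        # modelled benefit after the bank's own haircuts under (5)
    initial_term_years: float
    cancellation_notice_days: int
    residual_term_years: float     # R in subsection (6)
    third_party: bool              # False for a captive or affiliated insurer
    rating_ok: bool = True         # outcome of the (4)(a) rating check, assessed upstream
    exclusions_ok: bool = True     # outcome of the (4)(c) wording review, assessed upstream


def eligibility_failures(p):
    """Return the subsection (4) criteria the policy fails (empty list if eligible)."""
    failures = []
    if not p.rating_ok:
        failures.append("(4)(a) insurer rating below minimum")
    if p.initial_term_years < MIN_INITIAL_TERM_YEARS:
        failures.append("(4)(b)(i) initial term under one year")
    if p.cancellation_notice_days < MIN_NOTICE_DAYS:
        failures.append("(4)(b)(ii) cancellation notice under 90 days")
    if not p.exclusions_ok:
        failures.append("(4)(c) disqualifying exclusion or limitation")
    if not p.third_party:
        failures.append("(4)(e) not provided by a third party")
    return failures


def residual_term_factor(r):
    """Subsection (6): Max[0, (R - 0.25)/0.75] when R < 1 year, otherwise no scaling."""
    if r >= 1.0:
        return 1.0
    return max(0.0, (r - 0.25) / 0.75)


def recognised_mitigation(gross_ama_charge, policies):
    """Scale each eligible policy, sum, then apply the 20% limit (assumed ordering)."""
    per_policy, rejected = {}, {}
    for p in policies:
        failures = eligibility_failures(p)
        if failures:
            rejected[p.name] = failures
            continue
        per_policy[p.name] = p.mitigation_value * residual_term_factor(p.residual_term_years)
    uncapped = sum(per_policy.values())
    cap = INSURANCE_CAP * gross_ama_charge
    recognised = min(uncapped, cap)
    return {
        "per_policy": per_policy,
        "rejected": rejected,
        "uncapped": uncapped,
        "cap": cap,
        "recognised": recognised,
        "net_charge": gross_ama_charge - recognised,
    }


# Constructed sample portfolio (amounts in $m); not real data.
SAMPLE_POLICIES = [
    Policy("crime", 10.0, 1.0, 90, 1.0, True),        # full recognition
    Policy("cyber", 6.0, 1.0, 120, 0.625, True),      # 7.5 months left: factor 0.5
    Policy("property", 4.0, 2.0, 90, 0.25, True),     # 3 months left: factor 0
    Policy("captive", 8.0, 1.0, 90, 1.0, False),      # self-insurance: ineligible
]

if __name__ == "__main__":
    for gross in (50.0, 100.0):
        r = recognised_mitigation(gross, SAMPLE_POLICIES)
        print(gross, r["uncapped"], r["cap"], r["recognised"], r["net_charge"])
```

With the sample portfolio the limit binds for a gross charge of 50 but not for 100, which is the case a reviewer should check when the insurance programme is large relative to the modelled charge.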

B2.11 Principles applying for mapping to Appendix 2 business lines


A bank must apply the following principles when mapping business lines in accordance with
section B2.6(2)(a) and Appendix 2:

a. all activities must be mapped into the eight level 1 business lines in a mutually
exclusive and jointly exhaustive manner; and

b. a banking or non-banking activity must be allocated to the business line it supports if it–

i. cannot be readily mapped into the business line framework; and


ii. represents an ancillary function to an activity included in the framework; and
c. if, in relation to paragraph (b), the ancillary activity supports more than one business
line, the bank must use objective criteria for mapping the activity to those business
lines; and

d. subject to paragraph (e), the mapping of activities into business lines for
operational risk capital purposes must be consistent with the definitions of
business lines used for the other categories of risk in the regulatory capital
calculations, namely credit and market risk; and

e. however, a bank may depart from the principle of consistent mapping in paragraph
(d) if the departure is clearly justified and documented; and

f. the mapping process used must be clearly documented; and

g. written business line definitions must be clear and detailed enough to allow third
parties to replicate the business line mapping; and

h. documentation must, among other things, clearly justify any exceptions or overrides
and be kept on record; and

i. processes must be in place to define the mapping of any new activities or products;
and

j. the bank’s senior management is responsible for the mapping policy; and

k. the mapping policy used by the bank must have been approved by the bank’s board
of directors; and

l. the mapping process to business lines must be subject to independent review.

Appendix 1
Detailed Loss Event Type Classification

See sections B2.4(1)(a) and B2.6(2)(a).

| Event-Type Category (Level 1) | Definition | Categories (Level 2) | Activities Examples (Level 3) |
|---|---|---|---|
| Internal fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/discrimination events, which involve at least one internal party | Unauthorised Activity | Transactions not reported (intentional); Transaction type unauthorised (with monetary loss); Mismarking of position (intentional) |
| | | Theft and Fraud | Fraud, credit fraud, worthless deposits; Theft, extortion, embezzlement, robbery; Misappropriation of assets; Malicious destruction of assets; Forgery; Cheque kiting; Smuggling; Account take-over, impersonation, etc.; Tax non-compliance/evasion (wilful); Bribes, kickbacks; Insider trading (not on firm’s account) |
| External fraud | Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party | Theft and Fraud | Theft, robbery; Forgery; Cheque kiting |
| | | Systems Security | Hacking damage; Theft of information (with monetary loss) |
| Employment Practices and Workplace Safety | Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events | Employee Relations | Compensation, benefit, termination issues; Organised labour activity |
| | | Safe Environment | General liability; Employee health & safety rules events; Workers compensation |
| | | Diversity & Discrimination | All discrimination types |
| Clients, Products, and Business Practices | Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product. | Suitability, Disclosure & Fiduciary | Fiduciary breaches, guideline violations; Suitability, disclosure issues (know your customer, etc); Retail customer disclosure violations; Breach of privacy; Aggressive sales; Account churning; Misuse of confidential information; Lender liability |
| | | Improper Business or Market Practices | Antitrust; Improper trade / market practices; Market manipulation; Insider trading (on firm’s account); Unlicensed activity; Money laundering |
| | | Product Flaws | Product defects (unauthorised, etc.); Model errors |
| | | Selection, Sponsorship & Exposure | Failure to investigate client per guidelines; Exceeding client exposure limits |
| | | Advisory Activities | Disputes over performance of advisory activities |
| Damage to Physical Assets | Losses arising from loss or damage to physical assets from natural disaster or other events. | Disasters and other events | Natural disaster losses; Human losses from external sources (terrorism, vandalism) |
| Business disruption and system failures | Losses arising from disruption of business or system failures | Systems | Hardware; Software; Telecommunications; Utility outage / disruptions |
| Execution, Delivery, and Process Management | Losses from failed transaction processing or process management, from relations with trade counterparties and vendors | Transaction Capture, Execution & Maintenance | Miscommunication; Data entry, maintenance or loading error; Missed deadline or responsibility; Incorrect operation of model / system; Accounting error / entity attribution error; Other task misperformance; Delivery failure; Collateral management failure; Reference Data Maintenance |
| | | Monitoring and Reporting | Failed mandatory reporting obligation; Inaccurate external report (loss incurred) |
| | | Customer Intake and Documentation | Client permissions / disclaimers missing; Legal documents missing / incomplete |
| | | Customer / Client Account Management | Unapproved access given to accounts; Incorrect client records (loss incurred); Negligent loss or damage of client assets |
| | | Trade Counterparties | Non-client counterparty misperformance; Misc. non-client counterparty disputes |
| | | Vendors & Suppliers | Outsourcing; Vendor disputes |

Appendix 2
Mapping of Business Lines

See sections B2.6(2)(a) and B2.11

| Level 1 | Level 2 | Inactive Activity Groups |
|---|---|---|
| Corporate Finance | Corporate Finance; Municipal/Government Finance; Merchant Banking; Advisory Services | Mergers and acquisitions, underwriting, privatisations, securitisation, research, debt (government, high yield), equity, syndications, IPO, secondary private placements. |
| Trading & Sales | Sales; Market Making; Proprietary Positions; Treasury | Fixed income, equity, foreign exchange, commodities, credit, funding, own position securities, lending and repos, brokerage, debt, prime brokerage. |
| Retail Banking | Retail Banking | Retail lending and deposits, banking services, trust and estates. |
| | Private Banking | Private lending and deposits, banking services, trust and estates, investment advice. |
| | Card Services | Merchant, commercial, corporate, and retail cards. |
| Commercial Banking | Commercial Banking | Project finance, real estate, export finance, trade finance, factoring, leasing, lending, guarantees, bills of exchange. |
| Payment and Settlement | External Clients | Payments and collections, funds transfer, clearing and settlement. |
| Agency Services | Custody | Escrow, depository receipts, securities lending (customers), corporate actions. |
| | Corporate Agency | Issuer and paying agents. |
| | Corporate Trust | |
| Asset Management | Discretionary (Active) Fund Management | Pooled, segregated, retail, institutional, closed, open, private equity. |
| | Non-Discretionary (Passive) Fund Management | Pooled, segregated, retail, institutional, closed, open. |
| Retail Brokerage | Retail Brokerage | Execution and full service. |

Guidance: In relation to the Level 1 business line “payment and settlement”, losses
related to a bank’s own activities would be incorporated in the loss experience of the
affected business line.

Prudential Practice Guide
CPG 230 Operational Risk Management

June 2024
AUSTRALIAN PRUDENTIAL REGULATION AUTHORITY | APRA.GOV.AU
Contents
About this guide
Glossary
Key principles
Risk management framework
Roles and responsibilities
Operational risk management
Business continuity
Management of service provider arrangements

Disclaimer and Copyright

This prudential practice guide is not legal advice and users are encouraged to obtain professional advice
about the application of any legislation or prudential standard relevant to their particular circumstances and to
exercise their own skill and care in relation to any material contained in this guide.

APRA disclaims any liability for any loss or damage arising out of any use of this prudential practice guide.

© Australian Prudential Regulation Authority (APRA) 2024

This work is licensed under the Creative Commons Attribution 3.0 Australia Licence (CC BY 3.0). This licence
allows you to copy, distribute and adapt this work, provided you attribute the work and do not suggest that
APRA endorses you or your work. To view a full copy of the terms of this licence, visit
https://creativecommons.org/licenses/by/3.0/au/

APRA June 2024 1


About this guide

Prudential practice guides (PPGs) share APRA’s views on sound practice. They discuss requirements from
legislation, regulations or APRA’s prudential standards, but do not themselves create enforceable requirements.

This PPG offers guidance to APRA-regulated entities to aid compliance with Prudential Standard CPS 230
Operational Risk Management (CPS 230). CPS 230 sits within the Risk Management pillar of APRA’s framework,
as a supporting standard.

Effective operational risk management is essential to ensure the resilience of an entity, and its ability to maintain
critical operations through disruptions.

Proportionality

CPS 230 applies to every APRA-regulated entity. Each one, regardless of size, has operational risks which can
crystallise and adversely affect their depositors, policyholders or beneficiaries.

CPS 230 sets baseline expectations for all entities. APRA expects significant financial institutions (SFIs) to have
stronger practices, commensurate with the size and complexity of their operations. All entities should mature their
practice over time, as business operations grow and evolve, and to match the scale of their risks and role in the
financial system.

Reading this guide

Relevant paragraphs from CPS 230 (enforceable requirements) are in blue boxes. The remainder of the text is
guidance. Footnotes in CPS 230 have not been reproduced in this document.



Glossary

Accountable person Accountable person as defined in sections 10 and 11 of the Financial Accountability
Regime Act 2023

ADI Authorised deposit-taking institution, as defined in the Banking Act 1959

APRA Australian Prudential Regulation Authority

APS 001 Prudential Standard APS 001 Definitions

ASIC Australian Securities and Investments Commission

BCP Business continuity plan

Board Board of directors

CPS 220 Prudential Standard CPS 220 Risk Management

CPS 230 Prudential Standard CPS 230 Operational Risk Management

CPS 234 Prudential Standard CPS 234 Information Security

Critical operations Processes undertaken by an APRA-regulated entity or its service provider which, if
disrupted beyond tolerance levels, would have a material adverse impact on its
depositors, policyholders, beneficiaries or other customers, or its role in the financial
system

GPS 001 Prudential Standard GPS 001 Definitions

HPS 001 Prudential Standard HPS 001 Definitions

LPS 001 Prudential Standard LPS 001 Definitions

Material arrangements Material arrangements are those on which an APRA-regulated entity relies to
undertake a critical operation or that expose it to material operational risk

Material service providers Material service providers are those on which an APRA-regulated entity relies to
undertake a critical operation or that expose it to material operational risk

RSE Registrable Superannuation Entity

RSE licensee RSE licensee as defined in subsection 10(1) of the SIS Act

SIS Act Superannuation Industry (Supervision) Act 1993

SPS 220 Prudential Standard SPS 220 Risk Management



Key principles

12. An APRA-regulated entity must:

(a) effectively manage its operational risks, and set and maintain appropriate standards for conduct and
compliance;

(b) maintain its critical operations within tolerance levels through severe disruptions; and

(c) manage the risks associated with the use of service providers.

13. An APRA-regulated entity must identify, assess and manage operational risks that may result from
inadequate or failed internal processes or systems, the actions or inactions of people or external drivers and
events. Operational risk is inherent in all products, activities, processes and systems.

14. An APRA-regulated entity must, to the extent practicable, prevent disruption to critical operations, adapt
processes and systems to continue to operate within tolerance levels in the event of a disruption and return to
normal operations promptly once a disruption is over.

15. An APRA-regulated entity must not rely on a service provider unless it can ensure that in doing so it can
continue to meet its prudential obligations in full and effectively manage the associated risks.

1. The aim of CPS 230 is to ensure that APRA-regulated entities (‘entities’) are resilient to operational risks and
disruptions. Operational resilience is the outcome of prudent operational risk management: the ability to
effectively manage and control operational risks; limit disruptions; and maintain critical operations through
disruptions.

2. APRA expects that, in implementing CPS 230, a prudent entity would start with the identification of its critical
operations. An entity would:

a) identify its critical operations (paragraph 36 of CPS 230 sets out the minimum list);

b) set tolerance levels for disruption of these critical operations; and

c) identify the processes and resources needed to deliver these critical operations, including material
service providers.

3. A prudent entity would then use this information as the starting point for an assessment of its operational risk
profile.

Risk management framework

16. As part of its risk management framework required under Prudential Standard CPS 220 Risk
Management (CPS 220) and Prudential Standard SPS 220 Risk Management (SPS 220), an APRA-regulated
entity must develop and maintain:

(a) governance arrangements for the oversight of operational risk;

(b) an assessment of its operational risk profile, with a defined risk appetite supported by indicators, limits
and tolerance levels;

(c) internal controls that are designed and operating effectively for the management of operational risks;

(d) appropriate monitoring, analysis and reporting of operational risks and escalation processes for
operational incidents and events;

(e) business continuity plan(s) (BCPs) that set out how the entity would identify, manage and respond to a
disruption within tolerance levels and are regularly tested with severe but plausible scenarios; and

(f) processes for the management of service provider arrangements.

17. As part of the required reviews of the risk management framework under CPS 220 and SPS 220, an
APRA-regulated entity must review its operational risk management. The reviews must cover those aspects of
operational risk management set out in paragraph 16.

18. Operational risk management must be integrated into an APRA-regulated entity’s overall risk
management framework and processes. Business continuity planning must be consistent with, and not conflict
or undermine, an APRA-regulated entity’s recovery and exit planning.

19. Where APRA considers that an APRA-regulated entity’s operational risk management has material
weaknesses, APRA may:

(a) require an independent review of the entity’s operational risk management;

(b) require the entity to develop a remediation program;

(c) require the entity to hold additional capital, as relevant;

(d) impose conditions on the entity’s licence; and

(e) take other actions required in the supervision of this Prudential Standard.

4. CPS 230 builds on the general risk management requirements in Prudential Standard CPS 220 Risk
Management (CPS 220) and Prudential Standard SPS 220 Risk Management (SPS 220), with more specific
requirements for the management of operational risks.

5. Where an entity has identified material weaknesses in its operational risk management, APRA expects that the
entity would keep APRA informed of the progress of the entity’s remediation.

6. APRA’s prudential standards for ADIs and insurers require that operational risk capital reflects the operational
risk profile of the entity.[1] Generally, where there are material weaknesses in the management of operational
risk, APRA expects an ADI or insurer would hold additional capital until remediation is complete. This may be
through an overlay determined by senior management, required by the Board or applied by APRA.

[1] APRA requires ADIs and insurers to hold capital for operational risks, as prescribed by Prudential Standard APS 115 Capital Adequacy:
Standardised Measurement Approach to Operational Risk (APS 115), Prudential Standard GPS 118 Capital Adequacy: Operational Risk
Charge (GPS 118), Prudential Standard LPS 118 Capital Adequacy: Operational Risk Charge (LPS 118) and Prudential Standard HPS 118
Capital Adequacy: Operational Risk Charge (HPS 118).

Roles and responsibilities

20. The Board of an APRA-regulated entity is ultimately accountable for oversight of an entity’s operational
risk management. This includes business continuity and the management of service provider arrangements.

21. The Board must ensure that the APRA-regulated entity sets clear roles and responsibilities for senior
managers for operational risk management, including business continuity and the management of service
provider arrangements.

22. The Board must:

(a) oversee operational risk management and the effectiveness of key internal controls in maintaining the
entity’s operational risk profile within risk appetite. The Board must be provided with regular updates on the
APRA-regulated entity’s operational risk profile and ensure senior management takes action as required to
address any areas of concern;

(b) approve the BCP and tolerance levels for disruptions to critical operations, review the results of testing
and oversee the execution of any findings; and

(c) approve the service provider management policy, and review risk and performance reporting on material
service providers.

23. Senior management of an APRA-regulated entity must provide clear and comprehensive information to the
Board on the expected impacts on the entity’s critical operations when the Board is making decisions that
could affect the resilience of critical operations.

The Board

Allocate responsibility

7. A prudent Board would have a clear understanding of who is responsible within the entity for each aspect of
operational risk management, including business continuity and the management of service provider
arrangements. It should have reasonable assurance that there are no gaps in responsibilities.

8. Processes for delegation from, and reporting to, the Board and senior management should be clear and
documented, including for the escalation of risks and issues.

Oversee the risk profile

9. The Board would typically:

a) oversee updates to an entity’s operational risk profile and ensure risks outside of its appetite are
addressed promptly;

b) oversee the effectiveness of key internal controls;

c) be kept informed of areas of any material weaknesses and major remediation efforts;

d) understand the material operational risks that arise from new ventures; and

e) ensure internal audit provides assurance and has appropriate capabilities for this task.

Challenge and approve

10. The Board, in approving the BCP and overall tolerances for the disruption of critical operations, would also
ensure that the BCP aligns with its tolerances.

11. While the Board approves the service provider management policy, it may delegate approval of non-material
changes.

Senior management

12. Senior managers play an important role in equipping Boards to make effective decisions. APRA expects that
information provided to the Board is targeted and timely.

13. Boards may delegate to senior management the ability to approve more granular policies, tolerance levels and
plans which sit beneath, and align to, Board-approved documents.

Notifying APRA

14. Where CPS 230 requires notification to APRA (see Table 1), it is to be made electronically using the form on
APRA’s web site.

Table 1. Notifications to APRA

Notifications to APRA [2]

Operational risk incidents: As soon as possible and not later than 72 hours after becoming aware of an operational risk
incident that it determines to be likely to have a material financial impact or a material impact
on the ability of the entity to maintain its critical operations (paragraph 33 of CPS 230)

Disruption: As soon as possible and not later than 24 hours after a disruption to a critical operation
outside of tolerance (paragraph 42 of CPS 230)

Material services: As soon as possible and not later than 20 business days after entering into or materially
changing an agreement (paragraph 59(a) of CPS 230)

Offshoring: Before entering into, or when there is a significant change to an offshoring agreement with
a material service provider (paragraph 59(b) of CPS 230)

[2] Notification to APRA of an information security incident under CPS 234 does not need to be separately reported under CPS 230. Where a
notification falls into two different notification categories, the requirement for notification to APRA is the shorter notification timeframe.

Operational risk management

24. An APRA-regulated entity must manage its full range of operational risks, including but not limited to
legal risk, regulatory risk, compliance risk, conduct risk, technology risk, data risk and change management
risk. Senior management are responsible for operational risk management across the end-to-end process for
all business operations.

25. An APRA-regulated entity must maintain appropriate and sound information and information technology
(IT) capability to meet its current and projected business requirements and to support its critical operations
and risk management. In managing technology risks, an APRA-regulated entity must monitor the age and
health of its information assets and meet the requirements for information security in Prudential Standard CPS
234 Information Security (CPS 234).

Operational risk profile and assessment

26. An APRA-regulated entity must assess the impact of its business and strategic decisions on its operational
risk profile and operational resilience, as part of its business and strategic planning processes. This must
include an assessment of the impact of new products, services, geographies and technologies on its
operational risk profile.

27. An APRA-regulated entity must maintain a comprehensive assessment of its operational risk profile. As
part of this, an APRA-regulated entity must:

(a) maintain appropriate and effective information systems to monitor operational risk, compile and analyse
operational risk data and facilitate reporting to the Board and senior management;

(b) identify and document the processes and resources needed to deliver critical operations, including people,
technology, information, facilities and service providers, the interdependencies across them, and the
associated risks, obligations, key data and controls; and

(c) undertake scenario analysis to identify and assess the potential impact of severe operational risk events,
test its operational resilience and identify the need for new or amended controls and other mitigation
strategies.

28. An APRA-regulated entity must conduct a comprehensive risk assessment before providing a material
service to another party, to ensure that the APRA-regulated entity is able to continue to meet its prudential
obligations after entering into the arrangement. APRA may require an APRA-regulated entity to review and
strengthen internal controls or processes where APRA considers there to be heightened prudential risks in
such circumstances.

Operational risk controls

29. An APRA-regulated entity must design, implement and embed internal controls to mitigate its operational
risks in line with its risk appetite and meet its compliance obligations.

30. An APRA-regulated entity must regularly monitor, review and test controls for design and operating
effectiveness, the frequency of which must be commensurate with the materiality of the risks being controlled.
The results of testing must be reported to senior management and any gaps or deficiencies in the control
environment must be rectified in a timely manner.

31. An APRA-regulated entity must remediate material weaknesses in its operational risk management,
including control gaps, weaknesses and failures. This remediation must be supported by clear accountabilities
and assurance and address the root causes of weaknesses in a timely manner. An APRA-regulated entity
must include identified control gaps, weaknesses, and failures in its operational risk profile until such matters
are remediated.

Operational risk incidents

32. An APRA-regulated entity must ensure that operational risk incidents and near misses are identified,
escalated, recorded and addressed in a timely manner. An APRA-regulated entity must take incidents and
near misses into account in its assessment of its operational risk profile and control effectiveness in a timely
manner.

33. An APRA-regulated entity must notify APRA as soon as possible, and not later than 72 hours, after
becoming aware of an operational risk incident that it determines to be likely to have a material financial
impact or a material impact on the ability of the entity to maintain its critical operations.

Identify critical operations

15. APRA expects that, in identifying its critical operations, an entity would focus on outward-facing services to
support depositors, policyholders, beneficiaries and other customers, as well as the broader financial system
and its role therein.

16. In identifying critical operations, in addition to APRA’s minimum list (see CPS 230 paragraph 36), a prudent
entity would consider business operations that, if disrupted beyond tolerance levels:

a) would have a direct material adverse impact on depositors, policyholders, beneficiaries or other
customers;

b) would have an indirect material adverse impact on depositors, policyholders, beneficiaries or other
customers, such as through significantly impacting the entity’s profitability, financial soundness,
reputation or ability to comply with legal or regulatory requirements; or

c) could impact the broader financial system or economy, including through flow-on effects or contagion.

17. APRA expects that ‘critical functions’ as determined by APRA under Prudential Standard CPS 900 Resolution
Planning (CPS 900) would also be classified as critical operations.

18. APRA expects that where an entity determines that a business operation prescribed by APRA is not a critical
operation, the reasons would be documented, approved by an Accountable person, and reviewed on at least
an annual basis. It is not necessary to provide the documented reasoning to APRA, unless APRA specifically
asks an entity to provide this information.

Identify processes and resources needed to deliver critical operations

19. Senior management should be satisfied that they have sufficient detail about the resources and processes
needed to deliver critical operations. It is important to understand how critical operations are delivered during
business-as-usual and maintained in a disruption.

20. Prudent entities will incorporate documented processes into their broader operational risk management
framework and ensure it is kept up to date. The more comprehensive the information, the better equipped
entities will be to make decisions and take appropriate action.

Maintain an operational risk profile

21. A prudent entity would regularly update their risk profile to reflect changes in strategy, risk environment or
business mix.

22. Risk profiles should also be informed by scenario analysis that tests severe but plausible events. Scenario
analysis helps entities to identify gaps or opportunities to improve their management of operational risk.

Table 2. Steps to assess operational risk profile

Operational risk profile

Context: Consider the business environment and changes within the business.

Critical Operations: Identify the business’ critical operations, and the processes and resources required to
provide them.

Risks: Identify and record operational risks within the business, including causes and inherent and
residual (post-control) ratings.

Controls: Identify and record controls used to mitigate risks. Assess the efficacy of controls. Test
results and any gaps and weaknesses.

Risk appetite: Assess performance against risk appetite.

Actions: Develop and document actions or remediation plans for higher-rated risks or those
exceeding appetite. Accept risks where appropriate.

Maintain effective controls (design, test, monitor)

23. Entities should design, implement and embed effective internal controls. To the extent possible, controls should
minimise the likelihood and impact of disruptions – particularly to critical operations. Testing would be
conducted by staff and teams independent of those with operational responsibility for controls.

24. To monitor, review and test the effectiveness of controls, entities could consider:

a) the use of consistent criteria across the entity;

b) design and operating effectiveness;

c) testing of controls for material risks more frequently than for less material risks;

d) capturing of all controls, including those owned by related parties and service providers;

e) having a mix of preventative, detective and corrective controls;

f) having a mix of automated and manual controls;

g) whether recent issues and incidents are within appetite or controls need to be adjusted;

h) recording the rationale for the control effectiveness assessment; and

i) any recent changes in the environment or business strategies that could impact control effectiveness.

25. APRA expects that any gaps, weaknesses or failures in controls are identified, escalated and rectified in a
timely manner.

Manage and record incidents, remediate

26. Entities would typically have mechanisms to manage all stages of an incident, whether occurring sequentially
or concurrently.

Table 3. Steps in managing incidents

Managing incidents

Detect: Detect incident using automated controls and/or manual review.

Escalate: Escalate so that decision-makers are aware of the incident and to trigger response.

Contain: Contain to minimise damage.

Respond: Respond and remediate.

Review: Analyse and review after the incident, to improve incident management procedures, and
support attribution and restitution (where relevant).

27. A prudent entity would identify the root cause of an incident and take steps to remediate. This lessens the
chance of the incident recurring and helps to identify any common underlying weaknesses in other products,
business areas, the control framework or risk culture.

28. Effective management responses to control weaknesses often include tactical responses (temporary controls
or monitoring), followed by strategic solutions (changes to processes, people or systems) to mitigate the risk
over the long term.

29. APRA expects that an entity would avoid extended delays or unwarranted extensions to targeted closure dates
in addressing operational risk incidents. Incidents and near misses would be recorded in the entity’s
operational risk information system and linked to controls to ensure that the risk profile accurately reflects any
control weaknesses or gaps.

Business continuity

34. An APRA-regulated entity must:

(a) define, identify and maintain a register of its critical operations;

(b) take reasonable steps to minimise the likelihood and impact of disruptions to its critical operations;

(c) maintain a credible BCP that sets out how it would maintain its critical operations within tolerance levels
through disruptions, including disaster recovery planning for critical information assets;

(d) activate its BCP if needed in the event of a disruption; and

(e) return to normal operations promptly after a disruption is over.

Critical operations and tolerance levels

35. Critical operations are processes undertaken by an APRA-regulated entity or its service provider which, if
disrupted beyond tolerance levels, would have a material adverse impact on its depositors, policyholders,
beneficiaries or other customers, or its role in the financial system.

36. An APRA-regulated entity must, at a minimum, classify the following business operations as critical
operations, unless it can justify otherwise:

(a) for an ADI: payments, deposit-taking and management, custody, settlements and clearing;

(b) for an insurer (general, life, private health): claims processing;

(c) for an RSE licensee: investment management and fund administration; and

(d) for all APRA-regulated entities: customer enquiries and the systems and infrastructure needed to support
critical operations.

37. APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a business
operation as a critical operation.

38. For each critical operation, an APRA-regulated entity must establish tolerance levels for:

(a) the maximum period of time the entity would tolerate a disruption to the operation;

(b) the maximum extent of data loss the entity would accept as a result of a disruption; and

(c) minimum service levels the entity would maintain while operating under alternative arrangements during a
disruption.

39. APRA may require an APRA-regulated entity to review and change its tolerance levels for a critical
operation. APRA may set tolerance levels for an APRA-regulated entity, or a class of APRA-regulated entities,
where it identifies a heightened risk or material weakness.

Business continuity plan

40. An APRA-regulated entity’s BCP must include:

(a) the register of critical operations and associated tolerance levels;

(b) triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources in
the event of activation;

(c) actions it would take to maintain its critical operations within tolerance levels through disruptions;

(d) an assessment of the execution risks, required resources, preparatory measures, including key internal
and external dependencies needed to support the effective implementation of the BCP actions; and

(e) a communications strategy to support execution of the plan.

41. An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to
people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance levels
and report any failure to meet tolerance levels, together with a remediation plan, to the Board.

42. An APRA-regulated entity must notify APRA as soon as possible, and not later than 24 hours after, if it has
suffered a disruption to a critical operation outside tolerance. The notification must cover the nature of the
disruption, the action being taken, the likely impact on the entity’s business operations and the timeframe for
returning to normal operations.

Testing and review

43. An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical
operations and includes an annual business continuity exercise. The program must test the effectiveness of
the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.

44. The testing program must be tailored to the material risks of the APRA-regulated entity and include a
range of severe but plausible scenarios, including disruptions to services provided by material service
providers and scenarios where contingency arrangements are required. APRA may require the inclusion of an
APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class of
APRA-regulated entities.

45. An APRA-regulated entity must update, as necessary, its BCP on an annual basis to reflect any changes
in legal or organisational structure, business mix, strategy or risk profile or for shortcomings identified as a
result of the review and testing of the BCP.

46. An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide
assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical
operations within tolerance levels through severe disruptions and that testing procedures are adequate and
have been conducted satisfactorily.

30. Business continuity is achieved through a combination of controls that reduce the likelihood and/or impact of a
business disruption. This approach may include measures to minimise the immediate impact of a disruption;
activate contingency arrangements; and facilitate the recovery of critical operations.

Maintain a register of critical operations, set tolerance levels

31. An entity’s register of critical operations would typically include:

a) the name of the critical operation;

b) a description of the critical operation;

c) tolerance levels for disruptions; and

d) the material service provider arrangements supporting the critical operation.

32. In setting and reviewing tolerance levels, a prudent entity would consider:

a) the impact on its customers and other stakeholders of a disruption;

b) the financial and reputational impact on the entity from a prolonged or material disruption;

c) the financial and reputational impact on the broader financial system, including any flow-on effects or
contagion;

d) legal or regulatory requirements, including any tolerance levels set by APRA; and

e) recovery objectives.

33. APRA expects that entities will reassess tolerance levels as they learn lessons from actual disruptions, testing,
scenario analysis and evolution in industry practices.

Table 4. Types of tolerance levels for disruptions

Tolerance type: Factors to consider in setting tolerances

Maximum period: Maximum allowable disruption (the maximum amount of time a business service
can be unavailable before the impact is deemed unacceptable).
Recovery time objectives (the maximum amount of time allowed for the recovery
of information assets that relate to a business service).

Maximum data loss: Recovery point objective (the maximum amount of data loss that the business can
tolerate in terms of time).
This is typically measured by how far back the business can reconstruct data
through other techniques such as re-keying and is normally used to inform the
frequency of point-in-time backups.

Minimum service levels: Recovery level objective (the minimum level of service that needs to be restored
to avoid impacts that are deemed unacceptable).
An entity would normally establish a recovery level objective when resumption to
business-as-usual operations may take a long time. An entity would normally
determine the minimum level of people, information assets and other resources
required to provide the business service.
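
The register fields in guidance paragraph 31, the three tolerance types in Table 4 and the notification timeframes in Table 1 can be checked mechanically against a disruption timeline. The following Python is an added example, not part of CPS 230 or APRA's guidance; the record layouts, the capacity-fraction unit for service levels and the choice to start the 24-hour clock at the first tolerance breach are assumptions, and the sample data is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass(frozen=True)
class CriticalOperation:
    """One register entry, using the fields listed in guidance paragraph 31."""
    name: str
    description: str
    max_disruption: timedelta   # CPS 230 para 38(a): maximum period of disruption
    max_data_loss: timedelta    # para 38(b): maximum data loss, expressed as time
    min_service_level: float    # para 38(c): fraction of normal capacity (assumed unit)
    material_service_providers: tuple = ()


@dataclass(frozen=True)
class Disruption:
    """Timeline of one disruption or BCP test (hypothetical record layout)."""
    started_at: datetime
    restored_at: Optional[datetime]    # None while the disruption is ongoing
    last_recoverable_point: datetime   # newest data that can be restored
    service_samples: tuple = ()        # (time, fraction of normal capacity) pairs


@dataclass(frozen=True)
class Breach:
    tolerance: str
    measured: object
    limit: object
    breached_at: datetime


def evaluate(op: CriticalOperation, d: Disruption, now: datetime) -> list:
    """Return tolerance breaches for one disruption, earliest first."""
    breaches = []
    end = d.restored_at or now

    # Maximum period: the tolerance is exceeded once the outage outlasts the limit.
    elapsed = end - d.started_at
    if elapsed > op.max_disruption:
        breaches.append(Breach("maximum period", elapsed, op.max_disruption,
                               d.started_at + op.max_disruption))

    # Maximum data loss: everything written after the last recoverable point
    # is lost, so the breach is dated to the start of the disruption.
    loss = d.started_at - d.last_recoverable_point
    if loss > op.max_data_loss:
        breaches.append(Breach("maximum data loss", loss, op.max_data_loss,
                               d.started_at))

    # Minimum service level: first sample below the floor while operating
    # under alternative arrangements.
    for when, level in sorted(d.service_samples):
        if d.started_at <= when <= end and level < op.min_service_level:
            breaches.append(Breach("minimum service level", level,
                                   op.min_service_level, when))
            break

    return sorted(breaches, key=lambda b: b.breached_at)


def notification_deadline(breaches, aware_of_material_incident_at=None):
    """Latest time to notify APRA, or None if no notification is triggered.

    24 hours for a disruption outside tolerance (para 42), 72 hours after
    becoming aware of a material operational risk incident (para 33); where
    both apply, the shorter timeframe governs (Table 1, footnote 2).
    Assumption: the 24-hour clock starts at the first tolerance breach.
    """
    candidates = []
    if breaches:
        first = min(b.breached_at for b in breaches)
        candidates.append(first + timedelta(hours=24))
    if aware_of_material_incident_at is not None:
        candidates.append(aware_of_material_incident_at + timedelta(hours=72))
    return min(candidates) if candidates else None


# Constructed sample data: not taken from any real entity or incident.
UTC = timezone.utc
PAYMENTS = CriticalOperation(
    name="Payments",
    description="Retail payment processing",
    max_disruption=timedelta(hours=4),
    max_data_loss=timedelta(minutes=15),
    min_service_level=0.5,
    material_service_providers=("Example Payments Processor Pty Ltd",),
)
OUTAGE = Disruption(
    started_at=datetime(2025, 3, 3, 9, 0, tzinfo=UTC),
    restored_at=datetime(2025, 3, 3, 15, 30, tzinfo=UTC),
    last_recoverable_point=datetime(2025, 3, 3, 8, 50, tzinfo=UTC),
    service_samples=(
        (datetime(2025, 3, 3, 10, 0, tzinfo=UTC), 0.6),
        (datetime(2025, 3, 3, 12, 0, tzinfo=UTC), 0.4),
    ),
)

if __name__ == "__main__":
    found = evaluate(PAYMENTS, OUTAGE, now=datetime(2025, 3, 3, 16, 0, tzinfo=UTC))
    for b in found:
        print(f"{b.tolerance}: measured {b.measured}, limit {b.limit}, at {b.breached_at}")
    print("Notify APRA by:", notification_deadline(found))
```

The same functions work for a BCP test run: feed the test timeline in as a `Disruption` and report which tolerance levels were met, as paragraph 38(b) of the guidance asks of test reports.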

Maintain a BCP, be ready to activate it

34. An entity’s BCP caters to all stages of disruption to critical operations: triggers and identification; initial actions
(such as alternative arrangements); further actions; assessment; and communications.

35. The use of contingency arrangements (where viable options exist) enables entities to respond quickly to a
disruption when recovery plans do not operate as intended, including those of service providers and related
parties.

36. An entity may maintain one or more BCPs and would be able to enact these quickly when required. It is useful
to clearly link the BCP and any other management plans that deal with incidents, including disaster recovery,
liquidity management and information security incident management. Alignment with crisis management
governance, triggers, actions and communication plans is important.

Test the BCP

37. Testing the BCP should highlight any deficiencies, build experience in managing a crisis and strengthen the
plan. Systematic testing of BCPs and associated disaster recovery plans would typically occur over a multi-
year cycle, during which all critical operations would be considered (for example, over a three-year cycle).

38. Test results and the execution of any findings such as remediation would be reported to and reviewed by the
Board, with associated follow-up actions formally tracked and reported. Reports on BCP tests would typically
include:

a) the scope, including the critical operations included (and excluded) and the specific tolerance levels
tested;

b) what was demonstrated by the test, including whether tolerance levels were met; and

c) any issues raised, root causes and required remediation, including timeframes and accountabilities for
actions.

39. Entities that rely on material service providers would seek to confirm that those providers also maintain robust
BCP testing. Joint testing of arrangements with the service provider could be considered.

Update the BCP

40. An entity must review and update its BCP annually, and as soon as possible after a material change in the
entity’s structure, business or risk profile, such as after a merger or acquisition or a major external shock.

41. BCPs should be informed by results of testing, internal audit findings and lessons learned from actual business
disruptions.

Audit the BCP

42. Internal audit is an important vehicle for assurance. The Board may consider seeking assurance through expert
opinion or other means to complement internal audit.

43. An audit program would typically assess all aspects of business continuity capability over time. Additional
assurance projects could be triggered by changes to services, processes, information assets, the business
environment and stakeholder expectations.

Management of service provider arrangements

47. An APRA-regulated entity must maintain a comprehensive service provider management policy. The policy
must cover how the entity will identify material service providers and manage service provider arrangements,
including the management of material risks associated with the arrangements.

48. The policy must include:

(a) the entity’s approach to entering into, monitoring, substituting and exiting agreements with material service
providers;

(b) the entity’s approach to managing the risks associated with material service providers; and

(c) the entity’s approach to managing the risks associated with any fourth parties that material service
providers rely on to deliver a critical operation to the APRA-regulated entity.

Material service providers

49. An APRA-regulated entity must identify and maintain a register of its material service providers and
manage the material risks associated with using these providers. Material service providers are those on
which the entity relies to undertake a critical operation or that expose it to material operational risk. Material
arrangements are those on which the entity relies to undertake a critical operation or that expose it to material
operational risk.

50. An APRA-regulated entity must, at a minimum, classify a provider of the following services as a material
service provider, unless it can justify otherwise:

(a) for an ADI: credit assessment, funding and liquidity management and mortgage brokerage;

(b) for an insurer (general, life, private health): underwriting, claims management, insurance brokerage and
reinsurance;

(c) for an RSE licensee: fund administration, custodial services, investment management and arrangements
with promoters and financial planners; and

(d) for all APRA-regulated entities: risk management, core technology services and internal audit.

51. An APRA-regulated entity must submit its register of material service providers to APRA on an annual
basis.

52. APRA may require an APRA-regulated entity, or a class of APRA-regulated entities, to classify a service
provider, type of service provider or service provider arrangement as material.

Service provider agreements

53. Before entering into or materially modifying a material arrangement, an APRA-regulated entity must:

(a) undertake appropriate due diligence, including an appropriate selection process and an assessment of the
ability of the service provider to provide the service on an ongoing basis; and

(b) assess the financial and non-financial risks from reliance on the service provider, including risks associated
with geographic location or concentration of the service provider(s) or parties the service provider relies on in
providing the service.

54. For all material arrangements, an APRA-regulated entity must maintain a formal legally binding agreement
(formal agreement). The formal agreement must, at a minimum:

(a) specify the services covered by the agreement and associated service levels;

(b) set out the rights, responsibilities and expectations of each party to the agreement, including in relation to
the ownership of assets, ownership and control of data, dispute resolution, audit access, liability and
indemnity;

(c) include provisions to ensure the ability of the entity to meet its legal and compliance obligations;

(d) require notification by the service provider of its use of other material service providers that it materially
relies upon in providing the service to the APRA-regulated entity through sub-contracting or other
arrangements;

(e) require the liability for any failure on the part of any sub-contractor to be the responsibility of the service
provider;

(f) include a force majeure provision indicating those parts of the contract that would continue in the case of a
force majeure event; and

(g) termination provisions including, but not limited to, the right to terminate both the arrangement in its
entirety or parts of the arrangement. For an RSE licensee, termination provisions must include the ability for
the RSE licensee to terminate the arrangement where to continue the arrangement would be inconsistent with
the RSE licensee’s duty to act in the best financial interests of beneficiaries (refer to subsection 52(2)(c) of the
SIS Act).

55. The formal agreement must also include provisions that:

(a) allow APRA access to documentation, data and any other information related to the provision of the
service;

(b) allow APRA the right to conduct an on-site visit to the service provider; and

(c) ensure the service provider agrees not to impede APRA in fulfilling its duties as prudential regulator.

56. For each material arrangement, an APRA-regulated entity must:

(a) identify and manage risks that could affect the ability of the service provider to provide the service on an
ongoing basis;

(b) identify and manage risks to the APRA-regulated entity that could result from the arrangement, such as
step-in risk or contagion risk;

(c) ensure it can execute its BCP if needed; and

(d) ensure it can conduct an orderly exit from the arrangement if needed.

57. APRA may require an APRA-regulated entity to review and make changes to a service provider
arrangement where it identifies heightened prudential concerns.

Monitoring, notifications and review

58. An APRA-regulated entity must monitor and ensure that senior management receive reporting on material
arrangements commensurate with the nature and usage of the service. This monitoring must include a regular
assessment of:

(a) performance under the service agreement with reference to agreed service levels;

(b) the effectiveness of controls to manage the risks associated with the use of the service provider; and

(c) compliance of both parties with the service provider agreement.

59. An APRA-regulated entity must notify APRA:

(a) as soon as possible and not more than 20 business days after entering into or materially changing an
agreement for the provision of a service on which the entity relies to undertake a critical operation; and

(b) prior to entering into any material offshoring arrangement, or when there is a significant change proposed
to the arrangement, including in circumstances where data or personnel relevant to the service being provided
will be located offshore.

60. An APRA-regulated entity’s internal audit function must review any proposed material arrangement
involving the outsourcing of a critical operation. The internal audit function must regularly report to the Board
or Board Audit Committee on compliance of such arrangements with the entity’s service provider management
policy.

Maintain a service provider management policy

44. Where an entity uses a service provider, the entity still owns and is responsible for managing its risk. The
service provider management policy must set out how this is to be done.

45. In addition to those matters set out in CPS 230, a service provider management policy would usually include:

a) roles and responsibilities of Accountable persons or equivalent;

b) processes for the selection of and due diligence on service providers;

c) methodology for the assessment of the materiality of service providers;

d) on-boarding and exiting procedures;

e) BCPs and alternative arrangement considerations (including where the service provider is unable to
provide the service for an extended period of time);

f) issues management and escalation procedures;

g) processes for vetting key personnel of service providers; and

h) oversight processes and practices to monitor the service providers, service level agreements and risks.

Maintain a register of material service providers

46. Material service providers are those on which the entity relies to undertake a critical operation or that expose it
to material operational risk. Paragraph 50 of CPS 230 prescribes a minimum list of material service providers,
which provides a starting point for entities developing their register of material service providers.

47. For the purposes of the register, CPS 230 does not intend to capture arm’s length transactions or
intermediation unless they meet criteria under paragraph 49 of CPS 230. For example, the purchase of
reinsurance or the intermediation of an insurance policy by a broker would not mean that the provider of the
service would automatically be deemed a material service provider and need to be captured in the register.
Rather, CPS 230 is intended to capture those arrangements where an entity relies on a service provider to
undertake a critical operation, or the arrangement introduces material operational risk to the entity.

48. In developing its material service provider register, a prudent entity would:

a) include a list of the entity’s material arrangements, and identify the responsible person for each
arrangement within the entity;

b) identify which critical operation(s) the material arrangement supports, and/or which material risk the
arrangement connects to in the entity’s risk profile; and

c) where the material arrangement is relied on to deliver a critical operation, take reasonable steps to list
fourth parties involved in delivery of the critical operation.

49. APRA expects that where an entity decides not to classify a service provider prescribed by APRA as material,
the reasons would be documented, approved by an Accountable person and reviewed on at least an annual
basis. It is not necessary to provide the documented reasoning to APRA, unless APRA specifically requests an
entity to provide this information.

Manage risks associated with material service providers

50. Entities should proactively manage the key risks associated with material arrangements. Entities’ BCPs would
account for these key risks and have contingencies to limit disruption of critical operations. Entities would also
look to satisfy themselves that their material service providers’ risk management practices and BCPs are
similarly robust.

51. A prudent entity would manage the operational risk associated with cohorts of service providers, where the
aggregate impact is material, but each individual provider is not. This does not mean that each service provider
in the cohort needs to be identified as a material service provider, but rather that the entity has additional
processes and controls in place to satisfy itself that the operational risks of such cohorts are being monitored
and managed.

Maintain agreements for material arrangements

52. CPS 230 requires entities to maintain formal agreements for material arrangements with material service
providers. Not all arrangements with a material service provider will be material to support delivery of the
critical operation or expose the entity to material operational risk.

Monitor performance

53. An entity would normally conduct periodic reviews of material arrangements with a service provider. This could
include assessment of operational issues (including information security incidents and service disruptions);
control effectiveness; information security capabilities and business continuity capabilities; strategic changes;
and comparisons to other offerings in the market.

Assess risk when engaging a new material service provider

54. When selecting and assessing a prospective provider of material arrangements, an entity would typically
consider the following against its risk appetite:

a) business services and capabilities which must be retained in-house;

b) country or region risk;

c) supplier risk;

d) concentration risk; and

e) reputational risk.

55. A prudent entity would assess the risks of engaging a service provider in another jurisdiction to determine if it is
within appetite. This would include consideration of:

a) the ability to continue operations and meet core obligations following a loss of service;

b) maintenance of information security;

c) the ability to own and manage controls on its behalf;

d) compliance with legislative and prudential requirements; and

e) impediments, legal and technical, to APRA being able to fulfil its duties, including timely access to
information in a usable form.

56. Where an entity proposes to outsource a critical operation, or part thereof, currently performed in-house, the
proposed outsourcing is to be reviewed by internal audit before any final decision is made. A prudent entity
would ensure its internal audit function has sufficient capability and capacity to undertake the required review.

FINMA Guidance 07/2024
Calculation of minimum capital for operational risks: exclusion
of loss events

13 December 2024

Laupenstrasse 27, 3003 Bern, Tel. +41 (0)31 327 91 00, www.finma.ch
Contents
1 Introduction
2 Exclusion of loss events
2.1 Requirements
2.2 Timing of the exclusion of loss events
2.3 Threshold for the exclusion of loss events
2.4 Notification to FINMA

1 Introduction

From 1 January 2025, minimum capital requirements for operational risks
will be calculated in accordance with the Capital Adequacy Ordinance of 1
June 2012 (CAO; SR 952.03) and the FINMA Ordinance of 6 March 2024 on
the Leverage Ratio and Operational Risks of Banks and Securities Firms
(LROO-FINMA; SR 952.033.11). These two ordinances contain
requirements and implementing provisions for the standardised approach for
calculating minimum capital requirements for operational risks and, in
particular, for the business indicator, business indicator component, internal
loss multiplier and loss component.

Banks may exclude loss events that are no longer relevant from the
calculation of the loss component if certain requirements are met (Art. 93a
paras. 3 and 4 CAO).

This guidance sets out these requirements and examples and refers to the
relevant implementing provisions from the explanatory notes to the final
Basel III standards.1

2 Exclusion of loss events

All losses that are no longer incurred within the ten-year period pursuant to
Article 93 para. 1 let. b CAO are excluded. For losses that are still within the
ten-year period to be excluded, the allocated loss events must fulfil the
requirements of Article 93a paras. 3 and 4 CAO and Article 30 LROO-FINMA.
An exclusion must be clearly justified and of an exceptional nature.

2.1 Requirements

Specifically, under Article 30 para. 1 LROO-FINMA, a loss event is no longer
relevant for the bank’s risk profile if:

• no further losses are expected from the facts underlying the loss event
(in particular, no further legal risks exist), and
• a comparable event can no longer occur under the inherent risk profile of
the bank.

The inherent risk profile of the bank corresponds to the risks to which the
bank is exposed through its products, activities, processes and systems,
without taking into account control and mitigation measures (see margin no.
4 of FINMA Circular 2023/1 “Operational risks and resilience – banks”).

1 Explanatory notes of 6 March 2024 on the final Basel III standards – FINMA ordinances, available at
www.finma.ch > Documentation > Consultations and evaluations > Completed consultations > 2022
> Final Basel III standards – new FINMA ordinances (4.7.2022–25.10.2022)

When assessing the relevance of a loss event for the inherent risk profile of
a bank, it must be considered whether the cause of the loss could lead to
further losses in other areas of the bank’s business activities. For example,
in the case of settled legal cases, the bank must demonstrate that there are
no remaining or comparable legal risks for the bank.

Example of an inherent risk profile:

Bank A conducts cross-border business activities and has to pay a
fine following legal disputes in jurisdiction B. The resulting costs are
recognised in a loss event. Bank A discontinues all business
activities in jurisdiction B. At the same time, however, bank A
continues its cross-border business activities in other jurisdictions.

The requirements pursuant to Article 30 para. 1 let. a LROO-FINMA
are fulfilled in this case by the discontinuation of the business
activity. This means that no further losses are to be expected due to
the discontinuation of cross-border business activities in jurisdiction
B.

However, in order to justify the exclusion of the loss event due to the
fine in jurisdiction B, it must be ensured with regard to the inherent
risk profile of the bank as a whole that a comparable event (i.e. a
fine in another jurisdiction) can no longer occur. As bank A continues
to conduct cross-border business activities with other jurisdictions, a
comparable event (i.e. a fine in another jurisdiction) cannot be ruled
out. The inherent risk therefore remains.

As a result, the loss event in connection with the fine in jurisdiction B
cannot be excluded from the calculation of the loss component. If
bank A discontinues its cross-border business activities altogether,
no further comparable events are to be expected either from the
underlying facts (business activities in jurisdiction B) or from the
inherent risk profile of the bank. Accordingly, the loss due to the fine
in jurisdiction B can be excluded.

The focus should be placed in particular on the cause of the loss event.
Certain causes are inherent and relevant to the inherent risk profile of a bank
to such an extent that such loss events can only be excluded if substantial
adjustments are made to the business model of the respective bank. One
example of this is loss events caused by the sale of banking products or
cross-border business activities. Therefore, the exclusion of loss events is
generally the exception.

Furthermore, provisions for possible future claims arising from the loss event
do not fulfil the requirements of Article 30 para. 1 let. a LROO-FINMA. It
cannot be ruled out due to the existence or recognition of provisions that
further losses may arise from the circumstances underlying the loss event.

Some further examples of indications of a change (but not necessarily a
reduction) in the inherent risk profile:2

• A previously manual process is converted into a fully automated
process, thus losses from this process due to human errors such as
typing errors can no longer occur; however, if there are other manual
processes in which human errors such as typing errors can occur, a
justified exclusion is unlikely.
• Business activities are no longer continued or no new business activities
are commenced (e.g. no more investment banking); however, if there
are other comparable business activities, a justified exclusion is unlikely.
• Specific product offerings are discontinued entirely or no new products
are offered (e.g. no longer offering residential mortgage-backed
securities); however, if comparable product offerings exist (e.g.
commercial mortgage-backed securities), a justified exclusion is unlikely.
• Introduction of new processes such as payment methods (e.g. using
new FinTech solutions) that completely replace current processes (with
loss events).
• Substantial changes in client onboarding (e.g. by video instead of in
person) that completely replace current processes (with loss events).
• New outsourcing to external service providers or to a cloud, or cessation
of outsourcing.
• New system landscape (e.g. complete replacement of several previously
connected IT systems with one).

2.2 Timing of the exclusion of loss events

Loss events that are no longer relevant to the bank’s risk profile can be
excluded from the calculation of the loss component three years after the
last loss was recognised. The period may be shortened if the bank no longer
continues the business activity on which the loss is based or comparable
business activities (Art. 30 para. 2 LROO-FINMA).

2 No. 4.5.5.3 of the explanatory notes of 6 March 2024 on the final Basel III standards – FINMA
ordinances, available at www.finma.ch > Documentation > Consultations and evaluations >
Completed consultations > 2022 > Final Basel III standards – new FINMA ordinances
(4.7.2022–25.10.2022)

Example:

A loss event has arisen from cross-border business activities. If the
bank completely discontinues cross-border business activities, the
loss event can be excluded if it can be clearly attributed to this
discontinued business activity due to its nature and no further losses
can arise from this loss event. However, if the bank resumes
cross-border business, corresponding loss events suffered in the past
must be included again in the calculation of the loss component,
provided they still fall within the ten-year period.

2.3 Threshold for the exclusion of loss events

In principle, the materiality threshold of 10% of the average annual loss is
used to exclude loss events. The net loss of the loss event within the
ten-year period must exceed 10% of the average of the calculated annual losses
for the ten years (Art. 29 para. 2 in conjunction with para. 3 LROO-FINMA).
Furthermore, all gross losses and loss reductions allocated to the loss event
are excluded from the calculation of the annual loss relevant for the loss
component (Art. 29 para. 3 LROO-FINMA).

Loss events that do not reach this materiality threshold of 10% are still taken
into account in the calculation of the loss component.

The materiality threshold of 10% of the average annual loss does not apply
to the exclusion of loss events from a discontinued business activity (Art.
93a para. 3 CAO).

2.4 Notification to FINMA

The assessment of a loss exclusion is at the discretion of the bank.
However, the criteria for the exclusion of losses must be set strictly and
applied consistently (see section 2.1). The decision and the assessment of
the loss exclusion must be clearly justified and documented.

The exclusion of a loss event is an exception and must be reported to
FINMA. In the notification to FINMA regarding the exclusion of a loss event,
the bank must prove that the conditions are met (Art. 30 para. 3 LROO-FINMA,
see section 2.1).

The notification to FINMA must be made six weeks before the loss event is
excluded (Art. 30 para. 3 LROO-FINMA), i.e. for example on 15 November
for the annual financial statements as at 31 December.

FINMA reviews the notification and contacts the bank within six weeks if the
exclusion of the loss event does not fulfil regulatory requirements. If FINMA
does not respond, the bank may apply the exclusion after six weeks from the
date of notification to FINMA.
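
Sections 2.1 to 2.4 reduce to a screening routine over the loss register. The Python sketch below is an added example, not FINMA's or any bank's code: the record layout, the sample events and the choices marked as assumptions in the comments (the candidate event counts toward the average annual loss; a discontinued activity waives the three-year wait) are illustrative, and the two qualitative tests of section 2.1 enter as flags set by the bank's own assessment.

```python
from dataclasses import dataclass
from datetime import date, timedelta

WINDOW_YEARS = 10             # ten-year period of the loss component
WAIT_YEARS = 3                # section 2.2: wait after the last recognised loss
MATERIALITY = 0.10            # section 2.3: share of the average annual loss
NOTICE = timedelta(weeks=6)   # section 2.4: lead time for notifying FINMA


@dataclass
class LossEvent:               # hypothetical record layout
    event_id: str
    bookings: list             # (booking date, amount); recoveries are negative
    no_further_losses: bool    # result of the bank's section 2.1 assessment
    no_comparable_event: bool  # same, judged against the inherent risk profile
    activity_discontinued: bool = False


def shift_years(d, years):
    """Move a date by whole years, mapping 29 February to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def in_window(booked, reporting_date):
    return shift_years(reporting_date, -WINDOW_YEARS) < booked <= reporting_date


def net_loss(event, reporting_date):
    """Gross losses minus loss reductions booked inside the ten-year window."""
    return sum(a for d, a in event.bookings if in_window(d, reporting_date))


def average_annual_loss(register, reporting_date):
    """Average of the ten annual losses (assumption: candidate event included)."""
    per_year = {}
    for event in register:
        for booked, amount in event.bookings:
            if in_window(booked, reporting_date):
                per_year[booked.year] = per_year.get(booked.year, 0) + amount
    return sum(per_year.values()) / WINDOW_YEARS


def assess_exclusion(event, register, reporting_date):
    """Return (candidate, reasons); reasons lists every failed condition."""
    reasons = []
    if not event.no_further_losses:
        reasons.append("further losses still expected")
    if not event.no_comparable_event:
        reasons.append("comparable event still possible")
    if not event.activity_discontinued:
        # Assumption: for a discontinued activity the wait is treated as fully
        # shortened; the 10% threshold does not apply there (section 2.3).
        last_loss = max(d for d, a in event.bookings if a > 0)
        if shift_years(last_loss, WAIT_YEARS) > reporting_date:
            reasons.append("three-year wait not yet elapsed")
        threshold = MATERIALITY * average_annual_loss(register, reporting_date)
        if net_loss(event, reporting_date) <= threshold:
            reasons.append("below 10% materiality threshold")
    return (not reasons, reasons)


def notification_deadline(exclusion_date):
    """Latest date for the notification: six weeks before the exclusion."""
    return exclusion_date - NOTICE


# Constructed sample register, amounts in CHF.
REPORTING_DATE = date(2025, 12, 31)
REGISTER = [
    LossEvent("E1", [(date(2019, 6, 30), 4_000_000), (date(2020, 3, 31), 1_000_000),
                     (date(2021, 5, 31), -500_000)], True, True),
    LossEvent("E2", [(date(2018, 2, 15), 80_000)], True, True),
    LossEvent("E3", [(date(2024, 9, 30), 3_000_000)], False, True),
    LossEvent("E4", [(date(2017, 11, 30), 2_370_000)], True, True),
    LossEvent("E5", [(date(2025, 2, 28), 50_000)], True, True,
              activity_discontinued=True),
]

if __name__ == "__main__":
    for ev in REGISTER:
        ok, why = assess_exclusion(ev, REGISTER, REPORTING_DATE)
        print(ev.event_id, "candidate" if ok else "stays in", "; ".join(why))
    print("notify FINMA by", notification_deadline(REPORTING_DATE))
```

A positive result only marks an event as a candidate: the exclusion still has to be justified, documented and notified to FINMA as section 2.4 requires.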

Operational risk in the new Basel framework

A new standardized approach introduced by the Basel committee has led to a number
of changes for banks, with implications for how they manage their capital. Slim Ben Ali
assesses its impact on financial institutions’ levels of operational and regulatory risk.

Following a one-year deferral due to the Covid-19 pandemic, the Basel committee
has introduced a standardized approach effective January 2023, building upon
previous Basel accords, with the aim to strengthen risk management, regulation,
supervision, and stability within the banking industry.

Currently, banks can choose the approach to take for calculating operational capital,
with the possibility of capital savings in return for higher investments in risk
management. Under the new Basel accord, banks will have to use a revised
standardized approach (SA) to calculate the minimum operational risk capital
requirements. This approach will replace all three existing approaches for operational
risk under Pillar 1.

As with all Basel committee standards, the new SA applies to all internationally active
banks on a consolidated basis, and national supervisors may also apply the framework
to non-internationally active banks.

The new approach seeks to restore credibility in the calculation of risk
weighted assets (RWAs) and to improve the comparability of banks’ capital ratios.

It is therefore critical that banks maintain high quality operational risk teams, use
processes such as risk modeling and scenario analysis to assist with business
decision making, and embed operational risk management mindsets into
the business.

Components of the new standardized approach

The new formula for the standardized approach consists of two main components
– a business indicator component (BIC) (a measure of a bank’s income) and a
loss component (LC), from which an internal loss multiplier (ILM) is derived,
a measure of a bank’s historical losses. The minimum (pillar 1) operational risk
capital (ORC) requirement is the product of the BIC and the ILM, with risk weighted
assets for operational risk being the capital requirement multiplied by 12.5.

This shift has major implications for banks’ internal loss data and how it could be
used to derive business value and risk management insight.

In practical terms, the ILM is the only variable a bank has significant control over,
but its impact can be crucial and the new formula is predicted to affect banks to
varying degrees.

Given the fact that the revised operational risk framework will not take effect until 1
January 2023, banks have time to improve their processes for collecting, managing,
and analyzing internal loss data to reduce their ILM and thus the ORC.

Implications for banks

The implementation of the new standardized approach framework will
have potential impact on the bank’s data, systems, business models and capital.
— Data, systems and processes:
Banks will have to ensure their internal loss data collection processes are
sufficiently robust and cover the required ten-year history. Banks must have robust
processes for appropriately capturing operational risk loss data, including
loss dates, accounting dates and recovery data. They may need to invest in training
and incentive schemes for individuals involved in LC, in data quality processes
and in documentation to ensure that LC is of a sufficiently high quality. Moreover,
risk management teams will need to work together with finance to define exactly how
the components of the business indicator are derived from the profit and loss accounts.

Documented policies and procedures for identifying and reporting operational risk
events must serve as the starting point for managing data capture and quality.
Associated procedures and processes must be validated before a bank’s loss data
can be used to calculate capital charge for operational risk. Regular independent
reviews by corporate internal audit functions and external independent party are
also required.

Many banks already have systems for capturing operational loss data but with the
new framework, banks may need to enhance their existing system to capture all the
required operational loss data elements. Banks will also need to continue to
have independent assurance that operational loss tracking systems, processes, and
controls provide for high quality data.

Exploring the latest advances in robotic process automation (RPA) and cognitive
technology to streamline and automate routine activities, such as data collection,
cleansing, and storage can be also something that banks may consider in the future.

— Business model and capital:
The definition of the BIC – as compared to gross income currently used for
calculating the simpler pillar 1 approaches – generates higher capital requirements
for some business activities. Banks would do well to analyze their different
business lines to ensure they remain sustainable in all aspects (including
profitability, customer expectations and capital usage). Moreover, due to the
bucketing of the business indicator, larger banks are expected to face higher
capital charges compared to smaller ones, which might have an influence on strategic
decisions, especially those related to achieving non-organic growth through mergers
and acquisitions.

Although the new framework will not come into force until 2023, all banks should
ensure they are incorporating the new approach into their capital planning process,
as well as in risk adjusted return measures at an early stage.

Implementing the new approach

The Basel Committee on Banking Supervision (BCBS) has introduced a single non
model-based method for calculating operational risk capital, the SA. This will
replace all three existing approaches for operational risk under Pillar 1 and will
become effective starting 1st January 2023.

The main objectives of the BCBS in defining this new framework were to improve
comparability and simplicity, which might be challenging given the scope of national
discretion and the use of opaque Pillar 2 capital requirements. We expect a high
level of variability in capital impact across banks and across jurisdictions under
the new approach. Nevertheless, we believe that it will have significant impact on
the way banks manage operational risk and presents a valuable opportunity for
financial institutions to embrace new technologies and techniques including big data
analytics and predictive risk intelligence.

Slim Ben Ali
Director | Financial Risk Management
E: [email protected]

UAE banking perspectives 2022
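
The capital arithmetic described in the article above, as an added Python example that is not part of the original article. The bucket boundaries, marginal coefficients, the factor of 15 in the loss component and the ILM formula come from the Basel III standard of December 2017 rather than from the article, and the four banks are constructed.

```python
import math

# Marginal coefficients per business indicator (BI) bucket, in EUR millions.
# Boundaries and rates as set in the Basel III standard (December 2017).
BUCKETS = [(1_000, 0.12), (30_000, 0.15), (math.inf, 0.18)]
LC_MULTIPLIER = 15    # LC = 15 x average annual operational loss over ten years
RWA_FACTOR = 12.5     # risk weighted assets = 12.5 x capital requirement


def business_indicator_component(bi):
    """Apply each coefficient only to the slice of BI that falls in its bucket."""
    bic, lower = 0.0, 0.0
    for upper, rate in BUCKETS:
        if bi > lower:
            bic += (min(bi, upper) - lower) * rate
        lower = upper
    return bic


def internal_loss_multiplier(bi, bic, avg_annual_loss):
    """ILM = ln(e - 1 + (LC / BIC) ** 0.8); fixed at 1 for bucket 1 banks."""
    if bi <= BUCKETS[0][0]:
        return 1.0
    lc = LC_MULTIPLIER * avg_annual_loss
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def operational_risk_capital(bi, avg_annual_loss):
    """Return BIC, ILM, the Pillar 1 requirement (ORC) and the resulting RWA."""
    bic = business_indicator_component(bi)
    ilm = internal_loss_multiplier(bi, bic, avg_annual_loss)
    orc = bic * ilm
    return {"BIC": bic, "ILM": ilm, "ORC": orc, "RWA": RWA_FACTOR * orc}


# Constructed banks: (BI, average annual operational loss), EUR millions.
BANKS = {
    "small": (800, 50),
    "mid, high losses": (2_000, 18),
    "mid, low losses": (2_000, 9),
    "large": (40_000, 418),
}

if __name__ == "__main__":
    for name, (bi, loss) in BANKS.items():
        r = operational_risk_capital(bi, loss)
        print(f"{name:18} BIC/BI={r['BIC'] / bi:.3%} ILM={r['ILM']:.3f} "
              f"ORC={r['ORC']:,.0f} RWA={r['RWA']:,.0f}")
```

The two mid-sized banks share one BIC, so the gap between their requirements comes entirely from the loss history feeding the ILM, while the rising BIC/BI ratio shows the bucketing effect on larger banks.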
Revised Operational Risk Capital Framework
March 2016

kpmg.com
Introduction
The Basel Committee on Banking Supervision (BCBS) are proposing to scrap internal modelling of operational
risk capital in an attempt to introduce simplicity and comparability across banks. Banks will welcome this
clarity in an area that has been under review for many years but concerns will remain around increased capital
costs, additional data and disclosure burdens, good risk management incentivisation, national application and
global consistency.

The BCBS has published a further consultation on operational risk capital measurement. This
confirms the withdrawal of the internal modelling‑based Advanced Measurement Approach (AMA), and
proposes to replace all of the Basel II approaches to operational risk with a single revised Business Indicator
(BI) approach – the Standardised Measurement Approach (SMA). Responses should be submitted by 3
June 2016.

The BCBS has also published a consultation paper on revised Pillar 3 disclosure requirements, including
amendments relating to operational risk. These include revising disclosures to meet the newly proposed SMA,
additional disclosures of internal losses, and more detailed information relating to a bank’s operational risk
management framework. Responses should be submitted by 10 June 2016.

These are both part of a wider picture covering all the components of the denominator of the capital ratio – the
BCBS has already published its revised market risk framework, while revisions to the capital treatment of credit
risk and the introduction of a capital floor are both due to be finalised by the end of 2016. It is clear that
apparently technical papers will continue to shape business model and strategy.

Summary
The proposed SMA combines a revised version of the BI approach (which the BCBS first consulted on
in 2014) with some recognition of bank‑specific loss data. The BCBS sees this as a way of introducing
a degree of risk‑sensitivity, which provides some incentive for banks to improve their operational risk
management, while simplifying the approach. Banks with low operational risk losses will benefit
from a lower operational risk regulatory capital charge – although this will not apply to small banks.

The removal of the internal modelling approach for operational risk regulatory capital reflects the
view of the BCBS that the inherent complexity of the AMA and the lack of comparability arising from a wide
range of internal modelling practices has exacerbated the variability in risk‑weighted asset calculations
across banks using the AMA and eroded confidence in risk‑weighted capital ratios.

The BCBS states that the objective of these proposals is not to increase significantly overall capital
requirements. However, this is not a ‘one size fits all’ proposal, and the impact will vary from bank to
bank and will lead to an increase in minimum capital requirements for some institutions.

© 2016 KPMG LLP, a UK limited liability partnership and a member firm of the KPMG network of independent member firms affiliated
with KPMG International Cooperative (“KPMG International”), a Swiss entity. All rights reserved. Printed in the United Kingdom.
Impact on firms
Banks will welcome greater certainty in an area that has been under review for many
years, notably the revisions to the BI approach in response to comments on the 2014
proposals, and the recognition of bank‑specific loss data. However, some concerns are
likely to remain:

Capital
Analysis of the 2014 proposals showed that some global banks could face increases of
up to 70 percent of their Pillar 1 operational risk capital charges. The latest proposals should
have a smaller impact, but this could still be significant for some banks. The overall impact
will also depend on how the proposed new Pillar 1 approach interfaces with Pillar 2 capital
requirements – banks that can demonstrate good internal modelling and strong operational
risk systems and controls could potentially gain a partial offset to higher Pillar 1 requirements.

Data and systems
The data requirements for calculating internal loss experience and the proposed
disclosure requirements will impose an additional burden on some banks. Banks not
currently using the AMA will have to put the necessary systems and processes in place
to collect, analyse, and report the required data; while even banks currently adopting AMA may
have to revise their systems and processes to deliver the required calculations and disclosures.

Incentives for good operational risk management
The introduction of an internal loss component will provide some regulatory incentive for
firms to reduce their operational risk losses. However, this element of risk‑sensitivity is
limited to past losses, and does not include the three other key elements of the AMA, namely
external data, forward‑looking scenario analysis information, and the business environment
and internal control factors (BEICF) data (even if these elements were difficult to apply
consistently across banks under the AMA). The Pillar 2 capital framework is used as a tool by
some regulators to encourage enhanced risk management across banks. As an example
in the UK, the PRA has issued standard methodologies for assessing Pillar 2 operational
risk capital, taking into account internal data, forecast losses and scenario analysis. However,
it remains to be seen how this will be applied by supervisors and how consistently this will be
used globally.

Disclosure
The enhanced Pillar 3 disclosure requirements will require banks to detail how they manage their
operational risks as well as their loss history.

In the detail
Operational risk management and measurement has been a key regulatory focus
given the number of significant loss incidents across banking in recent years, which
banks have failed to prevent or hold sufficient capital against. For example, the PRA has
recently published new standards for Pillar 2 operational risk measurement in the UK,
while the EBA has included operational risk in its 2016 EU‑wide stress test exercise.
The BCBS consultation proposes a new Standardised Measurement Approach (SMA) that revises the Business Indicator (BI) approach (proposed in 2014) and combines it with some recognition of a bank’s internal loss data (for medium and large sized banks), thereby introducing a degree of risk‑sensitivity and providing some incentive for banks to improve their operational risk management. Banks with more effective risk management and lower operational risk losses will be required to hold a comparatively lower operational risk regulatory capital charge. Banks that do not meet the minimum data quality standards will be penalised with a higher capital charge.

The revised BI approach also addresses some of the comments received on the earlier proposal by reducing differences in the treatment of the “distribute only” and the “originate to distribute” business models, under which banks that originate products would have faced a lower operational risk charge; reducing the inconsistent treatment of dividend income across jurisdictions; reducing the impact of high net interest margins and high fee revenues and expenses in inflating the operational risk charge; and taking a more consistent approach to the treatment of leasing compared with credit. In addition, the BI operational risk charge has been made more linear in the way it applies to banks of different sizes.

The concerns previously highlighted in relation to the BI components introduced in the previous 2014 proposal are summarised in Table 1 below, along with the corresponding changes proposed in the new consultation. A comparison of the calculations of each of the BI components across the different rules or proposals (i.e. Gross Income (Basel II), 2014 BI proposal, and latest BI proposal) follows in Table 2.

Table 1: Concerns highlighted in relation to the BI components introduced in the 2014 proposal and corresponding proposed changes in the new consultation

BI component impacted: Interest component
Concern of previous proposal: Inconsistency in the treatment of dividend income
Description of concern raised in previous proposal: The treatment of dividend income in financial statements varies significantly across jurisdictions leading to inconsistencies in the BI across banks, e.g. some banks include dividend income within the interest component.
Proposed changes in the new consultation: Dividend income has been included in the interest component of the BI.

BI component impacted: Interest component
Concern of previous proposal: Overcapitalisation of banks with a high net interest margin (NIM)
Description of concern raised in previous proposal: Banks with high NIM (Net Interest Income/Interest‑earning Assets) have high BI values leading to over‑conservative regulatory capital.
Proposed changes in the new consultation: A linear normalisation ratio for high‑margin banks (larger than 3.5%) is adopted. The Interest component is adjusted by the ratio of the NIM cap, set to 3.5%, to the actual NIM.

BI component impacted: Interest component
Concern of previous proposal: Inconsistent treatment of leasing compared with credit
Description of concern raised in previous proposal: Business models based on credit finance, financial leasing or operating leasing face similar operational risks, therefore the contributions of income and expenses from financial and operating lease to the BI should be consistent with the contribution of credit finance, irrespective of accounting treatment.
Proposed changes in the new consultation: To ensure consistency across banks and jurisdictions, all financial and operating lease income and expenses are netted and then included in absolute value into the interest component (i.e. the absolute value of average lease income over the three years less average lease expense over the three years).

BI component impacted: Services component
Concern of previous proposal: Asymmetric impact on the ‘distribute only’ and the ‘originate to distribute’ business models
Description of concern raised in previous proposal: The former definition of the services component meant that banks distributing products bought from third parties would include both the fee income and fee expense, thereby leading to higher capital than banks producing the products themselves who would include only fee income, even though both banks face similar operational risks.
Proposed changes in the new consultation: The services component is changed from the sum of fee income, fee expense, other operating income and other operating expenses, to the maximum of fee income and fee expense, plus the maximum of other operating income and other operating expense.

BI component impacted: Services component
Concern of previous proposal: Overcapitalisation of banks with high fee revenues and expenses
Description of concern raised in previous proposal: Banks with a high fee component produce very high BI values, resulting in over‑conservative regulatory capital.
Proposed changes in the new consultation: The BI for high fee banks (i.e. share of fees greater than 50% of unadjusted BI) is modified by accounting for only 10% of fees in excess of 50% of the unadjusted BI (with absolute value of net fee income as a floor to avoid unintended capital reductions).

Source: KPMG International, March 2016

Table 2: Comparison of calculations for BI components under each proposal

BI component impacted: Interest Component (ILDC)
Gross Income (Basel II): Interest Income – Interest Expense
Business Indicator (2014 Consultation): Abs (Interest Income – Interest Expense)
Business Indicator (2016 Consultation): Min [ Abs (Interest Income – Interest Expense); 0.035 x Interest Earning Assets ] + Abs (Lease Interest – Lease Expense) + Dividend Income

BI component impacted: Services Component (SC)
Gross Income (Basel II): Fee Income – Fee Expense + Other Operating Income
Business Indicator (2014 Consultation): Fee Income + Fee Expense + Other Operating Income + Other Operating Expense
Business Indicator (2016 Consultation): Max (Other Operating Income; Other Operating Expense) + Max { Abs (Fee Income – Fee Expense); Min [ Max (Fee Income; Fee Expense); 0.5 * uBI + 0.1 * (Max (Fee Income; Fee Expense) – 0.5 * uBI) ] }
Where uBI = Interest Component + Max (Other Operating Income; Other Operating Expense) + Max (Fee Income; Fee Expense) + Financial Component

BI component impacted: Financial Component (FC)
Gross Income (Basel II): Net P&L on Trading Book
Business Indicator (2014 Consultation): Abs (Net P&L on Trading Book) + Abs (Net P&L on Banking Book)
Business Indicator (2016 Consultation): Abs (Net P&L on Trading Book) + Abs (Net P&L on Banking Book)

BI component impacted: Other
Gross Income (Basel II): Dividend Income
Business Indicator (2014 Consultation): Not included
Business Indicator (2016 Consultation): Dividend income included in interest component

Source: KPMG International, March 2016

Under the new approach, banks are divided into five ‘buckets’ based on the value of the BI, as defined in Table 3 below. For banks that fall within the first bucket, with BI of less than €1 billion, the operational risk capital charge would be an increasing linear function of the BI and would not take into account internal losses. For banks in buckets 2 through 5, the capital is calculated in two steps:
1. A baseline level of capital is calculated using the BI component.
2. A portion of the BI component above €1 billion is multiplied by an ‘internal loss multiplier’ which is based on an internal loss component to take into account the different risk profiles of banks, thereby introducing risk sensitivity in the approach. The consultation paper proposes one way of introducing risk sensitivity, while seeking views on alternative approaches.

Table 3: BI component in the 2016 consultation

BI Range: BI Component
1. €0 to €1bn: 0.11*BI
2. €1bn to €3bn: €110m + 0.15(BI – €1bn)
3. €3bn to €10bn: €410m + 0.19(BI – €3bn)
4. €10bn to €30bn: €1.74bn + 0.23(BI – €10bn)
5. €30bn and above: €6.34bn + 0.29(BI – €30bn)

Source: BCBS Consultative Document: Standardised Measurement Approach for operational risk, March 2016

Table 4: Proposed coefficients per bucket under the 2014 proposal

BI (€ Millions): Coefficient
1. 0–100: [10%]
2. >100–1,000: [13%]
3. >1,000–3,000: [17%]
4. >3000–30,000: [22%]
5. >30,000: [30%]

Source: BCBS Consultative Document: Standardised Measurement Approach for operational risk, March 2016

The 2014 proposal introduced a set of escalating coefficients based on the size of the bank as reflected in the BI, assuming that the relationship between operational risk exposure and size increases in a non‑linear fashion. To keep the framework simple, a discrete structure for the coefficients was proposed, as per Table 4. Under the new proposals, the BI component increases linearly within buckets, however the marginal effect of the BI on the BI component increases progressively the higher the bucket. Specifically, the unit increase in the BI relates to a marginal increase of 0.11, 0.15, 0.19, 0.23 and 0.29 under buckets 1, 2, 3, 4 and 5 respectively.
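A worked calculation of the 2016-consultation BI (Table 2) and BI component (Table 3), added here as an illustration and not taken from the KPMG or BCBS documents. The sample bank is constructed, amounts are in € millions, the BI is assumed to be the sum of the interest, services and financial components, and the high-fee adjustment is read as Table 1 describes it (10% of fees in excess of 50% of the unadjusted BI).

```python
"""2016-consultation Business Indicator (BI) and BI component, amounts in EUR millions."""

NIM_CAP = 0.035          # Table 1: net interest margin capped at 3.5%
FEE_SHARE_CAP = 0.5      # Table 1: fees above 50% of the unadjusted BI ...
FEE_EXCESS_WEIGHT = 0.1  # ... are counted at only 10%

# Table 3 buckets: (lower bound, upper bound, marginal coefficient).
BUCKETS = [
    (0, 1_000, 0.11),
    (1_000, 3_000, 0.15),
    (3_000, 10_000, 0.19),
    (10_000, 30_000, 0.23),
    (30_000, float("inf"), 0.29),
]


def interest_component(b):
    """Net interest capped at 3.5% of interest-earning assets, plus net leases and dividends."""
    net_interest = abs(b["interest_income"] - b["interest_expense"])
    capped = min(net_interest, NIM_CAP * b["interest_earning_assets"])
    return capped + abs(b["lease_income"] - b["lease_expense"]) + b["dividend_income"]


def financial_component(b):
    return abs(b["trading_book_pnl"]) + abs(b["banking_book_pnl"])


def services_component(b, ubi):
    """Max of other operating income/expense plus the (possibly reduced) fee element."""
    gross_fees = max(b["fee_income"], b["fee_expense"])
    half_ubi = FEE_SHARE_CAP * ubi
    # Below the 50% share this min() returns gross_fees unchanged.
    reduced = min(gross_fees, half_ubi + FEE_EXCESS_WEIGHT * (gross_fees - half_ubi))
    # Floor: the absolute net fee income, to avoid unintended capital reductions.
    fee_element = max(abs(b["fee_income"] - b["fee_expense"]), reduced)
    return max(b["other_operating_income"], b["other_operating_expense"]) + fee_element


def business_indicator(b):
    """Return every component plus the unadjusted BI (uBI) and the final BI."""
    ildc = interest_component(b)
    fc = financial_component(b)
    ubi = (ildc + fc
           + max(b["other_operating_income"], b["other_operating_expense"])
           + max(b["fee_income"], b["fee_expense"]))
    sc = services_component(b, ubi)
    # Assumption: BI is the sum of the three components, mirroring the uBI definition.
    return {"ildc": ildc, "sc": sc, "fc": fc, "ubi": ubi, "bi": ildc + sc + fc}


def bi_bucket(bi):
    """Bucket number 1-5; a BI of exactly EUR 1bn falls in bucket 2."""
    for number, (lower, upper, _) in enumerate(BUCKETS, start=1):
        if lower <= bi < upper:
            return number
    raise ValueError("BI must be non-negative")


def bi_component(bi):
    """Apply each bucket's marginal coefficient to the slice of BI inside that bucket."""
    if bi < 0:
        raise ValueError("BI must be non-negative")
    return sum(coeff * (min(bi, upper) - lower)
               for lower, upper, coeff in BUCKETS if bi > lower)


# Constructed sample: a fee-heavy bank whose net interest margin is 4%.
SAMPLE_BANK = {
    "interest_income": 1_400, "interest_expense": 600,
    "interest_earning_assets": 20_000,
    "lease_income": 50, "lease_expense": 20, "dividend_income": 20,
    "fee_income": 2_400, "fee_expense": 1_500,
    "other_operating_income": 80, "other_operating_expense": 100,
    "trading_book_pnl": 120, "banking_book_pnl": -30,
}

if __name__ == "__main__":
    result = business_indicator(SAMPLE_BANK)
    print(result, bi_bucket(result["bi"]), bi_component(result["bi"]))
```

Summing the marginal slices reproduces the fixed amounts printed in Table 3 (€110m, €410m, €1.74bn and €6.34bn) at the bucket boundaries, which is a quick consistency check on the table.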

Figure 1 illustrates the resulting regulatory capital under each of the buckets, taking the BI for each bucket as the average between the lower and upper bound for that bucket and assuming a loss multiplier equal to one (i.e. assuming a loss component equal to the BI component which indicates an operational risk exposure in line with industry average). In addition, the impact of the internal loss data on the capital charge is illustrated per bucket by assuming the loss component is half, equal, two times greater, four times greater and six times greater than the BI component. The corresponding percentage changes are further reflected in Figure 2. As internal loss data is not taken into account for banks in the first bucket the capital remains unchanged, while for those in buckets 2‑5 the capital increases proportionately.

Figure 1: £’m change in capital (under SMA) per bucket, with a proportionate change in the data loss component.
[Chart not reproduced. Horizontal axis: BI Buckets 1 to 5. Series: SMA with Loss Comp = 0.5 x, 1 x, 2 x, 4 x and 6 x BI Comp.]
Source: KPMG International, March 2016

Figure 2: The percentage change in capital (under SMA) per bucket, with a proportionate change in the data loss component.
[Chart not reproduced. Horizontal axis: BI Buckets 1 to 5. Series: SMA with Loss Comp = 0.5 x, 1 x, 2 x, 4 x and 6 x BI Comp.]
Source: KPMG International, March 2016

The internal loss component reflects the operational loss exposure of a bank that can be inferred from its internal loss experience. The loss component distinguishes between loss events above €10 million, above €100 million, and smaller loss events, to differentiate between banks with different loss distribution tails but similar average loss totals. Banks would be required to use 10 years of good‑quality loss data to calculate the averages used in the loss component. In the transition period, banks that do not have 10 years of good quality loss data may use a minimum of 5 years of data to calculate the loss component.

Minimum data standards would therefore include:
• A minimum of 5‑10 years of internal loss data (ILD).
• Documented procedures and processes for the identification, collection and treatment of ILD.
• Mapping of ILD to relevant Basel categories and criteria for allocating losses.
• A minimum threshold of €10,000 for capturing ILD.
• Specific loss data information such as gross loss, recoveries, reference dates (date of occurrence, discovery and accounting), drivers and causes.
• Specific criteria for assigning loss data arising from an event in a centralised function.
• The treatment of boundary events.
• Policies and procedures for including ILD in the calculation dataset.

In addition to the minimum data standards, the proposed Pillar 3 disclosure requirements would mean banks also need to capture and report:
• The value of the business indicator/subcomponent drivers of the SMA calculation for the last 3 years (i.e. interest, services, financial).
• Their internal losses for the last 3 years (including the number of losses over €1m, the total amount of losses over €1m, and the total of the 5 largest losses).
• The historical losses used for SMA calculation split out over the last ten years (total amount and total amount over €1m), for banks in buckets 2‑5 using internal losses.

There is an inherent possibility of an extreme event occurring that would not be commercially viable to hold capital against. Arguably, the best approach to managing risks of this nature is to ensure that robust processes are in place around scenario analysis and horizon scanning, and that effective but realistic contingency plans are in place as required – something which should be part of good risk management within the business.

The management and measurement of operational risk has been a key regulatory focus for a number of years given the number of significant loss incidents across the banking sector, which banks have failed to prevent or hold sufficient capital against. Figure 3 shows a timeline overview of regulatory activity for operational risk.

Table 3: Significant policy changes or consultations regarding operational risk modelling
• June 2004 – BCBS, Basel II: Set out the framework of the three approaches to modelling the minimum capital requirements for operational risk (BIA, TSA and AMA); which introduce increasing levels of sophistication and risk-sensitivity.
• June 2011 – BCBS, Supervisory Guidelines for AMA: Provide clearer supervisory guidance relating to governance, data and modelling, to assist the maturity of AMA organisations’ operational risk management and measurement practices.
• October 2014 – BCBS, Revisions to the Simpler Approaches: Introduced the Revised Standardised Approach (RSA) which aimed to simplify BIA and TSA to allow more comparability between organisations using the approach and give a more accurate reflection of the operational risk inherent within a bank.
• June 2015 – EBA, Regulatory Technical Standards - use of AMA: Enhance regulatory harmonisation in the banking sector across the European Union by establishing common standards for the assessment methodology for all AMA approved banks.
• March 2016 – BCBS, Standardised Measurement Approach: Introduced the Standardised Measurement Approach (SMA) aiming to build on the simplicity and consistency offered by the standardised approach as well as improve risk sensitivity by incorporating internal loss data.
Source: KPMG International, March 2016

Basel II current approaches for calculating operational risk capital
The three existing approaches – BIA, TSA and AMA – have features which introduce increasing levels of sophistication and risk‑sensitivity. Internationally active banks and banks with significant operational risk exposures were expected to use an approach that is more sophisticated and that is appropriate for the risk profile of the institution. Banks were encouraged to move along the spectrum of available approaches as they developed more sophisticated operational risk measurement and management systems and practices.

The three existing approaches to calculating operational risk capital are summarised in Figure 4.

Figure 4: Basel II approaches to calculating operational risk capital
Basic Indicator Approach (BIA)
• Not risk‑sensitive
• Based on 15% gross income
The Standardised Approach (TSA)
• Not risk‑sensitive
• Based on weighted percentage of gross income per business line
Advanced Measurement Approach (AMA)
• Risk‑sensitive
• Involves complex, statistical models
• No standard method; allow for flexibility
Source: KPMG International, March 2016

The Basic Indicator Approach (BIA)
Under the BIA, banks are required to hold capital for operational risk equal to the average over the previous three years of a fixed percentage (15%) of positive annual gross income (GI).

The Standardised Approach (TSA)
TSA is simply an extension to the BIA that allows banks to divide their activities into eight business lines and apply a weight to each of these business lines. The capital charge for each business line is calculated by multiplying gross income by a factor assigned to that business line. The factor (known as the beta‑factor) ranges from 12% to 18% depending on the business line. A negative GI for a business line may be included, but a total GI for any given year that is negative must be set to zero.

For both the BIA and TSA, gross income is used as a broad indicator that serves as a proxy for the scale of business operations as it is assumed that a bank’s exposure to operational risk is linearly related to the size of the bank’s revenue. These approaches do not take into account the management of operational risk within the business and therefore are not considered to be risk‑sensitive.

The Advanced Measurement Approach (AMA)
The AMA allows banks to calculate the regulatory capital requirement equal to the risk measure generated by the bank’s internal operational risk measurement system using quantitative and qualitative criteria. This approach takes into account the bank’s historical operational risk loss data, external operational risk loss data (from sources such as ORX), forward‑looking operational risk scenarios, as well as the bank’s Business Environment and Internal Control Factors. While this approach is risk‑sensitive, incorporating the operational risk environment of the bank, it has obtained a reputation for being both too complex and too reliant on statistical models. In order to become AMA approved, banks must be able to demonstrate that they have in place a robust risk management framework.


© 2016 KPMG International Cooperative (“KPMG International”), a Swiss entity. Member firms of the KPMG network of independent firms are affiliated with KPMG International. KPMG International
provides no client services. No member firm has any authority to obligate or bind KPMG International or any other member firm vis‑à‑vis third parties, nor does KPMG International have any such
authority to obligate or bind any member firm. All rights reserved.

Create Graphics | CRT058776 | March 2016


The future of operational risk in financial services
A new approach to operational risk capital management

Understanding the implications of the new Standard Measurement Approach and using it as a catalyst to enhance operational risk management programs

As part of its completion of post-crisis reforms, the Basel Committee on Banking Supervision (Basel Committee) recently finalized its Basel III standard, which complements its previously published initial phase of Basel III reforms.¹

The new standard fundamentally changes how operational risk capital (ORC) is calculated. This shift has major implications for banks’ internal loss data and how it could be used to derive business value and risk management insight.

In the past, many internationally active banks, based on requirements of their primary capital regulator, used a model-based approach that included a number of variables that determined the ORC they were required to hold. Under the new standard, that model-based advanced measurement approach (AMA) is being replaced by the Standardized Measurement Approach (SMA), which essentially limits a bank’s influence over ORC to a single variable: the Internal Loss Multiplier (ILM), which is in turn based on the bank’s actual loss history.

The focus on internal losses when determining a bank’s ORC requirement has two important implications. First, banks need to ensure that their internal loss data—and the systems, processes, and controls associated with building internal loss databases—are as accurate and robust as possible in order to support and substantiate their calculated ILM. Second, banks have a tremendous opportunity to reduce the existing and future ORC by focusing effort on managing and reducing actual operational losses, thereby mitigating the impact of the ILM factor in the calculation of ORC.

The latter will likely require new behaviors and a new mind-set, since many banks have traditionally viewed internal operational risk incidents—and the corresponding losses—as unavoidable costs of doing business and something over which banks have had little control. However, with the addition of strong capital incentives to improve, banks may likely discover that internal losses can, in fact, be actively reduced. This is particularly the case with respect to new analytic and predictive technologies that make it possible to identify root causes and mitigate potential problems and risks before they result in major losses.

This point of view highlights essential components of a mature operational risk management framework that goes beyond compliance with the new standard. We describe how firms can leverage anticipated investments to derive risk intelligence from existing data to generate insight and reduce internal losses. By building an operational risk management framework that goes beyond compliance, banks can better navigate operational risk incidents by actively reducing their impact, allowing them to lead in their industry.

1. Basel III: Finalising post-crisis reforms, Bank for International Settlements, December 2017, https://www.bis.org/bcbs/publ/d424.htm.

The new formula-based approach for calculating operational risk capital
In December 2017, the Basel Committee issued revised standards that finalized its post-crisis reforms and new Basel III framework. The revised standards include a new way to measure the amount of ORC that banks are required to hold. This new SMA seeks to restore credibility in the calculation of risk-weighted assets (RWAs) and improve the comparability of banks’ capital ratios. Specific objectives of the reform include:

• Simplifying the Basel framework by replacing the four current approaches with a single standardized approach
• Making the framework more risk-sensitive by combining a refined measure of gross income with a bank’s own internal 10-year loss history
• Making it easier to compare RWAs from bank to bank by removing the option to use multiple approaches and internal models

The SMA is based on the following components:

• The Business Indicator (BI), which is a financial-statement-based proxy for operational risk
• The Business Indicator Component (BIC), which is calculated by multiplying the BI by a set of regulatory-determined marginal coefficients (αi)
• The ILM, which is a scaling factor that is based on a bank’s average historical losses and the BIC

In practical terms, the ILM is the only variable a bank has significant control over, but its impact can be significant. The revised operational risk framework doesn’t take effect until January 1, 2022. This gives banks time to improve their processes for collecting, managing, and analyzing internal loss data to reduce their ILM and, thus, the ORC they’re required to hold.


Improving the quality of historical loss data
Given the new standardized formula for calculating ORC, banks will likely scale back on their advanced modeling efforts. Instead, they may pivot those resources to improve the quality of their internal loss history through such activities as formalizing definitions of operational risk events and improving incident identification and reporting.

The Basel Committee has provided specific guidelines and criteria for data quality. In particular:

• Banks are expected to base their ORC calculations on ten years of data. During the transition period, five years of data is acceptable. However, for large institutions that previously used the AMA, ten years of data shouldn’t pose a significant challenge as the required incident reporting processes and data quality procedures should already be in place.
• Data is most relevant when it can be directly linked to a bank’s current businesses and internal operating environment. Extra consideration should be given to historical losses in businesses and activities that have been carved out and sold or in businesses being wound down.
• Banks must have documented procedures and processes for the identification, collection, and treatment of internal loss data, including documented de minimis thresholds. Documented policies and procedures for identifying and reporting operational risk events must serve as the starting point for managing data capture and quality.
• Associated procedures and processes must be validated before a bank’s loss data can be used to calculate its ILM and ORC. Regular independent reviews by corporate audit functions and external organizations are also required.
• Specific information and attributes should be collected as part of the data for individual operational risk events. These data elements include gross loss amounts and key reference dates, such as the date of occurrence, date of discovery, and date of accounting. In addition, banks must collect information on recoveries of gross loss amounts as well as descriptive information about the causes and drivers of the loss event.

The Basel Committee has specified that banks failing to meet the minimum loss data standards might be subjected to severe penalties, including the requirement to hold capital that’s at a minimum equal to 100 percent of their BIC.

Changing behaviors and culture
In the financial services industry, the past decade has seen numerous well-publicized and damaging misconduct scandals, both institutional and retail. As a result, improving conduct is at the top of most firms’ agendas.

Advanced operational risk management programs with predictive risk capabilities can provide intelligence on changes in employee sentiments and behaviors that might be early indicators of potential conduct lapses. However, deep-rooted changes at the culture level are also needed.

Many organizations have no pre-defined incentives or consequences related to high-frequency, low-impact operational losses. Typically, only massive loss events have any consequences for management. This is likely due to the fact that operational losses have traditionally been viewed as an unavoidable cost of doing business, and there’s a common perception that management has no control over such losses (unlike credit and market risk, which have standard levers for managing and mitigating risk).

In the wake of the financial crisis, some local regulators introduced “clawback” frameworks and longer term incentive compensation linked to risk adjusted performance. However, these limited efforts haven’t had a significant impact on reducing the industry’s overall operational losses. More recently, the introduction of conduct risk frameworks, along with a renewed focus on culture risk, has helped some organizations begin to better understand the links in product design, compensation and sales incentives, management objectives, and employee behavior.

What’s still missing in many cases is direct accountability for operational risk losses—specifically, consequences that have a meaningful impact on first-line management, whether by affecting the size of their operating budgets and available investment funds or, more personally, by affecting their performance evaluations and compensation. These types of consequence and incentives can help establish a culture where operational losses aren’t just glossed over as a write-off in financial statements.

The SMA makes the long-term capital and business consequences of operational losses more significant for banks. Thus, it’s only common sense for banks to try to change behavior by aligning operational losses with business unit and executive performance. This will require institutions to empower their managers with enough authority and flexibility to change their business environment—including the underlying process and tools—and to manage risks more proactively.


Gaining efficiency by automating data collection and aggregation from multiple sources
Cost efficiency is becoming a higher priority in risk management and compliance, with risk managers increasingly being expected to do more with less. This pressure is creating an incentive for risk leaders to explore and embrace new technologies and techniques that can help improve the efficiency and effectiveness of their programs.

A bank’s infrastructure for operational risk management should leverage automated workflows to continuously monitor for emerging problems and ensure the right people receive the right information in a timely manner, enabling them to respond quickly and effectively.

Banks can consider taking advantage of the latest advances in robotic process automation (RPA) and cognitive technology to streamline and automate routine activities, such as data collection, cleansing, and storage—for both structured and unstructured data. RPA “bots” can be created to continuously scan the internal environment and collect data from pre-determined sources. In conjunction with increased information standardization and more intelligent optical character recognition (OCR) and cognitive technologies, these innovations can transform data into a powerful tool for real-time production and monitoring of key risk indicators, management information, and internal risk and control reporting.

A valuable byproduct of introducing these methods and technologies into operational risk management is the alignment of expectations and outcomes across the three lines of defense:
• The first-line businesses and functions where the risk originates
• The second-line risk and compliance groups
• The third-line internal audit function

Once all three lines of defense agree on a solution and its inputs and outputs—for example, agreeing on what an RPA bot will do, what data it will use, and what reports it will generate—everyone should be able to use the same results, leading to synchronous and seamless alignment.

Creating an effective infrastructure for aggregated risk data and risk reporting
When designing an infrastructure for operational risk data and reporting, institutions should consider the principles issued by the Basel Committee for effective risk data aggregation and risk reporting. Also known as BCBS 239, these principles apply to all key internal risk management models for regulatory capital, including the AMA for operational risk. Although the AMA is being replaced by the SMA, BCBS 239 will continue to be relevant to the design of an operational risk data infrastructure, given the importance of internal loss data to an institution’s calculation of its operational risk capital using the SMA.

The principles outlined in BCBS 239 aim to strengthen banks’ risk data aggregation capabilities and internal risk reporting practices. Broad areas covered by the principles include:
• Overarching governance and infrastructure
• Risk data aggregation capabilities
• Risk reporting practices
• Supervisory review, tools, and cooperation

According to BCBS 239, the term “risk data aggregation” refers to defining, gathering, and processing risk data. For operational risk, key activities include:
• Establishing policies that define operational risk incidents
• Specifying attributes to be collected for each event that’s considered an operational risk incident
• Building an internal loss history as part of an institution’s operational risk database

Moving forward, banks should consider expanding the attributes collected for operational risk events and include a broader range of data elements in operational risk databases to enable more advanced data modeling and analytics.


Developing advanced capabilities in risk analytics and predictive risk intelligence

Armed with aggregated historical data about internal losses (along with robust automated processes for data collection and management), banks will be better positioned to capitalize on advanced capabilities, such as big data analytics, correlation and root cause analysis, and predictive risk intelligence. These capabilities will enable banks to identify patterns and trends that may help reduce internal losses in the future.

Banks have long been interested in finding ways to enhance their traditional operational risk practices via predictive risk intelligence². Although historical data on operational losses is still the baseline for complying with regulatory capital rules, such data has always been seen as a blunt instrument for controlling loss and risk profiles. In the past, the necessary tools and technologies to make more insightful correlations and predictions didn’t yet exist.

A specific challenge is that most Basel historical data models don’t provide enough information for organizations to identify truly meaningful correlations between losses and other factors, leading to insights that are obscure or spurious. Occasionally, experienced operational risk practitioners—with help from data scientists—have used their intuition to identify some patterns among risk profiles, losses, and the events in legacy models. However, this generally didn’t happen until long after the event occurred. In addition, it was often limited to situations where extreme data variations were clearly visible—situations that were so infrequent that they had no real predictive value.

Given the advanced tools and vast amounts of data available today, banks should seize upon the valuable opportunities enabled by predictive risk intelligence, big data analytics, and other breakthrough innovations. Through such techniques as machine learning and artificial intelligence, banks now have the ability to efficiently build and mine large and complex data sets that combine traditional Basel data with transaction data, non-transaction data (e.g., human resources information, compliance data, and internal management information systems), and external data (e.g., sensing data, social media, customer complaints, and regulatory actions). These aggregated models enable vastly improved analytical results and insights by providing billions of data combinations, which greatly increase the likelihood of uncovering patterns and correlations that were previously unnoticeable or detected too late. This can help banks prevent unpredictable tail outcomes, potentially reducing operational losses and capital impacts.

Banks also need to develop robust reporting capabilities that can provide early warnings about emerging situations that may exceed their risk tolerance and risk appetite. Several leading institutions are already using advanced analytics and big data techniques to improve the effectiveness of their risk programs in a wide range of areas, from trade surveillance and third-party risk management to fraud prevention, anti-money laundering, and regulatory reporting.

2. Please see our whitepaper, “Seeing the storm ahead: Predictive Risk Intelligence,” Deloitte Development LLC, 2017, https://www2.deloitte.com/us/en/pages/risk/articles/predictive-risk-intelligence.html.

As used in this document, “Deloitte” means Deloitte & Touche LLP, a subsidiary of Deloitte LLP. Please see www.deloitte.com/us/about for a detailed
description of our legal structure. Certain services may not be available to attest clients under the rules and regulations of public accounting.


Predictive risk intelligence case study


As the world becomes more digitized and customers and
counterparties continue to leverage multiple bank-provided
platforms for their transaction needs, banks rely heavily on the
24x7 availability of the underpinning technologies to facilitate
these transactions. Regulators have also stepped up their efforts
to curb technology failures in order to maintain the integrity of
markets and protect customers. The loss from a technology failure
can not only damage an organization’s reputation and drive away
potential revenue, but it could also result in significant fines from
regulatory agencies.

How does our solution work?

[Figure: flow of the solution from data sources through four stages.]

Internal sources:
• Incident and issue logs
• Capacity monitoring and peak loads
• System upgrades
• Error logs
• Operational incident loss data

External sources:
• External cyber threats
• Customer complaints
• Risk sensing data

Stages: Cleanse and standardize; Analyze and identify risk patterns; Generate early warning signals; Report predictive scores.

Items shown under the stages:
• Data anomaly detection
• Data de-duplication
• Machine learning algorithms
• Predictive modeling
• Risk scores for emerging risk trends
• Near-real-time dashboards with alerts
• System alerts

Deloitte’s predictive risk intelligence (PRi) solution can help organizations uncover information on increasing risk profiles and potentially provide advanced warning of a technology failure event. The PRi solution begins by collecting and evaluating internal and external variables that can best predict a future technology failure. Data is cleansed and standardized to remove anomalies, and machine learning algorithms and other advanced analytics are applied to the data to identify potential patterns of causation and correlation to technology failures, which typically have a very short cycle to impact. Leaders can then view a near-real-time dashboard that provides alerts and early warnings for the organization’s critical systems.

Looking ahead

As operational risk managers search for ways to increase the value of their programs, much of their focus should be on reducing internal losses. An essential step toward achieving that objective is improving the quality and completeness of internal loss data. The greatest value will revolve around identifying patterns and correlations in data and predictive intelligence—aggregating internal loss data with data from a wide range of other internal and external sources and then using the latest cognitive, machine learning, and analytics tools to identify dangerous buildups of potential risk.

These advanced capabilities can give a bank the forward-looking insights it needs to develop effective strategies for mitigating risk and reducing losses, including reducing the bank’s ILM and required ORC.

Contacts

Monica O’Reilly
Banking and Capital Markets Advisory Leader
Principal | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 415 783 5780

Nitish Idnani
Operational Risk Banking Leader
Principal | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 212 436 2894

Krissy Davis
Operational Risk Leader
Partner | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 617 437 2648

Steve Bhatti
Specialist Leader | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
+1 617 437 2451

This publication contains general information only and Deloitte is not,
by means of this publication, rendering accounting, business, financial,
investment, legal, tax, or other professional advice or services. This publication
is not a substitute for such professional advice or services, nor should it be
used as a basis for any decision or action that may affect your business. Before
making any decision or taking any action that may affect your business, you
should consult a qualified professional advisor.

Deloitte shall not be responsible for any loss sustained by any person who
relies on this publication.

Copyright © 2018 Deloitte Development LLC. All rights reserved.


Harvard Business School
Project on Behavioral Finance and Financial Stability

Rethinking Operational Risk Capital Requirements

Peter Sands
Gordon Liao
Yueran Ma

Working Paper 2016-06

Harvard Kennedy School
Mossavar-Rahmani Center for Business and Government

Harvard Business School
Project on Behavioral Finance and Financial Stability

This paper is being published simultaneously as a Working Paper by the Mossavar-Rahmani Center for Business and Government, Harvard Kennedy School, and the Project on Behavioral Finance and Financial Stability, Harvard Business School.

Rethinking Operational Risk Capital Requirements¹

Peter Sands, Harvard University
Gordon Liao, Harvard University
Yueran Ma, Harvard University

Abstract

Operational risk capital requirements represent a relative backwater of the Basel capital framework for banks. We examine both the existing Basel II framework and the latest Basel Committee proposals for reform and conclude that neither is effective in creating appropriate incentives and loss absorbency to minimize negative externalities from operational risk events. We evaluate an alternative approach that would appear to be much more effective in achieving the regulatory objectives. We do not offer a view on the amount of capital required, focusing instead on the methodology and structure of the capital requirement.

¹ Peter Sands is currently a Senior Fellow at the Mossavar-Rahmani Center for Business and Government, Harvard Kennedy School. He was the Group Chief Executive of Standard Chartered Bank from November 2006 to June 2015. Gordon Liao and Yueran Ma are Ph.D. candidates in economics at Harvard University. Peter Sands retains a shareholding in Standard Chartered related to deferred compensation, but has no direct financial interest in any other bank. Gordon Liao and Yueran Ma have no direct financial interest in any banks. The authors are grateful to Robin Greenwood, Karim Haji, Howell Jackson, Hal Scott, Jeremy Stein, and Larry Summers for very helpful comments, and to ORX for their kind help in providing access to their public source data.

1 INTRODUCTION

Operational risk weighted assets (“RWA”) are one of the three components of the
denominator of any bank’s risk-based capital ratio. Operational RWA represent 15.6%
of the RWA of the 30 globally systemically important banks (“GSIBs”).² With an
average Common Equity Tier 1 (“CET1”) ratio of 11.7%,³ this means some
USD$411bn of equity capital⁴ is dedicated to protecting banks, their investors and
ultimately, society from the consequences of operational risk events, as shown in
Exhibit 1. Yet despite the amount of capital involved, the derivation and deployment of
operational risk capital typically receives much less management, regulatory, investor
or academic attention than the two other components of banks’ RWA, credit and
market risk.

Exhibit 1: Operational RWA: a component of the capital ratio denominator

Adjusted Common Equity* / (Credit RWA + Market RWA + Operational RWA) = Common Equity Tier 1 (CET1)

• Operational RWA: represents 15.6% of total RWA for GSIBs
• Average CET1 of 11.7% across GSIBs. So USD $411bn equity aligned against operational RWA

* Adjusted for deductions for expected loss, tax credits, etc

The Basel Committee on Banking Supervision (“BCBS”) has proposed to reform the
calculation of operational RWA, replacing an existing system which offers banks a
choice between three approaches differing in complexity and reliance on internal
models, with a single approach, named the Standardised Measurement Approach
(“SMA”). This has prompted considerable debate, particularly around the overall
impact on banks’ capital requirements, the backward-looking nature of the proposed
methodology, and the complexity and potential unintended consequences of the
calculation, including so-called “cliff effects” arising from the thresholds.⁵

² Average across 30 GSIBs based on company filings and investor disclosures.
³ BCBS Monitoring Report September 2016.
⁴ CET1 of €2,424 billion as of 2015, BCBS Monitoring Report September 2016.
⁵ Responses to the March 2016 BCBS consultative document have voiced a wide range of concerns including the overall impact, lack of transparency, disconnect with managerial actions, poor predictive power, and counter-intuitive consequences. The so-called “cliff effects” arise where losses slightly above or below the defined thresholds can have marked difference on capital requirements.

The objective of this paper is to answer the question of whether the BCBS proposals
fix the widely recognized flaws in the existing system, or whether a more radical
alternative would be better. We start by briefly summarizing the history of operational
risk capital requirements within the Basel framework. We then set out what we think
should be the objectives of an operational risk capital regime and evaluate the
performance of both the existing system and new proposals in delivering against
these objectives. Finally, we suggest and explore an alternative approach that might
achieve the underlying regulatory objectives more effectively.

While the BCBS’s desire to improve the current system is well-intentioned, our
analyses corroborate many of the criticisms directed at the BCBS’s proposals
(hereafter described as the SMA). Yet our objection is more fundamental: our
evaluation suggests that much of the current debate around the SMA largely misses
the point, and that there should be a much more fundamental rethink of operational
risk capital requirements. When one considers the underlying regulatory objectives,
both the existing system and the SMA look deeply flawed, for several important
reasons.

First, despite requiring significant levels of capital, in practice neither approach gives
banks more ability to absorb the losses from operational loss events without negative
externalities such as disruption to credit provision. In effect, the capital deployed
against operational RWA to meet the required capital ratio is “dead” capital, largely
incapable of being used. Without effective loss absorbency, banks are likely to react
to operational losses by cutting lending and shrinking assets, precisely the actions
regulators aim to avoid (Rajan and Stein, 2008; Hanson, Kashyap and Stein, 2011). In
fact, the argument could be expressed more strongly. Since significantly increased
operational losses would lead to increased operational RWA under the SMA and
there is virtually no scope for management to reduce operational RWA in the way a
credit book or trading positions can be managed to reduce credit or market RWA, the
SMA approach arguably provides negative loss absorbency. This lack of loss
absorbency is discussed in more depth in Section 5 (p24-25) using a highly simplified
example to illustrate the point.

Second, both the existing and proposed approaches appear of little to no use in
incentivizing bank management to improve the management of operational risk. Both
approaches are almost entirely backward-looking, while operational risks are
constantly evolving and the drivers of the biggest losses defy mechanistic prediction
from historical data (see Ames, Schuermann and Scott, 2015).

Finally, the weaknesses in the determination of operational RWA across both existing
and proposed approaches, and the sometimes counter-intuitive variability in
outcomes, do little to contribute to the overall credibility and comparability of
risk-based capital ratios. As Exhibit 2 shows, under the current regime, there is
significant variation in the percentage of a bank’s total RWA contributed by
operational RWA. Some of this variation can be explained by differences in strategy
and business model (e.g., the fact that among the GSIBs, State Street and Bank of New
York Mellon have the highest proportions of operational RWA reflects their focus on
custody and settlement services rather than traditional lending), but many of the
differences appear to reflect differences in the approach towards determining
operational RWA across banks and regulatory jurisdictions, rather than differences in
the underlying operational risk profile.

Exhibit 2. Operational RWA as a percentage of total RWA for GSIBs

[Bar chart; vertical axis from 0% to 50%.]

Note: This figure presents the fraction of operational risk weighted asset (RWA) as a
percentage of total RWA for 30 GSIBs as disclosed in regulatory filings and investor reports.

The SMA will eliminate the comparability problems posed by having different banks
use completely different approaches, but arguably, will provide the appearance of
comparability rather than real comparability: under the SMA, two banks could have
equivalent operational RWA whilst facing very different levels of risk, and vice versa.

These considerations lead us to propose an alternative approach that replaces the notion of operational RWA with a capital buffer approach, which could provide both loss absorbency and appropriate management incentives. Under this approach, the size of the buffer would be based on a combination of: 1) scale-based minima expressed in absolute dollar terms; 2) calculated capital to cover unexpected losses for those operational risk types that are amenable to statistical modelling, again expressed in absolute dollar terms; and 3) a judgment-based overlay determined by the regulator on the basis of a structured assessment of the specific risks faced by a bank and its capability to manage and mitigate these risks⁶. When significant loss events occurred, the bank could deploy part of this buffer to absorb the loss. How much of the buffer could be deployed would be agreed with the regulator, together with a plan to return the buffer to the required level.

This approach echoes what a number of regulators have already done. Recognizing the deficiencies of the existing Pillar 1⁷ approach to operational risk in providing either loss absorbency or appropriate incentives, several regulators⁸ have already included forward-looking assessments of specific operational losses (such as losses that arise from regulatory fines) in their Pillar 2 requirements or stress tests.

Our suggestion of shifting to a buffer approach does not imply a reduction in operational risk capital requirements. This approach could be implemented in a manner that is capital neutral, or even that requires more capital. However, for any given amount of capital deployed against operational risks, we believe this approach would achieve the underlying regulatory objectives more effectively than either the existing system or the BCBS proposals. Under our approach, banks would be able to use their operational risk buffers to help absorb significant loss events, thus protecting their core financial intermediation activities from unnecessary disruption.⁹ Regulators could structure the discretionary component of the buffers to provide incentives, penalizing banks with control deficiencies and rewarding those that rectified problems or strengthened their defenses. Investors will see more clearly delineated the underlying CET1 ratio based on credit and market RWA, and the operational risk capital buffer as determined by the regulator, thus contributing to the Pillar III objective of reinforcing market discipline.

If the test of success is protecting society from the negative externalities of operational risks, then the SMA represents an attempt to reform a regulatory construct that has clearly failed. In the wake of the global financial crisis, banks have experienced operational risk losses of unprecedented scale as shown in Exhibit 3. The negative externalities from bank losses have been significant, including reduction in credit provision, disruption to specific markets, withdrawal of certain socially beneficial products, and financial exclusion as a consequence of “de-risking”, plus a significant diminution of trust in the financial system (Ivashina and Scharfstein, 2011; Chodorow-Reich 2014; Zingales 2011). However, the SMA does not really address the flaws in the current regime. It is more an exercise in methodological tinkering that makes some aspects of the current system marginally better, others worse. The scale of recent losses from operational risk events, the amount of capital deployed (albeit ineffectively) against operational RWA, and the significance of the risks banks face in the future, all point to the need for a more radical rethink.

⁶ A variant of this proposal would have only two components, the scale-based minimum and the discretionary element. The logic here is that the calculated component for operational risk types for which the definitions and data are sufficiently robust to enable robust and comparable predictions will be a relatively small contributor to the total and can probably be proxied by the scale-based calculation. This would have the advantage of increasing simplicity.
⁷ As introduced in Basel 2, Pillar 1 emphasizes bank capital adequacy by setting a minimal capital ratio of CET1 to risk-weighted asset (RWA) composed of market, credit and operational RWA; Pillar 2 focuses on supervisory review and enables local regulators to monitor and fine-tune risk management and supervision for individual banks; Pillar 3 enhances disclosure to the public to support market discipline.
⁸ For example, the UK Prudential Regulation Authority, European Banking Authority, U.S. Federal Reserve, Monetary Authority of Singapore.
⁹ The theoretical merits of a buffer approach to capital charges had been examined closely in Kashyap and Stein (2004).

Exhibit 3: Operational losses by year of public disclosure

[Bar chart: publicized losses (US$ billions, vertical axis 0 to 140) by year, 2008 to 2016.]

Note: This figure presents operational losses by the year of public disclosure in filings and media using the Public Source ORX News Data.¹⁰ The date of public disclosure is generally around the announced fine and legal settlement and/or loss provision and accounting dates. The median time between event start (end) date and publication/settlement date is six (three) years.

In the rest of this paper we expand on this argument, setting out in turn:

• The background to today’s operational risk capital requirements and the BCBS
proposals (Section 2)
• The objectives of operational risk capital requirements (Section 3)
• An assessment of the current approach to operational risk capital
requirements against these objectives (Section 4)
• An assessment of the BCBS proposals against these objectives (Section 5)
• An alternative approach (Section 6)
• Potential arguments against the alternative approach (Section 7)
• Concluding comments (Section 8)

¹⁰ Data on publicly announced loss events is provided by ORX (www.orx.org) and presented in Exhibits 3, 6, 7, 8 and 9. The ideas and conclusions do not represent any views of ORX or its members.

2 THE BACKGROUND TO TODAY’S OPERATIONAL RISK CAPITAL
REQUIREMENTS AND THE BCBS PROPOSALS

As highly complex operational businesses dealing with money in all its forms, banks
face a wide range of operational risks, from fraud and theft through regulatory
penalties to system failures, as well as natural disasters, technology glitches and
reputational issues. Failure to manage or mitigate these risks can lead to negative
externalities. A bank that fails as a result of an operational risk event could bring down
other banks, disrupt credit provision or disturb the functioning of markets. Alternatively,
a bank that suffers a significant operational loss may cut back on lending or other
activities to create the capacity to absorb the loss and ensure survival. Because of the
resultant externalities, bank regulators have sought oversight of operational risks and
how they are managed. However, it was only in 1998, following the collapse of
Barings in 1995, that the BCBS formally introduced the notion of operational risk as a
regulatory concern. The idea that banks should hold capital against operational risks
is even more recent. Formal operational risk capital requirements were first
introduced as part of Basel II in 2004.

2.1 The Introduction of Operational Risk

The term “operational risk” became prominent in banking and regulatory circles after a
rogue trader caused the collapse of Barings Bank in 1995. This event highlighted the
importance of internal controls and corporate governance in managing financial
losses associated with fraud, human errors, and technical failures as well as other
breakdowns in normal business processes and operations. In the early days, most
banks and regulators defined operational risk simply as any risk not categorized as
market or credit risk (BCBS, 1999). The consensus among banks was that “the
primary responsibility for management of operational risk is the business unit” (BCBS
1998). The internal measurement, monitoring and control of operational risks at the
overall bank level were still in their infancy. Furthermore, the prevailing view was that
the role of regulatory supervisors in operational risk management should be limited to
encouraging “qualitative improvements” through raising awareness and facilitating the
sharing of best practices (BCBS, 1998).¹¹ The BCBS continued to develop the
concept of strengthening supervisory oversight in subsequent documents such as
“Sound Practices for the Management and Supervision of Operational Risk” (BCBS,
2003).

2.2 The Introduction of Operational Risk Capital Requirements

The concept of operational risk capital requirements was introduced with the Basel II Accord in 2004.¹² Operational risk was introduced as an additional risk category alongside the existing categories of market and credit risk in formulating the revised Pillar 1 framework of minimum regulatory requirements. The BCBS formally defined operational risk “as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk” (BCBS 2006, 2011). Seven broad categories of operational losses were delineated in Basel II: internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery and process management.

¹¹ The 1998 BCBS survey indicated that “few banks seem to have made considerable progress in developing more advanced techniques for allocating capital with regard to operational risk,” although no regulatory discussion of operational risk capital was provided at the time.

There is some debate as to the rationale for moving from a focus on supervisory
oversight of operational risk management practices (known as Pillar 2 in the language
of Basel II) to making operational risk an integral component of the minimum capital
requirements regime (known as Pillar 1). Some have expressed the view that the
BCBS included capital requirements for operational risk in Basel II primarily to offset
the anticipated reduction in capital requirements for credit risk as a result of the newly
introduced internal rating-based (“IRB”) approach (Herring 2005, 2007). There was
also considerable skepticism at the time about the wisdom of adding the
heterogenous and vaguely-defined operational risk RWA, alongside the relatively
well-defined market and credit RWA (Power, 2005).

Basel II stipulated three different approaches to assessing operational risk capital requirements depending on the complexity of a bank’s business (see Appendix A). First, the Basic Indicator Approach (“BIA”) calculates operational risk RWA based on a coefficient (set by the BCBS at 15%) multiplied by the rolling three year average revenue of the bank as a whole. This is the simplest approach and is widely used by small banks. Second, the Standardized Approach (“TSA”) derives operational RWA by applying defined coefficients (set between 12-18%) to the rolling three year average revenue of eight broadly defined business lines. Under this approach a bank’s overall operational risk capital requirement is simply the sum of these calculations.¹³ Finally, large banks with more complex business lines were encouraged to adopt the Advanced Measurement Approach (“AMA”) utilizing the bank’s own internally developed risk measurement framework to develop a Value-at-Risk (“VaR”) to a 99.9% confidence level. In adopting the AMA banks had to meet various criteria around the governance and management of operational risks and be able to demonstrate that they could take account of four variables in their calculation of their own capital requirements: i) internal data; ii) external data; iii) scenario analysis; and iv) the business environment and internal control factors. Whilst the BCBS provided guidance, ultimately it was for home regulators to determine how much to encourage adoption of the AMA and to approve individual banks’ methodologies. This inevitably led to differences between regions. For instance, while US-based GSIBs have mostly adopted the AMA, all but one UK GSIB are under the TSA.¹⁴

¹² Before the introduction of an explicit operational risk capital charge, it was generally held that the credit RWA were designed and calibrated to cover all relevant risks, thus implicitly covering operational risk (OCC, 2007).
¹³ There is also a variant of the TSA called the alternative standardized approach (“ASA”), which is relatively rarely used.
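
The BIA and TSA calculations described above, as an added Python example that is not part of the paper. The details the paragraph leaves out (gross income as the revenue measure, the treatment of loss-making years, the per-line betas and the 12.5 multiplier from capital charge to RWA) are taken from the Basel II text, and the three years of gross income are constructed sample figures.

```python
"""Basel II Basic Indicator (BIA) and Standardized (TSA) operational risk charges."""

ALPHA = 0.15           # BIA coefficient (15%), as stated in the paper
RWA_MULTIPLIER = 12.5  # Basel II: RWA = 12.5 x capital charge (not stated on this page)

# Per-business-line betas from the Basel II text; the paper gives only the 12-18% range.
BETAS = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}

# Constructed sample: annual gross income by business line (USD millions).
# Year 2 contains a large trading loss that makes the bank-wide total negative.
SAMPLE_YEARS = [
    {"retail_banking": 400, "commercial_banking": 300,
     "trading_and_sales": 200, "asset_management": 100},
    {"retail_banking": 400, "commercial_banking": 300,
     "trading_and_sales": -900, "asset_management": 100},
    {"retail_banking": 500, "commercial_banking": 300,
     "trading_and_sales": 100, "asset_management": 100},
]


def bia_charge(years):
    """BIA charge: alpha times the average of bank-wide gross income.

    Years with zero or negative gross income are dropped from both the
    numerator and the denominator.
    """
    totals = [sum(year.values()) for year in years]
    positive = [total for total in totals if total > 0]
    if not positive:
        return 0.0
    return ALPHA * sum(positive) / len(positive)


def tsa_yearly_charges(years):
    """Per-year TSA charge: sum of beta x gross income across business lines.

    A loss in one line offsets the other lines within the same year, but the
    yearly figure is floored at zero before averaging.
    """
    charges = []
    for year in years:
        unknown = set(year) - set(BETAS)
        if unknown:
            raise ValueError(f"unknown business line(s): {sorted(unknown)}")
        weighted = sum(BETAS[line] * income for line, income in year.items())
        charges.append(max(weighted, 0.0))
    return charges


def tsa_charge(years):
    """TSA charge: average of the floored yearly charges over all years supplied."""
    if not years:
        raise ValueError("at least one year of gross income is required")
    charges = tsa_yearly_charges(years)
    return sum(charges) / len(charges)


def to_rwa(charge):
    """Convert a capital charge into operational RWA."""
    return RWA_MULTIPLIER * charge


if __name__ == "__main__":
    for name, charge in (("BIA", bia_charge(SAMPLE_YEARS)),
                         ("TSA", tsa_charge(SAMPLE_YEARS))):
        print(f"{name}: charge {charge:.1f}, RWA {to_rwa(charge):.1f} (USD millions)")
```

In the sample, the loss-making year is dropped from the BIA average but counted as zero in the TSA average, so the two approaches diverge by more than the coefficients alone would suggest.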

Under this framework, operational RWA has steadily increased and, given increased
CET1 ratios, the implied levels of capital dedicated to operational risks have risen
significantly. Exhibit 4 illustrates these developments for the five top European banks.

Exhibit 4: Operational RWA to total RWA ratio and Operational CET1 for 5 top
European Banks

[Line chart: Operational RWA and Operational CET1, 2008 to 2015; vertical axis from 100 to 300.]

Note: This graph shows the time trend of operational risk RWA and the corresponding CET 1
capital (operational RWA*CET1 ratio) for the largest 5 European banks. Operational risk RWA
was not consistently publicly disclosed by US banks before 2013.

2.3 BCBS Current Proposals – The SMA

Under the Basel II framework, banks were “encouraged to move along the spectrum
of available approaches as they develop more sophisticated operational risk
measurement systems and practices” (BCBS, 2006). However, the BCBS’s latest
proposals on operational risk, which were first put forward in October 2014, then
subsequently updated in March 2016, envisage discontinuing all three current
approaches, including the AMA, moving all banks to an updated standardized
approach, the SMA, that incorporates both backward-looking and scale-based
elements. The BCBS cited non-convergence of risk measurement methodologies as a
key reason for withdrawing the option of internal modeling of operational risk under
the AMA (BCBS, 2016). With a logic analogous to recent proposals for credit risk
RWA, the BCBS is looking to achieve greater comparability of operational risk RWA
across banks and regulatory jurisdictions by implementing a single standardized
approach that is more risk-sensitive than current standardized approaches. As the
BCBS states, “the combination of a simple standardized measure of operational risk
and bank-specific loss data provides a sufficiently risk sensitive measure of
operational risk…[and] meets its objectives of promoting comparability of risk-based
capital measures and reducing model complexity.”

14
Among the four UK G-SIBs (Barclays, RBS, HSBC, Standard Chartered), only Barclays utilizes AMA.

Under the BCBS proposals, the SMA will be determined by two components (see
Appendix B): first, a business indicator (“BI”) component with coefficients increasing
with scale (to reflect the BCBS’s view that operational risks increase more than
linearly with the size of banks); and second, an Internal Loss Multiplier (“ILM”) based
on a Loss Component (“LC”) that factors in a bank’s own loss history. The
components are calibrated such that a “bank with a Loss Component equal to the BI
Component is a bank with an exposure at the average of the industry.” In this case the
ILM is set at 1 and the SMA equals the BI component. If the LC is greater than the BI
component, then the ILM increases the SMA. Whilst the principle of above (or below)
average loss experience acting as a multiplier to a standardized calculation is
relatively intuitive, the mathematics of the calculation turn out to be remarkably
complex, given the issues around defining loss and different types of income, and the
outcomes can be far from intuitive, not least due to the “cliff-effects” arising from the
thresholds built into the methodology, and the persistent impact of large losses from
many years ago.
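
The two-component calculation described above, as an added worked example (not code from the paper or the BCBS). The bucket coefficients, loss-size thresholds and ILM formula are taken from the BCBS March 2016 consultative document, which this section points to only via Appendix B, so treat them as assumptions here; the loss histories are constructed and all amounts are in EUR millions.

```python
import math

# Assumed parameters (BCBS March 2016 consultative document, EUR millions).
# They are not reproduced in this section of the paper.
BI_BUCKETS = [  # (bucket lower bound, BI component at that bound, marginal coefficient)
    (0, 0.0, 0.11),
    (1_000, 110.0, 0.15),
    (3_000, 410.0, 0.19),
    (10_000, 1_740.0, 0.23),
    (30_000, 6_340.0, 0.29),
]
LOSS_WINDOW_YEARS = 10
LARGE_LOSS = 10.0        # events above this size are counted a second time
VERY_LARGE_LOSS = 100.0  # events above this size are counted a third time


def bi_component(bi):
    """Piecewise-linear BI component: the marginal coefficient rises with scale."""
    if bi < 0:
        raise ValueError("business indicator must be non-negative")
    lower, base, coef = max(b for b in BI_BUCKETS if bi >= b[0])
    return base + coef * (bi - lower)


def loss_component(events, as_of_year):
    """events: iterable of (year, loss). Only the last ten years count."""
    window = [loss for year, loss in events
              if as_of_year - LOSS_WINDOW_YEARS < year <= as_of_year]
    avg_all = sum(window) / LOSS_WINDOW_YEARS
    avg_large = sum(x for x in window if x > LARGE_LOSS) / LOSS_WINDOW_YEARS
    avg_very_large = sum(x for x in window if x > VERY_LARGE_LOSS) / LOSS_WINDOW_YEARS
    return 7 * avg_all + 7 * avg_large + 5 * avg_very_large


def internal_loss_multiplier(lc, bic):
    """ILM = ln(e - 1 + LC / BIC), which equals 1 when LC equals the BI component."""
    return math.log(math.e - 1 + lc / bic)


def sma_capital(bi, events, as_of_year):
    """SMA capital: BI component scaled by the ILM above the first bucket."""
    bic = bi_component(bi)
    if bi <= 1_000:  # bucket 1: the bank's loss history is ignored
        return bic
    ilm = internal_loss_multiplier(loss_component(events, as_of_year), bic)
    return 110.0 + (bic - 110.0) * ilm


def threshold_cliff():
    """Loss component for one event just below and just above the 10m threshold."""
    return (loss_component([(2015, 10.00)], 2016),
            loss_component([(2015, 10.01)], 2016))


def old_loss_persistence(bi=5_000, loss=1_000.0, loss_year=2008):
    """Capital by reporting year for a bank whose only loss is one old, large event."""
    return {year: sma_capital(bi, [(loss_year, loss)], year)
            for year in range(2016, 2020)}


if __name__ == "__main__":
    below, above = threshold_cliff()
    print(f"LC for a 10.00 loss: {below:.3f}; for a 10.01 loss: {above:.3f}")
    print(f"BI component at BI=5,000: {bi_component(5_000):.1f}")
    for year, capital in old_loss_persistence().items():
        print(f"{year}: SMA capital {capital:,.1f}")
```

In the constructed history the single 2008 loss keeps capital well above the BI component until it drops out of the ten-year window, at which point capital falls in one step, regardless of anything the bank did in between.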

There has been significant debate about the impact on banks’ overall operational risk
capital requirements. There appears to be some ambiguity about underlying intent. In
its original consultation document in October 2014 the BCBS asserted that “the
current standardised framework comprising the BIA, TSA and ASA is on average
undercalibrated, especially for large and complex banks” and suggested that one
objective of the proposed SMA is to address this concern. By contrast, in its March
2016 document the BCBS stated that “the objective of these proposals is to not
significantly increase overall capital requirements.” The consensus amongst analysts
(and indeed many regulators) is that implementation of the proposals as currently
calibrated would lead to significant increases across all jurisdictions, especially in
Europe, where it is estimated that banks would face increases averaging 63% in
operational RWA (ORX, 2016). Exhibit 5 shows the estimated potential impact of the
SMA for a significant number of banks across different regions.

We note this debate because it is the aspect of the BCBS proposals that has arguably
generated most heat. However, in this paper we are not offering an opinion as to
whether operational risk capital requirements should stay at current levels or be
increased (or decreased for that matter). Our concern is to suggest how any
specified quantum of capital can be made most effective in achieving the underlying
regulatory objectives.

Exhibit 5: Impact of proposed SMA capital requirement by region

ORX Response: The Standardised Measurement Approach

Figure 1: SMA as a % of 2015 regulatory approved capital by region

Table 1: Median and mean increases from current regulatory approved capital to the SMA by
region

% capital increase to SMA   All    Australia   Canada   Europe   USA    South Africa
Median                      33.2   8.9         24.6     63.5     26.3   2.9
Mean                        61.3   12          22.9     79.6     33.2   1.3

Whilst the relative increase is highest for European banks (+63.5% Table 1), those banks
headquartered in the USA still hold the greatest proportion of income as operational risk capital
(Figure 2). Under the SMA the median proportion of gross income US institutions would hold in
capital is 31%, compared to 20% for European banks (Table 2). Figure 2 also shows the
spread of capital outcomes to income is broader for the SMA than for 2015 regulatory
approved capital in all jurisdictions except Australia.

(ORX response to the proposed SMA, page 10 of 28, www.orx.org)

Note: The calculation and figure are sourced from the Operational Riskdata eXchange Association
(ORX) in its May 2016 response to the SMA proposal, which is publicly available.

3. THE OBJECTIVES OF OPERATIONAL RISK CAPITAL REQUIREMENTS

Here we offer some observations about prudential regulatory considerations
concerning the operational risks that banks face and then distill some specific
objectives for the design and functioning of an operational risk capital requirement
regime. These objectives can then be used as the criteria by which to evaluate the
existing system, the SMA, and any alternative.

3.1 High Level Observations on the Prudential Regulation of Operational Risks

We offer five high-level observations:

1) Operational risk encompasses a wide variety of risk-types with very
different loss characteristics and predictability. At one end of the
spectrum there are risks like individual credit card fraud, teller errors,
employee expense fraud, or data entry errors, which are characterized by
relatively large numbers of events and relatively small losses per event. These
are amenable to the kinds of statistical analysis of historical data commonly
used in the credit and market risk arenas. Here it is possible to build relatively
robust models of expected and unexpected loss. However, as shown in
Exhibits 6 and 7, banks’ financial losses from operational risks are dominated
by relatively few large loss events from a limited number of risk types, namely
regulatory action, large-scale fraud and rogue traders.

Exhibit 6: Distribution of loss events by size

[Two bar charts over the same loss event size bins in US$ billions (>=5, 1 to 5, 0.5 to 1,
0.25 to 0.5, 0.05 to 0.25, <0.05). Panel A: Aggregate loss amount in US$ billions.
Panel B: Number of events.]

Note: The distribution of operational losses is compiled using the Public Source ORX News
data. The data set consists of 3,250 publicly disclosed banking operational loss events.

Exhibit 7: Categorization of top 250 operational losses

Regulatory: 76%
Fraud: 16%
Other Legal Settlements: 4%
Rogue Trader: 3%
Cyber: 1%

Note: The top 250 losses in aggregate amount to US$468 billion, representing 85% of all
losses in the Public Source ORX News data. The data consists of 3,250 publicly disclosed
banking operational loss events.

The risk types that have led to the largest operational losses are much less
amenable to prediction based on historical loss data than most credit and
market risks for a number of reasons:

a. Individual banks are unlikely to experience enough loss events of the
same type to enable robust prediction. Whilst many banks have
experienced more than one significant regulatory penalty, very few have
experienced multiple significant penalties for the same type of regulatory
issue (and when they have it has normally been as a result of making
separate settlements with different regulatory or law enforcement
agencies for the same event). Likewise very few banks have suffered more
than one significant fraud or rogue trading instance.

b. Significant regulatory issues tend to result in major penalties (or customer
recompense) for all or most of the banks participating in the specific
market (e.g., auction-rate fixing, sanctions breaches) or selling the
particular product (e.g., PPI, MBS). Exhibit 8 shows the composition of
major regulatory penalties. Participation in a market in which one bank
has been penalized appears a better predictor of a future loss of this kind
than a bank’s own loss history.

Exhibit 8: Composition of regulatory-related operational losses

Mortgage-backed securities: 30%
Auction rate securities: 18%
Payment Protection Insurance: 18%
Foreclosure: 9%
Benchmark Rigging: 5%
Other: 5%
Sanctions: 4%
Mis-selling: 4%
Tax: 3%
Mortgage, Other: 2%
Market Manipulation: 2%

Note: This graph shows the composition of 151 regulatory-related settlements and fines
categorized by misconduct type compiled using the Public Source ORX News Data. The
aggregate total of these losses is US$347 billion, or 76% of all top 250 banking operational
losses.

c. With regulatory penalties the lag between the event and recognition of the
loss is usually several years, which means predictions based on losses
would inevitably miss the intervening years. Moreover, the timing and
definition of the losses can be somewhat opaque since they might involve
multiple penalties, settlements, customer compensation, lookbacks,
business restrictions and remedial action, and because accounting
conventions differ on the timing and precise nature of loss recognition.

d. Significant regulatory penalties tend to result in major changes to market
practices, ranging from the withdrawal of the offending products (e.g., PPI)
to radical changes in management practices (e.g., salesforce
incentivization) or market mechanisms (e.g., LIBOR). In these instances,
significant penalties can be seen as indicating the closure of a problem
rather than an indicator of future problems.

e. Regulatory penalties escalated enormously in the years following 2008,
but have now fallen to some degree. Given that regulatory enforcement
actions now dominate most banks’ operational risk losses, a predictive
model for operational risk based on a bank’s historical losses would have
massively underestimated the losses incurred by most major Western
banks from 2009 onwards and may overestimate them now. Exhibit 9
shows regulatory penalties over time by types. The graph illustrates that
the majority of regulatory operational losses were relating to three
categories – payment protection insurance (“PPI”), mortgage-backed
securities (“MBS”) and auction rate securities (“ARS”) – all of which saw a
wave of penalties and customer recompense before diminishing.

These characteristics make us skeptical about the predictive quality of
historical loss data for events such as regulatory penalties, major frauds and
rogue traders – and given that these types of operational losses dominate
overall operational risk losses, skeptical about the value of historical loss data
in predicting future operational risk losses. Some (eg Curti and Migueis, 2016)
have claimed to demonstrate that “past losses are predictive of future
exposure”. However, we think this analysis is flawed, at least when applied to
determining operational RWA. While past losses are predictive for the more
frequently recurring operational risk types, this does not appear to hold for the
more extreme events that dominate overall losses and thus drive the
determination of operational RWA. As Ames et al (2015) point out: “as
operational risk is characterized by highly skewed and extreme outcomes, the
assumed severity distribution must also be highly skewed and allow for extreme
outcomes. The problem is that such distributions also tend to be highly
sensitive to the sparse data used for parameter estimation” (Ames,
Schuermann and Scott, 2015). Moreover, spurious time-series correlations
can arise where there are multiple legal settlements/fines over time for a
singular regulatory failing, as Exhibit 10 illustrates using the LIBOR example.

Exhibit 9: Regulatory-related operational losses by category and year

[Chart: Loss Amount (US$Bn) by year, 2008 to 2016, split by category: Tax; Sanctions;
Payment Protection Insurance; Mortgage, Others; Others; Mis-selling; Mortgage-backed
securities; Market Manipulation; Foreclosure; Benchmark Rigging; Auction rate securities.]

Note: This graph shows aggregate amount of regulatory-related settlements and fines over
time totaling US$347 billion, compiled using the Public Source ORX News Data.

Exhibit 10: Libor-rigging regulatory timeline

Note: This graph plots the timeline of major events and regulatory fines related to
LIBOR-rigging issues as recorded in the press.

Finally, it is worth considering cyber risk, which most bank CEOs would put at
or near the top of their operational risk management priorities. Thus far, banks’
financial losses directly attributable to cyber risk have been relatively low.15
An empirical model based on past losses would almost certainly
underestimate future risks. Moreover, cyber risks would appear to have the
potential to generate disproportionate negative externalities relative to the
direct losses incurred by the bank suffering the risk event (eg leakage of
customer data, or compromising the integrity of the payment system). An
operational risk capital requirement based on historical loss patterns may
incentivize too much “closing the stable door” rather than more
forward-looking assessment and prevention.

2) The regulation of operational risks should focus on avoiding negative
externalities. As with most aspects of the prudential regulation of banks,
operational risk capital requirements should be designed with the objective of
curbing negative externalities. Significant operational risk events can disrupt
the provision of credit, the functioning of markets especially if the banks
affected are key players in certain specialized markets, and could even
threaten financial stability. Therefore, capital requirements should create
incentives for banks to internalize and mitigate the social costs associated with
these risks.

15
For example, a partial review indicates that financial institutions’ average annual costs due to cyber attacks are
around $28 million in 2015 (Ponemon Institute 2015).

Since the term “operational risk” covers an enormously wide (arguably,
unbounded) variety of risk types, it is possible to postulate an extremely broad
range of operational risk events that could have negative externalities. Two
types of event where operational risk capital might appear immediately
relevant are: 1) the event that leads to a financial loss so catastrophic that the
bank fails with direct implications for its customers and potential implications
for financial stability; and 2) the event that leads to the bank suffering a
financial loss so significant that it needs to constrain its lending activities in
order to survive. In both cases it is easy to see how having substantial
operational risk capital resources in place might help the bank minimize the
negative externalities.

However, it is also possible to envisage operational risk events that might not
pose significant direct financial losses to the bank suffering the event, but
could create negative externalities of far greater magnitude. For example, a
bank with a relatively small share in a particular market for traded instruments
might fall victim to a cyber attack that propagates to an extent that it cripples
the entire market, imposing far greater costs on other market participants than
on the bank itself. Ultimately, legal redress and regulatory penalties might lead
to the bank bearing a fuller share, but at the first instance, the direct cost to the
bank might be only a tiny fraction of the societal cost. The point here is that the
scale of the loss to the bank might not be the best measure of societal impact,
and therefore of regulatory concern.

3) Operational risk capital requirements can reduce negative externalities
by enhancing loss absorbency. Where the operational risk event does
cause significant losses to the bank suffering the event, which in turn cause
significant negative externalities, capital can obviously provide loss
absorbency and thus mitigate the knock-on consequences. Where an
operational loss event is of such catastrophic scale as to cause the bank to fail,
the regulator wants to ensure sufficient capital is in place to enable enough
“gone concern” loss absorbency to facilitate orderly resolution,
dismemberment, or sale without recourse to the taxpayer. Where an
operational loss event does not lead a bank to collapse, but is of a magnitude
to put a dent in capital ratios, the regulator wants to ensure sufficient capital is
in place to provide enough “going concern” loss absorbency for the bank to
take the loss in its stride without undue disruption to the bank’s core financial
intermediation activities. In both cases, there is a clear rationale for requiring
banks to hold capital for operational risk events, as long as that capital can be
used when the event happens.

One may argue that since operational events tend to be idiosyncratic, the
negative externalities from operational losses should be limited, as firms can
switch to lenders that are not affected. We make several observations in light
of this view:
- First, it is well documented that switching to different lenders is costly
and substitution is limited, especially for smaller firms (Petersen and
Rajan, 1994; Ashcraft, 2005; Chodorow-Reich, 2014).
- Second, operational losses due to regulatory actions often affect most
banks in a given market (eg ARS, MBS, PPI), which has systematic as
opposed to idiosyncratic impact on financial intermediation activities.
- Finally, if it were true that operational losses pose little threat of
negative externalities, then it seems hard to explain why there are
operational risk capital requirements in the first place.

4) Operational risk capital requirements are only one component of the
prudential regulation of operational risks. As the BCBS has repeatedly
stressed (BCBS 2011), supervisory oversight and other regulations relating to
specific risk-types (eg on data privacy) or governance arrangements (eg
senior management accountability) are also necessary, since operational risk
capital requirements are a relatively blunt and imperfect tool for internalizing
the social costs of operational risk failures and mitigating their consequences.
So the effectiveness of an operational risk capital requirements regime has to
be assessed in the light of how it complements such non-capital based
mechanisms. In this context it is perhaps worth observing that the regulatory
regimes for other industries in which operational risk events can have significant
negative externalities – such as aviation, shipping, pharmaceuticals or nuclear
– tend not to use capital requirements as a regulatory instrument, but instead put
more reliance on standards, reporting, inspection and accountability.

5) The regulatory approach to operational risk must recognize that banks
do not approach operational risk in the same way as credit and market
risk. Banks willingly take on credit and market risks to generate a return. This
is how they make money and perform their role in the broader economy. The
allocation of capital across different types of market and credit risks to
generate returns is central to how banks are run. Measures of return on credit
and market risk RWA are typically embedded at every level of
decision-making from client relationship management and product pricing, to
overall portfolio management and strategy.

This is not how banks approach operational risk. Banks do not take on
operational risk to generate a return in the way they do credit or market risk,
deliberately accepting a quantifiable risk exposure for a prospective return.
Depending on the type of operational risk, their approach will typically vary on
a spectrum from reducing the risk to acceptable parameters within a cost
constraint (eg with credit card fraud), or simply minimizing the risk as far as
possible without any constraint (eg certain types of regulatory or cyber risk).

Even in businesses where the operational risks are large relative to the credit
or market risks, such as custody or clearing, the operational risks are seldom
measured and managed through operational RWA. Indeed, the operational
RWA associated with different types of operational risk rarely gets mentioned
or considered in managing operational risks, often because it is impossible to
identify separately, frequently because it bears no resemblance to
management’s judgement of the prospective risk, and also because
operational RWA is seen more as a tax than a controllable variable.

The implication of this is that whereas credit and market risk RWA are
powerful influences on management behavior, operational risk RWA has very
limited, if any, influence.

Pillar 3 disclosures provide an indication of how differently banks approach
operational RWA versus credit and market risk RWA. Pillar 3 disclosure
obligations vary significantly by jurisdiction, but two examples illustrate the
point. Barclays’ annual Pillar 3 disclosure is 170 pages long and 58 pages are
devoted to a discussion of RWA. Of these 58 pages, three are dedicated to the
£56.7bn of operational RWA that constitutes 16% of Barclays’ total. For credit
and market risk Barclays provides a detailed disaggregation by business line,
credit grade and geography, and explains the derivation of the RWA figure,
showing the performance of their IRB models. By contrast, the disclosures on
operational RWA are much more cursory (Barclays, 2016). Bank of America’s
Q3 Pillar 3 disclosure amounts to 27 pages, of which roughly half a page is
devoted to the precisely $500bn of operational RWA they carry, representing
32% of their total RWA (Bank of America, 2016).

3.2 Objectives of Operational Risk Capital Requirements

Where do these observations take us in thinking about what should be the objectives
of an operational risk capital requirement approach? Whilst we recognize that this is a
matter of judgement, we would offer for consideration the following five objectives:

1) The approach should be designed to provide incentives to minimize and
mitigate negative externalities from operational risk events by internalizing
potential societal costs. This implies focusing on the risk types with most
potential to cause negative externalities.

2) The approach should provide both “going concern” and “gone concern” loss
absorbency to minimize the negative externalities arising from operational risk
events creating significant financial losses. This implies making operational
risk capital “usable”.

3) The approach should be designed to complement supervisory interventions on
operational risk, reflecting the fact that capital requirements will not be the
most effective tool for all risk types. This implies making some element of the
capital requirements subject to regulatory discretion.

4) The approach should be as simple as possible avoiding over-complex
modelling to facilitate implementation, maximize transparency and minimise
the potential for gaming. This is consistent with the BCBS’ emphasis on
reducing complexity.

5) The approach should seek to enable meaningful comparability across
institutions and jurisdictions, so that to the extent possible, equivalent risks
result in equivalent capital requirements. This is also consistent with the
BCBS’ desire to enhance comparability.

4. ASSESSMENT OF THE CURRENT APPROACH TO OPERATIONAL RISK CAPITAL REQUIREMENTS

The Basel II approach to defining operational risk capital requirements, combining the
BIA, TSA and AMA methods arguably fails to meet any of the five objectives
described above. Specifically:

1) Provide incentives to minimize and mitigate negative externalities from
operational risk events. The BIA and TSA approaches create no incentives to
minimize and mitigate the societal downsides of operational risk, because
there is no connection between the effectiveness of a bank’s operational risk
management and its operational risk RWA. Under AMA, there is in theory
more scope for creating such incentives. However, in practice, most banks
that use the AMA see significant disconnects between how they manage their
risks and how they determine their operational RWA (Ames et al, 2016).

2) Provide both “going concern” and “gone concern” loss absorbency. Here, for
reasons discussed in more detail in the next section (because the same
applies to the SMA), none of the three methods appears satisfactory,
particularly in terms of “going concern” loss absorbency.

3) Complement supervisory interventions on operational risk. The BIA and TSA
approaches contribute little or nothing to a more comprehensive approach
towards regulating operational risk. Moreover, as the BCBS have noted, the
fact that they are based on revenue means that the operational risk capital
requirements can fall even when underlying operational risks are rising: “The
most common situation involved banks experiencing a decline in their GI
[Gross Income] due to systemic or bank-specific events, including those
involving operational risk losses, and seeing a commensurate decline in
operational risk capital when intuitively this should have either stayed at the
same level or increased” (BCBS, 2014). By contrast, the AMA approach can
be used as part of a broader array of tools, but this depends on how it is
implemented by individual regulators.

4) Be as simple as possible, avoiding over-complex modelling. The BIA and TSA
approaches are commendably simple, but precisely because they are so
simple, fail to give any insight about the operational risks faced by an
institution. The AMA, on the other hand, is intrinsically complex. As the BCBS
put it in justifying their decision to withdraw the approach “The inherent
complexity of the AMA and the lack of comparability arising from a wide range
of internal modelling practices have exacerbated variability in risk-weighted
asset calculations” (BCBS, 2016).

5) Enable comparability across institutions and jurisdictions. The BIA and TSA
approaches are directly comparable across institutions because they are
formulaically driven from historical revenue. However, it is a consistency of an
unhelpful kind, in that it is equally uninformative about the operational risks
faced by any institution. The AMA, on the other hand, produces RWA results
that are very difficult to compare across institutions and even more difficult to
compare across jurisdictions.

5. ASSESSMENT OF THE BCBS PROPOSALS AGAINST THE OBJECTIVES

The BCBS proposals offer one significant advantage over the current system in that
they envisage one method of calculating RWA rather than three, which certainly aids
simplicity and comparability. However, in general they still score poorly against the
objectives as we have described them, since these proposals fail to address the lack
of loss absorbency in the current system, provide limited incentives and remain
mechanistically backward-looking.

1) Provide incentives to minimize and mitigate negative externalities from
operational risk events. Because they combine a size-based component and a
multiplier related to past loss history, it is hard to see how the SMA provides
anything but very weak incentives to minimize and mitigate operational risk
events with negative externalities. The principal channel through which such
incentives can be created is through the impact of an institution’s loss history
on the ILM. Yet given that the ILM is derived from a 10 year loss history,
actions taken today will have limited impact. A bank that takes decisive action
to remedy control weaknesses following a particular loss event will see no
RWA benefit relative to a bank that is much more dilatory in its rectification
unless and until the less diligent bank suffers another loss event. In addition,
past losses from business lines that are no longer relevant can have a major
impact on capital requirements. For instance, analysts have estimated that the
CET1 ratio of Lloyds will decline by 390bps under the SMA, of which 210bps is
due to PPI-related historical losses (Deutsche Bank, 2016). Since Lloyds no
longer sells PPI and has revamped its sales processes, the logic of PPI being
a powerful driver of its operational RWA for the next decade could be
questioned. Some of the secondary incentives created by the SMA seem
somewhat perverse. The methodology is strongly skewed to advantage
smaller banks, thus disincentivising scale. We are not convinced that this
makes sense. The exclusion of risk mitigants like insurance from the SMA
methodology effectively disincentivizes their use (see Ames et al, 2016, for a
discussion of insurance).

2) Provide “going concern” and “gone concern” loss absorbency. The SMA does
not address one of the biggest flaws in the current system, the lack of loss
absorbency. Whilst banks are required to hold significant amounts of capital,
ostensibly to enable them to absorb operational risk losses, in practice the
capital is unusable, in particular on a “going concern” basis. This is best
illustrated with a stylized example. Suppose a bank has RWA of $100,
comprising credit RWA of $70, market RWA of $15 and operational RWA of
$15. Suppose also that the bank has $10 of equity, so a CET1 ratio of 10%. If
the bank suffers an operational loss of $1 and wants to maintain its CET1 ratio
of 10% its only immediate option (ignoring the flow of profits and retained
earnings for the moment) is to reduce credit and market risk RWA by $10. In
fact, because the operational RWA will increase as a result of the loss, the
bank will have to reduce credit and market RWA by more than $10. In this
highly stylized example, the result will be exactly what a regulator would not
want: the operational risk loss results in a sharp reduction in credit provision
and market facilitation.

There are of course a number of potential objections to this stylized example.
For instance:

• If the bank is operating at 11% CET1 – i.e., it has equity of $11 – it can
absorb the loss without breaching the 10% CET1 limit or reducing credit or
market RWA. This is true, but begs the question of what the $1.5 of equity
represented by CET1 of 10% on operational risk RWA of $15 is for,
because it will not contribute to absorbing this loss. Moreover, given
investor pressure for returns on equity, banks do not typically carry
significantly more equity than they believe they need (which is typically
substantially above the prescribed regulatory minimum, given the
consequences of breaching the minimum).

• If the bank’s retained profits in the next period amount to at least $1 then it
can absorb this loss without denting its capital ratio or reducing credit or
market RWA. Again, this is true, and in practice this is how much of the
most significant operational risk losses are absorbed, but once more it
begs the question of the purpose of the operational RWA (It also misses
the point that it is through retaining earnings that the bank can support
credit growth: in essence the deployment of retained earnings to absorb
the loss is a sacrifice of future credit and market RWA)
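
The stylized example and the two objections above, worked through as an added example (not from the paper); the function, parameter and scenario names are hypothetical. It also covers the variant in the paper's footnote 16, where a credit loss extinguishes its own RWA while an operational loss raises operational RWA; the $1 uplift to operational RWA is that footnote's illustrative figure and the $0.5 uplift is constructed.

```python
def rwa_cut_needed(credit_market_rwa, op_rwa, equity, loss, target_ratio,
                   rwa_extinguished=0.0, op_rwa_uplift=0.0, retained_profit=0.0):
    """Credit/market RWA the bank must shed to hold target_ratio after a loss.

    rwa_extinguished: credit/market RWA that disappears with the loss itself
                      (a written-off loan, a closed-out position).
    op_rwa_uplift:    increase in operational RWA triggered by the loss.
    retained_profit:  next-period earnings retained to rebuild equity.
    """
    if not 0 < target_ratio < 1:
        raise ValueError("target_ratio must be a fraction between 0 and 1")
    equity_after = equity - loss + retained_profit
    rwa_after = (credit_market_rwa - rwa_extinguished) + (op_rwa + op_rwa_uplift)
    rwa_supported = equity_after / target_ratio  # largest RWA the equity can carry
    # A negative gap means the bank has headroom, so nothing needs to be cut.
    return round(max(0.0, rwa_after - rwa_supported), 6)


def scenarios():
    """The paper's stylized bank: $70 credit + $15 market RWA, $15 operational RWA."""
    base = dict(credit_market_rwa=85.0, op_rwa=15.0, equity=10.0, target_ratio=0.10)
    return {
        # Main text: $1 operational loss, 10% CET1 held exactly.
        "op_loss_1": rwa_cut_needed(loss=1.0, **base),
        # Same loss, but operational RWA also rises (constructed $0.5 uplift).
        "op_loss_1_with_uplift": rwa_cut_needed(loss=1.0, op_rwa_uplift=0.5, **base),
        # First objection: the bank starts with $11 of equity (11% CET1).
        "buffer_11pct": rwa_cut_needed(loss=1.0, **dict(base, equity=11.0)),
        # Second objection: $1 of retained profit replaces the lost equity.
        "retained_profit_1": rwa_cut_needed(loss=1.0, retained_profit=1.0, **base),
        # Footnote 16: $2 credit loss at 100% risk weight removes $2 of credit RWA.
        "credit_loss_2": rwa_cut_needed(loss=2.0, rwa_extinguished=2.0, **base),
        # Footnote 16: $2 operational loss lifts operational RWA from $15 to $16.
        "op_loss_2": rwa_cut_needed(loss=2.0, op_rwa_uplift=1.0, **base),
    }


if __name__ == "__main__":
    for name, cut in scenarios().items():
        print(f"{name:>22}: cut ${cut:.1f} of credit/market RWA")
```

In every scenario where a cut is needed, the $1.5 of equity notionally held against operational RWA contributes nothing: the whole adjustment falls on credit and market RWA.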

A more subtle objection points to the fact that if our stylised bank lost $10 on
credit risk (or market risk) rather than operational risk, the same problem might
arise. From this perspective, the problem is less about operational risk than
the construct of requiring banks to hold minimum capital ratios: capital below
the required ratio cannot be used, at least not on a “going concern” basis
because breaching the minimum would compromise the bank’s status as a
“going concern”. The higher the perceived minimum capital ratio, the more
capital is available for “gone concern” loss absorbency, but with potentially no
gain (or even a negative impact) on “going concern” loss absorbency. There is
merit in this argument, but this broader discussion is beyond the remit of this
paper. Here we would simply observe that there may be reasons to believe the
problem of “going concern” loss absorbency is even more acute for
operational risk than it is for credit or market risk:

• First, when a bank writes off a credit or closes out a loss-making position
then the RWA associated with the loan or position is extinguished. In this
way some capital is released, although typically only a small fraction of the
loss. This will not happen with operational RWA under the BCBS
proposals – indeed a significant loss will lead to an increase in RWA
through the ILM16.

• Second, a bank will typically react to significant credit or market losses by
reducing the related portfolio with a consequent reduction in RWA
(although this may be offset by negative credit migration). The point is that
a bank will be actively managing its credit and market RWA both to
maintain target capital ratios and in response to the risk environment. The
SMA does not provide any scope for operational RWA to be managed in
an equivalent way.

16 As an illustrative example, suppose a bank holds $100 of risk-weighted assets composed of $70 of credit RWA,
$15 of market RWA and $15 of operational RWA, and furthermore, suppose the bank holds $10 of equity,
yielding a risk-weighted capital ratio of 10%. A loss of $2 in the credit portfolio reduces equity by $2 and (assuming
100% risk-weighting for simplicity) credit RWA by $2. To maintain a CET1 ratio of 10%, the bank would need to
cut $18 of credit or market RWA. On the other hand, if the loss of $2 is operational in nature, under the SMA
proposal operational risk RWA might increase to $16. To maintain a 10% CET1 the bank would need to cut $21
of credit or market RWA.

• Third, it could be argued that whilst both are relevant, the relative need for
“going concern” and “gone concern” loss absorbency is different for
operational risk versus credit and market risk. Whilst bank failures
typically involve a complex combination of loss drivers, it is extremely rare
for the primary driver to be an operational risk event. Barings is probably
the clearest example in recent history. By contrast we have seen
numerous failures of banks driven by credit losses and losses on market
portfolios. If this is correct, we might want to strike a different balance
between “going concern” loss absorbency and “gone concern” loss
absorbency for operational risk.17

The SMA does not provide “going concern” loss absorbency, but neither does
it automatically help in a “gone concern” scenario. Suppose our stylised bank
suffers an operational loss of $10 wiping out all the equity. In this case the
$1.5 of equity devoted to operational risk will have contributed in part to
protecting the taxpayer. However, this is only true to the extent that the bank is
completely dissolved. To the extent that some aspects of the bank are rescued,
folded into another bank or in some other way kept operational, as is likely to
be the case, then these component parts will have operational risk RWA,
which will likely be elevated given the reason for the failure. So even in a
“gone concern” scenario, there may be limits to the loss absorbency provided
by the bank’s operational risk capital.

3) Complement supervisory interventions on operational risk. As with the current
system, it is difficult to see how the SMA can be used to complement or
reinforce non-capital based regulatory interventions on operational risk, since
the RWA is mechanistically determined on the basis of scale and past loss
history. It is a “top-down” approach that does not link to identified risk drivers
(Peters et al, 2016). Regulators who want to give banks a capital incentive to
rectify particular issues or in anticipation of new threats will need to use a Pillar
2 buffer or the stress tests, as some already do.

4) Be as simple as possible, avoiding overly-complex modelling. The SMA
replaces three methodologies with one.18 However, the methodology is not
particularly simple, since it combines a scale-based element that increases in
a non-linear manner with a multiplier based on loss history. The interaction of
these two components can produce capital requirements that are unstable and
excessively sensitive to large historical losses: two banks with the same risk
distribution can end up with drastically different capital requirements
depending on the random realization of past losses (Peters et al., 2016). A
large GSIB that suffers a one-off significant operational loss (say the
settlement of a regulatory issue related to a business that is now closed) could
face a significant capital penalty for years thereafter, given the interaction of
the loss multiplier with the BI component, exacerbated by the GSIB buffer.
Conversely, a smaller bank that has underinvested in cyber security, but has
been lucky enough so far to escape significant operational loss, might enjoy a
significant capital benefit. The consultation responses also highlighted a range
of methodological issues in the derivation of the ILM, including pronounced
“cliff effects” in the banding of loss events by size, the determination of the
timing of events, and the interaction with accounting practices.

17 The importance of “going concern” loss absorbency also depends on whether firms can find alternative lenders
when the original lender cuts credit availability due to a loss event. It has been well documented that lending
relationships are sticky; switching is costly and substitution is limited (Petersen and Rajan, 1994; Ashcraft, 2005;
Chodorow-Reich, 2014). Moreover, major operational losses (e.g. regulatory fines) tend to be correlated across
banks, thus aggravating the potential impact on credit availability.

18 Banks that currently use the AMA tend to mention one advantage of the SMA: it will enable them to determine
their operational RWA figure, however arbitrary, without devoting nearly as much analytical effort and time as is
currently involved in calculating the (almost equally arbitrary) AMA figure. Yet this is hardly a ringing
endorsement.

5) Provide comparability across institutions and jurisdictions. One of the
strongest arguments made by the BCBS for its proposals is increased
comparability of operational risk capital requirements across banks and
regulatory jurisdictions, because there would no longer be the differences
between banks adopting BI, TSA or AMA, nor the differences in definitions and
methodology between banks using AMA. Indeed the proposals are framed as
part of the broader effort of “[e]stablishing consistency in the implementation of
post-crisis regulatory reforms” (BCBS, 2016). It is true that implementation of
the SMA would lead to consistent application of more comparable
methodology. However, the comparability would be largely meaningless, since
it would not translate into comparable treatment of operational risks. Banks of
the same size facing very different prospective risks might have the same
operational risk RWA. Banks facing equivalent risks could have very different
operational risk RWA due to size, random historical events, or the number of
subsidiaries (Peters et al, 2016).

One aspect of the proposals that seems to demonstrate historical “path dependency”
rather than any underlying logic is the translation into RWA. The SMA methodology
generates a required capital amount which is then multiplied by 12.5 (a throwback to
the old Basel I 8% capital weighting) to arrive at a figure for operational RWA. This
creates an entirely illusory appearance of equivalence to market and credit RWA.
Moreover, in including this contrived operational RWA in the calculation of a bank’s
CET1 ratio we are arguably eroding the credibility of this ratio (which of course is
already challenged by ongoing arguments about discrepancies in credit and market
risk methodologies).

This is a point worth emphasizing. Whatever the flaws of the methodologies to derive
credit and market RWA, they at least represent relatively coherent approaches to
defining the risks attaching to loans and market positions. The risks are well defined,
and in most cases, bounded, in that it is possible to define a maximum exposure or
value-at-risk (this is not the case when writing certain types of derivatives, but even
here it is possible to plot a meaningful loss distribution curve). Definitions of default,
exposure, collateral, mitigants, etc., are well understood and being made increasingly
consistent, and there is an array of well understood and demonstrably effective
analytical tools to translate vast amounts of data on historical losses into assessments
of future risk. Of course there are still many areas of debate, such as with low default
portfolios, or asset classes with low idiosyncratic risk and high systemic risk, but the
fact is that our analytical tools for identifying and measuring credit and market risks
are far more advanced than they are for operational risks.

Moreover, while it is important to create a common metric across credit and market
risks, since banks can often create the synthetic equivalent of a credit exposure
through a market risk approach and vice versa, this is simply not true of operational
risks. Few bankers would consider a dollar of operational RWA as conceptually
representing an equivalent risk as a dollar of credit or market RWA. Indeed, most
bankers would consider a dollar of operational RWA as simply a somewhat arbitrary
regulatory construct that has very little to do with anything, including the management
of operational risk.

6. AN ALTERNATIVE APPROACH

We believe the BCBS proposals fail to achieve the regulatory objectives, largely
because they are focused on fixing perceived problems about comparability and
complexity with the existing system, applying an approach not dissimilar to the logic
used to address the issues with IRB and the Standardized methodologies for credit
risk RWA, rather than going back to first principles to examine the underlying
objectives underpinning the imposition of regulatory requirements for operational risk
capital.

We would suggest that, rather than just debating the finer points of the ILM
methodology, the non-linearity of the BI component, or the potential impact on
overall capital requirements, serious consideration be given to a radically different
approach designed from first principles to achieve the regulatory objectives.

For example, we would see considerable advantages to an alternative approach
comprising the following core components:

1) Replace operational RWA with an incremental operational risk capital buffer
requirement expressed in absolute dollar terms. The operational risk capital
requirement would be switched from being a determinant of the denominator
of the CET1 ratio to being an increment to the required numerator. Specifically,
the total RWA would comprise only market and credit RWA, but the CET1 ratio
would have a new component, the operational risk capital buffer.19 This
change could be made capital neutral, with the required CET1 ratio increasing
to reflect the operational risk capital buffer.20 Making this switch would, when
combined with the other proposed changes, facilitate loss absorbency, and
help align incentives appropriately. This will also enhance the transparency
and credibility of the underlying capital ratio.

2) Determine the quantum of this operational risk capital buffer using a
combination of scale, history and judgement about prospective risks. Whilst
there are various ways of constructing the buffer and we do not attempt to
flesh out a detailed approach in this paper, we see merit in combining three
separately identified components: one related to scale; a second based on
proven models for those types of high-frequency operational risk for which a
bank has sufficient data to provide statistically robust predictions; and a third
based on a process of structured judgement by the regulator.21

The first component would be deliberately crude, like the SMA BI component
(although we are skeptical about the non-linear scalar in the BI), but would
ensure a basic minimum level of operational risk capital.

The second component would only cover those risk types for which there is
sufficient clarity of definition and data to provide confidence that past
experience represents a reasonable guide to future losses. This will be most
relevant for frequently recurring losses like credit card fraud, data entry errors
and petty theft. Banks that have the data and models to do this sufficiently well
(typically those that have been using AMA) would get an appropriate discount
off the scale-based minimum. This second component would not contribute
much to the overall total and could be omitted on grounds of simplicity, but has
the merit of encouraging the development of modelling for those risk types for
which this is appropriate.

19 For example, Bank of America has total RWA of around $1,550 bn, of which $500 bn is operational RWA. Its
common equity tier 1 ratio is 11.6%. This implies that about $58 bn CET1 capital (out of $180 bn total CET1
capital) is accounted for by operational risks. To be capital neutral the $58 billion will become the buffer. The new
CET1 ratio under our approach will be calculated as 180/(1550-500) = 17.1%. The difference between this ratio
and the current CET1 ratio is 17.1%-11.6%=5.5%. This is equal to the buffer divided by our new total RWA,
namely the sum of market and credit RWA.

20 In practice, banks’ models calculate the equity capital required based on 8% capital requirement, and multiply it
by 12.5 to calculate the RWA. In the Bank of America example, the model-based equity capital would be $40
billion. To be conservative, we calculate the buffer using the actual CET 1 ratio (as opposed to 8%), which is $58
bn.

21 A simpler variant would exclude the second component on the grounds that it will represent only a small part of
the total capital requirement and can be reflected in the calibration of the scale-based component. While this is
true, and a two component model would be simpler, we see benefit in encouraging banks to build their data
gathering and modelling capabilities for these kinds of risks.

The third component will be explicitly judgmental, determined by the regulator
informed by their knowledge of prospective risks facing the bank, the quality of
the bank’s operational risk management capabilities, infrastructure and
governance, and broader industry developments and challenges. To derive
this component of the buffer, regulators would need to take account of: i)
specific known risks, such as pending legal settlements for which it is possible
to estimate potential losses (such as those that US banks disclose under
Reasonable and Probable Losses); ii) risk types where it is possible to
describe the loss mechanisms and loss drivers, even if the amounts at stake
are uncertain, such as rogue trading, or emerging regulatory issues; iii) risk
types where the dynamics of loss and negative externalities remain extremely
uncertain, such as cyber risk; iv) assessment of an individual bank’s relative
strengths and weaknesses in infrastructure, capabilities and governance.
The process could involve banks submitting structured self-assessments
along these lines to their supervisor, as input into the regulatory judgement. To
minimize differences across jurisdictions, it would make sense for BCBS to
establish some principles for determining this component of the buffer, but
because it will be separately identifiable, differences in regulatory approach
will be relatively transparent to the market.

3) Provide a mechanism by which banks can seek regulatory approval to use at
least part of this buffer on a “going concern” basis when they suffer a
significant operational risk loss, subject to agreeing whatever remedial action
is appropriate and a time frame and plan to return the buffer to whatever level
the regulator determines. Here again, it would make sense for the BCBS to
establish some principles.

In this paper we do not attempt to provide the details of how to determine or calibrate
the components of the buffer, nor a detailed description of the mechanics by which it
could be used and rebuilt. Our focus here is on discussing the potential pros and cons
of such a radically different approach versus the SMA. How would this be different?

First, by configuring the operational risk capital requirement as an absolute buffer with
a mechanism to allow it to be used, this approach facilitates “going concern” loss
absorbency. This in turn reduces the need for a bank to respond to an operational risk
loss by reducing lending or conducting a fire-sale of marketable securities.

Second, the judgmental component of the buffer enables the regulator to make a
forward-looking assessment of operational risks (which can of course include an
appraisal of the extent to which past losses indicate future risks) and to connect
capital requirements to identified risk drivers. The advantages of this can be seen by
considering a situation where one bank is penalized by the regulators for mis-selling
a product, but it is recognized that other banks sold the same product in a similar way
and are therefore likely to get penalized as well. The SMA (unlike the AMA) gives no
scope for including this risk in the operational risk capital requirement, while under the
alternative approach the regulator can increase the required capital buffer of the
affected banks. This approach also allows a regulator to judge the difference between
a loss that is a harbinger of future problems and a loss, such as a final settlement, that
closes off a problem. This cannot be done under the SMA.

Third, the judgmental component of the buffer allows the regulator to create powerful
incentives for banks’ management to reinforce their operational risk controls. Banks
that fall behind on enhancement programs can be penalized with incremental capital
requirements. Banks that demonstrate material improvements can be rewarded with
reductions in the required buffer. No such flexibility exists in the SMA.

Fourth, including historical data for those risk types for which sufficient loss data
exists to provide robust predictions, leverages the experience of those banks that
adopted AMA and encourages such practices amongst other banks. It seems
perverse to throw away the benefits of the considerable investments in data collection
and modelling where these are of demonstrable benefit. We anticipate that this
element of the buffer would be relatively small, since while these types of risks
account for a very large proportion of the operational risk events by number, they account
for a very small proportion of the total by value. For example, Barclays notes that 83%
of its operational losses by frequency were of amounts of less than £50,000.

Finally, removing operational risk from the calculation of a bank’s RWA should
improve the credibility and comparability of banks’ RWA and capital ratios in the eyes
of investors and counterparties. Investors have typically paid relatively little attention
to the determinants of banks’ operational RWA, rightly considering them rather
arbitrary and unrelated to the prospective operational risks the banks are facing.
However, neither do investors usually strip out operational risk RWA from comparison
of capital ratios. One indication of this lack of interest is the fact that banks’
operational RWA figures are not readily available on the most common industry data
sources, as Exhibit 11 demonstrates. Under both the current system and the BCBS
proposals, operational RWA serve to muddy the assessment of banks’ capital strength.
Under the alternative approach, investors and other market participants will be able to
assess a bank’s operational risk capital requirements separately from its capital
position relative to the credit and market risks it has taken on.

Exhibit 11: Coverage of Operational RWA in commercially available
databases

Source            Coverage of Operational RWA
----------------  -------------------------------------------
Factset           Not available
CapitalIQ         Not available
Bloomberg         Limited (missing data for many GSIBs)
Bankscope         Limited (missing/inconsistent data quality)
SNL Interactive   Limited (missing data for many GSIBs)
Compustat         Not available

Note: This table presents an assessment of the data availability across major commercial
financial databases that provide information on other relevant data including T1 capital ratio
and total RWA.

How would our alternative approach stack up against the five objectives discussed
earlier?

1) Provide incentives to minimize and mitigate negative externalities from
operational risk events. The inclusion of a component of the capital
requirements that is determined by regulatory judgement would enable the
regulator to incentivize banks’ management teams as they see fit.

2) Provide “going concern” and “gone concern” loss absorbency. Constructing
the operational risk capital requirement as an incremental buffer rather than as
RWA and with an explicit mechanism for drawdown would make the capital
much more “usable”. It could be used to absorb significant losses on a “going
concern” basis and it would be available for “gone concern” loss absorbency.

3) Complement supervisory interventions on operational risk. The
judgement-based component of the buffer could be used in conjunction with
other initiatives – either industry-wide or institution specific – to reinforce other
actions to address operational risk concerns.

4) Be as simple as possible, avoiding over-complex modelling. At its simplest the
alternative approach would comprise just two elements: a fixed requirement
based on scale, and a judgemental component at the regulator’s discretion.
Where banks are able to demonstrate to regulators’ satisfaction that historical
loss modelling for specific risk types can provide robust forward-looking risk
assessment this can be included. However, BCBS should determine the risk
types for which this option is available and define methodological and data
standards to be used. The greatest potential complexity would lie in the
determination of the judgmental component of the buffer. Here it would be
helpful for the BCBS to agree some overarching principles.

5) Enable comparability across institutions and jurisdictions. Whilst on the face of
it, there is more room for inconsistency in this alternative approach, given the
inclusion of a component determined by regulatory judgement, in our view the
alternative approach would provide more meaningful comparability than the
BCBS proposals. Within a jurisdiction, the regulator would presumably ensure
consistency of approach towards the banks under its jurisdiction.
Inconsistencies would mainly arise where regulators took different approaches
towards evaluating the judgmental component. This could be constrained in
part by agreeing some principles on how to exercise this judgement for
different risk types and perhaps reinforced by periodic peer review of
processes. Yet even if such differences persisted, the fact that this component
would be separately identifiable would enable market participants to form their
own view of comparability.

7. ARGUMENTS AGAINST THE ALTERNATIVE APPROACH

In this section we discuss potential counter arguments against the alternative
approach. Through our discussions thus far on this topic we have encountered five
principal arguments:

7.1 Is this an attempt to reduce the capital requirements disguised as an
alternative methodology?

Some will argue that moving from an RWA approach to a buffer approach will reduce
discipline and enable banks to achieve a reduction in operational risk capital
requirements through “regulatory capture”. This is not our intent. In fact we would
suggest that the starting point for defining the scale of the buffer should be the same
amount of capital as is currently implied by a bank’s current operational risk RWA and
CET1 ratio (e.g. if a bank has operational risk RWA of $10 and a CET1 ratio of 10%,
and thus implied operational risk capital of $1, then the starting point for defining the
scale of the buffer should be $1). Exhibit 12 shows, for GSIB banks, what the new
capital ratio would be for the buffer to be capital neutral. The blue part is the current
CET1 ratio, and the red bar is the part of the new ratio that is accounted for by
the operational risk capital buffer. Since part of the buffer will be mechanistically defined
as a function of scale, and part empirically derived for predictable risk types, the only
scope for gaming or reduction is the component determined by regulatory judgement.
Our view is that regulators should be asked to give a rationale for reducing the capital
required below the current number, or below the average for the banks in that
jurisdiction.

Exhibit 12: Operational risk capital buffer and CET 1 ratio under proposed
capital-neutral change

[Figure: bar chart with one bar per GSIB bank. Vertical axis: ratio in %, from 0.0 to 25.0. Series: Current CET 1 Ratio (%) and Operational Risk Buffer (%).]

Note: This figure shows the current core tier 1 ratio for GSIB banks (blue bar), and the new
ratio according to our approach (blue plus red). The red bar reflects the part of the new ratio
that is accounted for by operational risks.

In our view, the alternative approach would have significant benefits beyond
operational risk, in that it would improve the meaning and coherence of the CET1 ratio.
The overall CET1 ratio could now be thought of as expressing the amount of equity
capital a bank has against its financial assets as described by its market and credit
RWA, with a defined component of this equity identified as being held against
operational risks. Market participants could then form their own views of the adequacy
of the overall CET1 ratio, the component dedicated to operational risk and the balance
deployed against the financial risks.

7.2 Why not achieve the benefits of the alternative approach by using Pillar 2
buffers or stress tests in addition to the BCBS proposals?

The argument here is that some regulators are already using Pillar 2 and stress tests
to provide loss absorbency and incentivize management as a complement to the
existing system of operational risk capital requirements. Why not encourage all
regulators to do this in addition to implementing the SMA? We have three responses
to this argument:

• First, the fact that regulators are building significant operational risk buffers
into Pillar 2 and incorporating them into stress test scenarios is a powerful
indication that the current system is failing to provide the right incentives and
loss absorbency. The SMA will not change this.

• Second, creating Pillar 2 buffers or using tests in addition to the SMA means
that banks’ overall operational risk capital requirements would make more
acute the question of what purpose the Pillar 1 SMA capital requirement
serves. If equity were a free resource that might not matter. But since the
Modigliani-Miller theorem does not apply very well to banks (Baker and
Wurgler, 2013; Stein, 2012), an arbitrary capital requirement that serves
limited regulatory purpose is arguably a misuse of society’s resources.

• Third, increasing reliance on Pillar 2 and stress tests would seem an odd
outcome given the desire to achieve greater comparability. The operational
risk buffer we propose would be implemented according to consistent
principles, and the judgemental component would be readily identifiable. By
contrast, regulators’ approaches to incorporating operational risks in Pillar 2
and stress tests are far more opaque.

• Finally, there is real benefit in removing operational risk from the determination
of RWA, since its inclusion only erodes the credibility of this metric.

7.3 Won’t differences between regulators’ use of discretion in determining
operational RWA under the alternative approach lead to regulatory arbitrage
and investor confusion?

We recognise that some regulators see the elimination of differences in the regulatory
treatment of operational risk across jurisdictions as a key benefit of the SMA. From
this perspective, our suggestion of a buffer determined in part by regulatory judgment
may not strike a chord. We are sympathetic to the view that overreliance on regulatory
judgement can lead to a corrosion of standards, particularly where the exercise of
such judgment is not transparent (as is typically the case in the determination of RWA,
Pillar 2 add-ons, or stress tests). Yet we believe that a component of operational risk
capital requirements should be determined by forward-looking judgement, rather than
relying entirely on entirely consistent, but also entirely backward-looking formulae. By
making the judgemental component of the operational risk capital buffer transparent,
our approach will expose differences in regulatory approach. Moreover, the scope for
differences in the exercise of judgement could be further constrained by agreement of
principles through the BCBS and potentially, by peer review. Even where the
characteristics of the risk types preclude robust predictive modelling from past losses,
it is possible to take a structured approach to evaluating the risk exposure and drivers
(see, for example, JPMorgan, 2016).

7.4 If the real driver here is to enhance “going concern” loss absorbency
should we not be doing the same thing for credit risk?

Whilst a reasonable argument can be made about whether the current calibration of
capital ratios and credit risk can create a pro-cyclical dynamic with credit losses,
forcing credit contraction as losses are reflected in RWA reduction rather than a
reduction in CET1 (Kashyap and Stein, 2004), this is not our focus here. In any case,
we think operational risk merits different treatment for three reasons:

• First, because banks’ credit RWA plays a central role in the way banks are run
(alongside market RWA). It is the basic measure of the risk capital the bank is
deploying to generate a return. Operational RWA does not play much role, if
any, in the way banks manage themselves.

• Second, whilst far from perfect, historical modelling of credit losses has proved
to be a powerful tool in assessing future credit risks and plays a central role in
banks’ risk management. Historical modelling of operational risk losses is far
less effective, particularly for the types of risk that cause the greatest losses
and have most scope to generate negative externalities. With operational risk
it makes more sense to place greater reliance on regulatory judgement.

• Third, when banks suffer significant credit losses, it is often sensible for the
bank to reduce exposure (and the RWA) to correlated portfolios from both a
shareholder and micro-prudential perspective. If the regulator is concerned
about the impact on the broader economy they already have the
counter-cyclical buffer as a tool they can flex in response.

7.5 Won’t the buffer be quickly exhausted, and what happens then?

We do not anticipate that banks will be allowed to draw down on their operational risk
capital buffers as a regular occurrence. Most operational risk losses will be absorbed,
as now, through depletion of current year earnings. We envisage that regulators
would only allow use of the buffer when the alternative is an undesirable reduction in
financial intermediation activities, and where the remaining buffer still appears not
unreasonable given other prospective risks. Thus it could make sense to allow partial
deployment of the buffer in the face of a particularly large one-off loss or to absorb the
loss from the final settlement of a regulatory issue relating to a business that has
since been closed or where the regulatory deficiencies have been rectified. When an
operational incident is indicative of a broader vulnerability or control weaknesses,
regulators should be much more cautious about allowing use of the buffer.

Of course one can imagine scenarios in which there is an operational loss of such
magnitude that absorbing it purely through the buffer would exhaust the buffer entirely.
In these circumstances, we would envisage the regulator deciding how much of the
loss could be absorbed through the buffer versus through depletion of retained
earnings, reduction in credit or market RWA, or reduction in the overall capital ratio.
The regulator’s decision on use of the buffer should be made transparent and should
reflect a judgement on the minimum acceptable level of the residual operational risk
buffer. In these circumstances, the advantage of the buffer approach is that it enables
at least part of the loss to be absorbed through operational risk capital, whereas under
the current system or the SMA, none of it would be.

7.6 Will abandoning operational RWA and switching to a buffer approach upset
the calibration of other RWA-based metrics such as the counter-cyclical
buffer?

The short answer is that other RWA-based buffers, such as the counter-cyclical and
GSIB buffers, and other ratios, such as the Total Loss Absorbing Capital (“TLAC”)
ratio, will need to be looked at to see whether they need recalibration. However, we
would turn this argument on its head and suggest that rather than being a problem,
this should be seen as another advantage of this alternative approach. Most of these
buffers have been designed with market and credit RWA in mind, without much
consideration of their impact on, and relevance to, operational risk capital
requirements. Consider how adjustments to the counter-cyclical buffer apply to the
capital supporting operational RWA. Increasing the counter-cyclical buffer to “lean
against the wind” in buoyant markets would lead to banks holding more operational risk
capital, while easing requirements to respond to economic stress would lead to a
reduction. Given that operational risk events appear more likely in times of economic
stress (Hess, 2011; Chernobai, Jorion and Yu, 2011; Moosa, 2011), this seems
perverse.

The GSIB buffer and TLAC ratio could be recalibrated for neutrality at an industry
level, although there would be some winners and losers amongst individual banks.
However, we would suggest that the BCBS avoid automatically recalibrating for
neutrality and consider carefully the purpose of these other ratios as they relate to
operational risk. If the primary objective of the GSIB buffer and the TLAC
ratio is to protect the taxpayer against the risks inherent in the financial activities of a
bank then it is not clear whether these buffers and ratios should be recalibrated
pro-rata.

8. CONCLUSION

Operational risk capital requirements drive a substantial proportion of banks’ capital
requirements. The BCBS has recognized the current system works poorly and has
developed proposals for reform. Yet the SMA proposal does not address the most
fundamental problems with the current approach and neither would the suggestions
for refinement that have emerged through the consultation process.

We believe serious consideration should be given to a radically different approach,
along the lines of the alternative capital buffer approach outlined in this paper.
Replacing operational RWA with an operational risk buffer approach would:

• Enable regulators to use operational risk capital far more effectively to
incentivize banks to manage and mitigate prospective operational risks with
potential negative externalities.

• Create a mechanism to provide “going concern” loss absorbency to minimize
the negative externalities from significant operational risk loss events.

• Enhance the clarity and coherence of the CET1 ratio as a measure of capital
against risk-adjusted financial assets as represented by credit and market
RWA.

References

Ames, M., Schuermann, T. and Scott, H.S., 2015. Bank Capital for Operational Risk:
A Tale of Fragility and Instability. Journal of Risk Management in Financial
Institutions, 8(3), pp.227-243.
Ashcraft, A.B., 2005. Are Banks Really Special? New Evidence from the
FDIC-Induced Failure of Healthy Banks. American Economic Review, 95(5),
pp.1712-1730.
Baker, M. and Wurgler, J., 2013. Do Strict Capital Requirements Raise the Cost of
Capital? Banking Regulation and the Low Risk Anomaly. Working Paper.
Bank of America, 2016. Pillar 3 Regulatory Capital Disclosures. Available at:
http://investor.bankofamerica.com/phoenix.zhtml?c=71595&p=irol-basel#fbid=RZu_npO-xC2.
Barclays, 2016. 2015 Annual Report. Available at:
https://www.home.barclays/annual-report-2015.html.
Basel Committee on Banking Supervision, 1998. Operational Risk Management.
Available at: http://www.bis.org/publ/bcbs42.pdf.
Basel Committee on Banking Supervision, 1999. A New Capital Adequacy
Framework. Available at: http://www.bis.org/publ/bcbs50.pdf.
Basel Committee on Banking Supervision, 2003. Sound Practices for the
Management and Supervision of Operational Risk. Available at:
http://www.bis.org/publ/bcbs183.pdf.
Basel Committee on Banking Supervision, 2006. International Convergence of Capital
Measurement and Capital Standards. Available at:
http://www.bis.org/publ/bcbs128.pdf.
Basel Committee on Banking Supervision, 2011. Principles for the Sound
Management of Operational Risk. Available at:
http://www.bis.org/publ/bcbs195.pdf.
Basel Committee on Banking Supervision, 2014. Operational Risk – Revisions to the
Simpler Approaches Issued. Available at: http://www.bis.org/publ/bcbs291.pdf.
Basel Committee on Banking Supervision, 2016. Standardised Measurement
Approach for Operational Risk. Available at:
http://www.bis.org/bcbs/publ/d355.pdf.
Chernobai, A., Jorion, P. and Yu, F., 2011. The Determinants of Operational Risk in
US Financial Institutions. Journal of Financial and Quantitative Analysis, 46(6),
pp.1683-1725.
Chodorow-Reich, G., 2014. The Employment Effects of Credit Market Disruptions:
Firm-Level Evidence From the 2008-09 Financial Crisis. Quarterly Journal of
Economics, 129(1), pp.1-59.
Curti, F. & Migueis, M., 2016. Predicting Operational Loss Exposure Using Past
Losses, Working Paper.
Deutsche Bank, 2016. Operational Risk: Sense Check, Research Report.
Hanson, S.G., Kashyap, A.K. and Stein, J.C., 2011. A Macroprudential
Approach to Financial Regulation. Journal of Economic Perspectives, 25(1),
pp.3-28.
Herring, R., 2005. Implementing Basel II: Is the Game Worth the Candle? Financial
Markets, Institutions & Instruments, 14(5), pp.267-287.
Herring, R.J., 2007. The Rocky Road to Implementation of Basel II in the United
States. Atlantic Economic Journal, 35(4), pp.411-429.
Hess, C., 2011. The Impact of the Financial Crisis on Operational Risk in the Financial
Services Industry: Empirical Evidence. Journal of Operational Risk, 6(1),
pp.23-35.
Ivashina, V. and Scharfstein, D., 2010. Bank Lending During the Financial Crisis of
2008. Journal of Financial Economics, 97(3), pp.319-338.
JPMorgan Chase, 2016. Bridging The Gap Between Operational Risk Measurement
And Management. Conference Presentation.
Kashyap, A.K., Rajan, R.G. and Stein, J.C., 2008. Rethinking Capital Regulation.
In Proceedings of the Jackson Hole Economic Policy Symposium, pp. 431-471.
Federal Reserve Bank of Kansas City.
Kashyap, A.K. and Stein, J.C., 2004. Cyclical Implications of the Basel II Capital
Standards. Federal Reserve Bank Of Chicago Economic Perspectives, 28(1),
pp.18-33.
Office of the Comptroller of the Currency, 2007. Risk-Based Capital Standards:
Advanced Capital Adequacy Framework -- Basel II. Available at:
https://www.regulations.gov/document?D=OCC-2007-0018-0001.
Operational Risk eXchange Association, 2016. ORX Response: The Standardised
Measurement Approach. pp.1-28. Available at: http://www.orx.org.
Moosa, I., 2011. Operational Risk as a Function of the State of the Economy. Economic
Modelling, 28, pp.2137-2142.
Peters, G.W., Shevchenko, P.V., Hassani, B. and Chapelle, A., 2016. Should the
Advanced Measurement Approach be Replaced with the Standardized
Measurement Approach for Operational Risk? Working Paper.
Petersen, M.A. and Rajan, R.G., 1994. The Benefits of Lending Relationships:
Evidence from Small Business Data. Journal of Finance, 49(1), pp.3-37.
Ponemon Institute, 2015. 2015 Cost of Cyber Crime Study: Global. Ponemon Institute
Research Report, p.30. Available at:
http://www8.hp.com/us/en/software-solutions/ponemon-cyber-security-report/index.html?jumpid=va_fwvpqe387s.
Power, M., 2005. The Invention of Operational Risk. Review of International Political
Economy, 12(4), pp.577–599. Available at:
http://www2.lse.ac.uk/researchAndExpertise/units/CARR/home.aspx.
Stein, J.C., 2012. Monetary Policy as Financial Stability Regulation. Quarterly Journal
of Economics, 127(1), pp.57-95.
Zingales, L., 2011. Trust and Finance. The NBER Digest.

Appendix A: Derivation of Operational Risk RWA under Basel II

Basel II employs three different approaches increasing in sophistication and the
complexity of the bank’s operations.

• Basic Indicator Approach (BIA) The simplest approach of the three. Bank must
hold operational risk capital equal to the average of the past three years of gross
income, where positive, multiplied by 15%.

• Standardized Approach (TSA) Bank’s activities are divided into eight business
lines. Gross income is calculated within each business line, and capital charge
is levied on each business line as a fixed fraction of the gross income ranging
from 12% to 18% (see table below). The total capital charge is calculated as the
three-year average of the simple summation of the capital charges across
each of the business lines in each year.

Business Line              Factor
Corporate finance          18%
Trading and sales          18%
Payment and settlement     18%
Commercial banking         15%
Agency services            15%
Retail Brokerage           12%
Retail banking             12%
Asset Management           12%

• Advanced Measurement Approaches (AMA) The most risk-sensitive of the
three approaches. Capital requirement is determined by internally developed
risk models of banks. The AMA requires banks to take into account four
variables in their calculation of capital requirements: i) internal data; ii) external
data; iii) scenario analysis; and iv) the business environment and internal
control factors. The required amount of capital is derived through simulations
that estimate the value-at-risk at the 99.9th percentile. The BCBS provides
general guidance for AMA implementation, and home regulators determine
qualification to use the AMA and approve individual banks’ methodologies.
Banks can adopt AMA for some business lines and TSA for other
less-complex business lines at the same time.
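
As an added example (not code from the paper or from the Basel Committee), the Python below computes the BIA and TSA charges described above for a constructed three-year income history that includes one loss year. The treatment of loss years is an assumption taken from the Basel II text rather than from this appendix: the BIA drops non-positive years from the average, while the TSA floors a negative yearly sum at zero but keeps that year in the three-year average.

```python
# Added example: Basel II Basic Indicator (BIA) and Standardized (TSA) charges.
# All income figures are constructed; units are arbitrary (e.g. USD millions).

BIA_ALPHA = 0.15  # 15% of average positive gross income, as stated in the text

# Business-line factors from the table in Appendix A.
TSA_BETA = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "payment_and_settlement": 0.18,
    "commercial_banking": 0.15,
    "agency_services": 0.15,
    "retail_brokerage": 0.12,
    "retail_banking": 0.12,
    "asset_management": 0.12,
}


def bia_charge(gross_income_by_year):
    """15% of the average gross income over the years in which it is positive.

    Assumption (Basel II rule): years with zero or negative gross income are
    dropped from both the numerator and the denominator.
    """
    positive = [gi for gi in gross_income_by_year if gi > 0]
    if not positive:
        return 0.0
    return BIA_ALPHA * sum(positive) / len(positive)


def tsa_yearly_charges(income_by_year):
    """Sum of factor x gross income across business lines, for each year.

    Losses in one line offset charges in other lines within the same year.
    Assumption (Basel II rule): a negative yearly total is floored at zero.
    """
    charges = []
    for year in income_by_year:
        unknown = set(year) - set(TSA_BETA)
        if unknown:
            raise ValueError(f"unknown business line(s): {sorted(unknown)}")
        total = sum(TSA_BETA[line] * gi for line, gi in year.items())
        charges.append(max(total, 0.0))
    return charges


def tsa_charge(income_by_year):
    """Average of the yearly charges; floored years stay in the denominator."""
    if not income_by_year:
        raise ValueError("at least one year of data is required")
    yearly = tsa_yearly_charges(income_by_year)
    return sum(yearly) / len(yearly)


# Constructed history: year 2 carries a large trading loss.
SAMPLE_YEARS = [
    {"retail_banking": 400.0, "commercial_banking": 300.0, "trading_and_sales": 200.0},
    {"retail_banking": 420.0, "commercial_banking": 280.0, "trading_and_sales": -1500.0},
    {"retail_banking": 440.0, "commercial_banking": 320.0, "trading_and_sales": 240.0},
]


def compare(income_by_year):
    """Return both charges side by side for the same income history."""
    gross = [sum(year.values()) for year in income_by_year]
    return {
        "gross_income": gross,
        "bia": bia_charge(gross),
        "tsa_yearly": tsa_yearly_charges(income_by_year),
        "tsa": tsa_charge(income_by_year),
    }


if __name__ == "__main__":
    for name, value in compare(SAMPLE_YEARS).items():
        print(name, value)
```

On this history the loss year vanishes from the BIA average but pulls the TSA average down, so the same bank holds noticeably less capital under the TSA.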

Appendix B: Derivation of Operational Risk RWA under the proposed
Standardised Measurement Approach (SMA)

Under the proposed SMA in the March 2016 BCBS Consultation Paper, the operational
risk capital charge is determined by multiplying a Business Indicator (BI) component
that assesses the scale of the bank’s operation by an Internal Loss Multiplier (ILM) that
reflects historical operational losses.

• The BI is comprised of three components: the financial component; the interest,
lease and dividend component; and the services component. The BI aims to capture
P&L items that are found in the composition of gross income. It is determined
based on the past three-year average of the individual components. The main
conceptual difference relative to the BIA under Basel II is that the newly
proposed BI emphasizes non-linearity that disproportionately raises the capital
charges for banks with larger operations. Banks are categorized into five
buckets based on the size of their operation. The BI component increases
non-linearly across buckets.

• The BI is multiplied by the ILM to arrive at the SMA capital charge. The loss
multiplier is formulaically determined by average historical losses over the past
10 years calculated as follows:

• The constants in the formula for BI and ILM are determined through calibration
in BIS’s Quantitative Impact Study conducted in 2015 with the intention of
preserving capital neutrality relative to existing charges.

A Modification to the Basel Committee’s Standardized Approach to Operational Risk
05.04.22

Francisco Covas, Katie Collard, Brett Waxman, Gonzalo Fernandez Dionis, Jose Tapia

The U.S. banking regulators will at some point release a proposal to implement the latest changes to
the Basel Committee capital framework in the United States. One important novelty of the Basel
framework is the introduction of a new capital charge for operational risk, known as the standardized
approach for operational risk or “OPE.” If the OPE is implemented in the U.S., it would be the first
time that a U.S. standardized approach to calculating risk-weighted assets includes an explicit capital
charge for operational risk.

The standards promulgated by the Basel Committee use a simple approach to estimate operational
risk and determine the minimum required capital. In essence, the OPE uses a financial-statement-based
proxy which is based on certain income and expense balance sheet items. This is called the
Business Indicator, or BI. Specifically, as further described herein, the BI component utilizes three
different types of income streams (each averaged over the last three years) to determine required
operational risk capital: interest component; services component; and financial component.

Although the OPE is a significant improvement over the current advanced measurement approach for
several reasons, it comes with some important potential drawbacks. In this note we show that banks
with business models that rely more heavily on noninterest income (e.g., capital market activities,
custodial services) relative to net interest income will have an inappropriately high BI component and
therefore an excessive operational-risk capital requirement.

One important novelty in this note is that we estimate the operational risk losses used in the Dodd-Frank
Act stress tests and benchmark them against the operational risk capital requirements derived
under the OPE. In this comparison, we assume that the OPE’s capital requirements apply over a one-year
horizon and adjust operational risk losses in DFAST accordingly. There are two key advantages to
comparing Basel’s capital requirement for operational risk and operational risk losses in DFAST. First,
operational risk losses in DFAST are tightly linked to banks’ idiosyncratic business and risk profiles.
Second, operational-risk losses in DFAST are derived under severe economic conditions, so those
estimates are already biased to the upside.

Our results show that the operational risk capital requirement using the OPE is significantly higher
than operational risk losses in the stress tests for almost all large banks. The difference in capital
requirements is especially elevated for banks with proportionately higher fee revenue and expenses.
To avoid an overstatement of the operational risk capital requirement, we investigate a cap to the
BI’s services component, similar to the 2.25-percent cap that already exists on the BI’s interest
component. Extending a similar cap to the BI’s services component would be a natural extension of
Basel’s OPE methodology. Analysis shows that introducing a cap on the services component equal to
2.25 percent of total assets (adjusted for certain safe assets) would significantly ameliorate concerns
about the existing OPE methodology.

BANK POLICY INSTITUTE: Research Paper


A Brief History of Operational Risk in the Basel Framework
The first Basel Capital Accord was released in 1988 and established a risk-sensitive framework to quantify bank
assets, thereby initiating what is now usually referred to as risk-weighted assets.1 Basel I categorized bank assets
into five risk categories and assigned risk weights ranging from 0 to 100 percent to each, based on each category’s
level of credit risk. The calibration of capital charges in Basel I was designed to reflect these credit risks. The
original Basel framework did not separately account for operational risk, but implicitly accounted for it instead in
the overall calibration of risk weights and minimum capital ratio requirements. For example, the U.S. banking
agencies’ October 2005 advance notice of proposed rulemaking for Basel II implementation in the United States
noted that capital charges for operational risk (and interest-rate risk) were embedded in the Basel I risk-based
capital rules:

The existing risk-based capital requirements focus primarily on credit risk and
generally do not impose explicit capital charges for operational or interest rate risk,
which are covered implicitly by the framework.2

Operational risk is defined as the risk of losses derived from inadequate or failed internal processes, people, and
systems or from external events. The precise types of losses included in this definition have evolved over time.
Under Basel I, operational risk generally included any type of unquantifiable risk faced by a bank.3 In the early
2000s, the BCBS published a set of principles on the management and supervision of operational risk including
seven broad types of events that could result in material losses: internal fraud; external fraud; employment
practices and workplace safety; clients, products and business practices; damage to physical assets; business
disruption and system failures; and execution, delivery, and process management.4

Basel II elevated operational risk to a category of its own and assigned it an explicit capital charge. The revised
capital framework included three distinct methodologies to calculate the operational-risk capital charge: the basic
indicator approach, the standardized approach, and the advanced measurement approach (AMA). The first two
approaches were based on fixed percentages of average operating income, with the standardized approach being
slightly more granular across business lines than the basic indicator approach. The AMA modeled operational-risk
loss exposure using data on each bank’s historical experience.

Although the Basel Committee defined the AMA operational-risk exposure as the 99.9th percentile of the
distribution of aggregate operational-risk losses over a one-year horizon, making such an estimation with any
degree of accuracy is impossible, so taking such estimates seriously is silly. In practice, banks could use various
models including scenario analysis or extreme value theory to quantify operational risk. However, the lack of
concrete guidance led to huge variability in operational-risk charges across jurisdictions, especially since not all
jurisdictions were as permissive in terms of allowing banks to use scenario analysis to lower their AMA models’
outputs. The final implementation of the Basel II Accord in the United States only subjected the largest banks to an
explicit capital charge for operational risk and required them to use the AMA to determine this charge.

1 “History of the Basel Committee.” Bank for International Settlements. Available at https://www.bis.org/bcbs/history.htm.
2 Risk-Based Capital Guidelines; Capital Adequacy Guidelines; Capital Maintenance: Domestic Capital Modifications, 70 Fed. Reg. 61,068 at
61,071 (Oct. 2005).
3 Power, Michael. “The Invention of Operational Risk.” Review of International Political Economy, October 2005. Available at researchgate.net.
4 See “Sound Practices for the Management and Supervision of Operational Risk,” Basel Committee on Banking Supervision, February 2003.
Available at https://www.bis.org/publ/bcbs96.pdf.

2 www.bpi.com
The most recent Basel Accord replaces all three Basel II methodologies for operational risk with a new
standardized measurement approach. The OPE presents a unified, non-model-based approach that aims to
maintain risk-sensitivity of the framework but overcome some limitations of prior approaches. In essence, the OPE
combines information from financial statements and historical losses to calculate an operational-risk capital
charge.

The Standardized Approach for Operational Risk


The new standardized approach for operational risk calculates operational-risk capital requirements in three steps.
First, it estimates a financial-statement-based proxy for operational risk (the BI), using a bank’s income and
expense items as inputs. The BI is defined as the sum of three components: (1) the interest, leases, and dividend
component; (2) the services component; and (3) the financial component. Each component is calculated based on
the income generated by the relevant activities. A complete derivation of each of the three components is
contained in the Appendix.

Second, the OPE multiplies a bank’s BI by a coefficient that increases as the BI rises to generate the Business
Indicator Component (BIC). For instance, a bank with a BI between €1 billion and €30 billion is subject to a
coefficient of 15 percent, whereas a bank with a BI more than €30 billion is subject to a coefficient of 18 percent. In
the last step, the BIC is multiplied by a scaling factor, or internal loss multiplier (ILM), that depends on each bank’s
average historical losses over the last 10 years. Throughout this analysis, we will assume the ILM is equal to 1,
which is permissible in the Basel framework.5

Third, the risk-weighted-assets associated with operational risk are defined as:

RWA for Operational Risk = 12.5 × ILM × BIC     (1)

5 According to the definition of ILM, it is more likely for the ILM to exceed 1 than to be lower than 1.

Exhibit 1 plots the RWA for operational risk relative to total RWA as currently defined. The bar chart uses data on
bank income statements between 2018 and 2020, since the BI is calculated using an average of financial data over
a three-year period (see the Appendix for details). Although which U.S. banks will be subject to OPE under the
Basel proposal is still unknown, we have included all banks with more than $100 billion in assets and therefore
subject to the Fed’s stress tests.6

As shown in the chart, the share of RWA for operational risk across large banks varies widely. Specifically, the share
of operational risk in total RWA varies from 6.7 percent for Citizens Financial Group (CFG) to 48.3 percent for
American Express (AXP). As the purple portions of the bars show, the services component generates a significant
share of RWA for operational risk, especially for banks that tend to have the highest operational risk capital
requirement.7

6 This set of banks represents the largest cohort that allows us to compare Basel’s operational-risk requirement with losses associated with
operational risk events in the Fed’s stress tests.
7 The operational risk requirement is higher for larger banks, so relative to revenues the outliers are the largest banks followed by AXP.

Exhibit 2 breaks out the services component for banks for which the share of RWAs generated from the services
component is highest and shows the portions of RWA generated from investment banking, fiduciary services,
credit card and payments fees, and other fees and services. The portion of the services component generated by
credit card and payments fees alone would account for nearly 40 percent of AXP’s RWA. For UBS, investment
banking fees generate an operational risk-based RWA that would account for about 20 percent of the firm’s
aggregate RWA. For DB, income from other fees and services would also generate nearly 20 percent of its
aggregate RWA.

The services component of the OPE drives these outsized operational risk charges because the BI formula
generates higher RWAs from noninterest income than from interest income. Specifically, the operational risk
capital requirement tied to interest income offsets interest income with interest expense and is no higher than
2.25 percent of interest-earning assets. By contrast, the operational risk capital charge tied to noninterest income
does not offset revenues with expenses and it is uncapped. The decoupling between the interest and services
components penalizes banks with a business mix tilted toward noninterest income in the absence of any evidence
of higher operational risk. In addition, the differences in capital requirements across the interest and services
components misalign the risk of banking products that generate both interest income and noninterest revenue,
such as credit cards.

This overstatement of risk for banks whose business mix is tilted towards noninterest revenues could be corrected
by capping the BI’s services component at 2.25 percent of a banking institution’s total assets (less reserve
balances, Treasuries, and Agency MBS to mitigate procyclicality).8 For some lines of business, it would also be
logical to offset fee income with fee expense because the product generating the two flows is the same (e.g.,
credit card fees are aligned with credit card member rewards). However, for other firms, the fee income source is
mainly from investment banking and fiduciary fees while the major source of expenses comes from brokerage and
clearing activities. In this latter case, offsetting fee income with fee expenses is less straightforward because there
is less of a comparable relationship between services offered and services used. That said, this is a topic that
deserves further analysis beyond the one done in this note.

8 The argument to also exclude Treasuries and Agency MBS in addition to deposits at Federal Reserve Banks is that in a downturn loan demand
is weak and banks hold a larger share of their portfolios in securities.

Losses Associated with Operational Risk Events in the Federal Reserve Stress Tests
The Federal Reserve’s stress tests estimate losses associated with operational risk events for banks above $100
billion in assets using banks’ own historical data on operational risk losses. Those projections offer a robust reality
check against the capital requirements for operational risk calculated in Exhibit 1. The level of losses associated
with operational risk events in the stress tests depends significantly on the severity of the stress scenarios. In
addition, since the losses in the stress tests are derived using banks’ own historical data, analyzing the correlation
between OPE’s capital charges and operational risk losses in the Fed’s stress tests is also useful.

One key challenge is that bank-level losses associated with operational risk events in the stress tests are not
disclosed but are included in the noninterest expense projections. Fortunately, the projections of noninterest
expense are publicly available. The Federal Reserve provides a description of the models used to generate the
projections of noninterest expense without operational risk losses in the stress tests. Moreover, those projections
rely entirely on data from banks’ FR Y-9C regulatory reports, which are publicly available. Therefore, we estimate
losses associated with operational risk events in the stress tests as the difference between the Federal Reserve’s
projections of noninterest expense and the projections based on our own models and publicly available data. In
addition, the Federal Reserve also publishes aggregate operational risk losses in the stress tests for all firms—
another useful datapoint to help calibrate our estimates.

The supervisory stress test methodology document states that the Federal Reserve uses three regression
equations to project the components of noninterest expense in the stress tests: compensation expense; fixed
assets expense; and all other noninterest expense, excluding operational risk losses and OREO expenses.9 The
supervisory models are estimated using data from the FR Y-9C. These data are publicly available, so it is therefore
possible to approximate some of the assumptions the Federal Reserve uses in its projections, excluding operational
risk losses and OREO expenses. The projections are based on autoregressive models that relate each specific
noninterest expense subcomponent (expressed as a share of total assets) to macroeconomic variables, previous
values of the expenses, bank fixed effects, and other bank-specific variables.

The Federal Reserve’s description of expense models offers useful information about the functional form of the
regression models, but it does not say precisely which macroeconomic or bank-specific variables are included in
each regression. Based on an analysis of DFAST 2020 results, we find that compensation expenses and other
noninterest expenses are positively correlated with stock returns, while real GDP growth drives some of the
variation in expenses of premises and fixed assets.

The Federal Reserve uses banks’ own historical data on operational risk losses to develop two different modelling
approaches during its stress testing exercise: a linear regression model and a historical simulation model. The
regression model correlates operational risk losses with macroeconomic variables such as BBB spreads, the house
price index, and the unemployment rate. Operational losses are estimated for the full sample of banks. The share
of losses allocated to a given firm is a function of the size of the firm, measured by the total assets of each bank.

9 The Federal Reserve excludes operational risk losses and OREO expenses from all other noninterest expense because there is a separate
supervisory model that estimates losses from fraud, employee lawsuits, litigation-related expenses, or computer system or other operating
disruptions. We removed these types of expenses from all other noninterest expense using the information from the write-in fields for other
noninterest expense. We also exclude goodwill impairment losses and amortization expense from noninterest expense.

The historical simulation model attempts to capture historical variation in operational risk losses across seven
different types of operational risk events based on data the Fed receives directly from the firms. The projected
operational risk losses used in the Fed’s stress tests are calculated as an average of losses obtained from each
model.

We will also follow a similar approach and average the projections for operational risk losses from the regression
model with those obtained by allocating aggregate projected operational risk losses from the stress tests using
bank size. Next, we divide our estimate by 2.25 percent to transform a nine-quarter projection into a yearly
estimate, to ensure the OPE and the estimates from the stress test results conform to the same time horizon.
Finally, we multiply the stress test projections by 12.5 to transform the operational risk losses into a risk-weighted
assets metric.
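
As an added example (not BPI's or the Basel Committee's code), the Python below ties together the OPE steps, the proposed services-component cap and the stress-loss conversion described in this note, using a constructed fee-heavy bank with amounts in EUR billions. Assumptions not taken from the text above: the 12 percent coefficient for the bottom bucket, the marginal application of coefficients across buckets and the component formulas (with inputs treated as three-year averages) follow the Basel standard, and the annualization divisor is taken as 2.25 years (nine quarters), which reproduces the $144 billion to $64 billion step the note reports.

```python
# Added example: OPE capital with and without the proposed services-component cap.
# All bank figures are constructed; amounts are in EUR billions.

CAP_RATE = 0.0225             # 2.25% cap rate quoted in the text
RWA_MULTIPLIER = 12.5         # multiplier in equation (1)
STRESS_HORIZON_YEARS = 9 / 4  # nine-quarter projection in years (assumption)

# (upper bound of bucket, marginal coefficient). 15% and 18% are quoted in the
# text; the 12% bottom bucket comes from the Basel standard (assumption).
BUCKETS = [(1.0, 0.12), (30.0, 0.15), (float("inf"), 0.18)]


def interest_component(net_interest_income, interest_earning_assets, dividend_income):
    """Net interest income, capped at 2.25% of interest-earning assets, plus dividends."""
    capped = min(abs(net_interest_income), CAP_RATE * interest_earning_assets)
    return capped + dividend_income


def services_component(fee_income, fee_expense, other_income, other_expense,
                       cap_asset_base=None):
    """Larger of income or expense for each pair, with no netting.

    cap_asset_base is a hypothetical input for the proposed cap: total assets
    less reserve balances, Treasuries and Agency MBS. None means uncapped.
    """
    uncapped = max(fee_income, fee_expense) + max(other_income, other_expense)
    if cap_asset_base is None:
        return uncapped
    return min(uncapped, CAP_RATE * cap_asset_base)


def business_indicator_component(bi):
    """Apply the coefficients marginally, bucket by bucket."""
    bic, lower = 0.0, 0.0
    for upper, coeff in BUCKETS:
        if bi > lower:
            bic += coeff * (min(bi, upper) - lower)
        lower = upper
    return bic


def ope_rwa(bi, ilm=1.0):
    """Equation (1): RWA = 12.5 x ILM x BIC, with ILM = 1 as assumed in the note."""
    return RWA_MULTIPLIER * ilm * business_indicator_component(bi)


def stress_loss_to_rwa(nine_quarter_loss):
    """Annualize a nine-quarter loss, then express it as an RWA equivalent."""
    return RWA_MULTIPLIER * nine_quarter_loss / STRESS_HORIZON_YEARS


# Constructed fee-heavy bank (three-year averages, EUR billions).
BANK = {
    "net_interest_income": 2.0, "interest_earning_assets": 60.0,
    "dividend_income": 0.1,
    "fee_income": 9.0, "fee_expense": 3.0,
    "other_income": 0.5, "other_expense": 0.8,
    "financial_component": 0.75,
    "total_assets": 200.0,
    "safe_assets": 60.0,  # reserve balances + Treasuries + Agency MBS
}


def compare_cap(bank):
    """Return BI and RWA for one bank, without and with the services cap."""
    ildc = interest_component(bank["net_interest_income"],
                              bank["interest_earning_assets"],
                              bank["dividend_income"])
    pairs = (bank["fee_income"], bank["fee_expense"],
             bank["other_income"], bank["other_expense"])
    cap_base = bank["total_assets"] - bank["safe_assets"]
    result = {}
    for label, base in (("uncapped", None), ("capped", cap_base)):
        services = services_component(*pairs, cap_asset_base=base)
        bi = ildc + services + bank["financial_component"]
        result["bi_" + label] = bi
        result["rwa_" + label] = ope_rwa(bi)
    return result


if __name__ == "__main__":
    for name, value in compare_cap(BANK).items():
        print(name, round(value, 5))
    # The note's aggregate nine-quarter figure (USD billions) as an RWA equivalent.
    print("stress RWA equivalent:", stress_loss_to_rwa(144.0))
```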

An appropriate strategy to assess the overall calibration of the OPE is to compare operational risk losses in the
stress tests with the operational risk capital requirement calculated using the OPE. Also, our estimates make a
conservative assumption and assume the tax rate to be zero; the assumption is conservative because bank profits
are typically below zero under stress.10 Operational risk losses are a reasonable proxy for capital needs, because
losses feed directly to bank capital through declines in net income and retained earnings. Since operational risk
losses in the stress tests are estimated conditional on a stress scenario, it is also reasonable to compare the
aggregate and bank-specific operational risk losses directly with the capital requirements calculated using OPE.
Had those losses not been derived under stress conditions, it would be more appropriate to look at the distribution
of operational risk losses and compare the tail of the distribution to OPE’s capital requirement.

First, the minimum aggregate operational risk capital under OPE is nearly twice as high as the aggregate
operational risk losses in DFAST 2020, as shown in Panel A in Exhibit 3. Cumulative operational risk losses over the nine
quarters of the projection horizon equaled $144 billion in aggregate for the 33 banks. Annualizing those losses to a
one-year horizon yields losses of $64 billion under the Federal Reserve’s severely adverse scenario in DFAST 2020.
In addition, the OPE methodology results in higher operational risk capital requirements for 31 of the 33 firms that
participated in the 2020 stress tests.

[10] This assumption also helps simplify the analysis. In practice, banks can use deferred tax assets to lower future taxable income, so negative
taxes can increase capital in some cases.

Second, as shown in Panel B in Exhibit 3, there are some sizable outliers for minimum operational risk capital under
OPE relative to DFAST. The x-axis measures the annualized losses associated with operational risk events in the
Fed’s stress tests, and the y-axis represents the share of RWA for operational risk under the OPE. In addition, the
correlation between the OPE capital requirement and operational risk losses in DFAST is low because the dots are
stacked vertically on top of each other. More precisely, the correlation between OPE’s operational risk capital
requirement and operational-risk losses in the stress tests is only 29 percent. The correlation would jump to 59
percent if AXP, foreign-bank organizations with an elevated capital markets presence (UBS, CS, DB, BARC), and STT
were excluded from the sample.

Altogether, these findings suggest that the capital requirement for the services component is overstated in OPE.

Adjustment to BI’s Services Component


The current specification of OPE disproportionately penalizes business models with a high percentage of
noninterest income in total revenues for two main reasons. First, unlike the interest component, the services
component does not offset revenues with expenses. Second, there is no cap on the BI’s services component. The
solution we discuss in this section is to introduce a cap to the BI’s services component similar to the one already in
place for the interest component.

A cap tied to total assets is preferable to one tied to interest-earning assets, since the services component covers
noninterest income. Furthermore, deducting deposits at Federal Reserve Banks, U.S. Treasuries, and Agency MBS
from total assets would better reflect operational risk and reduce the procyclicality of the cap. We know that
during economic downturns, the Federal Reserve tends to expand its balance sheet as it conducts asset purchases.
This causes a large influx of reserve balances into the banking system, since only banks can hold deposits at Federal
Reserve Banks. In addition, banks typically use their excess liquidity to purchase Treasury securities and Agency
MBS.

A cap on the BI’s services component equal to 2.25 percent of total adjusted assets would be binding for 15 out of
the 33 CCAR banks.[11] That is approximately the same number of banks bound by the BI’s cap on the interest
component. In Exhibit 4, we plot the adjusted RWA for operational risk for all the banks in the sample. In the revised
formulation, AXP has a capital charge near 10 percent of RWA instead of 48 percent, as shown in Exhibit 1.
Foreign-bank organizations with high capital markets presence (UBS, DB, CS, and BARC) would also benefit by
having a cap on the services component. In addition, the correlation between the adjusted OPE capital charge and
operational risk losses in the stress tests would increase from 29 to 53 percent. Finally, the Basel III capital
requirement for operational risk would decline from $112 billion to $99 billion, or 11.6 percent. Still, the Basel III
operational risk capital requirement would exceed operational-risk losses in the stress tests over a one-year
horizon.

[11] There is no special reason to choose 2.25 percent, except that it is identical to the cap on the interest, leases, and dividend component.

Conclusion
The OPE methodology to calculate capital charges for operational risk in the Basel III endgame proposal offers a
simplified, non-model, financial-statement-based approach that resolves some problems related to the large
variability in capital charges under the previous methodologies introduced by Basel. Although the calculation
allows for calibration based on actual historical losses, a misalignment of certain requirements leads to capital
charges significantly and inappropriately higher than operational risk losses in the Fed’s stress tests, especially for
banks with business models tilted toward noninterest revenues. This problem could largely be corrected by
imposing a cap on BI’s services component. Furthermore, deducting reserves, Treasuries and agency MBS
securities would not only further enhance accuracy but also make the requirement less procyclical.

Appendix
The new standardized measurement approach for operational risk calculates operational capital requirements in
three steps. First, it estimates a proxy for operational loss exposure by aggregating financial statement data based
on three types of revenue streams (interest, services, and financial) to generate the Business Indicator (BI).
Second, the BI is then multiplied by marginal capital requirement coefficients to obtain the Business Indicator
Component (BIC). Third, the BIC is multiplied by an adjustment factor called the Internal Loss Multiplier (ILM),
which compares the BIC with actual historical operational losses over the last decade.[12] We describe each
component of the BIC in detail below.

Minimum operational risk capital (𝑂𝑅𝐶) = 𝐵𝐼𝐶 ∗ 𝐼𝐿𝑀 (1)

In this appendix, we present the relevant business indicator formulas and explain our methodology and
adjustments in detail. In the formulas below, a bar above a term indicates that the term is calculated as the
average over three years: t, t – 1, and t – 2. We will be using 2018, 2019, and 2020 for our three years when
calculating the variables.

A detailed item-by-item mapping of the Business Indicator to FRY-9C items can be found in Table 2.

Business Indicator

The BI has three components: the interest, leases, and dividend component (ILDC); the services component (SC);
and the financial component (FC).

The BI is defined as:

𝐵𝐼 = 𝐼𝐿𝐷𝐶 + 𝑆𝐶 + 𝐹𝐶 (2)

Interest, Leases, and Dividend Component. The ILDC quantifies risks coming from shocks to net interest income. It
compares the absolute value of net interest income over the last three years to a reference value of 2.25 percent
of total interest earning assets. The ILDC takes the minimum of both metrics and then adds total dividend income
from unconsolidated entities to obtain a measure of potential operational risk stemming from interest revenues.

$$ILDC = \min\left[\,\overline{\operatorname{Abs}(\text{Interest Income} - \text{Interest Expense})};\ 2.25\% \times \overline{\text{Interest Earning Assets}}\,\right] + \overline{\text{Dividend Income}} \qquad (3)$$

The interest income from the FRY-9C schedule HI Item 3 is adjusted according to the BCBS guidelines for operating
leases other than investment property disclosed as other expenses under the classification in Schedule HI item 7n
to 7p. The absolute value of net items (e.g., interest income – interest expense) is calculated first year by year and
then averaged over three years.

Interest-earning assets are defined according to the New York Federal Reserve stress testing methodology (see
Hirtle et al. 2015). This includes interest-bearing balances, held-to-maturity and available-for-sale securities,
federal funds sold in domestic offices, securities purchased under agreements to re-sell, trading assets, and total
loans and leases.

We do not have available data for dividend income from investments in stocks and funds not consolidated in the
bank’s financial statements, including dividend income from non-consolidated subsidiaries, associates, and joint
ventures.

Services Component. The SC captures income and expenses received from offering advice and services. For
example, this includes but is not limited to activities such as securities issuance, clearing and settlement, or fees
obtained through asset management business. The BCBS definition aggregates revenues and expenses into those
related to fees and those representing other operating income. Finally, the maximum of fee income or expense is
added to the maximum of other operating income or expenses, as in this formula.

$$SC = \max\left[\,\overline{\text{Other Operating Income}};\ \overline{\text{Other Operating Expense}}\,\right] + \max\left[\,\overline{\text{Fee Income}};\ \overline{\text{Fee Expense}}\,\right] \qquad (4)$$

We do not have available data for other operating income, defined as income from ordinary banking operations
not included in other BI items but of similar nature (income from operating leases should be excluded). We define
other operating expense using Schedule HI memoranda items 7n to 7p when related to losses incurred because of
operational loss events (e.g., fines, penalties, settlements, replacement cost of damaged assets), which have not
been provisioned/reserved for in previous years; or expenses related to establishing provisions/reserves for
operational loss events.

We use fee income as established by the FRY-9C: (1) Income from fiduciary activities; (2) service charges on deposit
accounts; (3) fees and commissions from securities brokerage and investment banking activities; (4) venture
capital revenues; and (5) servicing and securitization income. We exclude fee income from insurance or re-
insurance business as stated by BCBS.

We define fee expense as Schedule HI item 7e “Other noninterest expense” from the FRY-9C. We adjust this metric
downward to better reflect the BCBS definition. The adjustment covers: (1) fees paid by the bank for the supply of
non-financial services (e.g., travel expenses, IT services, and general administrative costs); (2) operating lease
expenses; and (3) expenses included in “Other operating expense” above.

Our adjustment to the services component introduces a cap to the BI’s services component by taking the minimum
of the original services component and 2.25 percent of total adjusted assets. Total adjusted assets subtract reserve
balances, U.S. Treasuries, and Agency MBS from total assets.

𝐴𝑑𝑗𝑢𝑠𝑡𝑒𝑑 𝑆𝐶 = 𝑀𝑖𝑛 [ 𝑆𝐶 , 2.25% × Total adjusted assets] (5)

Financial Component. The FC adds the absolute value of the profit and loss coming from the banking book and the
trading book to obtain a proxy for the firm’s exposure to net financial operating losses.

$$FC = \overline{\operatorname{Abs}(\text{Net P\&L Trading Book})} + \overline{\operatorname{Abs}(\text{Net P\&L Banking Book})} \qquad (6)$$

Net P&L for the trading book is defined as trading revenues determined according to the definition of the Federal
Reserve Bank of New York stress testing methodology (see Hirtle et al. 2015).

Net P&L for the banking book follows the FRY-9C mapping of realized gains and losses from the trading book,
including: (1) net gains (losses) on the sale of other assets, (2) realized gains on held-to-maturity securities, and (3)
realized gains (losses) on available-for-sale debt securities.

Business Indicator Component

Once these three elements are added to obtain the Business Indicator, the BCBS guidelines apply marginal
coefficients to obtain an intermediate capital charge.

Table 1: BI Ranges and Marginal Coefficients

| Bucket | BI Range (€bn) | BI Marginal Coefficients |
|---|---|---|
| 1 | BI ≤ 1 | 12% |
| 2 | 1 < BI ≤ 30 | 15% |
| 3 | BI > 30 | 18% |

Note: The analysis assumes a €/U.S.$ exchange rate of 1.13. [2]

To calculate the BIC, each slice of the BI is multiplied by the marginal coefficient of its bucket and the results
are summed. For example, for banks with a BI of €40 billion, the following BIC would apply: a first bucket impact of
(1 × 12%), a second bucket impact of (30 – 1) × 15%, and a final bucket impact of (40 – 30) × 18%, for a total of
€6.27 billion.

Internal Loss Multiplier

Finally, the intermediate capital charge can be scaled to account for historical operational risk losses through
an adjustment factor. The internal loss multiplier (ILM) compares the potential losses estimated through the BIC to
actual average historical losses over a period of 10 years using the following formula:

$$ILM = \ln\left(\exp(1) - 1 + \left(\frac{LC}{BIC}\right)^{0.8}\right) \qquad (7)$$

The loss component (LC) is calculated as 15 times the net annual operational losses and then averaged over a
window of the last 10 years. If the LC equals the BIC, then no adjustment factor is needed and the ILM is equal to 1.
If, on the other hand, actual historical losses are above those calculated by the BIC, then the ILM would be higher
than 1 and the minimum operational risk capital would be adjusted upward to reflect the incremental risk
associated with higher historical losses. ILM is set to 1 throughout this research note.
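
The appendix formulas (1) to (7), the Table 1 buckets and the proposed cap in (5), worked through on the American Express figures the note reports in Tables 4 and 5. This is an added example, not code from the note; the function names are hypothetical, and reading the note's 1.13 rate as U.S. dollars per euro is an assumption.

```python
from math import e, log

EUR_USD = 1.13     # the note's rate, read as U.S. dollars per euro (assumption)
CAP_RATE = 0.0225  # 2.25% reference rate in equations (3) and (5)
# Table 1: (bucket upper bound in EUR bn, marginal coefficient)
BUCKETS = [(1.0, 0.12), (30.0, 0.15), (float("inf"), 0.18)]


def mean(values):
    values = list(values)
    return sum(values) / len(values)


def ildc(net_interest_income, interest_earning_assets, dividend_income=None):
    """Equation (3). Abs() is applied year by year, then averaged."""
    capped = min(mean(abs(x) for x in net_interest_income),
                 CAP_RATE * mean(interest_earning_assets))
    return capped + (mean(dividend_income) if dividend_income else 0.0)


def services_component(other_income, other_expense, fee_income, fee_expense):
    """Equation (4): the larger of income or expense in each pair, no netting."""
    return (max(mean(other_income), mean(other_expense))
            + max(mean(fee_income), mean(fee_expense)))


def adjusted_sc(sc, total_adjusted_assets):
    """Equation (5): the cap on the services component proposed in the note."""
    return min(sc, CAP_RATE * mean(total_adjusted_assets))


def financial_component(trading_pnl, banking_pnl):
    """Equation (6)."""
    return mean(abs(x) for x in trading_pnl) + mean(abs(x) for x in banking_pnl)


def bic_eur(bi_eur):
    """Apply the Table 1 marginal coefficients to a BI expressed in EUR bn."""
    if bi_eur < 0:
        raise ValueError("BI cannot be negative")
    charge, lower = 0.0, 0.0
    for upper, coefficient in BUCKETS:
        if bi_eur <= lower:
            break
        charge += (min(bi_eur, upper) - lower) * coefficient
        lower = upper
    return charge


def bic_usd(bi_usd):
    """Convert to EUR for the bucket thresholds, then back to USD."""
    return bic_eur(bi_usd / EUR_USD) * EUR_USD


def ilm(loss_component, bic):
    """Equation (7)."""
    if bic <= 0 or loss_component < 0:
        raise ValueError("BIC must be positive and LC non-negative")
    return log(e - 1 + (loss_component / bic) ** 0.8)


def orc(bi_usd, loss_component=None):
    """Equation (1). With no loss history the ILM is 1, as in the note."""
    bic = bic_usd(bi_usd)
    return bic * (1.0 if loss_component is None else ilm(loss_component, bic))


def amex_example():
    """American Express inputs from Tables 4 and 5 (USD bn, 2018-2020)."""
    zeros = [0.0, 0.0, 0.0]  # items the note reports as 0.0 or as unavailable
    il = ildc([7.7, 8.6, 8.0], [168.6, 176.3, 169.2])
    sc = services_component(zeros, zeros, [32.3, 34.5, 27.8], [22.8, 25.0, 20.7])
    fc = financial_component([0.1, 0.1, 0.1], zeros)
    sc_cap = adjusted_sc(sc, [157.5, 166.7, 137.9])
    return {
        "ILDC": il, "SC": sc, "FC": fc, "BI": il + sc + fc,
        "ORC": orc(il + sc + fc),
        "SC_adjusted": sc_cap,
        "ORC_adjusted": orc(il + sc_cap + fc),
    }


if __name__ == "__main__":
    for name, value in amex_example().items():
        print(f"{name:13s} {value:6.1f}")
```

Summing unrounded components gives an adjusted BI of about 7.4, while Table 5 shows 7.5 from adding the rounded components; the capital figure rounds to 1.1 either way.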

[2] We use a €/U.S.$ exchange rate of 1.13.

Table 2: Mapping of BCBS Operational Risk Items to the FRY-9C Reporting Form

| Item | FRY-9C item | Description |
|---|---|---|
| Interest Income | BHCK4107 | Total interest income |
| Interest Expense | BHCK4073 | Total interest expense |
| | + operating lease adjustment | Adjustment for operating leases expenses (see Table 3 for details) |
| Interest Earning Assets | BHCK0395 | Interest-bearing balances: in U.S. offices |
| | + BHCK0397 | Interest-bearing balances: In foreign offices, Edge and Agreement subsidiaries, and IBFs |
| | + BHCK1754 | Total Securities, MBS, ABS and Other Debt Securities Held-to-Maturity at Amortized Cost (from Schedule HC-B) |
| | + BHCK1773 | Total Securities, MBS, ABS and Other Debt Securities Available-for-Sale at Amortized Cost (from Schedule HC-B) |
| | + BHDMB987 | Federal funds sold in domestic offices |
| | + BHCKB989 | Securities purchased under agreements to resell |
| | + BHCK3545 | Trading assets (from Schedule HC-D) |
| | + BHCK2122 | Total Consolidated loans and leases held for investment and held for sale |
| Dividend Income | – | – |
| Fee Income | BHCK4070 | Income from fiduciary activities |
| | + BHCK4483 | Service charges on deposit accounts in domestic offices |
| | + BHCKC886 | Fees and commissions from securities brokerage |
| | + BHCKC887 | Fees and commissions from annuity sales |
| | + BHCKC888 | Investment banking, advisory, and underwriting fees and commissions |
| | + BHCKKX46 | Fees and commissions from securities brokerage, investment banking, advisory, and underwriting fees and commissions |
| | + BHCKB491 | Venture capital revenue |
| | + BHCKB492 | Net servicing fees |
| | + BHCKB493 | Net securitization income |
| | + BHCKB497 | Other noninterest income |
| Fee Expense | BHCK4092 | Other noninterest expense |
| | – operating lease adjustment | Adjustment for operating leases expenses (see Table 3 for details) |
| | – BHCKC018 | Printing, stationery, and supplies expense |
| | – BHCK4803 | Postage expense |
| | – BHCKF559 | Telecommunications expense |
| | – [BHCK8565 + BHCK8566 + BHCK8567]* | Adjustment for outsourcing fees paid for the supply of non-financial services (see Table 3 for details) |
| Total Assets Adjusted | BHCK2170 | Total assets |
| | – [BHCK0081 + BHCK0395 + BHCK0397] | Cash and balances due from depository institutions |
| | – [BHCK0213 + BHCK1287 + BHCM3531] | U.S. Treasuries (AFS, HTM, Trading) |
| | – [BHCKG303 + BHCKG307 + BHCKG311 + BHCKG315 + BHCKK145] | Agency mortgage-backed-securities (AFS) |
| | – [BHCKG301 + BHCKG305 + BHCKG309 + BHCKG313 + BHCKK143] | Agency mortgage-backed-securities (HTM) |
| | – [BHCKG380 + BHCKG379] | Agency mortgage-backed-securities (Trading) |
| Other Operating Income | – | – |
| Other Operating Expense | [BHCK8565 + BHCK8566 + BHCK8567]** | Adjustment for expenses and losses incurred because of operational loss events (see Table 3 for details) |
| Net P&L Trading Book | BHCKA220 | Trading revenue |
| Net P&L Banking Book | BHCK8560 | Net gains (losses) on sales of loans and lease |
| | + BHCK8561 | Net gains (losses) on sales of other real estate owned |
| | + BHCKB496 | Net gains (losses) on sales of other assets |
| | + BHCK3521 | Realized gains (losses) on held-to-maturity securities |
| | + BHCK3196 | Realized gains (losses) on available-for-sale debt securities |

*Only items related to outsourcing fees paid for the supply of non-financial services are selected from items BHCK8565, BHCK8566, and
BHCK8567 (see Table 3 for details).
**Only items related to expenses and losses incurred because of operational loss events are selected from items BHCK8565, BHCK8566, and
BHCK8567 (see Table 3 for details).

Table 3: Definitions of Adjustment Items
Memoranda Items BHCK8565, BHCK8566, and BHCK8567 from Schedule HI of the FRY-9C forms outline additional
disclosure on “Other Noninterest expense”. We categorize these items into three adjustments: (1) operating lease
and expense; (2) outsourcing fees paid for the supply of non-financial services; and (3) expenses and losses
incurred as a consequence of operational loss events. We follow the definitions contained in Finalizing Post Crisis
Reforms (BCBS 2017) and Policy Advice on Basel III Reforms: Operational Risk (EBA 2019).

| Item | FRY-9C disclosure |
|---|---|
| Adjustment for operating leases and expense | Depreciation expenses of operating leases |
| | Loan and lease expense |
| Adjustment for outsourcing fees paid for the supply of non-financial services | Capitalized computer software expense |
| | Depreciation and amortization of technology assets |
| | General administrative expense |
| | IT professional services |
| | Software licensing and maintenance expenses |
| | Technology expense |
| | Technology services |
| | Travel and entertainment |
| | Travel expense |
| Adjustment for expenses and losses incurred as a consequence of operational loss events | Accrual for legal matters |
| | Fraud losses |
| | Increase provision for litigation |
| | Insurance losses |
| | Legal and risk provisions |
| | Litigation expense |
| | Operating losses |
| | Provision for contingent liability |

Table 4: Derivation of Minimum Operational Risk Capital for American Express (Illustrative Example)

| U.S.$ in Billions* | 2018 | 2019 | 2020 | Average |
|---|---|---|---|---|
| Net Interest Income | 7.7 | 8.6 | 8.0 | 8.1 |
| Adjustment for Operating Leases Expense | 0.0 | 0.0 | 0.0 | 0.0 |
| Net Interest Income Adjusted | 7.7 | 8.6 | 8.0 | 8.1 |
| Interest Bearing Balances | 22.2 | 18.2 | 27.5 | 22.6 |
| Total—HTM Securities | 0.0 | 0.0 | 0.0 | 0.0 |
| Total—AFS Securities | 4.8 | 8.5 | 21.7 | 11.6 |
| Federal Funds Sold in Domestic Offices | 0.0 | 0.0 | 0.0 | 0.0 |
| Securities Purchased Under Agreements to Re-sell | 0.1 | 0.1 | 0.1 | 0.1 |
| Trading Assets | 0.0 | 0.0 | 0.0 | 0.0 |
| Total Loans and Leases | 141.5 | 149.5 | 119.9 | 137.0 |
| Total Interest Earning Assets | 168.6 | 176.3 | 169.2 | 171.4 |
| Dividend Income | – | – | – | |
| 2.25% of Interest Earning Assets | | | | 3.9 |
| Interest, Leases, and Dividend Component (ILDC) | | | | 3.9 |
| Other Operating Income | – | – | – | |
| Other Operating Expense | 0.0 | 0.0 | 0.0 | 0.0 |
| Income from Fiduciary Activities | 0.0 | 0.0 | 0.0 | 0.0 |
| Service Charges on Deposit Accounts in Domestic Offices | 0.0 | 0.0 | 0.0 | 0.0 |
| Fees and Commissions from Securities Brokerage | 0.0 | 0.0 | 0.0 | 0.0 |
| Investment Banking, Advisory, and Underwriting Fees and Commissions | 0.0 | 0.0 | 0.0 | 0.0 |
| Fees and Commissions from Annuity Sales | 0.0 | 0.0 | 0.0 | 0.0 |
| Venture Capital Revenue | 0.0 | 0.0 | 0.0 | 0.0 |
| Net Servicing Fees | 0.0 | 0.0 | 0.0 | 0.0 |
| Net Securitization Income | 0.0 | 0.0 | 0.0 | 0.0 |
| Other Noninterest Income | 32.3 | 34.5 | 27.8 | 31.5 |
| Total Fee Income | 32.3 | 34.5 | 27.8 | 31.5 |
| Fee Expense | 22.8 | 25.0 | 20.7 | 22.8 |
| Adjustment for Outsourcing Fees Paid for the Supply of Non-Financial Services | 0.0 | 0.0 | 0.0 | 0.0 |
| Fee Expense Adjusted | 22.8 | 25.0 | 20.7 | 22.8 |
| Services Component (SC) | | | | 31.5 |
| Net P&L Trading Book | 0.1 | 0.1 | 0.1 | 0.1 |
| Net P&L Banking Book | 0.0 | 0.0 | 0.0 | 0.0 |
| Financial Component (FC) | | | | 0.1 |
| Business Indicator (BI) | | | | 35.5 |
| Business Indicator Component (BIC) | | | | 5.3 |
| Internal Loss Multiplier (ILM) | | | | 1.0 |
| Minimum Operational Risk Capital (ORC) | | | | 5.3 |
| Minimum Operational Risk Capital (as a Percentage of Risk-Weighted Assets) | | | | 48.3 |

*Source: FRY-9C; balance sheet items are end of year. P&L data are for the full fiscal year.

Table 5: Adjusted Derivation of Minimum Operational Risk Capital for American Express

| U.S.$ in Billions* | 2018 | 2019 | 2020 | Average |
|---|---|---|---|---|
| Interest, Leases, and Dividend Component (ILDC) | | | | 3.9 |
| Services Component (SC) Prior to Cap | | | | 31.5 |
| Total Assets Adjusted | 157.5 | 166.7 | 137.9 | 154.0 |
| 2.25% of Total Assets Adjusted | | | | 3.5 |
| Services Component (SC) Adjusted | | | | 3.5 |
| Financial Component (FC) | | | | 0.1 |
| Business Indicator (BI) | | | | 7.5 |
| Business Indicator Component (BIC) | | | | 1.1 |
| Internal Loss Multiplier (ILM) | | | | 1.0 |
| Minimum Operational Risk Capital (ORC) | | | | 1.1 |
| Minimum Operational Risk Capital (as Percentage of Risk-Weighted Assets) | | | | 9.8 |

CPG 230 Operational Risk Management
Final Guidance
June 2024

On 13 June 2024, APRA formally released its final Prudential Practice Guide CPG 230
Operational Risk Management.

Summary of key changes

In response to consultation feedback received from 16 entities and industry bodies, APRA recognised the
requirement for greater clarity to avoid the creation of unintentional practical difficulties during implementation.
The guidance has been simplified to be shorter, sharper and focused on effective baseline compliance. Whilst
maintaining strong expectations around achieving resilience, APRA has effectively given regulated entities
more flexibility around how they achieve stronger resilience outcomes by applying more of a risk-based
lens to their approaches. Key changes include:

• Day One checklist – entities should consider the summary of requirements and suggested order of
implementation in their plans.
• Non-Significant Financial Institutions have an additional 12 months to comply with certain
requirements in CPS 230 relating to business continuity and scenario analysis.
• A three-year forward plan has been provided on APRA’s intended approach to supervising CPS 230
to assist industry with implementation and planning.

Key changes per section

Roles and Responsibilities

• Less prescriptive guidance as to how the Board delegates responsibility to senior management,
providing more flexibility to entities in application. Noting, however, that processes for delegation
between the Board and Senior Management should be clear and documented.
• Entities should consider how delegated responsibilities align to accountability for Operational
Risk Management under FAR.
• Less prescriptive on what effective oversight by the Board entails.

Operational Risk Management

• Promotion of Critical Operations as the key focal point for operational risk management practices
and procedures, including risk profiling.
• Less prescriptive guidance and expectations on the approach for end-to-end process and resource
mapping, providing more flexibility to Senior Management in implementation.
• Removal of detailed guidance on approach to maintaining operational risk profiles, including risk
identification and assessment, control management and testing, incident management and root cause
analysis. Replaced with high-level considerations.

Business Continuity

• Less prescriptive guidance, with the removal of better practice statements, regarding:
– approach to Business continuity management;
– detail of BCPs and alignment to disaster recovery;
– BCP testing approach.
• Addition of MSP details to Critical Operations register.
• Removal of indicative/relative tolerance levels.
• Removal of sound practice for tolerance of data loss

Material Service Providers

• Guidance provided on attributes to be included in the MSP register, specifying attributes not previously
requiring disclosure (e.g. responsible persons, mapping to Critical Operations and/or material
operational risks, list of fourth parties, etc.). In Q3 2024, APRA will provide a template register.
• APRA requests that for SFIs, the first MSP register is to be submitted by 1 October 2025.

©2024 KPMG, an Australian partnership and a member firm of the KPMG global organisation of independent member firms affiliated with KPMG International Limited, a private English
company limited by guarantee. All rights reserved. The KPMG name and logo are trademarks used under license by the independent member firms of the KPMG global organisation.
Liability limited by a scheme approved under Professional Standards Legislation.
• Clarification that service providers within a material cohort are not required to be classified as material
as long as they are not individually material.
• Clarification that arm’s length transactions with the prescribed list of service providers does not result in
a material arrangement. Material arrangements arise only when there is reliance on a critical operation or
exposure to a material operational risk.
• Guidance on the need for Internal Audit to review any proposed outsourcing of critical operations prior
to a decision being made and the capability and capacity to do so.
• Removal or less prescriptive guidance relating to the following, allowing more flexibility for
the depth to which entities can take:
– the identification and assessment of downstream service providers;
– provisions within service agreements;
– approach to monitoring performance.

Implementation considerations

• Critical Operations Mapping – Determine the level of process and resource mapping that is of
sufficient detail for senior management to understand how Critical Operations are delivered during
business-as-usual and maintained during disruption.
• Material Service Providers (MSP) – Consideration of the operational risks of cohorts of service
providers where the aggregate risk is material in addition to MSPs.
• Fourth Parties – Determine the approach to identifying fourth parties supporting MSPs and the
impact they could have on the critical operation.

Key focus areas

Over and above the extensive work completed by clients to this point, KPMG is focusing its support
in the following key areas:

• Mapping processes, risks and controls for critical operations.
• Support for defining vulnerabilities, severe but plausible scenarios and a testing library.
• Conducting pre-implementation or readiness assessments.
• Supporting definition of an operating model that articulates clear accountability across
business divisions, central functions (BCM, Supplier Management, Technology), senior management
and Board.
• Accelerating Material Service Provider assessments through finalisation of enhanced frameworks,
but also providing capability and capacity to accelerate the program of conducting the
MSP assessments.
• Defining and implementing a program of responding to information requests and risk assessments
for those entities that are also Material Service Providers to other regulated entities.

“By amending the accompanying guidance, we aim to keep industry standards high while also being mindful
of the compliance burden on smaller entities so they can remain competitive.”
JOHN LONSDALE, APRA CHAIR

IMPLEMENTATION TIMELINE

JUNE 2024: Release of final CPG 230
MID-2024: MSPs/critical operations identified
END OF 2024: Entities positioned to set tolerance levels
1 JULY 2025: CPS 230 commences
JULY 2025: New: extra transition for non-SFIs for some requirements
JULY 2026: CPS 230 all requirements in effect for all entities

Appendix A: CPS 230 compliance checklist

| REQUIREMENT | SUBMISSION TO APRA | UPDATED OR NEW REQUIREMENT |
|---|---|---|
| 1. Critical Operations (COs) are identified. | Entities are not required to submit their list of critical operations. However, an APRA supervisor could request it. | NEW as concept of critical operations is introduced by CPS 230. |
| 2. Tolerances are defined and approved by the Board for COs (time, data loss, and service level). | Entities are not required to submit tolerance lists. However, an APRA supervisor could request it, to understand how critical operations are monitored and to confirm Board approval as required by the Standard. | UPDATE as tolerances exist under CPS 232 for time and SLAs. CPS 230 applies a Critical Operations lens. |
| 3. Material Service Providers (MSPs) are identified. | Entities are required to submit a register of MSPs to APRA on an annual basis. APRA requests the first submission by 1 Oct 2025. This is the key data requirement of CPS 230 along with incident notifications and supplier/offshore notifications. | NEW but building on the requirements that have been in place under CPS 231, in monitoring and oversight of suppliers. |
| 4. Notifications are operational for material events, tolerance breaches and MSP changes. | Entities are required to have notifications to APRA in place per paragraphs 33 (material events), 49 (tolerance breach) and 59 (MSP arrangement/offshoring changes). | UPDATE as notification requirements do exist under CPS 231 and CPS 232 in the current architecture. |
| 5. Board Governance & Oversight is in place and clear roles and responsibilities are set. | Entities are not required to submit updated senior management accountabilities or target operating model documentation. This could be requested and discussed as part of a prudential review. | UPDATE to align with the critical operations requirements in CPS 230 but builds on CPS 220 positioning. |
| 6. Risk Profiles & Reporting is established and supporting oversight accountabilities. | Entities are not required to submit risk profiles or risk reporting as part of compliance with CPS 230. These could be requested and discussed as part of a prudential review. | UPDATE against critical operations and building on CPS 220, 231, 232 foundations. |
| 7. Accountability for COs, MSPs, and monitoring is in place. | Entities are not required to submit updated operational accountabilities or examples of BAU monitoring, reporting or controls for compliance with CPS 230. These could be requested as part of a prudential review. | UPDATE to accountabilities, to refer to new concepts introduced under CPS 230 building on CPS 220, 231, 232 foundations. |
| 8. Contract Updates have an extension of 12 months per paragraph 7 of the standard. | Entities have an additional 12 months to ensure that pre-existing service provider arrangements comply with contract requirements under CPS 230. | UPDATE to pre-existing contracts to comply with CPS 230. |
| 9. Business Continuity Management (BCM) shifts from Critical Operations focus. | Entities are not required to submit their updated BCM strategy, policy, or plans. These could be requested and discussed as part of a prudential review. | UPDATE of existing BCM policy, plans, testing under CPS 232 to the CPS 230 Critical Operations focus. |
| 10. Scenarios align with BCM uplift and focus on severe yet plausible scenarios for Critical Operations and Material Service Providers. | Entities are not required to submit their new scenarios or testing results as part of CPS 230 compliance. This could be requested and discussed as part of a prudential review. | UPDATE of existing scenario approach under CPS 232 to apply a CPS 230 Critical Operations lens. |

Appendix B: Transition details for non-SFIs
CPS 230: REQUIREMENTS THAT WILL NOW COMMENCE 1 JULY 2026 FOR NON-SFIs (PREVIOUSLY 1 JULY 2025)

40. An APRA-regulated entity’s BCP must include:
– the register of critical operations and associated tolerance levels;
– triggers to identify a disruption and prompt activation of the plan, and arrangements to direct resources
in the event of activation;
– actions it would take to maintain its critical operations within tolerance levels through disruptions;
– an assessment of the execution risks, required resources, preparatory measures, including key internal
and external dependencies needed to support the effective implementation of the BCP actions; and
– a communications strategy to support execution of the plan
41. An APRA-regulated entity must maintain the capabilities required to execute the BCP, including access to
people, resources and technology. An APRA-regulated entity must monitor compliance with its tolerance
levels and report any failure to meet tolerance levels, together with a remediation plan, to the Board.
43. An APRA-regulated entity must have a systematic testing program for its BCP that covers all critical
operations and includes an annual business continuity exercise. The program must test the effectiveness
of the entity’s BCP and its ability to meet tolerance levels in a range of severe but plausible scenarios.
44. The testing program must be tailored to the material risks of the APRA-regulated entity and include a range
of severe but plausible scenarios, including disruptions to services provided by material service providers
and scenarios where contingency arrangements are required. APRA may require the inclusion of an
APRA-determined scenario in a business continuity exercise for an APRA-regulated entity, or a class
of APRA-regulated entities.
45. An APRA-regulated entity must update, as necessary, its BCP on an annual basis to reflect any changes
in legal or organisational structure, business mix, strategy or risk profile or for shortcomings identified as
a result of the review and testing of the BCP.
46. An APRA-regulated entity’s internal audit function must periodically review the entity’s BCP and provide
assurance to the Board that the BCP sets out a credible plan for how the entity would maintain its critical
operations within tolerance levels through severe disruptions and that testing procedures are adequate
and have been conducted satisfactorily.

CPS 232: REQUIREMENTS THAT CONTINUE UNTIL 30 JUNE 2026 FOR NON-SFIs

30. An APRA-regulated institution must maintain at all times a documented BCP for the institution that meets
the objectives of the institution’s BCM policy.
31. The BCP must document procedures and information that enable the institution to:
– manage an initial business disruption (crisis management); and
– recover critical business operations.
32. The BCP must reflect the specific requirements of the institution and must identify:
– critical business operations;
– recovery levels and time targets for each critical business operation;
– recovery strategies for each critical business operation;
– infrastructure and resources required to implement the BCP;
– roles, responsibilities and authorities to act in relation to the BCP; and
– communication plans with staff and external stakeholders.
33. Where material business activities are outsourced, an APRA-regulated institution must satisfy itself
as to the adequacy of the outsourced service provider’s BCP and must consider any dependencies
between the two BCPs.
34. An APRA-regulated institution must review and test the institution’s BCP at least annually, or more
frequently if there are material changes to business operations, to ensure that the BCP can meet the BCM
objectives. The results of the testing must be formally reported to the Board or to delegated management.
35. The BCP must be updated if shortcomings are identified as a result of the review and testing required
under paragraph 34.


SPS 232: REQUIREMENTS THAT CONTINUE UNTIL 30 JUNE 2026 FOR NON-SFIs

21. An RSE licensee must maintain at all times a documented BCP that meets the objectives of the BCM Policy.

22. An RSE licensee’s BCP must document procedures and information that enable the RSE licensee to:
– manage an initial business disruption (crisis management); and
– recover critical business activities.
23. An RSE licensee’s BCP must reflect the specific requirements of the RSE licensee and must identify:
– critical business activities;
– recovery levels and recovery times for each critical business activity;
– recovery strategies for each critical business activity;
– infrastructure and resources required to implement the BCP;
– roles, responsibilities and authorities to act in relation to the BCP; and
– communication plans with staff and external stakeholders.
24. Where material business activities are outsourced, an RSE licensee must satisfy itself as to the adequacy
of the outsourced service provider’s BCP and must consider any dependencies between the two BCPs.
25. An RSE licensee must review and test its BCP at least annually, or more frequently if there are material
changes to its business operations, to ensure that the BCP can meet the BCM objectives. The results of
the testing must be formally reported to the Board or to delegated management.
26. The BCP must be updated if shortcomings are identified as a result of the review and testing required
under paragraph 25.


The information contained in this document is of a general nature and is not intended to address the objectives, financial situation or needs of any particular individual or entity. It is provided
for information purposes only and does not constitute, nor should it be regarded in any manner whatsoever, as advice and is not intended to influence a person in making a decision, including,
if applicable, in relation to any financial product or an interest in a financial product. Although we endeavour to provide accurate and timely information, there can be no guarantee that such
information is accurate as of the date it is received or that it will continue to be accurate in the future. No one should act on such information without appropriate professional advice after a
thorough examination of the particular situation.
To the extent permissible by law, KPMG and its associated entities shall not be liable for any errors, omissions, defects or misrepresentations in the information or for any loss or damage
suffered by persons who use or rely on such information (including for reasons of negligence, negligent misstatement or otherwise).


June, 2024. 1378250952FS.
FORVIS Alert

The Basel III Endgame – Implications for Operational Risk

On July 27, 2023, the Federal Reserve Board, Federal Deposit Insurance Corporation, and the Office of Comptroller of
the Currency (“Agencies”) jointly issued a Notice of Proposed Rulemaking (NPR) for the implementation of the Basel III
Endgame that would significantly revise the capital requirements for banking organizations with $100 billion or more in
assets.

Among other revisions, the NPR proposes new capital requirements related to operational risk.1 The current requirement,
based on the advanced measurement approach (AMA) framework, requires banks to develop internal models to measure
operational risk. However, under the NPR, the agencies eliminate the use of internal models for operational risk out of
concern that internal models lack transparency and comparability. Internal models present challenges for supervisors and
market participants to assess the relative magnitude of operational risk across banking organizations, the adequacy of
operational risk capital, and the effectiveness of operational risk management practices.

Updated Provisions Under NPR


1. New Capital Requirement – The NPR introduces a capital requirement for operational risk based on a
standardized approach. The operational risk capital requirements are a function of a large banking organization’s
business indicator component and internal loss multiplier:

■ The business indicator is intended to serve as a proxy for a banking organization’s business volume and is
based on inputs from the financial statements. It is derived from the three-year rolling average of three income
components: 1) interest, lease, and dividends, e.g., lending and investment activities; 2) services, e.g., fee and
commission-based activities; and 3) financial, e.g., trading activity.

■ The internal loss multiplier is a scaling factor applied to the operational risk capital requirement derived from
the business indicator component and is based on the banking organization’s actual historical operational
loss experience. The internal loss multiplier is based on the ratio of a banking organization’s average annual
net operational losses over the last 10 years to its business indicator component. In the NPR, the Agencies
floor the internal loss multiplier at one so that lower historical loss experience cannot decrease operational
risk capital requirements.

A large banking organization’s operational risk capital requirement is calculated by multiplying its business
indicator component by its internal loss multiplier. The result is then multiplied by 12.5 to arrive at the risk-weighted
assets for operational risk.
2. Independent Operational Risk Function – Banking organizations must have an operational risk management
function independent of business line management. This independent operational risk management function is
expected to design, implement, and oversee the comprehensiveness and accuracy of operational loss event
data collection processes, in addition to overseeing other aspects of the banking organization’s operational risk
management.
3. Better Review and Documentation – Banking organizations are required to document the procedures used for
the identification and collection of operational loss event data. Additionally, they are required to have processes to
independently review the comprehensiveness and accuracy of operational loss data and submit these processes to
regular independent reviews by internal or external audit functions.

1 Operational risk refers to the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.


FORVIS is a trademark of FORVIS, LLP, registration of which is pending with the U.S. Patent and Trademark Office. August 2023

4. Stronger Data Collection – Banking organizations must collect operational loss event data for all operational loss
events which result in $20,000 or more of gross operational loss.
5. Root Cause Analysis – Banking organizations must collect descriptive information about the causes of operational
loss events which result in a gross operational loss of $20,000 or more. The level of detail for the descriptive
information should be commensurate with the size of the gross loss amount of the operational loss event.
6. Timing Losses – Timing losses would constitute an operational loss. A timing loss is the negative financial impact
on a banking organization’s financial statements due to having incorrectly booked a positive financial impact in a
previous financial statement, e.g., revenue overstatement, accounting, and mark-to-market errors. However, if the
overstatement and its correction occur in the same financial statement period there would be no operational loss.
7. Insurance Recoveries – Insurance recoveries would be included as part of the internal loss multiplier calculation
in the quarter in which they are paid to the banking organization. However, insurance receivables would not be
considered recoveries.
8. Reporting of Loss Events – Banking organizations must report operational loss events and other relevant
operational risk information to business line management, senior management, and the board of directors (or a
designated committee of the board).
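
The calculation in item 1, together with the data rules in items 4 and 7, as an added Python example (not code from the alert or from the Agencies). The logarithmic ILM form and the factor 15 are taken from the Basel standardised approach and are not spelled out in the alert; the loss events and the business indicator component (BIC) are constructed, and netting by year rather than by quarter is a simplification.

```python
import math

LOSS_THRESHOLD = 20_000   # gross loss that triggers data collection (item 4)
RWA_MULTIPLIER = 12.5     # capital requirement to risk-weighted assets (item 1)
LOSS_YEARS = 10           # averaging window for net operational losses (item 1)

# Constructed loss events in USD. 'recoveries' lists (year_paid, amount);
# 'receivable' is an insurance claim booked but not yet paid.
SAMPLE_EVENTS = [
    {"year": 2016, "gross": 120_000_000,
     "recoveries": [(2018, 20_000_000)], "receivable": 5_000_000},
    {"year": 2020, "gross": 100_000_000},
    {"year": 2022, "gross": 15_000},        # below the collection threshold
    {"year": 2010, "gross": 50_000_000},    # outside the ten-year window
]


def annual_net_losses(events, last_year):
    """Net operational loss per year for the ten years ending at last_year.

    Recoveries reduce losses in the period in which they are paid (item 7).
    The 'receivable' field is never read: receivables are not recoveries.
    Assumption: every collected event feeds the average.
    """
    net = {y: 0.0 for y in range(last_year - LOSS_YEARS + 1, last_year + 1)}
    for ev in events:
        if ev["gross"] < LOSS_THRESHOLD:
            continue  # never entered the loss data set
        if ev["year"] in net:
            net[ev["year"]] += ev["gross"]
        for year_paid, amount in ev.get("recoveries", []):
            if year_paid in net:
                net[year_paid] -= amount
    return net


def internal_loss_multiplier(avg_annual_net_loss, bic, floor=1.0):
    """ILM = max(floor, ln(e - 1 + (15 * average loss / BIC) ** 0.8)).

    floor=1.0 is the NPR floor described in the alert; pass floor=0.0 to see
    what the multiplier would be without it.
    """
    ratio = max(15.0 * avg_annual_net_loss, 0.0) / bic
    return max(floor, math.log(math.e - 1.0 + ratio ** 0.8))


def operational_risk_rwa(bic, events, last_year):
    """Capital requirement = BIC * ILM; RWA = capital requirement * 12.5."""
    net = annual_net_losses(events, last_year)
    avg = sum(net.values()) / LOSS_YEARS
    ilm = internal_loss_multiplier(avg, bic)
    capital = bic * ilm
    return {"avg_net_loss": avg, "ilm": ilm,
            "capital": capital, "rwa": capital * RWA_MULTIPLIER}


if __name__ == "__main__":
    bic = 150_000_000  # constructed business indicator component
    print("with loss history:", operational_risk_rwa(bic, SAMPLE_EVENTS, 2023))
    print("no loss history:  ", operational_risk_rwa(bic, [], 2023))
    print("unfloored ILM at zero losses:",
          round(internal_loss_multiplier(0.0, bic, floor=0.0), 4))
```

With no recorded losses the unfloored multiplier would be about 0.54, so the floor at one is what keeps a clean loss history from reducing the requirement below the business indicator component.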
As implementation of the Basel III Endgame moves forward, banking organizations should become familiar with the
proposed regulation, how it applies to their current operations, and implications for reporting on FR Y-14Q, Schedule E
(Operational Risk). Whatever shape the final rules take, there will be a significant impact on the global financial market as
banking organizations restructure their businesses and reconfigure balance sheets to meet the new capital requirements.
Banking organizations should perform an impact assessment to understand the effects that the NPR will have on their
regulatory capital requirements, including overlap with their Stress Capital Buffer (SCB), and the costs associated with
compliance.
If you have questions or need assistance, please reach out to a professional at FORVIS.

The information set forth in this presentation contains the analysis and conclusions of the author(s) based upon his/her/their research and analysis of industry information and legal
authorities. Such analysis and conclusions should not be deemed opinions or conclusions by FORVIS or the author(s) as to any individual situation as situations are fact specific.
The reader should perform its own analysis and form its own conclusions regarding specific information. Further, the author(s) conclusions may be revised without notice with or
without changes in industry information and legal authorities. FORVIS has been registered in the U.S. Patent and Trademark Office, which registration is pending.
Managerial Economics
2021, Vol. 22, No. 1, pp. 35–59
https://doi.org/10.7494/manage.2021.22.1.35
©2021 Authors. Creative Commons CC-BY 4.0

Gerd Waschbusch*, Sabrina Kiszka**

Calculating capital requirements for operational risk

1. Continuum of measurement approaches for operational risk
The Capital Requirements Regulation (CRR) aims to standardise bank regulation within the EU. It therefore regulates the amount and requirements of the regulatory capital base of institutions, financial holding companies and mixed financial holding companies. The regulation has direct legal effect in the EU states, so that any conflicting national regulations are superseded by the regulation (Andrae 2014, 9; European Council 2020). According to art. 92 (3)(e) CRR, institutions must back their operational risks with own funds. From a regulatory point of view, the operational risk of an institution is understood as the risk of loss resulting from the inadequacy or failure of internal processes, people, and systems or from the occurrence of external events. This definition also includes the legal risks of an institution (art. 4 (1) no. 52 CRR). The need for own funds results from the knowledge that institutions bear considerable operational risks, especially against the background of growing IT dependency and the increasing complexity of their activities (Federal Ministry of Finance 2007, 116).
The CRR provides a tiered concept for calculating the capital required to cover operational risks. According to Part 3 Title III CRR, an institution may use either the Basic Indicator Approach, the (Alternative) Standardised Approach or a so-called Advanced Measurement Approach to determine the capital requirements for operational risk (see Figure 1).

* Saarland University, e-mail: [email protected]


** Saarland University, e-mail: [email protected]


[Figure 1. Methods to determine capital requirements for the operational risk of an institution. Boxes shown: Basic Indicator Approach; (Alternative) Standardised Approach; Advanced Measurement Approach, e.g. Internal Assessment Approach, Loss Distribution Approach, Scorecard Approach.]

The various measurement methods of Part 3 Title III CRR are characterized by different levels of risk sensitivity and of implementation effort or risk management requirements (see Figure 2). In doing so, they specify the basic order in which these methods should be used by the institutions (Basel Committee on Banking Supervision 2006, 144). If certain qualitative and quantitative minimum standards are met, however, a more risk-sensitive measurement approach can be used right from the start (Basel Committee on Banking Supervision 2001a, 4). The use of an Advanced Measurement Approach instead of the Basic Indicator Approach or (Alternative) Standardised Approach is expected of internationally active institutions as well as of institutions with a significant exposure to operational risks (e.g. banks specializing in the processing of transactions) (Basel Committee on Banking Supervision 2006, 144). The various measurement methods are therefore designed in such a way that institutions are rewarded for improving their risk management, because the more advanced the measurement method used, the lower the minimum capital requirements are likely to be (Basel Committee on Banking Supervision 2001a, 14; Buzziol, Steffi 2004, 16–17; Deutsche Bundesbank 2004, 86; Schulte-Mattler, Hermann 2007, 58; Conlon et al. 2020, 34).

[Figure 2. Risk sensitivity and implementation effort or risk management requirements of the methods to determine the capital requirements for the operational risk of an institution. Vertical axis: risk sensitivity (low to high). Horizontal axis: implementation effort / risk management requirements (low to high). The Basic Indicator Approach sits at the low end of both axes, the (Alternative) Standardised Approach in the middle and the Advanced Measurement Approach at the high end.]

In order to facilitate the development of a more risk-sensitive measurement approach, the institutions are given the opportunity – at least temporarily – to move only partially along the intended spectrum of measurement methods, i.e. initially only using a more risk-sensitive measurement method for individual areas of their business activities (so-called ‘partial use’) if certain minimum requirements are met (Basel Committee on Banking Supervision 2006, 144 and 156). This way an institution can use the Advanced Measurement Approach with either the Basic Indicator Approach or the Standardised Approach. A combination of different approaches, however, always requires permission from the competent supervisory authority (art. 314 (1) CRR). A prerequisite for such a permit is that the selected combination of approaches captures all operational risks of the institution. In addition, the methodology used by an institution to cover different activities, geographical locations, legal structures or other significant divisions must be found satisfactory by the competent supervisory authorities (art. 314 (2)(a) CRR). Moreover, the criteria set out in art. 320 CRR for the application of the Standardised Approach and the requirements in accordance with art. 321 and 322 CRR for the application of the Advanced Measurement Approaches must be met for those activities covered by the Standardised Approach or the Advanced Measurement Approaches (art. 314 (2)(b) CRR, see Table 3). Additional conditions for a transitional approval of the combination of an Advanced Measurement Approach with either the Basic Indicator Approach or with the Standardised Approach are that on the date of implementation of an Advanced Measurement Approach a significant part of the institution’s operational risks are captured by that approach and that the institution commits to applying the Advanced Measurement Approach across a substantial part of its operations according to a time schedule approved by the competent supervisory authority (art. 314 (3) CRR). The purpose of these requirements is for institutions to introduce an Advanced Measurement Approach, which goes hand in hand with an improvement in internal management of operational risk, in as large an area of their business activities as possible. It should therefore be ensured that almost all business operations are covered by an Advanced Measurement Approach and, for reasons of practicality, at most an insignificant part of business activity is covered by a simpler measurement method in the long term (Federal Ministry of Finance 2007, 134). However, only in exceptional cases – e.g. the recent acquisition of new business to which the Standardised Approach may only be applied after a transitional period – may a permit for the use of the combination of the Basic Indicator Approach and the Standardised Approach be requested (art. 314 (4)(1) CRR). Here too, the institution must commit itself to applying the Standardised Approach within a time schedule submitted and approved by the competent supervisory authority (art. 314 (4)(2) CRR). This is ultimately intended to establish a consistent method for determining the capital requirements for the operational risk of an institution and thus avoid capital arbitrage (Federal Ministry of Finance 2007, 124).
The progression from a simple measurement method to a more risk-sensitive measurement method usually represents a ‘one-way street’. According to art. 313 (1) and (2) CRR, an institution that uses a Standardised Approach or an Advanced Measurement Approach to determine capital requirements for operational risk may only revert to a less sophisticated approach if that institution can prove to the competent supervisory authority, ‘that the use of a less sophisticated approach is not proposed in order to reduce the operational risk related own funds requirements of the institution, is necessary on the basis of nature and complexity of the institution and would not have a material adverse impact on the solvency of the institution or its ability to manage operational risk effectively’ (art. 313 (3)(a) CRR). Approval from the competent supervisory authority to return to a less sophisticated method must be applied for in advance by the institution (art. 313 (3)(b) CRR).

2. Basic Indicator Approach


The Basic Indicator Approach is the simplest method for determining the own funds that an institution must hold for its operational risks. According to the rules of this measurement procedure, the calculation of the capital requirement for operational risks of an institution is based on a single risk indicator, which serves as an approximation for the full scope of operational risks of this institution. This risk indicator is the so-called ‘relevant indicator’. In accordance with art. 315 (1)(1) CRR, the capital requirements for operational risks of an institution using the Basic Indicator Approach are equal to 15% of the three-year average of the relevant indicator. The three-year average of the relevant indicator is calculated based on the last three twelve-monthly observations at the end of the financial year (art. 315 (1)(2) sentence 1 CRR). If no audited figures are available, the calculation may also be based on internal estimates of these annual values (art. 315 (1)(2) sentence 2 CRR). The purpose of using a three-year average is to reduce variation in the capital requirements for operational risk (Federal Ministry of Finance 2007, 118). When determining the three-year average of the relevant indicator, however, only annual values with a positive value are taken into account (art. 315 (4)(1) CRR). The three-year average of the relevant indicator is therefore always calculated ‘as the sum of positive figures divided by the number of positive figures’ (art. 315 (4) sentence 2 CRR). Therefore, if a negative relevant indicator occurs in one of the last three years, the determination of the capital requirements for operational risk is based only on the two-year average of the years with a positive relevant indicator. For institutions whose relevant indicator is equal to zero or negative in all three years considered, this results in an own funds requirement for operational risk equal to zero. However, this case is unlikely to be of any significance in practice. The rule that only annual values with a positive value are to be considered in the calculation is intended to ensure that even in case of a negative earnings situation of the institution the operational risks inherent in the business of this specific institution are still backed with own funds (Federal Ministry of Finance 2007, 118). Pattern 1 summarizes the above remarks in a formula.

1 n 


CR OR = 0,15 ◊  ◊ rI i 
n i=1 
CROR = capital requirements for operational risk
i = financial year i
n = number of financial years i with a positive relevant indicator (a maximum of
three years)

Pattern 1. Conception of the Basic Indicator Approach

The relevant indicator is defined in art. 316 CRR. Accordingly, the relevant indicator is to be calculated based on the items listed in Pattern 2, considering the structure of the profit and loss accounts of institutions according to art. 27 of the directive on consolidated financial statements (art. 316 (1)(1) CRR). The directive on consolidated financial statements aims to harmonise the accounting standards of credit institutions within the EU (Rogler 2020, 204–205).

relevant indicator = interest receivable and similar income
                   – interest payable and similar charges
                   + income from shares and other variable/fixed-yield securities
                   + commissions/fees receivable
                   – commissions/fees payable
                   +/– net profit or net loss on financial operations
                   + other operating income

Pattern 2. Calculation of the relevant indicator according to art. 316 CRR

The list in Pattern 2 makes it clear that the calculation of the relevant indicator
does not include any deductions in the form of provisions, risk provision amounts
and operating expenses (art. 316 (1)(2)(a) sentence 1 CRR). In addition, expenses
for outsourced services that are provided by third parties may only reduce the
relevant indicator if the expenditure is incurred by a company that is also subject
to the CRR or equivalent regulations (art. 316 (1)(2)(a) sentence 3 CRR). This
also applies if they are included in the operating expenses. Furthermore, the
following items must not be included in the calculation of the relevant indicator
(art. 316 (1)(2)(b) CRR):
1) realised profits/losses from the sale of non-trading book items,
2) income from extraordinary or irregular items,
3) income derived from insurance.
The removal of extraordinary or irregular income and realised profits/losses from the sale of non-trading book items from the calculation of the relevant indicator can be justified by the fact that in this way larger variations in the relevant indicator can be avoided. The disregard of income derived from insurance in the calculation of the relevant indicator can be explained by the separate supervision of companies conducting insurance business. Since commissions received from insurance brokerage are not included in income derived from insurance, they are part of the relevant indicator (Federal Ministry of Finance 2007, 119).
If revaluations of trading items are part of the profit and loss statement of an institution, they may be included in the calculation of the relevant indicator (art. 316 (1)(2)(c) sentence 1 CRR). If an institution applies art. 36 (2) of the directive on consolidated financial statements and accounts for transferable securities which are not held as financial fixed assets at the higher market value at the balance sheet date, there is an obligation to include revaluations booked in the profit and loss account in the calculation of the relevant indicator (art. 316 (1)(2)(c) sentence 2 CRR).
If an institution does not prepare its annual financial statements according
to the specifications of the directive on consolidated financial statements or its
implementation in national law, but according to other accounting standards
(e.g. according to IFRS), the calculation of the relevant indicator must be based
on data that best reflect the definition set out in art. 316 CRR (art. 316 (2) CRR).
The Basic Indicator Approach represents the entry-level method for calculating the capital requirements for an institution’s operational risk. Therefore, the CRR does not provide any special requirements for the use of this measurement method (Buzziol 2004, 17; Köhne 2005, 282). Nonetheless, those institutions that decide to use the Basic Indicator Approach are asked to follow the guidelines set out by the Basel Committee on Banking Supervision in the paper ‘Principles for the Sound Management of Operational Risk’ (Lenzmann 2008, 290; Basel Committee on Banking Supervision 2011; Kiszka 2018, 44–49). In 2021, the Basel Committee on Banking Supervision published a revised version of these principles (Waschbusch, Kiszka 2020b; Basel Committee on Banking Supervision 2021). Ultimately, however, the application of the Basic Indicator Approach is in no way equal to a ‘real risk measurement’ (Schulte-Mattler 2007, 59). Although the relevant indicator is a variable that can largely be derived from the institutions’ profit and loss account, a connection to the actual operational risk profile of an institution cannot be established with the aid of the relevant indicator. In this context, the Federal Ministry of Finance of Germany speaks of an indirect measure of the scope of business activities and thus also of the operational risks of an institution (Federal Ministry of Finance 2007, 118). A simple connection between the earnings and the operational risk profile of an institution is assumed (Auer 2008, 45). In particular, however, the regulatory ‘punishment’ of additional income by the Basic Indicator Approach is diametrically opposed to the business policy goals of an institution (Schulte-Mattler 2007, 59). After all, the fixing of the multiplication factor at 15% is only a blanket estimate by the banking supervisory authority. In this respect, the Basic Indicator Approach does not identify weaknesses of operational nature in an institution and consequently cannot make any significant contribution to the management of operational risk. Institutions are not given any incentive to improve their operational risk profile or risk management, since ultimately only a reduction in the income generated enables a reduction in capital requirements (Buchmüller 2001, 12). Finally, when using the Basic Indicator Approach operational risks that have materialized result in a reduction of capital requirement due to the decline in earnings that those risks have caused (Capobianco 2014, 4; Enrique 2015, 8), rather than increasing the capital requirements because of a higher risk profile.

3. Standardised Approach

If an institution intends to use the Standardised Approach to calculate the
capital requirements for operational risk instead of the Basic Indicator Approach,
it has to qualify for the use of the Standardised Approach by meeting the
requirements of art. 320 CRR (art. 312 (1)(1) sentence 1 CRR; see Table 3). The institution
must notify the competent authorities prior to using the Standardised Approach
(art. 312 (1)(1) sentence 2 CRR). If an institution decides to use the Standardised
Approach, it must first assign its business activities to the eight regulatory business
lines listed in art. 317 (4) CRR (art. 317 (1) CRR), which are shown in Table 1.
The relevant indicator to be determined in accordance with the requirements
of art. 316 (1) CRR is then allocated proportionally to these eight regulatory
business lines (art. 317 (2) sentence 2 CRR). The last three financial year values
are also decisive for the calculation of the relevant indicator in the Standardised
Approach (art. 317 (2) sentence 1 in conjunction with (4)(1) sentence 1 CRR).
If no audited figures are available, business estimates of these annual values can
also be used for the calculation (art. 317 (4)(1) sentence 2 CRR).

Table 1
Mapping of business activities into the regulatory business lines of
the Standardised Approach

| Regulatory business line | List of activities |
|---|---|
| Corporate Finance | underwriting of financial instruments or placing of financial instruments on a firm commitment basis; services related to underwriting; investment advice; advice to undertakings on capital structure, industrial strategy and related matters and advice and services relating to the mergers and the purchase of undertakings; investment research and financial analysis and other forms of general recommendation relating to transactions in financial instruments |
| Trading and Sales | dealing on own account; money broking; reception and transmission of orders in relation to one or more financial instruments; execution of orders on behalf of clients; placing of financial instruments without a firm commitment basis; operation of Multilateral Trading Facilities. Corresponding transactions with retail customers are assigned to Retail Brokerage. |
| Payment and Settlement | money transmission services; issuing and administering means of payment |
| Agency Services | safekeeping and administration of financial instruments for the account of clients, including custodianship and related services such as cash/collateral management |
| Commercial Banking | acceptance of deposits and other repayable funds; lending; financial leasing; guarantees and commitments. Corresponding transactions with retail customers are assigned to Retail Banking. |
| Retail Banking¹ | acceptance of deposits and other repayable funds; lending; financial leasing; guarantees and commitments |
| Asset Management | portfolio management; managing of UCITS; other forms of asset management |
| Retail Brokerage¹ | reception and transmission of orders in relation to one or more financial instruments; execution of orders on behalf of clients; placing of financial instruments without a firm commitment basis |

¹ These are transactions with retail customers. Business with retail customers includes business
with natural persons or small and medium-sized companies, which are to be classified as retail
exposure in analogous application of the criteria of art. 123 CRR.

In addition to the mapping of an institution’s business activities into the
separate regulatory business lines, the CRR determines a beta factor in the form of
a fixed percentage for each of the eight regulatory business lines listed (art. 317 (2)
sentence 2 CRR in conjunction with table 2 in art. 317 (4) CRR). These beta
factors represent the relationship between the industry-wide operating losses in
a specific regulatory business line and the industry-wide relevant indicators for
this regulatory business line (Basel Committee on Banking Supervision 2001b, 7;
Basel Committee on Banking Supervision 2006, 147). A beta factor of e.g. 12% in
the ‘Asset Management’ business line means that the operational losses that have
occurred in this business line amount to 12% of the relevant indicator generated
in the ‘Asset Management’ business line across the industry. Table 2 provides
a summary of the regulatory business lines, relevant indicators and beta factors
defined in the Standardised Approach. The allocation of the relevant indicator
from an institution’s own business lines and activities to the separate regulatory
business lines must be made in accordance with the requirements of art. 318 CRR.
In this regard, art. 318 (1) CRR calls for the development of specific policies
and criteria for mapping the relevant indicators for current business lines and
activities into the standardised framework shown in Table 1. These policies and
criteria are to be documented, reviewed and adjusted regarding new or changed
business activities and risks.

Table 2
Regulatory business lines, risk indicators and beta factors in the Standardised Approach

| Regulatory Business Line | Risk Indicator | Beta factor |
|---|---|---|
| Corporate Finance | relevant indicator 1 | β1 = 18% |
| Trading and Sales | relevant indicator 2 | β2 = 18% |
| Payment and Settlement | relevant indicator 3 | β3 = 18% |
| Agency Services | relevant indicator 4 | β4 = 15% |
| Commercial Banking | relevant indicator 5 | β5 = 15% |
| Retail Banking | relevant indicator 6 | β6 = 12% |
| Asset Management | relevant indicator 7 | β7 = 12% |
| Retail Brokerage | relevant indicator 8 | β8 = 12% |

Art. 318 (2) CRR also includes the following requirements for the development
of policies and criteria for the mapping of business activities into the regulatory
business lines in the Standardised Approach:
1. Every business activity can be assigned to exactly one regulatory business line.
In this context it must be considered that the regulatory business lines do
not necessarily have to correspond to the internal business lines or business
areas originating from the internal organisation of the institution (Federal
Ministry of Finance 2007, 122). In case of need, a corresponding reconciliation
is therefore necessary.
2. Supporting activities that cannot be directly assigned to a regulatory business
line are to be assigned to the regulatory business line that they support. If an
activity supports several business activities that can be assigned to different
regulatory business lines, an objective criterion must be used for the assignment
of this supporting activity.
3. Business activities which cannot be assigned to any regulatory business line,
including the activities that support them, are to be fully assigned to a regulatory
business line with the highest beta factor.
4. When allocating the relevant indicator to regulatory business lines, internal
pricing methods can be used. However, this must be factually justified. In
addition, costs generated that arise within one regulatory business line but
are imputable to a different regulatory business line may be assigned to the
regulatory business line to which they pertain.
5. The criteria for mapping business activities into the regulatory business lines
must be consistent with the criteria used in the credit and market risk area.
6. The responsibility for the policies and criteria for the mapping of business
activities and the relevant indicator into the separate regulatory business lines
lies with the senior management under the control of the management body
of the institution.
7. The mapping process must be subject to an independent review by internal
or external auditors. This is to be understood as a person who is not identical
to the person who conducted the mapping process and who is not dependent
on the instructions of the latter (Federal Ministry of Finance 2007, 133).
The procedure for determining the capital requirements for the operational
risk of an institution that uses the Standardised Approach is regulated in
art. 317 (2) CRR. According to this, the capital requirements for the operational
risk of an institution correspond to ‘the average over three years of the sum of the
annual own funds requirements across all regulatory business lines’ (art. 317 (2)
sentence 1 CRR). The annual own funds requirement of each regulatory business
line results from the weighting of the relevant indicator mapped to the
respective regulatory business line with the beta factor assigned to this specific
regulatory business line (art. 317 (2) sentence 2 CRR). If there is a negative own
funds requirement in a regulatory business line in a given financial year, which
results from a negative value of the relevant indicator assigned to this regulatory
business line, this negative own funds requirement can be offset against
the positive own funds requirements in other regulatory business lines of this
financial year without limitation (art. 317 (3) sentence 1 CRR). However, if the
sum of the capital requirements of all regulatory business lines within a given
financial year is negative, the relevant indicator for this year will be considered
as zero within the numerator (art. 317 (3) sentence 2 CRR). In contrast to the
calculation of the capital requirements for an institution’s operational risk using
the Basic Indicator Approach, the value of the denominator of the three-year
average does not decrease in such a case; rather it is still “3” (Federal Ministry
of Finance 2007, 121). The following Pattern 3 summarizes the above statements
in a formula.

$$CR_{OR} = \frac{1}{3} \cdot \sum_{i=1}^{n} \max\left[0;\ \sum_{j=1}^{k} \left(rI_j \cdot \beta_j\right)\right]_i$$

$CR_{OR}$ = capital requirements for operational risk
$i$ = financial year $i$ ($i$ = 1, 2, 3)
$n$ = number of financial years $i$ with a positive relevant indicator ($n$ = 3)
$j$ = regulatory business line $j$ ($j$ = 1, …, 8)
$k$ = number of regulatory business lines $j$ ($k$ = 8)
$rI_j$ = relevant indicator of the regulatory business line $j$
$\beta_j$ = beta factor of the regulatory business line $j$
$rI_j \cdot \beta_j$ = capital requirement of the regulatory business line $j$

Pattern 3. Conception of the Standardised Approach

Art. 319 CRR gives institutions the option of using the so-called Alternative
Standardised Approach instead of the Standardised Approach. In the Alternative
Standardised Approach, an institution is allowed to replace the relevant
indicator for the calculation of the capital requirements in the regulatory business
lines ‘Retail Banking’ and ‘Commercial Banking’ with an alternative indicator,
which corresponds to 0.035 times the nominal amount of loans and advances
(art. 319 (1)(a) CRR). The loans and advances in Retail Banking and Commercial
Banking consist of the total drawn amounts in the respective credit portfolios
in accordance with art. 319 (1)(b) sentence 1 CRR. In Commercial Banking the
securities held in the non-trading book must also be added in accordance with
art. 319 (1)(b) sentence 2 CRR. Otherwise, the calculation of the own funds
requirements for the operational risk of an institution corresponds to the procedure
in the Standardised Approach. In particular, the same beta factors as in the
Standardised Approach apply to these two regulatory business lines. Pattern 4
demonstrates the calculation of the capital requirement for the operational risks
of an institution using the Alternative Standardised Approach.


The use of the Alternative Standardised Approach for calculating the capital
requirements for the operational risk of an institution, however, is only permitted
if the following conditions are cumulatively met (art. 319 (2) CRR):
– At least 90% of the institution’s income is derived from the two regulatory
business lines ‘Retail Banking’ and ‘Commercial Banking’.
– A significant proportion of the retail or commercial banking activities consists
of loans associated with a high probability of default.
– The Alternative Standardised Approach provides an appropriate basis for
calculating the capital requirements for operational risk.
The application of the Alternative Standardised Approach is also subject to
prior approval by the competent supervisory authorities (art. 312 (1)(2) CRR).

$$CR_{OR} = \frac{1}{3} \cdot \sum_{i=1}^{n} \max\left[0;\ \sum_{j=1}^{k} \left(rI_j \cdot \beta_j\right) + m \cdot nala_{RB} \cdot \beta_{RB} + m \cdot nala_{CB} \cdot \beta_{CB}\right]_i$$

$CR_{OR}$ = capital requirements for operational risk
$i$ = financial year $i$ ($i$ = 1, 2, 3)
$n$ = number of financial years $i$ with a positive relevant indicator ($n$ = 3)
$j$ = regulatory business line $j$ ($j$ = 1, …, 6); this does not include the two regulatory business lines ‘Retail Banking’ and ‘Commercial Banking’
$k$ = number of regulatory business lines $j$ ($k$ = 6)
$rI_j$ = relevant indicator of the regulatory business line $j$
$\beta_j$ = beta factor of the regulatory business line $j$
$rI_j \cdot \beta_j$ = capital requirement of the regulatory business line $j$
$m$ = factor of 0.035
$nala_{RB}$ = nominal amount of loans and advances of the regulatory business line ‘Retail Banking’
$nala_{CB}$ = nominal amount of loans and advances of the regulatory business line ‘Commercial Banking’
$\beta_{RB}$ = beta factor of the regulatory business line ‘Retail Banking’
$\beta_{CB}$ = beta factor of the regulatory business line ‘Commercial Banking’

Pattern 4. Conception of the Alternative Standardised Approach
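Patterns 3 and 4 carried through in code, as an added Python example that is not part of the paper: the beta factors come from Table 2 and the factor 0.035 from the Alternative Standardised Approach, while the `UNMAPPED` key and all input figures are constructed for illustration. It shows a negative business line being netted within its year, a negative annual sum being floored at zero, and the divisor staying at 3.

```python
# Added example: Standardised Approach (Pattern 3) and Alternative
# Standardised Approach (Pattern 4). All input figures are constructed.

# Beta factors per regulatory business line (Table 2 of the page).
BETA = {
    "Corporate Finance": 0.18,
    "Trading and Sales": 0.18,
    "Payment and Settlement": 0.18,
    "Agency Services": 0.15,
    "Commercial Banking": 0.15,
    "Retail Banking": 0.12,
    "Asset Management": 0.12,
    "Retail Brokerage": 0.12,
}
UNMAPPED = "UNMAPPED"  # hypothetical key: activities that fit no business line
M = 0.035              # factor applied to nominal loans and advances (Pattern 4)
ASA_LINES = ("Retail Banking", "Commercial Banking")


def annual_requirement(indicators, loans=None):
    """Sum of rI_j * beta_j for one financial year, before the zero floor.

    indicators: relevant indicator per business line (values may be negative).
    loans: nominal loans and advances for the two ASA lines; when given, these
           lines use m * nala * beta instead of their relevant indicator.
    """
    unknown = set(indicators) - set(BETA) - {UNMAPPED}
    if unknown:
        raise ValueError(f"not a regulatory business line: {sorted(unknown)}")
    total = 0.0
    for line, beta in BETA.items():
        if loans is not None and line in ASA_LINES:
            total += M * loans[line] * beta
        else:
            total += indicators.get(line, 0.0) * beta
    # Art. 318 (2), item 3 of the list above: activities that cannot be mapped
    # are assigned to a business line with the highest beta factor.
    total += indicators.get(UNMAPPED, 0.0) * max(BETA.values())
    return total


def capital_requirement(years, loans_by_year=None):
    """Three-year average of the annual sums, each floored at zero.

    A year with a negative sum counts as zero in the numerator, but the
    divisor remains 3 (unlike the Basic Indicator Approach).
    """
    if len(years) != 3:
        raise ValueError("exactly three financial years are required")
    if loans_by_year is None:
        loans_by_year = [None, None, None]
    if len(loans_by_year) != 3:
        raise ValueError("loans must be given for each of the three years")
    annual = [max(0.0, annual_requirement(y, l))
              for y, l in zip(years, loans_by_year)]
    return sum(annual) / 3


def sample_year(trading_and_sales):
    """Constructed relevant indicators (EUR million) for one financial year."""
    return {
        "Corporate Finance": 100, "Trading and Sales": trading_and_sales,
        "Payment and Settlement": 50, "Agency Services": 40,
        "Commercial Banking": 300, "Retail Banking": 400,
        "Asset Management": 60, "Retail Brokerage": 50,
    }


# Constructed sample: trading result positive, then negative, then very negative.
SAMPLE_YEARS = [sample_year(200), sample_year(-500), sample_year(-1200)]
SAMPLE_LOANS = [{"Retail Banking": 5000, "Commercial Banking": 4000}] * 3

if __name__ == "__main__":
    for number, year in enumerate(SAMPLE_YEARS, start=1):
        print(f"year {number}: annual sum = {annual_requirement(year):.1f}")
    print(f"Standardised Approach:             {capital_requirement(SAMPLE_YEARS):.1f}")
    print(f"Alternative Standardised Approach: "
          f"{capital_requirement(SAMPLE_YEARS, SAMPLE_LOANS):.1f}")
```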

In general, the assignment of business activities and the relevant indicator of an
institution to the separate regulatory business lines in the Standardised Approach
represents a step forward compared to the procedure of the Basic Indicator
Approach. If it is possible to delimit the regulatory business lines of an institution in
a useful way and to determine the beta factors in such a way that they estimate the
specific operational risks of the individual regulatory business line with sufficient
accuracy in relation to the relevant indicator assigned, the Standardised Approach
possesses a higher risk sensitivity compared to the Basic Indicator Approach. It is
obvious that the consideration of the focus of activity within an institution leads
in principle to a more realistic mapping of the operational risks than the use of
a single indicator that represents the entire operational risks of an institution. In
practice, however, the precise delimitation of the eight regulatory business lines
is seen as a major problem. The mapping of the different business activities of an
institution into the individual regulatory business lines usually causes a high level
of implementation effort. In addition, the beta factors specified by the banking
supervisory authorities do not exhibit any statistically significant relationships
between the operational risks and the relevant indicator of the individual regulatory
business lines. Thus, the Basel Committee on Banking Supervision found
inconsistencies in the assessment of the risk potential of the individual regulatory
business lines in the past (Federal Financial Supervisory Authority 2009, 15; Basel
Committee on Banking Supervision 2014, 7). Therefore, the Standardised Approach
is unlikely to be suitable for adequately mapping the operational risks inherent
in the individual regulatory business lines of an institution. The Standardised
Approach, just like the Basic Indicator Approach, does not allow a precise
measurement of the operational risk profile of an institution (Schulte-Mattler 2007, 59).
Ultimately, this is due to the fact that the calculation of the capital requirements for
the operational risk of an institution in both measurement methods is not based
on any institution-specific loss data (Schulte-Mattler 2007, 59). The above
conclusion that neither the Basic Indicator Approach nor the Standardised Approach are
linked to the actual operational risk profile of an institution applies equally to the
Alternative Standardised Approach.

4. Advanced Measurement Approaches


According to art. 312 (2)(1) CRR, an institution may use an Advanced
Measurement Approach instead of the Basic Indicator Approach or the (Alternative)
Standardised Approach to determine the capital requirements for operational
risk. However, the use of an Advanced Measurement Approach requires prior
approval by the competent supervisory authority. Apart from this, the CRR grants
the institutions a high degree of flexibility in developing Advanced Measurement
Approaches for calculating the capital requirement for operational risks.
Institutions can use measurement approaches that are based on their own systems for
measuring operational risk, as long as they meet all the qualitative and quantitative
requirements of art. 321 and 322 CRR as well as the general risk management
standards of art. 74 and 85 CRD (art. 312 (2)(1) CRR). Table 3 summarizes these
minimum requirements.


Table 3
Minimum requirements for the use of the (Alternative) Standardised Approach
or Advanced Measurement Approaches

(Alternative) Standardised Approach and Advanced Measurement Approach:
– establishment of a well-documented system for identifying, assessing, managing and
controlling of operational risk with clearly assigned responsibilities
– regular independent reviews of the risk management system for operational risks by
internal or external auditors
– integration of the system for assessing operational risks in the risk management
processes of the institution
– establishment of a management reporting system and methods to take appropriate
corrective action

(Alternative) Standardised Approach:
– collection of the relevant data for operational risk, including material loss data
– consideration of the results of the system for assessing operational risks as an
integral part of the processes for monitoring and controlling the operational risk
profile of the institution

Advanced Measurement Approach:
– independent central risk management function
– solid and effective validation processes
– transparent and accessible data flows and processes related to the risk measurement
system
– methods that capture both expected and unexpected losses from operational risks,
severe events on the edge of distribution, key risk drivers and correlations
– calculation of the capital requirements for operational risk based on internal loss
data, external data, scenario analyses as well as bank-specific business environment
and internal control factors, including expert judgments
– ensuring the internal coherence of the risk measurement system and avoidance
of multiple counting of qualitative assessments or risk reduction techniques that
are recognized in other parts of the CRR
– at least five-year observation period for internal loss data (three years if the method
is approved for the first time)
– documentation of the framework for risk measurement, internal review and audit
by the competent supervisory authority

According to art. 312 (2)(2) CRR, significant changes and extensions to an
Advanced Measurement Approach that has already been approved require renewed
approval from the competent supervisory authority. In addition, the competent
supervisory authority must be notified of any change made to an Advanced
Measurement Approach (art. 312 (3) CRR).
In addition to these minimum requirements for the usage of an Advanced
Measurement Approach, further requirements for the use of internal and
external data, scenario analyses and factors that affect the business environment
and the internal control systems of the institution are included in art. 322 CRR.
For example, an institution must be able to map its historical internal loss data
into the business lines of the Standardised Approach according to art. 317 CRR
and, in addition, into the event types according to art. 324 CRR (art. 322 (3)(b)
CRR) – as shown in Table 4.

Table 4
Event categories for mapping historical internal loss data

| Event-type Category | Losses due to: |
|---|---|
| Internal fraud | acts of a type intended to defraud; misappropriate property; circumvent regulations, the law or company policy. This does not apply to losses due to diversity or discrimination events if at least one internal party is involved. |
| External fraud | acts of a type intended to defraud; misappropriate property; circumvent the law. These losses must each be caused by a third party. |
| Employment Practices and Workplace Safety | acts inconsistent with employment, health or safety laws or agreements; payment of personal injury claims; diversity or discrimination events |
| Clients, Products & Business Practices | an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements); the nature or design of a product |
| Damage to Physical Assets | loss or damage to physical assets from natural disaster or other events |
| Business disruption and system failures | disruption of business; system failures |
| Execution, Delivery & Process Management | failed transaction processing or process management; relations with trade counterparties and vendors |

In contrast to the regulations of the Basic Indicator Approach and the
(Alternative) Standardised Approach, institutions that decide to use an Advanced
Measurement Approach are permitted to recognise the risk mitigating effect of
insurance and other risk transfer mechanisms when calculating their own funds
requirements for operational risk (art. 323 (1) CRR). By taking insurance and
other risk transfer mechanisms into account, however, the capital requirements
for operational risk may be reduced by a maximum of 20% compared to its
amount before the recognition of risk mitigation techniques (art. 323 (5) CRR).
This limitation of the recognition of the risk-reducing effect of insurance and
other risk transfer mechanisms is justified by the fact that an adequate capital
requirement for operational risk is to be guaranteed (Federal Ministry of Finance
2007, 131).
For an institution to be allowed to consider the risk-reducing effect of
insurance contracts, all of the following requirements must be met (art. 323 (2) and
(3) CRR):
– The insurance provider is authorised to provide insurance or re-insurance.
– The insurance provider has an appropriate credit rating. This is considered
to be given if the insurance provider is assigned at least credit quality step 3
under the rules of the Standardised Approach for measuring credit risks.
– The insurance policy has an initial term of no less than one year.
– If the insurance policy includes a notice period for cancellation of the
contract, it is at least 90 days.
– The insurance policy does not contain any exclusion clauses or limitations
on insurance coverage in the event of supervisory actions, nor those which
preclude the institution’s receiver or liquidator from recovering the damages
suffered or expenses incurred by the institution in case of a failed institution.
This does not apply to events that occurred after the initiation of receivership
or liquidation proceedings in respect of the institution. However, the
insurance policy may exclude any fines, penalties or punitive damages resulting
from actions by the competent authorities.
– The insurance coverage is calculated in a transparent and consistent manner
with the likelihood and impact of loss used in the overall determination of
operational risk capital.
– The insurance is provided by a third party entity. In the case of insurance
through captives and affiliates, the insured risk must be transferred to an
independent third party. This regulation is intended to ensure that the
conclusion of an insurance policy leads to an additional coverage for risks (Federal
Ministry of Finance 2007, 133).
– The framework for recognising insurance is well reasoned and documented.

In addition, art. 323 (4)(a) and (b) CRR determines that, when taking into
account the risk-reducing effect of insurance, suitable discounts must be made
for insurance policies with residual term or cancellation term being less than
one year. For example, in the case of insurance policies with a residual term of
less than one year, the institution applies appropriate haircuts in order to take
into account the decreasing residual term of the insurance policy, up to a 100%
haircut for insurance policies with a residual term of 90 days or less (art. 323 (3)
(a) sentence 2 CRR). Appropriate discounts or haircuts must also be applied if
there are payment uncertainties or mismatches in coverage of insurance policies
(art. 323 (4)(c) CRR).
Only the Advanced Measurement Approaches, including the Internal
Measurement Approach as well as various types of Loss Distribution and Scorecard
Approaches, can provide an individual and risk-adequate measurement of
operational risk, as there is a tangible connection between the operational risk
profile and the resulting capital requirements. Thus, suitable control measures
can be introduced. This advantage of the Advanced Measurement Approaches is
offset by the high requirements that must be met when using these approaches
and that go hand in hand with considerable investments in management tools
and specialist staff.
It should be noted, however, that even the Advanced Measurement
Approaches do not necessarily ensure reflecting the actual risk situation, as
quality defects, e.g. due to an inadequate database or the selection of unsuitable
indicators or scenarios, can negatively affect the significance of the models.
Furthermore, there is a certain scope for manipulation when designing the
models. For this reason, when the Advanced Measurement Approaches were
introduced, it was criticized that institutions can design the models just the
way they want to. This is problematic due to the different objectives that are
being pursued. The internal models are usually based on efforts to optimize
shareholder value, whereas regulatory measurement approaches try to
guarantee the solvency of the banking sector. Attempts are made to limit this scope
for manipulation through the approval and monitoring of the models by the
competent supervisory authorities. On top of that, the flexibility in choice of
method leads to a lack of comparability of the different Advanced Measurement
Approaches. Ultimately, the Basel Committee on Banking Supervision found that
when using Advanced Measurement Approaches, there are large differences in
the capital requirements of institutions, which, however, are difficult to justify
due to similar risk profiles of these institutions (Kiszka 2018, 91–94 as well as
the references given there).

5. Outlook on the changes resulting because of the Basel III finalisation

Based on the experience in the implementation of the previous measurement
approaches for operational risk gained in recent years and because many
of the aforementioned weaknesses of the measurement approaches have become
apparent, the adequacy of the previous capital framework was reviewed by the
Basel Committee on Banking Supervision (Basel Committee on Banking Supervision
2014, 5; KPMG 2014, 2; Kiszka 2018, 95). As a result of this review, the final
Basel III reform package was published on December 7, 2017 (Basel Committee
on Banking Supervision 2017; Feridun, Özün 2020, 8), which is currently being
transposed into European and national law. According to the notion of the Basel
Committee on Banking Supervision, the new requirements must be implemented
by January 1, 2023 at the latest. The implementation was originally planned by
January 1, 2022. However, this implementation date was postponed by one year
due to the burdens on the institutions because of the corona pandemic
(Waschbusch, Kiszka 2020a).
Since institutions that use an Advanced Measurement Approach to determine
capital requirements for operational risk have not been able to establish a consistent
market standard, and this ultimately results in a wide range of calculated
capital requirements, institutions are no longer allowed to use an Advanced
Measurement Approach in the future (the statements in this chapter largely refer
to Deutsche Bundesbank 2018, 88–89 in conjunction with Basel Committee on
Banking Supervision 2017, 128–130). Instead, the new Standardised Measurement
Approach was developed, which will replace the Basic Indicator Approach
and the previous Standardised Approach. This new Standardised Measurement
Approach is designed similarly to the Basic Indicator Approach in that it also
considers the three-year average of a single risk indicator. However, since the
previous risk indicator proved to be unsuitable in the Great Financial Crisis of
2007/2008, the calculation of the capital requirement for operational risk will
be based on the so-called business indicator (BI), the composition of which is
shown in Table 5.
The business indicator consists of an interest, leases and dividend component
(ILDC), a service component (SC) and a financial component (FC). All
components are considered with a positive sign, so that a negative component
does not reduce the business indicator. The three-year average is calculated for
all sub-items underlined in Table 5.

Table 5
Calculation of the business indicator in the new Standardised Measurement Approach

| Item | Calculation |
|---|---|
| Business Indicator | = Interest, Leases and Dividend Component (ILDC) + Service Component (SC) + Financial Component (FC) |
| ILDC | Min [Absolute Value (Interest Income – Interest Expense); 2.25% · Interest Earning Assets] + Dividend Income |
| SC | Max [Other Operating Income; Other Operating Expense] + Max [Fee Income; Fee Expense] |
| FC | Absolute Value (Net Profit/Loss Trading Book) + Absolute Value (Net Profit/Loss Banking Book) |

Due to the importance of the institution’s size for the operational risk profile,
marginal coefficients are introduced (Feridun, Özün 2020, 15). For this purpose,
the institution’s business indicator – as shown in Table 6 – is assigned to three
buckets.

Table 6
Buckets for determining the business indicator component in the new Standardised Measurement Approach

Bucket   Business Indicator range (in €bn)   Business Indicator marginal coefficients
1        ≤ 1                                 12%
2        1 < BI ≤ 30                         15%
3        > 30                                18%

The so-called business indicator component is calculated by multiplying the business indicator by the marginal coefficients. The respective marginal coefficients relate to that portion of the business indicator that is assigned to the corresponding bucket, which is intended to counteract a sudden increase in capital requirements when the bucket limits are exceeded (Kiszka 2018, 101). For an institution with a business indicator of 35 €bn, this results in a business indicator component of:

1 €bn · 12% + 29 €bn · 15% + 5 €bn · 18% = 5.37 €bn.

To increase the risk sensitivity of the new Standardised Measurement Approach, a loss component was introduced, which represents the loss potential of an institution, which is derived from its past loss experience. The loss component is equal to 15 times the average annual operational losses incurred over the previous 10 years. The loss component is then considered in the capital requirements using the so-called internal loss multiplier, which is calculated as follows:

$$\text{internal loss multiplier} = \ln\left(\exp(1) - 1 + \left(\frac{\text{loss component}}{\text{business indicator component}}\right)^{0.8}\right)$$

Ultimately, the capital requirements for operational risk in the new Standardised Measurement Approach are determined by the product of the business indicator component and the internal loss multiplier. The latter thus scales the business indicator component up or down (Kiszka 2018, 118). As a result, this means that the capital requirements for operational risk increase if the losses incurred by an institution are above average in a long-term comparison. However, by using a logarithmic function, the internal loss multiplier rises less and less as the loss component increases. If, on the other hand, comparatively few operational losses have occurred, the capital requirement can be reduced by half, so that the integration of the loss component creates an incentive for effective risk management. The above explanations are combined in a formula in Pattern 5.

CROR = BIC · ILM

CROR = capital requirements for operational risk
BIC = business indicator component
ILM = internal loss multiplier

Pattern 5. Conception of the Standardised Measurement Approach

For institutions with a business indicator that does not exceed 1 €bn, the loss component does not apply, so that for small institutions the capital requirements for operational risk will correspond to the business indicator component (= 12% of the business indicator). This regulation is intended to relieve smaller institutions but was criticized during the consultation phase. Smaller institutions would be discriminated against, despite a possibly existing database on historical losses, and unequal competitive conditions would be created. In this context, in the consultation phase an option to integrate the loss multiplier for small institutions was proposed, which, however, was not included in the final Basel paper (Capobianco 2016, 8).


In principle, however, the loss component is not mandatory and can therefore be disregarded at national discretion (Feridun, Özün 2020, 15), which would, however, severely limit risk sensitivity. The Deutsche Börse Group comes to the conclusion that, after 20 years of exchange and the development of a new measurement method, the new Standardised Measurement Approach is an appropriate method for calculating the capital requirement for the operational risk of an institution (Thompson, Hillen 2016, 5), even though some of the aforementioned criticism of the previous approaches is still partially valid.
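The calculation described in this chapter (Table 5, Table 6, the loss component, the internal loss multiplier and Pattern 5), written out as an added Python example that is not part of the original paper. The field names, the constructed sample figures in €bn and the assumption that the figures passed in are already three-year averages are illustrative assumptions.

```python
import math

# Table 6: (upper bound of the bucket in EUR bn, marginal coefficient).
BUCKETS = ((1.0, 0.12), (30.0, 0.15), (math.inf, 0.18))
BUCKET_1_LIMIT = 1.0  # EUR bn; up to this BI the loss component does not apply


def business_indicator(f):
    """Table 5: BI = ILDC + SC + FC, every component with a positive sign.

    `f` maps hypothetical field names to figures in EUR bn, assumed to be
    three-year averages already.
    """
    ildc = min(abs(f["interest_income"] - f["interest_expense"]),
               0.0225 * f["interest_earning_assets"]) + f["dividend_income"]
    sc = (max(f["other_operating_income"], f["other_operating_expense"])
          + max(f["fee_income"], f["fee_expense"]))
    fc = abs(f["net_pl_trading_book"]) + abs(f["net_pl_banking_book"])
    return ildc + sc + fc


def business_indicator_component(bi):
    """Apply each marginal coefficient only to the slice of BI in its bucket."""
    if bi < 0:
        raise ValueError("business indicator cannot be negative")
    bic, lower = 0.0, 0.0
    for upper, coeff in BUCKETS:
        if bi > lower:
            bic += (min(bi, upper) - lower) * coeff
        lower = upper
    return bic


def loss_component(annual_losses):
    """15 times the average annual operational loss of the previous 10 years."""
    if len(annual_losses) != 10:
        raise ValueError("expected exactly 10 annual loss figures")
    if any(loss < 0 for loss in annual_losses):
        raise ValueError("losses are given as non-negative amounts")
    return 15.0 * sum(annual_losses) / len(annual_losses)


def internal_loss_multiplier(lc, bic):
    """ILM = ln(exp(1) - 1 + (LC / BIC) ** 0.8)."""
    if bic <= 0:
        raise ValueError("business indicator component must be positive")
    return math.log(math.e - 1.0 + (lc / bic) ** 0.8)


def capital_requirement(bi, annual_losses=None, use_loss_component=True):
    """Pattern 5: CROR = BIC * ILM.

    ILM is treated as 1 for institutions in bucket 1 and where the loss
    component is disregarded at national discretion.
    """
    bic = business_indicator_component(bi)
    if bi <= BUCKET_1_LIMIT or not use_loss_component:
        return bic
    if annual_losses is None:
        raise ValueError("loss history required when the loss component applies")
    return bic * internal_loss_multiplier(loss_component(annual_losses), bic)


# Constructed sample inputs (EUR bn), not taken from any real institution.
SAMPLE_BANK = {
    "interest_income": 3.0, "interest_expense": 1.8,
    "interest_earning_assets": 40.0, "dividend_income": 0.1,
    "other_operating_income": 0.3, "other_operating_expense": 0.2,
    "fee_income": 0.9, "fee_expense": 0.4,
    "net_pl_trading_book": -0.25, "net_pl_banking_book": 0.05,
}
SAMPLE_LOSSES = [0.02, 0.03, 0.01, 0.05, 0.02, 0.04, 0.03, 0.02, 0.01, 0.02]

if __name__ == "__main__":
    bi = business_indicator(SAMPLE_BANK)
    print(f"BI   = {bi:.3f} EUR bn")
    print(f"BIC  = {business_indicator_component(bi):.4f} EUR bn")
    print(f"CROR = {capital_requirement(bi, SAMPLE_LOSSES):.4f} EUR bn")
    print(f"BIC for BI of 35 = {business_indicator_component(35.0):.2f} EUR bn")
```

With a loss component of zero the multiplier is ln(exp(1) − 1) ≈ 0.54, which is the "reduced by half" floor mentioned in the text; with a loss component equal to the business indicator component it is exactly 1.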

References
[1] Andrae, S. (2014) ‘Regulierung und Aufsicht im Wandel’, in Gendrisch, T., Gruber, W. and Hahn, R. (ed.) Handbuch Solvabilität: Aufsichtsrechtliche Kapitalanforderungen an Kreditinstitute, 2nd edition, Stuttgart: Schäffer-Poeschel.
[2] Auer, M. (2008) Operationelles Risikomanagement bei Finanzinstituten: Risiken identifizieren, analysieren und steuern, Weinheim: Wiley.
[3] Basel Committee on Banking Supervision (2001a) Operational Risk: Consultative Document, [Online], Available: https://www.bis.org/publ/bcbsca07.pdf [17 May 2021].
[4] Basel Committee on Banking Supervision (2001b) Working Paper on the Regulatory Treatment of Operational Risk, [Online], Available: https://www.bis.org/publ/bcbs_wp8.pdf [17 May 2021].
[5] Basel Committee on Banking Supervision (2006) International Convergence of Capital Measurement and Capital Standards: A Revised Framework: Comprehensive Version, [Online], Available: https://www.bis.org/publ/bcbs128.pdf [17 May 2021].
[6] Basel Committee on Banking Supervision (2011) Principles for the Sound Management of Operational Risk, [Online], Available: https://www.bis.org/publ/bcbs195.pdf [17 May 2021].
[7] Basel Committee on Banking Supervision (2014) Operational risk: Revisions to the simpler approaches: Consultative Document, [Online], Available: https://www.bis.org/publ/bcbs291.pdf [17 May 2021].
[8] Basel Committee on Banking Supervision (2017) Basel III: Finalising post-crisis reforms, [Online], Available: https://www.bis.org/bcbs/publ/d424.pdf [17 May 2021].
[9] Basel Committee on Banking Supervision (2021) Revisions to the principles for the sound management of operational risk, [Online], Available: https://www.bis.org/bcbs/publ/d515.pdf [17 May 2021].
[10] Buchmüller, P. (2001) Die Berücksichtigung des operationellen Risikos in der Neuen Basler Eigenkapitalvereinbarung, [Online], Available: https://publikationen.uni-tuebingen.de/xmlui/handle/10900/47399 [17 May 2021].
[11] Buzziol, S. (2004) ‘Operationelle Risiken managen: Eine erste Systematik zum überlegten Umgang mit operationellen Risiken’, BankInformation, no. 9, pp. 16–20.
[12] Capobianco, C. (2014) Position Paper in response to BCBS consultation on Operational Risk: Revisions to the simpler approaches, [Online], Available: https://www.bis.org/publ/bcbs291/aiba.pdf [17 May 2021].
[13] Capobianco, C. (2016) Position Paper in response to BCBS consultation on the Standardised Measurement Approach for operational risk, [Online], Available: https://www.bis.org/bcbs/publ/comments/d355/italianbankinga.pdf [17 May 2021].
[14] Conlon, T., Huan, X. and Ongena, S. (2020) Operational Risk Capital, Swiss Finance Institute Research Paper, no. 20–55, [Online], Available: http://ssrn.com/abstract=3661486 [17 May 2021].
[15] Deutsche Bundesbank (2004) ‘Neue Eigenkapitalanforderungen für Kreditinstitute (Basel II)’, Monatsbericht der Deutschen Bundesbank, no. 9, pp. 75–100.
[16] Deutsche Bundesbank (2018) ‘Die Fertigstellung von Basel III’, Monatsbericht der Deutschen Bundesbank, no. 1, pp. 77–94.
[17] Enrique, J. (2015) Saudi banks comments on BCBS Consultative document Entitled ‘Operational Risk: Revisions to the simpler approaches’, [Online], Available: https://www.bis.org/publ/bcbs291/sama.pdf [17 May 2021].
[18] European Council (2020) Eigenkapitalanforderungen für den Bankensektor, [Online], Available: https://www.consilium.europa.eu/de/policies/banking-union/single-rulebook/capital-requirements/ [17 May 2021].
[19] European Economic Community (2006) Council Directive of 8 December 1986 on the annual accounts and consolidated accounts of banks and other financial institutions (86/635/EEC, cited as directive on consolidated financial statements) (EU Official Journal, L 372 of 31.12.1986, pp. 1–17), amended by Directive 2006/46/EC of the European Parliament and of the Council of 14 June 2006 (EU Official Journal, L 224 of 16.08.2006, pp. 1–7).
[20] European Union (2019) Directive 2013/36/EU (cited as CRD) of the European Parliament and of the Council of 26 June 2013 on access to the activity of credit institutions and the prudential supervision of credit institutions and investment firms, amending Directive 2002/87/EC and repealing Directives 2006/48/EC and 2006/49/EC (EU Official Journal, L 176 of 27.06.2013, pp. 338–436), amended by Directive (EU) 2019/878 of the European Parliament and of the Council of 20 May 2019 (EU Official Journal, L 150 of 07.06.2019, pp. 253–295).
[21] European Union (2020) Regulation (EU) No 575/2013 (cited as CRR) of the European Parliament and of the Council of 26 June 2013 on prudential requirements for credit institutions and investment firms and amending Regulation (EU) No 648/2012 (EU Official Journal, L 176 of 27.06.2013, pp. 1–337), amended by Regulation (EU) 2020/873 of the European Parliament and the Council of 24 June 2020 (EU Official Journal, L 204 of 26.06.2020, pp. 4–17).
[22] Federal Financial Supervisory Authority (2009) Studie zum Management operationeller Risiken in Instituten, die einen Basisindikatoransatz verwenden, [Online], Available: https://www.bafin.de/SharedDocs/Downloads/DE/Eigenmittel_BA/dl_studie_oprisk_bia_ba.html [17 May 2021].
[23] Federal Ministry of Finance (2007) Begründung zur Verordnung über die angemessene Eigenmittelausstattung (Solvabilität) von Instituten: Solvabilitätsverordnung (SolvV) vom 18.01.2007, in Consbruch, J. and Fischer, R. (ed.) Kreditwesengesetz: Bank-, Bankaufsichts- und Kapitalmarktrecht mit amtlichen Verlautbarungen: Textsammlung, Munich: Beck.
[24] Feridun, M. and Özün, A. (2020) ‘Basel IV implementation: a review of the case of the European Union’, Journal of Capital Markets Studies, vol. 4, pp. 7–24.
[25] Kiszka, S. (2018) Die Steuerung operationeller Risiken in Kreditinstituten: Eine kritische Analyse des neuen Standardansatzes, Wiesbaden: Springer Gabler.
[26] Köhne, M.F. (2005) ‘Die Implementierung eines Frameworks für das Management von Operational Risk’, in Becker, A., Gaulke, M. and Wolf, M. (ed.) Praktiker-Handbuch Basel II, Stuttgart: Schäffer-Poeschel.
[27] KPMG (2014) Operationelle Risiken: Überarbeitung der einfachen Kapitalansätze (Säule 1) durch den Basler Ausschuss: Konsultation der Änderung des Berechnungsverfahrens für die Eigenmittelunterlegung, [Online], Available: https://assets.kpmg/content/dam/kpmg/pdf/2014/10/kpmg-newsletter-oprisk-okt2014.pdf [17 May 2021].
[28] Lenzmann, B. (2008) ‘Quantifizierung operationeller Risiken als Bestandteil der ökonomischen Kapitalsteuerung’, in Becker, A., Gehrmann, V. and Schulte-Mattler, H. (ed.) Handbuch ökonomisches Kapital, Frankfurt am Main: Fritz Knapp.
[29] Rogler, S. (2020) ‘Keyword «Bankbilanzrichtlinie»’, in Gramlich, L., Gluchowski, P., Horsch, A., Schäfer, K. and Waschbusch, G. (ed.) Gabler Banklexikon (A–J), Wiesbaden: Springer Gabler.
[30] Schulte-Mattler, H. (2007) ‘Kontinuum der Messansätze für operationelle Risiken’, Die Bank, no. 9, pp. 58–61.
[31] Thompson, M. and Hillen, J. (2016) Deutsche Börse Group Position Paper on BCBS consultative document ‘Standardised Measurement Approach for operational risk’, [Online], Available: https://www.bis.org/bcbs/publ/comments/d355/gdb.pdf [17 May 2021].
[32] Waschbusch, G. and Kiszka, S. (2020a) Die bremsende Wirkung der Coronakrise auf die finale Umsetzung der Krisenregularien von Banken, Global Mergers & Transactions, [Online], Available: https://www.tax-legal-excellence.com/bremsende-wirkung-coronakrise-auf-finale-umsetzung-krisenregularien-banken/ [17 May 2021].
[33] Waschbusch, G. and Kiszka, S. (2020b) ‘Neue aufsichtsrechtliche Anforderungen an die Risikosteuerung’, Zeitschrift für das gesamte Kreditwesen, vol. 73, pp. 1044–1048.

Summary

Operational risks have become increasingly important for banks, especially against the background of growing IT dependency and the increasing complexity of their activities. Furthermore, the corona pandemic contributed to the increased risk potential. Therefore, banks have to back these risks with own funds. There are currently three measurement approaches for determining the capital requirements for operational risk. In recent years, and especially during the Great Financial Crisis of 2007/2008, however, some of the weaknesses inherent in these approaches have become apparent. Thus, the Basel Committee on Banking Supervision revised the current capital framework. Therefore, this article examines the various measurement approaches, addresses inherent weaknesses and moreover, presents the future measurement approach developed by the supervisory authorities.

JEL codes: G21, G22, G28, G32, M16, M21, C02

Keywords: banking, banking supervision, operational risk, measurement approaches


NIBM WORKING PAPER SERIES
(Policy Research Paper)

Operational Risk Management – Regulatory Guidance to remain Resilient

Dr Richa Verma Bajaj

Working Paper
(WP47/2024)

NATIONAL INSTITUTE OF BANK MANAGEMENT
Pune, Maharashtra, 411048
INDIA
August 2024

The views expressed herein are those of the authors and do not necessarily reflect the views of
the National Institute of Bank Management.
NIBM working papers are circulated for discussion and comment purposes. They have not been
peer-reviewed or been subject to the review for Journal or Book Publication.
© 2024 by Richa Verma Bajaj

Citation Guideline:
Bajaj, Richa Verma (2024), “Operational Risk Management – Regulatory Guidance to remain
Resilient”. NIBM Working Paper Series: Policy Research Paper WP 47/August.

https://www.nibmindia.org/static/working_paper/NIBM_WP47_RVB.pdf

ABSTRACT

The new and revised guidance note on Operational Risk Management and Operational Resilience, issued on April 30, 2024, responds to the sound practice principles issued by the Basel Committee for Operational Risk Management and Operational Resilience in 2021. These are on account of the growing dependency of regulatory entities (RE) on third party service providers, technological advancements and the interconnected financial landscape. In order to reduce the impact of these, separate principles for mapping of internal and external interconnections and interdependencies, information and communication technology (ICT), and disclosure are suggested. This calls for efforts from all the stakeholders to foster a resilient financial environment. The introduction of an incident management system, reflecting on the “Lesson Learned Exercise and Continuous feedback mechanism”, is an important move to control operational incidents.

Key words: Banks, Operational risk, Risk management, Basel Accord

JEL Classification: G18, G21, G32

Richa Verma Bajaj (Corresponding Author)



I. Introduction

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. It includes legal risk but excludes strategic and reputational risk. It is inherent in all banking/financial products, activities, processes and systems. The recent Covid-19 pandemic has highlighted the financial sector’s rising exposure to various operational risks, on account of increasing reliance on third-party service providers (including technology service providers) and virtual working arrangements. This calls for strong operational risk management and operational resilience, so that financial services and the intermediation function are provided smoothly and critical operations continue to be delivered during any disruption. The recent guidance note lists the causes of disruption in banks and financial institutions as mainly “man-made, system and IT related, geopolitical conflicts, business disruptions, internal/external frauds, execution/delivery errors, third party dependencies, or natural disasters and climate change”. The pandemic and past crises have shown that such disruptions are enough to affect a financial entity’s customers and other market participants and, ultimately, its financial stability. This demands separate principles for mapping of internal and external interconnections and interdependencies, incident management systems, information and communication technology (ICT), and disclosures. The new and revised guidance note clearly spells these out.

II. Summary of the Guidance Note

This note aligns the regulatory Guidance Note on Operational Risk Management and Operational Resilience, issued on April 30, 2024, with the Basel Committee on Banking Supervision (BCBS) principles on operational risk: (a) ‘Revisions to the Principles for the Sound Management of Operational Risk’ (PSMOR) and (b) ‘Principles for Operational Resilience (POR)’, issued in 2021. The focus of these principles is on:

Principles for Operational Risk Management
- Strong Risk Culture
- Operational Risk Management Framework (ORMF)
- Governance
- Operational Risk Appetite and Tolerance
- Identification and Assessment
- Change Management Process
- Monitoring and Reporting
- Control and Mitigation
- ICT risk management
- Business continuity planning
- Role of Disclosures and Role of Supervisors

Principles for Operational Resilience
- Governance
- Operational risk management
- Business continuity planning & testing
- Mapping of interconnections & interdependencies of critical operations
- Third-party dependency management
- Incident management
- Resilient information & communication technology (ICT), including cybersecurity

Source: bis.org

Given this, the focus of the guidance note is to instruct all regulatory entities to enhance their operational risk management and operational resilience. The update incorporates lessons learned from the recent pandemic and subsequent disruptions, as well as technological advancements that pose both risks and opportunities for financial institutions. The objective is to adopt global best practices in operational risk management and operational resilience. The principle-based approach allows for implementation based on the RE’s nature, size and complexity of operations. With the introduction of the new guidance note, the existing one issued in 2005 stands repealed. The changes suggested through the guidance note not only expand the scope of operational risk management practices but also suggest a strategic response to the concept of operational resilience. The principles listed below emphasize the role of effective governance and strong risk management in enabling the regulatory entity to work through disruptions with minimal operational issues and downtime. Annexure I provides a tabular representation of how the sound practice papers have evolved over the last 20 years and aligns them with the guidance note provided by RBI.

Source: RBI, Guidance Note (2024)


III. Newer Elements in the Guidance Note

As mentioned above, the revised guidance note is an improvement over the existing one, and the guiding principles are an outcome of the recent disruption caused by the pandemic and bank-specific operational issues. The newer elements in the guidance are as below:

(i) Scope of the Guidance Note: In order to strengthen financial sector resilience, the scope of the revised and new guidance note has been extended to all regulatory entities, comprising commercial banks, non-banking finance companies and all India finance institutions (AIFI), including Housing Finance Companies (HFCs) and cooperative banks. The guidance previously applied only to commercial banks operating in the country.

(ii) Measures for Technology and Cyber Security: With the increasing reliance on technology, the guidance note provides complete instructions on managing risks related to ICT, including cyber security. REs need to develop a strong ICT risk management programme, which should be aligned with their ORMF. REs are also instructed to prioritise cyber security measures to avoid any security breach of institution-specific critical information.

(iii) Managing External Dependencies: The guidance stresses the timely recognition of threats to the bank and financial institution. Given this, managing dependencies on external relationships, including third parties (particularly outsourcing), becomes important. That is why a thorough risk assessment and the required due diligence should be conducted before engaging any party. The RE has to ensure the operational resilience of the third party, both in routine operations and during disruptions.

(iv) Mapping Interconnection and Interdependencies: According to BIS, “Once a bank has identified its critical operations, the bank should map the internal and external interconnections and interdependencies that are necessary for the delivery of critical operations consistent with its approach to operational resilience”1. This includes identification and documentation of the people, technology, processes, information and facilities needed to perform critical operations. The note provides principles on mapping interdependencies and establishing impact tolerances for critical operations, and suggests developing and implementing recovery and response plans to manage incidents that could disrupt the delivery of critical operations.

(v) Three Lines of Defence: The note elucidates the need for a clear governance structure, with clearly defined roles and responsibilities in line with the ‘Three lines of defence model’, wherein business unit management forms the first line of defence; the organisational operational risk management function (including the compliance function) forms the second line of defence; and the audit function forms the third line of defence. This was not considered in the earlier guidance note.

1 Principles for operational resilience – Executive Summary (bis.org)

(vi) Risk Management Processes: Principles 6, 8 and 9 of the note detail the need for tools for identification and assessment of operational risks. The note recommends tools like self-assessment, event management, scenario analysis, and benchmarking to help REs proactively identify, assess and manage their operational risk profiles. An effective operational risk management process helps in timely identification of both internal and external threats to an RE and supports a timely corrective action plan designed to deal with human and/or technological errors.

(vii) Business Continuity Planning: The guidance note urges REs to have robust business continuity plans. The BCP and testing framework of the entity should be tested through simulation exercises under both normal and severe conditions. The severe scenario may look at plausible disruptions to an entity’s operations. The note emphasizes that the BCP framework should be aligned with the RE’s operational risk management framework. The identification of key operations as well as key personnel is important in deciding on these scenarios. This makes the task of simulating a disruptive event easy for the RE.

(viii) Change Management: The literature suggests that an effective operational risk management process influences the change management capabilities within an institution. That is why, in order to maintain operational resilience in regulatory entities, this principle spells out the role of effectively managing change. The guidance note provides detailed guidance in line with PSMOR. The focus is to detect and evaluate threats and vulnerabilities fast and to develop adequate controls and procedures to deal with them.

(ix) Develop Risk Appetite and Tolerance Statement (RATS): The RE should develop a risk appetite and tolerance statement for both normal conditions and disruption.

(x) Lesson Learned Exercise and Feedback Mechanism: The note also introduces separate principles on the "lessons learned exercise" and a continuous feedback mechanism, in line with the Incident Management Principle under Operational Resilience. The guidance suggests learning from past events and continuously improving risk management processes and methods on that basis for better controls.

(xi) Operational Risk Capital Charge Estimation: The 2005 guidance note clearly provides details regarding the methods of operational risk capital charge estimation. In contrast, the revised guidance note provides no discussion of capital charge estimation methods.

IV. Implication on Banking and Financial Institutions

The increasing dependence on and integration of technology in the financial operations of the regulatory entity has exposed it to significant vulnerabilities, necessitating an innovative approach to assessing operational risk management in order to remain resilient to shocks. The BIS press release2 documents that “The principles for operational resilience build upon the PSMOR, are largely derived and adapted from existing guidance on outsourcing, business continuity and risk management related guidance issued by the Committee or national supervisors over a number of years”. Given this background, the revised guidance note by the Reserve Bank of India provides a holistic approach for enhancing operational resilience in the regulatory entities, given the interconnected financial landscape and growing dependency on third party service providers. The 17 principles listed in the note would help the regulatory entities to identify, assess, manage and mitigate their operational risks in an increasingly complex and changing environment. The alignment of the Operational Risk Management Framework (ORMF) by regulatory entities to these principles is a first step in this direction.

2 Press release: Basel Committee issues principles for operational resilience and risk (bis.org)

On the whole, rapid adaptation to this evolving regulatory risk landscape calls for effective change management, advanced technological solutions, incident management systems, and third-party dependency management in regulatory entities. Effort from all the stakeholders is essential to foster a resilient financial environment that can withstand and thrive in the presence of any disruption. In addition, introducing a robust feedback mechanism and analysing the feedback to develop action plans that ensure continuous improvement and adaptation to new challenges is the need of the hour. The RBI guidance note offers guidance best suited to the Indian environment and considers global best practices.

References

RBI Guidance Note (2024), rbidocs.rbi.org.in/rdocs/notification/PDFs/GUIDANCENOTEONORMANDORBFDF5D6F62CE430D82E672634B8C4F02.PDF

PSMOR (2021), Revisions to the Principles for the Sound Management of Operational Risk (bis.org)

POR (2021), https://www.bis.org/bcbs/publ/d516.pdf
Annexure I
Sound Practice Paper

Basel Committee on Banking Supervision Reserve Bank of India (RBI)*3


2003 2011 2021
Sound Practices for the Principles for the Principles for the Sound Principles for Operational
Management and Sound Management of Risk Management and
Supervision of Management of Operational Risk Operational Resilience
Operational Risk Operational Risk
Developing an Principle 1 The board of directors Fundamental The board of The board of directors Prepare and The Board of Directors should
Appropriate should be aware of the principles of directors should should take the lead in Protect take the lead in establishing a
Risk major aspects of the operational risk take the lead in establishing a strong risk strong risk management
Management bank’s management establishing a management culture, culture, implemented by Senior
Environment operational risks as a strong risk implemented by senior Management. The Board of
distinct risk category management management. The board Directors and Senior
that should be managed, culture. The board of directors and senior Management should establish a
and it should of directors and management should corporate culture guided by
approve and senior establish a corporate strong risk management, set
periodically review the management culture guided by strong standards and incentives for
bank’s operational risk should establish a risk management, set professional and responsible
management corporate culture standards and incentives behaviour, and ensure that staff
framework. that is guided by for professional and receives appropriate risk
The framework should strong risk responsible behaviour, management and ethics
provide a firm-wide management and and ensure that staff training.
definition of operational that supports and receives appropriate risk
risk and lay down provides management and ethics
the principles of how appropriate training.
operational risk is to be standards and
identified, assessed, incentives for
monitored, and professional and
controlled/mitigated. responsible
behaviour. In this
regard, it is the
responsibility of
the board of
directors to ensure
that a strong

3
*the text in bold highlights the text given in RBI guidance note but doesn’t form part of PSMOR

8
Basel Committee on Banking Supervision Reserve Bank of India (RBI)*3
2003 2011 2021
Sound Practices for the Principles for the Principles for the Sound Principles for Operational
Management and Sound Management of Risk Management and
Supervision of Management of Operational Risk Operational Resilience
Operational Risk Operational Risk
operational risk
management
culture exists
throughout the
whole
organisation.
Principle 2 The board of directors Banks should Banks should develop, REs should develop, implement
should ensure that the develop, implement and maintain and maintain an ORMF that is
bank’s operational risk implement and an operational risk fully integrated into the RE’s
management framework maintain a management framework overall risk management
is subject to effective Framework that is that is fully integrated into processes. The ORMF adopted
and comprehensive fully integrated the bank’s overall risk by an individual RE will depend
internal audit by into the bank’s management processes. on a range of factors, including
operationally overall risk The ORMF adopted by an its nature, size, complexity and
independent, management individual bank will risk profile. Further, REs
appropriately trained processes. The depend on a range of should utilize their existing
and competent staff. The Framework for factors, including the governance structure to
internal audit function operational risk bank’s nature, size, establish, oversee and
should not be directly management complexity and risk implement an effective
responsible for chosen by an profile. operational resilience
operational risk individual bank approach that enables them
management. will depend on a to respond and adapt to, as
range of factors, well as recover and learn
including its from, disruptive events in
nature, size, order to minimise their
complexity and impact on delivering critical
risk profile. operations through
disruption.
Principle 3 Senior management Governance The Board of Board of directors: The The Board of Directors should
should have Directors: The board of directors should approve and periodically
responsibility for board of directors approve and periodically review the ORMF and
implementing the should establish, review the operational Operational Resilience
operational risk approve and risk management approach, and ensure that

management framework periodically review framework, and ensure Senior Management
approved by the board the Framework. that senior management implements the policies,
of directors. The The board of implements the policies, processes and systems of the
framework should be directors should processes and systems of ORMF and Operational
consistently oversee senior the operational risk Resilience approach effectively
implemented management to management framework at all decision levels.
throughout the whole ensure that the effectively at all decision
banking policies, processes levels.
organisation, and all and systems are
levels of staff should implemented
understand their effectively at all
responsibilities with decision levels.
respect to operational
risk management.
Senior management
should also have
responsibility for
developing policies,
processes and
procedures for
managing
operational risk in all of
the bank’s material
products, activities,
processes and
systems.
Risk Principle 4 Banks should identify The board of The board of directors The Board of Directors should
Management: and assess the directors should should approve and approve and periodically
Identification, operational risk approve and periodically review a risk review a risk appetite and
Assessment, inherent in all review a risk appetite and tolerance tolerance statement for
Monitoring and material products, appetite and statement for operational Operational Risk that
Mitigation/Cont activities, processes and tolerance risk that articulates the articulates the nature, types and
rol systems. Banks should statement for nature, types and levels of levels of Operational Risk the
also ensure that operational risk RE is willing to assume. The

before new products, that articulates the operational risk the bank Board of Directors should
activities, processes and nature, types and is willing to assume. also review and approve the
systems are introduced levels of criteria for identification and
or undertaken, operational risk classification as critical
the operational risk that the bank is operations as well as of
inherent in them is willing to assume. impact tolerances for each
subject to adequate critical operation, in order to
assessment procedures. enhance RE’s Operational
Resilience.
Principle 5 Banks should implement Senior Senior management Senior Management should
a process to regularly management should develop for develop for approval by the
monitor operational risk should develop for approval by the board of Board of Directors a clear,
profiles and material approval by the directors a clear, effective effective and robust governance
exposures to losses. board of directors and robust governance structure with well-defined,
There should be regular a clear, effective structure with well- transparent and consistent lines
reporting of and robust defined, transparent and of responsibility. Senior
pertinent information to governance consistent lines of Management is responsible for
senior management and structure with well responsibility. Senior consistently implementing and
the board of directors defined, management is maintaining throughout the
that supports transparent and responsible for organisation policies, processes
the proactive consistent lines of consistently implementing and systems for managing
management of responsibility. and maintaining Operational Risk in all of the
operational risk. Senior throughout the RE’s material products,
management is organisation policies, activities, processes and
responsible for processes and systems for systems consistent with its risk
consistently managing operational risk appetite and tolerance
implementing and in all of the bank’s statement.
maintaining material products,
throughout the activities, processes and
organisation systems consistent with
policies, processes the bank’s risk appetite
and systems for and tolerance statement.
managing
operational risk in

all of the bank’s
material products,
activities,
processes and
systems consistent
with the risk
appetite and
tolerance.
Principle 6: Banks should have Risk Management Identification and Identification and Identification and
policies, processes and Environment Assessment: assessment: Senior assessment: Senior
procedures to control Senior management should Management should ensure the
and/or management ensure the comprehensive comprehensive identification
mitigate material should ensure the identification and and assessment of the
operational risks. Banks identification and assessment of the Operational Risk inherent in all
should periodically assessment of the operational risk inherent material products, activities,
review their risk operational risk in all material products, processes and systems to make
limitation and control inherent in all activities, processes and sure the inherent risks and
strategies and should material products, systems to make sure the incentives are well understood.
adjust their operational activities, inherent risks and Both internal and external
risk profile processes and incentives are well threats and potential failures
accordingly using systems to make understood. in people, processes and
appropriate strategies, sure the inherent systems should be assessed
in light of their overall risks and promptly and on an ongoing
risk appetite and incentives are well basis. Assessment of
profile. understood. vulnerabilities in critical
operations should be done in
a proactive and prompt
manner. All the resulting
risks should be managed in
accordance with operational
resilience approach.
Principle 7 Banks should have in Senior Senior management Senior Management should
place contingency and management should ensure that the ensure that the RE’s change

business continuity should ensure that bank’s change management process is
plans to there is an management process is comprehensive, appropriately
ensure their ability to approval process comprehensive, resourced and adequately
operate on an ongoing for all new appropriately resourced articulated between the
basis and limit losses in products, and adequately relevant lines of defence.
the event of activities, articulated between the
severe business processes and relevant lines of defence.
disruption. systems that fully
assesses
operational risk.
Role of Principle 8 Banking supervisors Monitoring and Monitoring and Monitoring and reporting:
Supervisors should require that all Reporting: Senior reporting: Senior Senior Management should
banks, regardless of size, management management should implement a process to
have an effective should implement implement a process to regularly monitor Operational
framework in place to a process to regularly monitor Risk profiles and material
identify, assess, monitor regularly monitor operational risk profiles operational exposures.
and control/mitigate operational risk and material operational Appropriate reporting
material operational profiles and exposures. Appropriate mechanisms should be in place
risks as part of an material exposures reporting mechanisms at the Board of Directors, Senior
overall approach to risk to losses. should be in place at the Management, and business unit
management. Appropriate board of directors, senior levels to support proactive
reporting management, and management of Operational
mechanisms business unit levels to Risk.
should be in place support proactive
at the board, management of
senior operational risk.
management, and
business line levels
that support
proactive
management of
operational risk.

Principle 9 Supervisors should Control and Control and mitigation: Control and mitigation: REs
conduct, directly or Mitigation: Banks Banks should have a should have a strong control
indirectly, regular should have a strong control environment that utilises
independent strong control environment that utilises policies, processes and systems;
evaluation of a bank’s environment that policies, processes and appropriate internal controls;
policies, procedures and utilises policies, systems; appropriate and appropriate risk mitigation
practices related to processes and internal controls; and and/or transfer strategies.
operational risks. systems; appropriate risk
Supervisors should appropriate mitigation and/or transfer
ensure that there are internal controls; strategies.
appropriate and appropriate
mechanisms in place risk mitigation
which and/or transfer
allow them to remain strategies.
apprised of
developments at banks.
Role of Principle 10 Banks should make Business Information and Build Mapping of Interconnections
Disclosure sufficient public Resiliency and communication Resilience and Interdependencies: Once
disclosure to allow Continuity: Banks technology: Banks should a RE has identified its critical
market should have implement a robust ICT operations, it should map the
participants to assess business resiliency risk management internal and external
their approach to and continuity programme in alignment interconnections and
operational risk plans in place to with their operational risk interdependencies that are
management. ensure an ability to management framework. necessary for the delivery of
operate on an critical operations consistent
ongoing basis and with its approach to
limit losses in the operational resilience.
event of severe
business
disruption.
Principle 11 Role of A bank’s public Business continuity Third-party dependency
Disclosure disclosures should planning: Banks should management: REs should
allow stakeholders have business continuity manage their dependencies

to assess its plans in place to ensure on relationships, including
approach to their ability to operate on those of, but not limited to,
operational risk an ongoing basis and limit third parties (which include
management. losses in the event of a intragroup entities), for the
severe business delivery of critical
disruption. Business operations.
continuity plans should be
linked to the bank’s
operational risk
management framework.
Principle 12 Role of disclosure: A Business Continuity Planning
bank’s public disclosures and Testing: REs should have
should allow stakeholders business continuity plans in
to assess its approach to place to ensure their ability to
operational risk operate on an ongoing basis and
management and its limit losses in the event of a
operational risk exposure. severe business disruption.
Business continuity plans
should be linked to the RE’s
ORMF. REs should conduct
business continuity exercises
under a range of severe but
plausible scenarios in order
to test their ability to deliver
critical operations through
disruption.
Principle 13 Role of supervisors Incident management: REs
should develop and
implement response and
recovery plans to manage
incidents that could disrupt
the delivery of critical
operations in line with the

RE’s risk appetite and
tolerance for disruption. REs
should continuously improve
their incident response and
recovery plans by
incorporating the lessons
learned from previous
incidents.
Principle 14 Information and
Communication Technology
(ICT) including Cyber
Security: REs should
implement a robust Information
and Communication
Technology (ICT) risk
management programme in
alignment with their ORMF and
ensure a resilient ICT
including cyber security that
is subject to protection,
detection, response, and
recovery programmes that
are regularly tested,
incorporate appropriate
situational awareness and
convey relevant timely
information for risk
management and decision-
making processes to fully
support and facilitate the
delivery of the RE’s critical
operations.

Principle 15 Learn and Disclosure and Reporting: An
Adapt RE’s public disclosures should
allow stakeholders to assess its
approach to Operational Risk
management and its
Operational Risk exposure.
Principle 16 Lessons Learned Exercise and
Adapting: A lessons learned
exercise should be conducted
after a disruption to a critical
or important business service
to enhance an RE’s
capabilities to adapt and
respond to future operational
events.
Principle 17 Continuous improvement
through Feedback Systems: A
RE should promote an
effective culture of learning
and continuous improvement
as operational resilience
evolves through effective
feedback systems.

White Paper

Operational Risk
Modeling in Banking:
Basel III Frameworks, Approaches, and Techniques
1 Operational Risk Modeling in Banking - White Paper

Contents
Introduction
Overview of Basel III Regulatory Accord
BASEL III Implementation Status
BASEL III Implications on Small Banks
BASEL III Operational Risk Modeling: Frameworks and Approaches
    I. Basic Indicator Approach (BIA)
    II. Standardized Approach (SA)
    III. Advanced Measurement Approaches (AMA)
    IV. The Standardized Measurement Approach (SMA) – Latest Update
Advanced Techniques in Operational Risk Modeling
    I. Scenario Analysis and Stress Testing
    II. Quantitative Models and Simulation
    III. Machine Learning and AI in Risk Modeling
Challenges and Opportunities in Operational Risk Modeling
    I. Data Quality and Integration
    II. Specialized Talent Requirement
    III. Regulatory Changes and Compliance
Conclusion
References & Endnotes

Issued by: Anaptyss Inc.


© Anaptyss 2024. All rights reserved

Executive Summary
This white paper provides banking executives, risk managers, and compliance professionals
crucial guidance for enhancing operational risk management practices in line with Basel III
mandates.

It gives an overview of operational risk modeling in banking under the Basel III regulatory
framework and explains the key approaches to managing operational risks. These include the
Basic Indicator Approach (BIA), Standardized Approach (SA), Advanced Measurement Approaches
(AMA), and the latest Standardized Measurement Approach (SMA).

The white paper outlines advanced techniques such as scenario analysis, quantitative models,
and integrating AI and ML with operational risk assessment, emphasizing the need to transition
from qualitative to quantitative, data-driven approaches.

It also reviews the challenges and opportunities arising from regulatory changes, data
management, and the advent of new technologies, underscoring the importance of
cybersecurity and the incorporation of ESG factors into risk modeling.

Through this comprehensive analysis, the white paper aims to provide helpful guidance on
effective operational risk management practices.


Introduction
Operational risk management (ORM) in banking is not just a regulatory requirement but also
a strategic necessity. Banks that effectively manage operational risks can safeguard against
financial losses and enhance their reputation, operational efficiency, and resilience.

Operational Risk Modeling is a more specific aspect of ORM. It involves using statistical models
to quantify operational risks and predict the potential financial impact of those risks on the
organization.

These models are crucial for setting aside adequate capital reserves under regulatory
requirements (such as the Basel III framework) and for internal risk management purposes.

Operational risk can manifest in various ways, such as:


• Fraud Risks - associated with the lack of controls that could allow for theft or fraud.
• Process Risks - associated with the design, organization, and management of people and
processes.
• System Risks - related to the use of technology and systems.
• External Risks - from external events such as natural disasters or changes in the
regulatory environment.

They present extreme complexities to mitigation strategies due to diverse and volatile risk
factors that span multiple aspects, such as technology, people, policies, and external factors.

For instance, the sheer availability of data can give rise to challenges in data processing,
privacy, security, etc., leading to the risks of data theft or misuse.

The ongoing need to adopt new/disruptive technologies to keep up with the evolving market
can also spawn unique risk scenarios concerning cybersecurity and technological breakdown.

The Basel Committee on Banking Supervision defines operational risk as potential loss due to
inadequate or failed internal processes, people, systems, or external events.

This broad definition includes a range of issues, from fraud and legal risks to disasters.
However, its profile has increased in the banking sector, particularly considering financial
crises and scandals that underscore the need for robust risk management practices.

Unlike credit or market risk, operational risk is often less transparent and deeply embedded
in the web of an institution’s processes, making it inherently challenging to identify and
quantify.


Overview of Basel III Regulatory Accord


Basel III is a global regulatory framework representing a significant evolution in the
global standards for bank capital adequacy, stress testing, and market liquidity risk.

Introduced in 2010 in response to the deficiencies in financial regulation revealed by the 2008
financial crisis, Basel III aims to strengthen the regulation, supervision, and risk management
within the banking sector.

A key component of Basel III is its emphasis on operational risk management, reflecting the
growing recognition of operational risk’s impact on a bank’s financial health and stability.

For operational risk, Basel III mandates banks to maintain a capital reserve, the Operational
Risk Capital Requirement (ORCR), as a buffer against potential losses. The minimum
Common Equity Tier 1 (CET1) capital was raised from 4% under Basel II to 4.5% under Basel III.

Additionally, a capital conservation buffer of 2.5% was introduced, effectively raising the total
CET1 requirement to 7%.

This requirement is calculated based on a bank’s size, complexity, and overall risk profile.


BASEL III Implementation Status


Basel III reforms, initially published in 2010 with a voluntary implementation deadline set
for 2015, were designed to improve the banking sector’s ability to absorb shocks arising
from financial and economic stress, enhance risk management, and strengthen banks’
transparency and disclosures.

United States
• The consultation process has not yet started.
• Future notices of proposed rulemaking are anticipated.

European Union & United Kingdom
• Finalizing rules, with implementation starting January 1, 2025.
• Five-year phase-in for output floor requirements.

Switzerland
• Expected to finalize Basel III rules in 2025.
• With a 3-year transition period ending in 2028

Asia-Pacific & Others
• Some jurisdictions like Australia and China have started implementation
• Others planning to follow suit

However, the implementation has been carried out in stages due to the complexity of the
reforms and the need for a phased approach to allow banks and regulators to make the
necessary adjustments.

The timeline for implementing these reforms experienced several adjustments. In 2019,
updates to the timeline were announced, setting a new path forward for the adoption of
these measures.

This timeline was further extended in 2020 as a response to the COVID-19 pandemic,
acknowledging the operational challenges faced by banks and the critical need to support
the economy during the crisis. Consequently, the starting date for implementing the Basel III
reforms was pushed to January 1, 2023, with a five-year phase-in period to fully accommodate
the breadth and depth of the changes required.
At the time of creating this white paper, Basel III is in the final stage of
implementation.


BASEL III Finalization Timeline Overview

• 2010: Basel III reforms were published
• 2015: Voluntary implementation deadline
• 2017: Final Basel III reforms issued
• 2019: Final market risk capital requirements standard released
• 2020: A one-year deferral due to COVID-19 moved to 2023
• 2025: Implementation phase across various jurisdictions
• 2028: Full implementation of Basel III reforms

According to the RCAP report [1], two-thirds of member jurisdictions plan to implement all, or
the majority of, the standards by the end of 2024 and the remaining jurisdictions in 2025.

The Basel Committee on Banking Supervision met in February 2024 and approved revisions
to the Core Principles for effective banking supervision [2]. The final standard will be published
following the International Conference of Banking Supervisors on 24–25 April 2024.

BASEL III Implications on Small Banks


Basel III has significant implications for small banks. Here are some key points:

• Profitability and Efficiency Challenge
Basel III mandates banks to increase their capital, which can affect their lending and
investment capacities. They also need to invest in technology, data management, and risk
management tools to comply with the Basel III requirements, leading to additional costs.

• Increased Regulatory Burden
Basel III imposes additional administrative and regulatory burdens on both residential
and commercial lending that can arguably be expected to force many small banks to exit
the industry.


• Failure of Potential Mergers
The increased burdens could result in future failures or mergers with larger banks, as
losses and BI items from merged entities need to be included in the calculation of
operational risk capital (ORC). This can lead to a higher concentration in the banking
sector and increased systemic risk.

BASEL III Operational Risk Modeling: Frameworks and Approaches

The transition to Basel III has compelled banks to revisit their operational risk management
frameworks, emphasizing comprehensive risk assessment, data quality, and model
validation.

The Basel III framework encourages banks to adopt more sophisticated quantitative
approaches for managing operational risk. These approaches calculate regulatory capital
and enhance the bank’s understanding and management of operational risk. This section
explores the four main quantitative approaches outlined in Basel III:

1. Basic Indicator Approach (BIA)
2. Standardized Approach (SA)
3. Advanced Measurement Approaches (AMA)
4. Standardized Measurement Approach (SMA) – Latest Update

[Figure: BASEL III Operational Risk Modeling Approaches: Basic Indicator Approach (BIA), Standardized Approach (SA), Advanced Measurement Approaches (AMA), The Standardized Measurement Approach (SMA)]


I. Basic Indicator Approach (BIA)


BIA is the simplest of the three, requiring banks to hold capital for operational risk based on a
fixed percentage of their annual gross income. The fundamental assumption is that a bank’s
operational risk is directly proportional to its business volume. Therefore, gross income serves
as a proxy for the scale of operational risk exposure.

Key Features:
• Ease of Implementation
BIA is straightforward to implement, as it relies on readily available financial data.
• Fixed Capital Charge
The approach applies a standard alpha factor, typically 15%, across all banks, regardless of
the actual risk profile.
Limitations:
• Lack of Risk Sensitivity
It does not account for variations in risk across different banks or business lines.
• Incentive Misalignment
May not incentivize banks to improve risk management practices, as the capital
requirement is unrelated to the actual risk mitigated.

II. Standardized Approach (SA)


The Standardized Approach is more refined than the BIA and introduces differentiation by
business lines. Banks calculate their operational risk capital requirement as the sum of the
capital charges for each of the predefined business lines, multiplied by a factor (β) assigned
to each line.

Key Features:
• Business Line Differentiation
Recognizes that operational risk varies significantly across different business lines.

• Greater Sensitivity
Offers a more tailored approach by assigning different beta factors to different business
lines based on perceived risk levels.

Limitations:
• Limited Customization
While more sensitive than BIA, it does not fully account for the bank’s risk profile or
mitigation efforts.

• Potential for Misallocation
The predefined business lines and beta factors may not align perfectly with the bank’s
operational structure, leading to potential capital misallocations.


III. Advanced Measurement Approaches (AMA)


AMA represents the most sophisticated method, allowing banks to develop statistical models
to assess operational risk. Banks using AMA must demonstrate to regulators their ability to
capture severe tail risk events and show that their models are integrated into their daily risk
management processes.

Key Features:
• Customization
Banks can tailor their operational risk measurement to their specific business model and
risk profile.

• Use of Internal Data
Incorporates a wide range of internal data, scenario analysis, and external data to estimate
potential operational risk losses.

• Focus on Risk Management Integration
Encourages the integration of operational risk management into the bank’s overall risk
management framework.

Limitations:
• Complexity and Cost
Implementing AMA requires significant investment in systems, data collection, and
model validation.

• Regulatory Approval Required
Banks must obtain regulatory approval to use AMA, which can be a lengthy and uncertain
process.

IV. The Standardized Measurement Approach (SMA) – Latest Update


SMA is a significant update in the Basel III framework that addresses the shortcomings in the
first three operational risk capital frameworks, specifically BIA, SA, and AMA.

Basel III discontinues the use of banks’ internal models for calculating operational risk capital
requirements. This revision aims to refine the operational risk capital measurement by
replacing older approaches with a system that helps better understand the operational risk
exposure, primarily through introducing the Business Indicator (BI).

Key Features:
• Incorporation of Business Indicators (BI)
With BI calculation derived from the income statement and historical operational losses,
banks can understand their operational risks comprehensively.

• Regulatory Coefficients’ Calibration
A dynamic calibration mechanism for regulatory coefficients can allow banks to
adjust regulatory parameters or coefficients in response to changing market or risk
environments. This helps mitigate disproportionate capital requirements.

• Internal Loss Multiplier (ILM)
Adjusts the capital requirement based on the bank’s loss history, encouraging better loss
management.

• Loss Component
Incorporates the bank’s historical loss experience into the capital calculation.

Limitations:
• Complexity in BI Calculation
Calculating BI is a complex and intricate process that can pose a challenge for banks in
accurately assessing their operational risks.

• No One-Size-Fits-All Approach
The SMA approach may not fully accommodate the unique risks of different banking
models.
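
As an added worked example (not from the white paper), the Python sketch below computes the capital charge under the three formula-based approaches described above: BIA, SA and SMA. The 15% alpha is the figure quoted in the text; the business-line betas, the BI bucket coefficients and the ILM formula are taken from the Basel texts rather than from this page, and all input figures are constructed.

```python
import math

ALPHA = 0.15  # BIA alpha factor quoted in the text

# Beta factors per business line (Basel Standardized Approach; not listed on this page)
BETAS = {
    "corporate_finance": 0.18,
    "trading_and_sales": 0.18,
    "retail_banking": 0.12,
    "commercial_banking": 0.15,
    "payment_and_settlement": 0.18,
    "agency_services": 0.15,
    "asset_management": 0.12,
    "retail_brokerage": 0.12,
}

# SMA marginal coefficients per Business Indicator bucket: (upper bound in EUR bn, coefficient)
BI_BUCKETS = [(1.0, 0.12), (30.0, 0.15), (math.inf, 0.18)]


def bia_capital(gross_income_by_year):
    """BIA: alpha times the average of the years with positive gross income."""
    positive = [gi for gi in gross_income_by_year if gi > 0]
    return ALPHA * sum(positive) / len(positive) if positive else 0.0


def sa_capital(income_by_line_per_year):
    """SA: per year, sum beta x gross income over business lines, floor the
    yearly total at zero, then average over the years supplied."""
    yearly = []
    for year in income_by_line_per_year:
        unknown = set(year) - set(BETAS)
        if unknown:
            raise ValueError(f"unmapped business lines: {sorted(unknown)}")
        charge = sum(BETAS[line] * gi for line, gi in year.items())
        yearly.append(max(charge, 0.0))
    return sum(yearly) / len(yearly)


def bi_component(bi):
    """SMA Business Indicator Component: marginal coefficients applied per bucket."""
    bic, lower = 0.0, 0.0
    for upper, coeff in BI_BUCKETS:
        if bi > lower:
            bic += coeff * (min(bi, upper) - lower)
        lower = upper
    return bic


def internal_loss_multiplier(bic, annual_losses):
    """ILM = ln(e - 1 + (LC / BIC)^0.8), where the Loss Component LC is
    15 times the average annual operational loss."""
    loss_component = 15 * sum(annual_losses) / len(annual_losses)
    return math.log(math.e - 1 + (loss_component / bic) ** 0.8)


def sma_capital(bi, annual_losses):
    """SMA capital = BIC x ILM; bucket 1 banks use ILM = 1."""
    bic = bi_component(bi)
    if bi <= BI_BUCKETS[0][0]:
        return bic
    return bic * internal_loss_multiplier(bic, annual_losses)


if __name__ == "__main__":
    # Constructed inputs, EUR bn
    print("BIA:", bia_capital([1.2, -0.3, 1.5]))
    print("SA :", sa_capital([
        {"retail_banking": 0.9, "trading_and_sales": 0.3},
        {"retail_banking": 0.9, "trading_and_sales": -0.8},
        {"retail_banking": 1.0, "trading_and_sales": 0.5},
    ]))
    print("SMA:", sma_capital(2.0, [0.02] * 10))
```

A bank whose Loss Component equals its BIC gets an ILM of exactly 1; higher historical losses push the multiplier above 1 and lower losses pull it below, which is the loss-sensitivity the ILM bullet describes.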

Advanced Techniques in Operational Risk Modeling


Advanced risk modeling techniques are crucial to prepare banks for handling operational
risks and ensure capital adequacy.

I. Scenario Analysis and Stress Testing


Scenario Analysis and Stress Testing evaluate the impact of potential risk events on a bank’s
financial condition in extreme hypothetical circumstances or changes in the market.

These techniques involve:

1. The development of hypothetical scenarios

2. Assessment of internal controls, processes, and systems for operational risk management
in such scenarios

3. Analysis of how operational risks could lead to significant financial losses


Basel III encourages forward-looking stress tests that consider various operational risk
scenarios. These use cases also include extreme but plausible events to help banks
understand vulnerabilities and enhance their risk management practices and internal
controls.

II. Quantitative Models and Simulation


Quantitative Models and Simulation involve using statistical models to estimate the
probability and impact of operational risk events.

These models often use historical data to simulate the loss distribution of operational risk
events, helping banks to quantify potential losses.

The Loss Distribution Approach (LDA)³ is a common quantitative method in operational
risk modeling prescribed in the Basel norms. Risk management practitioners follow this
approach to identify and evaluate the possible risks they could face in business. It combines
frequency and severity distributions to estimate the total loss distribution. This approach aids
in determining the capital necessary to cover potential operational risk losses.
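An added example, not part of the white paper: a Monte Carlo version of the LDA that draws an annual event count from a Poisson frequency distribution and each loss from a lognormal severity distribution, then reads capital off the simulated annual loss distribution. The Poisson/lognormal choice, the parameter values and the 99.9% quantile are assumptions for illustration.

```python
"""Loss Distribution Approach by Monte Carlo simulation (added example)."""
import math
import random


def poisson_draw(rng, lam):
    """Knuth's multiplication method; adequate for the moderate lam used here."""
    threshold = math.exp(-lam)
    count, product = 0, rng.random()
    while product > threshold:
        count += 1
        product *= rng.random()
    return count


def simulate_annual_losses(lam, mu, sigma, n_years, seed=0):
    """One aggregate loss per simulated year: sum of N lognormal severities."""
    rng = random.Random(seed)  # seeded so results are reproducible
    losses = []
    for _ in range(n_years):
        n_events = poisson_draw(rng, lam)
        losses.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    return losses


def quantile(sorted_values, q):
    """Empirical quantile: smallest value with at least a share q at or below it."""
    index = math.ceil(q * len(sorted_values)) - 1
    return sorted_values[min(len(sorted_values) - 1, max(0, index))]


def theoretical_expected_loss(lam, mu, sigma):
    """Closed-form mean of the compound distribution, used as a sanity check."""
    return lam * math.exp(mu + sigma ** 2 / 2)


def lda_capital(lam, mu, sigma, n_years=20000, q=0.999, seed=0):
    """Expected loss, tail quantile and their difference (unexpected loss)."""
    losses = sorted(simulate_annual_losses(lam, mu, sigma, n_years, seed))
    expected = sum(losses) / len(losses)
    tail = quantile(losses, q)
    return {
        "expected_loss": expected,
        "quantile_loss": tail,
        "unexpected_loss": tail - expected,
    }


if __name__ == "__main__":
    # Constructed parameters: 25 loss events a year on average, lognormal
    # severity with mu=10 and sigma=1 (mean single loss of about 36,000).
    result = lda_capital(lam=25, mu=10.0, sigma=1.0)
    for name, value in result.items():
        print(f"{name}: {value:,.0f}")
    print(f"theoretical mean: {theoretical_expected_loss(25, 10.0, 1.0):,.0f}")
```

The tail quantile is far noisier than the mean, so the number of simulated years matters much more for the capital figure than for the expected loss.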

III. Machine Learning and AI in Risk Modeling


Integrating machine learning and AI into operational risk modeling offers an innovative
approach to managing and mitigating risks.

ML and AI can analyze large volumes of data to identify patterns, correlations, and trends that
might not be evident through traditional risk management methods.

These technologies can predict and detect operational risks more effectively by improving
the accuracy of risk assessment models. Despite their potential, applying ML and AI in
operational risk modeling calls for caution, with attention to model governance, data
quality, and interpretability.

Challenges and Opportunities in Operational Risk Modeling
Operational risk modeling in the banking sector is fraught with challenges, yet ripe with
opportunities. As banks navigate operational risks, they encounter obstacles that test their
resilience and adaptability.

I. Data Quality and Integration


The Challenge
The foundation of effective operational risk management lies in the quality and integration
of data. Banks often grapple with issues such as data accuracy, completeness, and timeliness
across diverse and siloed systems.

The heterogeneity of data sources, combined with varying data standards and formats,
complicates the integration process. These challenges can lead to gaps in risk visibility and
flawed risk assessments.

The Opportunity
Advanced analytics and real-time reporting can detect operational risks more effectively,
revealing issues faster and reducing false positives. This approach enables banks to move
away from qualitative self-assessments towards automated, objective, and real-time risk
detection and transparency.

This setup can improve data quality and foster advanced data technologies such as cloud
storage, data lakes, and sophisticated analytics platforms that can enhance data aggregation
and analytical precision. Banks can leverage this to improve operational risk modeling, foster
a data-driven culture, and enable better decisions across all levels.

II. Specialized Talent Requirement


The Challenge
As the digitization of banking processes advances, there’s a growing need for specialists
to manage specific risk types such as cyber risk, fraud, and conduct risk. Operational risk
management requires technological expertise, data analysis, and sectoral knowledge to
monitor and assess human-factor risks and misconduct.

Insufficient resources and expertise can lead to:


• Failure to identify and assess potential risks
• Ineffective risk controls and mitigation strategies
• Inability to use data-driven insights for risk management
• Poor adoption and utilization of technology
• Generic risk management solutions
• Higher training costs due to limited resources

The Opportunity
Financial institutions should consider recruiting individuals and developing specialized
expertise in managing various operational risks.

To minimize human errors, financial institutions need to ensure continuous workforce
training, educate their employees about potential risks, and provide them with the necessary
tools and knowledge. This will also help identify and report risks promptly.

To achieve this effectively, financial institutions can consider digital learning and knowledge
management solutions to train their workforce and build hands-on execution capabilities
within a few weeks to months. This will also enable them to onboard new talent quickly.

III. Regulatory Changes and Compliance


The Challenge
Implementing Basel III and subsequent updates requires banks to adapt their operational
risk management frameworks continuously. This dynamic regulatory environment can strain
resources and divert attention from other strategic initiatives.

The Opportunity
Regulatory changes, while challenging, encourage banks to innovate and strengthen their
risk management practices.

Compliance can act as a catalyst for adopting more robust and sophisticated risk modeling
techniques.

Moreover, it can enhance the bank’s reputation among regulators, investors, and customers
as a prudent and secure institution. Engaging with regulatory bodies can also provide banks
with insights into best practices and emerging risks, positioning them to manage operational
risks more effectively.


Conclusion
Basel III is still evolving and will continue to reshape the banking industry, with full
implementation expected by 2025. It highlights where the focus lies in strengthening resilience
in the banking sector and enhancing risk management practices.

The quantitative approaches for operational risk management under the Basel III framework
offer various methodologies through which banks can determine the capital charge of
operational risk. From the simplest BIA to the most sophisticated AMA, each has its benefits
and limitations.

The choice of approach depends on the bank’s size, complexity, and the sophistication of its
risk management systems. In the end, it contributes to a sound risk management culture that
effectively addresses the risks arising on operational platforms in a manner that safeguards
the stability and integrity of the financial system.

References:
• https://thedocs.worldbank.org/en/doc/158291560353163648-0130022019/original/Session3IsBaselIIIEnoughMaureneA.SimmsDeputyGovernorBankofJamaica.pdf
• https://www2.deloitte.com/content/dam/Deloitte/us/Documents/finance/us-the-future-of-operational-risk-management.pdf
• https://www.bis.org/bcbs/publ/d355.htm
• https://www.bis.org/bcbs/publ/d355.pdf
1. https://www.bis.org/bcbs/implementation/rcap_reports.htm
2. https://www.bis.org/press/p240229.htm
3. https://managementstudyguide.com/loss-distribution-approach.htm

Operational Risk Modeling in Banking - White Paper
Issued by: Anaptyss Inc.
© Anaptyss 2024. All rights reserved

Anaptyss is a digital solutions and business services company based in Alpharetta, GA, USA. Its
mission is to enable realistic, measurable, and sustainable digital transformation in the BFS&I
industry.

The company serves a diverse clientele globally, comprising regional/super-regional banks,
community banks, FinTech players, crypto payment companies, insurance providers, and others.
It offers solutions to accelerate digital delivery and innovation in domains such as financial
crime and fraud prevention, enterprise risk management, deposit and payment services,
insurance, wealth and investment management, mortgage lending, etc.

Anaptyss Digital Knowledge Operations™ (DKO™) framework integrates deep-domain
consultative expertise, digital solutions, and operational talent, enabling the delivery of tailored
and scalable solutions with quality and cost-effectiveness.


The Impact of Inspections on Operational Risk:
Uncovering Learning and Forgetting Patterns
Zhanzhi Zheng, Yuqian Xu, Bradley Staats
Kenan-Flagler Business School · University of North Carolina at Chapel Hill

Abstract. Operational risk, one of the top three risks in financial services, has become a critical issue globally, with regulators
mandating stringent controls and inspections to prevent severe financial losses. However, despite significant regulatory and industry
efforts, to the best of our knowledge, no empirical research has examined how operational risk inspections affect employee performance.
To fill this gap, we collaborate with a large commercial bank to investigate the impact of inspections on employee behavior,
focusing on the dynamics of learning and forgetting. Our findings demonstrate the presence of individuals’ learning and forgetting
patterns, with the identification of risk events in the most recent inspection reinforcing learning and mitigating forgetting. Furthermore,
we explore the distinct roles of internal and external inspections, revealing that while both inspection types lead to learning,
forgetting is more likely to occur after external inspections. Finally, leveraging text mining techniques, we show that learning and
forgetting patterns are consistent across the three most common types of risk events (i.e., operation failure, verification failure, and
interest rate/maturity issues). However, the magnitude of these effects varies by risk category: Internal inspections are more effective
for routine operation and verification failures, whereas external inspections better address performance-seeking issues such as
interest rate/maturity. On a broader note, understanding these dynamics provides valuable insights for organizations to optimize
their inspection strategies, improve risk management practices, and sustain long-term performance improvements.

Key words: operational risk, inspection, learning and forgetting, empirical, operations-finance.

1. Introduction
Operational risk, as defined by the Basel II framework, refers to the risk of loss resulting from inadequate
or failed internal processes, people and systems or from external events. This category of risk covers a wide
range of incidents, from internal and external fraud to routine operational errors such as data-entry mistakes
and failures in mandatory reporting. Alongside credit and market risks, operational risk is now among the
top three risks faced by financial institutions (Barclays PLC 2014). The 2008 financial crisis highlighted
the critical need for robust operational risk management, as insufficient controls contributed to global financial
losses exceeding one trillion USD in the banking sector (Ashby 2010). Since then, operational risk
has drawn growing attention from regulators and financial institutions, prompting significant investments in
capital reserves, governance frameworks, and business inspection and monitoring plans to prevent similar
crises (Marrison 2005, Basel Committee on Banking Supervision 2011). Recognizing its significance, regulators
like the Basel Committee (see Basel Committee on Banking Supervision 2012) have mandated that
banks implement rigorous internal controls and inspection practices to mitigate potential operational losses.

Zheng, Xu, Staats: The Impact of Inspections on Operational Risk
2 Article submitted to

Given that operational risk has become a crucial managerial challenge for bank practitioners, it is gaining
increased attention in finance and financial engineering literature, with most studies focusing on quantifying
its impact and modeling risk exposure (Cruz 2002, Brown et al. 2008, Jarrow 2008, Basak and Buffa
2019). However, despite its strong connection to operations management (OM), research addressing operational
risk within the OM field remains limited (see Xu et al. 2017, for an overview), with empirical studies
on this topic being particularly scarce (see Hora and Klassen 2013 and Xu et al. 2022). To bridge this
gap, our study aims to provide empirical insights into operational risk management, specifically examining
the impact of operational risk inspections. It is important to note that, although various approaches have
been proposed and implemented in practice to mitigate operational risk (see Xu et al. 2017), operational
risk inspections are mandatory for financial institutions under the Basel Committee’s regulation requirements
(see Basel Committee on Banking Supervision 2012). Therefore, banks are required to conduct these
inspections regardless of the other risk management practices employed, highlighting the crucial role of
operational risk inspections.
However, despite the importance of operational risk management and inspections, to our knowledge, only
Kim and Xu (2024) have examined the design of inspection policies for managing operational risk. No
empirical studies have yet investigated the impact of operational risk inspections on individual employee
responses in the banking sector. Moreover, most prior research on inspection modeling has primarily
focused on how inspection timing and uncertainties influence employee effort (see Kim and Xu 2024), leaving
a critical gap in understanding the more nuanced individual behavioral dynamics triggered by inspections.
Research on people-centric operations highlights that employees are dynamic agents whose skills and
performance change over time through learning, forgetting, and other behavioral shifts (Roels and Staats
2021). This idea suggests that employees’ responses to operational risk inspections may not be static but
shift over time, with learning and forgetting processes potentially playing crucial roles. Understanding these
evolving patterns is essential for designing more informed inspection strategies that foster continuous learning
and mitigate operational risk. As a result, further empirical research is important to uncover the nuanced
individual behavioral dynamics that emerge in response to operational risk inspections.
This discussion gives rise to our first key research question: Do employees exhibit learning and forgetting
patterns following inspections? (Q1a) If these patterns exist, a critical follow-up question is: How
does being identified for committing risk events during the last inspection influence these dynamics? (Q1b)
In particular, each inspection may identify certain employees as responsible for risk events, triggering
divergent behavioral responses. For example, identified employees may become more vigilant, internalizing
feedback to improve performance and reduce future errors. This enhanced awareness could possibly
improve learning and reduce forgetting. Conversely, the pressure of being caught and accountable for the
risk event may hurt employees’ confidence and focus, leading to a sense of embarrassment and discouragement.
This negative experience could impair cognitive functioning, making it harder for employees to
internalize lessons and retain critical information. As a result, learning may be disrupted, forgetting may
accelerate, and identified employees may become more prone to future mistakes. Taken together, it is crucial
to understand how the effects of inspections vary based on whether employees are identified as committing
risk events. By investigating these dynamics, we aim to shed light on how different inspection outcomes
influence future performance.
Furthermore, organizations typically employ two primary inspection types for operational risk events–
internal and external inspections–each with distinct implications for operational risk management (Basel
Committee on Banking Supervision 2011). Internal inspections are carried out by managers within the
branch who possess in-depth knowledge of internal processes, culture, and structure. Their proximity to
daily operations enables them to provide tailored guidance and oversight, fostering continuous improvement.
However, this familiarity may also introduce emotional attachment and limit their ability to recognize
blind spots. In contrast, external inspections, conducted by managers from other branches or the bank
headquarters’ audit team, offer fresher perspectives, as external inspectors are less embedded in the organization’s
daily operations. This detachment enables them to identify structural inefficiencies and risks that
internal teams might overlook (Power 1997). Nevertheless, this detachment may simultaneously intensify
forgetting effects due to the infrequent involvement of external inspectors and their limited direct influence
over employees’ career progression. As a result, internal and external inspections are likely to exhibit different
learning and forgetting patterns, an area largely unexplored in prior research. Our second main research
question then is: How does the impact of internal and external inspections differ in employees’ learning and
forgetting outcomes? (Q2) Additionally, it is essential to examine how organizational characteristics, such
as geographical location, manager experience, and branch customer traffic, moderate the learning and forgetting
patterns within each inspection type. Understanding these relationships could offer valuable insights
into how organizations can optimize their inspection strategies to enhance their risk management practices
and sustain performance improvements over time.
Finally, one unique feature of operational risk events is their broad range of event categories, distinguishing
operational risk inspections from other types of inspections, such as environmental inspections.
Operational risk events could differ significantly in their cognitive demands and complexity, which results
in different employee behavioral responses. For instance, routine tasks with straightforward procedures may
generate stronger learning effects, while events that require more complex cognitive processes might be
more prone to forgetting over time. These differences raise an important question: Are the effects of learning
and forgetting consistent across different types of risk events, and how does their magnitude vary? (Q3)
Additionally, the nature of the risk event might influence the effectiveness of internal versus external inspections.
Internal inspectors, with their close involvement in daily operations, may provide more actionable
oversight for routine tasks. However, for events associated with performance-seeking behaviors, external
inspectors may be more effective, as their detachment from the branch’s incentive structure provides a more
objective perspective. Thus, investigating how learning and forgetting patterns might differ across risk types
provides critical guidance for designing tailored inspection policies.
To address these research questions, we collaborated with a large commercial bank in China and obtained
a unique dataset on its operational risk events and inspection practices. The dataset includes 2,389 operational
risk events recorded between January 1, 2014, and April 30, 2015. Starting from January 1, 2014,
our collaborator bank introduced two inspection approaches following the Basel Committee on Banking
Supervision (2012): internal and external inspections, as discussed earlier. Therefore, one unique advantage
of our dataset is that it covers the period from the beginning of the launch of these two inspection
approaches, reducing the concern of data-censoring issues. Another key advantage of our dataset is that
inspections are conducted randomly at the branch level, following instructions from the bank’s headquarters.
As highlighted by Kim and Xu (2024), random inspections are widely adopted in operational risk management
practices because of their surprise effects on branch employees. In our setting, this randomization
ensures that both the timing and intensity of inspections are independent of branch-specific characteristics.
As a result, employees are unaware of when or how inspections will occur, effectively mitigating potential
endogeneity concerns, such as self-selection bias.
Using this dataset, our paper provides the first empirical evidence of the impact of inspections on operational
risk in the banking sector, uncovering critical individual behavioral patterns. Our results and contributions
can be summarized as follows:
First, our findings reveal that repeated inspections reduce the likelihood of mistakes, indicating the presence
of learning effects.¹ In contrast, as time passes since the last inspection, employees are more likely
to commit mistakes, providing evidence of forgetting effects. Additionally, when employees are identified
as having made mistakes in the most recent inspection, the resulting feedback reinforces learning and mitigates
forgetting. These findings demonstrate that employees’ responses to inspections evolve, highlighting
the importance of inspection frequency and the time interval between inspections.
Second, we further contribute by examining the distinct roles of internal and external inspections and
how they interact with branch-specific characteristics. Our analysis shows that, while learning effects are
consistent across both inspection types, forgetting is more likely to occur after external inspections than
internal ones. Moreover, the impact of being identified for mistakes in the most recent inspection varies
by inspection type: In internal inspections, identification tends to reduce forgetting, whereas in external
inspections, it enhances learning. In addition, branch characteristics further shape the effectiveness of each
inspection type. Internal inspections are more effective at branches farther from headquarters, managed
by experienced managers, or with lower in-person visit traffic, whereas external inspections work better
under the opposite conditions. These findings provide practical insights into how inspection strategies can
be tailored based on branch-specific characteristics to improve operational risk management.
¹ Note that throughout the paper, we use the terms mistakes, errors, and operational risk interchangeably.

Finally, our study also advances the literature by exploring how inspection impacts vary across different
categories of risk events. Using text mining, we classify risk events into ten categories, with a particular
focus on the top three types (i.e., operation failure, verification failure, and interest rate/maturity issues),
which constitute about 75% of total events. We find consistent learning and forgetting patterns across these
three categories, with the strongest learning effects observed for operation failure involving routine tasks.
Internal inspections are particularly effective for addressing operation and verification failure closely tied
to employees’ daily responsibilities, while external inspections are better suited for managing issues such
as interest rate or maturity, which involve performance-seeking behaviors. These findings emphasize the
importance of matching inspection types to the nature of risk events, leading to more informed inspection
policies.

2. Literature Review
This study is closely related to three streams of OM literature: (i) operational risk in financial services, (ii)
effects of inspections, and (iii) learning and forgetting effects.

2.1. Operational Risk in Financial Services


To start with, we contribute to the emerging literature on operational risk in the financial sector. As operational
risk gains increasing attention among banking practitioners, it has also drawn growing interest in
finance and financial engineering research. Much of the existing work focuses on measuring its impact and
modeling risk exposure (e.g., Cruz 2002, Brown et al. 2008, Jarrow 2008, Basak and Buffa 2019). However,
despite its clear connection to OM, research on operational risk within the OM field remains relatively
limited (see Xu et al. 2017, for an overview). Among the few OM studies on this topic, Xu et al. (2020)
introduce a general stochastic control framework that integrates resource allocation decisions aimed at minimizing
operational risk losses. Expanding on this work, Kim and Xu (2024) is the first to investigate the
design of optimal inspection policies to reduce operational risk losses. Our research is closely related to
Kim and Xu (2024) because of the focus on operational risk inspection strategies. Extending their work,
we empirically analyze the effects of operational risk inspections on bank employee behavior. As such, our
research is one of the few empirical studies in this area. To the best of our knowledge, most previous OM
papers in this stream centered on operational risk modeling, with only Hora and Klassen (2013) and Xu et al.
(2022) addressing this topic from an empirical standpoint. Specifically, Hora and Klassen (2013) examine
how perceived operational similarity and market leadership influence managers’ acquisition of knowledge
to reduce operational risk, and Xu et al. (2022) investigate the relationship between employee workload and
the occurrence of operational risk events.
Our study contributes to this line of research by analyzing the impact of operational risk inspections on the
individual learning and forgetting behaviors of bank employees–an area previously unexplored. Additionally,
we apply text-mining techniques to classify operational risk events into different categories and analyze
whether the effects of inspections vary across event types, tailored to the specific context of operational
risk. These insights advance the understanding of operational risk dynamics and support the development
of more informed risk inspection strategies.

2.2. Effects of Inspections


Our study is also related to research examining the role of inspections in operations (Wu and Babich 2012,
Kim 2015, Plambeck and Taylor 2016, Chen and Lee 2017, Kim and Xu 2024). Much of the earlier research
in this area primarily focuses on the modeling and design of optimal inspection policies across different
industry contexts. To the best of our knowledge, only a few recent operations studies have empirically
investigated the effects of inspection policies. For example, Ball et al. (2017) focus on the impact of plant
inspection outcomes on the probability of a future recall. From the organizational learning perspective, Mani
and Muthulingam (2019) examine how both firms’ own inspection experiences and those of other firms
influence their environmental performance. Ibanez and Toffel (2020) investigate how inspector scheduling
introduces biases that can reduce the effectiveness of inspections by affecting their stringency. Additionally,
a few working papers focus on inspections in the healthcare context. Wu and Wang (2024) demonstrate that
frequent inspections reduce quality issues such as adverse event and recall rates, and Wang et al. (2024) find
that the most unfavorable inspection outcome from the Food and Drug Administration (FDA) inspection
reduces future drug shortage risks. Moreover, Lin et al. (2024) document the negative effects of inspection
delays on the nursing home quality. Collectively, these studies highlight the need for a more comprehensive
understanding of inspections and more effective policy design.
In addition, research in economics and accounting has also investigated the effects of inspections or
audits, though with particular attention to areas such as sustainability (Jin and Leslie 2003, Earnhart and
Segerson 2012, Duflo et al. 2018) and auditor characteristics or reporting behaviors (Choudhary et al. 2019,
Bhaskar 2020, Fuller et al. 2021). For instance, Jin and Leslie (2003) explore the impact of hygiene quality
grade cards on restaurant health inspection scores, and Fuller et al. (2021) study how auditors’ reporting
choice influence their reporting quality. Unlike these studies, our research focuses on the effects of inspections
on operational risk in the financial industry, with a specific focus on employees’ learning and forgetting
behaviors.
Therefore, our study contributes to this stream of research by providing the first empirical evidence on
how inspections influence operational risk through individual learning and forgetting behaviors. Moreover,
we examine the distinct roles of internal and external inspections and how their effectiveness varies with
branch-specific characteristics, a topic not previously explored in the inspection literature.

2.3. Learning and Forgetting Effects


The concept of learning curves, or learning effects, has been widely studied in academic research for
decades, tracing back to Wright (1936). For a thorough review of early studies in this area, please refer
to Lapré et al. (2011). Much of the earlier research focuses on learning at the organization or team level,
emphasizing how collective knowledge, standardized procedures, and shared experience within a team or
organization drive improvements in efficiency and performance (e.g., Wright (1936), Lapré and Tsikriktsis
(2006), Huckman et al. (2009), Lapré et al. (2011), Tan and Netessine (2019), Akşin et al. (2021), and
Kim et al. (2023)). In recent years, more academic attention has shifted toward individual-level learning,
which examines how personal skills, knowledge, and performance improve through repetition, feedback,
and experience (e.g., Reagans et al. (2005), Huckman and Pisano (2006), Narayanan et al. (2009), Kc and
Staats (2012), Kc et al. (2013), Ibanez et al. (2018), Batt and Gallino (2019), Ramdas et al. (2018), Bavafa
and Jónasson (2021), and Lapré and Cravey (2022)). On the contrary, forgetting effects, defined as the erosion
of skills or knowledge over time, have received significantly less attention in the literature compared
to learning effects (Bailey 1989, Argote et al. 1990). Most studies on forgetting effects focus on the organizational
level (Boone et al. 2008, Agrawal and Muthulingam 2015, Agrawal et al. 2020), with only Ramdas
et al. (2018) examining such effects at the individual level.
Taken together, our research aligns more closely with the individual-focused stream by investigating the
learning and forgetting effects from the perspective of employees. While Ramdas et al. (2018) focus on
surgeons’ use of specific devices in the healthcare context, our study uncovers the learning and forgetting
patterns following operational risk inspections in the banking sector. Furthermore, we extend the literature
by exploring the differentiated learning and forgetting dynamics between internal and external inspections,
an area that has not yet been addressed in prior research. Lastly, by using text mining to classify risk events,
we further assess whether learning and forgetting patterns differ across event categories, specifically tailored
to the context of operational risk.

3. Context and Theory Development


In this section, we introduce the context of our study by describing the operations of retail banking branches,
outlining the bank’s inspection policy, and explaining operational risk events. Drawing on insights from
the literature reviewed earlier and contextual knowledge, we then establish the theoretical basis for our
hypotheses.

3.1. Retail Banking Branch


Our study focuses on retail banking branches of a city commercial bank in China, part of the third-largest
tier within the country’s banking sector (KPMG 2007). The bank branch in this study operates at the most
basic level within the hierarchy of Chinese commercial banks, akin to a credit union branch in the United
States. Its services are limited to basic personal and business banking functions, mainly involving deposits,
savings, loan processing, and the sale of asset-management products.
The branch employees consist of two primary roles: managers and tellers. Branch managers oversee the
overall performance of the branch, with a focus on both revenue management and risk control. Tellers,
who are the focus of our study, perform front-line duties. Throughout their shifts, they serve customers
from behind a glass partition, calling the next customer in line by pressing a button. Their responsibilities
begin with verifying customer identities before processing service requests. The most common services they
provide include handling deposits and withdrawals. Moreover, tellers also issue cashier’s checks, process
fund transfers, sell asset-management products, and manage personal loan applications. At the end of their
shifts, they need to reconcile daily transactions and securely store stamps and blank checks.

3.2. Bank’s Inspection Policy


In line with Basel guidelines, financial firms are required to carry out thorough inspections to manage operational
risk effectively, following the principles outlined by the Basel Committee on Banking Supervision
(2012). In this subsection, we explain the two new inspection approaches introduced by the focal bank in
response to the Basel guidelines on January 1, 2014. The first is internal inspections, where branch managers
inspect their own employees. The second is external inspections, conducted by managers from other
branches or the bank headquarters’ audit team, where external managers inspect the branch employees.² It is
worth noting that we also conduct a robustness check by excluding inspections conducted by the headquarters’
audit team from the definition of external inspections in Section 5.4.3 and the results remain highly
consistent. During inspections, inspectors examine each transaction to ensure compliance with regulatory
protocols, checking for errors such as missing or incorrect information, mismatches, and procedural violations.
They are expected to perform these inspections thoroughly across all areas to identify operational risk
issues, as failing to detect such events could lead to substantial losses and serious consequences.
Our dataset and inspection context present two unique advantages. First, we collect our dataset from the
launch date of these two new inspection approaches. This allows us to identify the first instance of each
branch being inspected under the new inspection types. As a result, our dataset is largely free from the issue
of data censoring. Second, all inspections are conducted randomly at the branch level, ensuring both the
timing and intensity of inspections are independent of branch-specific characteristics. Therefore, employees
are unaware of when or how these inspections will take place. This random assignment helps us avoid
endogeneity concerns, such as self-selection bias.

3.3. Operational Risk Events


We now proceed to explain operational risk events in our context. As outlined by Bank for International
Settlements (June 2011), Basel II defines seven types of operational risk events, which are summarized
in Table A.1 in the Appendix (see more details in Olson and Wu (2007), pp. 27–28). It is evident from
Table A.1 that although high-profile operational risk events involving external or internal fraud, such as the
London Whale incident (Hurtado 2015), frequently capture media attention, most operational risk events
stem from inadvertent routine errors during daily operations. Specifically, 68.43% fall under the category of
clients, products, and business practices, while 18.24% relate to execution, delivery, and process management,
as shown in Table A.1 in the Appendix.

² To our knowledge, there is no fixed practice of one branch regularly inspecting another. Instead, the decision on which branch
inspects another is randomly determined by the bank’s headquarters, following the practice of random inspections.

Our study then focuses on this predominant category of routine and day-to-day errors as the operational
risk events of interest, where employee learning and forgetting behaviors play crucial roles. A well-known
example of such errors occurred at JPMorgan, where spreadsheet miscalculations by the investment portfolio
team led to significant financial losses (JPMorgan Chase & Co. 2013). In particular, the team made a
mistake in their model by incorrectly applying a sum function instead of an average, resulting in a significant
underestimation of the portfolio’s risk exposure. This seemingly minor copy-and-paste error led to a
trading loss of approximately six billion dollars. Our dataset contains similar routine operational risk events.
For instance, one employee issued a business loan of one million RMB to a company, applying an incorrect
interest rate of 3.38% instead of the correct 9.38%. Another example is that an employee failed to verify
a deposit certificate linked to re-deposited funds. In general, these operational risk events are associated
with process conformance (Ton and Huckman 2008) and have the potential to lead to significant financial
losses for the bank, either immediate or long-run. Both cases highlight the critical importance of effectively
managing and mitigating operational risk. In Section 6, we provide additional examples of operational risk
events from our dataset as part of the discussion on risk event classification using text mining.

3.4. Theory Development


3.4.1. Learning and Forgetting Effects. First, we explore the learning effects that occur as
employees accumulate inspection experiences. Inspections provide a systematic approach to identifying
errors and uncovering their root causes (Ball et al. 2017). As the number of inspections increases, employees
receive more feedback on areas where risks might arise and where process standards may have been
violated. As employees become more aware of potential issues within specific operational processes, they
are better positioned to identify solutions and implement corrective actions to address mistakes and improve
the related process. In addition to detecting errors, inspections could also identify operational processes that
are being executed both correctly and incorrectly. By analyzing these processes, inspections help validate
whether the steps taken comply with regulations and operational standards (Mani and Muthulingam 2019).
This validation might provide employees with a clearer understanding of why certain processes are effective,
enabling them to refine their practices and promote continuous improvement. As such, more frequent
inspections act as a driver for learning, reducing the likelihood of future mistakes.
Furthermore, the accumulation of inspections may serve as a powerful external stimulus, which fosters
continuous learning effects. Each inspection acts as a reminder of the importance of following proper
procedures and maintaining operational protocols. This process emphasizes the need for vigilance and precision
in task execution. As the number of inspections increases, employees are repeatedly reminded of
compliance expectations and procedural guidelines, making them more likely to internalize these standards
and incorporate such practices into their daily routines. Over time, adherence to correct protocols becomes
more automatic, transforming vigilance into habitual behavior (Beshears et al. 2021), thereby reducing the
chances of errors. Combining both, we propose the following hypothesis:
Hypothesis 1 (Learning Effects). With the accumulation of inspections, employees become less likely to
make mistakes.
Next, we discuss the potential forgetting effects that may occur following the last inspection. As time
passes after the last inspection, the likelihood of knowledge depreciation increases, raising the probability
of errors. Knowledge depreciation refers to the gradual decline in employees’ expertise and understanding
when not consistently reinforced and recalled (Bailey 1989). Procedural knowledge is particularly prone
to decay (Cohen and Bacdayan 1994), as it often involves habitual tasks that become automatic over time
but are not regularly brought into conscious focus. Therefore, the concept of knowledge depreciation is
especially relevant in settings where employees must adhere to complex procedures to mitigate errors (Ramdas
et al. 2018), such as managing operational risks. This means that over time, the procedural memory
associated with correct behaviors may decay before the next inspection, leading employees to forget critical
knowledge related to risk management practices (Anand et al. 2012). The longer the interval between
inspections, the more likely employees are to commit errors due to the erosion of detailed knowledge.
As time passes since the last inspection, employees’ vigilance in adhering to procedures may also decline,
which increases the likelihood of mistakes. This decline in vigilance could be attributed to the tendency
of individuals to adjust their behaviors based on perceived oversight and the probability of risk detection
(Slovic 1992). Immediately after an inspection, employees are likely to feel a heightened awareness of non-compliance
being identified, as the recent presence of inspectors serves as a clear reminder of potential
oversight and the consequences of being caught for errors. The proximity of inspections reinforces the
perception that managers are actively monitoring performance, prompting employees to follow procedures
more closely. However, as more time elapses since the last inspection, the perceived likelihood of detection
may decrease. With the memory of the inspection fading and a lack of immediate oversight, employees may
develop a false sense of security (Froehle and White 2014). In the absence of recent inspections signaling
continued monitoring, employees might assume a lower risk of being caught for mistakes, leading to a
decline in procedural vigilance. As a result, the probability of errors increases. Taken together, we propose
the following hypothesis:
Hypothesis 2 (Forgetting Effects). As time passes since the last inspection, the likelihood of employees
making mistakes increases.

3.4.2. Moderating Effects of Being Identified for Mistakes. Compared to situations where no
mistakes are detected, when errors are identified during an inspection, the provided feedback is often more
specific and actionable, offering greater opportunities for effective learning. Employees identified for errors
typically receive more specific and focused feedback that clearly points out where their operational procedures
failed to meet expectations (Madsen and Desai 2010). This focused identification of deficiencies
provides a direct prompt for corrective actions, giving employees a concrete understanding of what went
wrong and how to address it (Kc et al. 2013). As a result, the learning process from these inspections
becomes more effective. In contrast, when no mistakes are found, the feedback tends to be more general,
lacking the urgency and specificity that follow error detection. Consequently, employees may view such
inspections as routine formalities, resulting in a less meaningful learning experience.
Furthermore, identifying mistakes could enhance motivation to learn from inspections by fostering a
sense of accountability. Research indicates that individuals who become explicitly aware of their mistakes
might be more motivated to improve, driven by a desire to avoid repeating mistakes and to demonstrate
competence (Edmondson 1999). Thus, employees identified as having made mistakes in the most recent
inspection may feel a greater responsibility to correct their actions in the future, motivated by both an
awareness of past mistakes and a commitment to improvement. This sense of accountability strengthens
their incentive to engage in the learning process and apply the feedback they receive. Combining these
arguments, we hypothesize:
Hypothesis 3. When employees are identified for mistakes in the most recent inspection, learning effects
are strengthened.
Being identified for mistakes may increase risk aversion and promote vigilance in adhering to procedures,
thereby reducing the forgetting effects and likelihood of future errors. Mistakes often lead to personal
and professional costs, such as reputational damage and loss of trust from supervisors. Behavioral economics
research on loss aversion suggests that individuals are generally more motivated to avoid losses
(e.g., mistakes) than to seek gains (Kahneman and Tversky 2013). Therefore, employees identified for errors
during the most recent inspection may view future errors as greater losses, amplifying the potential negative
consequences. This perception encourages greater caution and focus in performing tasks, which not only
counteracts the natural tendency to forget over time but also reinforces adherence to established protocols.
The identification of mistakes could trigger psychological responses in employees, often involving discomfort,
embarrassment, and even guilt (Miller 1986, Avgerinos et al. 2020), which helps mitigate the
forgetting effects. These emotions may make the memory of the inspection and the associated mistakes
more meaningful and lasting, which enhances the salience of corrective feedback and helps counteract the
typical decay of procedural knowledge over time (Stemn et al. 2018). As a result, this emotional significance
of past mistakes motivates employees to take corrective actions and put in extra effort to avoid repeating
similar errors. Even as time passes since the last inspection, the likelihood of future mistakes decreases,
reducing the impact of time-related forgetting. Taken together, we hypothesize:
Hypothesis 4. When employees are identified for mistakes in the most recent inspection, forgetting effects
are reduced.

3.4.3. Effects of Internal and External Inspections. Internal inspections, carried out by the organization’s
internal management team, differ in several key ways from external inspections, which are conducted
by individuals outside the organization. These differences, discussed in detail below, lead us to
propose that external inspections are more likely than internal ones to promote learning effects.
First, external inspectors are more likely to maintain emotional detachment compared to internal ones,
which might strengthen learning effects. In external inspections, inspectors typically do not have direct
personal interactions with the employees they evaluate. This detachment fosters a sense of distance and
formality, prompting employees to take the feedback more seriously and view it as a valuable opportunity
for skill development and performance improvement (Pitkänen and Lukka 2011). As a result, employees are
likely to pay closer attention and engage more actively with feedback from external inspectors. In contrast,
feedback from internal inspectors may be seen as routine and predictable due to familiar and ongoing
relationships. This familiarity could diminish the perceived urgency and importance of the feedback, leading
employees to downplay it (Ramachandran et al. 2017). Thus, employees may demonstrate stronger learning
commitment in response to external inspections than internal ones.
Second, external inspections may serve as a valuable channel for cross-organizational knowledge transfer,
which enhances learning effects. External inspectors could bring diverse experiences and knowledge
from different operational contexts, offering a fresh perspective on processes. This allows them to introduce
useful methodologies, tools, and best practices identified in other organizations to the ones under inspection.
By sharing these insights, external inspectors help bridge gaps in local expertise and encourage employees
to reevaluate and improve their procedures, thereby improving problem-solving capabilities and stimulating
learning (Di Stefano et al. 2014). In contrast, internal inspections tend to be narrower in scope, relying primarily
on the knowledge and experience already present within the organization. This dependence on internal
knowledge limits exposure to new ideas and approaches from outside, reinforcing established routines
and potentially fostering complacency. Without fresh perspectives to challenge established assumptions and
introduce new methods, the employee’s ability to learn and adapt may be constrained. As a result, the opportunity
for meaningful improvements diminishes, limiting the development of more effective solutions for
managing operational risks. Combining these, we hypothesize:
Hypothesis 5. Learning effects are more likely to occur after external inspections compared to after
internal inspections.
While external inspections might offer greater learning opportunities through emotional detachment and
cross-organizational knowledge transfer, they may also be more prone to forgetting effects compared to
internal inspections. First, the proximity and familiarity between internal managers and employees may
reduce the likelihood of forgetting. Internal inspections are conducted by managers who are deeply involved
with employees’ daily operations and interact with them regularly. This frequent contact could be both
formal and informal reinforcement of the procedures highlighted during previous inspections, acting as
continuous reminders that prevent the natural erosion of knowledge over time and help maintain proper
practices (Calzolari and Nardotto 2017).
In contrast, external inspections, typically conducted by different outside inspectors each time, might be
less effective in preventing knowledge decay. These inspections tend to be sporadic, functioning as isolated
events, which creates a sense of transience. Without consistent follow-up, employees are more likely to
revert to previous routines once external inspectors depart, as they do not receive the sustained reinforcement
needed to retain procedural knowledge and maintain vigilance. As a result, forgetting effects are more likely
to occur following external inspections, with employees gradually forgetting critical practices and becoming
less vigilant in adhering to procedures over time.
Furthermore, the power dynamics between employees and inspectors are another important factor. Internal
managers have direct influence over employees’ careers, including decisions related to promotions and
performance evaluations. This authority could create sustained psychological pressure that extends beyond
the inspection itself (Magee and Galinsky 2008), motivating employees to maintain vigilance and retain
the knowledge required for appropriate task performance. Unlike external inspections, this ongoing influence
encourages employees to adhere to proper procedures beyond the inspection period, as they remain
conscious of the long-term impact such compliance may have on their professional growth.
On the contrary, external inspectors often lack direct authority over employees’ career advancement and
job opportunities. Although external inspectors may report their findings to upper management, employees
are likely to perceive these inspections as less personally consequential. As a result, employees may not feel
the same pressure to retain the knowledge learned from external inspections. Once the external inspection
ends, the sense of urgency to maintain vigilance may diminish, leading to a gradual decline in procedural
knowledge and an increased risk of errors over time. Taken together, we hypothesize:
Hypothesis 6. Forgetting effects are more likely to occur after external inspections compared to after
internal inspections.

4. Data and Estimation


Our dataset contains 19 branches from a large city commercial bank in Jiangsu Province, which consistently
ranks second among all provinces in China in terms of Gross Domestic Product (GDP).³ As outlined in
Section 3.2, our collaborator bank introduced two new inspection approaches on January 1, 2014, aimed
at improving the identification of operational risk events in response to the Basel guidelines. Our dataset
consists of detailed information on inspection practices and 2,389 risk events observed over 16 months from
January 1, 2014, to April 30, 2015. It also includes information on branch characteristics and employee
demographics.

³ Note that the dataset used in this study is different from that of Xu et al. (2022), which was obtained from another bank and does
not include detailed inspection information.

Specifically, the data for inspection practices and operational risk events includes the following: the name
of the employee responsible for the risk event, the branch affiliation of the employee, the date the event
occurred, a textual description of the event, the name and branch of the manager who conducted the inspection
and identified the event, the inspection date, and the type of the inspection (i.e., internal or external).
Additionally, the branch characteristics include key operational metrics, such as the monthly number of
deposits and withdrawals, the number of in-person customer visits, the volume of online transactions processed
via the digital banking platform, the branch address, and its distance from the bank headquarters.
Employee demographic data includes education level, industry working experience, and the specific branch
where each employee works.
In this study, we conduct employee-level daily analysis leveraging the unique advantages of our dataset.
First, our dataset records the exact occurrence and inspection discovery dates for each operational risk event.
Therefore, compared to the weekly or monthly level inspection data, this daily level granularity enhances
the accuracy of our empirical analysis, allowing for more detailed insights into event patterns and their
temporal dynamics. Second, our dataset identifies the specific employee associated with each risk event,
enabling an analysis at the individual level. By including individual fixed effects, this approach controls for
employee-specific abilities and unobserved heterogeneity, such as work ethic and personal risk tolerance,
thereby improving the robustness and reliability of our findings.

4.1. Dependent Variables: Risk Measures


This section introduces the operational risk performance measures used as dependent variables in our empirical
analysis. To start with, we employ a binary variable, $\text{If Error}_{i,g,t}$, as a key performance indicator of
operational risk losses, following established practices in risk modeling (Cruz 2002). A value of 1 indicates
that employee i in branch g committed at least one operational risk event on date t, while a value of 0 indicates
that employee i did not commit any mistakes on that date. Besides the binary performance measure,
we also consider an alternative dependent variable, $\text{Num Errors}_{i,g,t}$, which measures the number of errors
committed by employee i in branch g on date t. Later in our regression analysis, we apply a logarithmic
transformation to this variable to address the potential right-skewness in the data distribution and stabilize
the variance. One advantage of our dataset is that it captures not only the error detection date, which corresponds
to the inspection date, but also the actual occurrence date of each error. To more accurately reflect the
timing of operational risk events, we rely on the occurrence date when calculating these two risk measures.
It is also worth noting that employees in our sample remain in the same branch throughout our observation
period.

4.2. Independent Variables


In this section, we introduce the key measures used to capture the learning and forgetting effects following
inspections and outline the control variables included in our analysis. Table 1 presents the summary statistics
for the key variables used in our analysis, based on our data from a total of 586 employees across 19
branches in Jiangsu province at a daily level.
To start with, we define $\text{Sum Inspect}_{i,g,t}$ as the cumulative number of inspections conducted up to
date t for branch g, where employee i works, within our observation period. This variable enables us to
assess the learning effects associated with the accumulation of inspections over time. Next, we construct
the variable $\text{Dates after Inspect}_{i,g,t}$ by calculating the number of calendar days since the most recent
inspection for branch g. This variable allows us to estimate the forgetting effects following the most recent
inspection (Ramdas et al. 2018). As part of our robustness checks, we apply a logarithmic transformation
to this variable in Section 5.4.2, and the results are highly consistent. Note that in our analysis, we
drop the observations prior to each branch’s first inspection to ensure accurate computation of learning-
and forgetting-related measures after inspections. Although the two new inspection types were introduced
at the beginning of the study period, our collaborator bank uses a random inspection approach, meaning
the inspection time is randomly assigned. Consequently, the initial inspection occurred on different dates
across branches, with timing varying randomly by location. This variability results in an unbalanced panel
after removing observations preceding the initial inspection for each branch. Additionally, when estimating
the effects of internal and external inspections on operational risk events, we further divide these two
independent variables $\text{Sum Inspect}_{i,g,t}$ and $\text{Dates after Inspect}_{i,g,t}$ into four distinct variables based
on internal and external inspections, following the framework outlined in Section 4.3.
In addition to the measures for learning and forgetting effects, we include control variables associated
with branch workload, as prior research has demonstrated that workload affects operational risk events (see
Xu et al. 2022). The first variable, In Person Visits, captures the monthly number of customers visiting
the branch in person, and the second, Num Tran, refers to the monthly number of deposits and withdrawals
handled by branch employees. We use both to measure the branch’s offline workload, while the third control
variable, Digital Tran, reflects the monthly number of transactions processed through the branch’s digital
banking platform.

4.3. Model Specifications


This section presents the details of our econometric estimation. As mentioned earlier, our analysis is conducted
at the employee-date level to take advantage of both daily and individual-level granularity.
We begin by specifying the following fixed-effects model to explore the effects of inspections on operational
risk:

$$
\text{If Error}_{i,g,t} = \beta_0 + \beta_1\,\text{Sum Inspect}_{i,g,t} + \beta_2\,\text{Dates after Inspect}_{i,g,t} + X_{i,g,t} + \text{DateFE}_t + \text{EmployeeFE}_i + \epsilon_{i,g,t}, \tag{1}
$$

where $\text{If Error}_{i,g,t}$ is a binary variable set to 1 if employee i in branch g committed at least one operational
risk event on date t, as defined in Section 4.1, and 0 otherwise. We also use an alternative dependent
variable, $\log(\text{Num Errors}_{i,g,t})$, which measures the number of errors, as a robustness check. Following
the definitions in Section 4.2, we focus on our key inspection-related learning and forgetting variables:
$\text{Sum Inspect}_{i,g,t}$ and $\text{Dates after Inspect}_{i,g,t}$. Specifically, $\beta_1$ reflects the impact from past cumulative
inspections (i.e., learning effects), while $\beta_2$ captures the effect of time elapsed since the last inspection (i.e.,
forgetting effects). By estimating $\beta_1$ and $\beta_2$, we seek to test Hypotheses 1 and 2. Recall that inspections are
conducted randomly at the branch level, following instructions from the bank’s headquarters. This randomization
ensures that employees are unaware of when or how inspections will occur, effectively mitigating
potential endogeneity concerns in estimating $\beta_1$ and $\beta_2$.

Table 1 Summary Statistics of Key Variables

| Variables | Mean | Standard Deviation | 5% | 25% | 50% | 75% | 95% |
|---|---|---|---|---|---|---|---|
| Panel A: Main Analysis | | | | | | | |
| If Error | 0.007 | 0.084 | 0 | 0 | 0 | 0 | 0 |
| Num Errors | 0.009 | 0.126 | 0 | 0 | 0 | 0 | 0 |
| Sum Inspect | 17.204 | 11.598 | 1 | 9 | 15 | 22 | 41 |
| Dates after Inspect | 23.014 | 25.482 | 1 | 6 | 15 | 30 | 80 |
| If Ident Errors | 0.071 | 0.257 | 0 | 0 | 0 | 0 | 1 |
| In Person Visits | 39363 | 25401 | 10623 | 19776 | 30291 | 52583 | 90341 |
| Digital Tran | 23726 | 19060 | 4036 | 7588 | 17656 | 35414 | 63429 |
| Num Tran | 155976 | 105221 | 52949 | 91239 | 123029 | 190829 | 458914 |
| Panel B: Two Inspection Types | | | | | | | |
| Sum Int Inspect | 9.569 | 10.114 | 0 | 2 | 7 | 14 | 31 |
| Dates after Int Inspect | 72.288 | 94.337 | 2 | 11 | 29 | 98 | 301 |
| Sum Ext Inspect | 8.569 | 4.697 | 1 | 5 | 9 | 12 | 17 |
| Dates after Ext Inspect | 37.535 | 32.649 | 2 | 13 | 29 | 53 | 103 |
| If Int Ident Errors | 0.074 | 0.262 | 0 | 0 | 0 | 0 | 1 |
| If Ext Ident Errors | 0.057 | 0.231 | 0 | 0 | 0 | 0 | 1 |

The vector $X_{i,g,t}$ contains control variables In Person Visits, Num Tran, and Digital Tran discussed
in Section 4.2, primarily related to branch workload. In addition, we introduce the date fixed effects
denoted as $\text{DateFE}_t$ to capture any time-specific patterns, such as seasonal trends that could affect risk
events. Furthermore, we include the employee fixed effects denoted as $\text{EmployeeFE}_i$ to account for time-invariant
employee characteristics that may affect the likelihood of operational risk events. In the main
analysis, we employ the linear probability model (LPM) instead of probit or logistic regression models due
to the sparse nature of our operational risk event data. Nonlinear models for binary outcomes, like probit or
logistic regression, become ineffective when dealing with rare event data, as they often fail to converge due
to the sparsity of the outcome variable. Even if convergence is achieved, the resulting coefficient estimates
could be biased (Greenland et al. 2016).
Next, we present the model specification used to estimate how being identified for operational risk in the
last inspection moderates the learning and forgetting effects:

$$
\begin{aligned}
\text{If Error}_{i,g,t} ={}& \beta_0 + \beta_1\,\text{Sum Inspect}_{i,g,t} + \beta_2\,\text{Dates after Inspect}_{i,g,t} + \beta_3\,\text{If Ident Errors}_{i,g,t} \\
&+ \beta_4\,\text{Sum Inspect}_{i,g,t} \times \text{If Ident Errors}_{i,g,t} \\
&+ \beta_5\,\text{Dates after Inspect}_{i,g,t} \times \text{If Ident Errors}_{i,g,t} \\
&+ X_{i,g,t} + \text{DateFE}_t + \text{EmployeeFE}_i + \epsilon_{i,g,t},
\end{aligned} \tag{2}
$$

where $\text{If Ident Errors}_{i,g,t}$ is a binary variable, set to 1 if, on date t, employee i was identified as having
committed risk events in the most recent inspection for branch g, where the employee works. This
value remains 1 until the subsequent inspection for that branch, indicating that the employee is considered
accountable for operational risk since the last inspection. A value of 0 means that the employee was not
identified for risk events in the last inspection. By estimating $\beta_4$ and $\beta_5$ in Equation (2), we aim to test
Hypotheses 3 and 4.
Finally, we examine the effects of internal and external inspections on operational risk. To this end,
we split $\text{Sum Inspect}_{i,g,t}$ in Equation (1) into $\text{Sum Int Inspect}_{i,g,t}$ and $\text{Sum Ext Inspect}_{i,g,t}$, which
measure the cumulative number of internal or external inspections for branch g, where employee i
works, up to date t, respectively. These variables allow us to estimate learning effects arising from
internal and external inspections separately. Additionally, we separate $\text{Dates after Inspect}_{i,g,t}$ into
$\text{Dates after Int Inspect}_{i,g,t}$ and $\text{Dates after Ext Inspect}_{i,g,t}$, which represent the time elapsed since
the last internal or external inspection, respectively. We then employ these two variables to estimate forgetting
effects that occurred after internal and external inspections individually. Note that in our dataset, most
branches had their first external inspection before their first internal inspection. Therefore, in the subsequent
analysis of the two inspection types, we exclude observations prior to each branch’s first external inspection
to enhance the accuracy of learning and forgetting measures. In Section 5.4.3, we also consider alternative
approaches by excluding observations before either the first external or internal inspection, or before both,
which yields highly consistent results.
Similarly, to examine the moderating effects specific to internal and external inspections, we separate
If Ident Errors into two variables: If Int Ident Errors and If Ext Ident Errors. Each is a dummy
variable indicating whether the employee was identified as having made mistakes in the most recent
internal or external inspection, respectively. We then replace the two interaction terms in Equation (2) with
four interaction terms. For internal inspections, we include Sum Int Inspect × If Int Ident Errors
and Dates after Int Inspect × If Int Ident Errors. Likewise, for external inspections, we include
Sum Ext Inspect × If Ext Ident Errors and Dates after Ext Inspect × If Ext Ident Errors.

5. Empirical Results
In this section, we present our empirical results. Section 5.1 discusses the results related to the effects of
inspections on operational risk. Section 5.2 further categorizes inspections into two types (i.e., internal vs.
external) and analyzes each type’s impact on operational risk separately. Section 5.3 describes
heterogeneous analysis using branch-level moderators. Finally, in Section 5.4, we conduct a number of robustness
checks to further validate our empirical findings.

5.1. Effects of Inspections on Operational Risk


By estimating Equations (1) and (2), we obtain the results on the effects of overall inspections in Table 2.
Columns (1) and (2) present the learning and forgetting effects that occur after inspections, while columns
(3) and (4) show how being identified for mistakes in the most recent inspection moderates these learning
and forgetting effects. The full estimation results can be found in Table A.2 in the Appendix.

Table 2 Effects of Inspections on Operational Risk


| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) |
|---|---|---|---|---|
| Sum Inspect | -0.00023∗∗∗ | -0.00016∗∗∗ | -0.00021∗∗∗ | -0.00014∗∗∗ |
| | (0.00005) | (0.00005) | (0.00005) | (0.00004) |
| Dates after Inspect | 0.00002∗∗ | 0.00001∗∗ | 0.00002∗∗∗ | 0.00002∗∗∗ |
| | (0.00001) | (0.00001) | (0.00001) | (0.00001) |
| Sum Inspect × If Ident Errors | | | -0.00019∗∗ | -0.00014∗ |
| | | | (0.00009) | (0.00008) |
| Dates after Inspect × If Ident Errors | | | -0.00007∗∗ | -0.00005∗ |
| | | | (0.00003) | (0.00003) |
| Date Fixed Effects | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes |
| Observations | 263,013 | 263,013 | 263,013 | 263,013 |
| R-squared | 0.0229 | 0.0226 | 0.0229 | 0.0227 |
Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

First, in columns (1) and (2), the coefficient of Sum Inspect is negative and significant, suggesting that
as the number of cumulative inspections increases, the probability of employees making mistakes decreases.
This result provides empirical evidence for the learning effects from inspections, supporting Hypothesis 1.
With each inspection, employees receive valuable feedback on potential risk areas and are reminded of the
importance of adhering to procedures. As employees become more vigilant and aware of specific process
risks, they are better equipped to identify solutions and implement corrective actions, which helps reduce
future mistakes. In contrast, the coefficient of Dates after Inspect is positive and significant, indicating
that as time passes, the likelihood of employees making mistakes increases. This finding supports the
forgetting effects post-inspection, in line with Hypothesis 2. As time elapses, knowledge depreciation becomes
more likely, and employees may be less vigilant in following procedures, leading to a higher
probability of errors. More specifically, all else being equal, a one-standard-deviation increase in Sum Inspect
(Dates after Inspect) leads to a 0.0027 (0.0003) decrease (increase) in the employees’ probability of
making mistakes, which corresponds to a 38.24% (4.12%) change compared to the sample averages.
We next examine how being identified for risk events during the last inspection might influence inspection
effects. First, columns (3) and (4) confirm consistent results for the main learning and forgetting effects as
previously discussed. Next, we find that the interaction term Sum Inspect × If Ident Errors is negative
and significant. This finding indicates that when employees are identified for mistakes in the most recent
inspection, learning effects from inspections are strengthened, supporting Hypothesis 3. When
employees are identified for errors, they may experience an enhanced sense of accountability and receive more
concrete feedback, which could increase their motivation and facilitate deeper learning from the
inspection. This process reinforces the learning effects following inspections. Moreover, the interaction term
Dates after Inspect × If Ident Errors is also negative and significant, indicating that after employees
are identified for mistakes, their forgetting effects are reduced. This result supports Hypothesis 4. This
finding implies that the identification of mistakes during inspections may increase employees’ risk aversion and
trigger emotions such as discomfort or embarrassment, which together promote vigilance in complying with
procedures and reduce the natural decay of procedural knowledge. These factors help mitigate the forgetting
effects following inspections.

5.2. Effects of Internal and External Inspections on Operational Risk


In this section, we categorize inspections into two types. The first type is internal inspections, carried out
by the branch’s own management team (i.e., the branch manager and assistant managers). The second type
is external inspections, conducted either by managers from other branches or by the audit team from the
bank’s headquarters. Using the model described in Section 4.3, we estimate the effects of these two types
of inspections. The results are presented in Table 3, with the full estimation results provided in Table A.3 in
the Appendix.

Table 3 Effects of Internal and External Inspections on Operational Risk


| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) |
|---|---|---|---|---|
| Sum Int Inspect | -0.00019∗∗∗ | -0.00013∗∗∗ | -0.00016∗∗∗ | -0.00011∗∗ |
| | (0.00006) | (0.00005) | (0.00006) | (0.00005) |
| Dates after Int Inspect | -0.00001∗∗∗ | -0.00000∗∗∗ | -0.00000∗∗ | -0.00000∗∗ |
| | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| Sum Ext Inspect | -0.00029∗∗ | -0.00022∗∗ | -0.00025∗∗ | -0.00019∗∗ |
| | (0.00012) | (0.00009) | (0.00012) | (0.00009) |
| Dates after Ext Inspect | 0.00002∗∗∗ | 0.00002∗∗∗ | 0.00003∗∗∗ | 0.00002∗∗∗ |
| | (0.00001) | (0.00001) | (0.00001) | (0.00001) |
| Sum Int Inspect × If Int Ident Errors | | | -0.00009 | -0.00007 |
| | | | (0.00011) | (0.00010) |
| Dates after Int Inspect × If Int Ident Errors | | | -0.00003∗ | -0.00002∗ |
| | | | (0.00002) | (0.00001) |
| Sum Ext Inspect × If Ext Ident Errors | | | -0.00071∗∗∗ | -0.00044∗∗ |
| | | | (0.00023) | (0.00018) |
| Dates after Ext Inspect × If Ext Ident Errors | | | -0.00001 | -0.00001 |
| | | | (0.00003) | (0.00002) |
| Date Fixed Effects | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 253,218 | 253,218 |
| R-squared | 0.0221 | 0.0218 | 0.0224 | 0.0220 |
Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

To start with, as shown in columns (1) and (2) of Table 3, the coefficients for Sum Int Inspect and
Sum Ext Inspect are both negative and significant, indicating that as internal or external inspections
accumulate, the likelihood of employees making errors decreases. This finding suggests that learning effects
arise from both types of inspections. Additionally, the learning effect appears slightly stronger for external
inspections than internal ones (i.e., -0.00029 vs. -0.00019). However, a closer examination using the Wald
test did not reveal any statistically significant differences between the two coefficients. Thus, we do not
find empirical support for Hypothesis 5. One possible explanation is that, while external inspections may
bring benefits such as emotional detachment and cross-organizational knowledge, internal inspections also
have the added benefit of providing tailored and context-specific feedback closely aligned with the
organization’s unique operational environment. Internal inspectors, being deeply involved in the daily processes,
culture, and personnel, may provide employees with precise and actionable recommendations. This
institutional knowledge allows internal inspectors to identify subtle errors and inefficiencies arising from specific
contextual challenges, thereby enhancing learning effects. As a result, the learning effects of internal and
external inspections may not differ significantly.
Next, the coefficient of Dates after Ext Inspect is positive and significant. This implies that as time
passes following the last external inspection, the probability of employees making mistakes increases.
This positive effect provides evidence of the forgetting effects after external inspections. On the contrary,
the coefficient of Dates after Int Inspect is significant and negative, indicating that the probability of
employees committing errors decreases over time after the most recent internal inspection. To further
validate this difference between external and internal inspections, we perform the Wald test and find the
difference to be statistically significant at the 1% level. These findings suggest that forgetting effects are more
likely to occur after external inspections than internal ones, supporting Hypothesis 6. Unlike external
inspectors, internal inspectors are closely involved in employees’ day-to-day activities and directly influence their
career development. This ongoing engagement likely helps employees retain procedural knowledge and
maintain vigilance after internal inspections compared to external ones, thereby mitigating the forgetting
effects.
Finally, we proceed to the results presented in columns (3) and (4), which examine the moderating effects
of being identified for mistakes during the most recent internal or external inspection. The interaction term
Sum Ext Inspect × If Ext Ident Errors is negative and statistically significant at the 1% significance
level, whereas the coefficient of Sum Int Inspect × If Int Ident Errors is negative but not significant.
These findings indicate that being identified for mistakes in the most recent external inspection strengthens
the learning effects, whereas no similar patterns are observed for internal inspections. A plausible
explanation for these findings is that external inspectors tend to exhibit greater emotional detachment compared
to internal inspectors. This emotional neutrality may lead employees to perceive the feedback on identified
mistakes as more credible and serious. Consequently, employees are more inclined to focus on this
feedback and learn from it, making external inspections more effective than internal ones in stimulating learning
effects among employees identified as having made mistakes.
On the other hand, the interaction term Dates after Ext Inspect × If Ext Ident Errors is
insignificant, whereas Dates after Int Inspect × If Int Ident Errors is negative and significant at the 10%
significance level. This suggests that being identified for mistakes in external inspections does not
significantly mitigate forgetting effects. In contrast, being identified for mistakes after internal inspections can
further reduce the likelihood of future errors. Recall that being identified for mistakes could increase risk
aversion and evoke feelings of discomfort to inhibit memory fading, which weakens forgetting effects.
However, these effects are more likely to occur following internal inspections than external ones, leading
to the observed results. The continuous involvement of internal inspectors in employees’ daily operations
likely serves as a powerful reminder, intensifying the discomfort associated with past mistakes.
Additionally, the direct authority of internal inspectors over employees’ career progression may heighten their fear
of repeating mistakes in future inspections, further reinforcing their risk aversion.

5.3. Post-Hoc Heterogeneous Analysis


In this subsection, we examine three branch-level moderators to explore how key branch characteristics may
affect the effects of internal and external inspections. The first moderator, Dist Headquarter, denotes the
distance between the branch and the bank’s headquarters. The second moderator, Manager Exp, measures
the branch managers’ cumulative working experience in the finance industry by the start of our observation
period. The third variable, In Person Visits, refers to the total monthly number of customers visiting the
branch in person during our observation period.[4] By interacting these moderator variables with the learning
and forgetting measures, we present the results of the heterogeneous analysis of these branch characteristics
in Table 4 and the full estimation results can be found in Table A.4 in the Appendix.[5]
First, we consider the distance to the bank’s headquarters, as presented in columns (1) and (4) of Table 4.
The coefficients for both Sum Int Inspect × Dist Headquarter and Dates after Int Inspect ×
Dist Headquarter are negative and significant. This indicates that for the branch located farther from
the bank’s headquarters, internal inspections play a more critical role in reducing the probability of future
mistakes. One plausible explanation is that branches farther from headquarters have less direct oversight
and fewer opportunities for regular engagement with central management, making internal inspections a
more important mechanism for maintaining procedural adherence and operational discipline. Conversely,
the coefficients for both Sum Ext Inspect × Dist Headquarter and Dates after Ext Inspect ×
Dist Headquarter are positive and significant, suggesting that external inspections are more effective in
reducing the likelihood of future errors for branches closer to headquarters. This may be because branches
near headquarters are subject to greater visibility and oversight by central management, which could amplify
the impact of external inspections.

[4] To address the potential skewness concern, we take the logarithmic transformation of Dist Headquarter and Manager Exp
in our analysis. Note that applying a logarithmic transformation to In Person Visits also yields highly consistent results.
[5] Since we control for date and individual fixed effects, time-invariant individual and branch characteristics, such as
Dist Headquarter and Manager Exp, are absorbed in the estimation. The coefficient for In Person Visits, however, is
available in the full estimation results in the Appendix.

Table 4 Effects of Branch-Level Moderators
| Variables | (1) If Error | (2) If Error | (3) If Error | (4) log(Num Errors) | (5) log(Num Errors) | (6) log(Num Errors) |
|---|---|---|---|---|---|---|
| Sum Int Inspect | 0.00082∗∗∗ | 0.00012 | -0.00050∗∗∗ | 0.00061∗∗∗ | 0.00014 | -0.00037∗∗∗ |
| | (0.00022) | (0.00018) | (0.00012) | (0.00018) | (0.00014) | (0.00010) |
| Sum Int Inspect × Dist Headquarter | -0.00030∗∗∗ | | | -0.00022∗∗∗ | | |
| | (0.00007) | | | (0.00006) | | |
| Sum Int Inspect × Manager Exp | | -0.00009∗ | | | -0.00008∗ | |
| | | (0.00006) | | | (0.00004) | |
| Sum Int Inspect × In Person Visits | | | 0.00012∗∗∗ | | | 0.00009∗∗∗ |
| | | | (0.00004) | | | (0.00003) |
| Dates after Int Inspect | 0.00002∗∗ | 0.00006∗∗ | -0.00001 | 0.00001∗∗ | 0.00006∗∗ | -0.00000 |
| | (0.00001) | (0.00003) | (0.00001) | (0.00001) | (0.00002) | (0.00000) |
| Dates after Int Inspect × Dist Headquarter | -0.00001∗∗∗ | | | -0.00001∗∗∗ | | |
| | (0.00000) | | | (0.00000) | | |
| Dates after Int Inspect × Manager Exp | | -0.00002∗∗∗ | | | -0.00002∗∗∗ | |
| | | (0.00001) | | | (0.00001) | |
| Dates after Int Inspect × In Person Visits | | | 0.00000 | | | 0.00000 |
| | | | (0.00000) | | | (0.00000) |
| Sum Ext Inspect | -0.00103∗∗∗ | -0.00124∗∗∗ | 0.00007 | -0.00076∗∗∗ | -0.00110∗∗∗ | 0.00004 |
| | (0.00030) | (0.00046) | (0.00018) | (0.00024) | (0.00036) | (0.00014) |
| Sum Ext Inspect × Dist Headquarter | 0.00021∗∗∗ | | | 0.00015∗∗∗ | | |
| | (0.00007) | | | (0.00005) | | |
| Sum Ext Inspect × Manager Exp | | 0.00026∗∗ | | | 0.00024∗∗∗ | |
| | | (0.00011) | | | (0.00009) | |
| Sum Ext Inspect × In Person Visits | | | -0.00005∗∗∗ | | | -0.00004∗∗ |
| | | | (0.00002) | | | (0.00001) |
| Dates after Ext Inspect | -0.00001 | 0.00001 | 0.00006∗∗∗ | -0.00001 | 0.00002 | 0.00004∗∗∗ |
| | (0.00001) | (0.00002) | (0.00001) | (0.00001) | (0.00002) | (0.00001) |
| Dates after Ext Inspect × Dist Headquarter | 0.00001∗∗ | | | 0.00001∗∗ | | |
| | (0.00000) | | | (0.00000) | | |
| Dates after Ext Inspect × Manager Exp | | 0.00000 | | | 0.00000 | |
| | | (0.00001) | | | (0.00000) | |
| Dates after Ext Inspect × In Person Visits | | | -0.00001∗∗∗ | | | -0.00001∗∗∗ |
| | | | (0.00000) | | | (0.00000) |
| Date Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 253,218 | 253,218 | 253,218 | 253,218 |
| R-squared | 0.0223 | 0.0222 | 0.0223 | 0.0219 | 0.0218 | 0.0219 |

Note. We divide In Person Visits by ten thousand to improve the interpretability of the coefficient. Robust standard errors are given in
parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Next, in columns (2) and (5) of Table 4, we examine the role of managers’ experience. The negative and
significant coefficients for the two interaction terms between managers’ experience and the learning and
forgetting measures of internal inspections suggest that branches managed by more experienced managers
benefit more from internal inspections by strengthening employees’ learning and reducing the likelihood
of forgetting, leading to a greater reduction in mistakes. Experienced managers likely possess a deeper
understanding of the branch’s operational processes, enabling them to deliver more precise feedback and
tailored guidance during internal inspections. This may help employees internalize lessons more effectively
and decrease the likelihood of forgetting over time. On the other hand, the coefficients of the two interaction
terms between managers’ experience and the learning and forgetting measures of external inspections are
positive, with the learning measure being significant at the 5% level. These results indicate that branches
led by less experienced managers benefit more from external inspections, which help reduce errors by
enhancing learning effects. A possible explanation is that inexperienced managers may lack the insights
needed to fully leverage the internal inspections. As a result, external inspections conducted by outside
managers may compensate for this gap by offering fresh perspectives to identify areas for improvement,
thereby supporting the learning process more effectively.
Finally, we examine the moderating effects of offline branch traffic, measured by customer in-person
visits, as shown in columns (3) and (6). The coefficients for the two interaction terms between the total
monthly in-person visits and the learning and forgetting measures of internal inspections are positive, with
the interaction term for learning effects being significant at the 1% level. These results suggest that
internal inspections are more effective for branches with lower in-person traffic, as they facilitate the employee
learning process. Specifically, in branches with higher customer traffic, managers may prioritize immediate
operational demands related to in-person visits, leaving limited time for reflective activities to enhance the
learning value of internal inspections. As a result, internal inspections may become more procedural and
lack the depth required to drive significant learning improvements when in-person traffic is high. In contrast,
the coefficients for the two interaction terms involving external inspections are negative and statistically
significant, indicating that external inspections become more effective when branch in-person traffic is higher.
External inspections amplify learning effects and mitigate forgetting effects by providing employees with
fresh perspectives and alternative practices from other branches. Higher customer traffic exposes employees
to a greater variety of customer needs (Perdikaki et al. 2012), creating a richer and more relevant context for
applying cross-organizational insights. Consequently, the effectiveness of external inspections increases.

5.4. Robustness Checks


In this subsection, we perform several robustness checks and demonstrate that our results remain consistent.

5.4.1. Separate Analyses of Internal and External Inspections. In Section 5.2, we analyzed
internal and external inspections by jointly estimating measures related to both inspection types. As a
robustness check, we now evaluate each inspection type separately with its associated variables. Columns (1) and
(2) of Table A.5 in the Appendix present the results for internal inspections, while columns (3) and (4)
examine external inspections. These results are highly consistent with our main findings, providing further
support for Hypotheses 5 and 6.

5.4.2. Logarithmic Transformation for Forgetting-Effect Measures. To address
potential skewness concern in the forgetting-effect measures (i.e., Dates after Inspect,
Dates after Int Inspect, and Dates after Ext Inspect), we apply a logarithmic transformation to
these three independent variables. The results, presented in Table A.6 in the Appendix, remain consistent
with our main findings. Specifically, we continue to observe learning and forgetting effects after
inspections, as shown in columns (1) and (2). The results in columns (3) and (4), which analyze internal and
external inspections, provide consistent findings when employing the Wald test. These findings further
validate the existence of learning and forgetting effects, as well as the differences between internal and
external inspections.

5.4.3. Alternative Analyses for the Effects of Internal and External Inspections. In this
subsection, we conduct alternative analyses to assess the robustness of our main findings on internal and
external inspections. First, we exclude external inspections conducted by the headquarters’ audit team and
focus only on those performed by managers from other branches. This restriction allows for a more direct
comparison between the two inspection types performed exclusively by branch managers. Columns (1) and
(2) of Table A.7 in the Appendix present the estimation results. Applying the Wald test to these results, we
obtain consistent findings that support the comparisons between internal and external inspections.
Next, in columns (3) and (4), we exclude observations prior to either the first external or internal
inspection (i.e., before the first inspection), rather than excluding observations only before the first external
inspection, as in our main analyses in Section 5.2. In columns (5) and (6), we further refine the analysis by
excluding observations prior to both the first external and internal inspection. Applying the Wald test to
these alternative specifications, we find that our results remain highly consistent.

5.4.4. Clustered Standard Errors. In this robustness check, we re-estimate all our main analyses
using clustered standard errors at the employee level. Clustering at this level accounts for potential serial
correlation within individuals, ensuring that our inference about the significance of the main effects remains
valid in the presence of repeated measures or observations tied to the same employees. By applying
Equation (1) and the model used in columns (1) and (2) of Table 3, we obtain the results in Table A.8 in the
Appendix. The first two columns continue to reveal the learning and forgetting patterns following
inspections. Furthermore, the Wald test confirms a significant difference in forgetting effects but no significant
difference in learning effects between internal and external inspections. These results align with our
previous findings, suggesting that the observed relationships are robust and not artifacts of serial correlation.

6. Text Mining of Operational Risk Events


As discussed in Section 3.3, operational risk events cover a number of categories, each potentially exhibiting
distinct patterns in frequency, severity, and underlying causes. These variations might influence the
effectiveness of inspections as well as the associated learning and forgetting dynamics. To investigate this further,
we explore the learning and forgetting dynamics across different operational risk categories. Leveraging
the detailed textual descriptions of operational risk events in our dataset, we utilize text-mining techniques
to analyze these records and gain deeper insights into category-specific patterns. In particular, following
Xu et al. (2020), we utilize the Han Language Processing toolkit to analyze event descriptions in Chinese.
We begin by using a part-of-speech (POS) tagger to determine the grammatical roles, such as nouns, noun
phrases, and verbs, of each word within the event description. Following the methodology of Christopher
and Hinrich (1999), we then implement an association mining algorithm to further cluster our candidate
features, which uncovers the correlation and pattern within the dataset. After extracting the features (topics)
associated with each risk event, we group related features using association mining, resulting in ten types.
These types are labeled based on the predefined categories established by the bank, as outlined in Xu et al.
(2020). Finally, we vectorize the text using the Term Frequency-Inverse Document Frequency (TF-IDF)
and use the logistic regression as an initial classifier to categorize all the risk events in our dataset. To
ensure the accuracy of the classifications, we also manually reviewed all risk events categorized into these
ten types. Figure 1 presents the resulting distribution of risk event categories in our dataset. Among the
ten event types, operation failure, verification failure, and the interest rate/maturity issue are the top three,
collectively accounting for about 75% of all events in our dataset. Given their prevalence, we focus on these
three categories and investigate the impact of inspections on them separately in Section 6.1.
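
The last step of the pipeline described above (TF-IDF vectors fed to a logistic regression classifier), as an added example that is not the authors' code: a dependency-free Python version trained on constructed English descriptions of the three most frequent event types. The part-of-speech tagging and association-mining stages are not reproduced, and the sample texts, class name and function names are assumptions.

```python
import math
import re
from collections import Counter

# Constructed training descriptions (not taken from the bank's dataset).
TRAIN = [
    ("employee left workstation without securing cash in storage container", "operation failure"),
    ("employee left workplace with off duty receipt on counter without formal handover", "operation failure"),
    ("employee failed to inspect atm as required", "operation failure"),
    ("cash left unsecured on counter while teller away from workstation", "operation failure"),
    ("employee failed to verify customer identity by checking id card", "verification failure"),
    ("employee did not cross reference customer information before approval", "verification failure"),
    ("deposit certificate not verified for re deposited funds", "verification failure"),
    ("customer identity verification delayed and id card not checked", "verification failure"),
    ("business loan issued with incorrect interest rate", "interest rate/maturity issue"),
    ("loan maturity entered incorrectly in loan terms", "interest rate/maturity issue"),
    ("incorrect interest rate applied to company loan", "interest rate/maturity issue"),
    ("wrong loan maturity date applied to business loan", "interest rate/maturity issue"),
]

def tokenize(text):
    return re.findall(r"[a-z]+", text.lower())

class TfidfLogReg:
    """TF-IDF features with a softmax (multinomial logistic) classifier."""

    def fit(self, docs, labels, epochs=300, lr=1.0):
        toks = [tokenize(d) for d in docs]
        df = Counter(w for t in toks for w in set(t))
        self.vocab = {w: j for j, w in enumerate(sorted(df))}
        # Smoothed inverse document frequency.
        self.idf = {w: math.log((1 + len(docs)) / (1 + df[w])) + 1.0 for w in df}
        self.classes = sorted(set(labels))
        self.w = [[0.0] * len(self.vocab) for _ in self.classes]
        self.b = [0.0] * len(self.classes)
        vecs = [self.vectorize(d) for d in docs]
        for _ in range(epochs):
            # Per-sample gradient steps in a fixed order, so training is deterministic.
            for x, lab in zip(vecs, labels):
                p = self._softmax(x)
                for c, cls in enumerate(self.classes):
                    g = p[c] - (1.0 if cls == lab else 0.0)
                    self.b[c] -= lr * g
                    for j, v in x.items():
                        self.w[c][j] -= lr * g * v
        return self

    def vectorize(self, text):
        """Sparse, L2-normalised TF-IDF vector; unseen words are dropped."""
        tf = Counter(w for w in tokenize(text) if w in self.vocab)
        vec = {self.vocab[w]: n * self.idf[w] for w, n in tf.items()}
        norm = math.sqrt(sum(v * v for v in vec.values())) or 1.0
        return {j: v / norm for j, v in vec.items()}

    def _softmax(self, x):
        z = [self.b[c] + sum(self.w[c][j] * v for j, v in x.items())
             for c in range(len(self.classes))]
        m = max(z)
        e = [math.exp(v - m) for v in z]
        s = sum(e)
        return [v / s for v in e]

    def predict(self, text):
        p = self._softmax(self.vectorize(text))
        return self.classes[max(range(len(p)), key=p.__getitem__)]

def train_model():
    docs, labels = zip(*TRAIN)
    return TfidfLogReg().fit(list(docs), list(labels))

if __name__ == "__main__":
    model = train_model()
    for text in ("teller left cash on the counter without a handover",
                 "id card of the customer was not checked",
                 "interest rate on the loan was incorrect"):
        print(f"{model.predict(text):30s} <- {text}")
```

A description made up entirely of unseen words yields an empty vector and is assigned by the bias terms alone, which is one reason to keep a manual review step after the classifier, as the text describes.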

Figure 1 Histogram of risk event types. [Bar chart; vertical axis: Frequency; categories in the order shown: Operation failure, Verification failure, Interest rate/maturity issue, Guarantor issue, Material incomplete, Date error, Information inconsistency, Applicant quality, Default issue, Collateral issue.]

Before proceeding with the analysis, it is important to define the categories and provide specific examples
from our dataset for clarity. Operation failure, the most common category in our dataset, refers to errors
in employees’ daily operational processes. Examples from our dataset include employees temporarily
leaving their workstations without securing cash in a storage container; leaving the workplace with an off-duty
receipt on the counter without conducting a formal handover; or failing to inspect ATMs as required. The
next one, verification failure, on the other hand, typically involves delays or errors in confirming customer
identities or verifying essential qualification materials, which can compromise compliance and security. For
instance, some cases in our dataset include employees failing to verify a customer’s identity by checking ID
cards or cross-referencing information, as well as neglecting to verify deposit certificates for re-deposited
funds. Lastly, interest rate/maturity issues arise when incorrect loan terms, such as interest rates or loan
maturities, are applied, leading to financial discrepancies and losses. An example from our dataset involves
an employee issuing a business loan to a company with an outstanding balance of one million RMB,
applying an incorrect interest rate of 3.38% instead of the correct 9.38%.

6.1. Empirical Analysis of the Top Three Risk Event Types


After using text mining techniques to classify our risk events, we explore the effects of inspections on the
top three categories to assess whether these effects differ across event types.

6.1.1. Effects of Inspections on the Top Three Risk Event Types. First, by employing
Equation (1), we examine the impact of inspections on the top three types of risk events. The results, presented in
columns (1)–(3) of Table 5, indicate that the learning and forgetting effects remain consistent across these
three types, aligning with our main findings (see Table A.9 in the Appendix for the full estimation results).[6]
Next, although we find no statistically significant differences in forgetting effects across the three categories,
the magnitude of the coefficient for the learning measure, Sum Inspect, differs across the three types,
with operation failure exhibiting the strongest learning effect. To provide statistical evidence, we employ
a bootstrap resampling test with 1,000 replications to compare learning effects across the three types (Wu
1986), based on their coefficients and standard errors. The results suggest that the difference between
operation failure and verification failure is statistically significant at the 5% level, while the difference between
operation failure and interest rate/maturity issues is significant at the 1% level. These findings imply that
among the three most common types of operational risk events, learning effects are the most pronounced
for operation failure.
To understand the differences in learning effects across the three types of risk events, task complexity
might play a crucial role. Operation failure typically involves routine and procedural tasks, such as checking
the ATMs. These tasks rely on straightforward procedural knowledge, making it easier for employees to
adopt corrective measures after inspections. The simplicity of these tasks facilitates quicker learning, which
explains the more pronounced learning effects of this type of risk. In contrast, verification failure involves
more analytical processes, such as verifying customer identity and checking related certificates. These tasks
require a more nuanced understanding of various document types, standards, and compliance procedures.
Employees must exercise discernment and meticulous attention to detail, making these tasks harder to
improve solely through inspections. Hence, the learning improvement for verification failure is less
immediate compared to operation failure. Finally, interest rate/maturity issues, such as applying incorrect loan
terms, involve the highest level of task complexity. These tasks demand specialized financial knowledge,
a clear understanding of lending principles, and familiarity with the operational conditions of borrowers.
Correcting such errors requires employees to internalize complex financial principles and develop a deeper
understanding of the lender’s context, which takes more time. Consequently, learning improvements in this
category are slower and less pronounced.

[6] While the learning effects become insignificant for verification failure in column (5) and interest rate/maturity issues in column
(6), their coefficients are still consistently negative and less than that of operation failure, and the associated p-values (0.186
and 0.137, respectively) are close to the 10% significance level.

Table 5 Effects of Inspections on the Top Three Types of Risk Events

| Variables | (1) If Error: Operation Failure | (2) If Error: Verification Failure | (3) If Error: Interest Rate or Maturity Issue | (4) log(Num Errors): Operation Failure | (5) log(Num Errors): Verification Failure | (6) log(Num Errors): Interest Rate or Maturity Issue |
|---|---|---|---|---|---|---|
| Sum Inspect | -0.00014∗∗∗ | -0.00005∗ | -0.00003∗ | -0.00009∗∗∗ | -0.00003 | -0.00002 |
| | (0.00004) | (0.00003) | (0.00002) | (0.00003) | (0.00002) | (0.00001) |
| Dates after Inspect | 0.00001∗∗ | 0.00001∗∗ | 0.00001∗∗ | 0.00001∗∗ | 0.00001∗∗ | 0.00000∗∗ |
| | (0.00001) | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| Date Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes | Yes | Yes |
| Observations | 263,013 | 263,013 | 263,013 | 263,013 | 263,013 | 263,013 |
| R-squared | 0.0178 | 0.0112 | 0.0132 | 0.0176 | 0.0111 | 0.0127 |

Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

6.1.2. Effects of Internal and External Inspections on the Top Three Risk Event Types.
Next, using the model specification for columns (1) and (2) of Table 3, we investigate the effects of internal and external inspections on the top three types of risk events. The results in Table 6 imply that the two inspection types exhibit different patterns with respect to these event types. Specifically, in columns (1) and (2), the coefficient of Sum Int Inspect is negative and significant, whereas that of Dates after Ext Inspect is positive and significant. This finding suggests that for operation and verification failures, learning effects occur after internal inspections, whereas forgetting effects arise following external inspections. In contrast, in column (3) for the interest rate/maturity issues, only the coefficient of Sum Ext Inspect is negative and significant, indicating that learning effects from external inspections are particularly relevant to this type of risk event. Based on these findings, we conclude that internal inspections are more effective for addressing operation and verification failures, while external inspections are better suited for handling interest rate/maturity-related issues. These findings highlight that the effectiveness of internal and external inspections varies depending on the nature of risk events. For the full estimation results corresponding to Table 6, please refer to Table A.10 in the Appendix.
Operation and verification failures are routine process issues that employees encounter in their daily tasks. Internal inspectors, being familiar with the branch’s specific workflows, procedures, and operational culture, might offer practical and context-specific solutions tailored to employees’ operational processes. Their continuous involvement in the day-to-day operations enables them to monitor employee actions in real time and identify procedural gaps more effectively. As a result, internal inspections could provide more tailored feedback and guidance on daily process failures, enabling employees to promptly correct their actions and reduce the occurrence of such failures. On the other hand, external inspections are better suited to addressing interest rate/maturity-related issues. Risk events associated with issuing loans, a key part of employees’ income incentives, are often tied to performance-seeking behaviors (Xu et al. 2020). Such incentives may lead employees to prioritize loan volume and short-term financial performance, sometimes at the expense of making mistakes in loan terms, such as interest rates or maturities. Unlike internal inspectors, external inspectors operate independently of the branch’s operational targets and incentive structures. This detachment enables them to effectively assess whether loan terms are being applied consistently and appropriately, free from performance pressures. As a result, external inspections are particularly suited to identifying discrepancies in interest rates and maturities that might otherwise go unnoticed.
Table 6 Effects of Internal and External Inspections on the Top Three Types of Risk Events

| Variables | (1) If Error: Operation Failure | (2) If Error: Verification Failure | (3) If Error: Interest Rate or Maturity Issue | (4) log(Num Errors): Operation Failure | (5) log(Num Errors): Verification Failure | (6) log(Num Errors): Interest Rate or Maturity Issue |
|---|---|---|---|---|---|---|
| Sum Int Inspect | -0.00012∗∗∗ | -0.00006∗∗ | -0.00001 | -0.00008∗∗ | -0.00004∗ | -0.00001 |
| | (0.00004) | (0.00003) | (0.00002) | (0.00003) | (0.00002) | (0.00001) |
| Dates after Int Inspect | -0.00000 | -0.00000 | 0.00000 | -0.00000 | 0.00000 | 0.00000 |
| | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| Sum Ext Inspect | -0.00004 | -0.00004 | -0.00015∗∗∗ | -0.00002 | -0.00003 | -0.00013∗∗∗ |
| | (0.00008) | (0.00005) | (0.00005) | (0.00006) | (0.00004) | (0.00004) |
| Dates after Ext Inspect | 0.00002∗∗∗ | 0.00001∗∗ | 0.00000 | 0.00001∗∗∗ | 0.00001∗∗ | 0.00000 |
| | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| Date Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 253,218 | 253,218 | 253,218 | 253,218 |
| R-squared | 0.0177 | 0.0114 | 0.0130 | 0.0174 | 0.0112 | 0.0125 |

Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

7. Concluding Remarks
Operational risk has been widely recognized as a significant threat to the financial sector, with the potential for substantial financial losses. Regulations such as the Sarbanes-Oxley Act of 2002 and Basel III of 2012 have highlighted the importance of proper operational risk management across financial institutions globally. In addition to emphasizing its importance, regulators like the Basel Committee (see Basel Committee on Banking Supervision 2012) have mandated that banks implement rigorous inspection practices to mitigate potential operational losses. However, consistent guidelines on how such inspections should be conducted have yet to be established. While Kim and Xu (2024) are the first to examine the optimal design of operational risk inspection policies, the complexity of employee behaviors in response to inspections adds another layer of difficulty to addressing this issue. Despite its significance, no prior studies have empirically investigated the impact of operational risk inspections on bank employee behaviors, leaving a critical gap in the literature with important managerial implications. Therefore, our study seeks to uncover employee behaviors, with a focus on their learning and forgetting patterns, in response to operational risk inspections. To achieve this, we utilize a unique dataset from a large commercial bank, which includes both inspection records and operational risk events.
Our findings offer critical insights for banking practitioners and regulators aiming to enhance operational risk management practices. We find that the likelihood of risk events decreases as the frequency of inspections increases, validating the learning effects of inspections. Conversely, as time passes since the most recent inspection, the probability of employees committing operational risk events increases, supporting the presence of forgetting effects. These findings reveal that employee behaviors regarding operational risk are dynamic, shaped by both knowledge decay and feedback from inspections, thereby contributing to the operational risk literature. We also find that for individuals, committing risk events in the last inspection strengthens learning effects by providing more concrete and targeted feedback. Additionally, it reduces forgetting effects by eliciting feelings of accountability and increasing risk aversion. These findings highlight the dual role of inspections, not only in detecting errors but also in driving behavioral changes through feedback.
By analyzing internal and external inspections, we uncover important differences between these two widely adopted inspection types. Forgetting effects are more likely to occur after external inspections than internal ones, likely due to the constant presence of internal inspectors who have direct authority over employees’ careers and provide continuous reinforcement. Learning effects, however, do not differ significantly between the two inspection types. Interestingly, being identified for mistakes during internal inspections helps mitigate forgetting, while for external inspections, it enhances learning. These findings advance the inspection literature by revealing the nuanced learning and forgetting dynamics across different inspection types. Moreover, from a practical perspective, internal inspections are more effective at branches farther from headquarters, managed by more experienced managers, or with lower customer traffic. In contrast, external inspections are more beneficial for branches closer to headquarters, led by less experienced managers, or with higher customer traffic. These findings provide actionable guidance for financial institutions to optimize inspection schedules and assign proper inspectors based on branch characteristics.
Furthermore, our use of text mining to classify risk events into ten categories reveals that learning and forgetting patterns are consistent across the three most common types of risk events (i.e., operation failure, verification failure, and interest rate/maturity issues), accounting for about 75% of all risk events in our dataset. Notably, learning effects are most pronounced for operation failure, which typically involves simpler and routine tasks. Additionally, internal inspections are particularly effective for addressing daily operational risks, such as operation and verification failures, whereas external inspections are better suited to handling events related to interest rates or maturities. These findings provide valuable insights for designing inspection policies based on the nature of specific risk events.
While our study is the first to empirically examine the impact of operational risk inspections on bank
employee behaviors, it still has several limitations, which may serve as avenues for future research. First,
in this study, we focus on the effects of inspections on operational risk from the standpoint of employees,
which allows us to uncover individual learning and forgetting patterns. Future studies could expand on this
by investigating the impact of inspections from the perspective of inspectors. For instance, studies could
examine how the seniority level of inspectors (e.g., junior versus senior managers) and the nature of their
interactions with employees might influence the overall effectiveness of inspections. Second, our study
leverages the widely adopted random inspections conducted by our collaborator bank, which effectively
mitigate potential endogeneity concerns. However, future studies might extend our analyses by examining
other commonly implemented inspection policies, such as periodic inspections (see Kim and Xu 2024), to
see whether employee behaviors might change based on different inspection policies. Finally, while our
study primarily focuses on the occurrence of risk events, future research with more granular data could
further explore the severity of these risk events, which may also affect employee behaviors.
In conclusion, we hope this study can offer valuable insights for bank practitioners and regulators to
establish more effective inspection frameworks that align inspection frequency, type, and focus with the
complexity of operational risks and the behavioral dynamics of bank employees. More broadly, we hope to
stimulate future empirical and modeling research to further advance understanding in this area.

References
Agrawal, Anupam, Ujjal Mukherjee, Suresh Muthulingam. 2020. Does organizational forgetting affect quality knowledge gained
through spillover?—Evidence from the automotive industry. Production and Operations Management 29(4) 907–934.
Agrawal, Anupam, Suresh Muthulingam. 2015. Does organizational forgetting affect vendor quality performance? An empirical
investigation. Manufacturing & Service Operations Management 17(3) 350–367.
Akşin, Zeynep, Sarang Deo, Jónas Oddur Jónasson, Kamalini Ramdas. 2021. Learning from many: Partner exposure and team
familiarity in fluid teams. Management Science 67(2) 854–874.
Anand, Gopesh, John Gray, Enno Siemsen. 2012. Decay, shock, and renewal: Operational routines and process entropy in the
pharmaceutical industry. Organization Science 23(6) 1700–1716.
Argote, Linda, Sara L Beckman, Dennis Epple. 1990. The persistence and transfer of learning in industrial settings. Management
Science 36(2) 140–154.
Ashby, Simon. 2010. The 2007-2009 financial crisis: Learning the risk management lessons. Financial Services Research Forum,
Nottingham.
Avgerinos, Emmanouil, Bilal Gokpinar, Ioannis Fragkos. 2020. The effect of failure on performance over time: The case of cardiac
surgery operations. Journal of Operations Management 66(4) 441–463.
Bailey, Charles D. 1989. Forgetting and the learning curve: A laboratory study. Management Science 35(3) 340–352.
Ball, George, Enno Siemsen, Rachna Shah. 2017. Do plant inspections predict future quality? The role of investigator experience.
Manufacturing & Service Operations Management 19(4) 534–550.
Bank for International Settlements. June 2011. Operational risk - Supervisory Guidelines for the Advanced Measurement Approaches.
Barclays PLC. 2014. Barclays PLC Annual Report. URL http://www.home.barclays/annual-report-2014.html.
Basak, Suleyman, Andrea M Buffa. 2019. A theory of model sophistication and operational risk. Available at SSRN 2737178.
Basel Committee on Banking Supervision. 2011. Principles for the sound management of operational risk. BIS Consultative
Document.
Basel Committee on Banking Supervision. 2012. The internal audit function in banks. BIS Consultative Document.
Batt, Robert J, Santiago Gallino. 2019. Finding a needle in a haystack: The effects of searching and learning on pick-worker
performance. Management Science 65(6) 2624–2645.
Bavafa, Hessam, Jónas Oddur Jónasson. 2021. The variance learning curve. Management Science 67(5) 3104–3116.
Beshears, John, Hae Nim Lee, Katherine L Milkman, Robert Mislavsky, Jessica Wisdom. 2021. Creating exercise habits using
incentives: The trade-off between flexibility and routinization. Management Science 67(7) 4139–4171.
Bhaskar, Lori Shefchik. 2020. How do risk-based inspections impact auditor behavior? Experimental evidence on the PCAOB’s
process. The Accounting Review 95(4) 103–126.
Boone, Tonya, Ram Ganeshan, Robert L Hicks. 2008. Learning and knowledge depreciation in professional services. Management
Science 54(7) 1231–1236.
Brown, Stephen, William Goetzmann, Bing Liang, Christopher Schwarz. 2008. Mandatory disclosure and operational risk: Evidence from hedge fund registration. The Journal of Finance 63(6) 2785–2815.
Calzolari, Giacomo, Mattia Nardotto. 2017. Effective reminders. Management Science 63(9) 2915–2932.
Chen, Li, Hau L Lee. 2017. Sourcing under supplier responsibility risk: The effects of certification, audit, and contingency payment.
Management Science 63(9) 2795–2812.
Choudhary, Preeti, Kenneth Merkley, Katherine Schipper. 2019. Auditors’ quantitative materiality judgments: Properties and implications for financial reporting reliability. Journal of Accounting Research 57(5) 1303–1351.
Christopher, D Manning, Schütze Hinrich. 1999. Foundations of Statistical Natural Language Processing. The MIT Press, Cambridge, MA.
Cohen, Michael D, Paul Bacdayan. 1994. Organizational routines are stored as procedural memory: Evidence from a laboratory
study. Organization Science 5(4) 554–568.
Cruz, Marcelo G. 2002. Modeling, Measuring and Hedging Operational Risk. John Wiley & Sons, New York.
Di Stefano, Giada, Francesca Gino, Gary P Pisano, Bradley Staats, Giada Di-Stefano. 2014. Learning by thinking: How reflection
aids performance. Harvard Business School Boston, MA.
Duflo, Esther, Michael Greenstone, Rohini Pande, Nicholas Ryan. 2018. The value of regulatory discretion: Estimates from environmental inspections in India. Econometrica 86(6) 2123–2160.
Earnhart, Dietrich, Kathleen Segerson. 2012. The influence of financial status on the effectiveness of environmental enforcement.
Journal of Public Economics 96(9-10) 670–684.
Edmondson, Amy. 1999. Psychological safety and learning behavior in work teams. Administrative Science Quarterly 44(2)
350–383.
Froehle, Craig M, Denise L White. 2014. Interruption and forgetting in knowledge-intensive service environments. Production and
Operations Management 23(4) 704–722.
Fuller, Stephen H, Jennifer R Joe, Benjamin L Luippold. 2021. The effect of auditor reporting choice and audit committee oversight
on management financial disclosures. The Accounting Review 96(6) 239–274.
Greenland, Sander, Mohammad Ali Mansournia, Douglas G Altman. 2016. Sparse data bias: A problem hiding in plain sight. BMJ
352.
Hora, Manpreet, Robert D Klassen. 2013. Learning from others’ misfortune: Factors influencing knowledge acquisition to reduce
operational risk. Journal of Operations Management 31(1-2) 52–61.
Huckman, Robert S, Gary P Pisano. 2006. The firm specificity of individual performance: Evidence from cardiac surgery. Management Science 52(4) 473–488.
Huckman, Robert S, Bradley R Staats, David M Upton. 2009. Team familiarity, role experience, and performance: Evidence from
Indian software services. Management Science 55(1) 85–100.
Hurtado, Patricia. 2015. The London Whale. Bloomberg News URL https://www.bloomberg.com/opinion/quicktake/the-london-whale.
Ibanez, Maria R, Jonathan R Clark, Robert S Huckman, Bradley R Staats. 2018. Discretionary task ordering: Queue management
in radiological services. Management Science 64(9) 4389–4407.
Ibanez, Maria R, Michael W Toffel. 2020. How scheduling can bias quality assessment: Evidence from food-safety inspections.
Management Science 66(6) 2396–2416.
Jarrow, Robert A. 2008. Operational risk. Journal of Banking & Finance 32(5) 870–879.
Jin, Ginger Zhe, Phillip Leslie. 2003. The effect of information on product quality: Evidence from restaurant hygiene grade cards.
The Quarterly Journal of Economics 118(2) 409–451.
JPMorgan Chase & Co. 2013. Report of JPMorgan Chase & Co. Management Task Force Regarding 2012 CIO Losses. URL
https://ypfs.som.yale.edu/node/2821.
Kahneman, Daniel, Amos Tversky. 2013. Prospect Theory: An Analysis of Decision under Risk. Handbook of the Fundamentals
of Financial Decision Making: Part I. World Scientific, 99–127.
Kc, Diwas, Bradley R Staats, Francesca Gino. 2013. Learning from my success and from others’ failure: Evidence from minimally
invasive cardiac surgery. Management Science 59(11) 2435–2449.
Kc, Diwas S, Bradley R Staats. 2012. Accumulating a portfolio of experience: The effect of focal and related experience on surgeon
performance. Manufacturing & Service Operations Management 14(4) 618–633.
Kim, Sang-Hyun. 2015. Time to come clean? Disclosure and inspection policies for green production. Operations Research 63(1)
1–20.
Kim, Song H, Hummy Song, Melissa A Valentine. 2023. Learning in temporary teams: The varying effects of partner exposure by
team member role. Organization Science 34(1) 433–455.
Kim, Youngsoo, Yuqian Xu. 2024. Operational risk management: Optimal inspection policy. Management Science 70(6) 4087–4104.
KPMG. 2007. China’s city commercial banks: Opportunity knocks? http://www.kpmg.com.cn/en/virtual_library/Financial_advisory_services/Chin_comm_bank/Opportunity_knocks.pdf.
Lapré, Michael A, Candace Cravey. 2022. When success is rare and competitive: Learning from others’ success and my failure at
the speed of Formula One. Management Science 68(12) 8741–8756.
Lapré, Michael A, Ingrid M Nembhard, et al. 2011. Inside the organizational learning curve: Understanding the organizational
learning process. Foundations and Trends® in Technology, Information and Operations Management 4(1) 1–103.
Lapré, Michael A, Nikos Tsikriktsis. 2006. Organizational learning curves for customer dissatisfaction: Heterogeneity across
airlines. Management Science 52(3) 352–366.
Lin, Wilson, Lauren Xiaoyuan Lu, Susan F Lu. 2024. The impact of inspection backlogs on nursing home quality: State agencies’ lax oversight and staffing shortage. Working Paper.
Madsen, Peter M, Vinit Desai. 2010. Failing to learn? The effects of failure and success on organizational learning in the global
orbital launch vehicle industry. Academy of Management Journal 53(3) 451–476.
Magee, Joe C, Adam D Galinsky. 2008. Social hierarchy: The self-reinforcing nature of power and status. Academy of Management
Annals 2(1) 351–398.
Mani, Vidya, Suresh Muthulingam. 2019. Does learning from inspections affect environmental performance? Evidence from
unconventional well development in Pennsylvania. Manufacturing & Service Operations Management 21(1) 177–197.
Marrison, Chris. 2005. The fundamentals of risk measurement. The Mathematical Intelligencer 27(2) 83–83.
Miller, Rowland S. 1986. Embarrassment: Causes and Consequences. Shyness: Perspectives on research and treatment. Springer,
295–311.
Narayanan, Sriram, Sridhar Balasubramanian, Jayashankar M Swaminathan. 2009. A matter of balance: Specialization, task variety,
and individual learning in a software maintenance environment. Management Science 55(11) 1861–1876.
Olson, David L, Desheng Dash Wu. 2007. Enterprise Risk Management. World Scientific Publishing Company.
Perdikaki, Olga, Saravanan Kesavan, Jayashankar M Swaminathan. 2012. Effect of traffic on sales and conversion rates of retail
stores. Manufacturing & Service Operations Management 14(1) 145–162.
Pitkänen, Hanna, Kari Lukka. 2011. Three dimensions of formal and informal feedback in management accounting. Management
Accounting Research 22(2) 125–137.
Plambeck, Erica L, Terry A Taylor. 2016. Supplier evasion of a buyer’s audit: Implications for motivating supplier social and
environmental responsibility. Manufacturing & Service Operations Management 18(2) 184–197.
Power, Michael. 1997. The Audit Society: Rituals of Verification. OUP Oxford.
Ramachandran, Karthik, Necati Tereyagoglu, Murat Unal. 2017. Help or hindrance? The role of familiarity in collaborative product
development. Available at SSRN 3000522.
Ramdas, Kamalini, Khaled Saleh, Steven Stern, Haiyan Liu. 2018. Variety and experience: Learning and forgetting in the use of
surgical devices. Management Science 64(6) 2590–2608.
Reagans, Ray, Linda Argote, Daria Brooks. 2005. Individual experience and experience working together: Predicting learning rates
from knowing who knows what and knowing how to work together. Management Science 51(6) 869–881.
Roels, Guillaume, Bradley R Staats. 2021. OM forum—people-centric operations: Achievements and future research directions.
Manufacturing & Service Operations Management 23(4) 745–757.
Schulz, Jan-Frederic, Daniele Funaro. 2018. How banks can manage operational risk. Bain & Company URL https://www.bain.com/insights/how-banks-can-manage-operational-risk.
Slovic, Paul. 1992. Perception of Risk: Reflections on the Psychometric Paradigm. Theories of Risk.
Stemn, Eric, Carmel Bofinger, David Cliff, Maureen E Hassall. 2018. Failure to learn from safety incidents: Status, challenges and
opportunities. Safety Science 101 313–325.
Tan, Tom F, Serguei Netessine. 2019. When you work with a superman, will you also fly? An empirical study of the impact of
coworkers on performance. Management Science 65(8) 3495–3517.
Ton, Zeynep, Robert S Huckman. 2008. Managing the impact of employee turnover on performance: The role of process conformance. Organization Science 19(1) 56–68.
Wang, Yixin Iris, George Ball, Anand Gopesh, Park Hyunwoo. 2024. Obligatory responses to FDA inspection outcomes and future
drug shortages. Working Paper.
Wright, Theodore P. 1936. Factors affecting the cost of airplanes. Journal of the Aeronautical Sciences 3(4) 122–128.
Wu, Anqi Angie, Yixin Iris Wang. 2024. The more monitoring, the better quality? Empirical evidence from the generic drug
industry. Available at SSRN 3596559.
Wu, Chien-Fu Jeff. 1986. Jackknife, bootstrap and other resampling methods in regression analysis. Annals of Statistics 14(4)
1261–1295.
Wu, Owen Q, Volodymyr Babich. 2012. Unit-contingent power purchase agreement and asymmetric information about plant
outage. Manufacturing & Service Operations Management 14(2) 245–261.
Xu, Yuqian, Michael Pinedo, Mei Xue. 2017. Operational risk in financial services: A review and new research opportunities.
Production and Operations Management 26(3) 426–445.
Xu, Yuqian, Tom Fangyun Tan, Serguei Netessine. 2022. The impact of workload on operational risk: Evidence from a commercial
bank. Management Science 68(4) 2668–2693.
Xu, Yuqian, Lingjiong Zhu, Michael Pinedo. 2020. Operational risk management: A stochastic control framework with preventive
and corrective controls. Operations Research 68(6) 1804–1825.

Appendix A: Tables

Table A.1 Seven Types of Operational Risk and Their Definitions Established by Basel II

| Types | Definitions | Amount of Losses (Percentage) |
|---|---|---|
| Clients, products, and business practices | Market manipulation, antitrust, improper trade (aggressive sales), product defects, fiduciary breaches, account churning | $143.3 bn (68.43%) |
| Execution, delivery, and process management | Data-entry errors, accounting errors, failed mandatory reporting, negligent loss of client assets | $38.2 bn (18.24%) |
| External fraud | Theft of information, hacking damage, third-party theft and forgery | $13.4 bn (6.40%) |
| Employment practices and workplace safety | Discrimination, workers compensation, employee health and safety | $7.8 bn (3.72%) |
| Internal fraud | Misappropriation of assets, tax evasion, intentional mismarking of positions, bribery | $3.1 bn (1.48%) |
| Business disruption and system failures | Utility disruptions, software failures, hardware failures | $2.4 bn (1.15%) |
| Damage to physical assets | Natural disasters, terrorism, vandalism | $1.2 bn (0.57%) |

Note. The amount of losses that occurred at 96 major banks from January 2011 to December 2016 is documented by Schulz and Funaro (2018).

Table A.2 Full Results of Effects of Inspections

| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) |
|---|---|---|---|---|
| Sum Inspect | -0.00023∗∗∗ | -0.00016∗∗∗ | -0.00021∗∗∗ | -0.00014∗∗∗ |
| | (0.00005) | (0.00005) | (0.00005) | (0.00004) |
| Dates after Inspect | 0.00002∗∗ | 0.00001∗∗ | 0.00002∗∗∗ | 0.00002∗∗∗ |
| | (0.00001) | (0.00001) | (0.00001) | (0.00001) |
| Sum Inspect × If Ident Errors | | | -0.00019∗∗ | -0.00014∗ |
| | | | (0.00009) | (0.00008) |
| Dates after Inspect × If Ident Errors | | | -0.00007∗∗ | -0.00005∗ |
| | | | (0.00003) | (0.00003) |
| If Ident Errors | | | 0.00427∗∗ | 0.00326∗ |
| | | | (0.00214) | (0.00184) |
| In Person Visits | 0.00144∗∗ | 0.00108∗∗ | 0.00143∗∗ | 0.00107∗∗ |
| | (0.00059) | (0.00049) | (0.00059) | (0.00049) |
| Digital Tran | 0.00089∗∗∗ | 0.00068∗∗∗ | 0.00089∗∗∗ | 0.00068∗∗∗ |
| | (0.00030) | (0.00024) | (0.00030) | (0.00024) |
| Num Tran | 0.00000 | 0.00000 | 0.00000 | 0.00000 |
| | (0.00003) | (0.00003) | (0.00003) | (0.00003) |
| Date Fixed Effects | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes |
| Observations | 263,013 | 263,013 | 263,013 | 263,013 |
| R-squared | 0.0229 | 0.0226 | 0.0229 | 0.0227 |

Note. We divide In Person Visits, Digital Tran, and Num Tran by ten thousand to improve the interpretability of the coefficient, and apply this in subsequent analyses. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.3 Full Results of Effects of Internal and External Inspections

| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) |
|---|---|---|---|---|
| Sum Int Inspect | -0.00019∗∗∗ | -0.00013∗∗∗ | -0.00016∗∗∗ | -0.00011∗∗ |
| | (0.00006) | (0.00005) | (0.00006) | (0.00005) |
| Dates after Int Inspect | -0.00001∗∗∗ | -0.00000∗∗∗ | -0.00000∗∗ | -0.00000∗∗ |
| | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| Sum Ext Inspect | -0.00029∗∗ | -0.00022∗∗ | -0.00025∗∗ | -0.00019∗∗ |
| | (0.00012) | (0.00009) | (0.00012) | (0.00009) |
| Dates after Ext Inspect | 0.00002∗∗∗ | 0.00002∗∗∗ | 0.00003∗∗∗ | 0.00002∗∗∗ |
| | (0.00001) | (0.00001) | (0.00001) | (0.00001) |
| Sum Int Inspect × If Int Ident Errors | | | -0.00009 | -0.00007 |
| | | | (0.00011) | (0.00010) |
| Dates after Int Inspect × If Int Ident Errors | | | -0.00003∗ | -0.00002∗ |
| | | | (0.00002) | (0.00001) |
| Sum Ext Inspect × If Ext Ident Errors | | | -0.00071∗∗∗ | -0.00044∗∗ |
| | | | (0.00023) | (0.00018) |
| Dates after Ext Inspect × If Ext Ident Errors | | | -0.00001 | -0.00001 |
| | | | (0.00003) | (0.00002) |
| If Int Ident Errors | | | 0.00072 | 0.00052 |
| | | | (0.00198) | (0.00169) |
| If Ext Ident Errors | | | 0.00228 | 0.00058 |
| | | | (0.00252) | (0.00193) |
| In Person Visits | 0.00131∗∗ | 0.00103∗∗ | 0.00124∗∗ | 0.00099∗∗ |
| | (0.00056) | (0.00047) | (0.00056) | (0.00048) |
| Digital Tran | 0.00025 | 0.00021 | 0.00020 | 0.00017 |
| | (0.00030) | (0.00025) | (0.00030) | (0.00024) |
| Num Tran | 0.00003 | 0.00002 | 0.00003 | 0.00002 |
| | (0.00003) | (0.00002) | (0.00003) | (0.00002) |
| Date Fixed Effects | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 253,218 | 253,218 |
| R-squared | 0.0221 | 0.0218 | 0.0224 | 0.0220 |

Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.4 Full Results of Effects of Branch-Level Moderators

| Variables | (1) If Error | (2) If Error | (3) If Error |
|---|---|---|---|
| Sum Int Inspect | 0.00082∗∗∗ | 0.00012 | -0.00050∗∗∗ |
| | (0.00022) | (0.00018) | (0.00012) |
| Sum Int Inspect × Dist Headquarter | -0.00030∗∗∗ | | |
| | (0.00007) | | |
| Sum Int Inspect × Manager Exp | | -0.00009∗ | |
| | | (0.00006) | |
| Sum Int Inspect × In Person Visits | | | 0.00012∗∗∗ |
| | | | (0.00004) |
| Dates after Int Inspect | 0.00002∗∗ | 0.00006∗∗ | -0.00001 |
| | (0.00001) | (0.00003) | (0.00001) |
| Dates after Int Inspect × Dist Headquarter | -0.00001∗∗∗ | | |
| | (0.00000) | | |
| Dates after Int Inspect × Manager Exp | | -0.00002∗∗∗ | |
| | | (0.00001) | |
| Dates after Int Inspect × In Person Visits | | | 0.00000 |
| | | | (0.00000) |
| Sum Ext Inspect | -0.00103∗∗∗ | -0.00124∗∗∗ | 0.00007 |
| | (0.00030) | (0.00046) | (0.00018) |
| Sum Ext Inspect × Dist Headquarter | 0.00021∗∗∗ | | |
| | (0.00007) | | |
| Sum Ext Inspect × Manager Exp | | 0.00026∗∗ | |
| | | (0.00011) | |
| Sum Ext Inspect × In Person Visits | | | -0.00005∗∗∗ |
| | | | (0.00002) |
| Dates after Ext Inspect | -0.00001 | 0.00001 | 0.00006∗∗∗ |
| | (0.00001) | (0.00002) | (0.00001) |
| Dates after Ext Inspect × Dist Headquarter | 0.00001∗∗ | | |
| | (0.00000) | | |
| Dates after Ext Inspect × Manager Exp | | 0.00000 | |
| | | (0.00001) | |
| Dates after Ext Inspect × In Person Visits | | | -0.00001∗∗∗ |
| | | | (0.00000) |
| In Person Visits | 0.00127∗∗ | 0.00119∗∗ | 0.00156∗∗∗ |
| | (0.00057) | (0.00057) | (0.00062) |
| Digital Tran | -0.00000 | 0.00008 | 0.00077∗∗ |
| | (0.00032) | (0.00031) | (0.00032) |
| Num Tran | 0.00004 | 0.00003 | 0.00004 |
| | (0.00003) | (0.00003) | (0.00003) |
| Date Fixed Effects | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 253,218 |
| R-squared | 0.0223 | 0.0222 | 0.0223 |

Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.5 Separate Analyses of Internal and External Inspections


| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) |
|---|---|---|---|---|
| Sum Int Inspect | -0.00016∗∗∗ | -0.00011∗∗ | | |
| | (0.00006) | (0.00005) | | |
| Dates after Int Inspect | -0.00001∗∗∗ | -0.00001∗∗∗ | | |
| | (0.00000) | (0.00000) | | |
| Sum Ext Inspect | | | -0.00021∗∗ | -0.00017∗∗ |
| | | | (0.00011) | (0.00009) |
| Dates after Ext Inspect | | | 0.00003∗∗∗ | 0.00002∗∗∗ |
| | | | (0.00001) | (0.00001) |
| Date Fixed Effects | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 253,218 | 253,218 |
| R-squared | 0.0220 | 0.0221 | 0.0217 | 0.0217 |
Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.6 Logarithmic Transformation for Forgetting-Effect Measures


| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) |
|---|---|---|---|---|
| Sum Inspect | -0.00024∗∗∗ | -0.00017∗∗∗ | | |
| | (0.00005) | (0.00004) | | |
| log(Dates after Inspect) | 0.00033∗ | 0.00028∗ | | |
| | (0.00019) | (0.00016) | | |
| Sum Int Inspect | | | -0.00017∗∗∗ | -0.00012∗∗ |
| | | | (0.00005) | (0.00005) |
| log(Dates after Int Inspect) | | | -0.00012 | -0.00010 |
| | | | (0.00018) | (0.00015) |
| Sum Ext Inspect | | | -0.00036∗∗∗ | -0.00027∗∗∗ |
| | | | (0.00011) | (0.00009) |
| log(Dates after Ext Inspect) | | | 0.00081∗∗∗ | 0.00066∗∗∗ |
| | | | (0.00020) | (0.00016) |
| Date Fixed Effects | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes |
| Observations | 263,013 | 263,013 | 253,218 | 253,218 |
| R-squared | 0.0229 | 0.0226 | 0.0221 | 0.0218 |
Note. Robust standard errors clustered at the employee level are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.7 Alternative Analyses for the Effects of Internal and External Inspections

| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) | (5) If Error | (6) log(Num Errors) |
|---|---|---|---|---|---|---|
| Sum Int Inspect | -0.00017∗∗∗ | -0.00011∗∗ | -0.00023∗∗∗ | -0.00016∗∗∗ | -0.00019∗∗∗ | -0.00013∗∗ |
| | (0.00006) | (0.00005) | (0.00005) | (0.00004) | (0.00007) | (0.00006) |
| Dates after Int Inspect | -0.00001∗∗ | -0.00000∗∗ | -0.00001∗∗∗ | -0.00000∗∗∗ | -0.00000 | -0.00000 |
| | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| Sum Ext Inspect | -0.00037∗∗∗ | -0.00025∗∗ | -0.00019 | -0.00012 | -0.00008 | -0.00007 |
| | (0.00014) | (0.00011) | (0.00012) | (0.00010) | (0.00017) | (0.00014) |
| Dates after Ext Inspect | 0.00002∗∗∗ | 0.00002∗∗∗ | 0.00003∗∗∗ | 0.00002∗∗∗ | 0.00003∗∗∗ | 0.00002∗∗∗ |
| | (0.00000) | (0.00000) | (0.00001) | (0.00001) | (0.00001) | (0.00001) |
| Date Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 263,013 | 263,013 | 211,737 | 211,737 |
| R-squared | 0.0222 | 0.0219 | 0.0230 | 0.0227 | 0.0232 | 0.0228 |
Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.8 Robustness Check of Clustered Standard Errors


| Variables | (1) If Error | (2) log(Num Errors) | (3) If Error | (4) log(Num Errors) |
|---|---|---|---|---|
| Sum Inspect | -0.00023∗∗∗ | -0.00016∗∗∗ | | |
| | (0.00009) | (0.00007) | | |
| Dates after Inspect | 0.00002∗ | 0.00001∗ | | |
| | (0.00001) | (0.00001) | | |
| Sum Int Inspect | | | -0.00019∗ | -0.00013∗ |
| | | | (0.00010) | (0.00008) |
| Dates after Int Inspect | | | -0.00001∗ | -0.00000∗ |
| | | | (0.00000) | (0.00000) |
| Sum Ext Inspect | | | -0.00029∗ | -0.00022∗ |
| | | | (0.00016) | (0.00013) |
| Dates after Ext Inspect | | | 0.00002∗∗∗ | 0.00002∗∗∗ |
| | | | (0.00001) | (0.00001) |
| Date Fixed Effects | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes |
| Control Variables | Yes | Yes | Yes | Yes |
| Observations | 263,013 | 263,013 | 253,218 | 253,218 |
| R-squared | 0.0229 | 0.0226 | 0.0221 | 0.0218 |
Note. Robust standard errors clustered at the employee level are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.9 Full Results of Effects of Inspections on the Top Three Types of Risk Events

| Variables | (1) If Error: Operation Failure | (2) If Error: Verification Failure | (3) If Error: Interest Rate or Maturity Issue | (4) log(Num Errors): Operation Failure | (5) log(Num Errors): Verification Failure | (6) log(Num Errors): Interest Rate or Maturity Issue |
|---|---|---|---|---|---|---|
| Sum Inspect | -0.00014∗∗∗ | -0.00005∗ | -0.00003∗ | -0.00009∗∗∗ | -0.00003 | -0.00002 |
| | (0.00004) | (0.00003) | (0.00002) | (0.00003) | (0.00002) | (0.00001) |
| Dates after Inspect | 0.00001∗∗ | 0.00001∗∗ | 0.00001∗∗ | 0.00001∗∗ | 0.00001∗∗ | 0.00000∗∗ |
| | (0.00001) | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| In Person Visits | 0.00065∗ | 0.00023 | 0.00006 | 0.00054∗ | 0.00015 | -0.00001 |
| | (0.00038) | (0.00029) | (0.00019) | (0.00030) | (0.00024) | (0.00014) |
| Digital Tran | 0.00061∗∗∗ | 0.00033∗ | -0.00001 | 0.00046∗∗∗ | 0.00022 | -0.00001 |
| | (0.00019) | (0.00017) | (0.00010) | (0.00014) | (0.00014) | (0.00007) |
| Num Tran | 0.00000 | 0.00002 | -0.00000 | -0.00000 | 0.00002∗ | -0.00000 |
| | (0.00002) | (0.00001) | (0.00001) | (0.00001) | (0.00001) | (0.00001) |
| Date Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Observations | 263,013 | 263,013 | 263,013 | 263,013 | 263,013 | 263,013 |
| R-squared | 0.0178 | 0.0112 | 0.0132 | 0.0176 | 0.0111 | 0.0127 |
Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.

Table A.10 Full Results of Effects of Internal and External Inspections on the Top Three Types of Risk Events

| Variables | (1) If Error: Operation Failure | (2) If Error: Verification Failure | (3) If Error: Interest Rate or Maturity Issue | (4) log(Num Errors): Operation Failure | (5) log(Num Errors): Verification Failure | (6) log(Num Errors): Interest Rate or Maturity Issue |
|---|---|---|---|---|---|---|
| Sum Int Inspect | -0.00012∗∗∗ | -0.00006∗∗ | -0.00001 | -0.00008∗∗ | -0.00004∗ | -0.00001 |
| | (0.00004) | (0.00003) | (0.00002) | (0.00003) | (0.00002) | (0.00001) |
| Dates after Int Inspect | -0.00000 | -0.00000 | 0.00000 | -0.00000 | 0.00000 | 0.00000 |
| | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| Sum Ext Inspect | -0.00004 | -0.00004 | -0.00015∗∗∗ | -0.00002 | -0.00003 | -0.00013∗∗∗ |
| | (0.00008) | (0.00005) | (0.00005) | (0.00006) | (0.00004) | (0.00004) |
| Dates after Ext Inspect | 0.00002∗∗∗ | 0.00001∗∗ | 0.00000 | 0.00001∗∗∗ | 0.00001∗∗ | 0.00000 |
| | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) | (0.00000) |
| In Person Visits | 0.00047 | 0.00014 | 0.00002 | 0.00041 | 0.00011 | -0.00001 |
| | (0.00036) | (0.00030) | (0.00017) | (0.00029) | (0.00025) | (0.00013) |
| Digital Tran | 0.00030 | 0.00019 | -0.00003 | 0.00024∗ | 0.00013 | -0.00002 |
| | (0.00018) | (0.00019) | (0.00008) | (0.00014) | (0.00015) | (0.00006) |
| Num Tran | 0.00002 | 0.00003∗∗ | -0.00001 | 0.00001 | 0.00002∗∗ | -0.00000 |
| | (0.00002) | (0.00001) | (0.00001) | (0.00001) | (0.00001) | (0.00001) |
| Date Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Employee Fixed Effects | Yes | Yes | Yes | Yes | Yes | Yes |
| Observations | 253,218 | 253,218 | 253,218 | 253,218 | 253,218 | 253,218 |
| R-squared | 0.0177 | 0.0114 | 0.0130 | 0.0174 | 0.0112 | 0.0125 |
Note. Robust standard errors are given in parentheses. ∗ p < 0.1; ∗∗ p < 0.05; ∗∗∗ p < 0.01.
