On this page
Operational Risk: Losses from Processes, People, and Systems
Operational risk is the risk of loss from failed internal processes, people, systems, or external events. It is the residual that is not market risk and not credit risk, and for many large banks it now requires more capital than market risk does.
Key Takeaways
- Operational risk covers fraud, rogue trading, system failures, legal settlements, and cyber events, the Societe Generale rogue trading loss in 2008 exceeded $4.9 billion, and the JPMorgan London Whale cost over $6 billion.
- Basel's revised Standardised Approach calculates capital as Business Indicator Component × Internal Loss Multiplier; a worse-than-average loss history raises the multiplier and thus the capital charge.
- Cyber and technology risk now dominates operational loss tails in financial services but is often still reported separately from operational risk capital, creating a dangerous blind spot.
- Risk and control self-assessments where every control is rated effective are theater, a credible program has visible rating downgrades and active remediation plans with owners and dates.
Key Takeaways
- Operational risk covers fraud, rogue trading, system failures, legal settlements, and cyber events, the Societe Generale rogue trading loss in 2008 exceeded $4.9 billion, and the JPMorgan London Whale cost over $6 billion.
- Basel's revised Standardised Approach calculates capital as Business Indicator Component × Internal Loss Multiplier; a worse-than-average loss history raises the multiplier and thus the capital charge.
- Cyber and technology risk now dominates operational loss tails in financial services but is often still reported separately from operational risk capital, creating a dangerous blind spot.
- Risk and control self-assessments where every control is rated effective are theater, a credible program has visible rating downgrades and active remediation plans with owners and dates.
What It Is
The Basel Committee defines operational risk to include legal risk but exclude strategic and reputational risk. The scope therefore covers fraud, litigation and compliance failures, system outages, rogue trading, cyber events, processing errors, and external disasters.
Historic loss events make the concept concrete. The 1995 Barings collapse from an unmonitored futures desk, the 2008 Societe Generale rogue trading loss of roughly 4.9 billion euro, the 2012 JPMorgan London Whale loss of over 6 billion dollars, and the 2016 Bangladesh Bank SWIFT theft of 81 million dollars all sit in the operational risk category.
The Intuition
Market and credit risk are priced, modelled, and often hedged. Operational risk is mostly about what can go wrong inside the firm or to the firm. It is harder to model because the distribution is dominated by rare, large events (fat tails) and the data is firm-specific and sparse.
The goal of an operational risk framework is less about predicting the next 100-million-dollar event and more about building enough controls and resilience that the event, when it comes, is survivable and does not repeat.
How It Works
Basel's revised Standardised Approach (SA), published in BCBS d424, replaced the earlier Advanced Measurement Approach for regulatory capital. It calculates a Business Indicator Component (BIC), based on revenues and expenses scaled by a progressive coefficient, and multiplies it by an Internal Loss Multiplier (ILM) derived from the firm's own loss history.
Operational risk capital = BIC x ILM
BIC uses three income lines (Interest, Leases and Dividends; Services; Financial) summed and mapped to a marginal coefficient that rises with size. ILM adjusts up for firms with worse-than-average loss experience, floored at 1 unless a supervisor opts otherwise.
Behind the capital number, firms run a program with four main components:
- Loss data collection. Every event above a reporting threshold (commonly 10,000 or 20,000) goes into a database with categorisation by event type and business line.
- Risk and control self-assessment (RCSA). Business owners identify their top risks and score existing controls.
- Key Risk Indicators (KRIs). Quantitative metrics such as failed-trade rate, system uptime, or open audit findings, reviewed against thresholds.
- Scenario analysis. Facilitated workshops that estimate frequency and severity for plausible tail events that the loss database does not yet contain.
Worked Example
Consider a regional bank with 3 billion in annual business indicator, placing it in the middle bucket of the SA scale. Using the published marginal coefficients (12 percent on the first billion, 15 percent on the next) the BIC works out to roughly 420 million.
Its three-year average annual operational loss is 30 million, about 7.1 percent of BIC, above the 1.0 reference ratio. The Internal Loss Multiplier under the formula comes in around 1.15.
Operational risk RWA contribution = 420m x 1.15 x 12.5 = ~6.0 billion
That RWA figure, multiplied by the bank's CET1 ratio target, determines the capital set aside for operational risk alone. If the loss history improves, ILM falls toward 1 and capital follows.
Frequently Asked Questions
Q: What is operational risk in simple terms? Operational risk is the chance the firm loses money because something inside the business went wrong, a rogue trader, a system failure, a compliance breach, a cyber attack, rather than because markets moved against a position.
Q: How does operational risk affect investment decisions? For banks, Basel's capital rules require explicit capital against operational risk based on revenue size and loss history. A bank with a bad loss record pays more capital per dollar of revenue than a clean-record peer, directly affecting its return on equity and competitive position.
Q: What is a real-world example of operational risk? In 1995, Nick Leeson's unmonitored futures desk at Barings accumulated $1.4 billion in losses on Nikkei futures, which the bank could not absorb. The failure was not from a market bet going wrong, it was from the complete absence of independent oversight and position limits, a pure operational risk event.
Q: How can institutions manage operational risk effectively? Build a complete loss database, run scenario analysis on tail events (cyber breach, third-party failure) that have not yet occurred internally, and treat RCSAs as genuine risk conversations rather than compliance checkboxes. The program should surface real risk, not validate that controls are fine.
Q: How is operational risk different from market and credit risk? Market risk is the loss from prices moving against you. Credit risk is the loss from a borrower failing to repay. Operational risk is everything else, process breakdowns, technology failures, human error, and external events like fraud or physical disasters. It is harder to model because the loss distribution is dominated by rare, large events rather than a continuous return series.
Common Mistakes
-
Treating loss data as the whole picture. A young, fast-growing firm or business line may not yet have experienced its tail event. Relying only on internal losses understates risk. External loss databases (ORX, FIRST) and scenario analysis are the corrective.
-
Siloing cyber and technology risk. Large outages and cyber events now dominate loss tails in financial services, yet many firms still report them in a separate technology risk channel that never reconciles to the operational risk capital number. Supervisors increasingly expect integrated reporting.
-
RCSA theatre. Self-assessments where every control is rated effective and every residual risk is low serve no one. A credible program has challenge from independent risk, visible rating downgrades, and action plans with owners and dates.
-
Ignoring third-party and fourth-party exposure. Outsourcing a function does not outsource the risk. Vendor failures, including the vendors of your vendors, are operational risk to you. SR 14-1 and related guidance focus on resolution preparedness for exactly this reason.
-
Capital as the only answer. Buffers do not prevent events. A program that optimises for capital relief without investing in controls, monitoring, and resilience produces a bank that eventually needs the capital.
Sources
- Basel Committee on Banking Supervision. "Basel III: Finalising Post-Crisis Reforms, Operational Risk." BCBS d424. https://www.bis.org/bcbs/publ/d424.htm
- Basel Committee on Banking Supervision. "Principles for the Sound Management of Operational Risk." BCBS 195. https://www.bis.org/publ/bcbs195.htm
- Federal Reserve. "SR 14-1: Heightened Supervisory Expectations for Recovery and Resolution Preparedness for Large Banking Organizations." https://www.federalreserve.gov/supervisionreg/srletters/sr1401.htm
- Office of the Comptroller of the Currency. "Operational Risk Comptroller's Handbook." https://www.occ.treas.gov/publications-and-resources/publications/comptrollers-handbook/index-comptrollers-handbook.html
Disclaimer
This article is educational content only and is not financial advice. Nothing here is a recommendation to buy, sell, or hold any security. Consult a licensed advisor before making investment decisions.