2/10/17 - Banks Confront the Challenge of Assessing Operational Risks
Home > News & Insights > Insights & Publications

2/10/17 - Banks Confront the Challenge of Assessing Operational Risks

With the increasing occurrence of events that highlight banks’ operational risks, financial institutions are under pressure to measure, monitor, and manage these risks effectively. According to the Basel Committee on Banking Supervision’s Basel II framework, which still stands as key guidance on the subject: “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.” That broad definition poses a major challenge to banks, as they try to identify and measure their operational risks — which encompass threats as varied as card fraud, cyberattacks, natural disasters, and illegal sales practices. And financial institutions more and more use scenario analysis to assess and manage the disparate operational risks they face.

Banks of all sizes recognize the importance of monitoring their levels of operational risk and specific vulnerabilities, to guard themselves against severe, and potentially catastrophic, operational losses. Institutions draw on applicable regulations and supervisory guidance and their own internal subject-matter expertise to determine appropriate ways of monitoring, quantifying, and tracking operational risk and losses. Financial firms and their regulators consider regular stress-testing exercises as an essential tool for managing operational risks.

Unlike market, credit, and other major risk types, operational risk does not have a definitive correlation to the macroeconomic environment. For example, a hurricane that damages a physical asset is not caused by the macroeconomic environment in the area. Stress tests that encompass operational risk must therefore consider scenarios beyond the macroeconomic conditions offered by the regulatory agencies in exercises such as Dodd-Frank Act stress tests and the Federal Reserve’s Comprehensive Capital Analysis and Review.

Forward-thinking institutions can implement operational-risk frameworks that rely on relevant historical data — derived from internal and external sources — and perform scenario analysis focused on the key risks they face, to assess exposures to operational risk and develop meaningful mitigation plans.

Categorizing Data on Operational Losses

Analyzing operational risk depends on the availability of historical data on operational losses. Financial institutions track the majority of their operational losses in a series of accounts on the general ledger, but the information may not be granular enough or easy to analyze.

A key first step for effectively managing operational risks is determining how to categorize the loss data. To en-sure consistency in how banks categorize unstructured data derived from their general-ledger accounts, the BCBS identified seven types of operational loss:

  • Internal fraud
  • External fraud
  • Employment practices and workplace safety
  • Clients, products, and business practices
  • Damage to physical assets
  • Business disruption and system failures
  • Execution, delivery, and process management

Since the Basel II framework was introduced, institutions of all sizes have used these categories to identify the operational risks to which they are most vulnerable (and also determine what types of operational risk data are hardest to track). A financial firm can then use the operational-risk data it collects and categorizes to develop hypothetical scenarios — for stress-testing purposes — that most closely fit the firms’ profile and circumstances.

Scenario Analysis

Firms that take an active approach to measuring, monitoring, and managing operational risks find that work-shops are an effective tool for conducting scenario analysis. These workshops, in which subject-matter experts consult with representatives from across business lines, help firms design scenarios — often quite severe — that take into account the idiosyncrasies known to the institution. The participants calibrate each operational-risk scenario with a range of severities that allow firms to make adjustments for the adverse and severely adverse scenarios used in DFAST and CCAR.

Workshops for Analyzing Operational-Risk Scenarios

Operational Risk Graphic

These workshops — which allow banks to simulate realistic idiosyncratic events and estimate associated operational losses — rely heavily on management judgment and cannot predict exact losses in given scenarios. But the exercise forms a key part of banks’ strategy for managing operational risks and demonstrates a deliberate approach useful to bankers and encouraged by their regulators.

All scenarios considered in the workshop should be:

  • Plausible: Scenarios should be realistic
  • Relevant: Scenarios should be designed specifically for the institution’s operations
  • Complete: Scenarios should contemplate the full impact on the bank
  • Reportable: The outcome should lead to a clearly identifiable set of stressed risk factors to facilitate reporting

Holding these workshops at least once a year gives an institution regular opportunities to reevaluate its operational risks and ensure that the scenarios chosen remain relevant.


Scenario analysis also helps institutions develop, or reaffirm confidence in, their control structures. Firms can use the process of designing hypothetical operational-loss events and estimating their impact to assess the quality of their controls. And banks will most often design scenarios they have never actually experienced — an exercise in contemplating hypothetical situations that helps them accurately identify weaknesses and deficiencies in their controls.


Firms can use the output of their stress-testing activities to develop and maintain strong frameworks for managing operational risk — and also make significant operational improvements. As operational risks evolve, so too do regulatory expectations for how an institution monitors and mitigates these risks. By implementing an effective operational-risk framework, and making regular use of scenario-analysis workshops, institutions can carry out comprehensive assessments of their operational-risk controls and locate any vulnerabilities. Firms that demonstrate initiative in monitoring and managing operational risk will safeguard their earnings and help themselves meet regulatory expectations

How We Can Help

Institutions of any size can implement comprehensive frameworks for operational risk by using historical data to develop a strong understanding of their specific operational risks. Promontory, an IBM Company, advises clients on collecting and categorizing their unstructured data and on developing relevant stress-testing scenarios. We help firms perform this exercise in an efficient manner that saves time and money, while producing a scalable and effective framework.

Promontory has assisted institutions with all aspects of this process, including:

  • Designing and leading scenario-analysis workshops
  • Documenting the methodology used to quantify operational risk in DFAST or CCAR
  • Identifying issues with operational-loss data
  • Recommending and implementing processes for collecting and storing operational-loss data

Contact Promontory

Please contact Promontory to discuss how we help financial institutions use stress testing and scenario analysis to measure and manage their operational risks.

David Samuels
Managing Director
+1 212 542 6776