A comprehensive explainer of the operational risk capital framework — covering the historical approaches, the CRR III Standardised Approach, the seven loss event categories, governance, RCSA, KRIs, scenario analysis, and the Irish bank context.
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or from external events. It includes legal risk but excludes strategic and reputational risk. Unlike credit or market risk, operational risk cannot be eliminated by diversification — it is present in every business activity a bank undertakes.
The Basel III definition covers four sources: failures by people (fraud, errors, misconduct), failures in processes (inadequate controls, system failures), system failures (IT outages, cyber attacks), and external events (natural disasters, crime, regulatory changes). Legal risk — the risk of fines and litigation — is explicitly included.
For many retail banks, operational risk is the third-largest capital charge after credit and market risk — and for some, the largest single Pillar 1 charge. For Irish banks, conduct risk (tracker mortgage scandal, payment protection), IT risk, and financial crime risk have driven very material operational losses and regulatory fines over the past decade.
Unlike credit losses (which follow relatively predictable default patterns), operational risk losses are fat-tailed — dominated by rare, catastrophic events. A bank can have a decade of small operational losses followed by a single €500m IT failure or regulatory fine. This makes historical averaging a poor basis for capital, and is why Basel introduced increasingly sophisticated measurement approaches.
| Feature | Credit Risk | Market Risk | Operational Risk |
|---|---|---|---|
| Primary driver | Borrower default | Price / rate movements | Internal failures and external events |
| Loss distribution | Moderately fat-tailed; correlated with macro cycle | Symmetric around zero; driven by volatility | Highly fat-tailed; dominated by rare extreme events; low frequency / high severity |
| Can be diversified? | Partially — across geographies and sectors | Partially — hedging available | Not easily — IT risk and conduct risk present across all business lines |
| Capital approach | SA or IRB models | Standardised or IMA | BIA / TSA / AMA → CRR III New SA from 2025 |
| Key Irish driver | Mortgage defaults, SME credit cycles | Interest rate risk (trackers) | Tracker mortgage scandal, IT outages, financial crime |
Operational risk capital requirements have evolved through three generations since Basel II in 2004. Each generation attempted to better reflect actual operational risk but each also had material weaknesses — ultimately leading to the wholesale replacement of all three with a single New Standardised Approach under CRR III.
Basic Indicator Approach (BIA): Capital = 15% × average gross income over 3 years. The simplest possible approach — no distinction between business lines, no recognition of control quality, no use of loss data. Banks with negative gross income in any year excluded those years from the average.
The Standardised Approach (TSA): Capital = sum of (gross income per business line × prescribed beta factor). Eight business lines with beta factors ranging from 12% to 18%. The Alternative Standardised Approach (ASA) allowed retail and commercial banking to use loans and advances instead of gross income.
Advanced Measurement Approach (AMA): Banks built internal models using internal loss data, external loss data, scenario analysis, and business environment factors to estimate a Value-at-Risk style capital requirement at 99.9% confidence. Significant capital reduction was available for banks with strong data and controls.
Under the old TSA, eight business lines each had a prescribed capital factor (beta). While this approach is phased out under CRR III, the business line concept persists in how banks organise their operational risk taxonomy.
| Business Line | Beta Factor | Rationale |
|---|---|---|
| Corporate Finance | 18% | High operational complexity; transaction risk; adviser liability |
| Trading & Sales | 18% | High technology dependence; rogue trading risk; market conduct risk |
| Retail Brokerage | 12% | Lower complexity per transaction; but high volume |
| Commercial Banking | 15% | Lending process risk; documentation failures; collateral errors |
| Retail Banking | 12% | High volume; conduct risk; fraud; but lower per-event severity |
| Payment & Settlement | 18% | System criticality; very high transaction volume; settlement failure risk |
| Agency Services | 15% | Custody and fiduciary responsibilities; client asset risk |
| Asset Management | 12% | Investment error; mandate breach; valuation failures |
The New Standardised Approach (New SA), effective from 1 January 2025 under CRR III, replaces BIA, TSA, and AMA with a single mandatory approach for all banks. It has two components: the Business Indicator Component (BIC), which measures bank size and activity, and — for large banks — an Internal Loss Multiplier (ILM) that adjusts capital based on actual loss experience.
The Business Indicator (BI) combines three components from the bank's P&L, each designed to capture a different dimension of operational risk exposure: the interest, leases and dividend component (ILDC), the services component (SC), and the financial component (FC). All figures use a 3-year average.
The BIC applies marginal rates to the BI across three buckets. Larger banks face higher marginal rates — reflecting that operational risk scales non-linearly with size (very large banks have disproportionately large operational losses from a small number of tail events).
| Bucket | BI Range | Marginal Rate | ILM Applies? | Irish Bank Applicability |
|---|---|---|---|---|
| Bucket 1 | ≤ €1bn | 12% | No — ILM = 1.0 (fixed) | Smaller Irish banks, credit unions, non-bank lenders. PTSB borderline. |
| Bucket 2 | €1bn – €30bn | 15% on portion above €1bn (plus 12% × €1bn) | Yes — ILM applied to full BIC | Most mid-size European banks. AIB and BOI may straddle Buckets 2/3 depending on year. |
| Bucket 3 | > €30bn | 18% on portion above €30bn (plus lower bucket calculations) | Yes — ILM applied to full BIC | Large global banks. AIB and BOI close to but typically below this threshold. |
The ILM adjusts the BIC based on whether the bank's actual loss experience is higher or lower than the BIC implies. It is calculated from the Loss Component (LC), which is 15× the average annual operational risk loss over the past 10 years (including tail events), as ILM = ln(e − 1 + (LC / BIC)^0.8), floored at 1.0.
Basel III defines seven mutually exclusive loss event type categories. Every operational risk loss must be classified into one of these categories. The categories drive the bank's loss database, RCSA taxonomy, scenario analysis, and regulatory reporting — making consistent classification essential.
Category 1 (Internal fraud). Irish context: Tracker mortgage manipulation — where bank staff altered mortgage records or failed to restore tracker rates in breach of contractual obligations — has elements of this category, depending on whether individual intent is established.
Category 2 (External fraud). Irish context: Mortgage fraud was significant during the Celtic Tiger period — inflated valuations, straw purchasers, and falsified income documentation. Cyber-enabled fraud has grown substantially post-2020.
Category 3 (Employment practices and workplace safety). Typically low severity for banks relative to other categories, but can generate significant legal costs on a cumulative basis. Irish employment legislation (Unfair Dismissals Acts, Employment Equality Acts) creates specific exposure.
Category 4 (Clients, products and business practices). Irish context: This is the most material operational risk category for Irish banks. The tracker mortgage examination, PPI mis-selling, and overcharging scandals all fall here. Cumulative losses and remediation costs across Irish banks from Category 4 events since 2015 run to several billion euros.
Category 5 (Damage to physical assets). Typically low frequency for Irish banks in normal conditions, but climate-related flooding risk is increasing and is increasingly prominent in scenario analysis and insurance programmes.
Category 6 (Business disruption and system failures). Irish context: IT outages have been a recurring and publicly visible operational risk event at Irish banks — Ulster Bank/NatWest (2012, €175m loss), AIB and PTSB payment processing failures. The ECB has significantly increased supervisory focus on IT and cyber resilience through TIBER-EU exercises and DORA (Digital Operational Resilience Act).
Category 7 (Execution, delivery and process management). High frequency, typically lower severity — this category generates the most individual loss events but usually at low individual amounts. Collectively material and an indicator of underlying process quality. AML failures (inadequate KYC) can escalate to Category 4 or Category 2 through regulatory fines.
A credible operational risk loss database is the foundation of the New SA capital calculation and of sound risk management more broadly. Without reliable historical loss data, the ILM cannot be calculated, scenario analysis lacks calibration, and management has no empirical basis for understanding where risk is concentrated.
| Requirement | Detail | CRR III / EBA Standard |
|---|---|---|
| Minimum observation period | At least 10 years of internal loss data required for the ILM calculation. Banks transitioning from AMA that previously held 5 years of data must build to 10 years. | 10 years — CRR III Art. 317 |
| Capture threshold | All operational risk losses above a gross threshold must be captured. EBA standard threshold is €10,000 gross; banks may use a lower threshold internally. | €10,000 gross minimum — EBA RTS |
| Required data fields | Date of event, date of discovery, date of accounting (can differ materially for legal events), gross loss, recoveries (insurance, legal), net loss, loss event category, business line, cause description, status (open/closed) | EBA GL on internal governance |
| Boundary events | Events that occur at the boundary between operational and credit risk — e.g. fraud-induced credit loss — must be classified consistently. Typically captured in both databases with a flag. | National discretion; EBA guidance |
| Near-miss events | Events where a loss was averted through chance or a control that functioned fortuitously. Not included in the formal capital calculation but essential for risk management and RCSA calibration. | Best practice; not mandatory for ILM |
Internal loss data alone is insufficient for calibrating tail risk — a bank may not have experienced a €500m cyber event in its own history, but this does not mean the risk doesn't exist. External loss data from industry consortia fills this gap.
ORX is the primary industry consortium for sharing anonymised operational risk loss data. Members (including AIB and BOI) submit their loss events above €20,000 to the pooled database and receive back anonymised aggregate statistics. This allows banks to calibrate their tail risk models against industry-wide experience rather than solely their own history.
ORX publishes annual reports on industry-wide loss trends and maintains separate reference databases for specific risk topics (cyber, conduct). As at 2024, ORX has collected over 700,000 loss events totalling more than €600bn in gross losses from member banks globally.
External data from ORX or publicly reported losses requires careful scaling before use. A €500m rogue trading loss at a global investment bank is not directly applicable to an Irish retail bank's operational risk capital calculation — the activities and control environments differ materially.
Identification and capture: The operational risk event is identified — either at the time it occurs (e.g. a payment error is caught immediately) or later (e.g. a mis-selling issue discovered during a customer complaint review years after the product sale). The event is entered into the loss database once it meets the capture threshold.
Classification and root cause analysis: The event is classified into one of the seven loss event categories and assigned to a business line and risk sub-type. Root cause analysis is conducted to identify whether the event reflects a people failure (individual error/misconduct), process failure (inadequate control), system failure, or external cause. Root cause drives the remediation response.
Quantification: The gross loss is estimated — for conduct events this may involve provisioning for a customer remediation programme that unfolds over years. Insurance recoveries and any direct recoveries from third parties are tracked separately. The net loss (gross minus recoveries) feeds the ILM calculation. Where a final loss amount cannot be determined, a provisioned estimate is used.
Escalation and reporting: Material events are escalated to the ORCC (Operational Risk and Compliance Committee) and potentially the Board Risk Committee. Events above a reporting threshold — typically €1m–€5m depending on bank policy — require ECB notification under the SSM's incident reporting framework. Cyber incidents may also trigger separate DORA reporting obligations.
Remediation and closure: Control gaps identified through root cause analysis are addressed through action plans with assigned owners and target dates. The event remains open in the loss database until all financial impacts are finalised and the remediation action plan is complete. The remediated event then informs future RCSA assessments and scenario analysis calibration.
Effective operational risk management requires a robust governance structure — the Three Lines of Defence model — alongside clear escalation frameworks, Board-level oversight, and integration of operational risk into strategic decision-making. Poor governance, not inadequate capital, has been the root cause of most major Irish bank operational failures.
First line of defence: Every business unit owns its operational risk. The first line identifies, assesses, manages, and monitors operational risks in its own activities. Risk and Control Self-Assessments (RCSAs), Key Risk Indicators (KRIs), and loss event reporting are primarily first-line activities. Business line managers are accountable for maintaining effective controls — not the risk function. In Irish banks, the 2014 CBI Fitness & Probity regime reinforced individual accountability at senior levels.
Second line of defence: The Operational Risk function (typically within the CRO organisation) sets the framework — the taxonomy, methodology, reporting standards, and capital model. It provides independent challenge to first-line risk assessments, maintains the loss database, runs scenario analysis, and reports to the Board Risk Committee. Compliance sits alongside OpRisk in the second line, covering conduct, AML/CFT, and regulatory change risk. The ECB supervises both functions through onsite inspections.
Third line of defence: Internal Audit provides independent periodic assurance over the entire operational risk management framework — including the adequacy of first-line controls, the objectivity of second-line assessments, and the integrity of the loss database and capital model. It reports to the Audit Committee. External auditors also review aspects of the OpRisk framework as part of the statutory audit. ECB onsite inspections of operational risk serve as a supervisory equivalent to third-line review.
| Body | Composition | OpRisk Responsibilities | Frequency |
|---|---|---|---|
| Board Risk Committee (BRC) | Non-executive directors; independent risk expertise required | Approves OpRisk appetite; receives material loss event reports; reviews RCSA outputs; challenges second and third line assessments; approves OpRisk capital model | Quarterly minimum |
| Operational Risk & Compliance Committee (ORCC) | CRO, CFO, COO, Compliance, Legal, IT, business line heads | Reviews loss events above threshold; approves RCSA; monitors KRI breaches; oversees remediation plans; escalates to BRC; approves scenario analysis assumptions | Monthly |
| IT & Cyber Risk Committee | CIO, CISO, COO, CRO; often a sub-committee of ORCC | IT risk appetite; cyber incident response; technology change risk; DORA compliance; TIBER exercise governance | Monthly |
| Business Line RCSAs | Business line heads; risk partners from second line | Identify and assess material risks; rate inherent and residual risk; agree control improvements; feed ORCC reporting | Annual (refresh quarterly) |
RCSA is the primary forward-looking tool for identifying and assessing operational risk before it materialises into a loss. KRIs provide ongoing quantitative signals of changing risk levels between formal RCSA cycles. Together they form the backbone of the bank's day-to-day operational risk management.
Risk identification: The business unit catalogues all significant operational risks in its activities using the bank's agreed risk taxonomy (typically aligned to the seven Basel categories and further decomposed into sub-types). The OpRisk function facilitates but does not perform this step — business ownership is essential.
Inherent risk assessment: For each identified risk, the business assesses the inherent risk — the risk level assuming no controls exist. This is assessed on two dimensions: likelihood (how often would this event occur without controls?) and impact (what would the financial or non-financial consequence be?). The combination gives an inherent risk rating (typically Low / Medium / High / Critical).
Control assessment: For each identified risk, the existing controls are documented and rated for their effectiveness (design adequacy) and operation (are they actually working?). A control that is well designed but not consistently operated is rated as partially effective. Control ratings drive the gap between inherent and residual risk.
Residual risk assessment: Residual risk = inherent risk adjusted for control effectiveness. A High inherent risk with Strong controls might reduce to Medium residual. A Low inherent risk with Weak or absent controls might remain at its inherent level or increase.
Comparison to appetite and action planning: Residual risk ratings are compared to the board-approved risk appetite. Where residual risk exceeds appetite, a control improvement action plan is required with a named owner and target date. Material gaps are escalated to the ORCC. The RCSA output feeds scenario analysis calibration and informs the capital model.
KRIs are quantitative metrics that track the level of operational risk on an ongoing basis — providing early warning signals of deteriorating risk positions between RCSA cycles. A KRI breach should trigger investigation and management action before a loss event occurs.
| Risk Area | Example KRI | Green Threshold | Amber Threshold | Red — Action Required |
|---|---|---|---|---|
| IT Availability | Core banking system uptime (%) | >99.95% | 99.90–99.95% | <99.90% — Incident escalation |
| Cyber Security | Unresolved critical vulnerabilities (>30 days) | 0 | 1–3 | >3 — CRO escalation |
| Fraud | Payment fraud loss rate (€ per €m transactions) | <€0.50 | €0.50–€1.00 | >€1.00 — Fraud team review |
| Conduct | Customer complaint uphold rate (%) | <15% | 15–25% | >25% — Product review triggered |
| AML/CFT | Backlog of unreviewed transaction alerts (>3 days) | <200 | 200–500 | >500 — Resourcing escalation |
| Staff | Mandatory training completion rate (%) | >98% | 95–98% | <95% — HR escalation |
| Payments | Failed / reversed payment rate (%) | <0.05% | 0.05–0.10% | >0.10% — Operations review |
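The following is an added example, not code from the original page or from any bank's risk system. It encodes the green / amber / red thresholds from the KRI table above and rates a constructed set of month-end readings, handling the fact that some indicators deteriorate as they rise (backlogs, loss rates) while others deteriorate as they fall (uptime, training completion). The amber action text is an assumption of the example; the table itself prescribes actions only for red.

```python
"""Added example (not the page's own code): rating KRI readings against the
green / amber / red thresholds in the KRI table. All readings are constructed."""
from dataclasses import dataclass
from enum import IntEnum


class Rag(IntEnum):
    GREEN = 0
    AMBER = 1
    RED = 2


@dataclass(frozen=True)
class Kri:
    name: str
    amber: float            # boundary where green turns amber
    red: float              # boundary beyond which the reading is red
    higher_is_worse: bool   # True for backlogs and loss rates, False for uptime / completion
    red_action: str         # escalation named in the table's "Red" column

    def rate(self, value: float) -> Rag:
        """Map one reading to a RAG status. Amber is inclusive of both boundaries,
        matching ranges such as '99.90-99.95%' or '1-3' in the table."""
        if self.higher_is_worse:
            if value > self.red:
                return Rag.RED
            return Rag.AMBER if value >= self.amber else Rag.GREEN
        if value < self.red:
            return Rag.RED
        return Rag.AMBER if value <= self.amber else Rag.GREEN


# Thresholds transcribed from the page's KRI table (keys are this example's own names)
KRIS = {
    "it_uptime_pct": Kri("Core banking system uptime (%)", 99.95, 99.90, False, "Incident escalation"),
    "critical_vulns_over_30d": Kri("Unresolved critical vulnerabilities (>30 days)", 1, 3, True, "CRO escalation"),
    "fraud_loss_per_m": Kri("Payment fraud loss rate (EUR per EUR m)", 0.50, 1.00, True, "Fraud team review"),
    "complaint_uphold_pct": Kri("Customer complaint uphold rate (%)", 15, 25, True, "Product review triggered"),
    "aml_alert_backlog": Kri("Unreviewed transaction alerts (>3 days)", 200, 500, True, "Resourcing escalation"),
    "training_completion_pct": Kri("Mandatory training completion rate (%)", 98, 95, False, "HR escalation"),
    "failed_payment_pct": Kri("Failed / reversed payment rate (%)", 0.05, 0.10, True, "Operations review"),
}


def evaluate(readings: dict) -> dict:
    """Rate every reading; an unknown KRI key raises rather than silently passing."""
    return {key: KRIS[key].rate(value) for key, value in readings.items()}


def breaches(readings: dict) -> list:
    """Non-green KRIs, worst first, each with the action the table prescribes for red.
    The amber action string is an assumption of this example, not from the page."""
    out = []
    for key, rag in evaluate(readings).items():
        if rag is Rag.GREEN:
            continue
        action = KRIS[key].red_action if rag is Rag.RED else "Investigate before next cycle"
        out.append((key, readings[key], rag, action))
    out.sort(key=lambda item: (-int(item[2]), item[0]))
    return out


# Constructed month-end readings for a hypothetical bank
SAMPLE_READINGS = {
    "it_uptime_pct": 99.93,
    "critical_vulns_over_30d": 5,
    "fraud_loss_per_m": 0.35,
    "complaint_uphold_pct": 27.0,
    "aml_alert_backlog": 420,
    "training_completion_pct": 99.1,
    "failed_payment_pct": 0.05,
}

if __name__ == "__main__":
    for key, value, rag, action in breaches(SAMPLE_READINGS):
        print(f"{rag.name:5} {KRIS[key].name}: {value} -> {action}")
```

Boundary values are deliberately treated as amber in both directions, so a reading that sits exactly on a threshold is never quietly rated green; reversing that choice is a policy decision that should be documented in the KRI methodology.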
Scenario analysis estimates potential losses from plausible but severe operational risk events that either have not occurred at the bank historically or where the historical record understates the tail risk. It is particularly important for low-frequency / high-severity events where internal loss data is sparse.
Scenario selection: Material risk scenarios are selected based on RCSA outputs (high residual risk areas), external loss data (large industry losses that could apply to the bank), regulatory guidance (ECB/EBA prescribed scenarios), and emerging risk trends. Typically 10–20 material scenarios are maintained covering the major risk categories. For Irish banks, cyber attack, conduct mis-selling, and payment system outage are typically in scope.
Expert estimation: For each scenario, subject matter experts (IT heads, compliance officers, business line heads, legal) estimate the probability and severity. Structured workshops are facilitated by the OpRisk team. Experts are asked to estimate the frequency of the event and the potential financial impact at defined percentiles (e.g. P50 and P99 of the conditional loss distribution). External data is used to anchor estimates and challenge optimism bias.
Distribution fitting: The expert estimates are used to fit a statistical loss distribution for each scenario — typically a lognormal or Pareto distribution reflecting the fat-tailed nature of operational losses. The distribution produces an expected loss (used for provisioning calibration) and a VaR/CVaR estimate at 99.9% confidence (used to challenge the capital adequacy of the New SA output).
Governance and challenge: Scenario outputs must be approved by the ORCC and reviewed by the BRC at least annually. The OpRisk team provides independent challenge to expert estimates — anchoring to external data, identifying anchoring or optimism bias, and ensuring scenarios are severe enough to be informative. The ECB scrutinises scenario analysis quality as part of SREP and onsite model inspections.
Reconciliation to capital: Scenario outputs are compared to the Pillar 1 capital requirement. Where the scenario analysis suggests the 99.9th percentile loss materially exceeds the New SA capital, the bank must either document why the capital is nonetheless adequate or reflect the gap in a Pillar 2 add-on (ICAAP). The ECB expects explicit reconciliation between scenario results and capital adequacy.
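The scenario workflow described above, carried through in code as an added example (this is not the page's model or any bank's own): a lognormal severity distribution is fitted from expert P50 and P99 estimates, a Poisson-frequency Monte Carlo produces the annual aggregate loss with its 99.9% VaR and CVaR, and the result is reconciled against a Pillar 1 figure to size a Pillar 2 add-on. The scenario parameters, the seed and the Pillar 1 amount are constructed; the standard normal quantiles are the usual constants.

```python
"""Added example (not the page's own model): fitting a lognormal severity from
expert P50 / P99 estimates, simulating annual loss with Poisson frequency, and
reconciling the 99.9% result against Pillar 1 capital. Figures are EUR millions."""
import math
import random
from dataclasses import dataclass

Z_P99 = 2.3263478740    # standard normal quantile at 99%
Z_P999 = 3.0902323062   # standard normal quantile at 99.9%


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_frequency: float  # expert estimate: expected events per year
    p50_loss: float          # median loss given that the event occurs
    p99_loss: float          # 99th percentile loss given that the event occurs


def lognormal_params(p50: float, p99: float) -> tuple:
    """(mu, sigma) of a lognormal whose median is p50 and 99th percentile is p99."""
    if not 0 < p50 < p99:
        raise ValueError("need 0 < P50 < P99")
    mu = math.log(p50)
    sigma = (math.log(p99) - math.log(p50)) / Z_P99
    return mu, sigma


def severity_stats(s: Scenario) -> dict:
    """Closed-form expected severity (provisioning input) and the 99.9% severity quantile."""
    mu, sigma = lognormal_params(s.p50_loss, s.p99_loss)
    expected = math.exp(mu + sigma ** 2 / 2)
    return {
        "sigma": sigma,
        "expected_severity": expected,
        "severity_var_999": math.exp(mu + sigma * Z_P999),
        "expected_annual_loss": s.annual_frequency * expected,
    }


def _poisson(lam: float, rng: random.Random) -> int:
    """Knuth's inversion sampler; adequate for the small frequencies scenarios use."""
    limit, k, p = math.exp(-lam), 0, rng.random()
    while p > limit:
        k += 1
        p *= rng.random()
    return k


def simulate_annual_loss(s: Scenario, years: int = 100_000, seed: int = 7) -> dict:
    """Monte Carlo of the annual aggregate loss: a Poisson number of events per year,
    each with lognormal severity. Returns expected annual loss, VaR and CVaR at 99.9%."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(s.p50_loss, s.p99_loss)
    annual = []
    for _ in range(years):
        n = _poisson(s.annual_frequency, rng)
        annual.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n)))
    annual.sort()
    cut = math.ceil(0.999 * years) - 1
    tail = annual[cut:]
    return {
        "expected_annual_loss": sum(annual) / years,
        "var_999": annual[cut],
        "cvar_999": sum(tail) / len(tail),
    }


def capital_reconciliation(scenario_var_999: float, pillar1_orc: float) -> dict:
    """Excess of the scenario 99.9% loss over Pillar 1 capital: the amount the bank must
    either justify as covered or carry as a Pillar 2 (ICAAP) add-on."""
    gap = max(scenario_var_999 - pillar1_orc, 0.0)
    return {"scenario_var_999": scenario_var_999, "pillar1_orc": pillar1_orc, "pillar2_addon": gap}


# Constructed scenario, within the range the scenario table gives for a cyber attack
CYBER = Scenario("Systemic cyber attack on core banking",
                 annual_frequency=0.1, p50_loss=100.0, p99_loss=500.0)

if __name__ == "__main__":
    print(severity_stats(CYBER))
    mc = simulate_annual_loss(CYBER)
    print(mc)
    print(capital_reconciliation(mc["var_999"], pillar1_orc=300.0))   # constructed Pillar 1 figure
```

With a frequency of one event in ten years, the annual 99.9% VaR lands close to the conditional P99 loss rather than far above it, which is exactly why a scenario's frequency estimate deserves as much challenge as its severity estimate.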
| Scenario | Loss Category | Plausible Loss Range | Key Controls |
|---|---|---|---|
| Systemic cyber attack — core banking | Cat 6 (System failure) + Cat 2 (External fraud) | €100m – €500m | Network segmentation; backup & recovery; DORA; TIBER testing; cyber insurance |
| Large-scale conduct remediation | Cat 4 (Clients, products) | €200m – €1bn+ | Product governance framework; complaint monitoring; regular product reviews; regulatory engagement |
| AML/CFT regulatory fine | Cat 4 + Cat 7 (Execution failure) | €50m – €400m | AML transaction monitoring; KYC refresh programme; MLRO capacity; regulatory engagement |
| Payment system outage (>48 hours) | Cat 6 (System failure) | €20m – €100m | Business continuity; fallback payment routes; SEPA contingency; third-party SLA management |
| Major fraud by senior employee | Cat 1 (Internal fraud) | €10m – €200m | Four-eyes principle; segregation of duties; rotation policy; anomaly detection; whistleblowing |
| Critical third-party provider failure | Cat 6 + Cat 7 | €30m – €150m | DORA third-party risk management; contractual protections; concentration risk monitoring; exit plans |
Two illustrative Irish banks — a larger pillar bank with significant conduct losses and a smaller retail bank — showing the full New SA capital calculation including the ILM and the impact of a tail loss event on multi-year capital requirements.
| Step | Calculation | Result |
|---|---|---|
| Business Indicator (BI) | €2,800m (ILDC) + €800m (SC) + €200m (FC) | €3,800m |
| BIC — Bucket 1 portion | 12% × €1,000m | €120m |
| BIC — Bucket 2 portion | 15% × (€3,800m − €1,000m) = 15% × €2,800m | €420m |
| Total BIC | €120m + €420m | €540m |
| Loss Component (LC) | 15 × €180m average annual loss | €2,700m |
| ILM (pre-floor) | ln(e − 1 + (€2,700m / €540m)^0.8) = ln(e − 1 + 5.0^0.8) = ln(1.718 + 3.624) = ln(5.342) | 1.676 |
| ILM (floored at 1.0) | ILM pre-floor is 1.676 > 1.0 — floor does not apply here | 1.676 |
| ORC = BIC × ILM | €540m × 1.676 | €905m |
| Operational Risk RWA | €905m × 12.5 | €11,313m |
| CET1 capital required (13.5%) | €11,313m × 13.5% | €1,527m |
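The full chain in the worked example, as an added example that is not code from the page or from any bank: the Business Indicator is sliced through the three marginal buckets, the Loss Component is built from a constructed loss register using the 10-year window, the gross capture threshold and net-of-recovery losses from the loss database section, and the ILM, ORC, RWA and CET1 follow. The register also shows how a large conduct event rolls off the window in a later year, and a constructed Bucket 1 bank shows the fixed ILM of 1.0. The loss events, dates and the smaller bank's figures are all constructed.

```python
"""Added example (not the page's or any bank's own model): the CRR III New SA
operational risk capital chain from the worked example, with the Loss Component
built from a constructed loss register. Figures are EUR millions."""
import math
from dataclasses import dataclass
from datetime import date

# Marginal BIC rates per Business Indicator bucket, as on the page
BUCKET_RATES = [(1_000.0, 0.12), (30_000.0, 0.15), (math.inf, 0.18)]
BUCKET1_CEILING = 1_000.0   # ILM is fixed at 1.0 at or below this BI
LC_MULTIPLIER = 15.0        # Loss Component = 15 x average annual net loss
LOOKBACK_YEARS = 10         # CRR III minimum observation period
CAPTURE_THRESHOLD = 0.01    # EUR 10,000 gross, expressed in EUR m
RWA_SCALAR = 12.5


@dataclass(frozen=True)
class LossEvent:
    accounting_date: date    # the date that anchors the 10-year window
    gross: float
    recoveries: float = 0.0  # insurance / third-party recoveries, tracked separately
    category: int = 7        # Basel loss event type 1-7

    @property
    def net(self) -> float:
        return self.gross - self.recoveries


def business_indicator(ildc: float, sc: float, fc: float) -> float:
    """BI = ILDC + SC + FC, each already a 3-year average."""
    return ildc + sc + fc


def bic(bi: float) -> float:
    """Apply the marginal bucket rates to successive slices of the BI."""
    charge, lower = 0.0, 0.0
    for ceiling, rate in BUCKET_RATES:
        if bi <= lower:
            break
        charge += rate * (min(bi, ceiling) - lower)
        lower = ceiling
    return charge


def average_annual_loss(events, as_of_year: int) -> float:
    """Net losses accounted in the ten calendar years ending with as_of_year, divided
    by ten. Events under the gross capture threshold or outside the window are excluded."""
    first_year = as_of_year - LOOKBACK_YEARS + 1
    total = sum(e.net for e in events
                if e.gross >= CAPTURE_THRESHOLD
                and first_year <= e.accounting_date.year <= as_of_year)
    return total / LOOKBACK_YEARS


def ilm(lc: float, bic_value: float, bi: float) -> float:
    """Internal Loss Multiplier as in the worked example, floored at 1.0 and fixed
    at 1.0 for Bucket 1 banks."""
    if bi <= BUCKET1_CEILING:
        return 1.0
    raw = math.log(math.e - 1.0 + (lc / bic_value) ** 0.8)
    return max(raw, 1.0)


def new_sa_capital(ildc, sc, fc, avg_annual_loss, cet1_ratio=0.135) -> dict:
    """ORC = BIC x ILM; RWA = ORC x 12.5; CET1 at the page's 13.5% illustrative ratio."""
    bi = business_indicator(ildc, sc, fc)
    bic_value = bic(bi)
    lc = LC_MULTIPLIER * avg_annual_loss
    m = ilm(lc, bic_value, bi)
    orc = bic_value * m
    rwa = orc * RWA_SCALAR
    return {"BI": bi, "BIC": bic_value, "LC": lc, "ILM": m,
            "ORC": orc, "RWA": rwa, "CET1": rwa * cet1_ratio}


# Constructed loss register for a hypothetical pillar bank: steady run-rate losses,
# one large conduct remediation (category 4) that later rolls off the window,
# one pre-window event and one event under the capture threshold.
PILLAR_BANK_LOSSES = [LossEvent(date(y, 6, 30), 80.0) for y in range(2016, 2026)] + [
    LossEvent(date(2019, 12, 31), 1_100.0, recoveries=100.0, category=4),
    LossEvent(date(2013, 3, 1), 500.0, category=6),
    LossEvent(date(2024, 2, 2), 0.005),
]

if __name__ == "__main__":
    print(new_sa_capital(2_800, 800, 200, average_annual_loss(PILLAR_BANK_LOSSES, 2025)))
    print(new_sa_capital(2_800, 800, 200, average_annual_loss(PILLAR_BANK_LOSSES, 2030)))
    print(new_sa_capital(500, 150, 50, 12.0))   # constructed smaller bank, Bucket 1
```

Run against the 2025 window the register reproduces the worked example's €180m average and the ILM of 1.676; moving the reporting year to 2030 drops the conduct event out of the window and the ILM falls back towards the floor, which is the roll-off effect the Irish tracker section describes.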
Operational risk has dominated Irish bank headlines and regulatory agendas for the better part of a decade. The tracker mortgage scandal, systemic IT failures, AML deficiencies, and PPI mis-selling have generated some of the largest conduct and operational losses in Irish banking history — with direct capital and reputational consequences still unwinding.
The tracker mortgage examination, conducted by the Central Bank of Ireland from 2015 to 2022, is the largest operational risk event in Irish retail banking history. Banks — primarily AIB, Bank of Ireland, Ulster Bank, KBC, and PTSB — failed to honour contracted rights to tracker mortgage rates following the ECB rate cycle that ended tracker origination in 2008.
Banks stop offering new tracker mortgages as ECB rates fall and tracker books become loss-making. Many existing borrowers have contractual rights to return to tracker rates after fixed periods — rights that banks subsequently failed to honour.
Across all major Irish lenders, borrowers entitled to tracker rates were placed on standard variable rates (SVRs) instead — in some cases costing affected customers tens of thousands of euro in excess interest over years. Internal processes failed to flag the contractual obligation; some instances involved deliberate mis-classification of affected accounts.
The Central Bank formally commences the Tracker Mortgage Examination — an industry-wide review. Banks are required to identify, remediate, and compensate all affected customers. The examination encompasses over 40,000 affected accounts across the industry at peak.
The CBI issues record fines under the Administrative Sanctions Procedure: AIB €96.7m, Bank of Ireland €100.5m, Permanent TSB €21m, Ulster Bank €37.8m. These enforcement actions, combined with customer remediation costs, push tracker-related losses well above €1bn across the industry. Each bank's 10-year average annual operational loss is materially impacted for the duration of the lookback window.
Under the New SA ILM calculation, the tracker losses enter the 10-year average annual loss calculation and remain there for 10 years from the date of accounting. For banks that recognised the bulk of remediation costs in 2018–2022, the elevated ILM will persist until 2028–2032 — creating a structural capital headwind from a past conduct failure.
A software upgrade failure at NatWest/Ulster Bank in June 2012 left 600,000 Ulster Bank customers unable to access accounts for up to three weeks. The total cost including customer compensation, regulatory fine (FSA fine of £17.5m on RBS Group), and operational remediation exceeded €175m for the Irish operation. It remains the benchmark scenario for Category 6 (business disruption) loss estimation in Irish scenario analysis.
DORA (EU Regulation 2022/2554), effective January 2025, introduces binding requirements on ICT risk management, incident reporting, digital operational resilience testing (including TIBER-style red team exercises), and third-party ICT provider oversight. For Irish banks, DORA raises the governance bar for IT risk — all major ICT risks must feed the OpRisk framework, and critical third-party providers (cloud, payments infrastructure) face direct CBI oversight. DORA failures will attract operational risk losses in Category 6 and Category 7.
AIB: Largest operational risk capital charge among Irish banks, reflecting its balance sheet size (high BI), tracker remediation costs in the 10-year loss average (elevated ILM), and ongoing investment in IT resilience and AML systems. AIB was fined €96.7m by the CBI for tracker mortgage failures — the largest sanction imposed on an individual institution at the time of issue. Pillar 3 disclosures show OpRisk RWA of approximately €4–5bn, equivalent to ~10–12% of total RWA.
Bank of Ireland (BOI): Fined €100.5m by the CBI for tracker mortgage failures — the largest Irish financial sector fine at the time of issue. BOI's UK operations add cross-jurisdictional complexity: the PRA and FCA impose separate conduct and operational resilience requirements, with different DORA-equivalent frameworks (CBEST, STAR) applying to the UK book. BOI's investment in technology transformation creates change-related operational risk alongside the reduction of legacy system risk.
PTSB was fined €21m for tracker mortgage failures — smaller in absolute terms but significant relative to PTSB's capital base. PTSB's smaller IT infrastructure means proportionally lower Category 6 exposure, but its high dependence on a small number of core systems creates concentration risk in operational resilience. The acquisition of Ulster Bank's mortgage book in 2023 introduced integration risk — a Category 7 exposure that elevated PTSB's operational risk profile during the transition period.