This chapter sets out the standardised approach for calculating operational risk capital requirements.

This version has been removed on 05 Jun 2020 | View current version
Effective as of: 01 Jan 2023 | Last update: 27 Mar 2020
Status: (View changes)

Introduction

25.1

The standardised approach methodology is based on the following components:

(1)

the Business Indicator (BI) which is a financial-statement-based proxy for operational risk;

(2)

the Business Indicator Component (BIC), which is calculated by multiplying the BI by a set of regulatory determined marginal coefficients (αi); and

(3)

the Internal Loss Multiplier (ILM), which is a scaling factor that is based on a bank’s average historical losses and the BIC.

25.2

Operational risk capital requirements (ORC) are calculated by multiplying the BIC and the ILM, as shown in the formula below. Risk-weighted assets (RWA) for operational risk are equal to 12.5 times ORC.

Components of the standardised approach

25.3

The BI comprises three components: the interest, leases and dividend component (ILDC); the services component (SC), and the financial component (FC).

25.4

The BI is defined as:

25.5

ILDC, SC and FC are defined in the formulae below, where a bar above a term indicates that it is calculated as the average over three years: t, t-1 and t-2:1

1 Footnote
25.6

The definitions for each of the components of the BI are provided in OPE10.

25.7

To calculate the BIC, the BI is multiplied by the marginal coefficients (αi). The marginal coefficients increase with the size of the BI as shown in Table 1. For banks in the first bucket (ie with a BI less than or equal to €1bn) the BIC is equal to BI x 12%. The marginal increase in the BIC resulting from a one unit increase in the BI is 12% in bucket 1, 15% in bucket 2 and 18% in bucket 3.2

BI ranges and marginal coefficients

Table 1

Bucket

BI range (in €bn)

BI marginal coefficients (αi)

1

≤1

12%

2

1 < BI ≤30

15%

3

> 30

18%

1 Footnote
25.8

A bank’s internal operational risk loss experience affects the calculation of operational risk capital through the ILM. The ILM is defined as below, where the Loss Component (LC) is equal to 15 times average annual operational risk losses incurred over the previous 10 years:

25.9

The ILM is equal to one where the loss and business indicator components are equal. Where the LC is greater than the BIC, the ILM is greater than one. That is, a bank with losses that are high relative to its BIC is required to hold higher capital due to the incorporation of internal losses into the calculation methodology. Conversely, where the LC is lower than the BIC, the ILM is less than one. That is, a bank with losses that are low relative to its BIC is required to hold lower capital due to the incorporation of internal losses into the calculation methodology.

25.10

The calculation of average losses in the LC must be based on 10 years of high-quality annual loss data. The qualitative requirements for loss data collection are outlined in OPE25.14 to OPE25.34. As part of the transition to the standardised approach, banks that do not have 10 years of high-quality loss data may use a minimum of five years of data to calculate the LC.3 Banks that do not have five years of high-quality loss data must calculate the capital requirement based solely on the BIC. Supervisors may however require a bank to calculate capital requirements using fewer than five years of losses if the ILM is greater than 1 and supervisors believe the losses are representative of the bank’s operational risk exposure.

1 Footnote
25.11

For banks in bucket 1 (ie with BI ≤ €1 billion), internal loss data does not affect the capital calculation. That is, the ILM is equal to 1, so that operational risk capital is equal to the BIC (=12% x BI). At national discretion, supervisors may allow the inclusion of internal loss data into the framework for banks in bucket 1, subject to meeting the loss data collection requirements specified in OPE25.14 to OPE25.34. In addition, at national discretion, supervisors may set the value of ILM equal to 1 for all banks in their jurisdiction. In case this discretion is exercised, banks would still be subject to the full set of disclosure requirements summarised in OPE25.35.

Minimum standards for the use of loss data under the standardised approach

25.12

Banks with a BI greater than €1bn are required to use loss data as a direct input into the operational risk capital calculations. The soundness of data collection and the quality and integrity of the data are crucial to generating capital outcomes aligned with the bank’s operational loss exposure. The minimum loss data standards are outlined in OPE25.14 to OPE25.34. National supervisors should review the quality of banks’ loss data periodically.

25.13

Banks which do not meet the loss data standards are required to hold capital that is at a minimum equal to 100% of the BIC. In such cases supervisors may require the bank to apply an ILM which is greater than 1. The exclusion of internal loss data due to non-compliance with the loss data standards, and the application of any resulting multipliers, must be publicly disclosed in accordance with the Pillar 3 requirements.

General criteria on loss data identification, collection and treatment

25.14

The proper identification, collection and treatment of internal loss data are essential prerequisites to capital calculation under the standardised approach. The general criteria for the use of the LC are as follows.

25.15

Internally generated loss data calculations used for regulatory capital purposes must be based on a 10-year observation period. If ten years of good quality loss data are not available when the bank first moves to the standardised approach, a shorter observation period is acceptable on an exceptional basis (with a minimum observation period of five years). Note that all years of good-quality data available beyond five years must be included.

25.16

Internal loss data are most relevant when clearly linked to a bank’s current business activities, technological processes and risk management procedures. Therefore, a bank must have documented procedures and processes for the identification, collection and treatment of internal loss data. Such procedures and processes must be subject to validation before the use of the loss data within the operational risk capital requirement measurement methodology, and to regular independent reviews by internal and/or external audit functions.

25.17

For risk management purposes, and to assist in supervisory validation and/or review, a supervisor may request a bank to map its historical internal loss data into the relevant Level 1 supervisory categories as defined in Table 2 and to provide this data to supervisors. The bank must document criteria for allocating losses to the specified event types.

Detailed loss event type classification

Table 2

Event-type category (Level 1)

Definition

Categories (Level 2)

Activity examples (Level 3)

Internal fraud

Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party

Unauthorised activity

Transactions not reported (intentional)

Transaction type unauthorised (with monetary loss)

Mismarking of position (intentional)

Theft and fraud

Fraud / credit fraud / worthless deposits

Theft / extortion / embezzlement / robbery

Misappropriation of assets

Malicious destruction of assets

Forgery

Check kiting

Smuggling

Account takeover / impersonation etc

Tax non-compliance / evasion (wilful)

Bribes / kickbacks

Insider trading (not on firm’s account)

External fraud

Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party

Theft and fraud

Theft / robbery

Forgery

Check kiting

Systems security

Hacking damage

Theft of information (with monetary loss)

Employment practices and workplace safety

Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination events

Employee relations

Compensation, benefit, termination issues

Organised labour activity

Safe environment

General liability (slip and fall etc)

Employee health and safety rules events

Workers compensation

Diversity and discrimination

All discrimination types

Clients, products and business practices

Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.

Suitability, disclosure and fiduciary

Fiduciary breaches / guideline violations

Suitability / disclosure issues (know-your-customer etc)

Retail customer disclosure violations

Breach of privacy

Aggressive sales

Account churning

Misuse of confidential information

Lender liability

Improper business or market practices

Antitrust

Improper trade / market practices

Market manipulation

Insider trading (on firm’s account)

Unlicensed activity

Money laundering

Product flaws

Product defects (unauthorised etc)

Model errors

Selection, sponsorship and exposure

Failure to investigate client per guidelines

Exceeding client exposure limits

Advisory activities

Disputes over performance of advisory activities

Damage to physical assets

Losses arising from loss or damage to physical assets from natural disaster or other events

Disasters and other events

Natural disaster losses

Human losses from external sources (terrorism, vandalism)

Business disruption and system failures

Losses arising from disruption of business or system failures

Systems

Hardware

Software

Telecommunications

Utility outage / disruptions

Execution, delivery and process management

Losses from failed transaction processing or process management, from relations with trade counterparties and vendors

Transaction capture, execution and maintenance

Miscommunication

Data entry, maintenance or loading error

Missed deadline or responsibility

Model / system misoperation

Accounting error / entity attribution error

Other task misperformance

Delivery failure

Collateral management failure

Reference data maintenance

Monitoring and reporting

Failed mandatory reporting obligation

Inaccurate external report (loss incurred)

Customer intake and documentation

Client permissions / disclaimers missing

Legal documents missing / incomplete

Customer / client account management

Unapproved access given to accounts

Incorrect client records (loss incurred)

Negligent loss or damage of client assets

Trade counterparties

Non-client counterparty misperformance

Miscellaneous non-client counterparty disputes

Vendors and suppliers

Outsourcing

Vendor disputes

25.18

A bank's internal loss data must be comprehensive and capture all material activities and exposures from all appropriate subsystems and geographic locations. The minimum threshold for including a loss event in the data collection and calculation of average annual losses is set at €20,000. At national discretion, for the purpose of the calculation of average annual losses, supervisors may increase the threshold to €100,000 for banks in buckets 2 and 3 (ie where the BI is greater than €1 billion).

2 FAQs
25.19

Aside from information on gross loss amounts, the bank must collect information about the reference dates of operational risk events, including the date when the event happened or first began (“date of occurrence”), where available; the date on which the bank became aware of the event (“date of discovery”); and the date (or dates) when a loss event results in a loss, reserve or provision against a loss being recognised in the bank’s profit and loss (P&L) accounts (“date of accounting”). In addition, the bank must collect information on recoveries of gross loss amounts as well as descriptive information about the drivers or causes of the loss event.4 The level of detail of any descriptive information should be commensurate with the size of the gross loss amount.

1 Footnote
25.20

Operational loss events related to credit risk and that are accounted for in credit RWA should not be included in the loss data set. Operational loss events that relate to credit risk but are not accounted for in credit RWA should be included in the loss data set.

25.21

Operational risk losses related to market risk are treated as operational risk for the purposes of calculating minimum regulatory capital under this framework and will therefore be subject to the standardised approach for operational risk.

25.22

Banks must have processes to independently review the comprehensiveness and accuracy of loss data.

Specific criteria on loss data identification, collection and treatment

25.23

Building an acceptable loss data set from the available internal data requires that the bank develop policies and procedures to address several features, including gross loss definition, reference date and grouped losses.

25.24

Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking into account the impact of recoveries. The recovery is an independent occurrence, related to the original loss event, separate in time, in which funds or inflows of economic benefits are received from a third party.5

1 Footnote
25.25

Banks must be able to identify the gross loss amounts, non-insurance recoveries, and insurance recoveries for all operational loss events. Banks should use losses net of recoveries (including insurance recoveries) in the loss dataset. However, recoveries can be used to reduce losses only after the bank receives payment. Receivables do not count as recoveries. Verification of payments received to net losses must be provided to supervisors upon request.

25.26

The following items must be included in the gross loss computation of the loss data set:

(1)

Direct charges, including impairments and settlements, to the bank's P&L accounts and write-downs due to the operational risk event;

(2)

Costs incurred as a consequence of the event including external expenses with a direct link to the operational risk event (eg legal expenses directly related to the event and fees paid to advisors, attorneys or suppliers) and costs of repair or replacement, incurred to restore the position that was prevailing before the operational risk event;

(3)

Provisions or reserves accounted for in the P&L against the potential operational loss impact;

(4)

Losses stemming from operational risk events with a definitive financial impact, which are temporarily booked in transitory and/or suspense accounts and are not yet reflected in the P&L ("pending losses").6 Material pending losses should be included in the loss data set within a time period commensurate with the size and age of the pending item; and

(5)

Negative economic impacts booked in a financial accounting period, due to operational risk events impacting the cash flows or financial statements of previous financial accounting periods ("timing losses").7 Material "timing losses" should be included in the loss data set when they are due to operational risk events that span more than one financial accounting period and give rise to legal risk.

2 Footnotes , 2 FAQs
25.27

The following items should be excluded from the gross loss computation of the loss data set:

(1)

Costs of general maintenance contracts on property, plant or equipment;

(2)

Internal or external expenditures to enhance the business after the operational risk losses: upgrades, improvements, risk assessment initiatives and enhancements; and

(3)

Insurance premiums.

25.28

Banks must use the date of accounting for building the loss data set. The bank must use a date no later than the date of accounting for including losses related to legal events in the loss data set. For legal loss events, the date of accounting is the date when a legal reserve is established for the probable estimated loss in the P&L.

25.29

Losses caused by a common operational risk event or by related operational risk events over time, but posted to the accounts over several years, should be allocated to the corresponding years of the loss database, in line with their accounting treatment.

Exclusion of losses from the Loss Component

25.30

Banking organisations may request supervisory approval to exclude certain operational loss events that are no longer relevant to the banking organisation's risk profile. The exclusion of internal loss events should be rare and supported by strong justification. In evaluating the relevance of operational loss events to the bank's risk profile, supervisors will consider whether the cause of the loss event could occur in other areas of the bank's operations. Taking settled legal exposures and divested businesses as examples, supervisors expect the organisation's analysis to demonstrate that there is no similar or residual legal exposure and that the excluded loss experience has no relevance to other continuing activities or products.

1 FAQ
25.31

The total loss amount and number of exclusions must be disclosed in accordance with the Pillar 3 requirements with appropriate narratives, including total loss amount and number of exclusions.

25.32

A request for loss exclusions is subject to a materiality threshold to be set by the supervisor (for example, the excluded loss event should be greater than 5% of the bank’s average losses). In addition, losses can only be excluded after being included in a bank’s operational risk loss database for a minimum period (for example, three years), to be specified by the supervisor. Losses related to divested activities will not be subject to a minimum operational risk loss database retention period.

Exclusions of divested activities from the Business Indicator

25.33

Banking organisations may request supervisory approval to exclude divested activities from the calculation of the BI. Such exclusions must be disclosed in accordance with the Pillar 3 requirements.

1 FAQ

Inclusion of losses and BI items related to mergers and acquisitions

25.34

The scope of losses and BI items used to calculate the operational risk capital requirements must include acquired businesses and merged entities over the period prior to the acquisition/merger that is relevant to the calculation of the standardised approach (ten years for losses and three years for BI).

1 FAQ

Disclosure

25.35

All banks with a BI greater than €1bn, or which use internal loss data in the calculation of operational risk capital, are required to disclose their annual loss data for each of the ten years in the ILM calculation window in accordance with the Pillar 3 requirements. This includes banks in jurisdictions that have opted to set ILM equal to one. Loss data is required to be reported net of recoveries, both before and after loss exclusions. All banks are required to disclose each of the BI sub-items for each of the three years of the BI component calculation window in accordance with the Pillar 3 requirements.