
“TEN LAWS OF OP RISK”

37. ARTICULATING OPERATIONAL RISK APPETITE
MICHAEL GRIMWADE
HEAD OF OPERATIONAL RISK, ICBC STANDARD BANK
26th FEBRUARY, 2024

The contents of this presentation are my own views rather than those of ICBC Standard Bank.
INTRODUCTION

The Financial Stability Board (FSB) defined risk appetite succinctly as an articulation of “the aggregate level and types of risk that a financial institution is willing to accept, or to avoid, in order to achieve its business objectives…It should also address more difficult to quantify risks such as reputation and conduct risks as well as money laundering and unethical practices”.1&2

Within these principles, the FSB allocates responsibility to the Board for approving a firm’s risk appetite statement, which should include both:
• Quantitative measures; and
• Qualitative statements, that articulate “…the motivations for taking or avoiding certain types of risks”.1

These quantitative measures should be translated into risk limits that are cascaded to business lines and legal entities, and which can be both “aggregated and disaggregated”1 to enable measurement of risk against appetite across a group. Implementing these principles for risks such as Market Risk has proved to be much more straightforward than for Operational Risk. This is problematic, as an effective risk appetite statement should help Operational Risk managers to:
• “evaluate opportunities for appropriate risk-taking”, i.e. guiding proactive risk taking; and
• “act as a defence against excessive risk-taking”, i.e. a trigger for action when a firm is approaching or exceeding its risk appetite.

Consequently, this presentation addresses these difficulties by considering:
1. The natures of Operational Risk, which need to be reflected in a firm’s Operational Risk appetite;
2. Different quantitative measures of Operational Risk appetite, and an assessment of their relative merits; and
3. Qualitative articulations of Operational Risk appetite.

Sources & footnotes:
1. Financial Stability Board, (2013) “Principles for An Effective Risk Appetite Framework”.
2. The FSB observes that different authors use the terms “risk appetite” and “risk tolerance” differently. Consequently the FSB just uses the term “risk appetite”, as have I in this presentation.
Slide 1
INTRODUCTION
- “WHICH IS THE MOST VALUABLE USE OF OP RISK APPETITE?”
In September 2023 I ran a poll on LinkedIn enquiring as to the most valuable use of Operational Risk appetite. The results were an almost even split between the most valuable uses of Operational Risk appetite being:
• Reactive risk management, i.e. “A trigger for actions”; and
• Proactive risk management, i.e. “Assessing business strategy” and “Approving complex transactions”.

[Chart: “Which is the most valuable use of Operational Risk appetite?”1 – poll results split between Reactive risk management and Proactive risk management.]

Source:
1. LinkedIn Poll: 114 participants between 11th and 14th September, 2023.
Slide 2
1. THE NATURES OF OPERATIONAL RISK, WHICH NEED TO BE REFLECTED IN APPETITE
1. INTRODUCTION

The foundations for any risk appetite statement have to be an understanding as to how the relevant risk actually behaves. Consequently this first section focuses on the natures of Operational Risk, i.e.:
• Frequency & severity – an “…unusually fat-tailed” risk.
• High frequency : low severity losses – how the frequencies of events vary between risk types.
• Low frequency : high severity losses – how velocity varies between different impacts.
• Durations of events & lags in settlements – today’s large losses (≥$0.1bn) are driven by past events.
• An over-arching formula for Operational Risk losses – “Ten Laws of Operational Risk”.
• Causal factors – their influence and correlations and the sensitivity of Operational Risk to economic shocks.
• More complex than the simple bow-tie diagram – a “Sandwich Diagram”.
• Active & passive taking of Operational Risk:
  − Different risks drive different sources of income; and
  − Actively taking Operational Risk is disproportionately risky.
• Conclusions.
Slide 3
1. FREQUENCY & SEVERITY
- AN “…UNUSUALLY FAT-TAILED” RISK
The majority of Operational Risk events are low value, i.e. ≤€100k, and arise from either human mistakes & omissions or external fraud, whilst the majority of the value of Operational Risk losses comes from high value events, ≥€10m, which arise from misconduct. The PRA has observed that Operational Risk is “…unusually fat-tailed…”1, which is consistent with the BIS and ORX data in the charts below, which show that <1% of events can represent up to 75% of the total value of losses.

[Chart: Distribution of the number of losses, by the value of the individual loss events (1998 to 2018)2 – High Frequency : Low Severity]
[Chart: Distribution of the value of losses, by the value of individual loss events (1998 to 2018)2 – Low Frequency : High Severity (see slide 12)]

Sources:
1. PRA, (July 2021) “Statement of Policy: The PRA’s methodologies for setting Pillar 2 capital”.
2. Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 4
1. HIGH FREQUENCY : LOW SEVERITY LOSSES
– HOW FREQUENCIES OF EVENTS VARY BETWEEN RISK TYPES
The Basel Committee defined Operational Risk as being: “The risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”

Understanding the nature of these “inadequacies or failures” helps to explain why some Basel event categories occur more frequently than others: Appendix I contains a taxonomy of “inadequacies or failures”.

Generally, people are honest, but they do make mistakes and omit actions. As a consequence, misconduct and malicious acts (e.g. Internal Frauds) are much rarer than mistakes & omissions. The exception is obviously professional criminals, whose job is to act maliciously, and who will exploit any identified / visible control weaknesses.

Hence weaknesses in controls that mitigate persistent threats, i.e. either mistakes & omissions or External Fraud, will inevitably result in losses, whilst for risks that are inherently infrequent / rare this is not the case.

Four of the seven Basel II event categories generally have very low frequencies of Occurrence, i.e. they are inherently infrequent / rare, although there are geographical variations, e.g. whilst EPWS is typically rare it has a much higher frequency of Occurrence in Brazil.2

[Chart: Comparison of the frequency of seven subcategories of Operational Risk1, with each category labelled by its underlying nature: Malicious acts (external); Mistakes & omissions; Individual & systemic misconduct + mistakes & omissions; Malicious acts (internal); Mistakes & omissions1; Malicious acts and acts of God.]

Sources:
1. Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
2. ORX, (June 2023) “Annual Banking Loss Report”, pages 22 & 25.
Slide 5
1. THESE “INADEQUACIES OR FAILURES” ALSO DESCRIBE HOW CONTROLS FAIL
A taxonomy of “inadequacies or failures” that constitutes Operational Risk events also effectively describes how controls fail (Appendix II).

This explains why some KRIs are particularly important. For example, KRIs relating to both:
• Volume of work, e.g. trade volumes; and / or
• Capacity to do the work, e.g. staff turnover, unfilled vacancies etc,
can lead to increases in human errors that can result in both the:
• Occurrence of events that are mistakes & omissions (slide 5); and also
• Failures of any of the manual controls.

[Diagram: James Reason’s “Swiss Cheese Model” annotated for the nature of control failures1]

Source:
1. Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 6
1. LOW FREQUENCY : HIGH SEVERITY LOSSES
- HOW VELOCITY VARIES BETWEEN IMPACTS
The nature of impacts drives the rapidity with which losses are incurred. Market : Operational Risk boundary losses have the highest velocities (“hares”), whilst fines & penalties and compensation accrete losses more slowly (“tortoises”), and their longer durations ultimately lead to higher losses.

[Chart: The differing rates of velocity for five different underlying impacts1]

These differences in velocity should be reflected in the frequency and the nature of a firm’s Preventive, Detective and Corrective / Resilience Controls.

For example, “Rogue algos” can generate the highest velocity losses and hence require real time and automated monitoring. Lower velocity losses associated with fines & penalties, by contrast, can be mitigated through T+1 / T+5 controls, e.g. reviews by Compliance of evidence supporting advised sales.

NB Acquisitions can lead to the acquirer inheriting the losses of its target, potentially converting “tortoises” into “hares”!

Source:
1. Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 7
1. DURATIONS OF EVENTS & LAGS IN SETTLEMENTS
- AVERAGES FOR LOSSES ≥€20k
On average Operational Risk losses display relatively short durations and lags in settlement, i.e. generally less than 12 months, with the exception of CPBP and EPWS, i.e. most loss events are a product of a firm’s current internal controls and the current external environment.

[Chart: Average durations & lags for Operational Risk losses ≥€20k (ORX), showing Occurrence, Detection and Settlement]

Source: Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 8
1. DURATIONS OF EVENTS & LAGS IN SETTLEMENTS
– TODAY’S LARGE LOSSES ARE DRIVEN BY PAST EVENTS
Large Operational Risk losses (≥$0.1bn), however, typically exhibit average durations and lags of 3 to 4 years. This means that the large losses that settle in the current year may often reflect a firm’s internal controls and the external environment from 5 to 10 years ago.

[Chart: Average durations & lags for 390 losses ≥$0.1bn suffered by 30 current & former G-SIBs (IBM FIRST), showing Occurrence, Detection and Settlement, with the total value of large losses per category (ranging from ~$1bn to $289bn) and the annotation “The ‘Digital Revolution’ may exacerbate these two risks”.]

CPBP is by far the most important risk category, by total value, for large losses, and it also shows the longest lags in settlement.

Consequently, whilst a firm’s current controls may be working effectively, its Operational Risk losses may be outside of appetite, and the best and most reliable indicator of a firm’s future losses can often be its current pipeline of litigation!
Slide 9
1. AN OVER-ARCHING FORMULA FOR OP RISK LOSSES
- “TEN LAWS OF OPERATIONAL RISK”
Over time a firm’s appetite for Operational Risk losses should approximate to actual losses settling in a particular year, in terms of the:
• Frequency of losses, which is the combination of the Occurrence of losses in the current year, and also the Detection of historical failures / loss events from prior years, and also on-going events. These may be influenced respectively by Preventive and Detective Controls.1
• Severity of losses, which is the combination of the Duration1 of an event, and the rapidity with which losses are incurred over time (Velocity) – Corrective / Resilience Controls may limit velocity, and hence the scale of any losses suffered.
• Lags between Detection & Settlement / recoveries – as already noted, a firm’s litigation pipeline may be a key driver of current losses.
• Causal factors can influence all of these factors.

An over-arching formula for Operational Risk losses2

    Over time, Operational Risk Appetite ≈ Losses settling in a particular year = (Occurrence, Detection) x (Duration x Velocity), Lags

In the diagram, internal & external causes sit above every term; Preventive Controls sit beneath Occurrence, Detective Controls beneath Detection, and Corrective / Resilience Controls beneath Duration x Velocity.

Sources & footnotes:
1. The weakening of Preventive Controls will lead to an increase in Occurrence, but only if these controls mitigate persistent threats, whilst a weakening of Detective Controls may lead to a reduction in reported events in the short-term, but ultimately higher severity losses in the medium-term, due to longer Durations.
2. Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 10
1. CAUSAL FACTORS
- THEIR INFLUENCE AND CORRELATIONS
ORX defines causes as being “the underlying environment that allows risk events to develop. These causes therefore go beyond the immediate triggers of a risk event, such as control failure.”2 Consequently causes may:
• Influence the Occurrence & Detection of events;
• Weaken Preventive, Detective & Corrective / Resilience Controls; and
• Exacerbate the Severity (Velocity) of losses.

Large loss events are associated with multiple causal factors. For this sample of 16 well documented events the average is 4½ causal factors per event.1 This complexity means that, with a few exceptions, individual metrics related to these larger losses are very unlikely to be predictive, with any precision, on their own, i.e. portfolios of metrics are required.

The distribution of these causes, however, is far from random with the strongest correlations between causal factors relating to:
1. Strategy, regarding incentives;
2. Culture;
3. Governance;
4. People; and
5. Processes.
Consequently, KRIs & KCIs linked to these causal factors will be more informative than the others, regarding a firm’s Operational Risk profile.

[Diagram: Correlations between causal factors associated with 16 large loss events1. This diagram represents the number of times pairs of causal factors are associated with the same loss event, for a sample of 16 events. Key: common to <60% of incidents in sample; common to <40% of incidents in sample; common to <20% of incidents in sample.]

Sources & footnotes:
1. These causal factors were explicitly described in the associated regulatory notices / court papers (Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons).
2. Oliver Wyman and ORX, (November 2020) “Operational & Non-Financial Risk Taxonomy: Causes and Impacts – guidance document”.
Slide 11
1. CAUSAL FACTORS
- SENSITIVITY TO ECONOMIC SHOCKS
Arguably, Operational Risk’s most important characteristic is that spikes in losses have coincided with economic shocks, most prominently the bursting of the dot.com bubble in 2001/02, and the Global Financial & Euro Crises from 2007 to 2011. Economic shocks seem to drive both the Frequency (Occurrence & Detection) and the Severity (Duration x Velocity) of Operational Risk losses. This may reflect that economic cycles are linked to all five of the most strongly correlated causal factors on slide 11.

[Chart: 463 large losses (≥$0.1bn) for 28 current & 3 former G-SIBs, with a value of $421bn, analysed by end date1. Vertical axis: Losses, $billions. Annotated shocks and events: 1994 increases in $ rates (P&G vs BT litigation; Kidder Peabody losses; Orange County’s collapse); dot.com bubble; Enron & Spitzer settlements; WorldCom settlements; Parmalat settlements; Global Financial & Euro Crises; Rogue Trading, inc. SocGen; MBS litigation; inappropriate foreclosure fines; PPI compensation & LIBOR fines; FX rigging; AML fines; 1MDB; Wells Fargo settlement; Russia : Ukraine. Callout: ~60% of the value of these losses are linked to Credit or Market Risks.]

Source:
1. The graph is adapted from Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons. The data is sourced from IBM FIRST Case Studies.
Slide 12
1. MORE COMPLEX THAN THE SIMPLE BOW-TIE DIAGRAM
- A “SANDWICH DIAGRAM”
Whilst the over-arching formula (slide 10) for Operational Risk is elegantly simple, it belies significant complexity, which is better illustrated in this revised bow-tie diagram – a “Sandwich Diagram”.
• Causes are across the top of this diagram, as they can:
  - Influence the Occurrence & Detection of events;
  - Weaken Preventive, Detective & Corrective / Resilience Controls;
  - Exacerbate the Severity (Velocity) of losses (slides 11 & 12).
• Correlations exist between these causal factors (slide 11).
• Inadequacies or failures that the Basel Committee used to define Operational Risk describe both the nature of:
  - An Operational Risk event (slide 5); and also
  - Control failures (slide 6),
  and are highlighted in RED.
• Impacts – the wide range of potential financial consequences influences the rapidity with which losses are incurred (slide 7).
• Time spans the bottom of the diagram, i.e.:
  - Duration is the time between the failure of Preventive Controls and the success of a Detective Control; and
  - Lags are the delays in losses crystallising after the success of a Detective Control (slides 8 & 9).

Operational Risk events, controls and impacts are all “sandwiched” between causes at the top, and time at the bottom.

[Diagram: the “Sandwich Diagram”. The lines reflect a mis-marking event discovered in February 2008.]

Source: Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 13
1. BUSINESS PROFILE - PRODUCTS & CUSTOMERS
– A KEY DRIVER OF OPERATIONAL RISK PROFILE
The two charts below compare the number and value of Operational Risk losses for both Banking and Trading & Investment businesses. Whilst CPBP is the most important risk for both Banking and Trading & Investment, External Fraud is clearly more important in Banking businesses. The CPBP losses also, evidently, have higher average loss values than either EDPM or External Fraud.

[Chart: Banking – Ratio of number of events ≥€20k and their value (ORX, 2013 to 2018)1, split by CPBP, EDPM, EF and Other, for Number and Value]
[Chart: Trading & Investment – Ratio of number of events ≥€20k and their value (ORX, 2013 to 2018)1, split by CPBP, EDPM, EF and Other, for Number and Value]

Source:
1. Adapted from Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 14
1. ACTIVE & PASSIVE TAKING OF OPERATIONAL RISK
- DIFFERENT RISKS DRIVE DIFFERENT SOURCES OF INCOME
Banks generate three forms of income, each of which exposes them to different risks. Fee & commission income primarily exposes firms to Operational Risk. This income is generated from providing services, e.g. underwriting securities; clearing & settlement; and underwriting or selling insurance. By choosing to undertake these businesses firms are choosing to expose themselves to these Operational Risks.

3 types of income / Primary & secondary risks / Examples of associated Operational Risk losses

1. Interest income from lending
   Primary risk: Credit Risk.
   Secondary risks / by-products: some Interest Rate Risk in the Banking Book, Liquidity & Operational Risks.
   Examples of associated Operational Risk losses:
   • Customer compensation for improper foreclosure.
   • Customer compensation for erroneous interest rates on loans.

2. Trading income from sales & trading
   Primary risk: Market Risk.
   Secondary risks / by-products: significant Credit, Liquidity & Operational Risks.
   Examples of associated Operational Risk losses:
   • Fines for benchmark manipulation.
   • Compensation for the mis-sale of derivatives.
   • Rogue trading losses.
   • Fat-fingered typing.
   • Penalty interest arising from settlement errors.

3. Fee & commission income from providing services, e.g.: underwriting the issuance of securities; fund management; clearing & settlement; underwriting1 or selling insurance
   Primary risk: Operational Risk.
   Secondary risks / by-products: small and variable amounts of Credit, Market & Liquidity Risks.
   Examples of associated Operational Risk losses include some of the largest suffered by the industry:
   • Compensation for misrepresenting securities, e.g. MBS, CDO, WorldCom and dot.com IPO litigation.
   • Penalties for the facilitation of tax evasion.
   • Compensation for breach of fiduciary duties.
   • Penalties for facilitating the breach of sanctions.
   • Compensation for the mis-sale of PPI.

Footnote: 1. Underwriting General Insurance policies is the clearest example of a firm proactively taking Operational Risk in return for income in the form of an insurance premium.
Slide 15
1. ACTIVE & PASSIVE TAKING OF OPERATIONAL RISK
- ACTIVELY TAKING OP RISK IS DISPROPORTIONATELY RISKY
The analysis below compares the composition of revenues for 30 current & former G-SIBs for 2017, with the associated Operational Risk losses for 2007 to 2017. Whilst it shows that Operational Risk is all-pervasive, it also implies that actively taking Operational Risk in this way is disproportionately risky!

[Chart: Revenues of 30 current & former G-SIBs for 20171, split between Fees & commissions, Trading income, Interest income and Corporate items]
[Chart: Op Risk losses ≥$0.1bn analysed by revenues for 30 current & former G-SIBs for 2007 to 20171, split between Fees & commissions, Trading income, Interest income and Corporate items]

Source:
1. Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 16
1. CONCLUSIONS

When articulating appetite for Operational Risk firms need to consider:
• The majority of Operational Risk losses are high frequency and low value events (slide 4), primarily EDPM and External Fraud. In terms of the inadequacies or failures referenced in Basel II, EDPM loss events are driven by mistakes & omissions, whilst External Fraud events are malicious acts. The majority of the seven Basel II risk event categories have low frequencies of Occurrence (slide 5).
• A minority of Operational Risk events generate the majority of the losses suffered by firms, and these are primarily CPBP loss events (slides 4, 9 & 14).
• The nature of the impacts is a key driver of the rapidity with which losses are incurred (Velocity), i.e. losses relating to Market Risk are very high velocity, whilst regulatory fines & penalties and customer compensation are relatively low velocity (slide 7). This should be reflected in the frequency and the nature of the Preventive, Detective and Corrective / Resilience Controls.
• Most losses are driven by a firm’s current controls and external environment (slide 8). Large loss events (≥$0.1bn), however, on average have durations of 3 to 4 years, and by coincidence, the lags between detection and settlement are also 3 to 4 years. This means that the large losses settled by firms in the current year typically relate to events that commenced 5 to 10 years ago (slide 9).
• Operational Risk is complex with causal factors influencing the Occurrence and / or Detection of events; the effectiveness of Preventive, Detective, and Corrective / Resilience Controls; and the Severity of losses (slides 10, 11 & 13). Historically, significant spikes in Operational Risk losses have coincided with economic shocks (slide 12).
• The Business Profile of firms is a key driver of their Operational Risk profiles, i.e. whilst CPBP and EDPM are key risks for all firms, historically, External Fraud has only been a key risk for Banking businesses (slide 14).
• Operational Risk is all-pervasive, i.e. firms expose themselves to Operational Risk both passively through their trading and lending businesses, but also actively through businesses that generate fee & commission income, e.g. underwriting securities; fund management; etc (slide 15). Actively taking Operational Risk to generate fee & commission income has historically been disproportionately risky (slide 16).

The next section considers how these behaviours of Operational Risk should be reflected in quantitative measures of risk appetite.
Slide 17
2. QUANTITATIVE MEASURES OF RISK APPETITE
2. INTRODUCTION

This section describes different quantitative measures for setting Operational Risk appetite, which include:

Financial measures – firm-wide:
• Expected Operational Risk losses:
  − Cumulative number of Operational Risk loss events against a threshold. In practice, this can be either the total number of events or events above a certain materiality.
  − Cumulative value of Operational Risk losses (expected) against a threshold. In practice, this can be either an absolute amount or a % of revenues (slide 19).
• Unexpected Operational Risk losses: the value of an individual large event with a particular likelihood can be defined, e.g. once every x years or values for different confidence intervals. This can also be either an absolute amount or a % of revenues, and can both drive insurance cover (slide 22) and also be compared to:
  − Scenario analysis outputs; and
  − Model outputs (slide 21).
• Target return on equity for businesses that proactively take Operational Risk, in order to generate fee & commission income (slide 21).

Non-financial measures – Basel event categories and / or top-risks:
• Value of metrics: KRIs can describe causal factors that are particularly relevant to the Occurrence of events or the scale of impacts relative to a threshold (slides 11 & 12), and the progress with remedial actions, whilst KCIs describe the operation of controls (slides 23 & 24).
• Outputs of RCSAs (slide 25).
• Recovery Time Objectives for a firm’s Operational Resilience (slide 26).

Limits:
• Operational limits on business profile, e.g. the volume and value of transactions, and fat-finger limits (slide 27).

This section concludes by assessing the different applications of these measures and their relative merits, in terms of, for example, the ability to both cascade and aggregate these measures.
Slide 18
2. APPETITE FOR EXPECTED LOSSES
- COMPARISON TO ACTUAL LOSSES
For risks that generate a high volume of low value losses, i.e. EDPM for all firms and External Fraud for Banking (slide 14), firms can compare actual losses suffered vs their appetite for these expected losses, either on a monthly basis (see graph) or cumulatively.1

[Chart: Illustration of actual losses each month vs a monthly appetite for expected losses2, annotated with “Monthly expected loss appetite”, “Outside of appetite”, “Return to appetite” and “Adverse trend”]

Firms may need to exclude “unexpected losses” from this data, by, for example:
• Removing losses above a threshold, e.g. >€0.5m; or
• Excluding losses from legacy businesses; or
• Making case-by-case decisions, approved via governance.

Determining appetite for expected losses may variously involve considering the following, and also adding some headroom / buffer:
• Trends & patterns in a firm’s historical loss data, e.g. how often would appetite have been breached historically;
• Expectations of staff members given planned levels of activity for the year ahead;
• Outputs of an Operational Risk capital model, at the 50th percentile, for relevant high frequency risks, i.e. EDPM and External Fraud;
• Benchmark data, e.g. ORX publishes the ratio of total losses to revenues of its members split between Banking and Trading & Investment. This data, however, may need to be adjusted to remove large loss events, e.g. >€0.5m.3
Appetite for expected losses may be articulated as either an absolute value or as a % of revenues, e.g. ~0.5%, aiding its cascade in a group.

Sources & footnotes:
1. A motor finance division of a UK bank that I used to work for set a threshold for the value of successful application fraud at 0.1% of monthly 2nd hand car loan advances.
2. Grimwade, M., (2016) “Managing Operational Risk: New Insights & Lessons Learnt”, RiskBooks.
3. The ratio of total losses to revenues for Trading & Investment for 2022 for ORX members is 2.17%, and the proportion of total losses by value <€0.5m for all business lines is 24.4%, suggesting that expected losses are 2.17% x 24.4% ≈ 0.5%. (ORX, (June 2023) “Annual Banking Loss Report”).
Slide 19
2. APPETITE FOR EXPECTED LOSSES
- COMPARISON TO ACTUAL LOSSES
Firms with different appetites for Operational Risk will sit at different points along an efficient frontier between risk / losses and control expenditure. If expected losses move outside of appetite, then firms may respond to bring them back within appetite, per slide 10.

[Chart: Illustration of the efficient frontier between risk / loss and control expenditure / effectiveness1. Vertical axis: Risk, i.e. Losses; horizontal axis: Control, e.g. expenditure or effectiveness. Annotations: (1) If losses exceed appetite, then… (2) …firms may increase control expenditure to bring losses back into appetite.]

This feedback loop may explain why the frequency of losses resulting from risks, such as EDPM and External Fraud, that are driven by persistent threats is relatively stable (slide 5).

Source:
1. Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 20
2. APPETITE FOR UNEXPECTED LOSSES
- COMPARISON TO SCENARIOS & MODEL OUTPUTS
Appetite for unexpected losses can be articulated either as a % of revenues that may be lost with a remote probability, e.g. once every x years, or as values for different confidence intervals, such as Earnings at Risk (e.g. 90th percentile) and Economic capital (e.g. 99.9th percentile). This can be compared to either individual scenarios and / or the outputs of a capital model.

[Chart: Illustration of the comparison of scenario and model outputs to appetite1, showing the unexpected loss appetite against the 90th percentile (10%) and the 99.9th percentile. Key: Scenario analysis outputs; Capital model outputs.]

Target return on equity can be used for businesses which actively take Operational Risk in order to generate fee & commission income (slide 14), but only if the businesses are large enough to model economic capital meaningfully (slide 15).

Firms undertaking strategic initiatives (e.g. establishment of a new business or undertaking an acquisition) can undertake scenario analysis to assess the impact on the firm’s Operational Risk profile, relative to its existing appetite, but only if sufficiently material.

Source:
1. Adapted from Grimwade, M., (2016) “Managing Operational Risk: New Insights & Lessons Learnt”, RiskBooks.
Slide 21
2. APPETITE FOR UNEXPECTED LOSSES
- DETERMINING INSURANCE COVER
Insurance policies can provide risk transference for a mid-range of higher value : lower frequency losses (slide 4) suffered by firms above a deductible or excess but below the policy’s limit.1 Insurance cover can be aligned to a firm’s appetite for unexpected losses and reflected in the outputs of an Operational Risk capital model – primarily Economic Capital (e.g. 99.9th percentile), depending on the scale of any deductible.

[Chart: Profile of transference of a single Operational Risk loss event, using insurance2. Annotations: deductibles or excesses may limit the influence of insurance at lower percentiles; cover may reduce a firm’s Economic Capital; likelihoods typically range from 1 in ~10 to >100 years.]

Sources & footnotes:
1. Appendix III contains a mapping of insurance policies to different “inadequacies or failures” and financial consequences.
2. Adapted from Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 22
2. APPETITE USING NON-FINANCIAL MEASURES
- “BANKS SHOULD DEFINE CORRESPONDING METRICS”1
The selection of relevant non-financial metrics in order to track a firm’s Operational Risk profile, relative to thresholds, has to reflect the key causal factors (slide 11) and the nature of the underlying “inadequacies or failures”2 and hence whether the risks are underpinned by persistent threats or are inherently infrequent / rare (slide 5).

[Diagram: risks arranged on a spectrum from Persistent threats, through Somewhere in between, to Inherently infrequent / rare threats, with labels including “Litigation pipeline”, “Less frequent, but with lags >1 year” and “Infrequent events but with short lags”.]

For example, for:
• Risks driven by mistakes & omissions, KRIs highlighting stretch are important;
• Persistent external threats, i.e. External Fraud, monitoring of Preventive Controls is critical, e.g. patching for cyber-crime;
• Risks that are inherently rare, KCIs are more important along with assessments of the completeness of controls.
For inherently rare events setting thresholds for KCIs is based on judgement, due to the rarity of losses.

This analysis also highlights the relative significance of the lags between detection & settlement (slide 8).

Sources:
1. European Central Bank, (June 2016) “SSM supervisory statement on governance and risk appetite”.
2. Adapted from Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
Slide 23
2. APPETITE USING NON-FINANCIAL MEASURES
- MONITORING OPERATING EFFECTIVENESS OF KEY CONTROLS
Month-on-month changes in risk profiles are primarily driven by the operating effectiveness of controls mitigating remote risks:
 Persistent threats – as described earlier, weaknesses in controls mitigating persistent threats (e.g. cyber-crime) will be exploited.
 Infrequent / rare events – the absence of losses does not necessarily imply that the controls are working effectively. The table below
aggregates, for a firm's top-risks,2 data from 1st line control attestations, KCIs, and the results of 2nd & 3rd line assurance, to provide
a holistic view.

[Table: for each top-risk, the status of its Preventive Controls (primarily in Front Office), Detective Controls (primarily in Operations, Product Control and Risk) and Corrective / Resilience Controls, drawn from 1st line attestations, KCIs and 2nd & 3rd line assurance; control types per Appendix III.]

Sources & footnotes (slide 24):
1. Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
2. Research by McKinsey & Co suggests that the number of top-risks for which appetite is set is on average 10 to 12 in retail banking, wealth management, asset management,
and capital markets and 15 in corporate and investment banking, (McKinsey & Co, (October 2023) "How a defined risk appetite can improve nonfinancial risk management").
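As an added illustration of slides 23 and 24 (example code written for this edit, not code from the presentation or the author's book): a KCI for a Preventive Control against a persistent threat, namely the share of critical and high vulnerability findings remediated within SLA, measured month by month and tested against an appetite threshold with the two triggers described later in the deck, a threshold breach and an adverse trend. The SLA days, the 70% threshold, the reporting date and the scan export are all constructed assumptions.

```python
"""Patching KCI against appetite: share of critical/high findings closed within SLA, by month.

Added example for this page, not code from the presentation or the author's book.
The SLAs, the appetite threshold and the scan export below are constructed assumptions.
"""
from collections import defaultdict
from datetime import date, timedelta

SLA_DAYS = {"critical": 14, "high": 30}   # assumed remediation SLAs; 'low' is out of scope
APPETITE_THRESHOLD = 0.70                  # assumed: at least 70% of due findings closed in SLA
AS_OF = date(2024, 1, 31)                  # reporting date for the constructed data

# Constructed vulnerability-scan export: (id, severity, first seen, closed or None if open).
FINDINGS = [
    ("F-01", "critical", date(2023, 10, 2),  date(2023, 10, 9)),
    ("F-02", "high",     date(2023, 9, 10),  date(2023, 10, 1)),
    ("F-03", "high",     date(2023, 10, 12), date(2023, 11, 2)),
    ("F-04", "critical", date(2023, 11, 3),  date(2023, 11, 10)),
    ("F-05", "high",     date(2023, 10, 20), date(2023, 11, 25)),  # closed after its SLA
    ("F-06", "high",     date(2023, 10, 25), date(2023, 11, 20)),
    ("F-07", "high",     date(2023, 11, 8),  date(2023, 12, 1)),
    ("F-08", "high",     date(2023, 11, 15), date(2023, 11, 30)),
    ("F-09", "critical", date(2023, 12, 1),  date(2023, 12, 20)),  # closed after its SLA
    ("F-10", "critical", date(2023, 12, 11), None),                # open, SLA lapsed
    ("F-11", "high",     date(2023, 12, 4),  date(2023, 12, 20)),
    ("F-12", "critical", date(2024, 1, 2),   date(2024, 1, 10)),
    ("F-13", "low",      date(2023, 12, 12), None),                # below KCI scope
    ("F-14", "critical", date(2024, 1, 25),  None),                # not yet due at AS_OF
]


def kci_by_month(findings=FINDINGS, as_of=AS_OF):
    """Return {YYYY-MM: (closed within SLA, due)}, keyed by the month each SLA deadline fell."""
    tally = defaultdict(lambda: [0, 0])
    for _fid, severity, first_seen, closed in findings:
        if severity not in SLA_DAYS:
            continue                                  # only in-scope severities count
        deadline = first_seen + timedelta(days=SLA_DAYS[severity])
        if deadline > as_of:
            continue                                  # not yet due: nothing to measure
        key = deadline.strftime("%Y-%m")
        tally[key][1] += 1
        if closed is not None and closed <= deadline:
            tally[key][0] += 1                        # an open finding past its SLA is a miss
    return {k: (v[0], v[1]) for k, v in sorted(tally.items())}


def kci_status(series, threshold=APPETITE_THRESHOLD, trend_months=2):
    """Apply the two triggers the page describes: 'breach' when the month's KCI is below
    the appetite threshold, 'adverse trend' when it has fallen in each of the last
    `trend_months` months (a KCI deteriorates downwards, unlike a loss metric)."""
    months = sorted(series)
    values = [series[m][0] / series[m][1] for m in months]
    status = {}
    for i, month in enumerate(months):
        flags = []
        if values[i] < threshold:
            flags.append("breach")
        recent = values[max(0, i - trend_months): i + 1]
        if len(recent) == trend_months + 1 and all(a > b for a, b in zip(recent, recent[1:])):
            flags.append("adverse trend")
        status[month] = (round(values[i], 3), flags or ["within appetite"])
    return status


if __name__ == "__main__":
    series = kci_by_month()
    for month, (value, flags) in kci_status(series).items():
        closed, due = series[month]
        print(f"{month}: {value:.2f} ({closed}/{due} within SLA) -> {', '.join(flags)}")
```

Two design points worth noting. Findings are bucketed by the month their SLA fell due rather than the month they were found, so an open finding past its SLA counts as a miss the moment its deadline passes; otherwise a backlog of unpatched criticals would never depress the KCI. And the trend trigger is evaluated separately from the breach, since a KCI can sit above threshold while falling for several months, which is exactly the situation where a persistent threat is about to find the gap.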
2. APPETITE USING NON-FINANCIAL MEASURES
- COMPARISON TO RCSA OUTPUTS FOR TOP-RISKS
Although flawed, heat-maps are commonly used tools to represent a firm's residual exposure to its "top-risks", based on the outputs of
RCSAs. Heat-maps can be overlaid with a firm's Operational Risk appetite, i.e. which squares on a "5 box matrix" are inside or outside
of appetite.

This illustration attempts to address some of the well known limitations of heat-maps, i.e. the:
 Axes are quantitative and roughly use log scales, to make differentiation easier; and
 Two risks are not represented as single data points, but instead their distributions are reflected.

[Figure: 5 x 5 heat-map with the Risk Appetite boundary overlaid. Likelihood axis (roughly log scale): Almost certain (100%), Possible (20 to 30%), Unlikely (10%), Highly unlikely (2%), Rare (<1%). Impact axis (roughly log scale): Minimal (>$0.1m), Limited (>$1m), Significant (>$10m), Severe (>$100m), Critical (>$1,000m). Plotted: (1) Damage to physical assets, as three distributions (Mistakes & omissions, Malicious acts, Acts of God); (2) Fat-fingered typing, as a distribution of Mistakes & omissions. No residual risks are both high frequency & high severity (slide 4).]

1. Damage to physical assets reflects three different "inadequacies or failures" with different frequencies, i.e.:
− Mistakes & omissions;
− Malicious acts; and
− Acts of God (slide 5).
2. Fat-fingered typing – all are mistakes & omissions but they may be exacerbated by:
− Effectiveness / ineffectiveness of controls (slide 6);
− Causes – market volatility (slides 11 & 12); and
− Business profile, i.e. trade sizes & volumes (slide 27).
Heat-maps can also reflect non-financial impacts, e.g. damage to reputation with regulators and clients, as well as operational
disruption. (slide 25)
2. OPERATIONAL RESILIENCE
- CONTINGENCY BETWEEN RTOs AND ITOLs
Regulators expect firms to be operationally resilient, i.e. that they can recover from disruption before causing intolerable harm to
clients, markets, and themselves. This diagram illustrates that firms should have some contingency time between when they expect to
recover and the point at which they would be causing intolerable harm. The scale of this contingency should form part of their appetite.

[Figure: representation of RTOs, ITOLs, and contingency along a time axis. The Recovery Time Objective (RTO) is made up of the time to restore infrastructure, restore applications, and restore & validate data; the Impact Tolerance (ITOL) sits further along the axis; the gap between the two is the contingency. Recovery Time Objectives are the equivalent of the lag on slide 10 between Detection and Correction.] (slide 26)
2. LIMITS
- FAT-FINGER LIMITS
Firms can set limits which restrict their Operational Risk losses with varying degrees of precision, e.g. operational limits on the
volume of transactions that require manual intervention, to reduce stretch, whilst fat-finger limits more directly restrict a firm's losses
from mistakes & omissions by sales & trading staff. The formula below links these limits to appetite for expected & unexpected losses.

Representation of the impact of fat-finger limits on losses and their link to Operational Risk appetite 1

[Figure: distribution of fat-finger impacts, with gains to the left, losses to the right and likelihood on the vertical axis, on the scale of 1-day movements in the FTSE 100 (Jan 1984 to August 2015). The body of the distribution, inside of appetite, corresponds to a low trade size plus a 'buy : sell' error, a small adverse movement, and an error that is quickly identified. The tail, outside of appetite, corresponds to a large trade size (+/- additional 000's), a very volatile market, and a delay in identifying the error. The fat-finger limit truncates both tails, so it also restricts the potential for gains.]

Appetite for fat-finger losses ≥ Fat-finger limit × 2 (buy : sell error) × Market volatility (1-day market movements, with different likelihoods)

Source (slide 27):
1. Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
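The relationship on this slide can be turned round to derive the fat-finger limit that a given loss appetite implies at each likelihood. The example below does that (code written for this edit, not from the presentation or the author's book), reading the page's factor of 2 as the doubling of exposure from a buy : sell error and taking the adverse 1-day move as an empirical quantile of a return series. The return series is a constructed fat-tailed stand-in, not FTSE 100 data, and the appetite figure, the likelihoods and the 250-trading-day convention are assumptions. It also handles the case a practitioner hits immediately: the history is too short to contain a 1-in-100-year day, so the worst observed move is a floor, not an estimate.

```python
"""Fat-finger limit implied by an appetite for fat-finger losses.

Added example for this page, not code from the presentation or the author's book.
It applies the page's relationship
    appetite for fat-finger losses >= fat-finger limit x 2 (buy:sell error) x 1-day market move
by solving for the limit. The return series is a constructed stand-in, not FTSE 100 data,
and the appetite figures, likelihoods and trading-day convention are assumptions.
"""
import math
import random

TRADING_DAYS_PER_YEAR = 250      # assumed convention for turning '1 in N years' into a daily probability


def constructed_daily_returns(n=10_000, seed=7):
    """Deterministic fat-tailed stand-in for 1-day index returns (constructed, not market data):
    a Gaussian body plus, on about 1% of days, a jump of 3% to 10% in either direction."""
    rng = random.Random(seed)
    returns = []
    for _ in range(n):
        r = rng.gauss(0.0, 0.01)
        if rng.random() < 0.01:
            r += rng.choice([-1, 1]) * rng.uniform(0.03, 0.10)
        returns.append(r)
    return returns


def adverse_move(returns, one_in_years, trading_days=TRADING_DAYS_PER_YEAR):
    """Empirical adverse 1-day move (a positive fraction) at a '1 in N years' likelihood.
    Returns (move, resolvable). When the sample is too short to contain a day that remote,
    the worst observed move is returned with resolvable=False: the limit then needs a
    scenario-based move, not a historical one."""
    p = 1.0 / (one_in_years * trading_days)           # daily exceedance probability
    losses = sorted(-r for r in returns if r < 0)     # ascending, so the worst loss is last
    expected_count = p * len(returns)                 # days this remote the sample should hold
    if expected_count < 1.0:
        return losses[-1], False
    k = math.ceil(expected_count)                     # k-th worst loss has exceedance ~ k/n
    return losses[-k], True


def implied_fat_finger_limit(loss_appetite, move, error_multiplier=2.0):
    """Largest trade size such that a buy:sell error (exposure = 2 x the intended trade)
    hit by `move` stays inside appetite: limit = appetite / (2 x move)."""
    return loss_appetite / (error_multiplier * move)


def limits_for_appetite(loss_appetite, likelihoods_years, returns):
    """For each likelihood: the adverse move, the implied fat-finger limit, and whether
    the move came from the data or fell back to the worst observed day."""
    out = {}
    for years in likelihoods_years:
        move, resolvable = adverse_move(returns, years)
        out[years] = (move, implied_fat_finger_limit(loss_appetite, move), resolvable)
    return out


if __name__ == "__main__":
    rets = constructed_daily_returns()
    for years, (move, limit, ok) in limits_for_appetite(5_000_000, [1, 10, 25, 100], rets).items():
        note = "" if ok else "  (sample too short; worst observed day used)"
        print(f"1 in {years:>3} years: move {move:6.2%} -> limit {limit:14,.0f}{note}")
```

The more remote the likelihood, the larger the adverse move and the smaller the limit, so a single fat-finger limit has to be set against the likelihood the appetite statement actually names (the deck's "Y% of revenues, 1 in 25 years or 50 years" form). The `resolvable` flag is the caveat: 40 years of daily history cannot evidence a 1-in-100-year move, which is why the page pairs these limits with scenario analysis.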
2. ASSESSMENT OF DIFFERENT MEASURES OF APPETITE

The FSB (2013) expects that quantitative measures of appetite are capable of being cascaded and aggregated. The table below 1 assesses
different measures of Operational Risk appetite, and their relevance to different Operational Risk event types.

Proactive and reactive Operational Risk management

Potential risk appetite measures: Cumulative number of expected loss events; and Cumulative value of expected losses, e.g. absolute
level of appetite for losses (slide 19).
Assessment of measures:
 Difficult to cascade.
 Straightforward to aggregate.
 Scaling requires judgement.
 Backward-looking – difficult to evaluate new opportunities.
 Trigger for action, if either a threshold is breached or a metric is trending upwards.
Relevant event types:
 These are issues for all event types.
 High volume : low value events, e.g. mistakes & omissions and also external frauds for retail banking.

Potential risk appetite measure: Cumulative value of expected losses, e.g. expected losses as a % of revenues.
Assessment of measure:
 Straightforward both to cascade and aggregate.
 Automatically scales. But also backward-looking.
 Trigger for action, as above.
Relevant event types:
 All event types.
 High volume : low value events.

Potential risk appetite measure: Unexpected loss events, e.g. an unexpected loss as a % of revenues with a likelihood (slide 21).
Assessment of measure:
 Straightforward to cascade.
 Diversification hinders aggregation; a model is required.
 Scalable for % revenues.
 Forward-looking, can be used to evaluate new opportunities.
 Trigger for action, by comparison to scenarios.
Relevant event types:
 Low volume : high value events. Supports decision making for new business opportunities that generate remote but very high value
events, e.g. systemic misconduct.

Potential risk appetite measure: Target Return on Equity for businesses proactively taking Operational Risk (slide 21).
Assessment of measure:
 Straightforward to cascade, for material businesses.
 Diversification hinders aggregation.
 Scalable: N/A, as it can be a consistent % across the firm.
 Forward-looking, can be used to evaluate new opportunities.
 Trigger for action, if revenues fall and risks rise.
Relevant event types: effective for:
 Low volume : high value events; and
 Material businesses.
But can only be run infrequently and is insensitive to lower value risks.

Potential risk appetite measure: RCSA residual risks for top-risks on a heat-map (slide 25).
Assessment of measure:
 Straightforward to cascade.
 Diversification hinders aggregation.
 Scalable: N/A, if a consistent heat-map is used.
 Forward-looking, can be used to evaluate new opportunities.
 Trigger for action, for residual risks outside of appetite.
Relevant event types:
 Typically only top-risks are included on a heat-map.2

Sources & footnotes (slide 28):
1. Adapted from Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
2. Research by McKinsey & Co suggests that the number of top-risks for which appetite is set is on average 10 to 12 in retail banking, wealth management, asset management,
and capital markets and 15 in corporate and investment banking (McKinsey & Co, (October 2023) "How a defined risk appetite can improve nonfinancial risk management").
2. ASSESSMENT OF DIFFERENT MEASURES OF APPETITE

Proactive Operational Risk management

Potential risk appetite measure: Value of metrics (KRIs) that describe causal factors.2 (slides 23 & 24)
Assessment of measure:
 Cascade requires judgement.
 Difficult to aggregate.
 Scaling requires judgement.
 Trigger for action, forward-looking, but often imprecise.
 Cannot be used to evaluate new opportunities.
Relevant event types:
 High volume : low value events. KRIs indicating stretch may presage mistakes & omissions.
 Low volume : high value events. KRIs for economic slowdown (slide 12) may presage investor losses & litigation from historical sales.

Potential risk appetite measure: Value of metrics (KCIs) indicating the effectiveness of controls.2 (slides 23 & 24)
Assessment of measure:
 Straightforward to cascade.
 Difficult to aggregate.
 Scaling is not relevant.
 Trigger for action, forward-looking, but may be imprecise.
 Cannot be used to evaluate new opportunities.
 Relates to the current rather than the historical control environment.
Relevant event types:
 Persistent threats: KCIs are highly predictive if the controls are preventing persistent threats, e.g. cyber-crime.
 Inherently infrequent / rare: KCIs are much less predictive of losses if the controls are mitigating inherently infrequent / rare risks,
e.g. a pandemic.

Potential risk appetite measure: Recovery Time Objectives, RTOs, and Impact Tolerances, ITOLs (slide 26).
Assessment of measure:
 Bottom-up approach, so does not require cascade, aggregation or scaling.
 Trigger for action if a "severe but plausible" scenario would breach a tolerance.
 Can support investment decisions.
Relevant event types: business disruption leading to:
 Intolerable levels of harm to clients;
 Risks to a firm's safety and soundness;
 Threats to the UK's financial system; and
 Threats to the orderly operation of markets.

Potential risk appetite measure: Operational limits on business profile, e.g. the volume and value of transactions, and fat-finger
limits (slide 27).
Assessment of measure:
 Cascade requires judgement.
 Difficult to aggregate.
 Scaling is not relevant.
 Trigger for action when breached.
 Can form part of the evaluation of new opportunities.
Relevant event types:
 High volume : low value events. Volume limits may restrict stretch, and hence mistakes and omissions.
 Low volume : high value events. Value limits may restrict the scale of remote losses.

Whilst the aggregation of these metrics enables comparison to a firm-wide risk appetite statement, risks that are outside of appetite
in individual businesses, e.g. unacceptable backlogs in ongoing KYC, should still be escalated as breaches of appetite, even if the
firm as a whole is in line with its overall appetite statement.
Sources & footnotes (slide 29):
1. Adapted from Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
2. Research by McKinsey & Co suggests that three to five risk-specific metrics are used per risk type (McKinsey & Co, (October 2023) "How a defined risk appetite can improve
nonfinancial risk management").
2. CONCLUSIONS
The complexity of Operational Risk and its all-pervasive nature means that there can be no one solution for setting appetite, as
illustrated in the "Sandwich Diagram" that has been overlaid with different quantitative appetite measures. Different approaches also
support different objectives, e.g. triggers for action vs evaluation of new opportunities.

[Figure: "Sandwich Diagram" overlaid with the quantitative appetite measures described above.]

The relationship between KRIs and KCIs respectively and future losses is generally weak, the exceptions being:
 KCIs for Preventive Controls that are mitigating persistent threats; and
 KRIs highlighting signs of stretch, as these will be indicative of increased mistakes & omissions.

For risks that are inherently rare, and also those that have long lags between detection and settlement, the relationship between
current KCIs and losses will be especially weak, i.e. current losses will be driven by the status of KCIs 5 to 10 years ago, per slide 9.

As long as these limitations are recognised, then articulating appetite using these metrics is beneficial.
Source (slide 30): Adapted from Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
3. QUALITATIVE ARTICULATIONS OF
OPERATIONAL RISK APPETITE
3. INTRODUCTION
- QUALITATIVE ARTICULATIONS OF APPETITE
In response to the challenges of cascading Operational Risk appetite, firms have supplemented their quantitative appetite statements
with qualitative statements, in the form of a combination of:
 Acceptance: Risks that the firm accepts as part of its business strategy (slides 15 & 16);
 Avoidance: Details of activities and risks that a firm wishes to avoid; and
 Outcomes: Descriptions of desired and undesired outcomes for activities a firm wishes to undertake.

Activities that firms may wish to avoid are primarily associated with customers, products and services. For example, firms may wish to
avoid doing business with customers that present a higher risk of AML issues (e.g. bureau de change due to their handling of cash);
higher risk products (e.g. leveraged investment products) and services (e.g. provision of correspondent banking services), as well as,
proprietary and algo trading. A real world example of this is the following statement by HSBC’s then CEO in 2015: “We have absolutely
no appetite to do business with clients who are evading their taxes or who fail to meet our financial crime compliance standards”. 1

Outcome statements can be organised under the seven Basel II subcategories of Operational Risk and / or a firm’s top-risks. For
example, the High Street banks do not want to mis-sell products, as they did with PPI, but it is unlikely that they could put in place
controls to prevent this from ever occurring again, other than ceasing from selling the products altogether. Consequently, a more
realistic generic appetite statement might be to:

 “Seek to avoid the mis-sale of products – this drives Preventive Controls, e.g. in this case staff training; and to

 Identify promptly any systemic mis-sale – this drives Detective Controls, e.g. analysis of trends in sales, sampling of specific sales,
and mystery shopping. The frequency of these controls must reflect the rapidity with which losses are incurred (slide 7); and to

 Compensate any disadvantaged customers appropriately” – this drives a firm’s Corrective / Resilience Controls, such as their
complaints procedures and the rapidity of complaints handling, which can limit reputational damage.2
Sources & footnotes (slide 31):
1. This is an extract from an open letter published in some UK Sunday newspapers on 15th February, 2015 from HSBC's then CEO, Stuart Gulliver, and addressed to HSBC
customers and staff, and relating to the bank's Swiss Private Banking business.
2. Incorporating into appetite statements an articulation of how firms wish to respond to events is consistent with the UK regulators' Policy Statements on Operational Resilience.
3. EMBEDDING QUALITATIVE APPETITE STATEMENTS
Qualitative risk appetite statements can be embedded within a firm's policies, by setting out in each policy the risks covered, the firm's
appetite for those risks, and the key controls that keep the firm within appetite. There are three benefits of this approach:
1. Determining whether a firm's controls for mitigating its key risks are aligned to its stated Operational Risk appetite. Gaps and
inadequacies can then be addressed through remedial actions.
2. Linking policies to risks, and mapping them back to a taxonomy, provides assurance on the completeness of the policy framework.
3. Requiring policy owners to consider proactively the risks that their policies are designed to mitigate, and the potential impacts
of those policies.
The population of key controls that are required to keep a firm within appetite can be subject to additional 1st and 2nd line oversight,
e.g.:
 Reporting of KCIs against thresholds;
 Regular 1st line attestations;
 2nd line control assurance (slide 24); and
 Tracking of remedial actions relating to these key controls, with delays escalated.

[Figure: the Operational Risk Appetite Statement cascading into policies and their key controls.
Quantitative approaches:
 Cumulative number & value of losses.
 Expected Operational Risk losses: X% of revenues.
 Unexpected Operational Risk losses: Y% of revenues, 1 in 25 years or 50 years.
 Target RoE for proactive Operational Risk takers.
 Metrics: KRIs vs thresholds.
 Recovery time objectives / impact tolerances.
 Operational limits.
Qualitative approaches:
 Define desired and undesired outcomes.
For example, the quantitative approach to overseeing a policy's key controls:
 KCIs vs thresholds.
 1st line attestations.
 2nd line control assurance.
 Tracking of remedial actions.]
Source (slide 32): Adapted from Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
CONCLUSIONS
CONCLUSIONS
- RISK ACCEPTANCE
A potential outcome of setting Operational Risk Appetite is Risk Acceptance, i.e. a formally governed process (e.g. involving both the
Risk Owner and the owners of Risk Appetite) resulting from a firm having a residual Operational Risk exposure, which is outside of
appetite, and which cannot be brought quickly (this varies between firms1) back within appetite. Risk Acceptance probably uniquely
applies to Operational Risk, reflecting the combination of the:
• Challenges of measuring Operational Risk;
• Lack of fungibility, i.e. for Market Risk excessive VaR on one desk can be offset by reducing VaR on other desks. This is not the case
for Operational Risk; and
• Potentially long lead times for addressing some difficult to resolve control weaknesses leading to residual risks, outside of appetite.
[Poll chart: "What do you see as the key benefit of Risk Acceptance?" 2 The options included Escalation and Risk reduction.]

Sources & footnotes (slide 33):
1. LinkedIn Poll: 124 participants between 29th January and 1st February, 2024 showed 52% of respondents would initiate Risk Acceptance within 3 months of a risk being outside
of appetite.
2. LinkedIn Poll: also 124 participants between 22nd and 25th January, 2024.
3. CONCLUSIONS
The complexity of Operational Risk and its all-pervasive nature means that there can be no one solution for setting appetite, i.e.
different approaches are required for different risks and different objectives:
 Appetite for expected losses provides something akin to a stop loss limit for the most frequent loss events, i.e. EDPM (primarily
mistakes & omissions) and External Fraud losses, in Banking. There is clearly a dynamic balance (an efficient frontier) between the
costs of control and a firm’s Operational Risk profile for risks that are passively taken.
 Appetite for unexpected losses extends quantitative appetite statements to less frequent risks. These appetite statements enable
firms to conclude whether the outputs of their regular scenario analysis are either inside or outside of appetite. They can also be used
to evaluate insurance cover and new business opportunities, e.g. a new business line, if sufficiently different and material.
 Target return on equity can be used for businesses which actively take Operational Risk in order to generate fee & commission
income, but only if the businesses are large enough to model meaningfully economic capital.
 Limits set for operational metrics, i.e. the volume and value of transactions can both reduce the likelihood of Operational Risk
events and also their impacts respectively, e.g. fat-finger limits.
 Monitoring KRIs for internal causes (e.g. staff turnover) can also give an indication of whether a business’ risk profile is deteriorating,
but there is limited precision in the relationship with specific losses. Whilst setting thresholds for external metrics, that cannot be
controlled, can give an indication of whether a firm’s Operational Risk profile is deteriorating, these metrics may again lack precision.
In both cases the setting of these limits and thresholds is generally a matter of experience and judgement rather than science.
 Monitoring KCIs can be highly predictive if the controls mitigate persistent threats, e.g. patching and cyber-crime. They will,
however, be less predictive of future losses if they mitigate infrequent / rare risks.
 Qualitative statements on risks and activities to be accepted or avoided, and desirable and undesirable outcomes can help
Operational Risk managers to evaluate less material new opportunities. Additionally, embedding these qualitative statements into
policies can help to drive the implementation of appropriate mitigating key controls at all levels within a firm.
In conclusion, firms typically articulate appetite in broadly similar ways, i.e. overall qualitative statements and financial metrics,
supported by statements for their top risks, with related KRIs and KCIs. The challenge is to ensure that these statements genuinely add
value by being effective both as triggers for action and as inputs to the evaluation of new opportunities. (slide 34)
CHAPTER 7 OF MY BOOK - “TEN LAWS OF OPERATIONAL RISK”
- IS FOCUSED ON OPERATIONAL RISK APPETITE
“This book is different from all other operational risk books in the market.”
“…one of the most interesting risk reads of the last 20 years.”
“…a turning point in the field of Operational Risk”
"A book replete with important insights...”
“Explodes myths around Operational Risk”
“It will make you think differently about Operational Risk.”
“Unique & compelling.”
“…genuinely thought-provoking.”
“Assertions are evidence based…”
“…a remarkable synthesis of his insightful & innovative work.”
"Un imprescindible para los gestores de riesgos." - [An essential for risk managers.]
"Excellent ouvrage!" - [Excellent work!]
"Lesenswert" - [worth reading]
"Nice to see fresh ideas and analysis in Operational Risk."
"The Richard Dawkins of Operational Risk - another excellent contribution."
Pictures from readers in Abu Dhabi, Albania, Australia, Bangladesh, Brazil, Chile, Colombia, Denmark, the Dominican Republic, Germany, India,
Italy, Japan, Malaysia, Norway, Peru, Qatar, Saudi Arabia, Singapore, South Africa, Spain, Switzerland, Thailand, the UK, the US, and Vietnam. (slide 35)
YOU MAY ALSO WANT TO LOOK-UP MY PREVIOUS
RECORDINGS & SLIDES…
Previous presentations on Operational Risk management are available on LinkedIn via the hashtag #tenlawsofoprisk or my "posts"
for recorded presentations and "documents" for the slides:
Ten Laws of Operational Risk
1. A better bow-tie diagram?
2. Is Operational Risk really random?
3. The nature of inadequacies or failures.
4. How does business profile influence Operational Risk?
5. Are causal factors correlated?
6. Hares or tortoises: which losses are most expensive?
7. The importance of time: duration & lags.
8. How should an Operational Risk profile be represented?
9. How & why is Operational Risk sensitive to economic shocks.
10. Transforming Credit & Market Risks into Op Risk.
12. Do firms proactively take Op Risks to generate revenues?
14. Op Risk: Understanding its behaviours, to improve its management.
Practical risk management
11. Rogue trading: Techniques, Red Flags and Quantification.
13. Reputational Risk: Drivers, financial consequences & quantification.
24. Operational Risks arising from IT change.
25. Operational Risks from risk transfer via new products.
26. Tailoring RCSAs for Operational Risk's behaviours.
27. Predictive KRIs & KCIs - Op Risk's Holy Grail?
28. Using insurance to transfer Operational Risk.
30. Root cause analysis: "…tough on the causes of Op Risk".
32. The potential impacts of digitization & AI on Operational Risk.
Stress testing & scenario analysis
15. & 29. How the current economic conditions may drive Op Risk losses.
16. Systematic Estimation of the likelihood of remote events.
17. Systematic Estimation of the severity of remote events.
18. Validation techniques for scenario analysis.
21. Quantification of Operational Risks.
22. Emerging Op Risks: Looking back at 2022 and to 2023 & beyond.
23. Quantification of the financial consequences of reputational damage.
31. Bank failures & rescues: "Where there's a loss, there's a lawsuit".
34. AI's impacts on Operational Risk scenarios.
36. Emerging Op Risks: Looking back at 2023 and to 2024 & beyond.
Climate Change
19. Behavioural changes & economic consequences.
20. Transmission to Operational & Reputational Risks.
33. How Climate Change may impact Operational & Reputational Risks.
(slide 36)
APPENDICES
APPENDIX I: EVENT TAXONOMY BASED ON "INADEQUACIES OR
FAILURES" - HUMAN FAILINGS
Most Operational Risk events arise from human failings. A taxonomy of "inadequacies or failures" makes this clear (listed from the
common to the increasingly remote):

Basel II category: People
 Mistakes & omissions (common)
  Mistakes, primarily relating to data that is both physical and virtual:
   − Fat-fingers e.g. transposition errors.
   − Replication errors i.e. copying an existing error.
   − Duplication errors e.g. carrying out a task more than once.
   − Mis-communications.
   − Loss e.g. of data or physical documents.
   − Accidents e.g. "slips, trips & falls".
  Omissions:
   − Failure to carry out a task at all.
   − Failure to carry out a task on time i.e. to meet a deadline.
 Misconduct
   Individual misconduct.
   Systemic misconduct.
 Malicious acts 1 (increasingly remote)
   Theft.
   Fraud.
   Vandalism.

Sources & footnotes (slide 37):
Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
1. This is often driven by either "Greed" or "Need" (BDO, 2018 "FraudTrack Survey").
APPENDIX I: EVENT TAXONOMY BASED ON "INADEQUACIES OR
FAILURES" - VENDORS, LAWS OF PHYSICS, AND ACTS OF GOD
In addition to human failings, some events variously arise from the 2nd law of thermodynamics, credit defaults, and acts of God
(again listed from the common to the increasingly remote):

Basel II category: External
 Malicious acts 1 (common)
   Theft.
   Fraud.
   Vandalism & terrorism.
 Vendor & supplier failures
   All of the inadequacies or failures may impact 3rd & 4th parties.
   Credit defaults.
Basel II category: Systems
 Mistakes & omissions
   Disruption of software.
   Malfunction of applications.
   Disruption of data storage.
   Disruption of infrastructure.
 2nd law of thermodynamics 2
   Physical failures of hardware.
Basel II category: Process
 Mistakes & omissions
   Design ineffectiveness, leading to systemic failures.
   Excludes operating ineffectiveness, as these are People: Mistakes & Omissions.
Basel II category: External
 Acts of God (increasingly remote)
   Physical events, including Climate Change e.g. storms, floods, fires, extreme heat etc.

Sources & footnotes (slide 38):
Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
1. This is often driven by either "Greed", e.g. professional criminals, or "Need", e.g. customers in financial distress (BDO, 2018 "FraudTrack Survey").
2. All physical objects degrade over time per the 2nd law of thermodynamics.
APPENDIX II: CONTROL FAILURE TAXONOMY BASED ON
"INADEQUACIES OR FAILURES"
"Inadequacies or failures" represent both Operational Risk events and also control failures. The examples provided below are
explicitly described in 14 well documented Operational Risk events – the references are listed on slide 41.

Internal control failures – People (operating effectiveness)

Mistakes & omissions
Controls not performed, e.g.:
 "…the managers responsible…were unaware that their staff had stopped following agreed procedures [checks on internal trades]." a
Control incorrectly or partially performed, e.g.:
 "…in a number of instances, maker / checker controls were not properly evidenced and did not identify errors". b
 "Multiple limit breaches were routinely signed-off without rigorous investigation or actions taken to reduce positions". a
Failure to act on exceptions, e.g.:
 "Operations did not have the reflex to inform their…supervisors or Front Office supervisors of…anomalies" c
 "Certain control functions failed to escalate in a timely manner price testing variances that were identified…" d

Misconduct and Malicious Acts
The mistakes and omissions described above can also occur deliberately. In addition:
Circumvention of controls – falsification, e.g.:
 The FSA received complaint files which had been "altered improperly" in "the form of amendments to existing documents". e
 "To hide his losses and the size of his positions, he created fictitious options." f
Circumvention of controls – breach of segregation of duties, e.g.:
 A bank clerk made two fraudulent transfers with a total value of €90 million. "Two of [his] colleagues, whose passwords were used to
carry out and approve the transactions, were initially questioned but soon declared innocent". g
Circumvention of controls – collusion, e.g.:
 A trader "…sent a list of four AAA bonds to his bond salesman contact [at another bank]…and requested month-end prices for the
bonds. At approximately the same time, [he also] communicated to his contact the desired prices on the bonds". h

Source (slide 39): Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
APPENDIX II: CONTROL FAILURE TAXONOMY BASED ON
"INADEQUACIES OR FAILURES"

Internal control failures – Process (design effectiveness)
Poorly designed controls for achieving Completeness; Accuracy; Existence; Valuation; Cut-Off; Rights & Obligations; and
Presentation & Disclosure, e.g.:
 "The identification of suspicious trading patterns had to be performed manually. However, it was not generally feasible
for…desk supervisors to perform this task for high volume trading desks..." i
 The bank "extracted the relevant trading data for reconciliation purposes from its systems at different points in time which
created timing gaps". j
Missing controls, e.g.:
 The bank "… had no specific systems and controls relating to its LIBOR or EURIBOR submissions processes until December
2009". k
 The firm "…did not have…a control to compare orders leaving SMARS with those that entered it." l

Internal control failures – Systems (variously design or operating effectiveness)
 Disruption of software e.g.: "…while [the firm] had installed a tool to inspect network traffic for evidence of malicious
activity, an expired certificate prevented that tool from performing its intended function of detecting malicious traffic." m
 Application malfunctions e.g.: "…due to the concerns over the reliability of the VaR calculation, the VaR limit breaches in
currency options was removed from the front page of the report…". a
 Disruption of data & storage e.g. controls fail due to being fed incomplete, or inaccurate data, or data in the wrong format,
or untimely data.

External control failures – 3rd (and 4th) party failures
 Any of the above e.g. Non-Functional Testing "...had been constrained by the test environments…and…had been conducted
at lower volumes than originally planned". n

External control failures – Malicious Acts
 External circumvention of controls e.g. "…the attackers removed the data in small increments, using standard encrypted
web protocols to disguise the exchanges as normal network traffic." m
(slide 40)
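The last row describes the control circumvention a detective control has to be designed for: data leaving "in small increments" over standard HTTPS, so that no single flow looks abnormal. The example below (code written for this edit, not from the presentation or the cited GAO report) runs two rules over a constructed flow log: the naive per-flow size rule, which misses the low-and-slow pattern, and a sliding-window aggregation per source and destination that sums bytes sent and checks the host is pushing rather than pulling data. The flow records, the 24-hour window, the byte thresholds and the out:in ratio are all constructed assumptions.

```python
"""Low-and-slow exfiltration check over outbound flow records.

Added example for this page, not code from the presentation or the cited GAO report.
The flow records, window and thresholds are constructed assumptions. A per-flow size
rule misses data removed "in small increments" over HTTPS; summing bytes per
(source, destination) over a sliding window, and checking that the host is pushing
rather than pulling data, catches it.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)         # assumed aggregation window
OUT_BYTES_LIMIT = 50 * 1024 * 1024   # assumed: >50 MiB to one external host in the window
OUT_IN_RATIO = 5.0                   # assumed: client hosts normally download more than they upload
PER_FLOW_LIMIT = 10 * 1024 * 1024    # the naive single-flow rule that low-and-slow exfil evades

# Constructed flow log: (time, src, dst, dst_port, bytes_out, bytes_in)
_T0 = datetime(2024, 2, 26, 9, 0)
FLOWS = []
for _i in range(120):   # 120 HTTPS flows of ~900 KiB each, 7 minutes apart, to one external address
    FLOWS.append((_T0 + timedelta(minutes=7 * _i), "10.1.2.3", "203.0.113.10", 443, 900 * 1024, 4 * 1024))
for _i in range(3):     # a normal host: a few large downloads with small requests
    FLOWS.append((_T0 + timedelta(hours=_i), "10.1.2.4", "198.51.100.20", 443, 20 * 1024, 300 * 1024 * 1024))
FLOWS.append((_T0 + timedelta(hours=2), "10.1.2.5", "198.51.100.30", 443, 80 * 1024 * 1024, 10 * 1024))  # one big upload


def per_flow_alerts(flows, limit=PER_FLOW_LIMIT):
    """The naive rule: flag any single flow that sends more than `limit` bytes."""
    return sorted({(src, dst) for _t, src, dst, _port, out, _inn in flows if out > limit})


def aggregated_alerts(flows, window=WINDOW, out_limit=OUT_BYTES_LIMIT, ratio=OUT_IN_RATIO):
    """Sliding window per (src, dst): flag when bytes sent within any `window` exceed
    `out_limit` and also exceed `ratio` x bytes received. Returns {pair: (out, in, flows)}
    for the first window in which the pair trips the rule."""
    by_pair = defaultdict(list)
    for t, src, dst, _port, out, inn in flows:
        by_pair[(src, dst)].append((t, out, inn))
    alerts = {}
    for pair, recs in by_pair.items():
        recs.sort()
        start = out_sum = in_sum = 0
        for end, (t, out, inn) in enumerate(recs):
            out_sum += out
            in_sum += inn
            while t - recs[start][0] > window:        # evict records that fell out of the window
                out_sum -= recs[start][1]
                in_sum -= recs[start][2]
                start += 1
            if out_sum > out_limit and out_sum > ratio * max(in_sum, 1):
                alerts[pair] = (out_sum, in_sum, end - start + 1)
                break
    return alerts


if __name__ == "__main__":
    print("per-flow rule:   ", per_flow_alerts(FLOWS))
    for pair, (out, inn, n) in aggregated_alerts(FLOWS).items():
        print(f"aggregated rule: {pair} sent {out / 2**20:.1f} MiB over {n} flows, received {inn / 2**20:.2f} MiB")
```

The per-flow rule fires only on the single 80 MiB upload; the aggregated rule fires on that and on the host that trickled out over 100 MiB in 900 KiB pieces, while leaving the host that downloaded 900 MiB alone because its out:in ratio is tiny. Two caveats a practitioner would add: the out:in test is tuned for client hosts, so servers and backup agents need their own baselines, and the rule is only as good as the sensor feeding it. The expired-certificate failure quoted two rows above is the reminder that the health of the detective control itself (is the inspection tool still decrypting and seeing traffic?) needs its own KCI, not just the alerts it produces.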
APPENDIX II: CONTROL FAILURE TAXONOMY BASED ON
“INADEQUACIES OR FAILURES” - REFERENCES
a. PwC, “Investigation into foreign exchange losses at the National Australia Bank”, 12th March 2004.
b. PRA, “Final Notice Citigroup Global Markets Limited…” et al, 26th November 2019.
c. Societe Generale, “Mission Green: Summary Report”, 20th May 2008.
d. FSA, “Final Notice: Credit Suisse International and Credit Suisse Securities (Europe) Limited”, 13th August 2008.
e. FSA, “Final Notice: UK Insurance Limited”, 17th January 2012.
f. The Ludwig Report, “Report to the Boards of Directors of Allied Irish Banks, P.L.C., Allfirst Financial INC., and Allfirst Bank
concerning currency trading losses”, 12th March 2002.
g. BBC, “Clerk jailed for £72m bank fraud”, 7th July 2008.
h. SEC, “Securities and Exchange Commission, Plaintiff, v. Kareem Serageldin, David Higgs, Faisal Siddiqii and Salmaan Siddiqui,
Defendants.” 1st February 2012.
i. FINMA, “UBS trading losses in London: FINMA finds major control failures”, 26th November 2012.
j. SFC, "SFC reprimands and fines The Royal Bank of Scotland PLC $6 million for internal control failings", 22nd April 2014.
k. FSA, “Barclays fined £59.5 million for significant failings in relation to LIBOR and EURIBOR”, 27th June 2012.
l. SEC, “SEC Charges Knight Capital With Violations of Market Access Rule”, 16th October 2013.
m. US Government Accountability Office, Report to Congressional Requesters “DATA PROTECTION Actions Taken by Equifax and
Federal Agencies in Response to the 2017 Breach”, August 2018.
n. Slaughter & May, "An independent review following TSB's migration onto a new IT platform in April 2018", October 2019.
41
Source: Grimwade, M., (December 2021) “Ten Laws of Operational Risk”, Wiley & Sons.
APPENDIX III: COVERAGE OF OP RISKS BY INSURANCE
- HISTORICAL DATA
The Basel Committee collected data on losses and recoveries from 30 banks for 1998 to 2000 (QIS-2). Whilst the number of events with
insurance recoveries in this two-decade-old data is low, this may reflect its fat-tailed nature, i.e. losses ≥€1m represented just 2.3% of
the total number of loss events ≥€10k, but 73% of the total value of these losses. Successful claims had high recovery rates.
(slide 14)

[Table: QIS-2 loss and recovery data.] (slide 42)
APPENDIX III: COVERAGE OF OP RISKS BY INSURANCE
- MAPPING TO "INADEQUACIES OR FAILURES" AND IMPACTS
The coverage of insurance policies can be illustrated by over-laying policies onto a matrix of taxonomies of events and financial impacts.

[Matrix: rows are the "inadequacies or failures" taxonomy; columns are the financial impacts, split between P&L items and Balance sheet items; insurance policies are overlaid on the cells they cover.]
Footnotes:
1. May include incident response support.
2. Theft of misdirected payments.
Source (slide 43): Grimwade, M., (December 2021) "Ten Laws of Operational Risk", Wiley & Sons.
