Introduction

• Monitoring operational risk helps boards and decision-makers evaluate risk management and ensure the organization stays within its risk appetite. Reports identify breaches, unexpected losses, and incidents, highlighting weaknesses in the risk management framework and prompting corrective actions. It is important to understand the best practices and challenges for effective risk monitoring, oversight, and reporting.
• Internal and external audiences served by operational risk reporting include the board’s risk committee, executive committee, central operational risk function, and relevant business lines, as well as external stakeholders such as regulators, the general public, suppliers, and clients. Depending on their role and interests in monitoring operational risk, each audience requires different information.
• Details about an organization’s operational risk profile include its exposure to operational risk, prior risk incidents, risk appetite and indicators, risk mitigation strategy, and resilience measures.

Risk Committee Of Board Of Directors

• The board risk committee oversees the effectiveness of the risk management framework for all risks, including operational risk. It requires adequate reporting on the firm’s operations to ensure the control and monitoring systems comply with the board’s established risk appetite and operate effectively within its limits. The committee operates under the board’s authority.
• The board risk committee will be provided with details on important risk indicators aligned with the firm’s risk appetite, the frequency and severity of risk events, and investigations into the root causes of significant incidents. It will also receive a summarized view of the operational risk exposure, emerging risks, and upward trends in operational risks. Any major issues with the control system or the operational risk status will be brought to the attention of the board risk committee.
• To improve the firm’s risk management profile, the executive committee will implement changes as directed by the board risk committee.

The Audit Committee

• The audit committee, a subcommittee of the board, oversees the third level of operational risk through the firm’s internal audit activities, which fall under the third line of defense. The internal audit function is responsible for more than just operational risk, and it frequently audits the operational risk function, reporting to the executive and audit committees.
• Internal audit and the audit committee have several overlaps in ORM activities, as they are in charge of ensuring the organization’s internal control system’s assurance. The audit committee is informed of any control system flaws discovered during internal audits.
• Because responsibilities may overlap, board members can serve on both the risk and audit committees to ensure continuity between identified operational flaws and risk-mitigation strategies.

The Executive Committee

• The Executive committee, or ExCo, comprises of elected board members and senior executives. It serves as a subcommittee of the board and functions as a steering committee. It assists in decision-making between board meetings and in times of crisis. In non-crisis situations, it determines the key issues that require the attention of the full board, supervises board policies, and upholds good governance practices.
• The ExCo is in charge of ensuring that the ORM framework is implemented correctly and efficiently in the context of risk management. The ORM reporting provided to the ExCo includes all significant information indicating the implementation and effectiveness of this framework, along with any problems or improvements that need to be made. This includes risk events, action plans, issue remediation progress, cultural and usage test indicators, and risk trends and exposure.

CORF And Operational Risk Committee

• The central operational risk function (second line of defence) collects all the important operational risk information from different parts of the organization, and creates a report that combines all the information for the operational risk committee. They also give feedback to different parts of the organization. This includes information on operational risk events, risk exposures, controls, indicators, status of action plans, and changes to the risk profile due to new initiatives or emerging trends.
• The central ORM function should analyze and present the information in a way that helps different stakeholders make decisions. They can report on cross-cutting risks that are often managed separately by different parts of the organization. Their role is to provide a complete view of the different risks and how they interact to give a comprehensive picture of the operational risk profile of the organization.
• A key responsibility of the central ORM function in operational risk reporting is to organize and streamline the various reporting procedures for each risk type and business line to avoid redundancy and provide a complete overview.

Business-Line Managers And Risk Champions

• The business operations level collects operational risk data and closely monitors key risk indicators (KRIs), action plan progress, and operational risk events. This information is then shared with the central ORM function for inclusion in the overall report on the organization’s operational risk profile.
• Feedback from operational risk reporting given to business-line managers and risk champions which allows them to monitor and compare their operational risks with other parts of the organization, as well as with a firm-wide average.
• Management reporting can be difficult, especially with risk reporting. It’s hard to balance the amount of information provided – too much can lead to key information being overlooked, while too little can result in a lack of important insights. Some firms submit risk reports of several hundred pages to the board’s risk committee, which can be overwhelming. Too much information can bury important insights, while too little information can be meaningless. Therefore, finding the right balance is crucial.
• When designing risk reporting, it is important to determine what information to report to different audiences and how. Upper management, business departments, and units require varying levels of detail regarding operational risk information. Prioritizing which information to escalate and which to summarize is crucial when reporting to upper management or decision-making bodies. Key information should be communicated directly, while other information can be summarized in aggregated statements. High risks, near misses, and defective key controls are typically escalated without alteration, while other information is summarized.

Reporting On Non-Financial Risks Internally

• Reporting aims to align with the firm’s risk appetite, identify risk mitigation strategies, and monitor risk goals. The board risk committee, audit committee, and ExCo collaborate on strategy, but reporting provides a glimpse into operations to ensure goals are met. Operational risk assessment is challenging due to its newness, requiring attention to qualitative and quantitative tracking to evaluate changes. Credit and market risk metrics have long histories, while operational risk metrics do not.
• Several major banks have implemented a method called the “reporting cake” where risk information is divided into tiers when reporting to different levels of decision-makers. This tiered approach resembles a cake, where the amount of information reported to each subsequent level decreases as the tiers go up.
  

Content Of Operational Risk Reporting

• Operational reporting lacks uniformity across firms, with varying templates and focus areas. Some organizations emphasize past events and financial losses, while others prioritize forward- looking analysis and risk outlook. Mature ORM approaches tend to be more forward-looking in their reporting. Qualitative assessments and quantitative tracking of changes are both crucial monitoring techniques, with equal importance.
• A comprehensive internal ORM report typically consists of seven key components, as shown in this table which presents an example of quarterly report outline. Depending on the intended audience, the level of detail and specific elements included may vary. If the report is for business lines on a specific task, it will be more detailed about that task. If it is for high-level managers, it will be more of a summary.

  Main Components of Operational Risk Reporting
  1.	Top-10 risks and risk outlook
  2.	Heatmap and risk register
  3.	Risk appetite metrics
  4.	KRIs and issue monitoring
  5.	Incidents and near misses
  6.	Action plans and follow-up
  7.	Emerging risks and horizon scan findings

Top 10 Risks List And Outlook

• A list of the top-10 risks, or the list of the most important risks of the risk register (or risk inventory), is a crucial component of operational risk reporting, presenting prioritized operational risks based on strategic priorities. This list reflects management’s concerns for specific operational risks, either due to inherent exposure or residual exposure from ineffective control environments. For example, during the COVID-19 pandemic, firms prioritized risks such as staff well-being, working from home, and cyberattacks. Similarly, organizations with concerns about the effectiveness of their AML checks may include compliance breaches in their top-10 list.
• Top-10 operational risks of financial organizations often include regulatory and compliance breaches, cyberattacks, data loss, and technology breakdowns, as well as risks specific to each company’s activity. For firms undergoing digitalization or transformation projects, project management and transformation risks are likely to be prioritized in the top 10.
• Similar to the credit risk outlook provided by rating agencies, the risk outlook provides information on the anticipated changes in each top risk, indicating whether the risk is likely to increase, decrease, or remain stable.

Heatmap And Risk Register

• Operational risks are evaluated in business areas through an RCSA exercise that employs qualitative scales to assess their likelihood and impact. The outcomes of this exercise are consolidated in a risk register that catalogs all the operational risks evaluated in the business, including their descriptions, likelihood, and impact before and after the application of controls.
• Although similar to the top-10 risk template, a typical risk register also details the controls employed for each risk and evaluates their operational effectiveness to justify the level of residual risk assessed. The top-10 risk template is generally a subset of the highest risks recorded in the risk register.
• The heatmap or probability-impact matrix is an alternative representation of the risk register that presents information in a more visual format with two dimensions. This method is typically more effective and succinct, enabling important information to be conveyed on a single page without requiring the audience to read through detailed tables with small print.

Risk Appetite Metrics

• The risk function must report to the board on whether the company is operating within its risk appetite and appropriate action plans. This involves reporting on risk appetite and monitoring metrics such as overall risk exposure, control requirements, incidents, and near misses.
• These metrics are gathered and assessed at the business level both separately and in conjunction with issue monitoring. Metrics for measuring risk appetite, also known as “risk appetite KRIs”, are indicators intended to show how well a company complies with the risk limits for its operational risk appetite.
• Instead of being broken down into operational risk sub-categories, these metrics are typically presented as a consolidated list when they are presented to the board and higher levels of management.
• An example of risk appetite KRIs is presented in the table in the next page, inspired by the risk appetite and KRI structure of a retail bank in Europe. The data presented in the table is provided solely for illustrative purposes and may not reflect best practices for any company.

  KRI type	KRI Name	Threshold	Value	Value (t-1)	Score	Comment
  Loss events KRIs	# events above tolerated threshold	3	2	2	G
  	# of events without completed action plans	3	4	4	A	Delays in action plans following risk events in retail banking
  	# repeated losses	5	6	4	G
  	Total value of losses	1M	500K	400K	G
  	Total number of losses	200	80	75	G
  Overdues	Overdue high- / medium-risk audit recommendations	2	0	0	G
  	Overdue high-risk action plans	0	0	0	G
  People Risk	% vacancies per team	10	20	20	A	Recruitment challenges and war for talent
  	% vacancies > 3M	10	0	20	G
  	(1-% of high performers)	50	45	45	G
  	% engagement score	80	75	82	A	Reorganization project impacts morale
  KRIs related to activities and controls	% weak controls	10	20	30	A	Situation improving and expected to be solved soon
  	% controls not tested	20	15	20	G
  	# issues raised	10	10	20	G

KRIs And Issue Monitoring

• Using KRIs can offer detailed analysis of risk exposure in various activities or specific risk factors. Repurposing existing data within the organization is often a more efficient way to collect and report KRIs, rather than creating new data collection methods.
• “Issues” are indicators of problems in operations or controls that can cause incidents, such as documented IT issues, weak controls, overdue action plans, operational problems, or process delays. For instance, a new underwriting tool in a mortgage business has bugs causing errors and delays in closing loans, which may lead to legal and business implications if not resolved.
• Organizing issues for effective reporting is difficult, but necessary. Like KRIs, issues indicate higher operational risk events, particularly process-based issues that are specific to a business line or activity. Some issues can even serve as preventive KRIs, such as control weakness or system vulnerability metrics. To make reporting more useful, issues should be categorized by business line or as part of an identified emerging risk or major initiative.
• Tier-1 banks often reclassify an issue as a KRI if it remains unresolved beyond a set time period, typically three months.

Incidents And Near Misses

• Reporting on risk events, losses, and near misses is a crucial aspect of ORM reporting. Firms often begin their reporting by detailing what occurred during operational risk events and the associated costs. Operational risk event reports show the event number, size, frequency, and severity per period, business line, or unit. Trend analysis or comparison over time is included, with a separate narrative for larger incidents above an internal materiality threshold.
• Best practices recommend reporting each financial loss event above a threshold separately, classified to link to similar losses in the organization. Loss classifications are now standardized and shared across financial institutions, such as the ORX loss-data service classification. Even after standardization, reporting thresholds vary widely between firms. Some collect all events with a financial loss as low as $1, while others only collect events with losses over $10,000 or certain impact types.
• A strong ORM practice includes reporting near-miss events as well as actual losses. Near- misses provide a chance to learn and improve the system without the pain of actual losses. Reporting thresholds should theoretically be based on potential impact, but most firms and regulators use observed impact of events due to the difficulty of estimating potential impact.

Action Plans, Control And Remediation

• Action plans aim to improve the control environment by mitigating risks, and there are three types –
  • Corrective plans respond to unexpected operational loss events.
  • Detective controls identify potential incidents before they occur.
  • Preventive plans are designed to reduce the risk of specific operational events beyond the firm’s risk appetite.
• Business-line owners are responsible for tracking and reporting on action plans, implementing controls, and providing progress reports. A strong risk management culture aims to have no overdue action plans or audit recommendations and reports both current and overdue metrics to senior management and appropriate committees.

Emerging Risks And Horizon Scanning

• Firms are using horizon scanning to identify emerging risks and trends in a business environment that is becoming increasingly volatile. These risks are typically reported to the board risk committee on a monthly or quarterly basis. The focus of horizon scanning is often on regulatory risks and changes in compliance and regulations.
• During the 2007-2009 financial crisis, horizon scanning would have revealed weak operational controls related to the mortgage crisis, such as unrealistic property appraisals and inaccurate valuation of mortgage-backed securities.
• The figure shows a common representation of non-financial risks on the horizon of financial firms, with concentric circles indicating the likelihood of the risk occurring within one year, one to three years, or beyond three years. Best practices recommend that horizon scanning should take into account factors that could potentially cause changes in emerging risks and highlight changes in volatility.
  

Rules Of Valuable Reporting

• Operational risk reporting should follow a cost-benefit rule, with data collection being expensive, so it’s essential to ensure that it’s worth the cost and reflects senior management’s priorities. There are three analytical considerations reflected by the risk–return trade-off –
  • The value of the information collected must exceed the cost of collection
  • The firm must know how the information content will be used. The reporting process should align with management’s objectives and priorities, and support the organization’s goals.
  • Effective reporting should influence decision-making, even if the decision is to maintain business as usual (BAU) or the status quo. Rule 3 connects the first two rules, as information is valuable if it influences decision-making, regardless of the outcome.
• These guidelines are based on the “so what?” reporting approach, which aims to ensure that all collected and reported information serves a purpose in supporting the organization’s business- line objectives and senior management’s risk appetite strategies.

Challenges Of Non-Financial Risk Data Reporting

• The following are the main challenges to the reporting of operational risks –
  • Asymmetry of Operational Risk Event Data
  • Escalation of Large Risk Events
  • Large Number of Small Losses
  • Benchmarking Operational Losses
  • No Averages in Operational Risk
  • Outliers, Concentration, and Scenarios
  • Aggregation of Qualitative Risk Data

Asymmetry Of Operational Risk Data

• Operational loss data is characterized by a heavy-tailed or skewed statistical distribution. Typically, operational loss severity is concentrated in a relatively small number of low- frequency but high-severity loss events. In contrast, many organizations report a significant number of high-frequency, low-severity incidents that account for only a small part of the annual loss budget. This asymmetry in loss proportions has been consistently observed over time and across firms. Analysis of statistics from the largest operational risk data consortium, ORX, for the period 2014-2019 reveals the following proportions of losses from aggregated data from member banks, including most of the largest banks in the world –
  • Largest losses (> €10M) – only 0.4% of the occurrences, 66.6% of the total severity
  • Smallest losses (€20K–100K) – 57.9% of the occurrences, only 4.4% of the total severity
• Important implications for risk management priorities result from this significant asymmetry in loss proportions. Instead of getting distracted by the daily fluctuations, the emphasis should be on preventing and dealing with the major incidents in order to allocate risk management resources effectively. The frequent occurrence of relatively minor events that are visible but not severe can easily divert inexperienced risk managers, resulting in the inefficient use of resources.

Escalation Of Large Risk Events

• When large risk events and significant near misses that exceed the organization’s risk tolerance occur, they are typically identified promptly by management and the affected parties. These incidents must be immediately escalated to upper management for review and action.
• Detailed reporting, root-cause analysis, and remediation action plans are typically applied to large risk events. Such events are also considered outliers in the loss distribution, and therefore need to be reported separately from small losses to prevent the skewing of summary statistics and avoid presenting a misleading view of the loss distribution.

Large Number Of Small Losses

• The majority of operational risk incidents reported are small and frequent losses, with the number of reported events increasing as the incident reporting threshold is lowered. In organizations where process automation is not widely used and manual operations are prevalent, a higher number of human errors often lead to the reporting of many small losses.
• Regular identification and analysis of small and frequent losses is necessary to detect any patterns that could indicate a control breach or structural flaw in a process, requiring an action plan. If these losses occur randomly, with no identifiable pattern and are structurally limited, stable, and repetitive, their average cost can be passed on to customers as part of the cost of services.

Benchmarking Operational Losses

• Reporting operational risk losses relative to a benchmark, such as gross income or regulatory capital consumption, can aid management in decision-making for operational risk budgeting and regulatory capital allocation. To avoid consuming regulatory capital in the form of a Pillar 2 add-on, banks are increasingly reporting operational risk financial impacts in terms of basis points of regulatory capital.
• Reporting operational losses as a percentage of income or capital facilitates comparability across business units of different sizes. It also helps operational risk managers understand the cost-benefit trade-offs of implementing controls and operating restrictions.

No Averages In Operational Risk

• The asymmetric distribution of operational losses impacts how data is handled and reported. A key principle in operational risk is – “No averages in operational risk”.
• Averages are only useful in distributions that have low variance, no outliers, no clustering, and a single mode – characteristics that are typically not present in operational risk distributions. Better alternatives are the median and the first and third quartiles, which are easy to explain.
• Outliers often bias operational loss averages, so they should be removed from the dataset if an average is needed. The body of the distribution is more concentrated and symmetric, making classic descriptions like average, minimum, and maximum more suitable.
• Averages are close to the data in most cases but far from the positive and negative outliers. In risk management, the informational value lies in the detection of outliers.
• Averages hide the data’s diversity and don’t allow the observer to identify clusters or groups of related activities, clients, or workers that are pushing the operational metric upward or downward. Therefore, it is beneficial to examine the entire distribution and then focus on relevant subcategories, such as complaints by salesperson, which can reveal that a small number of salespeople are responsible for the majority of complaints.
• This table presents an example which contrasts the information value of reporting on operational risk metrics using averages with the insight provided by analysing concentrations and outliers that the reporting through averages may hide.

  Reporting with Averages	Hidden Concentrations and Outliers
  Uptime = 99.4%	Maximum Downtime = 3 hours 10 minutes
  Sick days = 2.1 days/ staff	3 burn-outs (absences of >90 days) 80% of absenteeism is absences of 1 or 2 days
  Customer complaints = 285/quarter	95% of complaints coming from 16% of the customers
  Operational loss = $5,286 /incident	Max loss = $297,000 Mass loss < $700 (93%)
  Average risk assessment for suppliers – Yellow (moderate risk)	One supplier – Red (high risk)

From Data To Information – Outliers, Concentrations And Scenarios

• The value of information in risk reporting and other types of reporting is found in deviations from the norm. For instance, abnormal spending patterns uncover credit card fraud, positive outliers exhibit exceptional trading performance, negative outliers display abnormally low volatility, and the top managers have high staff retention and productivity. Data patterns, distribution clusters, and observation distances are all significant indicators of value.
• Setting KRI thresholds and alert criteria is made easier by analysing multiple cycles of trends to create a baseline for abnormality detection. However, data analysis must consider the data’s unique nature to be effective. It would be incorrect to apply a general strategy and conventional summary statistics to various data-generating tasks.
• Risk reporting involves exploring the underlying reasons behind numbers to identify both positive and negative trends. Success stories offer valuable lessons and should be given equal attention in risk reporting, but unfortunately, most risk managers focus more on analyzing large loss events than highlighting successful outcomes.
• Analyzing operational loss patterns involves examining low, medium, and high-risk scenarios that could impact the loss profile. Climate change is a prime example of a factor that can accelerate losses due to environmental volatility. Weather-related damage and changes in regulatory and compliance frameworks can also result in operational losses if businesses fail to adjust to a changing operational environment. For example, inadequate business continuity plans may result in significant system downtime and loss of customer revenue.

Challenge Of Aggregating Qualitative Risk Data

• Operational risk reporting presents a unique challenge in that it involves the aggregation of qualitative data. Risk scores, color ratings, and other indicators are qualitative and not suitable for mathematical treatment. The numeric ratings assigned to risks, such as “5” for extreme and “1” for low, cannot be treated as additive or quantitative. Therefore, two risks rated “3” may not be equivalent to one risk rated “5” and another rated “1”. Even though they offer information about ordinal ranking, numerical risk ratings are no more quantitative or additive than color or adjective-based ratings.
• There are three options for aggregating qualitative data –
  • Conversion and addition – Quantify non-financial impacts of operational risks by converting them into a common monetary unit, which can be added to financial impacts for arithmetical aggregation. This method makes it simpler to compare various risk events and RCSA outcomes. While some organizations may find the assumptions and approximations uncomfortable, others appreciate the convenience of quantification and comparability. Monetizing non-financial impacts of operational risks also raises awareness of their magnitude and attracts the attention of senior management more effectively than a color-based rating system.
  • Categorization – If conversion to monetary value or continuous data is not possible or preferred, an alternative is to report risk scores and indicators by category, grouping them by color or score. This approach avoids collapsing diverse information into improper aggregates, and presents a balanced view of the risk profile while keeping reporting concise. A candle bar chart can be used to report RCSA results, KRIs, action plan ratings, and issues or audit recommendations, with red scores at the top to signify higher danger. This method can effectively represent the distribution of ratings in a simple and clear way. This figure presents an example of reporting with bar charts using categorization. Red scores are positioned at the top of the figure, which is designed as a “candle” to convey the message that the longer the flame, the higher the danger.
    
  • Worst-case reporting – The most conservative form of rating aggregation for a data set, such as a group of key risk indicators, is reporting the worst score as the aggregated value. For instance, if one item is rated as red, then the whole data set is considered as red. This approach is suitable when there is little tolerance for risk and the collected data are reliable indicators and predictors of risk. Although this approach is prudent, it may be overly alarming and even risky if it generates too many alerts, which could result in disregarding them.

Combined Assurance

• The three lines of defense work together for combined assurance to give proper insights on governance, risk, and control management to senior management and the audit committee. Internal assurance providers, such as ORM, risk management, compliance, and quality assurance functions, represent the second line of defense.
• Combined assurance involves coordinated oversight and assurance functions with shared scheduling, planning, reporting, terminology, and methodology.
• Combined assurance requires collaboration and coordination among the three lines of defense to agree on a risk taxonomy, assign risk ownership and accountability, and avoid duplication between internal audit and risk management reviews. The ORM function maintains the combined assurance map and reports results to the governance committee using a RAG status.
• The distribution of roles in combined assurance across the three lines of defense is –
  • The first line is responsible for reviewing risk and control assessment, testing controls, and attesting to the functionality of risk controls and risk management activities..
  • The second line oversees the risk management activities conducted in the first line, conducts detailed thematic analysis and risk assessment on specific risk types (deep dive), and performs sample testing on controls.
  • The third line conducts periodic internal audit activities of assurance, following the audit cycle.
• This figure shows an example of combined assurance reporting to the board risk committee with green, amber, and red cells indicating satisfactory, attention needed, and unsatisfactory risk ratings, respectively.

  Risk Assessment Units (risk type or assessment scope)	First line review (assessment, testing, attestation)	Second line review (oversight, deep dive, testing)	Third line review (internal audit)
  Cyber risk
  Compliance	no data
  Operational resilience
  Fraud
  Legal
  Third-party management and outsourcing
  Business Unit 1		no data
  Business Unit 2
  Legal entity A			no data
  Legal entity B
  Project 1	no data
  Project 2		no data

External Risk Reporting

• Public disclosure of financial and risk information is addressed by Pillar 3 of the Basel regulatory framework. Basel requires banks to incorporate operational risk information from the standardized approach for calculating their operational risk capital. This involves utilizing internal loss events from the last decade for banks that need to calculate an internal loss multiplier, and parameters from the past three years for determining operational risk capital via the business indicator component, applicable to all banks utilizing this method.
• Operational risk disclosure requirements include three types of information
  1. Qualitative information on operational risk management – This reporting section covers the regulated entity’s governance and risk management arrangements to handle operational risk. The report should detail policies, frameworks, and guidelines for managing operational risk, the structure and organization of the ORM and control function, and the systems and data used to estimate operational risk capital charge. It should also outline the operational risk reporting framework for executive management and the board and describe the risk mitigation and transfer techniques employed for managing operational risk under Pillar 3 regulatory reporting.
  2. Historical losses – Regulated entities must disclose their aggregate operational losses incurred over the past 10 years, based on the accounting date of the losses. This information is necessary for calculating operational risk capital for countries utilizing the internal loss multiplier in the SA. The disclosure format is fixed and determined by the national supervisor, who provides additional guidance. Banks and regulated entities should provide accompanying narratives explaining the rationale for the losses, commenting on losses since the last submission, and disclosing any other material information regarding historical losses or recoveries. However, confidential and proprietary information can be excluded from the disclosure.
  3. Business indicator and subcomponents – The third element of operational risk reporting is crucial for determining operational risk capital because it includes the disclosure of the business indicator and its subcomponents. The template should be used in conjunction with narrative commentary from banks and other regulated entities that elaborates on significant changes noted during the reporting period and the main causes of such changes.
• Regulators follow the principle that what cannot be proven is assumed to be non-existent, as reflected in the popular saying, “Absence of evidence is evidence of absence”. Therefore, risk managers’ verbal assertions are not sufficient confirmation for an auditor or regulator, and they require tangible evidence. Risk reporting and documentation are crucial to demonstrate the presence of risk controls and proper risk governance procedures, serving as proof to regulators and the market.
• Notifications of Incidents to the Regulator – Financial institutions must report significant operational risk events or any breach of conduct to regulators, in addition to notifying law enforcement of internal or external fraud, malfeasance, or terrorist activity. There are four criteria that may trigger the requirement to report operational risk events to regulators –
  • Materiality criteria – The events’ significance in relation to a loss or materiality threshold.
  • Reputation criteria – Any event that has a significant impact on the firm’s reputation.
  • Resilience criteria – Any event that could jeopardize the firm’s ability to continue providing adequate services to its customers and result in serious harm to a firm customer
  • Stability criteria – Any event that could have serious ramifications for the financial system.
• Regulated institutions must be transparent about their operational risks, despite the dilemma of disclosing internal failures. Maintaining trust with regulators is best achieved through transparency, and incidents of significant importance will likely be made public and affect external stakeholders.
• Reporting to the Market and Investors: Risk Section of the Annual Report – In addition to regulatory reporting requirements, financial institutions include information in their annual reports about their risk exposure and risk management practices. While financial risks predominate in these reports, operational risk is gaining traction. Transparency, awareness, and honesty are critical for businesses to appear trustworthy while avoiding unnecessary alarm about potential problems. According to research, firms that communicate their risks transparently and demonstrate competence in addressing them are more positively viewed by stakeholders and have greater trust in their brand and management.
• Operational resilience reporting will soon be added to operational risk reporting, in response to market and regulatory expectations. In the UK, regulated financial firms have begun a three- year transitional period starting in March 2022. By March 2025, they must map and test their important business services to ensure they remain within impact tolerances, invest accordingly, and report their progress to the regulator.