Question 1
Definition of Operational Risk
Operational risk refers to the possibility of loss resulting from inadequate or failed internal
processes, people, systems, or from external events. Unlike credit and market risks, which
are directly linked to financial transactions, operational risk is broader and arises from the
day-to-day functioning of an organisation. The Basel Committee on Banking Supervision
(BCBS) defines operational risk as “the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events” and explicitly includes legal
risk, but excludes strategic and reputational risk from the definition (BCBS, 2004).
In the South African context, operational risk has gained increasing prominence following
global financial crises and domestic corporate failures. The King IV Report on Corporate
Governance (2016) emphasises risk governance and identifies operational risk as a critical
dimension of enterprise risk management (ERM). As organisations become more digitised
and reliant on complex systems, the scope of operational risk has expanded to include cyber
risk, information security breaches, regulatory non-compliance, fraud, and disruptions
caused by geopolitical or environmental events (PwC, 2022).
Scholars have debated whether operational risk should be considered a “residual risk”
(emerging after other risks are accounted for) or whether it constitutes a stand-alone
category that requires specific methodologies for measurement and management
(Chernobai, Jorion & Yu, 2011). In practice, financial institutions, including banks regulated
by the South African Reserve Bank (SARB), are required to implement frameworks that
identify, measure, monitor, and control operational risk in line with Basel II and III
requirements.
A key feature of operational risk is its multidimensional nature: it encompasses risks linked to
human error (e.g., employee negligence), system failures (e.g., IT breakdowns), process
inadequacies (e.g., flawed transaction recording), and external shocks (e.g., natural
disasters, pandemics). The COVID-19 pandemic highlighted how operational resilience—the
ability of institutions to withstand and recover from shocks—is integral to operational risk
management (FSB, 2020).
Therefore, operational risk is not merely about avoiding losses but also about sustaining the
organisation’s long-term viability and protecting stakeholder value. A comprehensive
understanding of operational risk involves recognising its causes, mapping its impacts, and
embedding mitigation strategies within the governance and culture of the organisation.
Draft Design for the Operational Risk Report
An operational risk report is a structured document that captures, analyses, and
communicates an organisation’s operational risk profile. Its design should align with
regulatory requirements, internal governance frameworks, and the principle of transparency
for decision-making. The objective is to provide stakeholders—such as management, board
committees, and regulators—with timely and accurate insights into the institution’s risk
exposures, trends, and mitigation strategies.
A well-drafted operational risk report typically contains the following sections:
1. Executive Summary
This section provides a concise overview of the organisation’s operational risk profile,
highlighting key risks, emerging threats, and overall trends. It should be accessible to
senior executives who may not be specialists in risk management.
2. Risk Identification and Classification
Risks should be categorised under established typologies, for example: internal
fraud, external fraud, employment practices, business disruption, system failures,
and damage to physical assets (BCBS, 2004). Classification allows for consistency in
reporting and comparison across business units.
3. Risk Assessment and Measurement
This section outlines methodologies used to assess risk severity and likelihood, such
as risk scoring models, scenario analysis, or Key Risk Indicators (KRIs). Probabilistic
assessments may be supported with both qualitative and quantitative tools.
4. Risk Mapping and Heat Maps
Visual tools such as risk maps or heat maps can show the distribution of risks across
likelihood and impact dimensions. For example, cyberattacks may rank as high-impact
and high-likelihood, while natural disasters may be high-impact but lower-likelihood.
5. Loss Data and Incident Reporting
Historical data on operational losses, including root cause analyses, should be
included. This section enhances transparency and helps in calibrating risk models.
6. Mitigation Strategies and Controls
Details of existing control measures, risk responses (avoid, transfer, mitigate, or
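The scoring, KRI status and heat-map placement described in sections 3 and 4 above, as an added Python example that is not part of the original report design. The five-point likelihood and impact scales, the low/medium/high thresholds, the KRI thresholds and the sample risk register are all constructed assumptions; the event-type labels follow the Basel II typology the text cites.

```python
from collections import defaultdict
from dataclasses import dataclass

# Five-point ordinal scales. Assumption for this example: the text names the
# likelihood and impact dimensions but prescribes no particular scale.
LIKELIHOOD = {"rare": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"negligible": 1, "minor": 2, "moderate": 3, "major": 4, "severe": 5}


@dataclass(frozen=True)
class Risk:
    name: str
    category: str        # Basel II event-type label (BCBS, 2004)
    likelihood: str      # key into LIKELIHOOD
    impact: str          # key into IMPACT
    kri_name: str        # the Key Risk Indicator tracked for this risk
    kri_value: float     # latest observed KRI reading (higher is worse)
    kri_amber: float     # assumed thresholds: amber when value >= kri_amber,
    kri_red: float       # red when value >= kri_red


def inherent_score(risk: Risk) -> int:
    """Multiplicative likelihood x impact score on the two 5-point scales (1..25)."""
    return LIKELIHOOD[risk.likelihood] * IMPACT[risk.impact]


def rating(risk: Risk) -> str:
    """Map the score to low/medium/high.

    A plain product under-weights high-impact, low-likelihood events (a natural
    disaster scores 1 x 5 = 5, the same as a near-certain trivial nuisance), so
    this rule never lets a 'severe' impact rate below medium. The thresholds
    (>= 15 high, >= 8 medium) are an assumption for this example.
    """
    s = inherent_score(risk)
    if s >= 15:
        return "high"
    if s >= 8 or IMPACT[risk.impact] == 5:
        return "medium"
    return "low"


def kri_status(risk: Risk) -> str:
    """Traffic-light status of the risk's KRI against its thresholds."""
    if risk.kri_value >= risk.kri_red:
        return "red"
    if risk.kri_value >= risk.kri_amber:
        return "amber"
    return "green"


def heat_map(risks) -> dict:
    """Group risk names by (likelihood, impact) cell of the heat map."""
    cells = defaultdict(list)
    for r in risks:
        cells[(LIKELIHOOD[r.likelihood], IMPACT[r.impact])].append(r.name)
    return dict(cells)


def render_heat_map(risks) -> str:
    """ASCII 5x5 grid: rows are impact (severe at top), columns likelihood; cell = count."""
    cells = heat_map(risks)
    lines = ["impact \\ likelihood  " + "  ".join(f"L{l}" for l in range(1, 6))]
    for i in range(5, 0, -1):
        counts = [str(len(cells.get((l, i), []))) for l in range(1, 6)]
        lines.append(f"I{i}                   " + "   ".join(counts))
    return "\n".join(lines)


# Constructed sample register; values are illustrative, not from any real institution.
SAMPLE_RISKS = [
    Risk("Cyberattack on core banking platform", "business disruption",
         "likely", "severe", "critical patches overdue > 30 days", 12, 5, 10),
    Risk("Natural disaster at primary data centre", "damage to physical assets",
         "rare", "severe", "months since last DR failover test", 14, 6, 12),
    Risk("Flawed transaction recording", "execution, delivery and process management",
         "possible", "moderate", "unreconciled items > 5 days", 40, 50, 100),
    Risk("Unauthorised trading by staff", "internal fraud",
         "unlikely", "major", "open segregation-of-duties exceptions", 3, 5, 10),
    Risk("Minor branch equipment damage", "damage to physical assets",
         "unlikely", "minor", "incidents per quarter", 1, 4, 8),
]


def report(risks=SAMPLE_RISKS) -> list:
    """Rows for the risk-assessment section, sorted worst first."""
    rows = [(r.name, r.category, inherent_score(r), rating(r), kri_status(r)) for r in risks]
    return sorted(rows, key=lambda row: row[2], reverse=True)


if __name__ == "__main__":
    for row in report():
        print(row)
    print(render_heat_map(SAMPLE_RISKS))
```

Running the script prints the register sorted by inherent score and the 5x5 grid; the two risks the text uses as examples land in different cells (the cyberattack at likely/severe, the natural disaster at rare/severe), and the KRI column is what turns a static annual rating into something the report can track between assessments. The floor on severe-impact ratings is a deliberate design choice: a purely multiplicative score would rank the natural disaster below the minor equipment risk, which is exactly the distortion a heat map is meant to expose.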