Operational risk is the only Basel risk category that touches every line of business, every system, and every process inside a bank. This type of risk lives everywhere a transaction is executed, a system runs, or a person decides. Managing operational risk is the process of identifying, measuring, monitoring, and controlling this exposure with examiner-grade evidence.
The sections below walk through the seven Basel event-type categories, describe the five-step lifecycle, distinguish the framework from the technology, map the three lines of defense, name the regulatory anchors examiners cite, describe what an FI-grade ORM platform should do, and outline the current challenges.

What Is Operational Risk Management?
Operational risk management is the discipline of identifying, assessing, monitoring, and controlling losses arising from inadequate or failed internal processes, people, and systems, or from external events. The definition originates in the 2004 Basel II accord and has been absorbed into the FFIEC IT Examination Handbook that US examiners work from. The same definition holds for credit unions under NCUA supervision and for insurance carriers under NAIC ORSA.
Operational risk management is a second-line function. It owns methodology, taxonomy, and aggregation, but does not execute day-to-day controls (the first line) or provide independent assurance (the third line, internal audit). The second line’s value is framework, challenge, and synthesis.
The Seven Basel Event-Type Categories of Operational Risk
Basel II organised operational risk into seven event-type categories, and that taxonomy is now the standard reference across US banking regardless of whether the institution is internationally active or operates under simpler FFIEC frameworks.
The table below maps each category to a representative loss example, the second-line owner most likely to manage it, and the primary control type that applies in a community or regional bank context.
| Basel II event-type category | Representative bank loss example | Second-line owner | Primary control type |
|---|---|---|---|
| Internal fraud | Teller embezzlement, falsified loan files, unauthorised trading by an employee | Operational risk + fraud function | Segregation of duties, dual control, surveillance |
| External fraud | Wire fraud, ATM skimming, check kiting, account takeover, social engineering | Fraud function | Authentication, anomaly detection, customer education |
| Employment practices and workplace safety | EEO discrimination claim, branch workplace injury, harassment complaint | HR + legal | Policy, training, incident reporting |
| Clients, products, and business practices | Mis-selling of investment products, UDAAP violations, fair-lending breach | Compliance + operational risk | Product approval, sales-practice surveillance, complaint analytics |
| Damage to physical assets | Branch fire or flood, vandalism, natural disaster | Facilities + business continuity | Insurance, BCP/DR plans, physical security |
| Business disruption and system failures | Core banking outage, payments processor failure, cloud provider incident | Technology risk + resilience | Resilience testing, vendor-failover plans, redundant systems |
| Execution, delivery, and process management | Misrouted wire, settlement break, missed regulatory filing, vendor data error | Operational risk | Reconciliation, four-eyes review, exception management |
Loss profiles distribute differently across institution sizes:
- Community bank losses concentrate in external fraud and execution-delivery events.
- Regional banks add weight in business disruption and in clients-products-business-practices events tied to broader product portfolios.
- Globally active banks see loss across all seven, with the long tail dominated by litigation and regulatory matters.
The Operational Risk Management Lifecycle
Most operational risk programs are built around a five-step lifecycle that turns the discipline into a repeatable operating cadence. Each step has a defined output that examiners and internal audit ask for by name:
Identify
Process mapping, scenario workshops with first-line owners, and review of internal and external loss event data populate a risk register that names every material operational risk by Basel category, business unit, and inherent severity.
Assess
Each identified risk is scored on inherent and residual likelihood and severity through a Risk and Control Self-Assessment (RCSA). The RCSA engages first-line process owners, ties risks to controls, and produces a residual-risk score the second line challenges. RCSAs typically run annually with quarterly refresh on higher-risk processes.
Monitor
Key Risk Indicators are defined for the highest-priority risks, with thresholds that trigger escalation when breached. KRIs are leading where possible, rather than purely lagging loss data.
Control
Preventative, detective, and corrective controls are designed, documented, mapped to the risks they address, and tested on a defined cadence. The control library is the bridge between the risk register and the institution’s audit posture.
Report
Board-level reporting integrates loss data, KRI status, control test results, and emerging-risk signals into a quarterly view the board risk committee can act on. Regulator reporting follows the cadences specified in FFIEC, OCC, or NCUA guidance.
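The five steps above, carried through as one small worked model. This is an added illustration, not code from the page, from any regulator, or from any ORM vendor: a risk register scored through an RCSA, KRIs checked against amber/red thresholds, a loss-capture threshold from the loss event standard, and a board report that flags appetite breaches and escalations. The 1-5 likelihood/severity scales, the 0.0-1.0 control-effectiveness model, the appetite ceiling, the thresholds and the sample register, KRIs and loss events are all constructed assumptions.

```python
"""Toy operational-risk lifecycle: register -> RCSA -> KRI -> board report.
Added illustration only, not code from the page or from any ORM vendor. The
1-5 scales, 0.0-1.0 control effectiveness, appetite ceiling, loss-capture
threshold and all sample data are constructed assumptions."""
from collections import defaultdict
from dataclasses import dataclass, field

APPETITE_MAX_RESIDUAL = 12.0     # assumed board-approved ceiling on residual score
LOSS_CAPTURE_THRESHOLD = 1000.0  # assumed de-minimis threshold in the loss event standard
KRI_STATUS = ("green", "amber", "red")


@dataclass
class Control:
    name: str
    kind: str             # "preventative" | "detective" | "corrective"
    effectiveness: float  # 0.0 (no effect) .. 1.0 (fully effective), from control testing


@dataclass
class Risk:
    risk_id: str
    basel_category: str
    business_unit: str        # first-line owner of the process
    inherent_likelihood: int  # 1..5
    inherent_severity: int    # 1..5
    controls: list = field(default_factory=list)

    def inherent_score(self) -> float:
        return float(self.inherent_likelihood * self.inherent_severity)

    def residual_score(self) -> float:
        # RCSA residual: inherent score reduced by the strongest mapped control
        # (controls are not summed; assumed convention). An unmapped risk keeps
        # its full inherent score, which is what makes a control gap visible.
        if not self.controls:
            return self.inherent_score()
        best = max(c.effectiveness for c in self.controls)
        return round(self.inherent_score() * (1.0 - best), 2)


@dataclass
class KRI:
    name: str
    risk_id: str
    amber: float
    red: float
    higher_is_worse: bool = True  # False for pass rates etc., where a low value breaches

    def status(self, value: float) -> str:
        worse = (lambda v, t: v >= t) if self.higher_is_worse else (lambda v, t: v <= t)
        if worse(value, self.red):
            return "red"
        return "amber" if worse(value, self.amber) else "green"


def board_report(risks, kris, kri_values, loss_events):
    """Quarterly view: worst residual per Basel category, appetite breaches,
    KRI escalations (red before amber) and captured losses per category."""
    by_id = {r.risk_id: r for r in risks}
    residual_by_category = defaultdict(float)
    for r in risks:
        cat = r.basel_category
        residual_by_category[cat] = max(residual_by_category[cat], r.residual_score())
    breaches = sorted(r.risk_id for r in risks if r.residual_score() > APPETITE_MAX_RESIDUAL)
    escalations = [(k.name, k.status(kri_values[k.name]), by_id[k.risk_id].business_unit)
                   for k in kris]
    escalations = sorted((e for e in escalations if e[1] != "green"),
                         key=lambda e: (-KRI_STATUS.index(e[1]), e[0]))
    losses_by_category, below_threshold = defaultdict(float), 0
    for ev in loss_events:
        if ev["amount"] < LOSS_CAPTURE_THRESHOLD:
            below_threshold += 1  # counted, not aggregated, per the capture standard
            continue
        losses_by_category[ev["category"]] += ev["amount"]
    return {"residual_by_category": dict(residual_by_category),
            "appetite_breaches": breaches,
            "kri_escalations": escalations,
            "losses_by_category": dict(losses_by_category),
            "losses_below_threshold": below_threshold}


# Constructed sample register, KRIs, quarter-end KRI readings and loss events.
RISKS = [
    Risk("R1", "External fraud", "Retail Deposits", 4, 3,
         [Control("MFA on online banking", "preventative", 0.6),
          Control("Login anomaly detection", "detective", 0.7)]),
    Risk("R2", "Execution, delivery, and process management", "Wire Operations", 3, 5,
         [Control("Four-eyes wire release", "preventative", 0.5)]),
    Risk("R3", "Business disruption and system failures", "Core Banking", 3, 5,
         [Control("Annual DR failover test", "corrective", 0.1)]),
]
KRIS = [KRI("wire_exception_rate_pct", "R2", amber=2.0, red=5.0),
        KRI("failed_login_spike_ratio", "R1", amber=3.0, red=6.0),
        KRI("dr_test_pass_rate_pct", "R3", amber=90.0, red=75.0, higher_is_worse=False)]
KRI_VALUES = {"wire_exception_rate_pct": 2.7, "failed_login_spike_ratio": 1.2,
              "dr_test_pass_rate_pct": 70.0}
LOSS_EVENTS = [{"category": "External fraud", "amount": 25000.0},
               {"category": "External fraud", "amount": 400.0},  # below capture threshold
               {"category": "Execution, delivery, and process management", "amount": 8000.0}]


def sample_report():
    return board_report(RISKS, KRIS, KRI_VALUES, LOSS_EVENTS)
```

With the sample data, `sample_report()` shows the core-banking risk R3 breaching the assumed appetite ceiling (residual 13.5 against 12.0) because its only mapped control is a weak corrective one, the DR pass-rate KRI going red because it is a lower-is-worse indicator, the wire exception rate going amber, and one sub-threshold loss counted but excluded from the aggregate. An ORM platform replaces the in-memory lists with workflow, ownership and an audit trail, but the traceability the framework requires (every board figure back to a register entry, a control test and a stated threshold) is exactly what these functions make explicit.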
The Operational Risk Management Framework
An operational risk management framework is the documented governance scaffolding that makes the lifecycle repeatable, auditable, and defensible to examiners. The framework, the lifecycle, and the technology that supports them are separate.
A complete FI framework includes:
- A risk taxonomy aligned to the Basel categories
- A board-approved risk appetite statement translated into measurable thresholds
- An RCSA methodology
- A mapped control library
- A KRI methodology
- A loss event collection standard
- A scenario analysis approach
- A capital methodology where applicable
- Governance committees and escalation paths
Most US bank frameworks anchor to the FFIEC Operational Risk booklet and, for institutions over $50 billion, to the OCC Heightened Standards in 12 CFR 30 Appendix D. Credit unions anchor to NCUA Supervisory Letter 13-12. Internationally active banks anchor additionally to the Basel SMA.
The framework documents the institution’s choices (what gets captured, at what threshold, by which method) so examiners, internal audit, and the board can trace any output back to a stated methodology.
The Three Lines of Defense in Operational Risk Management
Operational risk management is delivered through the three-lines model:
The first line: Business unit risk owners
Accountable for identifying and managing risk in their processes; they execute the controls and own the residual risk.
The second line: Operational risk function
Owns the framework, methodology, challenge, and aggregation; they do not execute controls but are responsible for the quality of the program.
The third line: Internal audit
Provides independent assurance over the framework’s design and operating effectiveness.
The model is anchored in Institute of Internal Auditors guidance and is referenced explicitly in OCC Heightened Standards (12 CFR 30 Appendix D) for institutions over $50 billion, where the standards require independence of the second and third lines from the first. Smaller institutions adopt the model as best practice rather than as a regulatory requirement.
Regulatory Anchors for Operational Risk Management
The FFIEC IT Examination Handbook Operational Risk booklet is the most-cited reference for community and regional bank exams. The OCC Heightened Standards in 12 CFR 30 Appendix D apply to insured national banks, federal savings associations, and federal branches with average total consolidated assets of $50 billion or more, with smaller banks routinely adopting them as best practice. NCUA Supervisory Letter 13-12 sets enterprise-wide expectations for credit unions.
The Basel framework remains relevant even for institutions outside Basel capital rules. The seven event-type categories, the BCBS “Sound Practices for the Management and Supervision of Operational Risk,” and the Standardised Measurement Approach under BCBS d424 all influence US examiner thinking. The June 2023 interagency third-party risk guidance, issued jointly by the FRB, FDIC, and OCC, extends the operational risk perimeter to vendor and fintech relationships.
For 2026, the rescission of SR 11-7 in April and its reissuance as SR 26-02 / OCC Bulletin 2026-13 brought AI model risk fully into the operational risk umbrella. The Treasury Financial Services Sector AI Risk Management Framework, published February 2026, reinforces the same direction.
Operational Risk Management Software and Platform Capabilities
Operational risk management software is the technology layer that supports the framework and lifecycle. The capabilities expected of an FI-grade risk management system include:
- A unified risk register
- Configurable RCSA workflows
- A mapped control library
- KRI dashboards with threshold alerting
- Loss event capture with investigation workflow
- Scenario analysis tools
- Board-ready reporting
- A regulatory-change feed
Platforms such as Predict360 implement this capability set as connected modules. The operational risk module shares taxonomy and control library with the third-party risk, regulatory change, and audit modules so examiner-facing artifacts trace consistently across domains.
Operational Risk Management Challenges in 2026
Four challenges define the operational risk agenda heading through 2026:
1. Third-party concentration
Since the July 2024 CrowdStrike update outage, examiners scrutinise vendor concentration and substitutability. Institutions must now show that critical service dependencies have credible backup arrangements, including fourth-party dependencies that several of their vendors share.
2. AI model risk
The rescission of SR 11-7 and its reissuance as SR 26-02 / OCC Bulletin 2026-13, together with the Treasury FS AI RMF, brought AI model risk fully into the operational risk umbrella. Institutions deploying AI in lending, fraud, customer service, or operations are expected to integrate model risk into the lifecycle.
3. Operational resilience
Interagency operational resilience guidance for large banks, together with FFIEC business continuity expectations for smaller institutions, has pushed ORM beyond loss prevention into recovery design. Resilience testing, impact tolerances, and substitutability planning are now examiner-asked artifacts.
4. Loss data scarcity
Most community and regional banks have too few internal loss events, especially severe ones, to calibrate tail severity from their own history. Scenario analysis (structured workshops that imagine the event, estimate its frequency and severity, and stress-test the control posture) fills that gap with plausible events the institution has not yet experienced, supplemented by external loss data where it is available.
Frequently Asked Questions
What is the primary objective of operational risk management?
The primary objective is to keep operational losses within the institution’s stated risk appetite while preserving capital, customer trust, and regulatory standing. The objective is loss containment, resilience, and examiner-defensible evidence that the program is working as designed.
How does operational risk management differ from enterprise risk management?
Operational risk management is one of the risk domains that enterprise risk management aggregates. ERM covers credit, market, operational, liquidity, strategic, and reputational risk in a single board-level view. ORM is the second-line discipline that produces the operational-risk component of that view.
What is an operational risk management framework?
An operational risk management framework is the documented governance scaffolding around the discipline: risk taxonomy, appetite statement, RCSA methodology, control library, KRI methodology, loss event standard, scenario approach, and the committees and escalation paths that hold them together.
What are the three lines of defense in operational risk?
The first line (business unit owners) executes controls and owns residual risk in their processes. The second line (the operational risk function) owns framework, methodology, challenge, and aggregation. The third line (internal audit) provides independent assurance over the framework’s design and effectiveness.
The conceptual definition of operational risk has not changed since 2004, but the environment around it has. Third-party concentration, AI model risk, and operational resilience expectations have all expanded the discipline, making it important to continuously refresh your organization’s framework.
Learn more about enterprise risk management through our complimentary datasheet.
Discover how Ask Kaia can help your institution respond with more clarity, consistency, and confidence.