Operational Risk: What It Means and Why It Matters

Operational risk is defined as the risk of losses derived from inadequate or failed internal processes, people and systems or from external events. In practice, operational risk includes events like internal and external fraud, natural disasters, cybersecurity breaches and any other unforeseen business disruptions.

Operational risk has always been something that banks work to mitigate and account for as part of their ongoing risk management; however, if the U.S. proceeds to fully implement the latest Basel agreement, it would be going further by introducing a new separate capital charge calculation specifically for operational risk into the standardized approach.

  • This would be the first time that the U.S. standardized approach to calculating risk-weighted assets includes an explicit capital charge for operational risk.
  • By incorporating operational risk into the standardized approach, it would additionally potentially subject regional banks as well as foreign banks active in the U.S. to this new capital charge.

Under the Basel Finalization standards, the capital charge for operational risk is determined by the bank’s revenues from the previous three years. This includes income items such as interest income, interest expenses, fee income and expenses, as well as profit and losses from the buying and selling of securities. Additionally, the capital charge can be increased based on a 10-year window of historical losses that constitutes the internal loss multiplier (ILM). Thus, all else being equal, a firm with higher historical losses would face a higher operational risk capital charge. The capital charge for operational risk is a major factor that is expected to contribute to a significant overall increase in capital levels among larger banks under Basel Finalization.

Key Issues:

It is inappropriate to link the current operational risk charge to past historical losses, as large operational risk losses are rare, given that they represent unexpected and unforeseen circumstances, and are not necessarily predictive of future losses. Additionally, as business models change over time, the informational value of past losses diminishes. Therefore, U.S. regulators should consider negating the impact that the ILM would have in a way that E.U. and U.K. regulators have similarly already proposed, as the Basel agreement explicitly provides this option to domestic regulators.

Furthermore, the new capital charge for operational risk would disproportionally penalize banks whose business models rely more on noninterest and fee-based income, such as capital market activities, custodial services and credit cards, rather than interest income, as the calculation for operational risk capital includes a cap for interest income but not a similar cap for fee-based income. This is despite the fact that the first Basel proposal in 2016 contained a cap for fee-based income in order to avoid discriminating against banks that rely on this income more in their revenue mix.

Additionally, adding a specific capital charge for operational risk into the standardized approach disregards the fact that supervisory stress tests already incorporate a component related to a bank’s ability to withstand operational risk losses.


U.S. regulators should assess the Basel methodology to determine operational risk to ensure greater accuracy. Any adopted methodology should not (1) increase the operational risk charge due to past losses, in line with the approaches proposed by E.U. and U.K. regulators, or (2) penalize banks with fee-based business models, similar to what was first proposed by Basel in 2016. Finally, regulators should address the double-counting of operational risk in the Basel Finalization package and in the Fed’s supervisory stress tests.