Operational Risk Management (ORM)


Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, systems, or external events.

Operational risk is present in every aspect of business operations, from day-to-day transactions to strategic decisions made by governing bodies.

The management of operational risk in banks in Bosnia and Herzegovina is based on the regulatory framework of two banking agencies, aligned with international Basel standards. The Basel II framework of 2004 formalised this definition and laid the foundation for the systematic measurement and management of this risk within the financial sector.
Today’s Basel IV standards have further refined the methodology and requirements. In this context, the regulator does not view operational risk merely as a technical category, but as an integral part of the overall corporate governance and risk management system. The role of the regulator is not to manage risks on behalf of the bank, but to ensure that the bank has the knowledge, capacity and discipline to manage its own operational risks in a sustainable and responsible manner.

Operational risk is the only risk that cannot be eliminated through growth: it grows alongside the organization, the complexity of its processes, and its digital transformation.

According to the risk map used for the annual identification of risks for the purposes of ICAAP and ILAAP, banks are required to include all 13 operational risk categories in their analysis:

  • Misconduct risk
  • Fraud risk
  • Employment practices and workplace safety risk
  • ICT & Security risk
  • Physical asset damage risk
  • Execution, delivery and process management risk
  • Legal risk
  • Compliance risk
  • Outsourcing risk
  • AML/CFT risk
  • Cyber risk
  • Model risk
  • Human resources risk

Categorizing Operational Risk by Root Cause

Categorizing operational risk by its underlying cause helps institutions focus their efforts and resources where they are most needed, rather than attempting to apply generic measures equally across all threats and weaknesses.


Processes

These risks arise from unclear, poorly defined, or inconsistently applied business processes. For example, inadequately maintained documentation, incomplete information, or misaligned procedures may lead to errors in decision‑making or task execution.

Example:
During an internal audit, it was identified that certain updates to client data (e.g., contact information) were not being properly documented. Although no direct financial loss occurred, the event was recorded as a near‑miss operational risk. From a risk and regulatory perspective, such findings are considered important indicators of weaknesses in the control environment.

Controls and procedures that are not consistently applied are a further typical process-related source of operational risk.

Human Factor

A significant portion of operational risks is linked to the human factor—errors, lack of training, employee turnover, negligent behaviour, or even intentional fraudulent actions. This type of risk is often underestimated, yet statistically represents one of the most common sources of operational losses.

Example:
A new branch employee incorrectly entered the loan maturity date, resulting in an inaccurate interest calculation. The error was discovered only after a client complaint. The event was recorded as an operational loss and used as a basis for additional staff training and strengthening data‑entry controls.


System‑Related Risks

The digitalization of business operations and reliance on IT systems bring numerous challenges: software bugs, inadequate security measures, or outages of critical applications can lead to serious consequences.

Example:
A bank experienced an error in batch processing due to a mismatch between card and current account data, resulting in incorrect interest calculations for a number of clients. The event was reported as an operational incident, and corrective actions included additional IT controls and improvements to pre‑production testing processes.


External Events

External factors such as natural disasters, political instability, or disruptions in outsourced services—although outside the institution’s direct control—can have a significant impact on its operations.


Example:
A delay by an external vendor in delivering bank cards led to an increased number of customer complaints. Even though the bank did not directly cause the issue, the regulator would classify such situations as outsourcing‑related operational risk, for which the bank remains fully accountable.

The Four Pillars of Operational Risk Management (ORM)

Pillar 1

Risk and Control Self‑Assessment (RCSA)

Risk and Control Self‑Assessment (RCSA) is a fundamental tool through which business lines themselves identify key risks and evaluate the effectiveness of existing controls. The outcome is a set of risk maps that display both inherent and residual risk for each process.

This is typically performed through workshops, interviews with key employees, business process analysis, and a review of historical incident data. The identification process must be comprehensive and systematic—if a risk is not recognized, it cannot be controlled or measured. An ideal approach includes:

  • mapping business processes
  • involving risk owners from all departments
  • analysing past incidents and errors
  • identifying weaknesses in control mechanisms

Pillar 2

Loss Data Collection (LDC)

Loss Data Collection (LDC) systematically records all operational losses above the institution’s defined materiality threshold. Internal loss data is complemented with external industry databases to support the modelling of rare but high‑severity events.

Pillar 3

Key Risk Indicators (KRI)

Key Risk Indicators are forward‑looking metrics that provide early signals of a potential deterioration in the risk profile. Examples include the number of failed transactions, employee turnover rate, the number of unresolved IT incidents, the percentage of missed regulatory deadlines, and similar indicators.

Pillar 4

Scenario Analysis

Stress testing and scenario analysis enable institutions to assess the potential impact of rare but high‑impact events such as cyber‑attacks, pandemics, or geopolitical crises. The results feed directly into the calculation and assessment of capital requirements.

Once risks have been identified and assessed, appropriate treatment strategies must be defined:

  • Risk avoidance — eliminating the process or activity that generates the risk
  • Risk reduction — strengthening controls, providing additional training, or introducing automation
  • Risk transfer — using insurance or outsourcing certain functions
  • Risk acceptance — with continuous monitoring and clearly defined risk limits


These strategies must be realistic and achievable, with clearly assigned responsibilities and adequate resources.

Reporting

Reporting is a critical final component of the operational risk management process. Without high‑quality and timely reporting, an institution lacks transparency and the ability to make informed decisions.

The role of reporting is multifaceted:

  • Internal management reporting — provides management with accurate information on the current risk profile and the effectiveness of risk treatment measures
  • Regulatory reporting — ensures compliance with supervisory requirements and industry standards
  • Analytical reporting — delivers deeper insights into root causes, trends, and impacts


It is now widely recognized that operational risk reporting must include clear narrative commentary: concise, focused on material risks, and directly linked to the institution’s business processes. Structured reporting enables not only the identification of issues but also effective response and strategic decision‑making. Regulators particularly value reports that do not obscure problems, but instead clearly identify them and track remediation until closure.

Roles and Responsibilities in Operational Risk Management

Modern ORM relies on the three‑lines‑of‑defense model, which clearly allocates responsibilities within the organization:

First line of defense – operational risk owners

The first line of defense consists of business units and operational management — all organizational parts of the bank that directly perform business activities and processes.

Roles and responsibilities of the first line:

  • identification of operational risks within their processes
  • recording operational risk events
  • implementation and execution of control measures
  • management of residual risk
  • participation in RCSA processes
  • monitoring KRI indicators
  • proposing and implementing mitigation measures

Business units are the owners of operational risks. This means that:

  • Risk Management is not the owner of operational risk → it is a control function
  • Responsibility for losses and incidents always remains with the business line, i.e., the first line of defense


One of the most common mistakes in practice is attempting to “shift” operational risk to the risk management function. The risk management function is a control function and performs oversight by establishing the mechanisms listed above. Process and system owners must remain aware of the operational risks arising from the processes they design and operate.

Second line of defense – risk management and compliance control functions

The second line of defense consists of:

  • the risk management function (Risk Management)
  • the compliance function (Compliance)
  • the information security function
  • other specialized control functions

Role of the Risk Management function:

  • development of policies and procedures
  • establishment of the operational risk management methodology
  • coordination of the RCSA process
  • definition of KRI indicators
  • consolidation of the operational risk event database
  • trend analysis and reporting
  • preparation of the bank’s operational risk profile
  • cooperation within ICAAP and ILAAP


The second line of defense oversees how this risk is managed and serves as an advisory function and an independent control mechanism aimed at reducing exposure to this type of risk and ensuring regulatory compliance.

Third line of defense – internal audit

The third line of defense is Internal Audit, as a fully independent function.

Role of Internal Audit:

  • independent assessment of the effectiveness of the ORM management system
  • verification of compliance with policies and procedures
  • audit of the RCSA process
  • audit of the operational risk event database
  • assessment of the adequacy of controls
  • reporting to the Management Board and the Supervisory Board


Its task is solely to perform independent testing and assessment of the effectiveness of the first two lines of defense, with independent reporting to the Management Board and the Supervisory Board.

The Management Board has operational and executive responsibility for the operational risk management system.

Key responsibilities of the Management Board:

  • establishing the ORM management system
  • adopting policies and procedures
  • ensuring adequate resources
  • implementing regulatory requirements
  • monitoring the bank’s operational risk profile
  • reviewing operational risk reports
  • making decisions on mitigation measures
  • integrating operational risk into business decisions


The Management Board is responsible for the functioning of the system in practice, not merely its formal existence. In many institutions, to support proactive operational risk management, an Operational Risk Management Committee is established, consisting of heads of organizational units and sponsored by a Management Board member, most commonly the CRO.


The Supervisory Board and its committees have a strategic and oversight role.

Key responsibilities of the Supervisory Board:

  • approving the operational risk management policy
  • overseeing the risk management system
  • reviewing operational risk reports
  • assessing the adequacy of capital for operational risk
  • ensuring the independence of control functions

The Management Board and the Supervisory Board bear ultimate responsibility for the effectiveness of the operational risk management system.


Operational risk is not merely a “technical problem of control functions”; it represents a fundamental challenge for every business. Its timely identification, assessment, and treatment require a structured approach, well‑designed controls and, above all, clear and relevant risk indicators. It is also important to recognize that all employees play a key role in preventing operational risks.

Why is a good process important?

Without a clear methodology, operational risks remain “invisible” until they materialize through an incident or a loss.

As a result:

  • the likelihood of significant financial losses increases
  • the organization’s reputation is damaged
  • the trust of regulators and clients is weakened

On the other hand, organizations that successfully integrate operational risk management into their strategy:

  • manage change faster and more effectively
  • reduce the number of unwanted (harmful) events
  • build a culture of accountability and transparency

It is also important to emphasize that the process does not end with treatment.

Reporting is what enables the institution to learn, improve its processes, and become more resilient.

In a world where change is rapid, transparency and the ability to respond in a timely manner become the organization’s most important asset.

Types of losses resulting from operational risk

Loss of time – due to correcting system errors, postings, etc., which cannot be quantified

Boundary credit loss – represents procedural and collateral errors, sales practices, legal opinions, etc.

Opportunity loss – income that would have been earned if the operational‑risk‑related event had been avoided

Operational gain – an operational risk event that resulted in a gain

Other losses – losses arising from operational risk events with undefined impact on the general ledger and/or not directly related to the event itself

Effective loss – write‑offs, penalties for breaches of laws and binding rules, court and out‑of‑court decisions and settlements, absence of fees, losses and damage to assets

Provision for potential loss – e.g., ongoing legal disputes with clients, employees, suppliers, etc.

Quickly recovered loss – a loss recovered within a short period (e.g. 5 days) from the date of occurrence; an example is transferring money to a client twice and receiving the second amount back, or a recovered cash shortage. If the 5‑day period crosses into a new financial year, the event is treated as an effective loss instead.

Avoided (potential) loss – a loss that could have occurred but was avoided in time; no error, no incident, only the possibility existed

Near miss – an event that could have resulted in a loss but was prevented before actual financial damage occurred; events prevented through timely control

Type of loss | Role
--- | ---
Actual loss | Capital
Near miss | Early warning
Potential loss | Prevention

Capital requirements and exposure to operational risk

Taking into account that the bank is primarily oriented toward profitability, with prudent management of capital and liquidity, operational risk has a significant impact on these processes.

The purpose of operational risk management is to increase the economic and market value of the bank’s assets and capital. This means that the objectives of banks must include: reviewing and controlling data quality, control and monitoring, measuring exposure to operational risk, preparing reports on the frequency and severity of operational risks, and improving methods of assessment, measurement, and minimizing operational risks in order to protect capital.

Banking Agencies in Bosnia and Herzegovina implement Basel II/III standards through the adaptation of EU directives (CRD/CRR), taking into account the specifics of the domestic market. Banks in BiH are required to maintain a minimum capital adequacy ratio of 12% (higher than the Basel minimum of 8%), additionally including regulatory and supervisory buffers. Banks are obliged to calculate a separate capital requirement for operational risk.

The capital requirement for operational risk directly reduces the bank’s available capital for lending and growth. Understanding the quantitative effects is crucial for strategic planning and optimization of the capital model.


The share of capital requirements for operational risk ranges from approximately 6.3% to 9.4%. The average share of operational risk is around 7.8% of total capital requirements.

Approach | Complexity | Capital requirement | Application
--- | --- | --- | ---
BIA (Basic Indicator) | Low | 15% × 3‑year average gross income | Small banks (Basel II and mostly banks in BiH)
TSA (Standardised) | Medium | β factors by business lines (12–18%) | Medium‑sized banks (Basel II, potentially some banks in BiH)
AMA (Advanced) | High | Internal models (LDA, scenarios) | G‑SIBs (Basel II, cancelled by Basel IV)
SMA (Standardised Measurement) | Mid‑high | BIC × ILM | EU banks from 2025 (Basel IV / CRR3)

Business Indicator (BI)

Business Indicator (BI) = Interest, Lease and Dividend Component (ILDC) + Services Component (SC) + Financial Component (FC).
The Business Indicator Component (BIC) is obtained by applying marginal rates:

  • 12% for BI below EUR 1 billion,
  • an additional 15% for the range EUR 1–30 billion,
  • and 18% for BI above EUR 30 billion.


Internal Loss Multiplier (ILM)

Internal Loss Multiplier (ILM) = ln(e − 1 + (LC/BIC)^0.8)
where LC is the average historical loss multiplied by 15.


The European Commission, under CRR3, grants supervisors the discretion to set ILM = 1 for smaller banks, thereby eliminating the penalization for institutions with low or non‑existent historical losses.
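As an added illustration that is not part of the original text, the following Python puts the BI, BIC, ILM and SMA capital formulas from the two sections above together in one calculation. The bank figures and the three‑year loss history are constructed sample values; the bucket edges (EUR 1 bn and EUR 30 bn) and the marginal rates are taken from the text, and the loss‑history length is an assumption.

```python
import math

# Marginal BIC rates quoted in the text: 12% up to EUR 1 bn,
# 15% for the EUR 1-30 bn range, 18% above EUR 30 bn (assumed bucket edges).
BIC_BUCKETS = [(1e9, 0.12), (30e9, 0.15), (math.inf, 0.18)]


def business_indicator(ildc, sc, fc):
    """BI = ILDC + SC + FC, all components in EUR."""
    return ildc + sc + fc


def business_indicator_component(bi):
    """Apply the marginal rates bucket by bucket (like a progressive schedule)."""
    bic, lower = 0.0, 0.0
    for upper, rate in BIC_BUCKETS:
        if bi <= lower:
            break
        bic += (min(bi, upper) - lower) * rate
        lower = upper
    return bic


def loss_component(annual_losses):
    """LC = 15 x average annual historical operational loss."""
    if not annual_losses:
        raise ValueError("loss history must contain at least one year")
    return 15 * sum(annual_losses) / len(annual_losses)


def internal_loss_multiplier(lc, bic, supervisory_override=False):
    """ILM = ln(e - 1 + (LC/BIC)^0.8); supervisors may fix ILM = 1 under CRR3."""
    if supervisory_override:
        return 1.0
    if bic <= 0:
        raise ValueError("BIC must be positive to compute the ILM")
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def sma_capital_requirement(bi, annual_losses, supervisory_override=False):
    """Return (capital requirement, BIC, ILM) under the SMA: K = BIC x ILM."""
    bic = business_indicator_component(bi)
    lc = loss_component(annual_losses)
    ilm = internal_loss_multiplier(lc, bic, supervisory_override)
    return bic * ilm, bic, ilm


if __name__ == "__main__":
    # Constructed sample bank: BI of EUR 0.8 bn, losses of 4, 6 and 8 million over three years.
    bi = business_indicator(ildc=500e6, sc=250e6, fc=50e6)
    for override in (False, True):
        k, bic, ilm = sma_capital_requirement(bi, [4e6, 6e6, 8e6], override)
        print(f"ILM override={override}: BIC={bic/1e6:.1f}m  ILM={ilm:.4f}  K={k/1e6:.1f}m")
```

With these inputs LC (90m) is slightly below BIC (96m), so the ILM falls just under 1 and the override actually raises the requirement; a bank with losses above its BIC sees the opposite.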

AI and Operational Risks

The use of artificial intelligence (AI) significantly transforms the role of operational risk management in institutions, as AI acts both as a powerful enhancement tool and as a source of new risks.

AI as an enabling technology helps redefine the role of operational risk management. Thanks to AI, risk management teams can shift their focus from reactive problem‑solving to proactive risk prediction and mitigation. AI enables automated, real‑time analysis of vast amounts of data to identify anomalies, predict system failures, and detect potential fraud faster and more accurately than is possible through human effort.

This automates many routine tasks, allowing risk professionals to concentrate on more complex, strategic decisions. For example, instead of manually reviewing transactions for suspicious patterns, AI models can automatically flag high‑risk transactions for further analysis, improving efficiency and reducing the likelihood of human error.

However, AI is simultaneously a significant source of new operational risks. This means that the role of risk management must expand to include new skills and strategies to address the unique challenges introduced by AI:

Bias and discrimination risk

AI models may unintentionally perpetuate existing biases in historical data, leading to unfair or discriminatory outcomes in hiring decisions, credit approvals, or service delivery. Risk managers must develop the skills to test and audit AI models for such biases.

Explainability and transparency challenges (“black‑box” risk)

Complex AI models, especially deep learning systems, often function as “black boxes,” making it difficult to explain how a specific decision was reached. This creates risks related to regulatory compliance and accountability. Risk managers must advocate for the development and implementation of explainable AI techniques.

AI‑specific security risks

AI systems can be targeted by new types of cyberattacks, such as adversarial attacks designed to mislead AI models, or data‑poisoning attacks that compromise model training. Risk management must incorporate cybersecurity measures tailored specifically to AI.

Dependency and over‑reliance risk

Excessive reliance on automated AI decisions can create risk if the system fails or produces incorrect outputs in unforeseen circumstances. Risk managers must design systems with appropriate levels of human oversight and fallback mechanisms.

In summary, the role of operational risk management is shifting from a traditional focus on infrastructure and processes to a more comprehensive, data‑driven and technologically advanced approach. This requires adopting new skills and knowledge to effectively leverage the benefits of AI while actively identifying, assessing, and mitigating the unique risks it introduces. Successfully managing these emerging risks is essential for maintaining trust in institutions and ensuring the responsible use of AI.

The objective of operational risk management is not—and must not be—“finding someone to blame,” but rather collecting real and accurate loss data for operational risk events and understanding their root causes, thereby continuously improving processes to mitigate risks.

Timely and accurate reporting of operational risk events ensures a well‑established operational risk management framework as part of the overall risk management system. This means it is a continuous process composed of the interconnected steps described above.

Text prepared by Alisa Bećirbegović and Vildana Hajdarević, with the support of AI tools.

If you notice an error or inconsistency, please let us know at: contact@riska.ba
