BIS Paper Analyzes Operational and Cyber Risks in Financial Sector
BIS published a working paper that uses a unique cross-country dataset at the loss event level to document the evolution and characteristics of the operational risk of banks. The paper highlights that better supervision is associated with lower operational losses. It also provides an estimate of losses due to cyber events, which constitute a subset of operational loss events. Cyber losses are a small fraction of total operational losses, but can account for a significant share of total operational value-at-risk.
Representing a significant portion of total bank risks, operational risks are second only to credit risks as a source of losses. Thus, measuring and understanding operational risks, including cyber risks, is critical for both banks and public authorities. The paper uses a unique cross-country dataset from ORX, which is a consortium of financial institutions. The sample contains over 700,000 operational loss events from 2002 until the end of 2017 for a group of 74 large banks with headquarters worldwide. The granularity of the dataset allowed the authors to study the evolution of operational risks through time, compute an operational and cyber value-at-risk for financial intermediaries, document the time lag between occurrence, discovery and recognition of losses, and investigate the link between operational losses, macroeconomic conditions, and regulatory characteristics.
The results of the study show that, after a spike following the Great Financial Crisis, operational losses have fallen in recent years. The spike was largely due to losses arising from improper business practices in large banks that were incurred in the run-up to the crisis but recognized only later. Operational value-at-risk can vary substantially across banks—from 6% to 12% of total gross income—depending on the method used. These numbers are consistent with the actual capital requirements, but notably smaller than the basic indicator approach. The results provide some support for the shift to the standardized approach in Basel III.
The analysis shows that it takes, on average, more than a year for operational losses to be discovered and recognized in the books. However, there is significant variation across regions and event types. For instance, improper business practices and internal fraud events take longer to be discovered. Operational losses are not independent of macroeconomic conditions and regulatory characteristics. The paper shows that credit booms and periods of excessively accommodative monetary policy are followed by larger operational losses. Furthermore, it is to be noted that a higher quality of financial regulation and supervision is also associated with lower cyber losses. Despite representing a relatively minor share of operational losses, cyber losses can account for up to a third of total operational value-at-risk.
Related Links
Keywords: International, Banking, Operational Risk, Value-at-Risk, Cyber Risk, Standardized Approach, Research, BIS
Featured Experts

María Cañamero
Skilled market researcher; growth strategist; successful go-to-market campaign developer

Nicolas Degruson
Works with financial institutions, regulatory experts, business analysts, product managers, and software engineers to drive regulatory solutions across the globe.

Patrycja Oleksza
Applies proficiency and knowledge to regulatory capital and reporting analysis and coordinates business and product strategies in the banking technology area
Previous Article
SRB Chair Outlines MREL Expectations from Banks Amid COVID CrisisRelated Articles
ECB Finds Banks Unprepared for Pillar 3 Climate Risk Disclosures
The European Central Bank (ECB) published results of the 2022 supervisory assessment of climate-related and environmental risk disclosures among significant institutions (103) and a selected number of less significant institutions (28).
NCUA Assesses Credit Union Exposure to Climate-Related Physical Risks
The National Credit Union Administration (NCUA) released a Research Note that examines the exposure of credit unions to climate-related physical risks. In a related development
EBA Issues Multiple Regulatory and Reporting Updates for Banks
The European Banking Authority (EBA) is seeking comments, until July 31, 2023, on the draft Guidelines on the proposed common approach to the resubmission of historical data under the EBA reporting framework.
EC Adopts Regulation on Own Funds, Issues Other Updates
The European Commission adopted Delegated Regulations on own funds and eligible liabilities, on requirements for the internal methodology under the internal default risk model
CDP Platform to Report Plastic-Related Impact, Issues Other Updates
The Carbon Disclosure Project (CDP) announced that its global environmental disclosure platform has enabled reporting on plastic-related impact for nearly 7,000 companies worldwide
IASB to Enhance Reporting of Climate Risks, Proposes IFRS 9 Amendments
The International Accounting Standards Board (IASB) updated its work plan to enhance the reporting of climate-related risks in the financial statements,
BIS Addresses Data Gaps and Macro-Prudential Policy for Climate Risks
The Financial Stability Institute (FSI) of the Bank for International Settlements (BIS) published a brief paper that examines challenges associated with the use of macro-prudential policies to address climate-related financial risks.
FCA Sets Out Business Plan, Launches TechSprint on Greenwashing
The Financial Conduct Authority (FCA) published its business plan for 2023-24. The plan sets out details of the work planned for the next 12 months to achieve better outcomes for consumers and markets
UK Committee Sets Out Recommendations for Next Phase of Open Banking
The Joint Regulatory Oversight Committee (JROC), comprising the Financial Conduct Authority (FCA) and the Payment Systems Regulator (PSR) as co-chairs and the HM Treasury and the Competition and Markets Authority (CMA) as members
ECB Publishes Multiple Regulatory Updates for Banking Institutions
The European Central Bank (ECB) published the results of the 2022 climate risk stress test of the Eurosystem balance sheet,