D. Operational Risk

C 52/2017 STA Effective from 1/4/2021

73. Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, or systems, or external events. This definition includes legal risk and compliance risk but excludes strategic and reputational risk. The framework for operational risk management should cover the bank’s appetite and tolerance for operational risks, and the manner and extent to which operational risk is transferred outside the bank.

74. Operational risk is a recurrent and material source of losses for many banks, but the existing approaches (the Basic Indicator Approach (BIA), the Standardised Approach (SA), and the Alternative Standardised Approach (ASA)) for calculating Pillar 1 operational risk capital may not reliably reflect the nature and scale of potential operational risk losses. The Pillar 1 Standardised Approach for operational risk uses gross income as the measure on which capital is based. Gross income is a risk-insensitive proxy for operational risk capital, which may lead banks to underestimate the risk. This was evident during the economic downturn in 2009, when banks’ income dropped, lowering their regulatory operational risk capital requirement, yet operational risks were either constant or even elevated in some cases. Therefore, banks should ensure that their Pillar 2 capital charge covers operational risks that are not captured by regulatory capital methodologies. The analysis should include a robust and conservative forecast of operational risk losses and the respective capital requirements (at least split into conduct and non-conduct risks).

75. Legal risk is considered an operational risk. Each bank is required to analyse, assess, and quantify the impact of legal risk failures on its capital structure. Examples of legal risk include inadequate documentation, legal or regulatory incapacity, the insufficient authority of a counterparty, and contract invalidity/unenforceability. The Legal department of each bank bears responsibility for the identification and management of this risk. It must consult with internal and external legal counsel. Subsidiaries and branches of major international banking groups typically have in-house legal departments, acting under the guidance of the group, which aim to facilitate the business of the group by providing proactive, business-oriented advice. The outcome of legal and/or regulatory issues to which the bank is currently exposed, and of others which may arise in the future, is difficult to predict; consequently, there can be no assurance that the outcome of a legal matter will not be material to the financial condition of the bank.

76. Given the potential impact of operational risk, each bank should evaluate under Pillar 2 the risks arising from business conduct and from money laundering / financing of terrorism. In addition, each bank should consider the internal and external operational risks it faces, including but not limited to operational cyber risk, IT risks, and outsourcing, and each bank is expected to consider ways in which it can improve its operational resilience. Each bank should provide details in the ICAAP report on the outcome of its Risk Control Self-Assessment (RCSA) process, which collates bottom-up operational risk drivers across businesses.

77. Each bank should undertake quantitative stress testing based on its historical loss data and operational risk profile.