Operational risk


This chapter sets out the methodology the PRA uses to inform the setting of a firm’s Pillar 2A capital requirement for operational risk.


The approach applies to all PRA Category 1 firms but may be extended to other firms depending on the level of sophistication of the firm’s internal operational risk management.


In determining whether to apply the methodology described below to non-Category 1 firms, the PRA takes into account the size and complexity of a firm, as well as the sophistication of a firm’s internal operational risk management. Where a firm is re-assessed as Category 1 or otherwise brought into scope, supervisors will agree a timetable for assessment that is fair, proportionate to the firm’s resources and considers the sophistication of the firm’s internal operational risk management. For firms not in scope, the PRA assesses operational risk on the basis of data provided by the firm, the firm’s own assessment of operational risk and supervisory judgement.

Definition and scope of application


Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes legal risk.


Pillar 1 standardised approaches for operational risk use gross income as a measure of risk. This is not risk sensitive. During the recent economic downturn, incomes dropped but operational risk exposures, in many cases, remained the same or increased. The PRA therefore assesses operational risk as part of its Pillar 2 review of firms’ capital adequacy.


Conduct risk has become a recurrent and a material source of losses for many firms but the existing approaches (the Basic Indicator Approach (BIA), the Standardised Approach (TSA) and the Alternative Standardised Approach (ASA)) for calculating Pillar 1 operational risk capital do not reflect the nature and scale of recent conduct risk losses.


For the purpose of the PRA assessment, conduct risk losses are defined as losses in the Basel loss event category ‘Clients, Products and Business Practices’ (CPBP).[9] Currently, conduct and legal losses make up the bulk of CPBP losses. In the current environment CPBP losses are considered a proxy of conduct risk losses.


[9] CRR Article 324.


The approach detailed below applies to firms using BIA, TSA or ASA to calculate Pillar 1 operational risk capital requirements.


The approach does not apply to firms on the Advanced Measurement Approach (AMA) unless there are outstanding material remedial actions associated with their AMA approval. In that case additional capital may be required.

Methodology for assessing Pillar 2A capital for operational risk


The approach considers non-conduct risk separately from conduct risk.


Where a firm’s operational risk management and measurement framework are of AMA standard, the firm’s ICAAP will be the main input into the setting of Pillar 2A capital for operational risk.


Sizing capital for operational risk is a significant challenge. The loss distribution is unusually fat-tailed, with infrequent but very large losses, and there is a paucity of data. This problem applies to all operational risks but is especially acute for conduct risk. The loss estimates below do not overcome these fundamental problems but they deliver better outcomes than relying on inadequate Pillar 1 approaches. They provide a simple, transparent and consistent way for the PRA to assess Pillar 2A operational risk across firms.


Conduct risk is not assessed using pre-determined distributions or scalars because of the difficulties in estimating the tail of the loss distribution. Modelling such high-impact but low-frequency losses is extremely challenging. In addition, modelling techniques for extrapolating to the tail rely on the assumption that conduct risk events are independent, and recent observed conduct loss patterns show this is not the case.[10]


[10] Two econometric studies provide such evidence: (i) Gillet, Roland, Georges Hübner and Séverine Plunus (2010), ‘Operational Risk and Reputation in the Financial Industry’, Journal of Banking and Finance, Vol. 34, pages 224–35, argues that poor firm management creates an expectation that operational events (in general) are correlated. (ii) Perry, Jason and Patrick de Fontnouvelle (2005), ‘Measuring Reputational Risk: The Market Reaction to Operational Loss Announcements’, unpublished Working Paper, Federal Reserve Bank of Boston, finds evidence of stickiness of internal fraud events.


Pillar 2A capital for conduct risk is informed by: supervisory knowledge of a firm’s exposure to conduct risk; a firm’s largest conduct losses over the past five years; the level of expected annual loss for conduct risk; and conduct-related scenarios where potential exposures over a shorter time horizon (eg five years) are considered. As a result, the determination of additional Pillar 2A capital for conduct risk is driven predominantly by supervisory judgement.


The PRA uses three loss estimates, described below, to inform the setting of a firm’s Pillar 2A capital requirement for non-conduct risk.

  (i) The first estimate (C1) is based on a firm’s forecast of its expected losses due to operational risk in the next year(s), extrapolated to estimate the loss at the 1-in-1,000 year confidence level (assuming a given relationship between expected loss and unexpected loss). The expected loss forecasts exclude ‘material conduct and legal risk’. The extrapolation is dependent on the type of business undertaken by a firm, distinguishing between universal banks, predominately domestic banks and wholesale banks.
  (ii) The second estimate (C2) is based on the average of the firm’s five largest losses by Basel event type (excluding CPBP) for each year. This calculation is repeated for each of the past five years, and the event type resulting in the largest capital requirement (calibrated at a 1-in-1,000 year confidence level) is used. A Pareto distribution is used to calibrate the operational risk capital for each event type by using a predetermined shape parameter. Currently, the shape parameters are defined by event types but are constant for all firms. The calibration and five-year time horizon might be reconsidered as the PRA obtains more loss data.
  (iii) The third estimate (C3) uses a firm’s scenario assessments (excluding scenarios associated with CPBP event types). For each scenario, either one frequency and at least two severity impacts, or at least two annual impact assessments, are used to fit a calibration-free, fat-tailed distribution to determine the annual impact at a 1-in-1,000 year confidence level. The C3 estimate is obtained by summing the five largest annual impacts to which a predefined diversification benefit (determined by the PRA) is applied. The same diversification benefit is applied to all types of firms.


Supervisory judgement is used to determine the operational risk add-on, taking into account considerations such as: the quality of the firm’s own Pillar 2A assessment; the capital range generated by C1, C2 and C3 for non-conduct risk; confidence in the firm’s scenario analysis process and internal loss data; the quality of the firm’s operational risk management and measurement framework; and peer group comparisons.


The Pillar 2A capital add-on is the sum of the capital adjustment for conduct risk and non-conduct risk.



The PRA already collects information on operational risk historical losses from firms participating in the Stress Testing Data Framework (STDF) programme. All significant firms and firms with AMA permission must report the data contained in the operational risk Pillar 2 data items in accordance with Reporting Pillar 2, 2.3, unless those data have already been submitted as part of the STDF programme. Firms are required to submit the data with their ICAAP submissions. ‘Significant firm’ means a deposit-taker or PRA-designated investment firm whose size, interconnectedness, complexity and business type give it the capacity to cause significant disruption to the UK financial system (and through that to economic activity more widely) by failing or carrying on its business in an unsafe manner. The PRA may also request some firms that are not significant to report the same data and will notify the firms accordingly in advance of their submitting an ICAAP document.