
The changing face of operational risk

Blog: Capgemini CTO Blog

From the ever-present threat of cyber-attack, to the unexpected and sudden impact of a global pandemic, operational risk is a fact of life in the financial industry. And while operational risk management is critical, the practice is still in its infancy.

Despite this immaturity, its relevance is highlighted by the continuous revisions and reviews published by the Basel Committee on Banking Supervision (the Committee). The most recent of these are a consultative paper with proposed updates to the Principles for the Sound Management of Operational Risk (PSMOR) and the newly minted Principles for Operational Resilience (POR), both published in 2020.

Both documents are at the forefront of current affairs in this industry and offer a glimpse of the regulatory challenges financial institutions will face in the future. In this article, we offer an overview of the updates and new principles, and consider the impact on Finance, Risk and Compliance (FRC) functions.

In short

Additions and changes to the Principles for the Sound Management of Operational Risk include:

The Principles for Operational Resilience aim to:

The PSMOR: and then there were twelve

Since the adoption of the PSMOR in 2011, the operational risks faced by financial institutions have increased and evolved. The current consultative paper addresses this changed landscape in the following twelve principles:

  1. Risk culture
  2. Operational Risk Management Framework (ORMF)
  3. Board of directors: implementation ORMF
  4. Board of directors: risk appetite
  5. Senior management
  6. Identification and assessment of operational risks
  7. Change management
  8. Monitoring and reporting
  9. Control and mitigation
  10. ICT
  11. Business continuity
  12. Disclosure

The following additions are impending:

The BCBS has published a paper on cyber security.

The following changes were proposed:

The POR: brace for impact

The Principles for Operational Resilience were developed and proposed by the Committee to mitigate operational risks and to strengthen operational resilience in this industry. The latest updates aim to enable banks to deliver critical operations through disruption. Their objectives are as follows:

Promote a principles-based approach to improving operational resilience – the ability of a bank to deliver critical operations through disruption.
Reflect any initial lessons learned from the impact of the Covid-19 pandemic.
Ensure that existing risk management frameworks, business continuity plans, and third-party dependency-management are implemented consistently within the organization.

The seven newly designed POR address many critical incidents faced by financial institutions, amongst them the Covid-19 pandemic and a rise in cyber-attacks. The scope lies primarily within:

  1. Governance
  2. Operational risk management
  3. Business continuity planning and testing
  4. Mapping interconnections and interdependencies
  5. Third-party dependency management
  6. Incident management
  7. ICT including cyber security

With respect to ICT, the Committee sets requirements that banks need to meet for the physical and logical design of information technology and communication systems. This includes the individual hardware and software components, relevant data and the operating environment. Additionally, banks are expected to have a documented ICT policy that addresses the growing issue of cyber security.

When suggesting these principles, the Committee considered third-party activities where failure would lead to the disruption of vital services. This was especially the case for major institutions with a high market share and globally interconnected operations, where the consequences could seriously endanger the functioning of the real economy and financial stability.

Moreover, the POR require that banks reflect on any initial lessons learned from the impact of Covid-19 in order to improve the pain points in their operations. Simultaneously, banks should ensure that their existing risk management frameworks, business continuity plans, and third-party dependency-management are implemented consistently within the organization.

How will these changes affect the FRC function?

There are three distinct challenges: risk culture, roles and responsibilities, and risk assessment.

Risk culture includes setting standards and incentives for professional behavior. Roles and responsibilities refer to explicitly delineating the roles and responsibilities of the board and senior management, as well as the Three Lines of Defense, by which we refer to a widely used model for managing risk. Risk assessment comprises choosing and setting up the tools to identify and assess operational risks (e.g. event data, self-assessments, and scenario analyses). Responding to these challenges can require fundamental changes both operationally and institutionally.

At Capgemini Invent, we have many years of expertise in helping financial institutions ensure regulatory compliance throughout all corporate functions on a global level. We have drawn on this experience to develop enhanced risk management solutions to tackle the three key challenges:

Risk Culture: The concept of a risk culture should be a core part of a company’s strategy. Firms need to establish a mature preemptive risk culture to better manage their risks and reduce risks of failure, even when they are dealing with extreme unexpected events. The building of a risk culture is a dynamic and ongoing process, which enables organizations to resiliently thrive within an uncertain and constantly changing environment. Getting this right can create a competitive advantage by providing the agility to quickly and efficiently navigate through unfavorable market conditions, whether external or internal to the financial industry. Find more details about our preemptive risk culture concept in our Risk Culture Blog.


Roles and responsibilities: Understanding both current and future roles and responsibilities in an organization is the first step in a business optimization process. Organizations need to be clear on their degree of compliance with the recently introduced Basel Committee on Banking Supervision (BCBS) requirements. To support our clients with this, we have developed an extensive governmental and organizational assessment providing guidance on ensuring a compliant corporate structure. The Capgemini Invent Governmental and Organizational Assessment uses customized questions to examine any compliance gap and helps to prioritize remedial actions with the key stakeholders.


Risk assessment: The BCBS formulated specific risk management measures as part of its ICT policy, including access controls, critical information asset protection and identity management, to ensure that appropriate risk mitigation strategies are in place. ICT, and cyber security in particular, is embedded in an evolving threat landscape. A recent study highlights the extent of the average losses for different types of incidents across different economic sectors, as visualized in the diagram below:

Figure: Cyber incidents and their total losses

An intelligent response

At Capgemini Invent, we have created and use various empirical and analytical tools with enhanced visualization, such as our Incident Management Tool. This intelligent tool supports the identification, capture, and analysis of risks, as well as the elaboration of next actions. It enables our clients to proactively address potential vulnerabilities, promote a faster response to risks, and prevent further incidents. Furthermore, this solid Incident Management Tool provides a dashboard with customizable outputs to track and report incidents. It is compatible with the latest technologies, such as natural language processing, optical character recognition, machine learning, etc. You can find more details about our Incident Management Tool and best practices in our Incident Management Blog.

Inventive Finance, Risk & Compliance from Capgemini Invent helps Finance, Risk and Compliance teams in the financial sector address critical challenges. This article focuses on operational risk.

Stay tuned for further updates on the PSMOR and POR by Capgemini Invent.

This blog is authored by Dr. Rita Motzigkeit and Kerem Cigerli.

