Operational Risk Reporting

Operations & Procedures Risk Management
Last reviewed: 2026-01-15
Owner: Risk Management

Purpose

This document defines the Bank's framework for operational risk reporting. Effective operational risk reporting enables the identification of emerging risks, supports informed decision-making by senior management, and ensures compliance with regulatory expectations regarding risk transparency and governance.

Scope

This framework applies to all operational risk events occurring across the Bank's operations, including but not limited to process failures, system outages, human errors, fraud incidents, legal and compliance breaches, and external events. It covers all business lines, branches, and support functions.

Definitions

| Term | Definition |
|---|---|
| Operational Risk Event | An event arising from inadequate or failed internal processes, people, systems, or from external events, that has resulted in or could have resulted in a financial loss or reputational damage. |
| Near Miss | An operational risk event that did not result in a loss but had the potential to do so. |
| Key Risk Indicator (KRI) | A metric that provides an early warning signal of increasing risk exposure in a particular area. |
| Loss Event | An operational risk event that has resulted in a quantifiable financial loss to the Bank. |

Risk Event Categories

Operational risk events are classified using the Basel II event type taxonomy:

  1. Internal Fraud
  2. External Fraud
  3. Employment Practices and Workplace Safety
  4. Clients, Products, and Business Practices
  5. Damage to Physical Assets
  6. Business Disruption and System Failures
  7. Execution, Delivery, and Process Management

Reporting Procedure

Step 1: Event Detection and Initial Reporting

  1. Any staff member who becomes aware of an operational risk event (including near misses) must report it to their line manager within two (2) hours of detection.
  2. The line manager logs the event in the Operational Risk Management System (ORMS) within four (4) hours of notification, capturing: event description, date and time, business line, estimated loss (if applicable), root cause (preliminary), and immediate remedial actions taken.

Step 2: Impact Assessment

  1. The Operational Risk team reviews each logged event and assigns an impact classification:
| Impact Level | Financial Loss Threshold | Additional Criteria |
|---|---|---|
| Level 1 — Minor | Below USD 10,000 | No regulatory impact, no reputational exposure |
| Level 2 — Moderate | USD 10,000 – USD 100,000 | Potential regulatory interest, limited reputational exposure |
| Level 3 — Significant | USD 100,001 – USD 1,000,000 | Regulatory reporting required, moderate reputational exposure |
| Level 4 — Severe | Above USD 1,000,000 | Mandatory regulatory notification, significant reputational exposure, Board notification |

Step 3: Investigation and Root Cause Analysis

  1. Level 1 events are investigated by the responsible business line, with findings documented in ORMS within ten (10) business days.
  2. Level 2 and Level 3 events are investigated jointly by the business line and the Operational Risk team, with a formal Root Cause Analysis (RCA) report completed within fifteen (15) business days.
  3. Level 4 events trigger an immediate investigation led by the Head of Operational Risk, with regular status updates to the Chief Risk Officer (CRO) and the Board Risk Committee.

Step 4: Remediation

  1. Each investigation concludes with a set of remedial actions, assigned to specific owners with defined completion dates.
  2. Remedial actions are tracked in ORMS and reviewed monthly by the Operational Risk Committee (ORC).
  3. Overdue remedial actions are escalated to the CRO.

Key Risk Indicators (KRIs)

The following KRIs are monitored monthly and reported to the ORC:

| KRI | Threshold (Amber) | Threshold (Red) |
|---|---|---|
| Number of operational risk events | >50 per month | >100 per month |
| Total operational losses | >USD 500,000 per month | >USD 2,000,000 per month |
| SLA breach rate | >5% | >10% |
| System availability (Core Banking) | <99.5% | <99.0% |
| Overdue remedial actions | >10 items | >25 items |

Reporting Calendar

| Report | Frequency | Audience |
|---|---|---|
| Operational Risk Dashboard | Monthly | Operational Risk Committee |
| Loss Event Summary | Monthly | CRO, COO |
| KRI Report | Monthly | Operational Risk Committee |
| Quarterly Operational Risk Report | Quarterly | Board Risk Committee |
| Regulatory Operational Risk Return | Quarterly / As required | Central Bank / Regulator |

Related Documents

  • Incident Escalation Matrix
  • Business Continuity Plan Overview
  • Third-Party Risk Assessment
  • Internal Audit Charter