
Background

Last Updated: 4/16/2025

Operational risk has played a role in many of the banking industry scandals taking place over the past two decades. As the financial system has become more interconnected and complex than ever before, the challenge of understanding and mitigating operational risks has increased. Improvements in operational risk management (ORM) have taken on greater focus and visibility within the financial services and other industries. In recent years, the NAIC, through its Solvency Modernization Initiative (SMI), has been exploring ways to increase the regulatory focus on operational risk. Additionally, many large European insurance companies have begun to establish formal ORM programs as a result of the Solvency II regulations. 

Overview: The International Association of Insurance Supervisors (IAIS) defines operational risk as “the risk arising from inadequate or failed internal processes or systems, behavior of personnel, or from external events.” It refers to the risk that results from shortfalls or deficiencies in the management of otherwise quantifiable risk and unforeseen external events that can impact an insurer. Operational risk potentially exists in all business activities and encompasses a wide range of events and actions or inactions, such as fraud, human error, accounting errors, legal actions, and system failures. Many of these problems arise through the conduct of day-to-day business operations and are typically managed with little or no incident. 

Operational risk became recognized as a major risk class in the mid-1990s following several large-scale insolvencies in the banking industry, including Daiwa Bank in 1994 and Barings Bank in 1995. In these cases, significant losses were incurred due to operational risk failures and confidence in the banking system severely declined. In response, the Basel Committee on Banking Supervision (BCBS) released a proposal in June 1999 (A New Capital Adequacy Framework) to replace the 1988 Basel Capital Accord (Basel I), which applied a new risk-sensitive framework to all banks in the U.S. The initial consultative proposal introduced an operational risk category and corresponding capital requirements. The FRB, OCC, and FDIC released the U.S. Basel III Final Reforms in 2023 and included two separate notices of proposed rulemaking (NPRs); the Basel III NPR “allows banks a transition period of three years, starting July 1, 2025.” 

As operational risk has become recognized as a distinct risk category, the value of effectively managing operational risk has increased considerably. In recent years, cyber risk has become a critical operational risk for insurance regulators to address given the increase in cyber incidents, including data breaches, identity theft, ransomware attacks, and denial of service events. Such incidents can have a material impact on capital through restoration and remediation costs, lost revenue, regulatory penalties, and reputational damage. Cyber risk insurance is becoming a more popular product to mitigate this operational risk. 

Operational risk remains difficult to identify and assess because its causes are extremely heterogeneous, which makes it challenging to develop statistical models for operational risk. A sound operational risk model extends well beyond the confines of a formula-based quantification. It encompasses a company’s business activities and is an integral part of an efficient enterprise risk management (ERM) framework. An insurer’s underlying operational risk profile should be thoroughly reviewed across its range of business activities in order to identify and estimate the model input requirements. The principal challenge is to combine two essential sources of information: empirical loss data and expert judgment.

Many companies have been leveraging the experience of the banking industry, which has been focused on operational risk for more than a decade. However, historical data on the frequency and severity of losses are often not available. Thus, uniform historical data upon which operational risk capital charges could be built is lacking. Organizations, such as the Operational Risk Consortium (ORIC), have begun to collect data from participating financial institutions to develop operational risk loss data consortiums. ORIC was founded in 2005 to advance operational risk management and measurement. It facilitates the anonymized and confidential exchange of operational risk data among member firms, providing a diverse, high-quality pool of quantitative and qualitative information on relevant operational risk exposures. 

Actions

State insurance regulators, working together through the NAIC, have been looking at whether and how best to incorporate internal and external aspects of operational risk more explicitly into the risk-based capital (RBC) formulas for over a decade. 

The Capital Adequacy (E) Task Force adopted the operational risk charge as a 3% add-on to the insurer’s RBC after the covariance amount, and it became effective for 2018 year-end reporting. In 2019, the Capital Adequacy (E) Task Force sent a referral to the Group Solvency Issues (E) Working Group suggesting areas where further guidance could be developed to improve regulators’ analysis and assessment of operational risks. 

In March 2021, the Property and Casualty Risk-Based Capital (E) Working Group adopted a proposal to remove the Operational Risk Factor from the RBC Catastrophe Risk Charge (Rcat). Before the proposal was adopted, the 3% operational risk charge was implicitly included in the contingent credit risk within the Rcat component. The purpose of this proposal was to eliminate the double counting issue, since there was already a 3% overall operational risk charge in the total RBC after covariance. 

Recent NAIC initiatives have also resulted in the adoption of the Risk Management and Own Risk and Solvency Assessment Model Act (#505), as well as corporate governance standards as qualitative means for considering internal operational risk and some aspects of external risk via a group-wide assessment. An Own Risk and Solvency Assessment (ORSA) will require insurers to self-assess reasonably foreseeable and relevant material risks (i.e., underwriting, credit, market, operational, liquidity risks, etc.) that could have an impact on their ability to meet policyholder obligations. 
