Operational Risk Management

Operational risks are defined in accordance with the CRR as a “risk of losses that are caused by the inappropriateness or failure of internal processes, people and systems or by external events, including legal risks.” This means that the emergence of operational risks can be traced back to these factors or to the faulty interplay between them.

Causes of Operational Risks

Systems

Operational risks related to systems frequently emerge in connection with data processing systems, communication systems and general company infrastructure.

Employees

Operational risks caused by the “employee” factor usually emerge from inadequate qualitative or quantitative human resources, criminal acts and individual mistakes made by employees.

Processes

Operational risks in connection with processes mainly result from unsuitable methods and models as well as deficient internal communication and structural/procedural organization.

External Influences

External influences include operational risks mainly due to political decisions or changes in the framework conditions, (natural) catastrophes, contracting parties and external criminality.

Systematizing Operational Risks

To start with, FAS AG will help you and your company systematize operational risks, i.e., define and delineate the causes of risks, risk events and risk effects.

The second step is to design the implementation of operational risk management, which for the most part consists of the following components:

  • Risk Identification and Evaluation: The focus here is on the selection of suitable resources for the identification of operational risks such as audit findings, internal/external loss databases, risk assessment, risk and performance indicators, etc. The important aspects in this connection are a sensible combination of past, present and future metrics and a selection with consideration given to cost-benefit analyses.
  • Risk Management: A differentiation is fundamentally made between the following management strategies:
    • Risk acceptance
    • Risk minimization
    • Risk avoidance
    • Risk transfer

    In this connection, it is necessary to arrange the identified operational risks according to the expected amount of losses and then to determine the associated risk management strategies on the basis of loss thresholds.

  • Risk Monitoring and Reporting: The goal of risk monitoring is to implement a system that promptly measures the degree of operational risks and is able to control them accordingly. Alongside ongoing internal risk monitoring, there is process-independent monitoring by external auditors, the supervisory authority and internal audit. Meaningful reporting is indispensable for both internal and external risk monitoring and must present the status of operational risks in a form suited to the target audience.
  • Stress Tests: Beyond fulfilling regulatory requirements, stress tests primarily serve to measure the quality of the established management system for controlling operational risks and to identify its weaknesses. The goal is to implement a sensible combination of status-quo and future-oriented stress tests or stress test scenarios.
  • Quantification: To implement the management of operational risks, the goal of quantification is to define a set of meaningful metrics and to measure them regularly. These metrics and methods include:
    • Value-at-risk
    • Conditional value-at-risk
    • Loss distribution approach
    • Indicator approach
    • Scenario analysis

The implementation and measurement of these metrics frequently require more in-depth knowledge of statistical methods.
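As an added illustration of how the loss thresholds from the Risk Management step and the quantification methods above fit together (this is example code, not FAS AG's own method), the following Python sketch builds an annual loss distribution from a Poisson event frequency and a lognormal severity (a loss distribution approach), reads off value-at-risk and conditional value-at-risk, and assigns one of the four strategies by expected loss. The threshold amounts and distribution parameters are constructed assumptions.

```python
import math
import random
from statistics import mean

# Assumed expected-annual-loss thresholds (constructed for this example), ascending.
# Below the first limit the risk is carried; above the last it is avoided.
STRATEGY_THRESHOLDS = [
    (10_000, "Risk acceptance"),
    (100_000, "Risk minimization"),
    (1_000_000, "Risk transfer"),
]


def choose_strategy(expected_loss: float) -> str:
    """Map an expected annual loss to a management strategy by loss thresholds."""
    for limit, strategy in STRATEGY_THRESHOLDS:
        if expected_loss < limit:
            return strategy
    return "Risk avoidance"


def poisson(rng: random.Random, lam: float) -> int:
    """Sample an event count per year (Knuth's method; random has no Poisson)."""
    threshold, count, product = math.exp(-lam), 0, 1.0
    while True:
        product *= rng.random()
        if product <= threshold:
            return count
        count += 1


def simulate_annual_losses(freq_lambda, sev_mu, sev_sigma, years, seed=1):
    """Loss distribution approach: per year, a Poisson number of loss events,
    each with a lognormal severity, aggregated into one annual loss figure."""
    rng = random.Random(seed)
    annual = []
    for _ in range(years):
        events = poisson(rng, freq_lambda)
        annual.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(events)))
    return annual


def var_cvar(losses, confidence=0.999):
    """Value-at-risk as the empirical quantile; conditional value-at-risk as the
    mean of the tail at or beyond that quantile (so CVaR >= VaR)."""
    ordered = sorted(losses)
    idx = min(int(confidence * len(ordered)), len(ordered) - 1)
    return ordered[idx], mean(ordered[idx:])


def assess(freq_lambda=2.0, sev_mu=9.0, sev_sigma=1.0, years=5000):
    losses = simulate_annual_losses(freq_lambda, sev_mu, sev_sigma, years)
    expected = mean(losses)
    var, cvar = var_cvar(losses)
    return {"expected_loss": expected, "var": var, "cvar": cvar,
            "strategy": choose_strategy(expected)}
```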

If you are interested or have any questions, please contact us.

Dominik Konold, Partner