Operational Risk: Why CROs Still Fly Blind
Among the many operational risk managers and CROs we have worked with — including those in the largest global banks — few, if any, have a real grasp of the relative orders of magnitude of the operational risks their institutions face.
As for operational risk appetite, the situation is often worse. Statements like “the bank has no appetite for money laundering” remain commonplace. But such declarations betray a fundamental misunderstanding: operational risk is not a matter of preference — it is intrinsic to operations themselves. To reject operational risk is to reject operations.
In fact, operational risk has an upside. It is the price — and byproduct — of revenue, innovation, and profitability. Cyber risk, for instance, is not simply a threat to mitigate, but a consequence of digital transformation, which in turn drives customer experience and scale.
What is needed now is a step-change in how we define, measure, and manage operational risk — a transformation not unlike what JPMorgan pioneered in the 1990s with RiskMetrics for market risk.
This transformation begins with a new foundation: the exposure portfolio. Not a portfolio of financial assets, but of productive resources — employees, systems, suppliers, platforms, and even products — each of which can be affected by adverse events. The relevant risks emerge from the nature of the exposed resource.
Thus, operational risk can be redefined: it is the occurrence of an adverse event affecting a productive resource. This includes not only cyberattacks affecting a system or service, but also conduct-related events like class actions stemming from product mis-selling — whether due to flawed design, misleading communication, or market-driven customer dissatisfaction.
Understanding this exposure-based portfolio enables risk managers to quantify what has long been dismissed as “non-modelable.” It creates the conditions to define meaningful, scenario-driven risk appetite — based not on generic statements, but on modeled downside relative to the bank’s operational upside.
In contrast, today’s dominant practice — the Risk and Control Self-Assessment (RCSA) — is largely ceremonial. While RCSA exercises are often mandated by regulators and institutionalized in risk frameworks, they rarely inform real decision-making. They do not quantify exposure, nor do they meaningfully support the articulation of risk appetite. Their value lies in control awareness and compliance box-ticking — not in risk measurement.
To move forward, operational risk must follow the path taken by market and credit risk decades ago: from qualitative assessments and control inventories to quantitative exposure modeling — grounded in real resources, real scenarios, and real financial stakes.
Where the Risk Lives: Turning Exposure into Risk Assessment
Exposure-based operational risk assessment starts with identifying the core resources a bank depends on — not just systems and platforms, but people, products, models, suppliers, and ongoing change initiatives — and the events that could disrupt them.
Each of these resources faces its own set of adverse events. Core banking services and sensitive data are exposed to cyberattacks or technical disruptions. Retail products may face regulatory scrutiny or legal action, whether due to real misconduct or simply as a result of adverse circumstances that shift client perceptions. Trading algorithms are exposed to runaway behavior in abnormal market conditions. Critical suppliers can fail to deliver. And large-scale change projects — such as digital transformations or regulatory upgrades — can be delayed or fail outright, leading to lost revenues, operational strain, and potential client or regulator claims.
By examining each resource and the events it is exposed to, we build a clearer picture of where operational risk resides — and what the consequences might be if things go wrong. This provides the foundation for a quantitative risk assessment, grounded in the real structure of the bank.
But even more important, because scenarios can respond to changes in the environment, they allow the bank to monitor whether it remains within appetite. If exposures evolve — through a new product, a major outsourcing decision, or a strategic pivot — or if external conditions deteriorate, the scenarios adjust accordingly. This makes it possible to assess continuously whether the bank remains within its declared risk appetite, and to react when that boundary is crossed.
Consider a simplified example.
At the start of 2026, the bank sets its overall operational risk appetite at €1 billion. Based on the previous year’s structured risk assessment — adjusted where needed to reflect the bank’s current strategy — a budget of €200 million is allocated to IT and information security risks.
In February, a technical failure disrupts several client-facing services. The total cost, including lost revenues and remediation, reaches €50 million. That amount is deducted from the IT & IS risk budget, leaving €150 million for the remainder of the year.
At the same time, the CISO reports a significant rise in ransomware attempts across the banking sector. The risk scenarios are updated accordingly, with increased likelihoods and refreshed assumptions about response costs. When the revised simulations are run, the 90th percentile of potential IT & IS losses for the rest of the year now stands at €180 million.
That exceeds the remaining budget. The bank is now out of appetite for IT and IS risk.
At this point, the bank must act — by accelerating mitigation efforts, reallocating risk budget, or both. What it cannot do is ignore the signal. In this framework, risk appetite is no longer a theoretical statement — it becomes a guide for proactive action.
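The walk-through above can be turned into a small, repeatable check. The following is an added example, not code from the article or its authors: it models each exposure scenario as a compound Poisson process (a Poisson number of events over the remaining part of the year, each with a lognormal loss), deducts realized losses from the budget, re-runs the simulation after the scenario refresh, and compares the 90th percentile of remaining-year losses with the remaining budget. The article specifies no particular loss model, so the frequency/severity model, the scenario names and all figures are assumptions constructed for illustration; only the €200 million allocation, the €50 million February loss and the 90th-percentile test come from the text.

```python
"""Scenario-driven operational risk budget check (illustrative, added example).

Each scenario is a compound Poisson process: a Poisson count of adverse events
over the remaining fraction of the year, each with a lognormal loss. The 90th
percentile of simulated remaining-year losses is compared with the remaining
risk budget. Model choice and figures are assumptions, not the article's.
"""
import math
import random
from dataclasses import dataclass


@dataclass
class Scenario:
    name: str
    annual_frequency: float  # expected events per full year (assumed)
    median_loss: float       # median loss per event, EUR (assumed)
    sigma: float             # lognormal dispersion of the loss (assumed)


@dataclass
class RiskBudget:
    allocated: float         # budget set at the start of the year, EUR
    realized: float = 0.0    # losses already booked against it, EUR

    @property
    def remaining(self) -> float:
        return self.allocated - self.realized

    def record_loss(self, amount: float) -> float:
        """Deduct a realized loss and return the remaining budget."""
        self.realized += amount
        return self.remaining


def sample_poisson(rng: random.Random, lam: float) -> int:
    """Poisson sample via Knuth's multiplication method (adequate for small lam)."""
    threshold = math.exp(-lam)
    count, product = 0, 1.0
    while True:
        product *= rng.random()
        if product < threshold:
            return count
        count += 1


def simulate_losses(scenarios, year_fraction, n_sims=10000, seed=2026):
    """Simulated total losses over the remaining year fraction, one per trial."""
    rng = random.Random(seed)
    totals = []
    for _ in range(n_sims):
        total = 0.0
        for s in scenarios:
            events = sample_poisson(rng, s.annual_frequency * year_fraction)
            for _ in range(events):
                total += rng.lognormvariate(math.log(s.median_loss), s.sigma)
        totals.append(total)
    return totals


def percentile(values, q):
    """Nearest-rank percentile of a sample."""
    ordered = sorted(values)
    rank = max(1, math.ceil(q * len(ordered)))
    return ordered[rank - 1]


def appetite_check(budget, scenarios, year_fraction, q=0.90, n_sims=10000, seed=2026):
    """Compare the q-percentile of simulated losses with the remaining budget."""
    losses = simulate_losses(scenarios, year_fraction, n_sims, seed)
    loss_at_q = percentile(losses, q)
    return {
        "remaining_budget": budget.remaining,
        "loss_at_q": loss_at_q,
        "within_appetite": loss_at_q <= budget.remaining,
    }


if __name__ == "__main__":
    M = 1_000_000
    budget = RiskBudget(allocated=200 * M)     # IT & IS budget from the article
    budget.record_loss(50 * M)                 # February outage: 150m remains
    months_left = 10 / 12                      # assumed: March to December
    baseline = [                               # constructed scenario parameters
        Scenario("technical disruption", 2.0, 8 * M, 1.0),
        Scenario("ransomware", 0.3, 30 * M, 1.2),
        Scenario("data breach", 0.2, 20 * M, 1.0),
    ]
    print("baseline:", appetite_check(budget, baseline, months_left))
    # CISO update: higher ransomware likelihood and costlier response (assumed)
    updated = [Scenario("ransomware", 1.2, 45 * M, 1.2) if s.name == "ransomware" else s
               for s in baseline]
    print("after refresh:", appetite_check(budget, updated, months_left))
```

The check is deliberately structured so that the budget state (allocated minus realized) and the scenario set are separate inputs: a booked loss changes the first, a refreshed threat picture changes the second, and either can push the bank out of appetite. A fixed seed keeps two runs comparable; in practice the seed is varied and the number of trials raised until the 90th percentile is stable.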