Operational risks in banking: what regulations matter and which approach should we recommend?

In 2022, FINMA modernized the banking regulations on operational risks. Since early 2024, FINMA Circular 2023/1 “Operational risks and resilience – banks” applies. This page of our glossary gives you the essential information you need to know about operational risk in banking, as well as the standardised approach that must now be applied across the board.

How do you define operational risk in banks? 

Operational risk is defined in Article 89 of the Capital Adequacy Ordinance (CAO) as “the risk of loss resulting from the inadequacy or failure of internal procedures, people or systems, or from external events”. The Ordinance adds that this includes legal risks but excludes strategic and reputational risks.

What regulatory source currently governs operational risk in the banking sector? 

FINMA Circular 2023/1, entitled “Operational risks and resilience – banks”, was adopted on 7 December 2022. It has been formally in force since 1 January 2024, with transitional implementation phases running from 2024 to 2026. The circular covers two main areas: the overall management of operational risk and the management of specific operational risks.

The latter includes:

  • risks relating to information and communication technologies (ICT risk management);
  • cyber risks;
  • critical data (with confidentiality, integrity and availability requirements);
  • risks relating to cross-border service activities.

This recent circular also contains a comprehensive section on the concept of operational resilience. 

Why has FINMA revised its Circular 08/21 on operational risks? 

There are several major reasons why FINMA decided to completely revise Circular 08/21 on operational risks. First, international risk management standards are evolving. Second, the major changes brought about by digitalization must be integrated into the risk approach. Finally, the integration of the final Basel III requirements in Switzerland has also led to a revision of the definitions and management of operational risks.

What is the impact of the final Basel III on operational risk management in banking? 

The Basel Committee’s requirements continue to be incorporated into Swiss banking regulations, with the final Basel III standards due to come into force on 1 January 2025. The Capital Adequacy Ordinance (CAO) has been revised on several points, including operational risks. The changes are designed to strengthen the resilience of the banking system. 

💡We have summarized for you the main key changes in Basel III final, for credit risk, market risk and operational risk. 

What is the Standardised Approach to Operational Risk (SMA)? 

Since the introduction of Basel III final in Switzerland, the only permitted way to calculate the capital required for operational risk is the Basel Committee’s Standardised Measurement Approach (SMA).

Article 90 of the CAO specifies that the standardised approach is built from several components:

  • the Business Indicator (BI), a financial-statement-based proxy for the size of the bank’s activities;
  • the Business Indicator Component (BIC), obtained by applying increasing marginal coefficients to successive buckets of the BI;
  • the Internal Loss Multiplier (ILM), which scales the BIC up or down according to the bank’s own loss history;
  • the Loss Component (LC), derived from the bank’s average annual operational losses over the observation period.

Article 91 CAO sets out the method for calculating the minimum capital required to cover a bank’s operational risks. The amount is the product of the Business Indicator Component and the Internal Loss Multiplier: BIC × ILM. Note that the BI itself does not enter the product directly; it is first converted into the BIC through the bucket coefficients.
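To make the SMA concrete, the following is an added worked example (it is not code from this glossary, from FINMA or from the CAO). It implements the Basel Committee’s published formulas: the BIC from the three BI buckets (marginal coefficients 12%, 15% and 18%, with thresholds of 1 billion and 30 billion, taken here in EUR as in the Basel text; the CAO restates these for Swiss banks, so take the thresholds from the ordinance for real use), the LC as 15 times the average annual operational loss, and ILM = ln(e − 1 + (LC/BIC)^0.8), with ILM fixed at 1 for bucket-1 banks as the Basel standard provides. The Basel text also lets a supervisor set ILM = 1 for all banks at national discretion; this page does not say whether that applies to a given Swiss bank, so the example computes ILM from the formula. The bank figures below are constructed for illustration.

```python
import math

# Basel SMA parameters (assumption: EUR thresholds as in the Basel text;
# the CAO restates them for Swiss banks, so check the ordinance).
BUCKET_1_LIMIT = 1e9     # BI up to 1 billion: bucket 1
BUCKET_2_LIMIT = 30e9    # BI up to 30 billion: bucket 2; above: bucket 3
COEFFICIENTS = (0.12, 0.15, 0.18)
LC_MULTIPLIER = 15       # LC = 15 x average annual operational loss


def business_indicator_component(bi: float) -> float:
    """BIC: each slice of the BI is charged at its bucket's marginal
    coefficient, like a progressive tax schedule."""
    if bi < 0:
        raise ValueError("BI cannot be negative")
    slice_1 = min(bi, BUCKET_1_LIMIT)
    slice_2 = min(max(bi - BUCKET_1_LIMIT, 0.0), BUCKET_2_LIMIT - BUCKET_1_LIMIT)
    slice_3 = max(bi - BUCKET_2_LIMIT, 0.0)
    return (COEFFICIENTS[0] * slice_1
            + COEFFICIENTS[1] * slice_2
            + COEFFICIENTS[2] * slice_3)


def loss_component(annual_losses) -> float:
    """LC: 15 times the average annual loss over the observation window
    (ten years of loss data under the Basel standard)."""
    if not annual_losses:
        raise ValueError("loss history required to compute LC")
    if any(loss < 0 for loss in annual_losses):
        raise ValueError("annual losses cannot be negative")
    return LC_MULTIPLIER * sum(annual_losses) / len(annual_losses)


def internal_loss_multiplier(bi: float, bic: float, lc) -> float:
    """ILM = ln(e - 1 + (LC/BIC)^0.8).
    Bucket-1 banks (BI <= 1 billion) use ILM = 1 and need no loss data.
    Above that, LC > BIC pushes ILM above 1 (more capital), LC < BIC
    pushes it below 1 (less capital), and LC == BIC gives exactly 1."""
    if bi <= BUCKET_1_LIMIT:
        return 1.0
    if lc is None:
        raise ValueError("loss component required for banks above bucket 1")
    return math.log(math.e - 1 + (lc / bic) ** 0.8)


def operational_risk_capital(bi: float, annual_losses=()) -> dict:
    """Minimum capital for operational risk under the SMA: BIC x ILM."""
    bic = business_indicator_component(bi)
    lc = loss_component(annual_losses) if annual_losses else None
    ilm = internal_loss_multiplier(bi, bic, lc)
    return {"BI": bi, "BIC": bic, "LC": lc, "ILM": ilm, "capital": bic * ilm}


if __name__ == "__main__":
    # Constructed figures: a bucket-2 bank with BI of 5 billion and
    # ten years of annual losses averaging 40 million.
    losses = [35e6, 42e6, 38e6, 45e6, 40e6, 39e6, 41e6, 44e6, 36e6, 40e6]
    for label, value in operational_risk_capital(5e9, losses).items():
        print(f"{label:>8}: {value:,.4f}" if isinstance(value, float) else f"{label}: {value}")
    # A small bucket-1 bank: no loss data needed, ILM = 1.
    print(operational_risk_capital(8e8))
```

For the constructed bucket-2 bank the BIC is 720 million (0.12 × 1 billion + 0.15 × 4 billion), the LC is 600 million (15 × 40 million), and since LC is below BIC the ILM comes out just under 1 (about 0.949), giving a capital requirement of roughly 683 million rather than the full BIC. Feeding in a loss history averaging 60 million instead pushes LC to 900 million and ILM above 1, which is the mechanism by which a bank’s own loss experience feeds back into its capital charge.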

With the transition to Basel III final, all other methods of calculating capital for operational risk are obsolete. This applies in particular to the Advanced Measurement Approach (AMA), which can no longer be used to calculate the capital required for operational risk.

What does operational resilience mean for a bank? 

The new Circular 2023/1 includes a chapter dedicated to operational resilience. This framework is justified by the increasing probability and impact of events such as

  • pandemics;
  • crises;
  • failures;
  • cyber-attacks;
  • power cuts;
  • climatic events or natural disasters;
  • etc.

Operational resilience means the ability to identify and protect the bank’s critical functions so that they can withstand prolonged disruptions or the unavailability of key resources in critical situations. Operational resilience is also defined by the bank’s capability to take adequate measures to respond, recover and/or adapt during and after such severe but plausible scenarios, and to learn from them for the future.

👉To discover other definitions of RegTech, we suggest you return to the table of contents of our glossary. 

👉If you’d like to find out more about easyReg, take a look at our RegTech solution.