Operational risk handbook

The three lines of defense model is the standard governance framework for risk management in financial institutions. The first line (LOD1) is the business itself — front office, operations, and technology teams who own and manage risk day to day. The second line (LOD2) provides independent oversight, setting standards, challenging the first line's risk assessments, and reporting to senior management. The third line (LOD3) is internal audit, providing independent assurance that the framework is working as intended. In practice, the effectiveness of this model depends on the quality of interaction between lines. LOD1 must feel ownership, not just compliance. LOD2 must add value through challenge, not just bureaucracy. And LOD3 must have the access and expertise to test what matters.

Risk and Control Self-Assessment (RCSA) is the foundational process for identifying and evaluating operational risks. Each business unit assesses its key risks, rates their likelihood and impact, identifies the controls in place, and evaluates whether those controls are effective. A well-run RCSA programme produces a living inventory of risks and controls that informs capital allocation, audit planning, and management attention. Common pitfalls include: assessments that are too generic (not reflecting actual business activities), ratings that are politically influenced rather than evidence-based, and a lack of follow-through on identified control gaps. The best RCSA programmes are those where first-line managers genuinely use the output to manage their operations.

Scenario analysis complements RCSA by exploring low-frequency, high-impact events that may not appear in historical loss data. Workshops bring together business experts, risk managers, and sometimes external facilitators to construct plausible but severe scenarios — a major cyber attack, the failure of a critical vendor, or a significant compliance breach. Each scenario is assessed for potential financial impact and the effectiveness of existing mitigations. The output feeds into capital modelling (particularly under Basel's Advanced Measurement Approach) and informs business continuity planning. The challenge is making scenarios specific enough to be actionable while avoiding the trap of over-precision in inherently uncertain situations.

When operational risk events materialise, the incident management process captures what happened, assesses the impact, identifies root causes, and drives remediation. A mature incident management framework includes clear escalation thresholds (based on financial impact, regulatory implications, or client impact), standardised categorisation using a risk taxonomy, and a structured root cause analysis methodology. The data generated by incident management is invaluable — it validates RCSA assessments, provides empirical input to scenario analysis, and creates a feedback loop that strengthens controls over time. Banks that treat incidents as learning opportunities rather than blame exercises build stronger risk cultures.