Making Operational Risk Visible


An overview of the risk accounting method

b3lineicon|b3icon-bulb-gear||Bulb Gear

Introducing the ‘Risk Unit’ or ‘RU’

The ‘Risk Unit’ or ‘RU’ is the new additive metric, unique to the Risk Accounting method, that is used to quantify and report exposure to operational risk using three core metrics:

  • Inherent Risk: The amount of operational risk in RUs before considering the effects of internal risk mitigation activities and processes (represents maximum exposure to operational risk)
  • Risk Mitigation Index (RMI): A measure of the effectiveness of internal operational risk mitigating activities and processes on a scale of zero to 100
  • Residual Risk: The amount of operational risk in RUs that remains after reducing Inherent Risk by the RMI (represents actual exposure to operational risk)

Calculation of Inherent RUs

The Risk Accounting Calculation Engine calculates Inherent RUs based on two factors:

(1) Exposure Uncertainty Factor (EUF), and

(2) Value Band Weighting (VBW):


Portfolio View of Operational Risks

The Risk Accounting Calculation Engine generates algorithms that convert EUF, VBW and RCSA (Enhanced) inputs into a portfolio view of operational risk exposures in RUs encompassing:

  1. The reporting and analysis of granular and aggregated exposures by multiple categories including group-wide, business line, business organisational component, product, and customer.
  2. Direct comparisons of exposure to operational risk through benchmarking and ranking within and between enterprises (assuming the above tables and associated risk factors are uniformly applied).
  3. Identification and prioritization of risk mitigation action plans with a calculation of the projected risk reduction impact of each plan in RUs.
  4. The setting of operational risk budgets and risk operating limits in RUs across all vertical and horizontal dimensions of the enterprise with the potential for real- or near real-time monitoring of accumulating exposures to risk vs. risk budgets and limits.

The Risk Accounting Calculation Engine

Once determined and approved, product risk factors (EUFs), new-business scaling factors (value table) and RCSA activity and control effectiveness factors and best practice benchmarks require minimal maintenance. These tables, risk factors and benchmarks are set up in the calculation engine.

There are two variables that require periodic input:

  1. The daily amount of new business booked.
  2. Changes in the operating status of risk mitigation activities and controls.

The calculation engine is designed to have maximum operational flexibility and be readily adaptable to the highly complex requirements of large financial institutions. It can be implemented either as a standalone end-to-end solution incorporating risk and control self-assessment (RCSA) or integrated within an existing information infrastructure. It can also be integrated as part of third party solutions from established technology providers, configured using existing platforms or through a de novo in-house development.

The calculation engine can be easily positioned between the data integration layer and the presentation layer (reporting, analysis, dashboarding and alerting tools). It can be deployed in-house, in a third-party cloud, as a physical hardware device or a virtual device on a variety of operating systems and connectivity options. Implementation options vary depending on the complexity of the existing infrastructure, the results that need to be obtained, and time and budget constraints.


1. Exposure Uncertainty Factor (EUF) Table

EUFs are scaled to a value between zero and 20 reflecting each product’s operational complexity and the consequent process burden it imposes on the enterprise. EUFs relative to the activities below, where applicable, are assigned according to the risk criteria and associated risk factors set out in the EUF tables and summed for each product:

  • Processing: number of operational touchpoints along the product’s end-to-end processing cycle.
  • Lending: the relative time and effort required to liquidate collateral in the event of a credit default with reference to the value retention properties and price stability of underlying collateral.
  • Trading: the relative time and effort required to unwind a trading position with reference to the availability and reliability of market prices and rates, and the manner in which the product is traded, e.g., electronic, floor, OTC etc.
  • Treasury: the relative time and effort required to fund a product and manage associated liquidity and interest rate risk with reference to:
    • Banking book: interest rate type (fixed or floating) and maturity.
    • Derivatives: relative degree of complexity.
    • Transactional and trading book: assume marginal Treasury involvement.
  • Selling: whether the product is…
    • an investment product involving the holding of customer monies;
    • directly linked to a sales incentive scheme; and
    • bundled with other products (e.g., a loan with an interest rate swap);
    • …and the product’s relative degree of complexity from a customer perspective.
  • Environment: the product’s relative toxicity, combustibility, and biodiversity.


An important feature of Risk Accounting is that the Risk Accounting Calculation Engine inputs via EUF and VBW tables and enhanced RCSAs are auditable:

  1. EUFs are set and approved during the product approval and review process. Auditors can independently verify that EUFs have been appropriately documented, approved, and consistently applied.
  2. Operational throughput and mapping to the Value Table can be independently verified by auditors against accounting records.
  3. Given that enhanced RCSAs require either a ‘yes/no’ response or the selection of a benchmark from a multiple-choice dropdown box, an auditor can independently verify whether responses are appropriate as there is only one acceptable response.

2. The Value Table

Ascending $ amounts of daily operational throughput, for each product, are assigned a Value Band Weighting (VBW).

The value bands plotted against the VBWs produce a logarithmic curve that depicts how the rate of change in risk decelerates as operational throughput accelerates, primarily due to enhanced automation that naturally occurs as production volumes and values increase. 


3. Calculation of Risk Mitigation Indexes (RMIs) and Residual RUs

Two variable inputs are periodically input into the Risk Accounting Calculation Engine to produce RMIs and Residual RUs by multiple reporting categories including group-wide, business line, business component (cost center), customer, product, legal entity, and location. 

  1. The amount of operational throughput, being daily new business transacted relative to each product, which can be captured either manually or via automated interfaces with accounting systems.
  2. The status of risk mitigation gathered from across the enterprise via risk & control self-assessments (see below) captured at pre-selected organizational levels, e.g., process, production team, department, division etc.

Risk & Control Self-Assessment - RCSA (Enhanced)

The traffic light ‘RAG’ assessments typically used in RCSAs to report the status of risk mitigation activities and processes are replaced either by a binary ‘yes/no’ input indicating the presence or absence of compliance with an industry consensus best practice or through gauging the degree of compliance by reference to a set of predetermined benchmarks. RCSA enhanced inputs are used by the Risk Accounting Calculation Engine’s algorithms to calculate risk mitigation indexes (RMIs) and residual RUs.



In the recent past, most notably during the financial crisis of 2007/8, financial institutions of all sizes around the globe suffered material, sometimes catastrophic unexpected losses. These were invariably due to their inability to effectively identify, quantify, aggregate and report their internal exposures to operational risks. In many instances, the result was extreme accumulations of unidentified and unreported exposures to operational risks that eventually turned into losses. In contrast, external exposures to financial risks have intrinsic monetary value that can be readily identified and quantified in natural currency, aggregated and reported. In short, a financial institution’s amount of exposure to external financial risks is typically known whereas its amount of exposure to internal operational risks is typically unknown.



Exposure to operational risks exists where a financial institution fails to adequately plan, organise, manage and control its internal risk-mitigating activities and processes. In contrast, exposure to financial risks exists where a financial institution intentionally creates external financial exposures with customers, intermediaries and counterparties for a projected return.

Unexpected losses are financial outcomes associated with a financial institution’s failure to accurately identify, quantify, aggregate and report its accumulating exposures to financial and operational risks and, consequently, cannot know whether such exposures are within risk appetite limits approved at the Board level. In contrast, expected losses are stochastically determined accounting estimates of projected financial outcomes associated with accepted financial and operational risks where the amount of accepted risk has been accurately quantified and is within risk appetite limits approved at the Board level.


Key Attributes of Risk Accounting

The Risk Mitigation Index (RMI) is a measure of risk culture as it blends qualitative and quantitative risk attributes from across the enterprise into a single metric. Accordingly, risk governance is focused on planning and implementing strategies aimed at continually improving the RMI.

The risk appetite statement is a schedule of approved risk limits in RUs by business component, product and risk type that are set at the granular operating level and aggregated at the Board level for approval. Risk Accounting supports the budgeting and forecasting of accepted non-financial risks in RUs and monitors and reports accumulating excesses over approved RU limits in near real-time.

The amount of exposure to operational risks expressed in RUs is auditable. Risk Accounting requires business component and process owners to report risk and control status by completing ‘enhanced’ Risk & Control Self-Assessments (RCSAs) where colour-coded ‘RAG’ assessments are replaced with a system of numerically weighted risk factors. Completing an enhanced RCSA requires either picking an applicable risk benchmark from a dropdown box or confirming compliance with an industry-consensus best practice (‘yes’ or ‘no’ input). Consequently, enhanced RCSAs are objective, measurement-based inputs that can be subject to audit which is not the case with standard RCSAs that use a subjective ‘RAG’ assessment metric.


Monetary Value of an RU

One of RASB’s longer term aims is to calculate and publish the monetary value of an RU (RUm) by modelling operational risk loss data correlated with additional context information in the form of Residual Risk RUs. Once determined, the RUm can be used to estimate operational risk related expected losses (Residual Risk RUs x RUm).

Expected losses calculated in this way can be used to risk-adjust audited financial statements, similar to IFRS 9 and CECL accounting provisions for credit risk. This creates the possibility to lobby regulators to adopt the RUm in the determination of regulatory capital requirements for operational risks providing for a more effective balancing of risk sensitivity, simplicity and comparability in capital adequacy calculations.

What Experts Say?

[As published in the “Comments on Risk Accounting” by Henry Stewart Publications 1752-8887 (2016) Vol. 9, 4 413–420 Journal of Risk Management in Financial Institutions]

“…represents a sizeable step forward in the search for a practical global solution to enterprise risk management (ERM)”

“…the London Whale trading loss… Here, the (method) would bloom”

“…a very useful conceptual framework that could serve as a baseline for fulfilling the needs of BCBS 239, with a relatively simple to implement approach”

“…the first mechanism proposed to integrate the major components of risk in a large institution”

Julian Williams, PHD

Durham University Business School

“The integration of accounting and risk measures (both economic and regulatory) makes an important contribution to making risk-adjusted returns transparent”

Robert Mark, PhD

Black Diamond Risk Enterprises

“The framework… harmonizes all quantifiable risks and valuation uncertainties into one consistent framework without getting bogged down with specific risk models, methodologies and calibrations”

Mark Abbott, MA

The Guardian Life Insurance Company of America

“…(the) approach could be a meaningful way of establishing a common metric for operational risk, an area in risk management which, after many years, is still lacking analytical rigour”

Madelyn Antoncic, PhD

Principal Global Investors

“…(the) proposed framework is both novel in addressing the limitations of existing ERM risk measurement frameworks and practical in adapting the control and reporting frameworks that already exist in accounting and general ledger systems”

Roger Chen, CFA, PRM

New York Life Insurance Company

“…I think it is a good way of thinking about the operational risk associated with different underlying risk classes but, as the authors point out in the paper, it is not intended to be a substitute for capital at risk.”

Adam Litke, PhD


Get in touch