What's new

Operational risk categories vs seven operational risk event types


Active Member
Hi @David Harper CFA FRM CIPM ,.

I'm a bit confused as to the difference between Operational Risk Categories (ORCs) and the standard seven operational risk event types. The Basel paper “Operational Risk—Supervisory Guidelines for the Advanced Measurement Approaches says banks can come up with their own ORCs as long as they prove they have created a sufficient amount of them which are not too few or too many and these are used to measure operational risk.

What is the difference ? Are these ORCs mapped to the seven event types ?

Due to the nature and diversity of operational risk, banks define operational risk
categories (ORC) along which they measure their operational risks. A bank’s risk
measurement system and capital charge calculation is greatly influenced by the number of
ORCs used within the model.
Last edited:

David Harper CFA FRM

David Harper CFA FRM
Staff member
Hi @afterworkguinness The bank develops its own catagories, they may not match Basel's categories, but the bank needs to map its categories to Basel's for regulatory reporting. I would expect these categories correlate to the categories used by external database providers, also. Basel's operational risk categories are contained in Annex 9 of the 2004 Basel II Framework, here is the Annex @ https://www.dropbox.com/s/4tq4uynvu7397cr/bcbs128d.pdf?dl=0. You will note the categories go deep to three Levels; or, two levels plus activities, if you like.

But this is all explained quite nicely is the assigned Chapter 7. Internal Loss Data [OR–3] of Operational Risk Management: A Complete Guide to a Successful Operational Risk Framework by Philippa x. Girling, (Hoboken: John Wiley & Sons, 2013). For example,
"Every event should be mapped to the risk event categories being used at the firm. These risk categories should be clearly outlined in the policies, procedures, standards, or guidelines that have been published in the firm for operational risk management. Basel II provides a useful set of seven categories, which most firms have adopted or adapted to meet their own reporting needs. Basel II describes the seven categories as shown in Table 7.1. I have found these seven categories to be remarkably resilient. I have tested them extensively within the financial services industry, but also in firms in other industries. At this highest level, they do seem to effectively capture all types of operational risk events.
USING THE BASEL RISK CATEGORIES: The Basel risk categories must be used to report operational risk events for firms that are required to meet the Basel regulations. However, they can also be used effectively in other ways. Most firms use the same categorization taxonomies for their risk and control self-assessment (RCSA) programs as they do for their loss data. They may also align any key risk indicators (KRIs) and any scenario analysis work with the same categories. While the seven Level 1 categories are mandatory for capital calculation and loss data capture by a Basel firm, the second and third levels are often adapted to better suit those firms."--Girling, Philippa X. (2013-09-17). Operational Risk Management: A Complete Guide to a Successful Operational Risk Framework (Wiley Finance) (Kindle Locations 2394-2399). Wiley. Kindle Edition.