Examples of tools⁴ that may be used for identifying and assessing operational risk include:

• Internal loss data collection and analysis: Internal operational loss data provides meaningful information for assessing a Bank’s exposure to operational risk and the effectiveness of internal controls. Analysis of loss events can provide insight into the causes of large losses and information on whether control failures are isolated or systematic. Banks may also find it useful to capture and monitor operational risk contributions to credit and market risk related losses in order to obtain a more complete view of their operational risk exposure.
• External data collection and analysis: External data elements consist of gross operational loss amounts, dates, recoveries and relevant causal information for operational loss events occurring at organizations other than the Bank. External loss data can be compared with internal loss data, or used to explore possible weaknesses in the control environment or consider previously unidentified risk exposures.
• Risk assessments: In a risk assessment, often referred to as a risk self-assessment, a Bank assesses the processes underlying its operations against a library of potential threats and vulnerabilities and considers their potential impact. A similar approach, risk control self-assessments (RCSA), typically evaluates inherent risk (the risk before controls are considered), the effectiveness of the control environment and residual risk (the risk exposure after controls) are considered. Scorecards built on RCSAs by weighting residual risks provide a means of translating the RCSA output into metrics that give a relative ranking of the control environment.
• Business process mapping: Business process mappings identify the key steps in business processes, activities and organizational functions. They also identify the key risk points in the overall business process. Process maps can reveal individual risks, risk interdependencies and areas of control or risk management weakness. They also can help prioritize subsequent management action.
• Risk and performance indicators: Risk and performance indicators are risk metrics and/or statistics that provide insight into a Bank’s risk exposure. Risk indicators, often referred to as Key Risk Indictors (KRIs), provide insight into the status of operational processes, which in turn may provide insight into operational weaknesses, failures and potential loss. Risk and performance indicators are often paired with escalation triggers to warn when risk levels approach or exceed thresholds or limits and prompt mitigation plans.
• Scenario analysis: Scenario analysis is a process of obtaining expert opinion of business line and risk managers to identify potential operational risk events and assess their potential outcome. Scenario analysis is an effective tool to consider potential sources of significant operational risk and the need for additional risk management controls or mitigation solutions. Given the subjectivity of the scenario process, a robust governance framework is essential to ensure the integrity and consistency of the process.
• Models: Larger Banks may find it useful to quantify their exposure to operational risk by using the output of the risk assessment tools as inputs into a model that estimates operational risk exposure. The results of the model can be used in an economic capital process and can be allocated to business lines to link risk and return.
• Comparative analysis: Comparative analysis consists of comparing the results of the various assessment tools to provide a more comprehensive view of the Bank’s operational risk profile. For example, comparison of the frequency and severity of internal data with RCSAs can help the Bank determine whether self-assessment processes are functioning effectively. Scenario data can be compared to internal and external data to gain a better understanding of the severity of the Bank’s exposure to potential risk events.
• Audit findings: While audit findings primarily focus on control weaknesses and vulnerabilities, they can also provide insight into inherent risk due to internal or external factors. Banks must not solely rely on internal audit to identify operational risks.

⁴ Banks are encouraged to use a range of tools to gain an understanding of their operational risks, in a manner consistent and proportional with the size and complexity of the bank and the operational risks it faces.