Banking Operational Risk Reporting Standards
Uploaded by
Abhishek YadavBanking Operational Risk Reporting Standards
Uploaded by
Abhishek YadavManaging Risk Together
OPERATIONAL RISK REPORTING
STANDARDS (ORRS)
EDITION 2019
VERSION: 1.5
REVISED:
BOARD APPROVED: 1 December 2016
Copyright & Disclaimer Notice
All rights in this document are owned and controlled by ORX. ORX permits it to be used internally by
Members, but not transmitted publicly in whole or in part.
ORX has prepared this document with care and attention. ORX does not accept responsibility for any
errors or omissions. ORX does not warrant the accuracy of the comments, statement or
recommendations in this document. ORX shall not be liable for any loss, expense, damage or claim
arising from this document.
The content of this document does not itself constitute a contractual agreement, ORX accepts no obligation
associated with this document except as expressly agreed in writing.
Operational Riskdata exchanged Association (ORX) [Link] Company Registration No.
c/o Bunions Ballast Ehrler, +44 (0)1225 904 397 CHE-109.982.492
6, rue de Rive, 1204 Geneva
Switzerland
Public
Operational Risk Reporting Standards (ORRS)
This document makes use of Hyperlinks for ease of navigation. Hyperlinks can be activated using Ctrl+Click
with the keyboard and mouse, the cursor may change shape, for example to .
The Table of Contents also contains Hyperlinks.
If ORX Members have queries on the text or would like to raise issues for concern then they should Email
support@[Link] with a description of the issue.
Version Control
1 July 2019 Section 3.2.1Grouped Losses and Sections 3.2.2. Amendments to text to provide
further clarity for reporting to ORX.
No change to the definitions or reporting requirement.
Approved by Definitions Working Group June 2019
28 March 2018 Section 3.2.4 inclusion of Interest and Legal Costs in the Gross Loss Amount,
where no fine is incurred. Updates to example of events not to be reported.
Approved by Definitions Working Group December 2017
1 August 2017 Section 4.3 inclusion of USD for submission of events (aligns with Insight system
business rules)
Section 8 incorporates previously separate appendix to create a single document.
1 December 2016 Board ratified Section 2.2 ORX Requirements and Procedures -reflect the data
quality dimensions listed in the Global Loss Data Quality Assurance Policy and
remove reference to PwC.
27 June 2012 3.2.3 Legal Costs Decision Tree
15 June 2012 1.5 Transitional Arrangements – deleted
3.2.4 Categorisation of Tax related sanctions
10 May 2012 3.2.4 Tax Decision Tree
4.2.2 Negative Revenues becomes Revenue Adjustments
4.2.3 Uncollected Revenues – added example, deleted example
9 December 2011 Board ratifies DWG Recommendations
28 September 2011 3.2.3 Legal Events
20 July 2011 3.4.1 Requirement for Credit Risk-Operational Risk Boundary
30 June 2011 3.1.2 Definition of Legal Risk
Managing risk together Page 2 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Table of Contents
1 Introduction ........................................................................................................................................... 6
1.1 Objectives of this document .................................................................................................................. 6
1.2 Document Structure .............................................................................................................................. 7
1.3 Relationship between Global and Sector Databases ........................................................................... 7
1.4 Governance of ORRS ........................................................................................................................... 7
2 Data Quality Governance ..................................................................................................................... 9
2.1 Introduction............................................................................................................................................ 9
2.2 ORX Requirements & Procedures ........................................................................................................ 9
3 What to Report – Definitions & Boundaries ........................................................................................ 11
3.1 Operational Risk .................................................................................................................................. 11
3.1.1 Operational Risk ................................................................................................................... 11
3.1.2 Legal Risk ............................................................................................................................. 12
3.2 Operational Risk Event ....................................................................................................................... 13
3.2.1 Grouped Losses (vs Single Events) ..................................................................................... 13
3.2.2 Linked Events ....................................................................................................................... 15
3.2.3 Legal Events ......................................................................................................................... 17
3.2.4 Tax Events ............................................................................................................................ 20
3.3 Operational Risk Loss ......................................................................................................................... 21
3.3.1 Lifecycle of an Operational Risk Loss ................................................................................... 21
3.3.2 Timing Losses ....................................................................................................................... 22
3.3.3 Pending Losses .................................................................................................................... 22
3.4 Boundary between Operational and Other Risks................................................................................ 23
3.4.1 Credit Risk ............................................................................................................................ 23
3.4.2 Market Risk ........................................................................................................................... 25
3.4.3 Strategic Risk ........................................................................................................................ 26
3.4.4 Project Risk ........................................................................................................................... 27
3.4.5 Business Risk ....................................................................................................................... 27
Managing risk together Page 3 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3.4.6 Reputational Risk .................................................................................................................. 28
3.4.7 Liquidity Risk ......................................................................................................................... 28
4 Determine the Operational Risk Loss Amount – Quantification ......................................................... 29
4.1 General Principles ............................................................................................................................... 29
4.1.1 Gross Loss ............................................................................................................................ 29
4.1.2 Recoveries ............................................................................................................................ 30
4.2 Special Cases ..................................................................................................................................... 30
4.2.1 Rapid Recoveries .................................................................................................................. 30
4.2.2 Revenue Adjustment............................................................................................................. 31
4.2.3 Uncollected Revenue ............................................................................................................ 32
4.2.4 Fixed Assets, Investment Assets, and Intangibles ............................................................... 33
4.2.5 Provisions & Reserves .......................................................................................................... 34
4.2.6 Regulatory Action – Fines and/or Penalties.......................................................................... 34
4.3 FX Conversion Rates .......................................................................................................................... 35
5 How to Categorise Operational Risk Losses ...................................................................................... 36
5.1 Business Lines .................................................................................................................................... 36
5.1.1 Corporate Items .................................................................................................................... 36
5.1.2 Events Affecting Multiple Business Lines ............................................................................. 37
5.1.3 Materiality .............................................................................................................................. 38
5.2 Event Types ........................................................................................................................................ 40
5.3 Product Types ..................................................................................................................................... 42
5.3.1 Bundled Products .................................................................................................................. 42
5.4 Process Types..................................................................................................................................... 44
5.5 Large Loss Event Attributes ................................................................................................................ 47
5.6 Country Codes .................................................................................................................................... 48
6 How to Report Exposure Indicators .................................................................................................... 49
6.1 Gross Income ...................................................................................................................................... 49
6.2 Sector Database Exposure Indicators ................................................................................................ 50
Managing risk together Page 4 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
7 Technical issues: Threshold, History, Coverage, etc. ........................................................................ 51
7.1 Reporting Gross Loss Threshold ........................................................................................................ 51
7.2 Time Period ......................................................................................................................................... 51
7.3 Consolidated Reporting ....................................................................................................................... 51
7.4 Exceptions to Complete Reporting ..................................................................................................... 52
7.5 Submitting Historical Data ................................................................................................................... 52
7.6 Effects of Acquiring or Disposing of Business Units ........................................................................... 53
7.7 Submitting Losses for a New Business Line ....................................................................................... 53
7.8 Stopping Reporting for an Existing Business Line .............................................................................. 53
7.9 Mergers between Members ................................................................................................................ 54
7.10 Leaving ORX ....................................................................................................................................... 54
8 Detailed Descriptions of Data Categories........................................................................................... 55
8.1 Introduction.......................................................................................................................................... 55
8.2 Business Lines .................................................................................................................................... 56
8.3 Event Types ........................................................................................................................................ 67
8.4 Products .............................................................................................................................................. 78
8.4.1 Bundled Products .................................................................................................................. 99
8.5 Processes.......................................................................................................................................... 103
8.6 Large Loss Event Attributes .............................................................................................................. 130
8.6.1 Alleged Causes ................................................................................................................... 131
8.6.2 Jurisdiction / Choice of Law ................................................................................................ 136
8.6.3 Counterparty / Claimant Type ............................................................................................. 137
8.6.4 Role of the Firm .................................................................................................................. 138
8.6.5 Environment Volatility ......................................................................................................... 139
Managing risk together Page 5 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
1 Introduction
1.1 Objectives of this document
This document describes the standards for reporting Operational Risk losses for consolidation and analysis in
the ORX global database by Members of ORX. These standards may serve as a useful reference for Non-
ORX firms for categorising Operational Risk losses; as such the standards are provided and published as an
industry resource.
This document contains a number of definitions and principles to promote the consistency of reporting and
data categorisation. The Definitions Working Group (DWG) has found it useful to refer to these definitions
and principles when discussing issues around categorisation and various boundaries, in particular between
Operational and Other Risks.
This 2011 edition of the Operational Risk Reporting Standards (ORRS) supersedes and replaces the current
version from 2007. The main changes since the 2007 edition have been the addition of categories for
Products, Processes and additional attributes for Large Losses.
ORX Members are free to adopt varying definitions and methodologies for internal loss recording and
reporting. However, each Member is required to make submissions to the ORX global database following the
uniform standards and definitions set out below.
These standards relate to the ORX global database of Operational Risk losses. A number of Sector
Databases have been, or are in the process of being established by ORX. These Sector Databases may
have particular emphasis on geography or business activity, for example Canada and Investment Banking.
The standards for these Sector Databases may deviate in some way from the standards for the global
database. The relationship between the Global and Sector databases is more completely described in
Section 1.3 on page 7.
Data submission to the ORX global database is made on a quarterly basis. Each time there is a data
reporting cycle, Members will produce and send their data since inception (January 2002 for founding
Members). Members are expected to report their full loss data history. See Section 7.4 “Exceptions to
Complete Reporting” for further reference
ORX is aware that all Members are constantly refining their internal processes for capturing Operational Risk
losses/events. As a consequence of this constant refinement, Members are allowed to modify and/or update
their previously reported records.
A number of aspects around the ORX global database promote anonymity of the individual Members. In
some instances, these aspects relate to the delivery of historic data by new Members, in other instances it
affects the granularity of the reports back to Members. For example, Members provide country level data, but
receive back regional level information. Anonymity and confidentiality around the ORX databases and data
are important and are reflected in the Articles of Association of ORX.
Managing risk together Page 6 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
1.2 Document Structure
The document is structured to promote clarity and ease of finding details.
Each topic begins with a Principle / Definition section. This is then followed by the reporting Requirement and
Examples. The final parts of the individual topic relate to Cross-References and ORRS Updates. The
examples may be sub-divided into examples of Inclusions and examples of Exclusions.
Details of all categories can be found in the Appendix. These detailed descriptions may include additional
examples as well as notes.
1.3 Relationship between Global and Sector Databases
This document is primarily concerned with the Operational Risk Reporting Standards that apply to the Global
Database. As one of the strategic initiatives for ORX is the development of Sector Databases, it is important
that the relationship between these Operational Risk Reporting Standards and the Sector Databases is clearly
understood and appreciated.
Sector Databases may address a variety of interests, for example geographic or activity. An example of a
Geographic Sector Database is the Canadian database. An example of an Activity Sector Database is
Investment Banking.
Where the Sector Databases primarily have banks as Members and the focus is upon loss data then it is
efficient for these Sector Databases to follow the standards for the Global Database. The efficiency is in
terms of Standards and supporting system infrastructure. This implies that where the standards for the Global
Database change, then these changes will be reflected in the Sector Database.
Where the Members of the Sector Database agree to deviate from the standards for the Global Database they
can do so. For example, a Geographic Sector Database may decide to have a lower reporting threshold. An
Activity Sector Database may decide to have additional Exposure Indicators and additional levels of
granularity in Business Lines or Event Types.
Where the Sector Database does not have banks as Members, for example in the case of insurance
companies (even if they are subsidiaries of banks) then changes will be required. Such changes may be in
the detailed business lines and other data categories, such as Products. For the Sector Databases, the
responsibility for agreeing and documenting the reporting standards belongs to the participants of that
database.
In any case, substantial incremental costs from deviating from the standards of the Global Database may be
reflected in the costs of membership to the respective database.
1.4 Governance of ORRS
Changes to the Operational Risk reporting standards must be approved by the Board of ORX. The Definitions
Working Group has the responsibility for reviewing the Operational Risk Reporting Standards and making
recommendations to the Board of ORX.
Managing risk together Page 7 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
The Definitions Working Group will review requests from individual Members as well as from the Quality
Assurance Working Group.
The Definitions Working Group has the authority to generate and publish clarifications of definitions or
additional examples of particular situations. The vehicle for these clarifications are the ORRS Updates.
The Definitions Working Group has the authority to recommend substantive changes to the Board of ORX
during the year. This category also includes recommending categories for industry events for Board
endorsement. The vehicle for these substantive statements are the ORRS Updates.
The Definitions Working Group will conduct an annual review of the Operational Risk Reporting Standards.
Changes may be in response to ORRS Updates since the last review.
Managing risk together Page 8 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
2 Data Quality Governance
2.1 Introduction
This document, the ORX Operational Risk Reporting Standards, is part of a wider effort leading to Members
receiving data from ORX that is fit for purpose. While ORX can support Members in achieving this standard,
only Members can deliver the data that meets or exceeds the standards.
Members use the ORX data for a number of purposes, including:
• direct inputs to Economic or Regulatory capital calculations
• direct inputs or use in validating scenarios
• benchmarking capital calculation results
• supporting decisions in purchasing insurance
• assessing the Operational Risk performance of:
o Businesses
o Product Managers
o Process Owners, and
o Regional Managers
Although this document is updated periodically, Members are encouraged to use the ORRS Update process,
operated by the Definitions Working Group, as a mean of clarifying the categorisation of losses.
In addition to this document ORX supports data quality through processes operated by the Quality Assurance
Working Group (QAWG). The QAWG operates four quality related processes:
1. Data Cycle – Delivery Tests
2. Data cycle – In-Cycle Quality Assurance Testing
3. Periodic Portfolio Review
4. Annual Data Attestation Exercise
These processes are intended to support individual Members in their data deliveries as well as provide
assurance to users of the data that it is fit for purpose.
2.2 ORX Requirements & Procedures
Definition: Data Quality has a number of dimensions. From an ORX perspective the following five
dimensions are assessed during the quarterly data delivery cycles.
1. Accuracy - data is submitted in the correct format and is free of errors
2. Completeness – all aspects of the event are reported for the entire data set
3. Timeliness – data is submitted within the agreed submission window for the respective time period
4. Consistency – data is submitted in adherence to the Operational Risk Reporting Standards
5. Uniqueness – data submitted is free from duplicates
Managing risk together Page 9 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
The Annual Data Attestation exercise and Periodic Portfolio review are additional processes to ensure data
quality and may have some overlap with the assessments conducted as part of the data cycle, but they also
capture additional features.
The last item is included as an aspect of data quality as the response time by Members can affect the timing
of the publication of data which can have a knock-on impact on the ability of Members to use the data.
Requirement: Members are required to provide data that meets the requirements of the ORX data quality
dimensions 1-5.
Members are expected to conduct an annual data quality review involving an independent party. This
independent party does not have to be an audit function but could be from Credit or another function with
experience of categorising data. If Members are performing data quality reviews for internal and/or regulatory
purposes, then that should also be satisfactory for ORX purposes.
In the case of completeness of reporting, Members should be aware of the choices available for the reporting
of reserves / provisions (Section 3.2.3), especially where litigation is involved.
Background: The QAWG has specified a number of tests to be applied, by the ORX Secretariat, to data prior
to publication to ORX Members as well as the Annual Data Attestation Exercise and Periodic Portfolio
Reviews.
ORX applies a number of pre-defined tests and reviews to the data, prior to distribution. The results of the
tests (on anonymised data) are shared with the QAWG who may request ORX secretariat to raise further
queries with a Member to resolve any concerns raised. The QAWG makes a recommendation as to whether
the data is of adequate quality for publication.
The range of tests is reviewed when issues are brought to the attention of the QAWG by ORX Members.
Managing risk together Page 10 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3 What to Report – Definitions & Boundaries
3.1 Operational Risk
3.1.1 Operational Risk
Definition: “Operational Risk (OR) is defined as the risk of loss resulting from inadequate or failed
internal processes, people and systems or from external events. This definition includes legal risk, but
excludes strategic and reputational risk” (see Basel II Accord section V. A. §644).
Cross-reference: In January 2001, the Basel Committee defined Operational Risk as used by ORX above.
This definition has been applied within the respective local regulations, i.e. the European Commission’s
Capital Requirement Directive 2006/48/EC (CRD) for example as “Operational Risk means the risk of loss
resulting from inadequate or failed internal processes, people and systems or from external events, and
includes legal risk.”
Despite such differences in the texts, the definition of Operational Risk within the CRD should be read
consistently with that of the Basel II Accord, meaning that reputational and strategic risks should be excluded
from the scope of Operational Risk. (CEBS, 2009, Compendium). As an introduction to the details of the
topic, the three paragraphs below are quoted from regulatory guidance.
As part of the bank’s internal Operational Risk assessment system, the bank must systematically track
relevant Operational Risk data including material losses by business line. It must have documented, objective
criteria for allocating losses to the specified business lines and event types.
A bank's internal loss data must be comprehensive in that it captures all material activities and exposures
from all appropriate sub-systems and geographic locations. Aside from information on gross loss amounts, a
bank should collect information about the date of the event, any recoveries of gross loss amounts, as well as
some descriptive information about the drivers or causes of the loss event.
A bank must develop specific criteria for assigning loss data arising from an event in a centralised function
(e.g. an information technology department) or an activity that spans more than one business line, as well as
from related events over time.
Managing risk together Page 11 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3.1.2 Legal Risk
Definition:
Legal Risk is the risk of loss resulting from exposure to:
1) non-compliance with regulatory and / or statutory responsibilities and/or
2) adverse interpretation of and/or unenforceability of contractual provisions.
This includes the exposure to new laws as well as changes in interpretations of existing law(s) by appropriate
authorities and exceeding authority as contained in the contract. This applies to the full scope of Group
activities and may also include others acting on behalf of the Group. Legal Risk is a component of
Operational Risk.
Cross reference:
Legal Risk includes, but is not limited to; fines, penalties, or punitive damages from supervisory actions, or to
judgments or private settlements (see Basel II Accord Section V. A. §644 - Definition of Operational Risk) or to
the reduction in asset values or cashflows.
Examples - Included in Reporting to ORX
• Change over time, in the interpretation by judiciary, of “treating customers fairly”. This may result in the
original treatment being classified as “unfair”.
• Lack of Duty of Care or Negligence in executing responsibilities.
• Acting improperly in the termination of a finance agreement.
• Inaccurately or incorrectly drafted contracts or errors or omissions in documentation.
• Lack of due diligence on the accuracy of claims or statements in a prospectus for securities and/or
underwriting.
• Use of somebody’s Intellectual Property without appropriate permission(s).
Managing risk together Page 12 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3.2 Operational Risk Event
Definition: An Operational Risk event is an event leading to the actual outcome(s) of a business process to
differ from the expected outcome(s), due to inadequate or failed processes, people and systems, or due to
external facts or circumstances.
3.2.1 Grouped Losses (vs Single Events)
Definition: Grouped losses are defined as multiple losses / impacts with the same distinct loss generating
action or trigger.
For risk calculation purposes and ORX reporting purposes these losses have to be aggregated and
considered as a single event. If the event impacts multiple Business Lines, the aggregated losses should be
allocated to the individual Business Lines impacted and then linked to indicate the losses are attributed to a
single event (see Section 3.2.2 Linked Events).
Requirement: An operational risk event may have multiple associated losses or impacts. The first action is to
determine if these losses (impacts) should be grouped and treated as a single event because they originate
from a distinct loss generating action. The second action is to group these losses (impacts) in a single record,
containing all related losses, and classify this according to its specific event characteristics.
A Grouped Loss, involving multiple individual losses (impacts), is likely to come from the same distinct loss
generating action if they have:
• A single Event Type, and
• A single Process (where applicable), and
• A single Jurisdiction, and
• A single Counterparty Type, and
• A single Role of the Firm
They can involve multiple Products.
Additional factors supporting decisions to group losses into a single event include:
• common action or trigger, including the likes of loss or damage to physical assets resulting from a
natural disaster event (e.g. earthquake, tsunami), or a co-ordinated cyber security issue or fraud. With
regard to Fraud, Credit Card frauds may have similarities but are executed by many individuals and so
should not be Grouped. However, where credit card details are used in a co-ordinated way to commit
fraud then these should be Grouped (when there is a high degree of certainty).
• the focus of risk management efforts or changes to the controls following an event, are an indication
that there is a single distinct loss generating action.
• the accounting treatment, for example are the losses aggregated into a single number. Consistency
between the books and records of the firm and reporting losses to ORX supports internal quality
assurance.
Managing risk together Page 13 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Members may wish to capture data at a more granular level than the ORX reporting requirement. For
example, the firm may wish to capture the event effects such building repairs, staff overtime, compensation
etc. This additional granularity can support risk management and event mitigation efforts.
Examples - Included in Reporting to ORX
• Repeated mistakes due to a failure in the Business Model, a business process or due to a flawed
product are considered to be a single event ([Link] certain products the bank performs a systematic
rounding to its benefit which is later found to be an abusive market practice). Note: such OR events are
often triggered by retrospective changes in law or interpretation of law.
IL0003 Mis-selling of payment protection insurance. Banks are required to redress (compensate)
customer complaints regarding mis-sold protection insurance. Firms gave customers misleading and
unclear information about products so that they bought insurance that was not needed or was to cover
risks that were greatly exaggerated. The total amount of compensation paid to customers (not per
customer) plus any external legal fees plus any regulatory fines for poor compensation processes are
grouped.
• Multiple refunds to clients are considered a single event when there is a common underlying allegation
irrespective of the resolution of the cases through a class action lawsuit or individual lawsuits / voluntary
settlements (i.e. misstatement of issue prospectus, allegation that bank should have known of the
deterioration of the condition of the financial asset). Such events may have a single provision set aside
for all related claims.
IL0001 Mis-selling of Mortgage Backed Securities (Private Label) Banks reached settlements with
government agencies, trustees and institutional investors over allegations of mortgage backed
securities (MBS) failings i.e. banks misled investors with respect to the quality of and therefore riskiness
of the underlying loans. Fines, compensation and immediate write-down costs should be grouped and
reported as a single event and not reported per security or per investor.
• Fraud losses connected by a common plan of action (e.g., the same scheme being used to defraud
many different victims, which may involve many small transactions or small losses, a common
perpetrator or organized criminal group), are considered a single event.
A cyber data breach, where fraud losses suffered by customers and honoured by the Bank are believed
to be linked to a specific third-party data breach, the losses incurred are to be grouped. While an
individual (ultimately) caused the losses, firms had many different roles in relation to the fraud, e.g. as
Principal, Advisor to third parties and as Agent / Facilitator.
Where a firm has played multiple roles, it is assumed the risk management actions would differ
according to the Role of the Firm and therefore it is likely they will have different Root Causes and the
losses will be Grouped according to the Role of the Firm. This is likely to involve failures in different
processes and different risk management responses.
Managing risk together Page 14 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples – Excluded from Reporting to ORX
• Multiple errors made by a single individual over a period of time are treated as single events and not to
be grouped.
3.2.2 Linked Events
Definition: A linked event is a single event (which may be comprised of grouped losses) and impacts more
than one Business Line.
Requirement: In cases where an Operational Risk event impacts more than one Business Line; Members
should assign the event to the Responsible Business - the business in which the event began. If responsibility
for an event is factually unclear, then responsibility can be assigned according to one of the following rules
which provide an approximation for splitting an event to more than one Business Line, for example:
• the owner of the transaction, or
• business process out of which the event arose
• the P&L allocation can provide an approximation for splitting an event to more than one Business Line.
It should be noted that the splitting (and linking) of events is not permitted for any other category (e.g. Event
Type, Product or Process).
Where the event impacts multiple lines of business and the Gross Loss amount (single loss or total grouped
losses) is equal to or greater than the threshold for Large Loss Events (currently €10 million), the parent event
is considered a Large Loss Event, for which additional Loss Attribute reporting is required. All other categories
must be the same for all (linked) records reported to ORX.
Example of the relationship between grouped losses and linked events
An earthquake followed by an enormous tsunami caused massive damage to the bank’s buildings, including
ATMs. The event impacts several business lines and multiple losses (impacts) are incurred. For the purpose
of this example indirect recoveries are not taken into consideration.
The losses incurred are:
Grouping of Losses
Communications (press ATM machines Building
Total
releases, phone hot lines) repairs/replacement repairs
Retail Banking
0.25m 3.0m 5.0m 8.250m
Linking the event
BL0301
Commercial Banking
2.0m 2.000m
BL0401
Corporate Items
0.25m 1.0m 1.250m
BL1001
Total 0.50m 3.0m 8.0m 11.500m
Managing risk together Page 15 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
This event is reported as a:
• A Linked Event: The event affects multiple Business Lines, so there are 3 linked records reported to
ORX, linked using the related reference field.
and
• Grouped Loss: This is considered as one event for the firm with a total loss amount of EUR11.5m
reported against EL0501 Natural disasters & Other Events. The Risk management focus in on
business continuity.
How to report this to ORX:
Event Category
Claimant Code
Volatility Code
Environmental
Counterparty /
Business Line
Related event
Jurisdiction
Gross Loss
Role of the
Firm Code
(L2) Code
(L2) Code
(L2) Code
(Member)
… … … … …
Process
Cause 1
Product
Amount
Ref ID#
Ref ID
Code
a BL0301 EL0501 8250000 PC9900 PD9900 CS0103 CA LS0212 LS0308 LS0406
b BL0401 EL0501 2000000 a PC9900 PD9900 CS0103 CA LS0212 LS0308 LS0406
c BL1001 EL0501 1250000 a PC9900 PD9900 CC0103 CA LS0212 LS0308 LS0406
Examples – Included in Reporting to ORX (Linked events)
• A firm suffers a group-wide cyber-attack, in which hackers steal some personal data from customers
attached to three business lines in a single country. The data was not subsequently used for fraud. The
firm is subsequently fined at a group level EUR 1.55 million by the national data regulator under GDPR
legislation for inadequate data protection. For internal purposes, and for reporting to ORX, the firm
reports this fine as three linked events. The allocation of the gross loss is based on the firm’s internal
assessment of how many customers are impacted.
The fine is a single impact apportioned across the impacted business lines.
Examples – Included in Reporting to ORX (Grouped Loss and Linked events)
• Following an acquisition, a firm took a senior management decision not to pay staff bonuses. The
decision violated contractual requirements and therefore qualified as an operational risk event.
Employees across multiple Business Lines, Products and Jurisdictions were affected.
The firm incurred legal costs and was required to pay the bonuses. These losses should be grouped as
they relate to a single decision that was directly related to the event. The losses should be allocated to
the business lines, based on the distribution of employees across the business lines, and then linked.
ORRS Updates:
ORX ORRS Update - (0011) Loss Allocation Legal Entities (Req) 8 Apr [Link]
ORX ORRS Update - (0012) Loss Allocation Products (Req) 4 March [Link]
Managing risk together Page 16 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3.2.3 Legal Events
Definition: Legal events are defined as dispute resolution activities especially with regard to legal risk (see
Section 3.1.2). This may include litigation, arbitration and tribunals.
Requirement: A legal event is not an event type; it is in fact an issue arising from internal causes/failures
and/or external causes. It encompasses all active, passive lawsuit (plaintiff/defendant) as well as out of court
settlement, defence against frivolous and unsubstantiated claims.
Only legal events related to alleged or actual, operational risk events experienced by the Member are to be
reported to ORX.
Reporting Legal Event Costs to ORX
Formal Notification of Action via Court,
Arbitration, Tribunal or Expert Panel
/ Decision to Settle - In or Out of Court
Is the underlying
issue an OR Event?
Win Any costs not reported to ORX
No
Non-OR Event
Lose Any costs + fines not reported to ORX
Win Any costs reported to ORX
Yes
OR Plaintiff
Lose Any costs reported to ORX
No
Win Any costs reported to ORX
OR Defendant
Lose Any costs + fines reported to ORX
For reporting, the event type classification follows the underlying allegation of the claim (for example
“Suitability, Disclosure & Fiduciary” EL0401), the Date of Discovery is either the date the claim is received by
the bank or the event is discovered, the Date of Recognition is the date the first cost has been accounted for
in the P&L and gross loss, for reporting to ORX, includes external lawyers’ fees, court fees, other Litigation
expenses etc. as well as the cost of settlement.
Where the bank initiates (as plaintiff) a legal event the underlying Operational Risk loss must be recorded.
External legal costs are to be reported as they are incurred provided the underlying event is an operational
risk event. The verdict or settlement received from the defendant (if any), is considered a recovery. Where
operational risk event is not alleged or experienced by the Member, then such legal costs are not to be
reported to ORX.
Managing risk together Page 17 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
If the firm’s costs are to be paid by the counterparty, as determined by the court or tribunal etc., then the
amount paid by the counterparty is treated as a Direct Recovery (it is treated as a Direct Recovery, and not as
a Rapid Recovery, as payment may take more than 5 business days to receive).
In the case that the existence of an underlying Operational Risk event is determined through a court decision,
the event must only be reported at the settlement of the legal event. E.g. a former employee (fund manager)
or partner of the bank is sued for alleged fraud; the court finds no evidence; he was only a poor fund manager.
As there is no underlying Operational Risk event there is nothing to report to ORX.
A Member has the option to report a reserve/provision for a legal event at the settlement date due to concerns
related to “Discoverability” or other legal issues. The event is to be reported as soon as the legal impediment
is removed and/or the case is settled. This rule does not apply when the bank publicly discloses the provision
amount.
Examples – Included (non-exhaustive list) in Reporting to ORX
• Following a legal event, the bank has to bear legal costs, but is compensated by the counterparty. The
costs are to be entered as OpRisk losses (legal costs), the compensation from the counterparty as
direct recovery.
• Following a legal event, the bank has to bear legal costs. The costs are directly paid by the
counterparty to the recipient (law firm, court, etc.). These costs are not included in the gross loss
amount.
• A bank enters a lawsuit on January 1st, legal fees arising during the year and subsequently are
reported to ORX as they are incurred or provided/provisioned for. The settlement amount may be
reported at the settlement date for discoverability reasons.
• Litigation resulting in a loss due to a fraud event (internal or external), where the firm had duty to
prevent (as in forged checks, unauthorized credit card use, control of own employees, etc.).
• Successful legal defences where the full costs are not born by the counterparty.
• Fines and claims following revenue overstatement, accounting errors and mark-to-market errors in
institutions’ financial accounts.
• Violations of employment laws (including laws prohibiting discrimination).
• Losses for which the firm may bear vicarious liability.
• Loss resulting from accident/injury for which the firm may be legally responsible.
• Failure to follow regulatory prescriptions resulting in fines or assessments (taxes, money laundering,
etc.).
• Losses due to retroactive changes in laws or regulations affecting the firm’s business, even though they
may not be avoidable (this constitutes an external impact). (changes in tax jurisdiction etc.).
• Misuse of third-party intellectual property, patents, etc.
• Fiduciary duty/conflict of interest violations.
• Consumer protection law/securities law/common law fraud/commercial conduct violations.
• Contract disputes (e.g. with insurance providers, service providers, outsourcing partners).
Managing risk together Page 18 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
• Obligation to make client whole for losses resulting from mismanagement of client property or
transactions.
• Refunds (or discounts of future services) to customers caused by Operational Risk events, before the
customers can lodge a complaint, but, for example, after the institution has already been legally
required to refund other customers for the same event.
• If a firm has suffered an Operational Risk loss as a victim (e.g., from unfair competition, contract
violation, etc.) and seeks recovery through litigation.
A trader is dismissed for alleged rogue trading after causing trading losses of €10m. The bank initiates
litigation with the trader, who claims "no wrongdoing". If the trader wins, the loss is not Internal Fraud (EL01),
but could be some other form of Operational Risk or Market Risk. It is not always certain, at the time the
action is initiated, that this is an operational risk event. As a result, the reporting of losses including legal fees
can only take place once the case is settled.
Examples – Excluded from Reporting to ORX
• If there is no underlying OR event then there is nothing to report to ORX, irrespective of whether the
firm has incurred expenses.
• Use of external counsel / attorneys for general advice, document preparation or review, legislative
representation, etc. outside the context of a specific dispute or litigation.
• Technical litigation (inter-pleader, quiet title actions, etc.) in which the firm is not a substantive
stakeholder.
• Court / tribunal / arbitration settlements which are used in certain jurisdictions as a standard procedure
to determine a final payoff to an employee at retirement or when terminating a work contract (without
any allegation of any wrongdoing on any side) whereas in other jurisdictions the amount of a settlement
is determined via defined rules / laws.
• Legal costs and attorney’s fees for credit/collection cases or other disputes not involving an Operational
Risk event.
Cross-Reference:
Definition of Operational Risk Section 3.1.1
Observation & Discovery Date Section 3.3.1
Provisions Section 4.2.5
ORRS Updates
ORX ORRS Update - (0006) Legal Risk No Blame (Req) 10 Dec [Link]
ORX ORRS Update - (0008) Legal Risk External Fees (Req) 10 Dec [Link]
ORX ORRS Update - (IE0013) Payment Protection Insurance (Rec) 7 May [Link]
Managing risk together Page 19 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3.2.4 Tax Events
Definition: Tax events are defined as fines (penalties), interest and legal costs imposed by tax authorities on
taxes arising from the bank’s operations, and in addition, the unpaid tax when performing a service on behalf
of clients.
These Tax Events are a consequence of a prior operational risk event that led to the fines (penalties) being
applied by the tax authorities.
Requirement: Tax Events should be allocated to the event category that gave rise to them, for example
EL0402 Improper Business or Market Practices.
The Gross Loss amount for reporting to ORX includes:
Liability for Tax
Bank External
Payment by: (e.g. client, employees)
Fine imposed No Fine imposed
Fine (penalties) OR loss ------ OR loss
Bank Interest OR loss OR loss* OR loss
Legal Costs OR loss OR loss* OR loss
Tax payment Not reported Not reported OR loss
External Fine (penalties)
Interest
Not reported Not reported
Legal costs
Tax payment
*Only when there is a prior underlying OR event
Examples – Included in Reporting to ORX
• When performing a service on behalf of a client, the unpaid tax which can be claimed from the recipient
of the service (i.e. client) is part of the loss, any recovery from a client would be considered as such.
• Withholding Tax claimed by Tax Authorities, not charged to the customer, due to misinterpretation of
regulation or procedural error (when the Banks acts as an agent of the Tax Authorities).
• Tax penalties and associated interest or regulatory fines
• Tax penalties and associated interest incurred when performing a service as an agent on behalf of the
customers are treated as an Operational Risk event.
• A tax related interest payment to Tax Authorities resulting from an erroneous tax calculation (e.g.
technical failure resulting in an incorrect calculation of the tax debt).
Managing risk together Page 20 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples – Excluded from Reporting to ORX
• A tax related payment (including interest) arising from a divergent interpretation of tax law by the bank
and tax authority, where the original tax calculation was performed in accordance with tax rules. The
bank may be required to make the tax payments (which may span over several accounting periods)
as well as an interest component attributed to the delay.
This is not the result of an underlying operational risk event and is not considered an operational risk
loss.
3.3 Operational Risk Loss
Definition: An Operational Risk loss is a negative and quantifiable impact on the P&L of the firm due to an
Operational Risk event:
Requirement: ORX requires you to report all events where the gross loss is greater-than-or-equal-to
EUR 20,000. It is in the responsibility of a Member to ensure the collection and reporting of all Operational
Risk events where the EUR 20,000 threshold applies. Whether to collect Operational Risk events below EUR
20,000 for internal purposes is left to the Member – at present reporting of these events to ORX is not
necessary.
3.3.1 Lifecycle of an Operational Risk Loss
Definition: Three important dates in the life cycle of an OR event are:
1. Date of Occurrence: the date when the event happened or first began,
2. Date of Discovery: the date on which the firm became aware of event, and
3. Date of Recognition / Accounting Date: the date when a loss or reserve/provision was first recognized
in the P&L
Requirement: ORX requires the submission of three dates (occurrence, discovery, recognition / accounting)
in connection with each event record:
For grouped losses the first date (occurrence, discovery, recognition) always used even if multiple losses are
posted at different times in the General Ledger (Section 3.2.1). The event will subsequently be updated as the
financial impacts are incorporated over time. The dates are generally constant over the lifecycle of an OR
Loss.
Example – Included in Reporting to ORX
• A theft was perpetrated on November 10, 2003 [date (1)]. The theft was identified on December 15,
2003[date (2)]. The loss was booked in the P&L on January 15, 2004 [date (3)]. This event will be
reported as a Q1-2004 loss for ORX.
Example – Excluded from Reporting to ORX
• Losses which are not recognized in the P&L, are not reported to ORX
Managing risk together Page 21 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3.3.2 Timing Losses
Definition: Timing losses are due to Operational Risk events which result in the temporary distortion of an
institution’s financial accounts (i.e. material misstatement of the institution’s financial statements).
Requirement: Timing Losses should NOT be included in the ORX submission. However, an initial timing loss
may lead to an OR loss, which must be submitted.
This is a deliberate difference from the CEBS “Compendium of Supplementary Guidelines on implementation
issues of Operational Risk" page 11.
Background: Although Timing losses are not reportable to ORX, it is considered useful for Members to
collect them in their databases for risk management purposes.
Examples – Included in Reporting to ORX
• An accounting error is made which results in the incorrect reporting of financial statements. As a result,
a fine is incurred. The fine is to be reported as an Operational Risk loss event (and NOT the correction
of the financial statements).
• An account error is made which results in the incorrect reporting of financial statements. As a result, a
class action suit is filed, and a settlement is made. The legal loss is to be reported as an Operational
Risk loss event (and NOT the correction of the financial statements).
• In 2011, it was discovered that the P&L has been misstated for two financial years. The company
expects a class action (e.g. as a consequence of a fallen share price) and therefore sets a provision
aside. As this timing loss gives raise to legal risk and the P&L was misstated for over two periods, this
timing loss is reportable to ORX. The reportable amount consists of the amount of the provision NOT
the restatement of the P&L.
3.3.3 Pending Losses
Definition: Pending losses are defined as losses from Operational Risk events which are temporarily booked
in transitory and/or suspense accounts and are not yet recognised in the firms P&L.
Requirement: These events should NOT be reported to ORX,
Examples – Excluded from Reporting to ORX
• Funds are recovered through right of offset – i.e. funds are available in another account held by the
customer and recovered from that other account
• Payment is issued to the wrong counterparty, and the open position is posted to a suspense account.
Managing risk together Page 22 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
3.4 Boundary between Operational and Other Risks
The definition of “Operational Risk” is broadly worded to include all elements of an Operational Risk. But the
wording could also be interpreted too broadly to include:
• certain non-operational events, as many business risk events from other risk types (details outlined in
sections below) could technically be included within the phrase “inadequate or failed internal processes,
people.”
• events that have OR aspects, but are already included in the capital regimes of other risk types,
especially Credit Risk and Market Risk. The principle here is to avoid double counting.
Therefore, this section intends to provide clear guidance on the boundaries of OR, i.e. to define which events
are reportable and which are not; thus, the following boundary issues are addressed within this section:
• Credit Risk,
• Market Risk,
• Liquidity Risk,
• Strategic Risk,
• Business Risk,
• Project Risk, and
• Reputational Risk.
Requirement: Where the boundary relates to a risk category that also attracts regulatory capital then the
overriding principle is that a firm only provides capital for the loss once. Under these circumstances the
question is one of whether the capital calculation captures the risk / single loss data record. This rationale still
applies even if the firm is using Standardized or Basic Indicator approach to determining capital for these risk
categories.
3.4.1 Credit Risk
Definition: Credit risk is the risk of loss due to counterparty default - failure to meet a contractually pre-
determined obligation.
Requirement: For ORX purposes, all individual Credit losses (provisions or depreciations based on the
Member bank's standards) above a threshold of €500k (a Member may use lower thresholds internally) are to
be reviewed for the existence of an Operational Risk component. Where an Operational Risk component
exists, and the impact is equal to or above €20k, then the event must be reported to ORX. If the OR
component is within the Credit Risk regime (i.e. accounted for in the P&L as a credit loss AND reflected in
Credit Risk Modelling), it is to be flagged as OR driven Credit Risk, if not, it is outright OR.
A Member should report the OR component. If the Member is unable to identify the OR component,
then the full loan amount should be reported as an OR driven credit risk event.
Managing risk together Page 23 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Background: It is a Basel requirement for banks to record OR losses within Credit in their OR loss
databases. Such events are characterized by the fact that they are OR by nature, however the loss due to
default is already reflected in the Credit Risk capital calculations. To avoid double-counting, such OR losses
within Credit are to be flagged and to be excluded from OR capital calculations.
Credit losses are usually either booked on specific accounts, or embedded in trading P&L. Thus, it is generally
necessary for the OR function to see to it that employees involved in the credit risk related processes are
trained in recognising operational losses to establish processes for analysis and recording of the OR
component within these losses. As a consequence, for a number of Members, it can be the Credit Risk
Impairment Team that is involved, or even determines whether part of the loss is OR driven Credit risk and
therefore justifies the “C” and reporting to ORX. It is important therefore, that the Operational Risk
management function liaise with their Credit counterparts to promote consistency between firms on the
implementation of the Credit Risk Flag.
As this boundary is both accounting standard dependent and firm specific, it is acknowledged that in some
cases the boundary defining credit losses may be drawn differently in Member firms for the same type of loss.
However, the ambiguity is not considered higher than in the credit processes themselves, i.e. the ambiguity is
acceptable.
ORRS Updates
ORX ORRS Update - (0005) Madoff A (Req) 10 Dec [Link]
ORX ORRS Update - (0009) Trading Bk Risk Boundaries (Req) 5 Nov [Link]
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec [Link]
Examples – Included in Reporting to ORX (Operational Risks within Credit)
• Collateral failure: failure to properly apply for loan insurance, failure to make a public filing needed to
“perfect” a security interest, failure to monitor collateral and make timely collateral calls, etc. In such
cases, only the lost collateral value is reported to ORX (which may be lower than the full default
amount);
• Procedural failure: where processing errors prevent recovery on a loan or actually enable a loss, as
where a cash advance is made on a credit facility that was earlier cancelled by the loan officer;
• Fraud: loans obtained in a fraudulent transaction;
• Legal issues: loan documents may contain legal defects (invalid clauses, ambiguous terms, etc.);
• Scoring models: errors in scoring models may result in the approval of transactions that would not be
admitted;
• Sales practices: certain sales practices may result in credit defaults.
• For capital purposes, any write-down due to loss of recourse may be considered credit loss.
• OR Losses are incurred because of technical errors by the lead bank in a loan syndicate. Syndicate
Members agree to absorb part of the cost, since they recognize that they could have detected the lead
bank’s error at an earlier date. This is a direct recovery for the lead bank, and a gross loss for the
syndicate Members.
Managing risk together Page 24 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Cross-reference: Basel II Accord Section V. A
Para 101 Operational Risk losses that are related to credit risk and have historically been included in banks’ credit
risk databases (e.g. collateral management failures) will continue to be treated as credit risk for the purposes of
calculating minimum regulatory capital under this Framework. Therefore, such losses will not be subject to the
Operational Risk capital charge.
Para 102 Nevertheless, for the purposes of internal Operational Risk management, banks must identify all material
Operational Risk losses consistent with the scope of the definition of Operational Risk (as set out in paragraph 644
and the loss event types outlined in Annex 7), including those related to credit risk. Such material Operational Risk-
related credit risk losses should be flagged separately within a bank’s internal Operational Risk database. The
materiality of these losses may vary between banks and within a bank across business lines and/or event types.
Materiality thresholds should be broadly consistent with those used by peer banks.
3.4.2 Market Risk
Definition: Market risk is defined as the risk of loss due to market prices changes on outstanding positions,
due to discretionary market judgements.
Requirement:
• OR events within a bank that either cause a market risk loss or where market risk drives the severity
are to be reported as an OR loss.
• OR events outside the bank that cause market risk losses within a bank or increase their magnitude are
NOT to be reported. Only exception: External or Internal fraud directly against the bank.
Background: The original Basel II Accord has almost no guidance on the OR/MR boundary, and the ORRS
version from 2007 also has limited coverage. In the meantime, the CEBS has published a compendium and
ORX already has published case law on the topic, addressing major events that have occurred in the
meantime. ORRS is in line with CEBS.
Examples – Included in Reporting to ORX:
• Rogue trading
• Human errors in transactions originated in market areas (e.g. fat finger, buy instead of sell). The
amount to be reported is the amount of the mark-to-market impact in the in the daily (trading) P&L when
discovered plus costs to unwind positions.
• Transaction processing errors (system outages, late execution, static data deficiencies, missed
deadlines)
• Stop loss or position limit violation: losses incurred from failure to properly execute a stop loss, or
excess of approved limits will be considered operational (only the amounts in excess of the stop loss or
limit will be recorded).
• Error in pricing model – methodology or implementation
• Reimburse clients for alleged improper due diligence before fund sales.
• A security is bought when a sale was intended and the error is detected the same day, the market value
on the day of the transaction is utilized for purposes of calculating impact, even if the security is held for
period of time afterwards until a more favourable market environment develops. In this case impact is
determined at the time the event is discovered.
Managing risk together Page 25 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples – Excluded from Reporting to ORX: (“OR driven MR”)
• Enron balance sheet fraud impacting market price of Enron shares in trading book
• Fraud at an (external) SPV impacting the market price of a security in the bank’s trading book
• Terrorist attack destroying assets of a firm held in private equity portfolio (on bank account)
• Market risk losses (e.g. trading losses, incorrect investment decisions) are not considered OR.
ORRS Updates
ORX ORRS Updates - (0005) Madoff A (Req) 10 Dec [Link]
ORX ORRS Updates - (0009) Trading Bk Risk Boundaries (Req) 5 Nov [Link]
ORX ORRS Updates - (IE0001) Visa (Req) 23 Apr [Link]
Cross-reference: Basel 2 CRD
Operational Risk losses that are related to market risk are treated as Operational Risk for the purposes of
calculating minimum regulatory capital under this Framework and will therefore be subject to the
Operational Risk capital charge.
3.4.3 Strategic Risk
Definition: “Strategic risk is defined as negative effects on capital and earnings due to business policy
decisions, changes in the economic environment, deficient or insufficient implementation of decisions, or a
failure to adapt to changes in the economic environment”.
Strategic risk losses occur when conscious business decisions in an uncertain environment (without any OR
components like process failures or guideline breaches) retrospectively turn out to be wrong. They are often
— but not always — associated with senior management decision making,
Requirement: Strategic Risk Losses are not recordable in the ORX database as they are not OR based on
the Basel definition. This also holds for the strategic components of Project Risk (see section below).
Examples - Excluded from Reporting to ORX
• Decisions to invest in new business lines, products, assets, markets, services, equipment, projects, etc.
• Merger and acquisition decisions.
• Restructuring / staff reduction.
• Regional or local based strategy (opening and closing branches or processing centres, etc.).
• Personnel hiring and termination decisions (unless carried out in a manner that violates legal or
contractual requirements). See event category “Employee Relations” (Section 5.2 and the Appendix) for
a more detailed explanation.
• Goodwill payments: The acceptance for relationship purposes of a loss (or making up for client’s
losses) for which a client bears full responsibility is a strategic decision, and thus is not recordable.
However, this applies only where the client is entirely at fault and the bank has filled its obligations (for
instance reminding the client of their obligations on a timely basis). This does not excuse a case in
Managing risk together Page 26 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
which the firm books client fees but neglects to send bills for an extended period, and then decides to
“forgive” the obligation when the mistake is finally discovered.
3.4.4 Project Risk
Definition: A project is a temporary endeavour undertaken to create a unique product, service or result.
A project has a definite beginning and end. The end of the project is reached when the project’s
objectives have been achieved or when the project is terminated because it will not or cannot achieve its
objectives, or the need for the project no longer exists.
Project Risk is the Risk that the project does not:
• Provide the agreed functionality, and/or
• Complete within the Budget, and/or
• Complete on time.
Requirement: Based on the definition of Strategic Risk above, project risk losses incurred due to incorrect
judgment and bad decisions are Strategic Risk and thus not reportable to ORX as they are not OR based on
the Basel definition.
Examples – Included in Reporting to ORX:
• “Normal” Operational Risk events that happen during the project are recognised as OR losses and are
reportable to ORX (e.g. late or duplicate payments, frauds, guideline breaches)..For such individual
events the decision as to whether they are included in Operational Risk reporting or not is based upon
considering the event in isolation of any projects.
Examples – Excluded from Reporting to ORX:
• Budget overruns, “scope creep” and project cancellations are not to be reported. The underlying
judgments and decisions are similar to decisions to invest in new business, which may go wrong in a
similar manner.
3.4.5 Business Risk
Definition: Business risk is defined as the risk that volumes may decline, or margins may shrink, with no
opportunity to offset the revenue declines with a reduction in costs. Business Risk captures the risk to the
firm’s future earnings, dividend distributions and equity price.
Requirement: Business Risk losses are not recordable in the ORX database.
Examples of Business Risk – Excluded from Reporting to ORX:
• Business risk measures the risk that a business may lose value because its customers sharply curtail
their activities during a market down-turn, or because a new entrant takes market share away from the
bank.
• This risk increasingly extends beyond balance-sheet items to fee-generating services, such as
origination, cash management, asset management, securities underwriting and client advisory services.
Managing risk together Page 27 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
• Business Risk incorporates decisions around the mix of cost types, for example variable, semi-variable,
semi-fixed and fixed costs. The cost of postage is a variable cost as it would not be incurred without
having something to post. However, the cost of notifying a counterparty about a transaction is largely
fixed due to the investment in computer systems and that these costs would be incurred even if the
transaction had not been executed.
Cross-reference: (Basel Committee published "Ranges of Practices and Issues in Economic Capital
Frameworks" (March 2009) page 25)
3.4.6 Reputational Risk
Definition: Reputational Risk is defined as the damage to the firm’s reputation with relevant external parties,
such as counterparts, clients, the shareholder community, governments, regulators etc.
Requirement: Reputational Risk is not recordable as an Operational Risk loss. This is true both:
• where the entire impact of an event is reputational; and
• where reputational damage is one impact of an event that also has other, recordable losses (in this
case only the recordable losses are submitted as an OR event to ORX).
3.4.7 Liquidity Risk
Definition: The risk of loss arising from a situation where (1) there will not be enough cash and/or cash
equivalents to meet the needs of depositors and borrowers, (2) sale of illiquid assets will yield less than their
fair value, or (3) illiquid assets cannot not be sold or purchased at the desired time due to lack of market
participants or capacity.
Funding Liquidity Risk is defined as the risk that the firm will not be able to meet efficiently both expected and
unexpected current and future cash flow and collateral needs without affecting either daily operations or the
financial condition of the firm.
Market Liquidity Risk is the risk that a firm cannot easily offset or eliminate a position at the market price
because of inadequate market depth or market disruption.
Requirement: Neither of the two aspects of liquidity risk is reportable to ORX.
Managing risk together Page 28 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
4 Determine the Operational Risk Loss Amount – Quantification
4.1 General Principles
An Operational Risk event is not subject to ORX reporting unless it has a quantifiable negative impact on the
P&L of the firm. Such impacts may be reflected anywhere in the P&L of the firm, and multiple impacts must
be aggregated for submission. The quantifiable impacts are described below as Gross Losses and
Recoveries (direct and indirect).
Splitting events is allowed when multiple Business Lines are impacted, even if the event is reflected as a
single item in the accounts at Corporate level (see 5.3). In this case related events must be linked. It should
be noted that the splitting (and linking) of events is not permitted for any other category (e.g. Event Type,
Product or Process).
ORRS Updates
ORRS Update - (0011) Loss Allocation Legal Entities (Req) 8 Apr [Link]
ORRS Update - (0012) Loss Allocation Products (Req) 4 March [Link]
4.1.1 Gross Loss
Definition: Gross Loss equals the sum of all P&L impacts related to an Operational Risk event before
recoveries. Operational Risk gains, opportunity losses (Section 4.2.2), internal costs (overtime, bonus etc.)
and timing losses (Section 3.3.2) are not reported to ORX although they may be collected internally by
Member banks.
In a few cases the Gross Loss may be based upon a definable or quantifiable economic impact upon the firm.
Examples include uncollected revenue associated with contractual obligations and depreciated Fixed Assets,
Investment Assets and Intangibles (Section 4.2.4).
Requirement: Gross Loss above the reporting threshold is reportable to ORX.
Examples – Included in Reporting to ORX - For ORX purposes, the following specific items are included in
Gross Loss computation:
• Charges to P&L and write-downs due to Operational Risk events.
• Uncollected Revenues and Negative Revenues.
• External costs of repair or replacement made to restore the firm to its original pre-event position.
• External attorney fees paid in connection with Operational Risk litigation.
• Payments made to third parties for lost use of funds, net of amounts earned on funds held pending a
late payment.
• A single event can cause both positive and negative P&L impacts.
An example is a system outage in a bank, causing all trades in a location to be executed one day later.
This may have a positive impact on some of the trades and a negative impact on others, depending on
market movements and the trade details. These impacts are to be netted, as they are all components of
the Gross Loss (i.e. the positive components are not to be considered recoveries as described below).
Managing risk together Page 29 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
If the net amount is a loss and exceeds the threshold, it is to be reported. In a special case, this may
even lead to the following submission to ORX: two linked events of €100k (loss) in Global Markets and -
€50k (gain) in Equities. The reference business line should be the one where the losses occurred, as
opposed to any gains).
ORRS Updates
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec [Link]
ORX ORRS Update - (IE0013) Payment Protection Insurance (Rec) 7 May [Link]
4.1.2 Recoveries
Definition: In some instances, Operational Risk losses can be reduced after–the-fact by recoveries. A
recovery is an independent occurrence, separate in time from the original event, in which funds are recovered
or contributed, usually from or by a third party. Recoveries may be direct or indirect. An indirect recovery is
generally an insurance recovery (capital market products maybe there in the future). A direct recovery is any
payment (other than an indirect recovery) received by the bank which offsets the loss.
Requirement: The reporting threshold for ORX submissions applies to the Gross Loss before any recoveries.
Recoveries can only be recognised if the initial Gross Loss has been recognised in the P&L, i.e. recoveries
are not appropriate for items in suspense accounts.
Direct recoveries are reportable to ORX.
Indirect recoveries are reportable to ORX, including those received from independent, regulated captive
insurance companies (i.e. the indirect recoveries may be accepted by the firm’s local regulator as eligible for
capital reduction).
Examples – Included in Reporting to ORX:
• Payments received from an insurance company as a result of a claim made by the bank against an
insurance policy is an indirect recovery.
• A firm incurs losses for which it initiates legal action (as plaintiff), claiming antitrust violations. Amounts
received in settlement of the litigation represent a direct recovery relative to the original losses, for
example external legal fees. (see Legal Events Section 3.2.3)
ORRS Updates
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec [Link]
4.2 Special Cases
4.2.1 Rapid Recoveries
Definition: ORX defines a rapid recovery as a P&L loss that is fully or partially recovered within no more than
5 business days from the Date of Recognition.
Requirement: Rapid recoveries are not separately reportable. A Rapid Recovery within the 5 business days
can thus be deducted from the gross loss OR reported as a direct recovery.
Managing risk together Page 30 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples – Reflected in Reporting to ORX
• Payment made to a wrong counterparty, the counterparty identifies the error and returns the entire
payment within 5 business days of being initially posted to the P&L. As the Initial Loss and the Rapid
Recovery net to €0, the event is considered to be a “near miss”.
• A single error in payment system results in €100,000 being overpaid to two counterparts. One
counterpart returns €65,000 within 2 business days of the overpayment. Gross Loss reported to ORX
is €35,000 (= €100,000 - €65,000).
• A single error in payment system results in €100,000 being overpaid to two counterparts. One
counterpart returns €65,000 within 2 business days of the overpayment. The outstanding €35,000 is
repaid after 15 business days. The Gross Loss reported to ORX is €35,000, with a Direct Recovery of
€35,000.
• For losses from misdirected payments this means that they should only be reported if they have not
been fully recovered 5 business days after they have been booked from suspense account to P&L.
• A misdirected wire transfer is not detected for several months, and once discovered the payment is not
immediately returned on a voluntary basis. The firm books a loss on the P&L. After further negotiation,
the firm is able to regain the funds after more than 5 business days. The event is reportable to ORX,
the recovery is classified as a direct recovery.
• An erroneous wire transfer is made on June 29, the policy of the firm is to book these to P&L. The
provisional P&L on the quarter end shows the wire transfer as a loss. On July 2, the firm recovers all of
the money and makes a prior period accounting adjustment, within the 5-business day window for rapid
recoveries. The net amount after recovery is €0.
In this case the prior period accounting adjustment must be reflected in the amount reported to ORX to
avoid inappropriate volatility in data used by ORX Members due to the use of the provisional accounts
as opposed to the final accounts.
4.2.2 Revenue Adjustment
Definition: Revenue Adjustment is where the impact of an operational risk event is incorporated into the
revenue stream rather than being entered into a general ledger error account or the equivalent.
Requirement: Revenue Adjustments that are negative are to be reported to ORX.
By their very nature the impact of operational risk events resulting in Revenue Adjustments may not be fully
reflected in the General Ledger. As a result, events that generate losses, which have been disclosed
internally and are traceable, will be reported to ORX. It is recognised the Members who use the general
ledger as a reference will not be able to quality assure these Revenues Adjustments with the same degree of
certainty over completeness or amount. As a result, events which have been disclosed internally and are
traceable will be reported to ORX.
Revenue Adjustments which represent gains may be captured by Members to provide a more complete
picture of operational risk events.
Managing risk together Page 31 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples – Included in Reporting to ORX
• A trader executes a transaction, for a client, the wrong way around, for example a buy instead of a sell.
Upon identification reverses the transaction incurring a loss. The loss is incorporated into the daily P&L
of the trader.
• A trader executes a transaction, as principal, and executes the wrong amount. Upon identification, an
adjustment is made to the position on the firm’s balance sheet incurring a loss. The loss is incorporated
into the daily P&L of the trader.
4.2.3 Uncollected Revenue
Definition: Uncollected revenue is defined as revenue which is not collected due to an operational risk event.
Requirement: Uncollected revenue is reportable to ORX when:
• There is an explicit decision not to collect revenue as a means of compensation following an
operational risk event despite the existence of a contractual obligation on the side of the client.
• It is not realized as a result of an operational risk event and where the client does not have the
contractual obligation to compensate the firm.
• It is not realized as a result of an operational risk event by the firm in the execution of the contractual
obligation.
By their very nature the impact of operational risk events involving Uncollected Revenue may not be fully
reflected in the General Ledger. As a result, events which have been disclosed internally and are traceable
will be reported to ORX. It is recognised the Members who use the general ledger as a reference will not be
able to quality assure these Uncollected Revenues with the same degree of certainty over completeness or
amount. As a result, events which have been disclosed internally and are traceable will be reported to ORX.
Examples – Included in Reporting to ORX
• The bank decides to not charge a client the full fee in compensation for an operational risk event
involving the client caused by the bank. The compensation is the amount to be reported as Gross
Loss. (The bank decides to reduce or waive its fee for the next 6 months to compensate for a separate
operational risk event).
• The bank compensates a client for an operational risk event through a revenue adjustment (suspension
of a fee) rather than a compensation payment. An asset manager has an operational risk event (i.e.
trading error) and compensates the client through a revenue adjustment (waiving or reducing
contractual fees for a period of time).
• The bank charges a lower fee than contractually required due to an operational risk event. The bank
decides not to claim the amount. (The contractual obligation was at 1.9% and the bank charged the
client 0.9% interest due to a setup error and has made a decision not to go after the 1%.) This amount
is to be reported as a Gross Loss.
Examples – Excluded from Reporting to ORX
• A bank issues an invoice to a client. The client does not pay. This constitutes uncollected revenue and
is contained within credit risk. No operational risk event occurred.
Managing risk together Page 32 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
• A product launch is cancelled due to an operational risk event. The budgeted revenue does not reflect a
contractual obligation. This is an opportunity cost.
• A trader cannot trade due to a power failure. The revenue that the trader wishes to have made is not a
contractual obligation and constitutes an opportunity cost.
• A business unit is suspended due to regulatory sanction from conducting specific types of revenue
generating activities. The uncollected revenues during the period of suspension are opportunity costs
due to the lack of contractual relationship with clients.
• An ATM machine fails over a weekend. Any uncollected revenues that might have been generated are
opportunity costs due to lack of contractual agreement with clients to use one or more ATMs.
• Undercharging or overcharging for products or services as the settlement amount would be treated as a
timing error. E.g. wrongly overcharged interest rates or fees which are later refunded to the client.
Although the event can be caused by operational risk, e.g. procedural failures or human mistakes, this
is a timing error as the balance sheet / P&L is the same as it would have been if the error had not taken
place.
4.2.4 Fixed Assets, Investment Assets, and Intangibles
Definition: The Gross Loss for Fixed Assets, Investment Assets and Intangibles deviates from using “book
value” accounting standards to economic value. Economic value can be considered to be the cost of
replacement. This is due to these accounting standards being established for purposes other than OR
Management purposes.
Requirement: The following rules will apply for ORX reporting:
• If the damaged/lost asset is replaced, the recordable loss amount will be the replacement cost, on a net
present value basis. For this purpose:
1. Replacement cost is determined by the actual invoice or amount paid, or the present value of a new
financing obligation.
2. Relative costs of maintenance or operation (e.g., of a new building versus a destroyed building), are
not to be taken into account.
3. Enhancements are not part of replacement cost, but general improvements in replaced equipment
(e.g., due to interim technological advances) are not “enhancements”.
• If a damaged/lost asset is not replaced, then the market value, if any, of the asset just prior to the event,
will be recorded. In case there is no way to obtain the market value, then the book value will be used.
Note: This means that the loss will deviate from the P&L impact.
Any insurance recovery received will be reported as an indirect recovery.
Background: It is understood that accounting rules for fixed assets and intangibles will vary according to
country. The rules above aim at reporting the economic impact and to ensure that events are reported
similarly without regard to origin.
Examples – Included in Reporting to ORX:
• Destruction of a building that is fully depreciated
Managing risk together Page 33 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples – Excluded from Reporting to ORX:
• Misreporting of income from assets held in non-Mark-To-Market books (investment assets) usually
creates a timing impact, which can be fully corrected once discovered and which is not subject to ORX
reporting.
4.2.5 Provisions & Reserves
Requirement: A provision or reserve taken for an individual OR Event must be included in the gross loss
reported for the event. The amount reported to ORX should be adjusted in subsequent periods as the size of
the provision/reserve changes.
If a provision is taken for several events whose background or impact is not individually determined, then the
item is NOT reportable until the investigation is complete.
Background: Sometimes the impact of an Operational Risk event is reflected in the P&L by a provision
before it is finally closed out. This occurs most often in litigation matters or in complex events where additional
time for investigation or repair is required.
ORRS Update
ORX ORRS Update - (0010) Credit-OR Boundary Example (Req) 10 Dec [Link]
Cross-reference: See also Section 3.2.3 – Legal Events for the reporting of provisions / reserves that are
subject to on-going actions.
4.2.6 Regulatory Action – Fines and/or Penalties
Definition: Regulatory action is defined as fines, penalties or settlements as a result of failure to follow
regulatory prescriptions.
Requirement: Regulatory action falls in several categories, as listed below. Some categories are recordable
as OR losses and some are not. It should be noted that regulatory action for one event is often composed of
impacts falling in more than one of the categories.
Examples - Included in Reporting to ORX:
• Regulatory fine: Recordable as OR loss.
• Restitution to clients: Recordable as OR loss. Although the underlying idea is disgorgement of profits
(i.e. repayment of profit made in the past that is not considered appropriate by the regulators), it has the
character of backdated change in law, which is recordable.
• Mandatory contribution to fund or specific expenditure: Recordable as OR Loss, as it does not matter
who receives the penalty.
Examples - Excluded from Reporting to ORX
• Close of business for some time (license suspension): not recordable, as this is an Opportunity Cost.
• Cost to fix the identified deficit: Not recordable, because these are generally investments to improve
controls etc.
Managing risk together Page 34 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
4.3 FX Conversion Rates
Requirement: When reporting to ORX, Members using base currencies other than Euro or USD, must
convert their loss amounts to Euro based on the exchange rate. The conversion should be performed with the
internal booking date. The accounting date / recognition date of the event can be applied in the case where
the internal booking date is not available for every single booking. The internal booking date must be the main
driver for reporting purposes.
Managing risk together Page 35 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
5 How to Categorise Operational Risk Losses
This section provides an overview of the ORX categorisation dimensions. More detail on the individual
category labels can be found in Section 8 Detailed Descriptions of Data Categories (page 55).
5.1 Business Lines
Definition: Business Lines represent profit centres where the revenues are generated from third parties, not
allocations from other parts of the firm (service centres). In recognition that some events are experienced by
the entire firm, or large part of the firm, there is a specially designated Business Line called “Corporate Items”
(see Section 5.1.1).
The Business Lines used for reporting by ORX Members are similar to those used for reporting to the
supervisors, but not exactly the same as can be seen in Table 1 (page 39) below. It is not expected that any
bank will have organised its business units or business divisions in accordance with ORX or supervisory
business lines, as a result some allocation of Gross Income and OR Losses will be required (see Section
5.1.3 Materiality below).
The general objective of the Business Line attribute is to:
• Encompass the entire transaction / value chain.
• Include activities that may be performed centrally on behalf of the Business Line.
• Include activities that may be outsourced to non-bank group subsidiaries and/or third parties.
Essentially a Business Line has direct or indirect access to all of the resources to be equivalent to an
independent company, for example finance, accounting, HR, IT, capital etc.
Requirement: ORX requires the allocation of all Operational Risk events to a Level 2 Business Line.
Refer to Section 8.2 Business Lines (page 56) for the definitions and examples.
5.1.1 Corporate Items
Definition: The Business Line Corporate Items has been created for purely corporate level items, such as
those affecting the Board of Directors (or the equivalent) as a whole, or as individuals, misreporting financial
statements, or other events at the corporate centre. Corporate Items is meant to be a narrow category and is
not expected to include business losses to avoid specifying ownership or accountability. A Corporate Item
must not be part of an allocation of loss that is an element of an event affecting multiple Business Lines.
The extent of use of this category by Member banks is monitored as an element of the in-cycle quality
assurance. All Members are expected to report fewer than 10% of their total number of events or gross loss in
this category.
As a service centre, Corporate Items does not have any Gross Income. If Gross Income is associated with
the loss, then it must be mapped to a business line that is a profit centre.
Managing risk together Page 36 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Event
Multiline
No Model / Allocate
Impact? impacted Business Line
Yes
All Business
No Model as Multiline
Allocate to individual
Lines Impacted?
Business Lines
Yes
Corporate
Centre or
No Model as Multiline
supporting unit Allocate to all Business Lines
impacted?
Yes
Model / Allocate as
Corporate Item
Figure 1 - Decision Tree for Mapping Corporate Items
See Section 3.2.1 Grouped Losses for an Example of Relationship between Grouped, & Linked Losses.
5.1.2 Events Affecting Multiple Business Lines
Requirement: A loss affecting multiple business lines must be reported to ORX as linked losses using a
common reference code.
In some cases, Operational Risk events impact more than one Business Line. ORX Members should attempt
to assign each event to a single business, based on degree of impact, etc. But, where an infrastructure or
similar event impacts significantly different businesses, separate records should be submitted for each line of
business impacted. The “Related event Ref ID” field will be used to indicate which records are linked by
including a common internal reference (this will be converted by the Administrator into a different code when
stored in the ORX database to maintain confidentiality)1.
All individual events being part of a grouped event must be classified within the same event type category.
For each Related event Ref ID only one record is allowed for per level 2 BL/ET combinations i.e. Member
banks must aggregate multiple records in a single level 2 BL/ET combination before submission.
Please note the mapping of one internally reported event allocated to one internal Business Line must not
lead to multiple ORX-Business Line recordings of single events.
1 Two sets of Loss Event Severity reports are delivered:
(a) reports including multi-impact events split by LOB, and
(b) a new set of reports in which events impacting more than one LOB are combined into a single record, with the resulting LOB
called “Multi-Impact.”
This allows event-level modelling of such items and later allocation based on businesses impacted.
Managing risk together Page 37 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
5.1.3 Materiality
Requirement: The trigger for separately mapping an activity to a Business Line Level 2 begins when the
Number of Losses is equal to or regularly exceeds 1% in a quarterly data delivery. Having begun to map the
activity to the Level 2 Business Line then it must continue in future data deliveries. Changes to historical data
are not required.
It is expected that this test will be applied annually or whenever there is a reorganisation, for example
business acquisition.
Background: It is expected that some degree of sub-allocation will be needed between the firm’s business
units and ORX Business Lines Level 2. It is unreasonable to expect that every loss is mapped exactly to
every ORX Business Line Level 2. In addition to the losses, this would also have implications for the mapping
of Gross Income. As a result, a materiality test is required.
Managing risk together Page 38 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Table 1 – Business Lines Type Level 1 & 2 – Basel & ORX
Business Unit Basel Business Lines ORX Business Lines
Level 1 Level 2 Code Level 1 Code Level 2
Investment Corporate Finance Corporate Finance BL01 Corporate Finance BL0101 Corporate Finance
Banking Municipal / Government
BL0102 Municipal / Government
Merchant Banking
Advisory Services BL0103 Advisory Services
Trading & Sales Sales BL02 Trading & Sales BL0201 Equities
Market Making BL0202 Global Markets
Proprietary Positions
BL0203 Corporate Investment
Treasury
BL0204 Treasury
Banking Retail Banking Retail Banking BL03 Retail Banking BL0301 Retail Banking
Card Services BL0302 Card Services
Private Banking
BL09 Private Banking BL0901 Private Banking
Commercial Banking Commercial Banking BL04 Commercial Banking BL0401 Commercial Banking
Payments & Settlements External Clients BL05 Clearing BL0501 Cash Clearing
BL0502 Securities Clearing
Agency Services Custody BL06 Agency Services BL0601 Custody Services
Corporate Agency BL0602 Corporate Trust & Agency
Corporate Trust
Other Asset Management Discretionary Fund Mgt BL07 Asset Management BL0703 Fund Mgt
Non-Discretionary Fund Mgt
Retail Brokerage Retail Brokerage BL08 Retail Brokerage BL0801 Retail Brokerage
BL10 Corporate Items BL1001 Corporate Items
Managing risk together Page 39 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
5.2 Event Types
Definition: Event Types represent a description of what happened. The Event Types used by ORX are close
as possible to the intent of the Basel Committee, but not exactly the same.
The principal requirement for ORX event classification is to support consistency, according to agreed rules
and definitions. Several means may be available to support the classification process (decision trees, types,
etc.).
Essentially the Event Type label is a response to the question “What happened to give rise to this Operational
Risk loss?” Why it happened would be part of causal analysis and outside the scope of the Event Types.
Requirements: ORX requires the allocation of all Operational Risk events to a Level 2 Event Type.
Refer to Section 8.3 Event Types (page 55) for the definitions and examples.
Managing risk together Page 40 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Table 2 - Comparison of Basel and ORX Event Type Grids
Basel ORX
Level 1 Level 2 Code Level 1 Code Level 2
Internal Fraud Unauthorised Activity EL01 Internal Fraud EL0101 Unauthorised Activity
Theft & Fraud EL0102 Internal Theft & Fraud
EL0103 System Security Internal– Wilful Damage
External Fraud Theft & Fraud ext El02 External Fraud EL0201 External Theft & Fraud
Systems Security EL0202 System Security External – Wilful Damage
Employee Practices & Workplace Employee Relations EL03 Employee Practices & EL0301 Employee Relations
Safety Safe Environment Workplace Safety EL0302 Safe Workplace Environment
Diversity & Discrimination EL0303 Employment Diversity & Discrimination
Clients, Products & Business Suitability, Disclosure & Fiduciary EL04 Clients, Products & Business EL0401 Suitability, Disclosure & Fiduciary
Practices Improper Business or Market Practices Practices EL0402 Improper Business or Market Practices
Product Flaws EL0403 Product Flaws
Selection, Sponsorship & Exposure EL0404 Selection, Sponsorship & Exposure
Advisory Activities EL0405 Advisory Activities
Damage to Physical Assets Natural Disasters EL05 Disasters & Public Safety EL0501 Natural disasters & Other Events
EL0502 Accidents & Public Safety
EL0503 Wilful Damage & Terrorism
Business Disruptions & System Systems EL06 Technology & Infrastructure EL0601 Technology & Infrastructure Failures
Failures Failures
Execution, Delivery & Process Transaction Capture, Execution & EL07 Execution, Delivery & EL0701 Transaction Capture, Execution &
Management Maintenance Process Management Maintenance
Monitoring & Reporting Customer Intake EL0702 Monitoring & Reporting
& Documentation
Customer / Client Account Mgt EL0703 Customer Intake & Documentation
Financial Counterparty Event
Vendor Event EL0704 Customer / Client Account Mgt
Managing risk together Page 41 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
5.3 Product Types
Definition: Products, which also include services, are the sources of revenue for a bank via direct or indirect
fees.
The general objective of the product type attribute is to:
• increase the understanding of the nature of losses and
• facilitate an improvement in transparency within a Member.
• link losses to products for P&L and budget purposes.
• identify chronic or recurring weaknesses, and
• promote value-added dialogue with the businesses and functional areas regarding the impact of their
Operational Risk experience and potential Operational Risk exposure.
Requirements: ORX requires the classification of all Operational Risk events against Level 2 of the product
type. Whether to classify a certain loss to a specific product type depends on what product or service was
involved when the event happened.
Refer to Section 8.4 Products (page 78) for the definitions and examples.
If revenue streams from multiple products were affected, then use the one single product type to which the
event contributing the bulk of the Gross Loss can be attributed. If no single product was involved, or where
the event was so widespread that specifying individual products would no longer be relevant, or would add
little or no value, then classify these losses as ‘not product related’ (e.g. branch or ATM robberies, natural
disaster etc.).
Examples – Included in Reporting to ORX
• Activities carried out by a bank, e.g. accepting and paying cheques, safekeeping of assets,
administration of third-party investment funds;
• Tools provided by a bank, e.g. internet banking, ATMs/ABMs, online wire transfers; debit cards;
• Support/facilitation of client activities, e.g. loans, principal or agent positions for client trades; providing
advice; lending securities.
5.3.1 Bundled Products
Definition: Bundled Products occur in two situations and are defined as follows:
• A bank puts together a bundle or package of products or services; a single fee is charged for the whole
bundle. Some of the products included in the bundle may also be available on a standalone basis and
can be purchased individually.
• A product which is offered on a standalone basis by one bank is provided as an adjunct or incidental
service in association with a ‘primary’ product by another bank.
Requirement: Products and services should be reported on a standalone basis at the most granular level
provided by the categories in the Product Type Attribute.
Managing risk together Page 42 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
To determine the appropriate Product Type category, Members must identify whether the loss involved a
single or dominant product within the bundle or package of services.
Examples – Included in Reporting to ORX
• Enhanced banking package’ composed of a chequing account, a savings account, a safe deposit box, a
credit card, a line of credit and electronic banking available for €20 per month.
• Bank A offers custody services as a standalone product; Bank B offers prime brokerage services which
include custody.
• Bank J provides custodial services to institutional clients; this includes handling of corporate actions.
Bank Q provides services related to corporate actions on an outsourced basis to other financial
institutions. In the event of a loss involving a corporate action, the appropriate Product Type category
for both banks is PD0802 Corporate Actions Services (Trust/Investment Management)
To support Members and promote consistency when addressing bundled products, a series of decision trees
have been developed (see Appendix).
Table 3 - Product Type Level 1 Labels – Overview
PD0100 Capital Raising Structuring, issuance or placement of securities and similar
instruments, not just for capital raising
PD0200 Corporate Finance Services Advisory Services regarding corporate structure and
strategic decisions
PD0300 Derivatives & Securities Trading & Sale of all securities and derivatives either via an
exchange or over-the-counter.
PD0400 Retail Credit Financing and related services
PD0500 Commercial Credit Financing and related services
PD0600 Deposits Bank account, deposit services, “plain vanilla” investment
products
PD0700 Cash Management, Payments & Client management of cash inflows/outflows; all forms of
Settlements payments; clearing, settlement and exchange services
PD0800 Trust / Investment Management Various services related to administration and management
of estates, trusts, assets, portfolios etc.
PD0900 Investment Products Investment management, execution, administration,
operational management services
PD1000 Brokerage Investment advisory, management and execution services
Other
PD9800 Non-Banking Product Other products/services not generally considered part of a
bank or investment bank’s offering, e.g. insurance
PD9900 Not Product Related Used for situation not involving products or services.
Managing risk together Page 43 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
5.4 Process Types
Definition: A business process is as a set of coordinated tasks and activities that will lead to accomplishing a
specific organisational goal; i.e. a sequence of interdependent and linked procedures which consume one or
more resources (employee time, energy, machines, money) to convert inputs (data, material, parts, etc.) into
outputs. For classification purposes ORX defines two sets of process groups.
The general objective of the process type attribute is to:
• increase the understanding of the nature of losses,
• facilitate an improvement in transparency within a Member,
• identify sources of loss concentrations,
• identify chronic or recurring weaknesses, and
• promote value-added dialogue with the businesses and functional areas regarding the impact of their
Operational Risk experience and potential Operational Risk exposure.
Requirement: ORX requires the classification of all Operational Risk events against Level 1 of the process
types to be performed as follows:
Assign the (first) process type that was being performed / impacted when the Operational Risk event (not the
OR loss!) occurred:
• consider which stage of the transaction/value cycle was being completed;
• only if the transaction / value cycle was NOT impacted then consider which aspect of corporate activity
was taking place.
Where multiple processes were affected simultaneously, select the process step to which the event
contributing the bulk of the Gross Loss can be attributed. Where no process was involved or where the event
was so widespread that specifying individual processes would no longer be relevant or would add little or no
value, a classification such as ‘not process related’ (e.g. branch or ATM robberies, natural disaster etc.) is
allowed.
A second level of process types exists to support consistent allocation within Members, but is not
implemented at ORX at this time.
Refer to Section 8.5 Processes (page 99) for definitions and examples.
ORRS Updates:
ORX ORRS Update - (IE0013) Payment Protection Insurance (Rec) 7 May [Link]
Managing risk together Page 44 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Figure 2 - Diagram of Transaction Life Cycle and Corporate Activities
Table 4 - Process Type Level 1 Labels – Detailed
Transaction Life Cycle
PC0100 Develop, design, and maintain Identify, design, produce and maintain new financial products,
Products or Services services and business capabilities, including the models and
methodologies upon which they are based.
PC0200 Market Products or Services Promote the firm and/or its products and services through
general marketing or advertising, including the production of
standard fees, rates, changes and prices for specific products
and services.
PC0300 Sell or reach agreement to conduct Sell of offer specific products and / or services of the firm in
specific business discussions with individual clients, including the quotation of
firm or indicative fees, rates, charges or the like with the intent
of concluding a specific deal for specific product sales or
service delivery.
PC0400 Take on and maintain Counterparties “On-Board” and maintain client or counterparty accounts,
including related due diligence, data and documentation.
PC0500 Capture and Document Transactions Record transaction specific terms and instructions in the
processing systems of the firm; also produce related
transaction documents.
PC0600 Deliver Products or Services Deliver or fulfil agreed-upon products / services, including set-
up and maintenance of transactions and required
arrangements and agreed-upon non-transaction financial
services (trust administration, financial advisory services, sale
of research as a product, etc.)
PC0700 Perform Settlements and Closing The definitive exchange or transfer of assets, currency or
Activities other property (commonly in exchange for value) and related
transactional mechanics.
Managing risk together Page 45 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Transaction Life Cycle
PC0800 Perform Transaction Accounting Record transaction and/or position information in the firm’s
accounting records / general ledger.
Corporate Activities
PC0900 Manage Human resources Manage human resources, apart from direct business
management functions
PC1000 Manage Information Technology Acquire or design / develop information technology and
implement related security and incident response measures.
PC1100 Manage Financial Reporting & Perform financial reporting and control, based on (but not
Taxation including) books and records or general ledger entries made
during Transaction Accounting.
PC1200 Manage Capital, Funding & Liquidity Manage the firm’s capital account, liquidity and balance sheet.
PC1300 Manage Suppliers and Outsourcing Selection, on-boarding, management and oversight of third-
Service Suppliers party vendors and outsourcing service providers.
PC1400 Manage Physical Assets & Facilities Provision and management of physical facilities, equipment
and safe workplace environment.
PC1500 Manage Audit, Compliance, Establish and maintain the firm’s policies, standards,
Governance and Legal procedures, codes of conduct and associat4ed compliance
controls and testing procedures.
PC1600 Manage Risk Systems Establish risk management processes and methodologies
(apart from standard business process and supervisory
controls) to record, monitor, evaluate, control or manage risk
exposures within the firm.
Other
PC9900 Not Process Related Used for situation where no specific process was involved,
include multiple processes, but none dominant.
Managing risk together Page 46 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
5.5 Large Loss Event Attributes
Definition: Large Losses reported to ORX are to have additional information. The additional descriptions
include:
1. Alleged Causes
2. Jurisdiction / Choice of Law
3. Counterparty / Claimant Type
4. Role of the Firm
5. Environmental Volatility
A Large Loss is defined as a single or Grouped Loss whose Gross Loss is equal to or larger than
€10,000,000.
The objective of this additional information is to:
• Increase the understanding of the nature of losses
• Improve the ability of Members to select relevant external losses for:
- Scenarios and Risk & Control Self-Assessments
- Inclusion in capital calculations or validation of capital estimates
- Benchmarking businesses and functional areas regarding the impact of potential Operational Risk
exposure.
Requirements: ORX requires the Large Loss Attributes to be provided at Level 2 for all large loss events.
While the Alleged Cause may be the result of opinion, possibly supported by a decision tool such as root
cause analysis, the other Large Loss Attributes are statements of fact, for example the role of the firm.
Due to the possible interaction between various Alleged Causes, firms may report 1 to 3 selections for this
sub-category.
Refer to Section 8.6 Large Loss Event Attributes (page 130) for the definitions and examples.
Managing risk together Page 47 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Table 5 - Large Loss Attributes Level 1 Labels – Overview
Alleged Causes
CS0100 External
CS0200 People / Staff
CS0300 Governance & Structure
CS0400 Processes
CS0500 Internal Systems Failure
Other Large Loss Attributes
LS0100 Jurisdiction / Choice of Law
LS0200 Counterparty / Claimant Type
LS0300 Role of the Firm
LS0400 Environmental Volatility
5.6 Country Codes
Definition: Country Codes identify where the country OR loss event occurred.
The geographical location of where the loss event occurred is not necessarily where the loss is booked.
When reporting data back to ORX Members the individual country codes are grouped to form regions. These
regions have critical mass to reduce the likelihood that an individual Member can be identified.
ORX uses the 2-letter country code as provided by ISO and used elsewhere in bank systems.
[Link]
Requirement: ORX requires the provision of an ISO two letter country code against all Operational Risk
events.
Examples
• A Japanese client sends an order to Hong Kong for execution of an order in a US Stock on the New
York Stock Exchange. There is an Operational Risk event. The firm should book the loss in Hong
Kong or the USA depending upon where the loss occurred.
• A project taking place in Chile is being undertaken by a German company with funding in the form of
loans in US $ from the London Office of the bank. There is a mis-estimation of interest due by the firm,
not the borrower. The loss occurred in London so the United Kingdom Country Code should be used.
Managing risk together Page 48 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
6 How to Report Exposure Indicators
Exposure Indicators are used to normalise Loss data, for example €XX Losses per €100 Gross Income. As a
result, the Exposure Indicators are a key element of the data submissions and utility of reports to Members.
Without the Exposure Indicators, it is difficult to benchmark the performance of an individual Member to all of
the Members.
6.1 Gross Income
Definition: Gross Income in the context of OR has been defined in detail in the scope of application of the
Basel II Accord (e.g. Standardized Approach) in line with local accounting principles. All Members are
allowed to follow the respective accounting principles when reporting to ORX. Generally, Gross Income is:
net interest income + net non-interest income. Net non-interest income is generally composed of:
i. fees and commissions receivable less fees and commissions payable,
ii. the net result on financial operations, and
iii. other income.
Gross Income is provided by third parties, not other parts of the group as a reallocation of costs.
This measure is gross of any provisions (e.g. for unpaid interest). The reported Gross income figure excludes
extraordinary or irregular items and income derived from insurance. Realized gains/losses from the sale of
securities held in the banking book are also to be excluded from gross income. Banks may report Gross
Income and its components according to the GAAP standards of their home country.
Requirement: The following general rules apply for Gross Income calculation to be reported quarterly to ORX
as part of the exposure indicators:
• ORX Members will report Gross Income figures according to their local accounting principles and
consistent with the scope of application of the Basel II Accord.
• ORX Members will report total Gross Income for Business Lines for which data submissions are
scheduled to be made.
• Gross Income will be reported only for those parts of the organization for which data submission is
made. Gross Income for Corporate Centre activities must be allocated to the reported ORX business
lines.
• ORX Members will report quarterly Gross Income figures (not year-to-date figures).
It is recognised that for some firms the Gross Income figure is not known at the time that the data submission
is made to ORX. Under these circumstances an estimate can be provided and corrected as part of a later
data submission. The estimates or corrections should relate to the level of activity and not simply be a 6-
month figure divided by 2.
Managing risk together Page 49 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
6.2 Sector Database Exposure Indicators
Sector databases, for example Investment Banking or Canadian, may also use Gross Income or alternative or
additional Exposure Indicators. These alternative or additional Exposure Indicators will be specified and
documented by the working group overseeing the activities of that sector database.
Managing risk together Page 50 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
7 Technical issues: Threshold, History, Coverage, etc.
Data submission to ORX is made on a quarterly basis. Each time there is a data reporting cycle detailed
templates and reporting instructions will be provided by ORX. For each data submission Members will
produce and send their data since their first reporting date (for example January 2002 for founding Members).
Members are expected to report their full loss data history.
ORX is aware that all Banks are constantly reviewing and refining their internal processes for capturing and
categorising Operational Risk losses/events. As a consequence of this refinement, Members are allowed to
modify and/or update their previously reported events.
7.1 Reporting Gross Loss Threshold
Requirement: Members are required to report all losses where the gross loss is equal to or greater than
€20,000 as an individual event or an aggregate event amount.
Background: The ORX Board fixes the threshold amount of an event to be reported to ORX. The threshold
applies to the Gross Loss (see Section 4 – Determine the Gross Loss). At present, the amount is €20,000
(loss/event aggregate amount).
Internally, some ORX Members may use a lower threshold to aggregate many small events into a single
periodic record, often for reconciliation purposes. Such aggregated records are not reportable to ORX, even if
their aggregate total exceeds the applicable reporting threshold then in effect.
7.2 Time Period
Requirement: The quarterly submission relates to all events recognized during a given quarter (this is in
addition to reporting historic data). For example, all losses above the threshold occurring in January must be
reported to ORX in the immediately following reporting cycle. Exceptions to this complete reporting relate to
legal concerns.
Reporting periods will be quarterly. A reporting quarter is defined as: January through March; April through
June; July through September; and October through December.
Quarterly reporting will be for the previously completed quarter. Quarterly reporting is performed during a two-
week window after at least six weeks of the previous quarter end. For example, for 2012 first quarter data
was reported 21st May – 1st June.
7.3 Consolidated Reporting
If the reporting entity has an equity investment or ownership of a financial services entity, that is less than
100%, then reporting losses to ORX is not required. The overall materiality of reporting for entities, where
there is less than 100% ownership, is not known and consideration of practical issues need to be taken into
account before this becomes a requirement. If there are any doubts, then these should be raised with the
Definitions Working Group.
Managing risk together Page 51 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
For Members wishing to report losses for these entities there are two criteria:
1. The legal entity must be a “bank” or a “securities company” or an “asset management company”.
Insurance companies are excluded. Or the legal entity must be performing a service for the bank that
is integral to banking. Examples include activities that are “offshored”.
2. The balance sheet and P&L of the subsidiary must be consolidated with the reporting entity. As a
result, it is generally understood that OR losses of banks where the reporting entity has less than 50%
ownership are not reported to ORX.
Members wishing to report losses for entities that are less than 100% owned also need to ensure that the
impact is not double counted, for example once in the value of the investment and then again in capital
calculations.
7.4 Exceptions to Complete Reporting
Requirement: Members are required to report losses for their complete range of banking activities and
complete geographic coverage of those activities.
Upon joining ORX a new Member may have difficulties in providing data of the appropriate quality across its
full range of activities and locations. Under these circumstances the Member is required to report only for
those activities and locations that meet the quality standards.
Members may find that a newly acquired business unit does not meet the quality standards. Under these
circumstances the Member is expected to keep reporting the loss data that does meet the quality standards
and at a later date add the data from the new business unit.
There must be alignment between the scope of reporting losses and the Exposure Indicators. For example, if
a Member is not reporting losses for the USA then the reported Exposure Indicator must exclude values for
the USA. Or if a Member is not reporting losses for BL0201 (Equities) then the Exposure Indicator reported
for Trading & Sales (BL0200) must exclude the Exposure Indicator values for BL0201.
Members reporting for part of their activities or some of their locations are expected to have plans to enable
them to provide a complete and comprehensive submission to ORX.
7.5 Submitting Historical Data
New historical data due to joining of new Members, mergers or acquiring of new Business Units will be
submitted in historical data cycles to ensure a critical mass for confidentiality reasons. During a historical data
cycle, the Members are requested to submit all their data in accordance with these guidelines. The critical
mass consists of 4 banks. ORX informs the Members whether a cycle is a historical data cycle or not.
Managing risk together Page 52 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
7.6 Effects of Acquiring or Disposing of Business Units
During the course of business, an ORX Member may decide to acquire a new activity (LoB) or sell an existing
one (e.g. Joint Ventures, newly acquired or sold subsidiary). In those cases, Members must report to ORX as
follows:
• Buying a new Business Unit
1) If the acquired BU keeps historical data & exposure indicators with sufficient quality, then data will
be simply consolidated.
If an acquired unit has credible pre-acquisition loss data, it could be included in ORX; if not,
reporting should start as of acquisition date.
To avoid double counting, a Member should not add pre-acquisition loss history of an acquired
entity, in case this entity was acquired from another ORX Member.
Future exposures (lawsuits, etc.) resulting from actions taken by an acquired entity before
purchase are reportable to ORX as they arise (in general, one buys the latent legal liabilities of a
firm when it is purchased).
2) If the acquired BU does not keep such data, then the reporting will start consolidating data when
capturing procedures are in place with the required ORX quality level.
• Selling an existing BU
If a bank sells a BU, any past losses as well as already submitted exposure indicators attributed to it
shall remain in that bank's data submission. Additionally, any events whose recognition date is after
the decision to sell should be submitted. This includes events occurring after the effective sale date.
Depending upon the terms of the sale, the vendor may indemnify the buyer for certain types of losses
for a given period of time. An example might be fraud that began before the sale but was only found
after the sale. As a result of the indemnification the selling bank is experiencing the OR loss.
7.7 Submitting Losses for a New Business Line
When an existing ORX Member starts a new business in a Business Line that he has not already reported
(e.g. Acquiring of new Business Units or subsidiaries, Extending Business) the new business unit rules of
Section 7.6 apply accordingly.
In addition, the Member informs ORXS about the new Business Line and starts to submit the collected data
(loss data and Exposure Indicators) in the next data cycle. In case of historical data, the specific rules of
Section 7.5 apply.
7.8 Stopping Reporting for an Existing Business Line
For several reasons (Selling BUs, Business Reorganisation, etc) a Member may have the situation that stops
his activities in an already reported Business Line. The Member has to ensure that no new losses can occur in
that Business Line. Informs ORXS and does not report any new losses or exposure indicators attributed to
that Business Line. Any past losses as well as already submitted exposure indicators attributed to it shall
remain in that bank's data submission.
Managing risk together Page 53 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
7.9 Mergers between Members
During the course of business, an ORX Member may decide to merge with an existing ORX Member. In this
case:
• ORX will consolidate the pre-merger data of the two merging Members in its database.
• A Member will consolidate its data with the pre-acquisition loss history of the acquired Member and
submit for historical data cycles only.
For non-historical data cycles, the acquiring Member should only report post-acquisition loss data. If the
acquired BU does not keep such data, then the reporting will start consolidating data when capturing
procedures are in place with the required ORX quality level.
7.10 Leaving ORX
When a Member leaves ORX its data stays with ORX and continues to be part of the data set reported to
current Members.
Under the Articles of Association, a Member does not have the right to withdraw all or part of the data
reported to ORX. Further, ORX can continue to use the data for reporting to current Members. This promotes
consistency in the time series so that historic data does not suddenly disappear when a Member leaves and it
protects the anonymity of the Member leaving.
Managing risk together Page 54 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8 Detailed Descriptions of Data Categories
8.1 Introduction
This Appendix contains details relating to Section 5 – How to Categorise Operational Risk Losses. The
categories for which additional details are provided below are:
1. Business Lines
2. Event Types
3. Product
4. Bundled Products
5. Processes and
6. Large Loss Event Attributes
The additional detail is laid out in a consistent fashion. There is a sub-unit for each Level 1 category, with any
examples, or notes, plus Level 2. The Level 1 & 2 details provide the code as used by ORX, the related label
and a description. The examples and notes are not used in every situation; where they are used, they are
intended to provide an insight into how to use the codes or to provide additional details.
With use, it is expected that the examples and notes will be revised as details are generated to provide
additional clarity or address special cases. These additional details may be supported by ORRS Updates.
Managing risk together Page 55 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.2 Business Lines
The additional details below relate to Section 5.1.
Definition: Business Lines represent profit centres where the revenues are generated from third parties, not
allocations from other parts of the firm (service centres). In recognition that some events are experienced by
the entire firm, or a large part of the firm, there is a specially designated Business Line called “Corporate
Items”.
The general objective of the Business Line attribute is to:
• Encompass the entire transaction / value chain,
• Include activities that may be performed centrally on behalf of the Business Line,
• Include activities that may be outsourced to non-bank group subsidiaries and/or third parties.
Requirement: ORX requires the allocation of all losses to a Level 2 Business Line.
Also refer to Sections 5.1.1 Corporate Items, 5.1.2 Events that affect Multiple Business Lines and 5.1.3
Materiality.
Managing risk together Page 56 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0100 Corporate Finance Structuring, issuance or placement of securities and similar instruments, not just for capital raising
Business Line Examples
• Advising Governments or Corporations on raising funds through bond, equity or money market issues
• Advising Governments or Corporations on reorganisations, whether acquisition or disposal
• Administering syndicates for fund raising in an organised and disciplined manner
• Preparation and distribution of documents related to fund raising, e.g. Prospectuses, Financial Statements etc.
Level 2 Name Description
BL0101 Corporate Finance Non-Municipal/Government Clients - Underwriting, Privatisations, Securitisations, Debt (Govt &
High Yield), Equity, Syndications, IPO, Private Placements, Mergers & Acquisitions, Research,
BL0102 Municipal / Government Finance Underwriting – Bonds and/or Syndicated Loans and/or Cashflow / Asset-Backed Securities,
Privatisations & Disposals
BL0103 Advisory Services Strategic planning in terms of Balance Sheet restructuring – acquisitions / disposals, establishment
of subsidiaries for financial optimisation, Tax Planning
Notes
• Customer Axis – Commercial Clients, Financial Institutions, Governments, Municipal Organisations, Supranational Bodies, Multinational Development Banks
Examples of Events being allocated to this Business Line
Managing risk together Page 57 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0200 Trading & Sales Products / Positions held in the Trading Book of the firm and Corporate Investments.
(The “Trading Book” is defined by the regulators)
Business Line Examples
Level 2 Name Description
BL0201 Equities Equities, portfolios of equities (including equity indices), cash & derivative products
Flow business, market making, position taking, proprietary positions
BL0202 Global Markets Fixed Income, Foreign Exchange, Money Market, Commodities, Energy, Credit Trading, Own
Positions, Brokerage, Repos & Reverse, Funding, Own Debt, Treasury - cash & derivative
products
Flow business, market making, position taking, proprietary positions
BL0203 Corporate Investments Cross-Industrial Holdings, items held with the long-term intention of sale
BL0204 Treasury / Funding Funding the bank/group; capital management for the bank/group/subsidiaries
Notes
• Customer Axis – Commercial Clients, Financial Institutions, Internal Clients, Governments, Municipal Organisations, Supranational Bodies, Multinational Development Banks
Examples of Events being allocated to this Business Line
– Flawed advice is provided – inadequate due diligence; junior employee without adequate supervision; errors in analysis.
– Poorly managed mandate, scope creep; bank unable to recoup all costs or charge full fees.
– Joint venture investment in trading platform
– Settlement failures
– Losses due to poorly documented OTC derivative contracts
Managing risk together Page 58 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0300 Retail Banking Retail Loans, Retail Deposits, Banking Services, Trusts & Estates, Investment Advice, Cards –
Credit & Debit
Business Line Examples
• Retail bank branches, Automated Teller Machines (ATMs)
• Issue and administer cards
• Credit Card Terminals in shops and restaurants
• Individuals, small companies serviced by the Retail Branch network
Level 2 Name Description
BL0301 Retail Banking Retail Loans, Retail Deposits, Banking Services, Trusts & Estates, Investment Advice
BL0302 Card Services Merchant / Commercial / Corporate Cards, Private Label, Credit & Debit Cards
Notes
• Customer Axis – Clients of Retail Banking, may include Small & Medium Sized Enterprises (SME) depending upon how Members allocate this client group, the alternative is
Commercial Banking.
Examples of Events being allocated to this Business Line
– Incorrect calculation of interest payments due on deposit accounts etc.
– Robbery of ATM / Branch
– Credit Card or Cheque Fraud
Managing risk together Page 59 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0400 Commercial Banking Project Finance, Real Estate Finance, Export Finance, Trade Finance, Factoring, Leasing,
Loans Guarantees, Bills of Exchange
Business Line Examples
Level 2 Name Description
BL0401 Commercial Banking Project Finance, Real Estate Finance, Export Finance, Trade Finance, Factoring, Leasing,
Loans Guarantees, Bills of Exchange, Other Loans, Deposits
Notes
Customer Axis – Commercial Clients, may also include Small and Medium sized Enterprises depending upon the categorisation used by the Member, the alternative is Retail
Banking. Also includes Municipalities, Governments, and Supranational Organisations based upon the type of transaction.
This Business Line also includes “cash management” as a set of services to allow customers to better manage their account balances/ earn better interest rates on deposits and
investments. This is not the same as Cash Management in BL0501 below.
Examples of Events being allocated to this Business Line
– Incorrect Loan Documentation
– Fraud on Letters of Credit
Managing risk together Page 60 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0500 Clearing Financing and related services
Business Line Examples
Level 2 Name Description
BL0501 Cash Clearing Payments & Collections, Funds Transfer, Cheque Processing, Non-Securities Clearing &
Settlement
BL0502 Securities Clearing Securities Clearing & Settlements, including derivatives using Clearing Houses or Central
Counterparties. Includes Commodities Clearing House activity
Notes
• Customer Axis – Commercial Clients, Financial Institutions, Internal Clients, Financial Institutions, Governments, Municipal Organisations, Supranational Bodies, Multinational
Development Banks
Examples of Events being allocated to this Product Type
− Incorrect allocation of securities to multiple accounts operated by one fund manager
− Incorrect position statements and valuations
− Late payment of salaries to staff of Commercial Client
Managing risk together Page 61 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0600 Agency Services Bank account, deposit services, “plain vanilla” investment products
Business Line Examples
• Gold Custody
• Payments of coupons / principal on bonds
Level 2 Name Description
BL0601 Custody Services Escrow, Depository Receipts, Securities Lending (Customers), Corporate Actions, Issuer &
Paying Agents, Securities Settlement.
BL0602 Corporate Trust & Agency Prime Brokerage Special Financial Services performed on an Agency Basis. Includes
activities that were previously (2007) coded under “Custom Services”.
Notes
• Customer Axis: Commercial Clients, Financial Institutions, Internal Clients, Financial Institutions, Governments, Municipal Organisations, Supranational Bodies, Multinational
Development Banks
Examples of Events being allocated to this Business Line
– Fines for inadequate segregation of client assets from those of the firm
Managing risk together Page 62 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0700 Asset Management Management of individual assets invested in financial instruments on behalf of others (i.e. not
in the bank's own name for its own account) in which the bank has the power to make
investment decisions. This includes activities where each customer's assets are held in a
separate portfolio, as well as those where the assets of different customers are pooled in one
portfolio.
Involves preparing and implementing decisions on investments in securities and other liquid
financial investments (e.g. currencies, money market instruments) and managing these
investments for the customer's account.
Pooled, Segregated, Retail, Institutional, Closed, Open, Discretionary, Non-Discretionary
Business Line Examples
• Create, manage and administer funds
• Pension fund management
• Listed Mutual Funds, Unit Trusts, Investment Trusts
Level 2 Name Description
BL0701 Invalid No longer in use
BL0702 Invalid No longer in use
BL0703 Fund Management Pooled, Segregated, Retail, Institutional, Closed, Open, Discretionary, Non-Discretionary
Notes
Customer Axis
• Commercial Clients, Financial Institutions, Governments, Municipal Organisations, Supranational Bodies, Multinational Development Banks
Examples of Events being allocated to this Business Line
– Investing in instruments outside the investment mandate e.g. OTC Options
Managing risk together Page 63 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0800 Retail Brokerage Various services related to administration and management of estates, trusts, assets,
portfolios etc.
Business Line Examples
• Ordering taking system & execution for securities for clients using the Retail Branch network
• Advising retail investors on portfolio construction and performance monitoring
Level 2 Name Description
BL0801 Retail Brokerage Execution Only, Full Service.
Notes
• Customer Axis - Retail clients and Small & Medium Sized enterprises (SME)
Examples of Events being allocated to this Business Line
– Incorrect order execution
– Provision of unjustified performance guarantees
Managing risk together Page 64 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL0900 Private Banking Private Loans, Private Deposits, Banking Services, Trusts & Estates, Investment Advice
Business Line Examples
Banking services to high net-worth individuals, families and family trusts
Level 2 Name Description
BL0901 Private Banking Private Loans, Private Deposits, Banking Services, Trusts & Estates, Investment Advice.
Notes
• Customer Axis – High Net-Worth Individuals, Families & Family trusts
• The boundary between Retail Banking and Private Banking is determined by the Member and their internal categorisation.
Examples of Events being allocated to this Business Line
– Embezzlement / theft of funds.
– Provision of unjustified performance guarantees
Managing risk together Page 65 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
BL1000 Corporate Items Limited category for items than can only be categorised at corporate level
Business Line Examples
− Corporate-level financial reporting events
− Incidents experienced by the Board of Directors (or equivalent) as a whole or individually
− See also ORRS Text Section 3.2.1 Grouped Events for an example applying Grouped, Linked and Corporate Centre Events
Level 2 Name Description
BL1001 Corporate Items Limited category for items than can only be categorised at corporate level.
Notes
Where an event is experienced by multiple business lines they should be reported as Linked Events for the respective business lines
Examples of Events being allocated to this Business Line
– Natural Disaster affects a Regional Office
– Pandemic
Managing risk together Page 66 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.3 Event Types
The additional details below relate to Section 5.2.
Definition: Event Types represent a description of what happened. The Event Types used by ORX are as
close as possible to the intent of the Basel Committee, but not exactly the same.
The principal requirement for ORX event classification is to support consistency, according to agreed rules
and definitions. Several means may be available to support the classification process (decision trees, types,
etc.).
Essentially the Event Type label is a response to the question “What happened to give rise to this operational
risk loss?” Why it happened would be part of causal analysis and outside the scope of the Event Types.
Requirements: ORX requires the allocation of all losses to a Level 2 Event Type.
Background: The Event Type category is not a laundry list of all the possible individual events or causes
relating to an operational risk loss. The key concept is “type” which enables grouping.
Managing risk together Page 67 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
EL0100 Internal Fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law
or company policy, excluding diversity/ discrimination events, which involves at least one internal party
Event Type Examples
− Unauthorised Trading by Front Office
− Collusion with external parties to commit Mortgage or Loan Application Fraud
− Theft of company art works by a member of staff
− Upload of a “logic bomb” onto bank computers by an employee
− Theft of computer files by a member of staff
Level 2 Name Description
EL0101 Unauthorised Activity Exceeding authority when entering into a transaction or approving a transaction
Transaction not reported
Intentional mis-marking of positions
Rogue Trading
EL0102 Internal Theft & Fraud Theft by a member of staff of Intellectual Property or Tangible Assets
Theft / extortion / embezzlement / robbery
Misappropriation of assets
Malicious destruction of assets
Forgery
Cheque kiting
Smuggling
Account take-over / impersonation / etc.
Tax non-compliance / evasion (wilful)
Bribes / Kickbacks
Insider Trading (not on firm’s account)
Includes “for profit” and “not for profit”
Managing risk together Page 68 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
EL0103 System Security Internal – Wilful Intentional damage to systems (hardware and/or software) by internal staff due to actions carried out or not
Damage carried out
Theft of data
Includes “Malicious Damage / Systems Security – Wilful Damage Internal” (this was EL0803 in ORRS 2007)
Notes
It may take the result of legal action to distinguish between unauthorised trading and fraud
Managing risk together Page 69 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
EL0200 External Fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third-
party
Event Type Examples
− Fraudulent mortgage or loan application
− Bank robbery
− Hacker attack e.g. Denial of service, uploading of a computer virus or other malware
Level 2 Name Description
EL0201 External Theft & Fraud Theft, Robbery, Forgery, Check / Cheque Kiting
Includes “for profit” and “not for profit”
EL0202 System Security External – Wilful Includes hardware and/or software, Hacking Damage, Theft of Data leading to a monetary loss
Damage Includes “Malicious Damage / Systems Security – Wilful Damage External” (this was EL0802 in ORRS 2007)
Notes
Managing risk together Page 70 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
EL0300 Employee Practices & Workplace Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of
Safety personal injury claims, or from diversity / discrimination events
Event Type Examples
− Sexual harassment
− “Toxic” workplace
− Legionnaires’ Disease
− Stress
− Asbestos
Level 2 Name Description
EL0301 Employee Relations Compensation, benefit, termination issues
Organised labour activity
EL0302 Safe Workplace Environment General liability (slip and fall, etc.)
Employee health & safety rules events
Workers compensation
EL0303 Employment Diversity & Discrimination All discrimination types
Notes
Managing risk together Page 71 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
EL0400 Clients, Products & Business Practices Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients
(including fiduciary and suitability requirements), or from the nature or design of a product.
Event Type Examples
− Promise of guaranteed performance
− Front running client orders
− Use of unauthorised models e.g. for position valuation or risk estimation
Level 2 Name Description
EL0401 Suitability, Disclosure & Fiduciary Fiduciary breaches / guideline violations
Suitability / disclosure issues (KYC, etc.)
Retail customer disclosure violations
Breach of privacy
Aggressive sales / Mis-selling
Account churning
Misuse of confidential information
Lender liability
EL0402 Improper Business or Market Practices Antitrust
Improper trade / market practices
Market manipulation
Insider trading (on firm’s account)
Unlicensed activity
Money laundering
Vendors / Suppliers
Trade Counterparties
Infringement of Intellectual Property or License Agreements e.g. software
EL0403 Product Flaws Product defects (unauthorised, etc.)
Model errors
Managing risk together Page 72 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
EL0404 Selection Sponsorship & Exposure Failure to investigate client per guidelines
Exceeding client exposure limits
EL0405 Advisory Activities Disputes over performance of advisory activities
Notes
Model Error includes errors found in a model after it has completed the model review process and been declared “fit for purpose”
Managing risk together Page 73 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
EL0500 Natural Disasters & Public Safety Losses arising from loss or damage to physical assets from natural disaster or other events.
Event Type Examples
Level 2 Name Description
EL0501 Natural disasters & Other Events Earthquakes, Storms, “Acts of God”
EL0502 Accidents & Public Safety Slip & Fall by a Member of the public, pollution by the firm
EL0503 Wilful Damage & Terrorism Vandalism, Terrorism, certain Criminal Activities not covered elsewhere, War, Civil Disturbance /
Riot
Includes “Malicious Damage / Wilful Damage & Terrorism” (this was EL0801 in ORRS 2007)
Notes
Managing risk together Page 74 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
EL0600 Technology & Infrastructure Failure Losses arising from disruption of business or system failures
Event Type Examples
Level 2 Name Description
EL0601 Technology & Infrastructure Failure Hardware
Software
Telecommunications
Utility outage / disruptions – power, water.
Notes
Excludes hacker or malware attacks (see EL0200)
Managing risk together Page 75 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
EL0700 Execution, Delivery & Process Management Losses from failed transaction processing or process management, from relations with trade
counterparties and vendors
Event Type Examples
− Vendor / Outsourcing Disputes
− Miscellaneous non-client / counterparty disputes
Level 2 Name Description
EL0701 Transaction Capture, Execution & Miscommunication
Maintenance Data entry, maintenance or loading error e.g. data quality issues
Missed deadline or responsibility
Model / system mis-operation e.g. using old data
Accounting error / entity attribution error
Other transaction process task mis-performance
Delivery failure
Collateral management failure
Reference Data Maintenance
EL0702 Monitoring & Reporting Failed mandatory reporting obligation e.g. reporting to Stock Exchanges
Inaccurate external report (loss or fine incurred) e.g. quarterly fillings
EL0703 Customer Intake & Documentation Client permissions / disclaimers missing
Legal documents missing / incomplete / not “fit for purpose” / inadequately executed
EL0704 Customer / Client Account Management Unapproved access given to accounts
Incorrect client records (loss incurred)
Negligent loss or damage of client assets
Managing risk together Page 76 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Notes
ORXs approach to Vendor/Supplier triggered events, is to view these in a similar manner to that of a Regulator i.e. to “look through” activities that are outsourced, therefore
effectively making the firm responsible as if they had made the error themselves.
In essence the Vendor event is the cause of the operational risk event and is therefore mapped to the OR event it gave rise to. Hence ORX does not have an equivalent Basel Level
2 category.
Some examples of Vendor event mappings include:
• Supplier issues duplicate invoice, the firm pays out and is not able to recover funds – EDPM Transaction Capture, Execution & Maintenance [firms should have controls to
detect duplicate invoice numbers]
• Supplier providing IT services experiences problems - Technology and infrastructure failures
• Supplier brought into program IT system, coding incorrect (project risk boundary) results in settlement failures – EDPM Transaction Capture, Execution & Maintenance
• Supplier delivers contaminated food – safe workplace environment.
• Supplier commences litigation and is successful in recovering unpaid amounts under contract performance (no client impact) – EDPM Transaction Capture, Execution &
Maintenance or Monitoring and reporting [the firm had inadequate control procures in place for contract monitoring/ vendor management or the contract was not executed
correctly]
• Supplier issues multiple invoice(s) for same service – External Fraud
Managing risk together Page 77 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.4 Products
The additional details below relate to Section 5.3.
Definition: Products, which also include services, are the sources of revenue for a bank via direct or indirect
fees.
The general objective of the product type attribute is to:
• increase the understanding of the nature of losses and
• facilitate an improvement in transparency within a Member
• link losses to products for P&L and budget purposes
• identify chronic or recurring weaknesses, and
• promote value-added dialogue with the businesses and functional areas regarding the impact of their
operational risk experience and potential operational risk exposure
Requirements: ORX requires the classification of all losses against Level 2 of the product type. Whether to
classify a certain loss to a specific product type depends on what product or service was involved when the
event happened.
If revenue streams from multiple products were affected, then use the one single product type to which the
event contributing the bulk of the Gross Loss value can be attributed. If no single product was involved or
where the event was so widespread that specifying individual products would no longer be relevant or would
add little or no value, then classify these losses as ‘not product-related’ (e.g. branch or ATM robberies, natural
disaster etc.).
Managing risk together Page 78 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0100 Capital Raising Structuring, issuance or placement of securities and similar instruments, not just for capital raising
Product Examples
• Common or Preferred Stock
• Corporate Bonds
• Convertibles, Warrants
• Mortgage-Backed Securities, Asset-Backed Securities
• Placement of Common Stock for which there is no market place
• Syndicate administration
Level 2 Name Description
PD0101 Equity Issuance The provision of services related to the initial public offering (IPO) or subsequent issuance into the market
of an equity investment for any issuing company. Examples of offering instruments are common or
preferred stock.
PD0102 Bond Issuance The provision of services related to the issuance and placement of debt funding into the market for any
issuing entity. Examples of debt funding instruments are corporate bonds and municipal bonds.
PD0103 Structured Product Issuance The provision of services related to the issuance and placement of structured financial products. Examples
of structured financial products are equity-linked bonds, warrants and convertibles.
PD0104 Securitisations The provision of services related to the issuance and placement of securitisations. Examples of
securitisations are mortgage and asset-backed securities.
PD0105 Private Placements The management of an off-exchange placement of instruments to an investor or a group of investors. The
manager can be acting on behalf of either the investors or the capital raising entity. This management
includes the initial identification of the capital raising entity and the group of investors, due diligence on
behalf of the investors, instrument structuring, the exchange of instruments and funds, and subsequent
support for the financing.
PD0106 Syndications The provision of services in support of a syndicated financing. The syndication agent can act on behalf of
either the investors or the borrower. Examples of these services are due diligence, the creation of the
syndicate, the initial allocation of the syndicate, the coordination of principal, interest and fee cash flows
and ongoing syndicate maintenance.
Managing risk together Page 79 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Notes
Customer Axis – Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
Examples of Events being allocated to this Product Type
– Bank is sued because of alleged deficiencies in due diligence or prospectus.
– Errors, oversights or shortcuts in analysis lead to a poorly structured transaction that doesn’t sell well; the bank has to hold or re-price.
– Errors, oversights or shortcuts in due diligence lead to a structure with legal, tax or jurisdictional problems.
– A company for which a private placement is arranged turns out to be fictitious. This is learned only after the transaction is completed and management of the company have
absconded with the funds.
Managing risk together Page 80 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0200 Corporate Finance Services Advisory Services regarding corporate structure and strategic decisions
Product Examples
Level 2 Name Description
PD0201 Mergers and Acquisitions The provision of advisory services and/or financing in pursuit of, or in opposition to, mergers and
acquisitions. Also includes disposals.
PD0202 Corporate Advisory Services The provision of specialist advisory services and related research for corporates and other private
commercial entities and government corporations. Examples of services would be advice on funding,
breakups, reorganisations/restructurings, etc.
Notes
Customer Axis – Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
Examples of Events being allocated to this Product Type
– Flawed advice is provided – inadequate due diligence; junior employee without adequate supervision; errors in analysis.
– Poorly managed mandate, scope creep; bank unable to recoup all costs or charge full fees.
Managing risk together Page 81 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0300 Derivatives & Securities Trading & Sale of all securities and derivatives either via an exchange or over-the-counter
Product Examples
Spot FX, Mortgage-Backed Securities, Certificates of Deposit, Treasury Bond Futures, Interest Rate Swaps, Equity Index Options
Level 2 Name Description
PD0301 Fixed Income Interest-rate-based securities irrespective of whether they traded on or off exchange (OTC). Examples of
such products are Corporate, Government and Municipal Bonds, Notes and Bills. (Excludes Mortgage-based
products – see Credit Derivatives). This also includes inflation-linked bonds.
PD0302 Equities Equity-based securities irrespective of whether they traded on or off exchange (OTC) on the “pink sheets” or
private placements. Examples of such products are Equities, ADRs, Warrants and Convertibles Bonds.
PD0303 Commodities Commodity-based cash products including energy-based cash products irrespective of whether they are
traded on or off exchange (OTC). Examples of such products are Coffee, Sugar, Agricultural Products,
Metals, Energy, Carbon, and Weather
PD0304 Foreign Exchange & Money Markets Spot and forward foreign exchange products, money market deposits irrespective of whether they traded on
or off exchange (OTC). Examples include cash notes, coins and bullion; and short-term paper (Certificates of
Deposit, Commercial Paper, Trade Bills) and interbank loans and deposits.
PD0305 Repos / Securities Lending The trading and sale of repos and the lending of securities, including reverse repos and securities borrowing.
PD0306 Investment Funds Investment funds and ETFs (exchange-traded funds) defined as pools or portfolios of instruments irrespective
of whether they are traded on or off exchange (OTC). The underlying instruments themselves may or may
not be listed. Examples of the underlying instruments in the pools/portfolios include fixed income, equities,
commodities, money market, mutual funds in some national markets among others. "Asset-Backed
Securities" are not included. The trading and sale of both private equity funds and regulated exchange-
traded funds are included.
PD0307 Interest Rate Derivatives Long and short-dated interest rate-based products irrespective of whether they are traded on or off exchange
(OTC). This also includes securitisation of Interest Rate Derivatives. Examples include swaps, options and
options on swaps; FRAs, futures contracts, derivatives on interest rate / bond indices, warrants and structured
debt products where the majority of the pay-off is linked to interest rates.
Managing risk together Page 82 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PD0308 Credit Derivatives Credit-based products irrespective of whether they are traded on or off exchange (OTC).
Includes Credit Default Swaps and Options and options on swaps, securitised Mortgages (actual or
synthetic), “Asset-Backed Securities”, credit indices, warrants and other credit-based structured debt
products.
PD0309 FX Derivatives Foreign exchange derivative products irrespective of whether they are traded on or off exchange (OTC).
Includes Futures, Swaps, Options, options on swaps or futures, warrants and structured debt products where
the payoff is dominated by movements in FX rates.
May be a single currency pair or a portfolio. Excludes FX forwards which are captured under FX & MM.
PD0310 Equity Derivatives Equity-based derivative products irrespective of whether they are traded on or off exchange (OTC).
Includes futures, swaps, options, options on futures or swaps, warrants and structured debt products, where
the payoff is dominated by movements in equity prices.
The underlying equity risk may be a single equity or a portfolio, such as an equity index
PD0311 Commodity Derivatives Commodity-based derivative products irrespective of whether they are traded on or off exchange (OTC).
Includes futures, swaps options, options on futures or swaps, warrants and structured debt products, where
the payoff is dominated by movements in commodity prices.
The underlying may be a single commodity or a portfolio, such as a commodity index. For a list of
commodities see Commodities above.
PD0312 Other Derivatives Derivatives products on other underlying asset classes and financial variables, irrespective of whether they
are traded on or off exchange (OTC).
Includes futures, swaps options, options on futures or swaps, warrants and structured debt products, where
the payoff is dominated by movements in the underlying risk.
The underlying risk can be property, earthquakes bonds (weather-related products such as wind storms are
Commodity Derivatives), mortality rates, pensions.
This category should also be used for derivatives or structured products where the payoff is based upon the
performance of multiple categories of “cash” products, for example “quantos”, which may be a combination of
equity and FX, or relative performance between fixed income and equity.
Notes
Customer Axis – Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
Managing risk together Page 83 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples of Events being allocated to this Product Type
– Trades put in backwards; for wrong amount, wrong counterparty, wrong security, on wrong exchanges, with wrong dates, etc.
– Valuation adjustments required because of incorrect pricing/valuation models.
– Rogue trading situations – unauthorised trades, counterparties, markets, instruments, jurisdictions, etc.
– Glitches in trading or limit management systems.
Managing risk together Page 84 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0400 Retail Credit Financing and related services
Product Examples
Level 2 Name Description
PD0401 Retail Cards The provision of credit, debit and other forms of card to facilitate payment and, in the case of credit cards, to
extend temporary revolving credit. Includes the servicing of both own-name cards as well as the servicing of
white labelled (branding) card products.
PD0402 Vehicle Loans The provision of loans for the purchase of cars and other vehicles for domestic use, such as boats, secured
by the vehicle. These loans are often originated indirectly by a dealer as opposed to the financial institution
providing the funding.
PD0403 Vehicle Leasing The lease of cars or other vehicles to a user, usually, but not always, with an option to buy when the lease
expires. Leases are often originated indirectly by a dealer as opposed to the financial institution providing
the funding.
PD0404 Student Loans The direct provision of unsecured loans for financing higher education. These are sometimes guaranteed by
a third-party corporation of agency.
PD0405 Mortgages The provision of loans for the purchase of homes and other real estate for personal use secured by the real
estate. These loans are often originated indirectly by a real estate professional brokering the sale as
opposed to the financial institution providing the funding.
PD0406 Home Equity Loans and Lines of The provision of loans or revolving lines of credit for any purpose secured by the equity in a home. These
Credit lines of credit are originated through a broker or directly by the financial institution providing the funding.
PD0407 Other Secured Consumer Loans The provision of other retail loans and consumer credit secured by an asset other than real estate or a
vehicle.
PD0408 Other Unsecured Consumer Loans The provision of other retail loans and overdrafts not secured by an asset.
PD0409 Other Consumer Leasing The provision of leased finance for assets other than those for vehicles.
Managing risk together Page 85 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PD0410 Personal standby letters of credit or Letter of credit or similar arrangement, which represents an obligation to the beneficiary on the part of the
guarantees issuer to repay money borrowed by or advanced to or for the account of the account party, or to make
payment on account of any indebtedness undertaken by the account party, or to make payment on account
of any default by the account party in the performance of any obligation.
Notes
Customer Axis - Retail Clients & Small / Medium Size Enterprises (SME), Private banking clients for all Product Types at Level 2
Examples of Events being allocated to this Product Type
– Loan write-offs where:
• Bank’s underwriting procedures were not followed or not followed completely; loans would not have been extended if procedures had been followed.
• Systems glitches let clients overdraw lines of credit without limits being triggered.
• Collateral or documentation errors preclude the bank from accessing/realising on collateral pledged.
• Fraud – by borrower, bank employee, third-party (e.g. lawyer, appraiser).
– Identity theft involving credit cards
Managing risk together Page 86 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0500 Commercial Credit Financing and related services
Product Examples
Level 2 Name Description
PD0501 Commercial & Industrial Loans The provision of funding to a commercial customer, on a revolving basis for general operating purposes
(including inventory and receivables financing and 'floor plan financing'), and on a fixed term basis for
acquisition of plant, equipment and other fixed assets (includes 'fleet financing' and asset-based lending).
PD0502 Commercial Real Estate Loans The provision of financing for the acquisition or improvement of commercial property to be held for
investment/income purposes.
PD0503 Construction, Acquisition & The provision of interim funding to a commercial real estate customer for the development of a site or
Development Loans construction of a building project (residential or commercial) that is intended for resale. Also known as
'builder finance' or 'construction financing'.
PD0504 Commercial Leases Provision of financing to commercial clients, generally for acquisition of equipment, via an agreement which
provides the lessee (the commercial client) the right, for a stated period of time, to use an asset which
continues to be owned by the lessor (financer), in return for a series of payments (lease payments) by the
lessee.
PD0505 Commercial Cards The provision of credit, debit and other forms of cards to commercial clients.
PD0506 Card Merchant Services The provision of operational/ infrastructure support services for credit and debit cards processed by the
merchant.
PD0507 Project Finance Loans The provision of funding for some specific capital project, where recourse is typically limited to the future
cash flows of the project.
PD0508 Trade Finance The provision of time-related financing linked to a specific commercial asset over which the financier
acquires rights including Documentary Letters of Credit and Documentary Collections.
PD0509 Standby Letters of Credit, Bank Provision of a financial guarantee by a bank with respect to its client's financial or other obligations, payable
Guarantees, Bankers’ Acceptances only in the event of non-performance by the client under the terms of the obligation. Can take the form of a
standby letter of credit, a bank guarantee or a bankers' acceptance (short-term negotiable commercial paper
issued by a non-financial corporation but guaranteed by a bank).
Managing risk together Page 87 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PD0510 Factoring The provision of receivables financing and debt collection on a full recourse or a non-recourse basis.
PD0511 Structured Lending The provision of 'non-plain-vanilla' financing to commercial clients, inclusive of 'mezzanine financing' and
'Islamic banking' products.
Notes
Customer Axis – Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
Examples of Events being allocated to this Product Type
– Loan write-offs where:
• Bank’s underwriting procedures were not followed or not followed completely; loans would not have been extended if procedures had been followed
• Systems glitches let clients overdraw lines of credit without limits being triggered
• Collateral or documentation errors preclude the bank from accessing/realising on collateral pledged
• Fraud – by borrower, borrower employee, bank employee, third-party (e.g. lawyer, appraiser)
Managing risk together Page 88 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0600 Deposits Bank account, deposit services, “plain vanilla” investment products
Product Examples
Level 2 Name Description
PD0601 Consumer Current Accounts The provision of banking services related to an 'on demand' transactional account. Also
known as 'checking account'.
PD0602 Consumer Notice Accounts The provision of banking services related to an account having access restrictions such as
frequency or notice requirements. Includes time and term deposits, certificates of deposit
(USA), guaranteed investment certificates (Canada) and similar instruments.
PD0603 Commercial Bank Accounts The provision of banking services related to 'on demand' bank accounts, including current
accounts, checking accounts, call accounts and demand deposits.
PD0604 Commercial Time and Term Deposits The provision of fixed-term deposit products to commercial clients.
PD0605 Investment Products The provision of retail investment products, where returns are variable with which life
assurance products can be bundled. Examples include products such as unit trusts, mutual
funds, other equity-linked products, RRSPs (Canadian tax-sheltered retirement savings
program – Registered Retirement Savings Program), ISAs and PEP Schemes (UK-related),
and other similar jurisdictionally specific products.
Notes
Customer Axis:
– PD0601/02 Retail clients + Small & Medium Sized Enterprises (SME), Private banking clients
– PD0603/04 Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
– PD0605 Retail clients + Small & Medium Sized Enterprises (SME)
Managing risk together Page 89 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples of Events being allocated to this Product Type
– Cheque fraud
– Kiting / Cross-Firing Cheques
– Discrepancies between documentation (contract) with client and:
• Interest rate paid on savings accounts;
• Calculation method for interest on term deposits;
• Service charges levied on bank accounts.
Managing risk together Page 90 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
Cash Management, Payments & Client management of cash inflows/outflows; all forms of payments; clearing, settlement and exchange
PD0700
Settlements services.
Product Examples
Level 2 Name Description
PD0701 Retail Cash Management The provision of electronic banking services that support a client in managing his/her cash inflows and
outflows. These include services such as consolidated account balance and transaction reporting; multi-FI
balance reporting; receipt and payment of e-bills; one-off, recurring and deferred electronic payments; inter-
account transfers; direct debit; direct deposit; and automatic balance sweeping and surplus cash investment.
PD0702 Commercial Cash Management The provision of electronic and other banking services that support management of a company's cash
inflows and outflows. These include receivable collection products, disbursement facilitation products,
centralised cash control products and information services.
PD0703 Electronic Payments All forms of payment initiated and executed electronically.
PD0704 Manual Payments All forms of payment initiated manually or by other non-electronic means, irrespective of how the payment is
executed. Typical examples are cheques, travellers cheques or faxed payment instructions.
PD0705 Clearing The matching, aggregating and netting of sets of transactions and the subsequent simultaneous exchange
of securities against cash or transfers of securities free of payment between buyers and sellers.
PD0706 Settlement Settlement - Execution of securities transactions by a Settlement organisation or a custodian for a trading
institution. Settlement includes the simultaneous exchange of securities versus cash and securities
transfers free of payment between a buyer and a seller. It also includes the transfer of securities as the
result of netting by a clearing organisation.
PD0707 Exchange Services The provision of services typically offered by a central exchange, by acting as a principal, taking settlement
risk and all the business risks of the exchange, and by utilising their own platform.
Managing risk together Page 91 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Notes
Customer Axis
– PD0701 – Retail clients + Small & Medium Sized Enterprises (SME), Private banking clients
– PD0702 – Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
– PD0703 – All customers
– PD0704 – All customers
– PD0705 – All customers
– PD0706 – All customers
– PD0707 – Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
Examples of Events being allocated to this Product Type
– Permitting accounts of non-wholly-owned subsidiaries to be included in sweep to main account. Company goes bankrupt; subsidiary/other parent sues bank for recovery of
funds
– Pre-Authorised Payments
• Fall off the system; clients incur service charges/embarrassment for not making their payments
• Duplicated; recourse lost, can’t all be recovered
– Wire payments
• Made to wrong counterparty; can’t be recovered
• Wrong amount; can’t be recovered
• Wrong currency; can’t be recovered
• Not made due to systems problems; clients incur service charges/embarrassment for not making their payments
– Settlement breaks/fails are not identified because of a reconciliation backlog; bank makes clients whole
Managing risk together Page 92 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0800 Trust / Investment Management Various services related to administration and management of estates, trusts, assets,
portfolios etc. May also include investment management products with “insurance wrappers”
such as life policies, insurance bonds, endowment policies.
Product Examples
Level 2 Name Description
PD0801 Custody Services The safe-keeping of physical and non-physical assets and other items of value on behalf of
customers.
PD0802 Corporate Actions Services The execution of notified events and decisions related to securities on behalf of the security
holder.
PD0803 Corporate Trusts The provision of registrar and agent services on behalf of an issuer.
PD0804 Prime Brokerage The provision of custody, clearance and settlement and other "back office" functions to
trading entities such as hedge funds.
PD0805 Financial and Estate Planning The provision of advisory, planning and related services with respect to wealth management
and estate structures, including tax, legal, and financial advice, and trust, wills, probate and
executor services.
PD0806 Discretionary Portfolio Management The provision of portfolio management services to retail or private banking clients under a
discretionary mandate, allowing the banker to make investment decisions on behalf of the
client.
PD0807 Execution-only Services The provision of execution-only services for a client under a mandate which requires the
client to direct all investment decisions for the private banker.
PD0808 Advisory Portfolio Management The provision of private banking services to clients under the terms of a mandate which may
require some input from the client or where the client may, from time to time, provide some
input.
PD0809 Lombard Credits The granting of credit by banks against pledged items, that is, collateralised credit facilities
secured by assets (cash, securities, life insurance policies) that need to be monitored and
margined.
Managing risk together Page 93 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Notes
Customer Axis at Level 2
– PD0801 – All customers
– PD0802 – All customers
– PD0803 - Commercial Clients; Financial Institutions; Government / Supranational / Municipal / Public Sectors
– PD0804 – Financial Institutions
– PD0805 – Private banking clients
– PD0806 – Private banking clients
– PD0807 – Private banking clients
– PD0808 – Private banking clients
– PD0809 – Private banking clients
Examples of Events being allocated to this Product Type
– Assets given into custody are lost.
– There is a delay in dealing with a corporate action notice; client decisions are not advised within the deadline; bank makes clients whole.
– A backlog in the corporate trust area results in out-of-date stockholder lists being used for payment of extraordinary dividends. Not all funds can be recovered.
– There is a failure in the systems supporting the prime brokerage unit; the unit is unable to meet its service-level obligations and is required to pay penalties to clients.
– Tax advice used for estate planning is based on information from the wrong jurisdiction. The bank pays the cost of unwinding and correctly re-establishing structures,
including penalties to tax authorities.
– Churning in discretionary and advisory accounts; client made whole.
– Unauthorised trades in non-discretionary accounts; client made whole.
– Collateral backing Lombard Credits is not monitored; client falls out of margin but no collateral call is made; client defaults.
Managing risk together Page 94 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD0900 Investment Products Investment management, execution, administration, operational management services
Product Examples
Level 2 Name Description
PD0901 Fund Administration The provision of fund operational management and administration services.
PD0902 Institutional Asset Management - The provision of investment management and execution services on behalf of institutional clients holding
Traditional portfolios of traditional assets such as listed securities.
PD0903 Institutional Asset Management - The provision of investment management and execution services on behalf of institutional clients holding
Alternative portfolios of non-traditional assets such as private equity, hedge funds, derivatives, real estate, etc.
Notes
• Customer Axis - Financial Institutions
Examples of Events being allocated to this Product Type
– Records for two fund clients with similar names are co-mingled; actions are taken for the wrong fund client; fund client made whole.
– A junior employee purchases ineligible securities for the account of an institutional client with a restricted investment mandate. The bank is unable to sell these back into the
market and is required to hold them until liquidity returns to the market
Managing risk together Page 95 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD1000 Brokerage Investment advisory, management and execution services including Stock Broking
Product Examples
Level 2 Name Description
PD1001 Full-Service Brokerage The provision of full investment advisory services including the provision of research, execution and
margining, offered via a licensed retail brokerage entity or Broker-Dealer.
PD1002 Self-Directed Brokerage The provision of execution-only brokerage services (includes margining), typically in an on-line 'do-it-
yourself' environment, offered via a licensed retail brokerage entity or Broker-Dealer.
Notes
Customer Axis at Level 2
– PD1001 – Retail clients + Small & Medium Sized Enterprises (SME), Private Banking
– PD1002 – Retail clients + Small & Medium Sized Enterprises (SME)
Examples of Events being allocated to this Product Type
– Churning in discretionary accounts; clients made whole.
– Investments in discretionary accounts inconsistent with client profile and investment mandate; clients made whole; penalties; fines.
– Unauthorised trades in non-discretionary accounts; clients made whole; penalties; fines.
– Incorrect securities bought based on misunderstood verbal trading instructions; market moves before this can be corrected; client kept whole.
Managing risk together Page 96 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Other
Level 1 Name Description
PD9800 Non-Banking Product Other products/services not generally considered part of a bank or investment bank’s
offering, e.g. insurance
Product Examples
Products outside the standard offerings of banks and investment banks, e.g. insurance.
Level 2 Name Description
Notes
Examples of Events being allocated to this Product Type
– Mis-selling Insurance
– Car Hire
Managing risk together Page 97 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PD9900 Not Product-Related Used for situations where no specific product was involved.
Product Examples
If a product is not linked to a loss event then the 'Not Product-Related' category is selected e.g. Tsunami
Level 2 Name Description
Notes
This category can also be used where an event was so widespread that specifying individual products would no longer be relevant or would add little or no value.
Examples of Events being allocated to this Product Type
– Hurricane or flooding shuts down branches and offices.
– Building cladding material falls from 39th floor of head office building, causes damage to several cars and shops below.
– Employee in purchasing department has been taking bribes from suppliers; cost of bribes reflected in increased contract costs.
– Head office finance group misses deadline for critical tax filings; penalties are paid.
Managing risk together Page 98 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.4.1 Bundled Products
The additional details below relate to Section 5.3.1
Definition: Bundled Products occur in two situations and are defined as follows:
• A bank puts together a bundle or package of products or services; a single fee is charged for the whole
bundle. Some of the products included in the bundle may also be available on a standalone basis and
can be purchased individually.
• A product which is offered on a standalone basis by one bank is provided as an adjunct or incidental
service in association with a ‘primary’ product by another bank.
Requirement: Products and services should be reported on a standalone basis at the most granular level
provided by the categories in the Product Type Attribute. To determine the appropriate Product Type
category, Members must identify whether the loss involved a single or dominant product within the bundle or
package of services.
Managing risk together Page 99 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Figure 3 Summary decision tree for losses involving bundles of products / services
Yes Use PD for this product
Single dominant
product
No Use PD for the bundle No PD9800
Non-Banking Product
Yes
Multiple products – No
PD9900
none dominant Not- Product related
Yes
Use PD for the bundle
Figure 4 and Figure 5
Managing risk together Page 100 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Figure 4 Decision tree for losses involving Retail Cash Management, Commercial Cash Management, and Servicing Third-Party Investments
A B C D
Choose
>>> Some other
bundled
START bundle or
product >>> PD0701 Retail Cash PD0702 Commercial Cash
HERE Servicing Third Party Investments package of
group Management Management
> >> products and
A, B, C or D
services
See Figure 4
> > >
> > >
> > >
Does loss Does loss Does loss
Does loss involve some form Does loss involve some form PD0804
involve involve involve
of electronically-initiated of electronically-initiated Prime > no > > no > > no >
custody clearing settlement
payment? payment? Brokerage
services? services? services?
>>
>>
>>
>>
>>
>>
>>
yes no yes no yes yes yes
>>
>>
>>
>>
>>
>>
>>
PD0703 PD0701 PD0703 PD0701 PD801
PD0705 PD0706
Electronic Retail Cash Electronic Commercial Custody
Clearing Settlement
Payments Mgt Payments Cash Mgt Services
Managing risk together Page 101 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Figure 5 Decision tree for losses involving other bundles or packages of products and services
Choose A B C D
>>>
bundled PD0702
START PD0701 Retail Servicing Third
product >>> Commercial
HERE Cash Party Some other bundle or package of products and services
group Cash
> >> Management Investments
A, B, C or D Management
See Figure 3
> > >
Does loss involve the
Does loss involve one specific product Does loss involve more than one specific
bundle or package
or service within the bundle or > no > product or service within the bundle or > no >
overall vs any specific
package? package?
products or services?
>>
>>
>>
yes yes yes
>>
>>
>>
Is there a Product
Is there a Product Type category for this Can the loss be allocated mostly to a single Type category that
specific product? specific product? corresponds to the
bundle of services?
>>
>>
>>
>>
>>
>>
yes
>> no yes no yes no
>>
>>
>>
>>
>>
Is there a Select
Is there a Product Is there a Product Select that
Select that Product Type PD9900
Type category that Type category that Product
Product Type category for >no> Not
corresponds to the corresponds to the Type
category this specific Product-
bundle of services? bundle of services? category
product? Related
>>
>>
>>
>>
>>
yes no yes yes no
>>
>>
>>
>>
>>
Select Select
Select that Select that
PD9800 Select that PD9900
Product Product
Non- Product Type Not
Type Type
Banking category Product-
category category
Product Related
Managing risk together Page 102 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.5 Processes
The additional details below relate to Section 5.4.
Definition: A business process is as a set of coordinated tasks and activities that will lead to accomplishing a
specific organisational goal; i.e. a sequence of interdependent and linked procedures which consume one or
more resources (employee time, energy, machines, money) to convert inputs (data, material, parts, etc.) into
outputs. For classification purposes ORX defines two sets of process groups.
The general objective of the process type attribute is to:
• increase the understanding of the nature of losses,
• facilitate an improvement in transparency within a Member,
• identify sources of loss concentrations,
• identify chronic or recurring weaknesses, and
• promote value-added dialogue with the businesses and functional areas regarding the impact of their
operational risk experience and potential operational risk exposure.
Requirement: ORX requires the classification of all losses against Level 1 of the process types to be
performed as follows:
Assign the (first) process type that was being performed / impacted when the operational risk event (not
the OR loss!) occurred:
• consider which stage of the transaction/value cycle was being completed;
• only if the transaction / value cycle was NOT impacted then consider which aspect of corporate activity
was taking place.
Where multiple processes were affected simultaneously, select the process step to which the event
contributing the bulk of the Gross Loss value can be attributed. Where no process was involved or where the
event was so widespread that specifying individual processes would no longer be relevant or would add little
or no value, a classification as ‘not process related’ (e.g. branch or ATM robberies, natural disaster etc.) is
allowed.
Managing risk together Page 103 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Transaction Life Cycle
Level 1 Name Description
PC0100 Develop, Design and Maintain Identify, design, and produce new financial products, services and capabilities, including the models and
Products or Services methodologies upon which they are based. Products & Services is intended to encompass revenue-
generating activities from third-parties. It also includes the maintenance of existing products, for example
developments in models and methodologies.
Process Examples
• Design (or acquire/license) products, including associated models / methodologies;
• Conduct product due diligence (initial and periodic), including reviews, approvals, suitability restrictions, disclosure requirements, eligibility criteria
• Extends to the assessment of all relevant product risks: market, credit, legal/regulatory, business/ economic, reputational, operational, fiduciary, liquidity, etc.
• Establish product sales targets, strategies, staffing plans, activity limits, etc.
• Develop business requirements for product-specific IT applications
• Establish and maintain product and service-specific infrastructure (non-IT sense) - pricing grids, documentation requirements, policies, procedures, SPVs/conduits (not
transaction-specific)
• Establish and maintain linkage with market utilities such as clearinghouses, exchanges, etc., needed for general business capability
• Establish/maintain general infrastructure (non-IT sense), non-client reference data, third-party distribution arrangements
Level 2 Name Description
PC0101 Market Analysis or Research Research and analyse market needs and competitive offerings;
Research and evaluate market segments and strategies;
Generate and screen new and revised products and services;
Develop preliminary product and service definitions
PC0102 Product Development New Product development; Product Maintenance; Selection of third-party products; Develop contractual
terms / forms; Structuring / Pricing; New Product roll-out / Infrastructure
PC0103 Reference Data Management Product static data maintenance e.g. ISIN codes
Managing risk together Page 104 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Notes
• Differentiation is made between product infrastructure and transaction infrastructure. Multi-transaction conduits have been placed in this category; but setting-up special
structuring for bespoke transactions has been included in Deliver Products & Services.
• Reference Data management is placed in this category as part of the .general infrastructure needed to do business, i.e. non-client reference data such as static securities info
(e.g. CUSIPs), market reference data (e.g. interest rates and prices, trading day calendars, holiday calendars, etc.). Reference data management is treated separately because
of its cross-functional characteristics and .multiplier effect. when errors occur.
Examples of Events being allocated to this Process Type
– Shortly after launch of a new cross-border product, it is determined that the infrastructure supporting the product is not adequate to meet AML requirements. Use of the product
is suspended until improved infrastructure can be developed. Costs of the initial infrastructure development and the initial launch are written off.
– Errors, oversights or shortcuts in due diligence lead to a product with legal, tax or jurisdictional problems. The product is terminated. Costs related to development of the
product are written off.
– Modifications to a widely-used product and system changes supporting the modifications are implemented without providing any training to branch employees. When numerous
errors result, it is decided to revert to the original product and systems until such time as training can be developed and rolled out. A six-month delay in launch of the modified
product results. As well, planned service charge increases are deferred.
Managing risk together Page 105 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC0200 Market Products and Services Promote the firm and/or its products and services, through general marketing or advertising, including the
publication of standard fees, rates charges, and prices for specific products and services.
Process Examples
• Promote the firm and/or its products, services or capabilities through general marketing or advertising
• Promote the firm and/or its products, services or capabilities through non-transaction-specific presentations to individual clients
• Provide non-fee-based research to current or prospective clients
• Publish standard fees, rates charges, and prices for individual products and services (does not include the quotation of specific prices in bespoke situations)
Level 2 Name Description
PC0201 Research - Marketing Particular market strategy - for example inflation is going up, bond yields are expected to go up so sell long
maturity bonds.
PC0202 Publishing Prices quotes This includes, but is not limited to, the publication / reporting of prices on web sites/ portals and
Exchanges, Media (Reuters, Bloomberg and Newspapers), Industry Groups, and Commercial entities
(Markit)
PC0203 Marketing - Other Advertise, position and promote products and solicit customers directly and indirectly and manage cross
business marketing.
Notes
Examples of Events being allocated to this Process Type
– A new service-pricing brochure containing a significant error is published and mailed directly to all retail customers. Under pressure from consumer interest groups and
regulators, the bank decides to honour the erroneous pricing for the period the error was public plus the required disclosure/ notification period for pricing changes.
– Marketing presentations are made to a group of clients for a new product that will compete directly with a new product recently launched by another bank. The clients in
question are considering signing on with the other bank because of extremely favourable product launch pricing. That the product is not yet available is not disclosed to the
clients. Based on the presentations, some clients decide to stick with the bank. When the product is terminated, clients complain to the regulators. The bank is fined for
failure to disclose and for misleading marketing and selling practices.
Managing risk together Page 106 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC0300 Sell or Reach Agreement to Conduct Sell or offer specific products and/or services of the firm in discussions with individual clients, including the
Specific Business quotation of firm or indicative fees, rates, charges, prices, or the like, with the intent of concluding a specific
deal for specific product sales or service delivery.
Process Examples
• Discuss specific products or services with a specific client, with the intent of reaching an agreement to do specific business
• Quote specific prices, fees, rates, etc.
• Provide transaction-specific disclosures and disclaimers (including via prospectuses, tax or placement memoranda, or similar disclosure documents)
• Conduct transaction-level due diligence, suitability reviews and screening
• Confirm the bank's capacity to enter the transaction (e.g., checking credit, concentration and/or activity limits)
• Obtain transaction-specific approvals
• Amend or renegotiate existing agreements
Level 2 Name Description
PC0301 Advisory or Pitch or Pre-Sales In relation to a specific transaction with a specific customer or group of customers. This could range from a
project finance proposal to advice to an individual retail investor.
PC0302 Pricing & Quotation Providing a transaction price or indication that may only be applicable for a finite time period.
PC0303 Transaction or Limit Check The process of checking limits, facilities and available balances during transaction execution, as well as the
updating of utilisation of such limits and facilities. It includes obtaining specific clearance or authorisation to
action an instruction or order received or transaction being contemplated.
PC0304 Reach Agreement or Receipt of Order Explicit acknowledgement from the counterpart that the specific / individual transaction can proceed under
the agreed terms.
Managing risk together Page 107 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Notes
• This process ends with an agreement to proceed (or to not proceed if either the firm or the client declines to enter into the agreement).
• In commoditised product or service offerings, the general customer or services agreement may predetermine many transaction specifics (incl. Standard rates and fees). In
such cases, the scope of sales talk may be greatly reduced, or even eliminated.
• In certain automated or routine transactions, the customer’s indication of agreement may be subsumed in the act of logging onto a transaction processing system (such as an
ATM or on-line facility) and entering data or initiating an action. In such cases, both the terms of the agreement and the decision to proceed may be implicit. This category is
intended to capture risks that arise from activities in which transaction-level sales talk, representations, etc., do exist.
• Sales and Marketing have been separated at members. Boundary cases may be subtle, but substantial risk examples exist in each area
Examples of Events being allocated to this Process Type
– Bank is sued because of alleged deficiencies in due diligence or prospectus related to an offering of securities.
– A glitch in the price feeds in the trading system results in incorrect prices being quoted to the client. The bank honours the price quoted to the client and takes a loss on the
transaction.
– Bank’s underwriting procedures were not followed or not followed completely; loans would not have been extended if procedures had been followed.
– An investment product with a two-tiered return structure is sold to clients without full disclosure of the conditions which must be met to be eligible for the higher return.
Managing risk together Page 108 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC0400 Take on and Maintain Counterparties Onboard and maintain client or counterparty accounts, including related due diligence, data and
documentation. In this context Counterparties includes Clients / Customers and Trade Relationships.
Process Examples
• Establish and manage relationships with clients, customers, counterparties and trade relationships, in support of existing business or in preparation for potential new or
additional business in the future
• Trade relationships include distribution channel relationships that are neither (i) voluntary outsourcing or vendor arrangements, nor (ii) linkage to market utilities (exchanges,
etc.), both of which are treated separately
• Conduct initial KYC/due diligence (non-transaction/service-specific)
• Document relationship with client, customer, counterparty or trade relationship (non-transaction/service-specific), including:
− Record static client information (names, identifying numbers, custodian associations, etc.)
− Record account elections / beneficiary designations
− Document standard settlement instructions (SSIs)
− Execute non-transaction/non-service-specific client agreements (e.g., client master agreements, ISDAs)
− Set up and approve internal exposure limits (e.g., aggregate credit or concentration exposure ceilings)
• Conduct periodic relationship review and KYC/due diligence (non-transaction/service-specific)
• Coordinate service delivery to client across products or services
• Managing dormant accounts, claims against client assets, and unclaimed assets
• Manage renegotiations and management of delinquent accounts (and, if unsuccessful, special loans, workouts, foreclosure, recovery, etc.)
Level 2 Name Description
PC0401 (New) Client Account Client due diligence (KYC); Client Mandate / Authority; Client Static Data / SSI; Completion of General
Agreements:
The on-boarding of new customer/client/counterparties relationships, including the account relationship
management, the identification and documentation of customer information and related terms of business,
as well as the ongoing review and relationship management. Specifically includes know-your-customer
requirements and customer identification. It specifically excludes any form of credit assessment.
PC0402 Customer Relationship Management or Process of managing the relationship with the counterpart, for example interview of retail clients by branch
Client Services management or surveys. For larger accounts this may include a certain amount of entertainment.
Managing risk together Page 109 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PC0403 Client due Diligence Client-related credit screening and decision; Review creditworthiness (annual) / Rating Review
PC0404 Loan Defaults Monitions; Sanctions; Apply Collateral:
The closure of facilities provided and the repayment of obligations due through the collection and
realisation of assets held, ceded or due as security and/or collateral, following an adverse credit event.
Includes repossession and foreclosure.
Notes
• This process type may occur before, during or after sales negotiations; in case of single-product or single-service contact with client, no separate client master agreement may
exist.
• Customer/client relationships and trade/distribution channel relationships included here. Includes execution intermediaries such as brokers, prime brokers, executing brokers,
custodians/sub-custodians for client positions, etc.
• Suppliers and outsourcing are treated separately. Includes vendors, sales agents, processing agents, outside service providers, sub-custodians appointed by the firm
• Potential additional distinctions among relationship groups left for Level 2 discussion
Examples of Events being allocated to this Process Type
– The new manager of one of the bank’s investment offices identifies apparent irregularities with the annual investment reviews for several elderly clients managed by a
particular investment advisor. There is no evidence of contact with or from these clients for several years, yet annual reviews have been signed off by both the investment
manager and the previous branch manager. As well, the manager’s review identifies that there has been periodic withdrawal activity in the accounts over the years,
coinciding with the scheduled annual review date. Further investigation shows that dividend and coupon income in the accounts was being transferred to an offshore account
beneficially owned by the investment manager and the branch manager.
– Staff in the loan workout group are struggling to deal with sustained increased volumes in delinquent accounts. In several situations, action is not taken quickly enough to
protect the bank’s position.
Managing risk together Page 110 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC0500 Capture and Document Transactions Record transaction-specific terms and instructions in the processing systems of the firm; also produce related
transaction documents.
Process Examples
• Document all aspects of the transaction-specific agreement between the bank and its client/counterparty with respect to a product or service offering (including amendments)
• Capture detailed terms of the undertaking in the transaction recording systems of the bank
• Prepare and execute agreements and other documents embodying the agreement
• Confirm/affirm and verify transaction details
Level 2 Name Description
PC0501 Capture Transactions Enter transaction data into internal and market systems as necessary.
PC0502 Confirm and Document Transactions • Authentication Checks; Client Reporting / Desk Confirm; Final Confirmation; Confirmation Matching:
• The process of preparing, producing, authorising, executing and protecting all forms of transaction
receipt or advice, documentation, legal contract or acknowledgement and agreement, excluding routine
account/activity statements.
Notes
• Includes receipt and local recording of client-generated instructions or trade specifications via electronic or straight-through-processing (STP) means.
• For commoditised services, the general customer agreement may predetermine many transaction specifics (incl. standard rates and fees), eliminating the need for case-by-
case documentation. In such cases, the scope of transaction capture is narrowed.
Examples of Events being allocated to this Process Type
– Trades put in backwards; for wrong amount, wrong counterparty, wrong security, on wrong exchanges, with wrong dates, etc.
– Discrepancies between documentation (contract) with client and:
• Interest rate paid on savings accounts;
• Calculation method for interest on term deposits;
• Service charges levied on bank accounts.
– Fraud by client, banker or third-party involving false documentation.
Managing risk together Page 111 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC0600 Deliver Products or Services Deliver or fulfil agreed-upon products and services, including the set-up and maintenance of transactions and
required arrangements, and agreed-upon non-transaction financial services (trust administration, financial
advisory services, sale of research as a product, etc.).
Process Examples
1 Enable financial transactions (both client and proprietary)
• Take preparatory steps to fulfil financial transactions (involving changes in ownership of financial assets, borrowings, derivatives contracts, etc.); but excluding data
capture/ documentation and actual settlement (categorised separately)
• Provide for the transaction-related physical delivery of securities, commodities, etc., where applicable
• Arrange for the availability of assets in lease programs
• Establish transaction-specific structures and facilities (such as SPVs, debt or securities syndicates, etc.)
2 Maintain financial transactions and proprietary assets
• Maintain outstanding financial transactions
• Maintain outstanding proprietary assets
• Implement rate resets, rollovers, and the like
• Calculate and schedule periodic payments, fees and accruals
• Manage transaction amendments
• Manage collateral/margin (accept collateral, establish security interests, monitor positions and issue collateral calls)
• Manage voluntary/involuntary corporate actions and option exercises on proprietary assets
• Mark positions to market
• Manage portfolio positions (hedging, etc.)
• Manage asset retirement, unwinds
• Manage post-transaction asset-disposal activities (bank-owned assets resulting from leasing, foreclosure, collateral quit-claim, etc.)
3 Maintain client assets and deliver non-transaction-based financial services for a fee
• Book, hold, manage and provide safekeeping for client assets (electronic or physical) as a fee-based activity
• Includes monitoring, voluntary/involuntary corporate actions and option exercises
• Perform fee-based tax, accounting or financial management services for clients (e.g., cash management services such as account sweeps, automatic investment of
surplus balances, bulk payment/debit services, lockbox; payroll processing, cash/coin supply, etc.)
• Deliver financial recommendations/reports/research (e.g., financial and investment advisory)
• Perform fee-based trust and fiduciary services
• Prepare and provide valuations and periodic statements/ reports for clients on positions and underlying activities
Managing risk together Page 112 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PC0601 Order Routing The receipt, documentation and actioning of instructions or orders from all parties, across all distribution
channels. It includes any subsequent management and monitoring of unactioned or unexecuted instructions
and orders (would include the presentation of a cheque or card, or the receipt execution of a market order).
The completion of this business function typically initiates further processing and operational activity.
PC0602 Execution or Order Fill Process of actually executing or filling the order, for example making funds available to a borrower via a loan
account, pre-authorising an overdraft facility, completing a transaction with a counterpart (internal or on the
floor of an exchange or electronic marketplace).
PC0603 Position or Portfolio Mgt (proprietary) Exposure Management; Limits; Hedging
PC0604 Cash, Stock & Securities Mgt Borrowing/Lending; Short Covering; Cash / Liquidity Projections; Nostro and Vostro Management
PC0605 Event Management or Corporate Dividends / Coupons; Tax Reclaims; Bonus / Rights; Conversions; Exercises / Barriers; Maturity / Expiration;
Actions (own assets) Fixing / Price resets
PC0606 Fees Admin, Calculation & Application Bill clients/customers for products and services performed per contractual agreements;
Charge client/customer accounts and/or collect fees; Arrange payments to trade counterparties;
Arrange interim and final payments per specific transaction schedules e.g. Interest Rate Swaps, Loans,
Salaries
PC0607 Calculate & Apply Interest The calculation of interest due or payable over relevant periods on the requisite basis and the application of
that interest to the loan, deposit, account, product or position to which it applies.
PC0608 Collateral Management Acquisition of Collateral; Assessment of Collateral; Collateral Mgt (other):
The real-time or periodic valuation of exposure to collateral, collateral held, and margin required and the calling
for margins and collateral and collateral acceptance.
PC0609 Product Control Realised P&L; MTM / IPV; Market Conformity; Provisions / Reserves; Customer Spreads
Incorrect allocation of asset / liability between Trading Book (held for sale/purchase) and Banking Book (held to
maturity).
Incorrect (but approved) model used to value position (asset or liability).
PC0610 Portfolio Mgt (client assets) Segregation of client assets from those of the bank, following the client’s instructions for assets held for
safekeeping
Managing risk together Page 113 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PC0611 Event Management or Corporate Dividends / Coupons; Tax Reclaims; Bonus / Rights; Conversions; Exercises / Barriers; Maturity / Expiration;
Actions (client assets) Fixing / Price resets
PC0612 Safekeeping of Client Assets Physical Safekeeping of Client Assets; Electronic Safekeeping of Client Assets; Filing / Documentation
required
PC0613 Advisory Services The provision of any form of advisory service, as well as the general offering of advice, to external parties. This
function markets products which are usually offered on a revenue generating basis.
PC0614 Customer Statements Assessment of non-transaction related client statements; Prepare and send customer statements
Notes
Three-stream approach recognises:
• Three broad categories of fulfilment/delivery: enablement of transactions, maintenance of transactions and proprietary assets, provision of non-transaction services for a fee.
• Differentiation between client and proprietary activities.
• Providing research for a fee is considered service delivery. Research in support of sales (not for a direct fee), in-house trading, product development or marketing, etc. are
not, and are included in the related categories. Includes receipt and local recording of client-generated instructions or trade specifications via electronic or straight-through-
processing (STP) means.
For commoditised services, the general customer agreement may predetermine many transaction specifics (incl. standard rates and fees), eliminating the need for case-by-case
documentation. In such cases, the scope of transaction capture is narrowed.
Examples of Events being allocated to this Process Type
Process Example 1
– An order for new tractor trailer units related to a fleet lease transaction with a major client is duplicated in error. The bank is able to offload some of the surplus units to
another client but is forced to hold several other units.
– Rogue trading situations – unauthorised trades, counterparties, markets, instruments, jurisdictions, etc.
Process Example 2
– Collateral backing Lombard Credits is not monitored; client falls out of margin but no collateral call is made; client defaults.
– Valuation adjustments required because of incorrect pricing/valuation models.
– Refinancing fees on residential mortgages were calculated incorrectly over a period of several years; clients who refinanced their mortgages during this time were either
overcharged or undercharged. When the error is finally detected, the bank decides to reimburse clients who were overcharged. No retroactive charges will be made for
clients who were undercharged.
Managing risk together Page 114 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples of Events being allocated to this Process Type
Process Example 3
– Assets given in for custody by a new client are lost.
– Delay in dealing with a corporate action notice; client decisions are not advised within the deadline; bank makes clients whole.
– A backlog in the corporate trust area results in out-of-date stockholder lists being used for payment of extraordinary dividends.
– Systems failure in the prime brokerage unit; the unit is unable to meet its service-level obligations and is required to pay penalties to clients.
– A junior employee purchases ineligible securities for the account of an institutional client with a restricted investment mandate. The bank is unable to sell these back into the
market and is required to hold them until liquidity returns to the market.
Managing risk together Page 115 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC0700 Perform Settlements and Closing The definitive exchange or transfer of assets, currency or other property (commonly in exchange for value),
Activities and related transactional mechanics.
Process Examples
• Exchange value with respect to a financial transaction
– Includes transactional exchanges, such as securities/cash, securities/securities, cash/cash, instrument/cash, deed/cash
– Exchange methods may include physical delivery, free wires, DVP, etc.
• Move cash or assets in banking or account-related transactions (cheque or cash deposits/withdrawals/funding of loans, etc.)
• Make and receive fee payments in exchange for services
• Redeliver collateral, release lien claims
– Transition-out of assets (mandate lost)
– Manage settlement fails
Level 2 Name Description
PC0701 Payment or Delivery (non-cash/non- Clearing; Payment; Draw-downs; Deliveries from account to account, payments via credit card terminal
physical)
PC0702 Cash Payment or Physical Delivery Retail Foreign Exchange with physical transfer of notes or coins; Physical securities or coupons. Depositing
physical cash into a bank account. ATMs
PC0703 Fails Management The activities around monitoring that payments or deliveries (physical or account transfer) have proceeded
as expected. For example, that funds have been transferred into an account on the due date in exchange
for the delivery of securities.
Notes
Examples of Events being allocated to this Process Type
– Settlement breaks/fails are not identified because of a reconciliation backlog; bank makes clients whole.
– Wire payments made to wrong counterparty, in wrong amount, in wrong currency, etc.
– Counterfeit bonds accepted against cash.
– Loans disbursed to wrong counterparty.
Managing risk together Page 116 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC0800 Perform Transaction Accounting Record transaction and/or position information in the firm's accounting records/general ledger. Includes
records management and archiving transaction details.
Process Examples
General Ledger Entries
Level 2 Name Description
PC0801 Transaction Accounting All forms of general ledger record keeping associated with transactional activity, including accounting for
transaction activity, holdings, positions or provisions and the generation of account balances. Includes
records management and archiving transaction details.
Notes
Does not include entries made into trade processing systems that directly feed the general ledger, with no separate accounting data entry or position maintenance.
Does not include an error with a client’s accounts which may belong to PC0501 “Capture Transactions”, for example charging the wrong client’s account.
Examples of Events being allocated to this Process Type
– Entries not made, duplicated, made in wrong amount, made to wrong account, made in wrong currency
– Intra-company entries made to wrong units
– An ATM transaction will generate automated entries to the General Ledger - an error in the General Ledger entries
Managing risk together Page 117 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Corporate Activities
Level 1 Name Description
PC0900 Manage Human Resources Manage human resources, apart from direct business management functions.
Process Examples
• Recruitment
• Skills management programs
• Compensation and benefits program management
• Performance and behaviour reviews
• Succession planning
• Diversity management
• Lamour-management relations
Level 2 Name Description
PC0901 HR Management Recruitment; Personnel advisory services and development; Staff Departures; Training & Development
PC0902 Remuneration, Expenses and Payroll Payment of salary / bonuses; Other Payments
PC0903 Travel Accidents A member of staff while travelling on company business falls ill (physical or mental) or incurs an injury,
including death.
PC0904 Other HR Issues
Notes
• Does not include day-to-day supervision and task management.
• Process and controls training is considered a part of each business function, not a separate HR activity.
• Compliance training is treated separately
Examples of Events being allocated to this Process Type
Most events involving this Process Type will relate to lawsuits or settlements alleging inappropriate behaviour or practices by bank employees or management with respect to
interaction with employees or HR management.
Managing risk together Page 118 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC1000 Manage Information Technology Acquire or design/develop information technology and implement security and incident response measures.
Process Examples
• Acquisition, installation, or development of software applications
• Management of off-line technology developments (user-generated spreadsheets, macros, etc.)
• Systems security
• Provision of data and communication networks and infrastructure
• Procurement of information technology hardware
• Management of technology obsolescence
• Management of technology incidents and events
Level 2 Name Description
PC1001 IT Development and Maintenance The development of software applications, the implementation and subsequent maintenance and upgrading of
(including IT Project Mgt) applications, as well as the project management of application projects.
PC1002 IT Implementation The implementation / installation of software and/or hardware in accordance with the instructions. Wiring a
plug for a printer, matching software applications and the operating systems. This can be for software built by
the Member or a purchased application
PC1003 IT Purchasing The specification of the IT requirements, which are filled by the counterparty. Specification of guarantees,
performance standards, resilience etc.
PC1004 IT Security Access Rights; Monitoring; Architecture & Strategy:
The establishment and maintenance of all forms of technology security, including internal and external user
definition and maintenance, as well as creating and maintaining infrastructures to preclude unauthorised
access and access attempts.
PC1005 Implement and Maintain Infrastructure The provision, installation and ongoing maintenance of all forms of technology infrastructure and networks, as
& Networks well as the establishment and ongoing upgrading of technology architectures.
PC1006 IT Production The provision of capacity for processing regular tasks in a batch or real-time processing. That the applications
function as expected.
Managing risk together Page 119 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PC1007 Mgt of IT Incidents or IT Support or The establishment of technology back-up, restoration, storage and minor technical problem resolution
Hotline procedures and facilities, the training of technology staff in technology safeguard and continuity processes and
the ongoing performance of back-up, storage, restoration and maintenance activity. This business function is
a routine process which differs from significant or large-scale technology failures which would initiate business
continuity crisis management.
Notes
Technology incidents - this refers to day-to-day support of technology operation not requiring invocation of continuity or recovery plans
Examples of Events being allocated to this Process Type
– The bank’s ATM system crashes during an upgrade to the ATM system software. The system is unavailable to clients for three days.
– A new client management application for commercial account managers recently acquired turns out to be inadequate for their needs. The system is scrapped.
Managing risk together Page 120 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC1100 Manage Financial Reporting and Perform financial reporting and control, based on (but not including) general ledger entries made during
Taxation Transaction Accounting.
Process Examples
• Budgeting and forecasting
• Financial accounting and reporting
• Management accounting and reporting
• Financial control
• Tax reporting and management
• Asset and liability classification and accounting treatment (depreciation, write-down, etc.)
Level 2 Name Description
PC1101 Budgeting & Forecasting The development of various cost and revenue budgets, the ongoing collection of actual cost and revenue
information over time and the comparison thereof against budget, the revision of budget and forecast values
and performance measurement and reporting against budget.
PC1102 Management Accounting Management Accounting – P&L, Balance Sheet, Cashflow; Intercompany cross-charging
PC1103 Management Reporting Key performance metrics for the group, location, business, or activity. Includes risk-related metrics.
PC1104 Financial Accounting & Reporting Financial Accounting; External Financial Reporting
PC1105 Taxation The calculation of taxes and duties applicable on both internal and customer activity, the withholding or
deduction of such taxes and dues and the payment or recovery of taxation amounts to/from the applicable
fiscal authorities.
Notes
Does not include financial services performed on a fee basis for clients.
Examples of Events being allocated to this Process Type
– Inaccurate tax reporting is done. Bank is fined by the tax authorities.
– Physical assets are recorded in both the business unit’s records and the bank’s head office corporate records; these are not reconciled on consolidation of records for
depreciation and financial reporting purposes.
– Flaws in the budgeting and forecasting models result in the aggregated budget and forecast for the bank overall being understated.
Managing risk together Page 121 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC1200 Manage Capital, Funding & Liquidity Manage the firm's capital account, liquidity and balance sheet.
Process Examples
• Issuance of debt and equity
• Stock buy-back programs
• Asset-liability management
• Proprietary investments
• Securitisation of firm assets
• Capital account management/hedging
• Liquidity management
Level 2 Name Description
PC1201 Capital Management & Funding The management of the make-up of capital, including using securitisation and buy-back programs. This
function includes asset liability management. It may also include the calculation and allocation of capital at
risk. Funding includes short-term refinancing and liquidity management.
PC1202 Management of Corporate Investments Investments in Physical (e.g. buildings) and Financial Assets (e.g. Leases) involving the firm's equity and the
investments are not available for immediate sale. Management Accounting; Intercompany cross-charging
Notes
Broadly includes vendors and suppliers, sales agents, bank/FI-appointed sub-custodians; excludes market instrumentalities, clients and trade channel counterparties
In terms of Business Lines, this category may be linked to Trading & Sales / Treasury (BL0204) or / Corporate Investments (BL0203)
Examples of Events being allocated to this Process Type
– A flaw in the liquidity forecasting model results in the bank having to make unplanned supplementary liquidity arrangements, incurring additional costs.
– Incorrect coding in several loan portfolios results in incorrect term information being used to manage the asset-liability balance. The bank incurs additional costs to unwind
inappropriate hedging arrangements and structure new ones
Managing risk together Page 122 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC1300 Manage Suppliers and Outsourcing Selection, on-boarding, management, and oversight of third-party vendors and outsourcing service providers.
Service Suppliers
Process Examples
• Screening, assessment/due diligence
• Selection, appointment
• Oversight, monitoring, and periodic review
• Negotiation and renegotiation of contracts and service-level agreements
• Accounts payable management
Level 2 Name Description
PC1301 Take on Suppliers & Outsourcing Selection of suppliers including service providers in outsourcing, including selection and suitability
assessment, credit reviews. Contract negotiation, payment and other instructions.
PC1302 Conclusion of Contract Ensuring that contractual processes are completed, for example return or destruction of confidential
information, on-going liability etc.
PC1303 Management & Monitoring All forms of vendor management, contract management, review, service-level agreement management,
outsourcing management and vendor reporting. Includes accounts payable management.
Notes
Examples of Events being allocated to this Process Type
– Employee in central purchasing department has been taking kickbacks from suppliers; cost of kickbacks reflected in increased contract costs.
– A key clause related to consolidated reporting on premises issues is omitted from the contract with the bank’s primary facilities management company. As a result, the bank
incurs additional costs to compile this information in order to have a complete picture of its operational risk experience and meet its reporting commitments to ORX.
Managing risk together Page 123 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC1400 Manage Physical Assets and Facilities Provision and management of physical facilities, equipment and safe workplace environments.
Process Examples
• Provision of physical facilities, furnishings and supplies
• Provision of non-communication utilities (heating, electricity, water, waste removal, etc.)
• Provision of motor vehicles (for employee use)
• Physical security and surveillance with respect to properties and workplace environments (both on-premises, off-premises on company business, and where applicable during
commutation)
• Environmental and pollution responsibilities related to company workplaces or properties
Level 2 Name Description
PC1401 Facility Management The provision of all forms of facilities, the management of property, lifts, air conditioning ducts, lighting,
electrical wiring, plumbing and other
PC1402 Fleet Management Transport fleet
PC1403 Office Equipment Operate the Asset ledgers for assets that can be moved and are not part of the physical structure of the
building (lifts, air conditioning ducts) computers, printers, photocopiers, chairs, desks, filing cabinets,
shredders. Maintenance and replacement programs.
PC1404 Health & Safety Physical work environment – walls, doors, lifts
Physical work activities e.g. lifting heavy objects, repetitive strain injuries
PC1405 Physical Security All physical and electronic security measures taken to safeguard staff, facilities, premises and assets.
(Excluding IT Security PC1004)
PC1406 Environmental Protection Atmospheric conditions and qualities – temperature and humidity of the workplace, toxic substances –
solvents, asbestos, bacteria and viruses.
Water quality including toxic substances.
PC1407 Other Internal Services Other
Notes
Managing risk together Page 124 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Examples of Events being allocated to this Process Type
– To cut down on taxi costs, early last year, the bank implemented a shuttle for employees who need to travel between several downtown office locations for meetings. A fleet
of small buses was acquired for this purpose. Recently, one of the shuttles was involved in a serious accident. Several passengers were seriously injured and two were
killed. Because one of the injured passengers was not an employee [even though the shuttle was supposed to be restricted to employees], the bank’s insurance company
has declined to pay claims related to the accident. The bank is being sued by the passengers affected.
– A set of new security cameras is accidentally dropped during installation. They are damaged beyond repair and must be replaced.
Managing risk together Page 125 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC1500 Manage Compliance, Legal, Establish and maintain firm policies, standards, procedures, codes of conduct, and associated compliance
Governance and Audit controls and testing procedures.
Process Examples
• Policy development and dissemination
• General corporate governance
• Code of conduct affirmation by employees
• Compliance monitoring and testing
• Whistle-blowing protections
• Compliance training
• Legal advisory and litigation management
• Audit and investigations
• Non-financial regulatory reporting.
Level 2 Name Description
PC1501 Policies, Governance & Monitoring The establishment and maintenance of all policies, procedures and controls, and their documentation and
review. Training in, monitoring of and reporting on conformity with policies, procedures and controls. This
includes provision for whistle blowing, where required. It includes compliance with regulatory requirements
and internal policies and procedures.
PC1502 Non-Financial Regulatory Reporting The reporting of compliance with regulatory requirements other than those concerned with financial
performance. Includes reporting of compliance with security, privacy, money-laundering, consumer protection
and fair lending regulations.
PC1503 Legal Advisory Services All aspects of legal advisory services, offered both internally and externally.
PC1504 Litigation Management The initiation, management and completion of litigation, as well as defence against external litigation efforts.
PC1505 Audit All internal audit activity and the investigation of breaches in control, significant loss or suspected
contravention of policies and procedures.
Managing risk together Page 126 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 2 Name Description
PC1506 Administration of mandates and Operation of Chinese walls. Register of counterparts “in play” that could be affected by insider dealing.
directorships Integrity in dealing with clients and awareness of potential bias. Register of directorships held by staff and
executive. Provide advice on recusals.
Notes
Examples of Events being allocated to this Process Type
Most losses involving this category will relate to regulator penalties or fines for failures in these processes types.
Managing risk together Page 127 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
PC1600 Manage Risk Systems Establish risk management processes and methodologies (apart from standard business process and
supervisory controls) to record, monitor, evaluate, control or manage risk exposures within the firm.
Process Examples
• Develop high-level principles or frameworks regarding the acceptance and management of risk
• Develop risk-specific regimes for recording, monitoring, evaluation, limits-setting, management, and back-testing of risk exposures to the firm (including credit, market,
operational, liquidity, proprietary/business, model and other specified risks)
• Establish and maintain insurance and third-party recovery programs
• Business continuity management
Level 2 Name Description
PC1601 Control & Oversight of Models and The oversight and management of the processes by which models are specified; the documentation and
Methodologies control of adoption for use; the validation; and the ongoing review of models and methodologies. It includes
market risk, credit risk, liquidity, operational risk, capital calculation, pricing and valuation models. It includes
models and processes for setting risk appetites, thresholds and limits.
PC1602 Insurance and Recoveries The maintenance of effective insurance protection, whether internal or external, the regular review of
insurance requirements, recovery against insurance cover where applicable, as well as any recovery from
third-parties.
PC1603 Business Continuity Management The assessment of impact, planning and plan testing necessary to ensure continuity of the essential business
functions in the event of an incident and the support of the subsequent management of incidents and crises.
Notes
• This category is intended to be narrow; applies to structured risk management programs; not to granular management oversight, supervision and process controls.
• Business continuity management includes both workplace, infrastructure and technology recovery as well as crisis management.
Examples of Events being allocated to this Process Type
– Several recently acquired branches are unable to cope with severe weather conditions. The bank is required to send in an emergency ‘SWAT’ team to deal with recovery of
the units and restoration of minimum levels of service.
– The bank incurs unnecessary costs when several subsidiaries ignore the bank’s policy on insurance coverage by purchasing policies that duplicate coverage provided under
the bank’s umbrella corporate insurance programme.
Managing risk together Page 128 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Other
Level 1 Name Description
PC9900 Not Process-Related Used for situations where no specific process was involved.
Process Examples
Level 2 Name Description
Notes
Examples of Events being allocated to this Process Type
– Branch or ATM robberies.
– Natural disasters.
Managing risk together Page 129 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.6 Large Loss Event Attributes
The additional details below relate to Section 5.5.
Definition: Large Losses reported to ORX are to have additional information. The additional descriptions
include:
1. Alleged Causes
2. Jurisdiction / Choice of Law
3. Counterparty / Claimant Type
4. Role of the Firm
5. Environmental Volatility
A Large Loss is defined as a single or group of associated losses whose Gross Loss Amount is equal to or
larger than €10,000,000.
The objective of this additional information is to:
• Increase the understanding of the nature of losses
• Improve the ability of Members to select relevant external losses for:
- Scenarios and Risk &Control Self-Assessments
- Inclusion in capital calculations or validation of capital estimates
- Benchmarking businesses and functional areas regarding the impact of potential operational risk
exposure.
Requirements: ORX requires the Large Loss Attributes to be provided at Level 2 for all large losses.
While the Alleged Cause may be the result of opinion, possibly supported by a decision tool such as root
cause analysis, the other Large Loss Attributes are statements of fact, for example the role of the firm.
Due to the possible interaction between various Alleged Causes, firms may report 1 to 3 selections for this
sub-category.
Managing risk together Page 130 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.6.1 Alleged Causes
Level 1 Name Description
CS0100 External Actions by Agents External to the firm
Examples
Level 2 Name Description
CS0101 Not in use
CS0102 Assault by Criminals / Terrorists Phishing Attacks, Denial of Service, Various forms of Fraud by individuals or groups, including Mortgage
Fraud
CS0103 Natural Disasters Floods, Wind, Blizzard, Wild-fire, Storm Surge, Earthquake, Volcanic Eruption
CS0104 Man-Made Disasters Utility Outage, Strike – Transport, Staff, Pollution
CS0105 Political / Social / Cultural Environment Seizure of Assets, Change in acceptable “Norms”, Civil Strife / Riot / War, Special Interest Groups
CS0106 Actions of External Staff Staff at Outsourcers / Suppliers
CS0199 Decline Legal Counsel has advised against providing this information
Notes
− Avoid duplication, look beyond apparent overlaps
− In the case of a lawsuit or settlement, the Alleged Cause category selected should correspond to the underlying or alleged cause and not the dispute resolution mechanism -
litigation
Examples of Events that may be associated with this Alleged Cause
− CS0102 could be linked to Event Types such as External Fraud (EL0200) and various types of physical damage
− CS0104 could be linked to Event Types such as Technology & Infrastructure Failure (EL0600)
Managing risk together Page 131 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
CS0200 People / Staff Factors related to actions by Staff / Employees or Management of Staff / Employees of the firm or
consolidated companies
Examples
Level 2 Name Description
CS0201 Inadequate Resources Skills, Numbers of Staff, Loss of Key Staff
CS0202 Not in use
CS0203 Criminal Activity by Internal or External Theft / Fraud / Damage to Systems
Staff
CS0204 Management / Control of Staff Insufficient / Incorrect Communication, Insufficient Direct Supervision
CS0205 Human Error Non-Deliberate - Mis-Understand, Mis-Interpret, Mis-Decision, Mis-Action
CS0206 Unauthorised Activity Deliberate - Mis-Understanding, Mis-Interpretation, Mis-Decision, Mis-Action, or omission of action
CS0207 Workplace Environment Controls / Displays, Tools, Protective Clothing, Shift Patterns, Workload
CS0299 Decline Legal Counsel has advised against providing the information.
Notes
− An approach is to look at the Event and work backwards to the Cause. For example, labour relations
− Avoid duplication, look beyond apparent overlaps
− In the case of a lawsuit or settlement, the Alleged Cause category selected should correspond to the underlying or alleged cause and not the dispute resolution mechanism -
litigation
Examples of Events that may be associated with this Alleged Cause
– CS0203 could be linked to Event Types related to Internal (EL01) or External Fraud (EL02)
– CS0204 could be linked to Event Types related to Employee Practices & Workplace Safety (EL03)
– CS0206 could be linked to Event Types related to Internal (EL01)
Managing risk together Page 132 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
CS0300 Governance & Structure Factors related to the Governance and oversight practices of the bank
Examples
Level 2 Name Description
CS0301 Remote Business Unit Business taking place remotely from centre of Business and/or Risk functions
CS0302 Subsidiaries - Control & Consolidation No clear delineation between activities conducted by different business units through the same legal entity
or by the same business units through multiple legal entities.
CS0303 Financial Reporting Failures in financial reports, failure to reconcile p/l accounts or daily cash flow, SOx (Sarbanes-Oxley)
failures
CS0304 Organisational Controls Losses due to failure in organisational structure: no proper escalation process, not adequately or timely
responding to reported problems
CS0399 Decline Legal Counsel has advised against providing the information.
Notes
− Avoid duplication, look beyond apparent overlaps
− In the case of a lawsuit or settlement, the Alleged Cause category selected should correspond to the underlying or alleged cause and not the dispute resolution mechanism -
litigation
Examples of Events that may be associated with this Alleged Cause
– CS0303 could be linked to Event Types related to Execution, Delivery and Process Management (EL07)
Managing risk together Page 133 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
CS0400 Processes Factors related to the way that the firm is organised and certain broad management processes
Examples
Level 2 Name Description
CS0401 Organisational Structure Multiple Locations
CS0402 Process Design Complexity, Transparency, Documentation, 'Fit for Purpose'
CS0403 Inadequate Policy / Procedure Not Used, Missing/Unavailable, Incomprehensible, Incomplete, Outdated
CS0404 Inadequate Segregation of Duties Front & Back Office
CS0405 Data Quality Incomplete / Incorrect / Wrong Format / Late
CS0499 Decline Legal Counsel has advised against providing the information.
Notes
− This Alleged Cause relates to the condition or quality of certain processes whereas the Process Type covers types of process, not their condition or quality.
− Avoid duplication, look beyond apparent overlaps
− In the case of a lawsuit or settlement, the Alleged Cause category selected should correspond to the underlying or alleged cause and not the dispute resolution mechanism -
litigation
Examples of Events that may be associated with this Alleged Cause
Managing risk together Page 134 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Level 1 Name Description
CS0500 Internal Systems Failures Factors related to inadequacies or failures in internal technology, physical and communication systems
Examples
Level 2 Name Description
CS0501 Hardware - Inadequate Maintenance Cleaning of printers, keyboards, monitors; photocopiers; periodic diagnostics not done.
CS0502 Hardware - Performance Degradation Reduced Functionality, Capacity
CS0503 Software - Inadequate Maintenance Upgrades, patches, enhancements not done.
CS0504 Software - Performance Degradation Reduced Functionality, Capacity
CS0505 Infrastructure - Inadequate Regular maintenance, repairs not done for access, lighting, air quality, lifts, etc.
Maintenance
CS0506 Infrastructure - Performance Reduced performance, availability of access, lighting, air quality, lifts, etc.
Degradation
CS0599 Decline Legal Counsel has advised against providing the information.
Notes
− Avoid duplication, look beyond apparent overlaps
− In the case of a lawsuit or settlement, the Alleged Cause category selected should correspond to the underlying or alleged cause and not the dispute resolution mechanism -
litigation
Examples of Events that may be associated with this Alleged Cause
– Several of the Alleged Causes could be linked to Event Types related to Technology & Infrastructure Failure (EL06)
Managing risk together Page 135 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.6.2 Jurisdiction / Choice of Law
Level 1 Name Description
LS0100 Jurisdiction / Choice of Law Which country’s law or jurisdiction governed the transaction or event?
Examples
− For most events, this will be the country where the event occurs, for example Employee Discrimination. However, for contracts or issues around documentation of a transaction
the choice of Law / Jurisdiction can be different from where the event takes place. For example, a dispute relating to the interest calculation on a loan could be under English /
UK Law even if the dispute is between a French bank and German company the loan is denominated in US$.
− The country attribute (using the two letter ISO code) relates to the country where the loss is booked.
Level 2 Name Description
LS0101 United States of America All States
LS0102 Canada All States
LS0103 Rest of the World All Countries
LS0104 United Kingdom England, Wales and Scotland
LS0105 Western Europe All Countries
(excluding United Kingdom)
LS0106 Unidentifiable Used where the presence of the factor cannot be determined and for events with multiple impacts where
the loss cannot be attributed primarily to one category (treatment is similar to “not product-related” and “not
process-related”)
LS0199 Decline Legal Counsel has advised against providing this information
Notes
Reflects presence of a factor rather than influence by a factor
Managing risk together Page 136 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.6.3 Counterparty / Claimant Type
Level 1 Name Description
LS0200 Counterparty / Claimant Type What type of counterparty or claimant was involved in the event?
Examples
Level 2 Name Description
LS0201 Bank Peer and Non-Peer banks
LS0202 Class Action Groups of clients bringing a single legal action
LS0203 Corporation for Profit e.g. IBM, 3M, Novartis, Porsche, ABB, EDF, Berkshire Hathaway
LS0204 Corporation Not-for-Profit Charities, Supranational e.g. UN, IMF, EBRD
LS0205 Government National / State / Regional / Municipal includes the EU
LS0206 Individual – Private Banking e.g. Bill Gates
LS0207 Individual – Retail e.g. Your Mother
LS0208 Institutional Investor – Hedge Fund e.g. Tiger, Caxton
LS0209 Institutional Investor – Mutual e.g. Fidelity, Aberdeen Asset Management
LS0210 Institutional Investor – Pension Fund e.g. CALPERS, OMERS
LS0211 Regulator Capital, Stock Exchange, Competition, Health & Safety
LS0212 Not Identifiable Used where the presence of the factor cannot be determined and for events with multiple impacts where the
loss cannot be attributed primarily to one category (treatment similar to “not product-related” and “not
process-related”)
LS0299 Decline Legal Counsel has advised against providing this information
Notes
Reflects presence of a factor rather than influence by a factor
Managing risk together Page 137 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.6.4 Role of the Firm
Level 1 Name Description
LS0300 Role of the Firm What role did the Firm take in relation to the transaction?
In what capacity was the bank acting in the transaction underlying this event?
Examples
Level 2 Name Description
LS0301 Advisor M&A mandates, tax structures
LS0302 Agent / Facilitator Distributing another Company's products e.g. Insurance, syndication agent
LS0303 Employer In relation to Individuals, Staff, Consultants
LS0304 Insourcer Bank is the service provider, e.g. 'white label' credit cards such as Store Cards
LS0305 Outsourcer Bank contracted out for a service, e.g. real estate or facilities management, transaction processing, IT
development or support, Consultants
LS0306 Investor (Principal) Equity Owner, Controller, Joint Ventures
LS0307 Position Taking (Principal) Underwriting, Proprietary Positions, Loans, Deposits and other assets / liabilities that use the bank’s balance
sheet – “on or off-balance sheet commitments”
LS0308 Not Identifiable Used where the presence of the factor cannot be determined and for events with multiple impacts where the
loss cannot be attributed primarily to one category (treatment similar to “not product-related” and “not
process-related”)
LS0399 Decline Legal Counsel has advised against providing this information
Notes
Reflects presence of a factor rather than influence by a factor
Managing risk together Page 138 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
8.6.5 Environment Volatility
Level 1 Name Description
LS0400 Environmental Volatility Was there instability in some aspect of the environment or circumstances in which the bank was operating at
the time of the event?
Examples
Level 2 Name Description
LS0401 Cultural / Social Norms of Acceptable Behaviour
LS0402 Economic Business Cycle, Credit Cycle, Increase in Fraud
LS0403 Market Risk FX, Equities, Bond Prices, Interest Rates, Commodities
LS0404 Credit Risk Fixed and revolving loans, credit lines, credit cards, residential mortgages
LS0405 Political Scapegoats, Seizure of Assets, Cessation of Business, change in host government philosophy/practices
LS0406 Not Identifiable Used where the presence of the factor cannot be determined and for events with multiple impacts where the
loss cannot be attributed primarily to one category (treatment similar to “not product-related” and “not process-
related”)
LS0499 Decline Legal Counsel has advised against providing this information
Notes
Reflects presence of a factor rather than influence by a factor
Managing risk together Page 139 of 140 [Link]
+44 (0)1225 904 397
Public
Operational Risk Reporting Standards (ORRS)
Managing risk together
ORX believes many heads are better than one. We’re here to bring the best minds of the international
operational risk community together.
By pooling our resources, sharing ideas, information and experiences, we can learn how best to manage,
understand and measure operational risk and become less vulnerable to losses.
We work closely with over 90 Member firms to develop a deeper understanding of the discipline and
practical tools.
We set the agenda, maintain industry standards, and garner fresh insights. ORX is owned and controlled,
on an equal basis by its Members.
For more information about ORX, visit our website at [Link]
Managing risk together Page 140 of 140 [Link]
+44 (0)1225 904 397
Public
You might also like
- CH - 6 - Credit - Risk - Measurement - and - Management - DFL1WVONSQ 2023-07-08 17 - 05 - 14100% (2)CH - 6 - Credit - Risk - Measurement - and - Management - DFL1WVONSQ 2023-07-08 17 - 05 - 14362 pages
- Dissertation Main - Risk Management in Banks100% (1)Dissertation Main - Risk Management in Banks87 pages
- ALM and Liquidity Risk Management in BanksNo ratings yetALM and Liquidity Risk Management in Banks60 pages
- Risk Management and Basel II: Bank Alfalah LimitedNo ratings yetRisk Management and Basel II: Bank Alfalah Limited72 pages
- Capital, Liquidity, Recovery and Resolution Plans: Helping You Manage Your SREP FrameworkNo ratings yetCapital, Liquidity, Recovery and Resolution Plans: Helping You Manage Your SREP Framework8 pages
- Key Risk Managemen Issues (5) Liquidity Risk: Sakamaki Tsuzuri JICA Chief Advisor To The State Bank of VietnamNo ratings yetKey Risk Managemen Issues (5) Liquidity Risk: Sakamaki Tsuzuri JICA Chief Advisor To The State Bank of Vietnam63 pages
- CH 7 Operational Risk and Resiliency K4Y46IJXRZNo ratings yetCH 7 Operational Risk and Resiliency K4Y46IJXRZ371 pages
- KPMG Whitepaper Model Risk Management 2016No ratings yetKPMG Whitepaper Model Risk Management 20169 pages
- Operational Risk Management in Banks Regulatory, O 230429 181821 PDF100% (2)Operational Risk Management in Banks Regulatory, O 230429 181821 PDF226 pages
- Capital and Risk Management Report 31 December 2011No ratings yetCapital and Risk Management Report 31 December 2011103 pages
- Operational Risk Management Manual 2013No ratings yetOperational Risk Management Manual 2013121 pages
- Adv Commercial Bank Management: (Operational Risk Management) Teacher: Ismatullah Butt (PHD Candidate)No ratings yetAdv Commercial Bank Management: (Operational Risk Management) Teacher: Ismatullah Butt (PHD Candidate)30 pages
- Risk Management Framework For MCX (Stock Exchange)No ratings yetRisk Management Framework For MCX (Stock Exchange)4 pages
- Risk Management and Basel II: Bank Alfalah LimitedNo ratings yetRisk Management and Basel II: Bank Alfalah Limited72 pages
- Credit Risk Management at National BankNo ratings yetCredit Risk Management at National Bank24 pages
- ALCO and Operational Risk Management at Bank of China100% (1)ALCO and Operational Risk Management at Bank of China17 pages
- Measuring and Managing Operational Risk Under Basel II: Constantinos Stephanou The World Bank100% (1)Measuring and Managing Operational Risk Under Basel II: Constantinos Stephanou The World Bank34 pages
- Operational Risk: Risk Management in BankingNo ratings yetOperational Risk: Risk Management in Banking14 pages
- Operational Risk Reporting Standards v1.4No ratings yetOperational Risk Reporting Standards v1.4134 pages
- Insurance Operational Risk Reporting StandardsNo ratings yetInsurance Operational Risk Reporting Standards89 pages
- ORX Cause & Impacts Operational Risk Reference Taxonomy Summary100% (2)ORX Cause & Impacts Operational Risk Reference Taxonomy Summary9 pages
- Internal Capital Adequacy Process A Framework ForNo ratings yetInternal Capital Adequacy Process A Framework For10 pages
- ORX Scenarios Insights Into Material Risks 2022 Public Report100% (1)ORX Scenarios Insights Into Material Risks 2022 Public Report10 pages
- Scenario Analysis: Part 1: Perspectives and Principles: AMAG Group Industry Position PaperNo ratings yetScenario Analysis: Part 1: Perspectives and Principles: AMAG Group Industry Position Paper18 pages
- Inter Risk Coorelation Within Economic Capital PDFNo ratings yetInter Risk Coorelation Within Economic Capital PDF63 pages
- Inter Risk Coorelation Within Economic Capital PDFNo ratings yetInter Risk Coorelation Within Economic Capital PDF63 pages
- Ey Three Priorities For Fis To Drive A Next Generation Data Governance FrameworkNo ratings yetEy Three Priorities For Fis To Drive A Next Generation Data Governance Framework18 pages
- Risk Return Optimization With Different Risk Aggregation StrategiesNo ratings yetRisk Return Optimization With Different Risk Aggregation Strategies19 pages
- Inter Risk Coorelation Within Economic Capital PDFNo ratings yetInter Risk Coorelation Within Economic Capital PDF63 pages
- Sulfur Recovery From Acid Gas Using The Claus ProcNo ratings yetSulfur Recovery From Acid Gas Using The Claus Proc11 pages
- Minutes of 49th NR LTA Connectivity Meeting Held On 27-08-2021No ratings yetMinutes of 49th NR LTA Connectivity Meeting Held On 27-08-202124 pages
- Real Estate Debt Opportunity - Blue Moon - TeaserNo ratings yetReal Estate Debt Opportunity - Blue Moon - Teaser2 pages
- J H Atkinson, P L Bransby - The Mechanics of Soil - An Introduction To Critical State Soil Mechanics-McGraw-Hill (1982)No ratings yetJ H Atkinson, P L Bransby - The Mechanics of Soil - An Introduction To Critical State Soil Mechanics-McGraw-Hill (1982)395 pages
- The Write Physiology Thinking and Inking.15No ratings yetThe Write Physiology Thinking and Inking.156 pages
- g10 Math q1 Performance Task 4 Geometric SeriesNo ratings yetg10 Math q1 Performance Task 4 Geometric Series2 pages
- In A Representative Sample Grit Has A Negligible Effect On Educational and Economic Success Compared To IntelligenceNo ratings yetIn A Representative Sample Grit Has A Negligible Effect On Educational and Economic Success Compared To Intelligence8 pages
- SEO Strategies for Document OptimizationNo ratings yetSEO Strategies for Document Optimization2 pages
