Operational Risk in Banks: Governance, Quantification Models, and Stress Testing under the Basel SMA

Fatmir Xheladini

doi:10.5281/zenodo.18525416

Authors

Fatmir Xheladini University of Tetovo, Str. Ilinden, nn., 1200 Tetova, North Macedonia

DOI:

https://doi.org/10.5281/zenodo.18525416

Keywords:

operational risk, Basel III, Standardised Measurement Approach, stress testing, loss data, risk governance, operational resilience

Abstract

Operational risk has become a dominant determinant of banking resilience as digitalisation, outsourcing, and interconnected infrastructures increase exposure to ICT outages, cyber incidents, and third‑party disruptions. Although the Basel Committee’s Standardised Measurement Approach (SMA) enhances comparability of regulatory outcomes, banks still require decision‑useful internal measurement supported by disciplined loss‑data pipelines, scenario analysis, and strong governance. This study develops an end‑to‑end operational risk quantification and stress‑testing workflow aligned with SMA logic, covering taxonomy and RCSA, loss data validation and lineage, frequency–severity analytics, scenario design, and translation into an SMA‑style management capital proxy. Using a structured quarterly dataset, results show that capital pressure increases when loss frequency rises or severity shifts upward, and that cyber and third‑party stress scenarios generate disproportionate impacts relative to baseline conditions. The paper provides a board‑level reporting template, model‑governance controls, and a present–future comparison illustrating how control improvements can reduce capital pressure and concentration risk while strengthening operational resilience.

References

Basel Committee on Banking Supervision. (2003). Sound practices for the management and supervision of operational risk. Bank for International Settlements.

Basel Committee on Banking Supervision. (2011). Principles for the sound management of operational risk. Bank for International Settlements. Bank for International Settlements

Basel Committee on Banking Supervision. (2016). Standardised Measurement Approach for operational risk (Consultative document). Bank for International Settlements. Bank for International Settlements

Basel Committee on Banking Supervision. (2017). Basel III: Finalising post-crisis reforms (BCBS 424). Bank for International Settlements. Bank for International Settlements

Basel Committee on Banking Supervision. (2021). Principles for operational resilience. Bank for International Settlements. Bank for International Settlements

European Banking Authority. (2019). Guidelines on ICT and security risk management (EBA/GL/2019/04). European Banking Authority. European Banking Authority+1

European Banking Authority. (2019). Guidelines on outsourcing arrangements (EBA/GL/2019/02). European Banking Authority. European Banking Authority

European Parliament and Council of the European Union. (2022). Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector (DORA). Official Journal of the European Union, L 333, 27.12.2022, 1–79. EUR-Lex+1

National Institute of Standards and Technology. (2024). The NIST Cybersecurity Framework (CSF) 2.0 (NIST CSWP 29). U.S. Department of Commerce. NIST Publications+1

Committee of Sponsoring Organizations of the Treadway Commission. (2017). Enterprise risk management: Integrating with strategy and performance (Executive summary). COSO. The IIA Sweden+1

International Organization for Standardization. (2018). ISO 31000:2018 Risk management—Guidelines. ISO. ISO

International Organization for Standardization. (2019). ISO 22301:2019 Security and resilience—Business continuity management systems—Requirements. ISO. ISO

Chernobai, A., Jorion, P., & Yu, F. (2011). The determinants of operational risk in U.S. financial institutions. Journal of Financial and Quantitative Analysis, 46(6), 1683–1725.

Cope, E. W., Piche, M., & Walter, J. S. (2012). Operational loss forecasting: A univariate time series approach. Journal of Operational Risk, 7(3), 3–33.

Cruz, M. G. (2002). Modeling, measuring and hedging operational risk. Wiley.

Cummins, J. D., Lewis, C. M., & Wei, R. (2006). The market value impact of operational risk events. Journal of Banking & Finance, 30(10), 2605–2634.

de Fontnouvelle, P., DeJesus-Rueff, V., Jordan, J. S., & Rosengren, E. S. (2006). Capital and risk: New evidence on implications of large operational losses. Journal of Money, Credit and Banking, 38(7), 1819–1846.

Dutta, K., & Perry, J. (2007). A tale of tails: An empirical analysis of loss distribution models for estimating operational risk capital. Federal Reserve Bank of Boston Working Paper.

Frachot, A., Georges, P., & Roncalli, T. (2001). Loss distribution approach for operational risk. Working paper.

Jorion, P. (2007). Value at risk: The new benchmark for managing financial risk (3rd ed.). McGraw-Hill.

McNeil, A. J., Frey, R., & Embrechts, P. (2015). Quantitative risk management: Concepts, techniques and tools (2nd ed.). Princeton University Press.

Power, M. (2005). The invention of operational risk. Review of International Political Economy, 12(4), 577–599.

Shevchenko, P. V. (2011). Modelling operational risk using Bayesian inference. Springer.

Taleb, N. N. (2007). The black swan: The impact of the highly improbable. Random House.

Yamai, Y., & Yoshiba, T. (2005). Value-at-risk versus expected shortfall: A practical perspective. Journal of Banking & Finance, 29(4), 997–1015.

Basel Committee on Banking Supervision. (2006). International Convergence of Capital Measurement and Capital Standards: A Revised Framework—Comprehensive Version (Basel II). Bank for International Settlements.

Basel Committee on Banking Supervision. (2011). Basel III: A global regulatory framework for more resilient banks and banking systems (Revised version). Bank for International Settlements.

European Banking Authority. (2024). EBA amends its Guidelines on ICT and security risk management measures in the context of DORA application (Press release). European Banking Authority. European Banking Authority

Financial Stability Board. (2021). Principles for operational resilience (Compendium of Standards entry). Financial Stability Board. Financial Stability Board

Daci, E., & Rexhepi, B. R. (2024). The role of management in microfinance institutions in Kosovo: Case study Dukagjini region. Quality – Access to Success, 25(202). https://doi.org/10.47750/qas/25.202.22 ORCID

Rexhepi, B. R., Murtezaj, I. M., Xhaferi, B. S., Raimi, N., Xhafa, H., & Xhaferi, S. (2024). The cost calculation method based on activity is known as the activity-based costing (ABC) method. International Journal of Religion. https://doi.org/10.61707/r9xmrs04 ORCID+1

Rexhepi, B. R., Mustafa, L., Berisha, B. I., Vranovci, S. H., & Sadiku, M. K. (2024). Creating a factoring service specifically designed for small and medium enterprises at Pro Credit Bank in Kosovo. International Journal of Religion. https://doi.org/10.61707/tc834x95 ORCID+1

Rexhepi, B. R. (2024). Investment decisions related to the allocation of capital. Kuey (journal record as listed in ORCID). ORCID+1

Rexhepi, B. R., & Daci, E. (2024). Analysis of the effectiveness of freelance exchanges and their demand among corporate customers in the context of tax regulation. Scientific Bulletin of Mukachevo State University Series Economics (as available via ResearchGate PDF). ResearchGate

International Organization for Standardization. (2019). ISO 22301:2019 Security and resilience—Business continuity management systems—Requirements (Business continuity standard referenced for resilience design). ISO. ISO