According to a new Bank for International Settlements (BIS) paper on operational risks (OpRisk) in the banking sector, major global banks take an average of 251 days to discover the occurrence of operational loss events.  The study uses data from 700,000 operational loss events that took place between 2002 and 2017.  The data came from ORX, a consortium of financial institutions that helps its members benchmark their operational risk management models.

The BIS study also shows that the average time between the occurrence of an OpRisk event, and recognition of related losses, is 435 days. Cyber-risk related losses represent a small portion of OpRisk losses, though cyber value-at-risk (VAR) can account for up to 33% of total operational VAR in banks’ risk models.

Notably, after studying OpRisk losses among 74 large global banks, the authors of the BIS paper finds that, “Internal fraud events and failures as a result of negligence or improper business practices are less likely to be discovered than other events.”   Indeed, the paper reports that it takes an average 448 days before internal fraud events are recognized and responded to as such — and 827 days in the case of improper business practices.Perhaps unsurprisingly, the BIS paper also finds that better supervision is associated with lower OpRisk losses. 

This finding will support arguments in favor of closer scrutiny of non-financial risk by bank regulators, and supervisory activities aimed at culture and conduct related risks. Firms wishing to avoid punitive enforcement actions should work to assure that the speed by which they are able to identify and mitigate such risks exceeds that of their regulators.

Read the paper here