GENERALITIES AND GOOD PRACTICE
Performing root cause analysis of significant operational risk events and near misses is covered in The Principles for the Sound Management of Operational Risk by the Basel Committee on Banking Supervision (BCBS) in its third edition of 2014 [1]. BCBS states:
“A noteworthy practice identified by only a few banks was the establishment of an internal threshold (eg $100,000 or €100,000) whereby any operational risk event (ie losses, near‐misses and profitable events) was subject to an exhaustive and standardised root cause analysis by the first line of defence, which in turn was subject to independent review and challenge by the second line of defence. These banks noted that the operational risk management function provides the business line with supporting guidance and a standardised template to ensure a consistent approach. Some banks also noted that the process involved embedding the bank's operational risk taxonomy into the template, so that this information could inform the use of the other operational risk management tools.
Additional noteworthy practices include the first line of defence leading the root cause analysis and creating action items to address any identified control deficiencies, the second line of defence closely monitoring and tracking those action items, and escalating the details of the root cause analysis and resulting action plan for items above a higher internal threshold to senior ...