In one of our projects, the firm's Head of Operational Risk had a strong market risk culture. He hoped that one day he would be able to assess operational risks in the same way as market risks, by assessing risks on individual positions and then aggregating them.
We believe that exposure, occurrence, impact (XOI) models can be used to make progress in this direction.
An XOI scenario is defined as a range of possible adverse events. As such, it differs from a usual scenario, as it is not viewed as a particular storyline.
For instance, a usual way of describing a cyber attack scenario would be:
The trading application is down as the result of a powerful DDoS attack, and two days are necessary to go back to normal. During this period, most transaction fees have been lost, and some large institutional clients ask for compensation as some of their transactions could not go through.
The XOI version of this cyber attack scenario is different:
One of the critical applications of the bank is down as the result of a DDoS attack, either powerful and limited in time, or weaker but lasting for several days. For the duration of the attack, part of the revenue dependent on the application is lost, and some clients need to be compensated.
One of the key differences here is that we consider all of the possible applications, that is, all of the possible “objects” or “units” exposed to the occurrence of the scenario.
This means that ...