How do firms use internal and external loss data for operational risk management?
The FRM I curriculum discusses loss data as a foundation for operational risk quantification. I understand you need historical loss events, but how do firms actually collect this data, combine internal and external sources, and use it to estimate future operational risk?
Loss data is the empirical backbone of operational risk measurement. Without reliable loss data, all the models and frameworks are built on guesswork. The FRM curriculum emphasizes both internal and external data sources and their respective strengths and limitations.
Internal Loss Data:
Internal data comes from the firm's own loss event database — every operational loss above a minimum threshold (often $10,000) is recorded.
What gets captured:
- Loss amount (gross and net of recoveries)
- Date of occurrence and date of discovery
- Business line and risk category (using Basel event types)
- Root cause analysis
- Whether insurance recovered any portion
Strengths: Directly relevant to the firm's risk profile, reflects the firm's specific control environment, and available in detail.
Weaknesses: Limited history (most firms have 5-15 years), rare high-severity events may never have occurred internally, and reporting incentives may lead to under-collection (staff may not report losses that make their unit look bad).
External Loss Data:
External data comes from industry databases (ORX, SAS OpRisk Global Data) or public sources (press reports of large operational loss events at other firms).
Strengths: Captures tail events the firm hasn't experienced (e.g., a rogue trading loss of $7 billion), provides a broader picture of operational risk across the industry.
Weaknesses: Other firms' losses may not be relevant to your institution (different size, geography, products, controls). Scaling adjustments are needed — a $2B loss at a $500B bank doesn't directly translate to a $100B bank.
Combining the Sources:
Best practice uses all four elements (the 'four data elements' under the AMA framework):
- Internal loss data → calibrates the body of the loss distribution
- External loss data → informs the tail (extreme loss potential)
- Scenario analysis → supplements where data is sparse
- Business environment and internal control factors (BEICFs) → adjust for forward-looking risk changes
Scaling External Data:
When incorporating external losses, firms typically scale by a size proxy (revenue, assets, or number of employees). A $1B fraud loss at a bank with $800B in assets might be scaled to $250M for a bank with $200B in assets.
Exam Tip: FRM questions often test whether you understand the complementary nature of internal (body) vs external (tail) data and the need for scaling adjustments.
Master operational risk data techniques in our FRM community.
Master Part I with our FRM Course
64 lessons · 120+ hours· Expert instruction
Related Questions
How exactly do futures margin calls work, and what happens if I can't meet one?
How do you calculate the settlement amount on a Forward Rate Agreement (FRA)?
When should I use Monte Carlo simulation instead of parametric VaR, and how does it actually work?
Parametric VaR vs. Historical Simulation VaR — when does each method fail?
What are the core components of an Enterprise Risk Management (ERM) framework, and how does it differ from siloed risk management?
Join the Discussion
Ask questions and get expert answers.