How do banks use scenario analysis to estimate operational risk severity, and what role do expert judgment workshops play?

Operational risk scenario analysis is a forward-looking exercise where subject matter experts estimate the frequency and severity of plausible but extreme operational loss events. While the SMA capital formula relies on historical losses, scenario analysis remains essential for risk identification, stress testing, risk appetite calibration, and internal capital assessment.\n\nScenario Analysis Process:\n\n`mermaid\ngraph TD\n A[\"1. Scenario Identification\"] --> B[\"Select plausible extreme events
based on risk taxonomy\"]\n B --> C[\"2. Workshop Design\"]\n C --> D[\"Assemble cross-functional
expert panel\"]\n D --> E[\"3. Severity Estimation\"]\n E --> F[\"Estimate frequency and
severity distributions\"]\n F --> G[\"4. Bias Correction\"]\n G --> H[\"Apply structured debiasing
techniques\"]\n H --> I[\"5. Integration\"]\n I --> J[\"Incorporate into stress testing
and risk appetite framework\"]\n`\n\nWorkshop Structure -- Worked Example at Meridianbank:\n\nMeridianbank conducts annual scenario workshops for its top 15 operational risk scenarios. One scenario: 'Systemic Cyber Breach with Customer Data Exfiltration.'\n\nPanel composition:\n- CISO and Deputy CISO\n- Head of Fraud Operations\n- General Counsel (litigation cost estimation)\n- Head of Retail Banking (customer attrition impact)\n- Chief Risk Officer (aggregation and correlation)\n- External facilitator (debiasing)\n\nEstimation methodology (modified Delphi):\n\nRound 1 -- Individual estimates (blind):\n| Expert | 1-in-20Y Severity | 1-in-100Y Severity |\n|---|---|---|\n| CISO | EUR 120M | EUR 450M |\n| Fraud Head | EUR 85M | EUR 280M |\n| General Counsel | EUR 200M | EUR 600M |\n| Retail Head | EUR 150M | EUR 500M |\n\nRound 2 -- Discussion: The facilitator reveals the range without attribution. Experts discuss why estimates differ (General Counsel weighted litigation costs heavily; CISO focused on remediation). Estimates converge.\n\nRound 3 -- Final calibrated estimates:\n- 1-in-20 year severity: EUR 140M\n- 1-in-100 year severity: EUR 480M\n- Expected frequency: once every 8 years\n\nCognitive Biases and Countermeasures:\n\n| Bias | Description | Countermeasure |\n|---|---|---|\n| Anchoring | First number dominates | Blind Round 1 estimates |\n| Availability | Recent events overweighted | Provide base rate data |\n| Groupthink | Deference to seniority | Anonymous voting rounds |\n| Optimism | 'It won't happen to us' | Present external loss data |\n| Range compression | Underestimating tail severity | Ask for conditional distributions |\n\nStructured Elicitation Techniques:\n1. Ask for the median first, then the 95th percentile, then the 99th\n2. Use 'reference class forecasting' -- what happened to similar banks?\n3. Present external loss events (scaled for size) as calibration anchors\n4. Use visual aids showing probability distributions to ensure experts understand what '1-in-100 year' means\n\nUses Beyond Capital:\n- Informing cyber insurance purchasing decisions (coverage limits)\n- Setting operational risk appetite statements\n- Designing recovery and resolution plans\n- Board reporting on emerging risk exposures\n\nStudy scenario analysis methodology in our FRM Part II materials.