Basel Committee on

Banking Supervision

OPE
Calculation of RWA for
operational risk
OPE25
Standardised approach

Version effective as of
01 Jan 2023
Updated to include the FAQs published on 5 June
2020 and the FAQ on climate-related financial
risks published on 8 December 2022. FAQs
published on 30 March 2023 added.
This document has been generated on 05/26/2024 based on the Basel Framework data available on
the BIS website (www.bis.org).

© Bank for International Settlements 2024. All rights reserved.

Introduction

25.1 The standardised approach methodology is based on the following components:

(1) the Business Indicator (BI) which is a financial-statement-based proxy for operational
risk;
(2) the Business Indicator Component (BIC), which is calculated by multiplying the BI by a
set of regulatory determined marginal coefficients (αi); and
(3) the Internal Loss Multiplier (ILM), which is a scaling factor that is based on a bank’s
average historical losses and the BIC.

25.2 Operational risk capital requirements (ORC) are calculated by multiplying the BIC and the
ILM, as shown in the formula below. Risk-weighted assets (RWA) for operational risk are
equal to 12.5 times ORC.

Components of the standardised approach

25.3 The BI comprises three components: the interest, leases and dividend component (ILDC);
the services component (SC), and the financial component (FC).

25.4 The BI is defined as:

25.5 ILDC, SC and FC are defined in the formulae below, where a bar above a term indicates that it
is calculated as the average over three years: t, t-1 and t-2:1

Footnotes
1 The absolute value of net items (eg interest income – interest expense) should be
calculated first year by year. Only after this year by year calculation should the average
of the three years be calculated.

25.6 The definitions for each of the components of the BI are provided in OPE10.

25.7 To calculate the BIC, the BI is multiplied by the marginal coefficients (α). The marginal
coefficients increase with the size of the BI as shown in Table 1. For banks in the first bucket
(ie with a BI less than or equal to €1bn) the BIC is equal to BI x 12%. The marginal increase
in the BIC resulting from a one unit increase in the BI is 12% in bucket 1, 15% in bucket 2
and 18% in bucket 3.2
BI ranges and marginal coefficients Table 1

Bucket BI range (in €bn) BI marginal coefficients (αi)

1 ≤1 12%

1/11
 2 1 < BI ≤30 15%

3 > 30 18%

Footnotes
2 For example, given a BI = €35bn, the BIC = (1 x 12%) + (30-1) x 15% + (35-30) x 18% =
€5.37bn.

25.8 A bank’s internal operational risk loss experience affects the calculation of operational risk
capital through the ILM. The ILM is defined as below, where the Loss Component (LC) is
equal to 15 times average annual operational risk losses incurred over the previous 10
years:

25.9 The ILM is equal to one where the loss and business indicator components are equal.
Where the LC is greater than the BIC, the ILM is greater than one. That is, a bank with losses
that are high relative to its BIC is required to hold higher capital due to the incorporation of
internal losses into the calculation methodology. Conversely, where the LC is lower than the
BIC, the ILM is less than one. That is, a bank with losses that are low relative to its BIC is
required to hold lower capital due to the incorporation of internal losses into the calculation
methodology.

25.10 The calculation of average losses in the LC must be based on 10 years of high-quality
annual loss data. The qualitative requirements for loss data collection are outlined in
OPE25.14 to OPE25.34. As part of the transition to the standardised approach, banks that
do not have 10 years of high-quality loss data may use a minimum of five years of data to
calculate the LC.3 Banks that do not have five years of high-quality loss data must calculate
the capital requirement based solely on the BIC. Supervisors may however require a bank
to calculate capital requirements using fewer than five years of losses if the ILM is greater
than 1 and supervisors believe the losses are representative of the bank’s operational risk
exposure.
Footnotes
3 This treatment is not expected to apply to banks that previously used the Advanced
Measurement Approaches for determining operational risk capital requirements
under the Basel II framework.

25.11 For banks in bucket 1 (ie with BI ≤ €1 billion), internal loss data does not affect the capital
calculation. That is, the ILM is equal to 1, so that operational risk capital is equal to the BIC
(=12% x BI). At national discretion, supervisors may allow the inclusion of internal loss data
into the framework for banks in bucket 1, subject to meeting the loss data collection
requirements specified in OPE25.14 to OPE25.34. In addition, at national discretion,
supervisors may set the value of ILM equal to 1 for all banks in their jurisdiction. In case
this discretion is exercised, banks would still be subject to the full set of disclosure
requirements summarised in OPE25.35.

Minimum standards for the use of loss data under the standardised approach

25.12 Banks with a BI greater than €1bn are required to use loss data as a direct input into the

2/11
 operational risk capital calculations. The soundness of data collection and the quality and
integrity of the data are crucial to generating capital outcomes aligned with the bank’s
operational loss exposure. The minimum loss data standards are outlined in OPE25.14 to
OPE25.34. National supervisors should review the quality of banks’ loss data periodically.

25.13 Banks which do not meet the loss data standards are required to hold capital that is at a
minimum equal to 100% of the BIC. In such cases supervisors may require the bank to
apply an ILM which is greater than 1. The exclusion of internal loss data due to non-
compliance with the loss data standards, and the application of any resulting multipliers,
must be publicly disclosed in accordance with the Pillar 3 requirements.

General criteria on loss data identification, collection and treatment

25.14 The proper identification, collection and treatment of internal loss data are essential
prerequisites to capital calculation under the standardised approach. The general criteria
for the use of the LC are as follows.

25.15 Internally generated loss data calculations used for regulatory capital purposes must be
based on a 10-year observation period. If ten years of good quality loss data are not
available when the bank first moves to the standardised approach, a shorter observation
period is acceptable on an exceptional basis (with a minimum observation period of five
years). Note that all years of good-quality data available beyond five years must be
included.

25.16 Internal loss data are most relevant when clearly linked to a bank’s current business
activities, technological processes and risk management procedures. Therefore, a bank
must have documented procedures and processes for the identification, collection and
treatment of internal loss data. Such procedures and processes must be subject to
validation before the use of the loss data within the operational risk capital requirement
measurement methodology, and to regular independent reviews by internal and/or
external audit functions.

25.17 For risk management purposes, and to assist in supervisory validation and/or review, a
supervisor may request a bank to map its historical internal loss data into the relevant Level
1 supervisory categories as defined in Table 2 and to provide this data to supervisors. The
bank must document criteria for allocating losses to the specified event types.
Detailed loss event type classification Table 2

Event-type category Definition Categories (Level 2) Activity examples (Level 3)

(Level 1)

Internal fraud Losses due to acts of a Unauthorised activity Transactions not reported (intentional)
type intended to defraud, Transaction type unauthorised (with monetary
misappropriate property loss) Mismarking of position (intentional)
or circumvent regulations,
the law or company Theft and fraud Fraud / credit fraud / worthless deposits Theft /
policy, excluding diversity/
discrimination events, extortion / embezzlement / robbery
which involves at least Misappropriation of assets Malicious
one internal party destruction of assets Forgery Check kiting
Smuggling Account takeover / impersonation
etc Tax non-compliance / evasion (wilful)
Bribes / kickbacks Insider trading (not on firm's
account)

External fraud Losses due to acts of a Theft and fraud Theft / robbery Forgery Check kiting
type intended to defraud,

3/11
 misappropriate property Systems security Hacking damage Theft of information (with
or circumvent the law, by
monetary loss)
a third party

Employment practices Losses arising from acts Employee relations Compensation, benefit, termination issues
and workplace safety inconsistent with Organised labour activity
employment, health or
safety laws or Safe environment General liability (slip and fall etc) Employee
agreements, from
payment of personal health and safety rules events Workers
injury claims, or from compensation
diversity / discrimination
events Diversity and All discrimination types
discrimination

Clients, products and Losses arising from an Suitability, disclosure Fiduciary breaches / guideline violations
business practices unintentional or negligent and fiduciary Suitability / disclosure issues (know-your-
failure to meet a customer etc) Retail customer disclosure
professional obligation to
specific clients (including violations Breach of privacy Aggressive sales
fiduciary and suitability Account churning Misuse of confidential
requirements), or from
information Lender liability
the nature or design of a
product. Improper business or Antitrust Improper trade / market practices
market practices Market manipulation Insider trading (on firm's
account) Unlicensed activity Money laundering

Product flaws Product defects (unauthorised etc) Model errors

Selection, Failure to investigate client per guidelines

sponsorship and Exceeding client exposure limits
exposure

Advisory activities Disputes over performance of advisory activities

Damage to physical Losses arising from loss or Disasters and other Natural disaster losses Human losses from
assets damage to physical assets events external sources (terrorism, vandalism)
from natural disaster or
other events

Business disruption and Losses arising from Systems Hardware Software Telecommunications Utility
system failures disruption of business or outage / disruptions
system failures

Execution, delivery and Losses from failed Transaction capture, Miscommunication Data entry, maintenance or
process management transaction processing or execution and loading error Missed deadline or responsibility
process management, maintenance
from relations with trade Model / system misoperation Accounting error /
counterparties and entity attribution error Other task
vendors misperformance Delivery failure Collateral
management failure Reference data
maintenance

Monitoring and Failed mandatory reporting obligation

reporting Inaccurate external report (loss incurred)

Customer intake and Client permissions / disclaimers missing Legal

documentation documents missing / incomplete

Customer / client Unapproved access given to accounts Incorrect

account client records (loss incurred) Negligent loss or
management
damage of client assets

Trade counterparties Non-client counterparty misperformance

Miscellaneous non-client counterparty disputes

4/11
 Vendors and Outsourcing Vendor disputes
suppliers

FAQ
FAQ1 How could banks ensure that losses stemming from climate-related financial risks are
identifiable?
Losses due to natural disasters map to the event type category “Damage to physical
assets” from Table 2. However, climate-related financial risks may also cause
operational risk losses in other event type categories. For example, if a bank is
perceived to misrepresent sustainability-related practices or the sustainability-related
features of its investment products, it could lead to litigation cases (event type category
“Clients, products and business practices”). A power cut as a consequence of climate-
related financial risks could cause an interruption to a bank's services and
communications (event type category “Business disruption and system failures”). Where
feasible, losses whose root cause could stem from climate-related risk drivers could be
identifiable from the loss database, for example, by using a flag.

25.18 A bank's internal loss data must be comprehensive and capture all material activities and
exposures from all appropriate subsystems and geographic locations. The minimum
threshold for including a loss event in the data collection and calculation of average annual
losses is set at €20,000. At national discretion, for the purpose of the calculation of
average annual losses, supervisors may increase the threshold to €100,000 for banks in
buckets 2 and 3 (ie where the BI is greater than €1 billion).
FAQ
FAQ1 Should operational loss events from outsourced activities be included in the
operational loss dataset?
For operational losses from outsourced activities, the financial impacts of events
that the bank is responsible for should be included in the dataset as operational
losses. The financial impacts of events that are paid by the outsourcer (rather than
by the bank) are not operational losses to the bank.
FAQ2 When building the loss data set, which exchange rate should be used to convert
losses from foreign subsidiaries of a banking organisation into domestic currency?
Loss impacts denominated in a foreign currency should be converted using the same
exchange rate that is used to convert them in the banking organisation’s financial
statements of the period the loss impacts were accounted for.
FAQ3 How should the minimum threshold for including a loss event in the Loss
Component dataset be applied for events which result in multiple accounting
impacts?
Some operational loss events result in multiple accounting impacts, which can be
loss impacts or recoveries. To determine whether an operational loss event must be
included in the Loss Component calculation dataset, the net loss amount of the
event should be calculated by summing all of the event’s loss impacts inside the ten-
year calculation window and subtracting all recoveries inside the ten-year
calculation window. The accounting date of the impacts is used to determine
whether they are inside the ten year calculation window. If the event’s net total loss
amount is equal to or above EUR 20,000 (or equal to or above EUR 100,000 if that
national discretion is used), the loss event must be included in the calculation

5/11
 dataset. Note that a loss event may not result in a net loss amount above EUR
20,000 (EUR 100,000) in any individual year and still have to be included in the Loss
Component calculation dataset as long as the cumulative impact of the loss event in
the ten year window is equal to or above EUR 20,000 (EUR 100,000).
As an example, consider a bank determining its capital requirements using a Loss
Component calculation window of 2012 to 2021, and assume this bank is subject to
a EUR 20,000 loss threshold. Suppose one loss event results in a loss impact of EUR
16,000 in 2012 and EUR 7,000 in 2013. This loss event must be included in the
calculation dataset because its total impact inside the calculation window is EUR
23,000. On the other hand, a loss event that resulted in a loss impact of EUR
1,000,000 in 2010 (outside of the calculation window), a loss impact of EUR 300,000
in 2013 (inside the calculation window), and a recovery of EUR 500,000 in 2015
(inside the calculation window) should not be included in the calculation dataset
because its net impact inside the calculation window is negative, and thus less than
EUR 20,000.

25.19 Aside from information on gross loss amounts, the bank must collect information about
the reference dates of operational risk events, including the date when the event
happened or first began (“date of occurrence”), where available; the date on which the
bank became aware of the event (“date of discovery”); and the date (or dates) when a loss
event results in a loss, reserve or provision against a loss being recognised in the bank’s
profit and loss (P&L) accounts (“date of accounting”). In addition, the bank must collect
information on recoveries of gross loss amounts as well as descriptive information about
the drivers or causes of the loss event.4 The level of detail of any descriptive information
should be commensurate with the size of the gross loss amount.
Footnotes
4 Tax effects (eg reductions in corporate income tax liability due to operational losses)
are not recoveries for purposes of the standardised approach for operational risk.

25.20 Operational loss events related to credit risk and that are accounted for in credit RWA
should not be included in the loss data set. Operational loss events that relate to credit
risk but are not accounted for in credit RWA should be included in the loss data set.

25.21 Operational risk losses related to market risk are treated as operational risk for the
purposes of calculating minimum regulatory capital under this framework and will
therefore be subject to the standardised approach for operational risk.

25.22 Banks must have processes to independently review the comprehensiveness and accuracy
of loss data.

Specific criteria on loss data identification, collection and treatment

25.23 Building an acceptable loss data set from the available internal data requires that the bank
develop policies and procedures to address several features, including gross loss
definition, reference date and grouped losses.

25.24 Gross loss is a loss before recoveries of any type. Net loss is defined as the loss after taking
into account the impact of recoveries. The recovery is an independent occurrence, related
to the original loss event, separate in time, in which funds or inflows of economic benefits
are received from a third party.5
Footnotes
5 Examples of recoveries are payments received from insurers, repayments received
6/11
 from perpetrators of fraud, and recoveries of misdirected transfers.

25.25 Banks must be able to identify the gross loss amounts, non-insurance recoveries, and
insurance recoveries for all operational loss events. Banks should use losses net of
recoveries (including insurance recoveries) in the loss dataset. However, recoveries can be
used to reduce losses only after the bank receives payment. Receivables do not count as
recoveries. Verification of payments received to net losses must be provided to
supervisors upon request.

25.26 The following items must be included in the gross loss computation of the loss data set:
(1) Direct charges, including impairments and settlements, to the bank's P&L accounts and
write-downs due to the operational risk event;
(2) Costs incurred as a consequence of the event including external expenses with a direct
link to the operational risk event (eg legal expenses directly related to the event and
fees paid to advisors, attorneys or suppliers) and costs of repair or replacement,
incurred to restore the position that was prevailing before the operational risk event;
(3) Provisions or reserves accounted for in the P&L against the potential operational loss
impact;
(4) Losses stemming from operational risk events with a definitive financial impact, which
are temporarily booked in transitory and/or suspense accounts and are not yet
reflected in the P&L ("pending losses").6 Material pending losses should be included in
the loss data set within a time period commensurate with the size and age of the
pending item; and
(5) Negative economic impacts booked in a financial accounting period, due to operational
risk events impacting the cash flows or financial statements of previous financial
accounting periods ("timing losses").7 Material "timing losses" should be included in the
loss data set when they are due to operational risk events that span more than one
financial accounting period and give rise to legal risk.
Footnotes
6 For instance, in some countries, the impact of some events (eg legal events, damage
to physical assets) may be known and clearly identifiable before these events are
recognised through the establishment of a reserve. Moreover, the way this reserve is
established (eg the date of discovery) can vary across banks or countries.
7 Timing impacts typically relate to the occurrence of operational risk events that
result in the temporary distortion of an institution’s financial accounts (eg revenue
overstatement, accounting errors and mark-to-market errors). While these events do
not represent a true financial impact on the institution (net impact over time is
zero), if the error continues across more than one financial accounting period, it
may represent a material misrepresentation of the institution’s financial statements.
FAQ
FAQ1 When an operational loss event results in a provision and, later, that provision turns
into a charge-off, should both be summed in calculating the operational loss
resulting from an operational loss event? For example, if a bank takes a €1 million
provision for a legal event in 2018 and then settles the legal event for €1.2 million in
2019, should both be summed to calculate the operational loss resulting from the
operational loss event?
No. The €1 million provision is an operational loss included in 2018 and the
additional €200 thousand is an operational loss in 2019 (equal to the €1.2 million

7/11
 settlement in 2019 minus the €1 million provision in 2018). There should be no
double counting of the same financial impacts in the calculation of operational
losses. When a bank makes a provision due to an operational loss event, such
provision must be considered an operational loss immediately for the calculation of
the Loss Component. When a charge-off (such as a settlement) eventually takes
place later, only the difference between the initial provision and the charge-off (if
any) should be added to the operational loss calculation.
FAQ2 When a bank refunds a client that was overbilled due to an operational failure, can
the initial overbilling be used to net out the refund?
When a bank refunds a client that was overbilled due to an operational failure, if the
refund is provided in the same financial accounting period as the overbilling took
place and thus no misrepresentation of the institution’s financial statements occurs,
there is no operational loss. If the refund occurs in a subsequent financial
accounting period to the overbilling, it is a timing loss; any operational loss event
that exceeds the threshold of EUR 20,000 (or EUR 100,000 if the national supervisor
has used the national discretion to set this higher threshold) should be included in
the loss dataset. In this case, the prior overbilling is not a recovery.
FAQ3 How should the costs relating to a bank asset that is damaged or destroyed be
defined?
In a case where a bank asset is damaged or destroyed and without prejudice of
additional indirect losses, the losses related to the asset value and the costs of
repair or replacement depend on how the bank proceeds in addressing that damage
or destruction:
(a) In cases where an asset of the bank is damaged or destroyed and the bank does
not replace or repair it, the operational loss amount corresponds to the
reduction in the book value of the asset plus any residual clean-up or disposal
costs
(b) In cases where an asset of the bank is damaged or destroyed and the bank
decides to replace it or repair it fully, then the operational loss amount is the
cost of replacing or repairing the asset plus any residual clean-up or disposal
costs.
(c) In cases where an asset of the bank is damaged and the bank decides to repair it
partially (ie the asset has less book value after repair than prior to the
operational loss event), then the operational loss amount is the cost of repairing
the asset plus the loss of book value of the asset after the repair relative to its
pre-operational loss event book value plus any residual clean-up or disposal
costs.
FAQ4 What is the threshold of materiality for timing losses and pending losses?
Like other operational losses, timing losses and pending losses must be included in
the operational loss event dataset if they are associated with an operational loss
event that exceeds €20,000 (€100,000 upon national discretion) for banks in buckets
2 and 3.

25.27 The following items should be excluded from the gross loss computation of the loss data
set:
(1) Costs of general maintenance contracts on property, plant or equipment;
(2) Internal or external expenditures to enhance the business after the operational risk
losses: upgrades, improvements, risk assessment initiatives and enhancements; and
8/11
 (3) Insurance premiums.

25.28 Banks must use the date of accounting for building the loss data set. The bank must use a
date no later than the date of accounting for including losses related to legal events in the
loss data set. For legal loss events, the date of accounting is the date when a legal reserve
is established for the probable estimated loss in the P&L.

25.29 Losses caused by a common operational risk event or by related operational risk events
over time, but posted to the accounts over several years, should be allocated to the
corresponding years of the loss database, in line with their accounting treatment.
FAQ
FAQ1 What are the conditions for losses (and recoveries) to be grouped into a single
operational loss event?
All operational losses caused by a common underlying trigger or root cause should
be grouped into one operational loss event in a bank’s operational loss event
dataset. Two examples of losses with a common underlying trigger or root cause,
which should be grouped into a single loss event:
Banks should have a clear, well-documented policy for determining the criteria for
multiple losses to be grouped into an operational loss event. In addition, processes
should be in place to ensure that there is a firm-wide understanding of the loss
event grouping policy, that there is appropriate sharing of loss event data across
businesses to implement the policy effectively and that there are adequate controls
(including independent review) to assess ongoing compliance with the policy.

Exclusion of losses from the Loss Component

25.30 Banking organisations may request supervisory approval to exclude certain operational
loss events that are no longer relevant to the banking organisation's risk profile. The
exclusion of internal loss events should be rare and supported by strong justification. In
evaluating the relevance of operational loss events to the bank's risk profile, supervisors
will consider whether the cause of the loss event could occur in other areas of the bank's
operations. Taking settled legal exposures and divested businesses as examples,
supervisors expect the organisation's analysis to demonstrate that there is no similar or
residual legal exposure and that the excluded loss experience has no relevance to other
continuing activities or products.
FAQ
FAQ1 Upon supervisory approval to exclude losses, when should this exclusion take effect?
The calculation of the loss component of the operational risk capital (ORC) should
recognise the effect of exclusion immediately after the supervisory approval. If
supervisors only require the operational risk standardised approach calculation to
be updated annually, but the exclusion is approved prior to an intermediate (eg,
quarterly) update of the bank’s total risk-weighted assets that precedes the annual
update of the operational risk standardised approach, banks should report the
revised operational risk risk-weighted assets in the first update of total risk-weighted
assets post-exclusion.
FAQ2 Can operational risk losses resulting from the reform of benchmark reference rates
be excluded from the operational risk charge based on OPE25.30?
Banks may suffer operational risk losses related to the reform of benchmark
reference rates, particularly if they do not adequately prepare for the transition to
the new rates. For example, losses may be incurred over an extended period of time
9/11
 if banks fail to identify and remediate relevant legacy contracts prior to the
discontinuation of a benchmark rate. Operational risk losses relating to the reform
of benchmark reference rates do not fulfil the criteria for exclusion from the
calculation of operational risk capital requirements laid out in OPE25.30 (ie
characterised as one-off, no longer relevant, no residual exposure). It should,
however, be noted that not all costs related to the implementation of benchmark
rate reforms represent operational risk losses (eg legal fees to alter contracts to
prepare for the new reference rates in accordance with relevant legal rules; or costs
related to adjustments to IT systems). To minimise the risk of operational risk losses,
banks should consider the effects of benchmark rate reform on their businesses in a
timely manner and make the necessary preparations for the transition to the
alternative rates. In doing so, they should maintain a close dialogue with their
supervisory authorities regarding their plans and transition progress, including any
identified impediments.

25.31 The total loss amount and number of exclusions must be disclosed in accordance with the
Pillar 3 requirements with appropriate narratives, including total loss amount and number
of exclusions.

25.32 A request for loss exclusions is subject to a materiality threshold to be set by the
supervisor (for example, the excluded loss event should be greater than 5% of the bank’s
average losses). In addition, losses can only be excluded after being included in a bank’s
operational risk loss database for a minimum period (for example, three years), to be
specified by the supervisor. Losses related to divested activities will not be subject to a
minimum operational risk loss database retention period.

Exclusions of divested activities from the Business Indicator

25.33 Banking organisations may request supervisory approval to exclude divested activities
from the calculation of the BI. Such exclusions must be disclosed in accordance with the
Pillar 3 requirements.
FAQ
FAQ1 Upon supervisory approval to exclude activities from the BI, when should this
exclusion take effect?
Divested activities should be excluded from the calculation of the BI amount used for
the calculation of operational risk capital (ORC) immediately after the supervisory
approval. If supervisors only require the operational risk standardised approach
calculation to be updated annually, but the exclusion is approved prior to an
intermediate (eg, quarterly) update of the bank’s total risk-weighted assets that
precedes the annual update of the operational risk standardised approach, banks
should report the revised operational risk risk-weighted assets in the first update of
total risk-weighted assets post-exclusion.

Inclusion of losses and BI items related to mergers and acquisitions

25.34 The scope of losses and BI items used to calculate the operational risk capital
requirements must include acquired businesses and merged entities over the period prior
to the acquisition/merger that is relevant to the calculation of the standardised approach
(ten years for losses and three years for BI).
FAQ
FAQ1 Upon a merger or an acquisition, when should the inclusion of the losses and BI

10/11
 items of the merged entity or acquired businesses take effect?
Losses and BI items from merged entities or acquired businesses should be included
in the calculation of operational risk capital (ORC) immediately after the merger/
acquisition, and should be reported in the first update of the bank’s total risk-
weighted assets that comes after the merger/acquisition.

Disclosure

25.35 All banks with a BI greater than €1bn, or which use internal loss data in the calculation of
operational risk capital, are required to disclose their annual loss data for each of the ten
years in the ILM calculation window in accordance with the Pillar 3 requirements. This
includes banks in jurisdictions that have opted to set ILM equal to one. Loss data is
required to be reported net of recoveries, both before and after loss exclusions. All banks
are required to disclose each of the BI sub-items for each of the three years of the BI
component calculation window in accordance with the Pillar 3 requirements.

11/11