Basel IV rewrites operational risk

by Mario Calcagnini and Maurizio Primanni (Partner & CEO at Excellence Consulting) for Azienda Banca

2025 marks the beginning of a new era for European banking regulation.
With the entry into force of Regulation (EU) 2024/1623 (CRR III – Capital Requirements Regulation), the implementation of the so-called final Basel III reforms – informally known as Basel IV – is completed. At the same time, Directive (EU) 2024/1619 (CRD VI – Capital Requirements Directive), which will come into force in January 2026, strengthens the framework for governance and risk control, with particular attention to sustainability and consolidated supervision.
The ambition is clear: to make the banking system more robust, transparent, and comparable, limiting regulatory arbitrage between institutions and promoting a culture of resilience.
For Italian banks, this translates into a transformation that involves regulatory capital, the quality and traceability of data, and the way operational risk is measured and communicated. Furthermore, the approach to its management is also changing, leading to a strengthening of “ex ante” control processes aimed at enhancing the capacity for prevention and response to operational risks.

A new logic for capital and operational risk management
One of the key changes is the introduction of the Output Floor, which imposes a lower limit on regulatory capital calculated using internal models. The main effect is to level capital requirements between banks using standardized approaches and those using advanced models, setting a minimum threshold at 72.5% of the requirement resulting from the standardized approach.
The most significant impact concerns operational risk, with the final phase-out of the AMA – Advanced Measurement Approach and the introduction of the SMA – Standardised Measurement Approach. The new method includes a size component (the Business Indicator) and a historical one, based on actual operational losses.
The logic is no longer predictive but retrospective: those who have correctly recorded and classified past events will be rewarded; those who have underestimated loss data collection processes will face a capital penalty.
In this context, the Risk Control Self-Assessment (RCSA) process, whose main goal is to identify specific risk events directly connected to potential economic losses, will gain greater importance.
The RCSA serves as a tool for conducting risk and vulnerability scenario analyses of a process, involving organizational structures directly; it helps disseminate the culture of control and is a fundamental management tool aimed at detecting risks “ex ante,” especially when compared with the results of the Loss Data Collection process.
For many banks, including Italian ones, simulations show increases between 10% and 20% in absorbed capital. In other cases, the impact of the SMA alone affected the CET1 – Common Equity Tier 1 – by more than 40 basis points.
This shift transforms operational risk from a “secondary” category into a strategic lever for capital management.
All of this will lead institutions to delve deeper not only into aspects related to the calculation and monitoring of regulatory capital but also into the assessment of economic capital, as it represents the internal measure of the capital a company must hold to protect itself against extreme and unexpected events that could compromise its financial stability.
In fact, unlike the minimum regulatory requirements imposed by authorities (such as Basel’s), economic capital considers the organization’s specific risk profile, its operational vulnerabilities, and business strategies.

Data collection and quality become critical success factors
With the adoption of the SMA (Standardised Measurement Approach), the ability to reliably collect, track, and aggregate data on operational losses becomes essential. Data granularity, reconciliation between systems (finance and risk), and the quality of internal reporting are elements that will directly influence regulatory capital.
A clear example is operational events related to internal fraud or poorly coded legal disputes, which are often untracked or excluded from SMA flows. Without adequate taxonomies, data ownership, and traceability (data lineage), the risk is twofold: overestimating the size indicator and underestimating historical losses, both of which generate capital inefficiencies.
In this context, the adoption of machine learning and artificial intelligence (AI) tools is emerging as a lever to improve operational risk management. Supervised algorithms can support the automatic classification of events, anomaly detection in data, or risk pattern forecasting based on historical series. If correctly integrated into internal processes, these tools can strengthen data governance, improve information quality, and increase the effectiveness of controls.
Numerous Italian banks are responding with dedicated task forces and revisions of event classification frameworks and data governance.

Changes in informational transparency and regulatory reporting (Pillar 3)
Pillar 3 (Basel’s third pillar), i.e., regulatory disclosure to the market and supervision, is evolving into an integrated communication system. With CRR III, banks are required to publish comparable and accessible information not only on credit risk exposures but also on the structure of the Business Indicator and the treatment of operational risk.
This opens a new opportunity: transparency as a reputational lever.
Pillar 3 programs combine automation of flows, ESG narrative consistency, and cross-functional data governance.
Disclosure on operational losses and sensitivity to internal models becomes a distinguishing factor also in terms of competitive positioning.

How to concretely prepare for the entry into force of the new package
The most structured Italian banks are already working on adaptive implementation models. Priorities include updating IT systems to correctly calculate the SMA, reviewing the logic for allocating losses, and integrating operational reporting into Pillar 3 flows. Some have formalized roles dedicated to overseeing data quality in operational risk; others are reviewing the segmentation of business lines in light of Business Indicator requirements.
Adjustment initiatives are not just about compliance: they are investments in solidity and positioning. In particular, some of the largest banking groups have already launched projects linking Basel IV, capital optimization, and efficiency of internal operating structures through digital transformation and artificial intelligence.

Operational risk becomes a key element of resilience
Basel IV changes the relevance of operational risk: from a technical obligation to a central component of banking resilience.
Its measurement is no longer a theoretical modeling exercise, but a test of the institution’s managerial and informational maturity.
For those who will be able to turn this obligation into a lever of efficiency, there will be opportunities for competitive advantage and credibility with supervisory authorities.
Compliance today is no longer just about regulatory adaptation – it has become a strategic exercise that banks are increasingly required to perform and that technological developments are turning into an opportunity.

Whistleblowing

The institution of “whistleblowing” is recognised as a fundamental tool for bringing wrongdoing to light; for it to work effectively, however, it is crucial to ensure adequate and balanced protection for whistleblowers. To this end, in order to ensure that whistleblowers are better protected from retaliation and negative consequences, and to encourage use of the tool, Italy approved Legislative Decree No. 24 of 10 March 2023, transposing Directive (EU) 2019/1937 on the protection of persons who report breaches.

The decree aims to strengthen the legal protection of persons who report breaches of national or European regulatory provisions that harm the interests and/or integrity of the public or private entity they belong to, and of which they became aware in the course of their work.
