This draft may meet Wikipedia's criteria for speedy deletion because in its current form it serves only to promote or publicise an entity, person, product, or idea, and would require a fundamental rewrite in order to become encyclopedic. However, the mere fact that a company, organization, or product is a page's subject does not, on its own, qualify that page for deletion under this criterion. This criterion also does not apply where substantial encyclopedic content would remain after removing the promotional material as deletion is not cleanup; in this case please remove the promotional material yourself, or add the {{advert}} tag to alert others to do so. See CSD G11.%5B%5BWP%3ACSD%23G11%7CG11%5D%5D%3A+Unambiguous+%5B%5BWP%3ANOTADVERTISING%7Cadvertising%5D%5D+or+promotionG11 If this draft does not meet the criteria for speedy deletion, or you intend to fix it, please remove this notice, but do not remove this notice from pages that you have created yourself. If you created this page and you disagree with the given reason for deletion, you can click the button below and leave a message explaining why you believe it should not be deleted. You can also visit the talk page to check if you have received a response to your message. Note that this draft may be deleted at any time if it unquestionably meets the speedy deletion criteria, or if an explanation posted to the talk page is found to be insufficient. Note to administrators: this page has content on its talk page which should be checked before deletion. Administrators: check links, talk, history (last), and logs before deletion. Consider checking Google. This page was last edited by Patnaim (contribs | logs) at 16:07, 1 June 2025 (UTC) (4 days ago)

Submission declined. If you would like to continue working on the submission, click on the "Edit" tab at the top of the window. If you have not resolved the issues listed above, your draft will be declined again and potentially deleted. If you need extra help, please ask us a question at the AfC Help Desk or get live help from experienced editors. Please do not remove reviewer comments or this notice until the submission is accepted. Where to get help If you need help editing or submitting your draft, please ask us a question at the AfC Help Desk or get live help from experienced editors. These venues are only for help with editing and the submission process, not to get reviews. If you need feedback on your draft, or if the review is taking a lot of time, you can try asking for help on the talk page of a relevant WikiProject. Some WikiProjects are more active than others so a speedy reply is not guaranteed. How to improve a draft Wikipedia:Contributing to Wikipedia – a basic overview on how to edit Wikipedia. Help:Wikitext – how to use the markup Help:Referencing for beginners – how to include references Wikipedia:Article development – how to develop your article Wikipedia:Writing better articles – how to improve your article Wikipedia:Verifiability – make sure your article includes reliable third-party sources You can also browse Wikipedia:Featured articles and Wikipedia:Good articles to find examples of Wikipedia's best writing on topics similar to your proposed article. Improving your odds of a speedy review To improve your odds of a faster review, tag your draft with relevant WikiProject tags using the button below. This will let reviewers know a new draft has been submitted in their area of interest. For instance, if you wrote about a female astronomer, you would want to add the Biography, Astronomy, and Women scientists tags. Add tags to your draft Editor resources Easy tools: Citation bot (help) | Advanced: Fix bare URLs The reviewer(s) who declined this submission will be listed in the page history. Last edited by Patnaim 4 days ago. Resubmit Please note that if the issues are not fixed, the draft will be declined again.

[[Category:AfC submissions by date/<0030Sun, 01 Jun 2025 11:04:00 +00002025611 2025-06-01T11:04:00+00:00Sundayam0000=error>EpSun, 01 Jun 2025 11:04:00 +0000UTC00000420256 UTCSun, 01 Jun 2025 11:04:00 +0000Sun, 01 Jun 2025 11:04:00 +00002025Sun, 01 Jun 2025 11:04:00 +0000: 17487758406Sun, 01 Jun 2025 11:04:00 +0000UTC2025-06-01T11:04:00+00:00202511604151UTC01 pu62025-06-01T11:04:00+00:0030uam300420256 2025-06-01T11:04:00+00:0011amSun, 01 Jun 2025 11:04:00 +0000am2025-06-01T11:04:00+00:0030UTCSun, 01 Jun 2025 11:04:00 +0000 &qu202530;:&qu202530;.</0030Sun, 01 Jun 2025 11:04:00 +00002025611>June 2025|Exposure-based modeling of operational risk]]

Exposure-based modeling refers to a class of quantitative approaches in which risk is represented as the occurrence of events affecting a defined population of exposed units — such as systems, employees, clients, or transactions. This modeling perspective has been discussed in a 2021 report published by ORX, a global operational risk association for financial institutions.^[1]

This approach is relevant to the field of operational risk in banking and insurance, where some traditional financial models may not explicitly incorporate the mechanisms through which losses arise.

In exposure-based models, a risk is typically characterized by:

• a population of exposed units (e.g., employees, clients, systems, suppliers),
• the probability that an adverse event affects a given unit,
• the impact or severity of that event.

This structure is consistent with some academic definitions of risk involving a peril, an object at risk, and its consequences. Such decompositions are common in domains such as insurance, engineering, and finance.^[2][3]

One implementation of this framework is the Exposure–Occurrence–Impact (XOI) method, which formalizes these components and supports quantitative simulation. The method has been applied in operational risk quantification and referenced in professional contexts, including initiatives by the American Bankers Association (ABA),^[4] industry surveys,^[5] and actuarial research recognized by the SCOR actuarial prize.^[6]

Academic literature across several disciplines — including engineering, insurance, sociology, and finance — often defines risk as involving three core elements:

• A peril, or uncertain event that may cause harm (e.g. an accident, system failure, or fraud);
• An object at risk, such as an asset, system, or other item exposed to this peril;
• The consequences of the event, typically expressed in terms of damage or loss to the object.

This three-part decomposition appears in various theoretical frameworks:

• In insurance, a loss exposure is defined as the combination of an asset at risk, a cause of loss (peril), and its financial consequence.^[7]

• In engineering and disaster risk management, Smolka identifies risk as comprising "the hazard, the vulnerability of objects exposed to [it], and the value of the exposed objects".^[8]

• In sociology, Rosa defines risk as "a situation or event where something of human value (including humans themselves) has been put at stake and where the outcome is uncertain".^[9]

• In the relational theory of risk, Boholm and Corvellec define risk as a relationship in which a "risk object" is perceived to threaten a valued "object at risk".^[10]

• In finance, Holton describes risk as "exposure to a proposition of which one is uncertain," highlighting the need for both a valued stake and uncertainty.^[11]

The Exposure–Occurrence–Impact (XOI) method is one implementation of this conceptual model. It applies a formal decomposition of risk into quantifiable components aligned with these theoretical foundations:

• a clearly defined object (exposure),
• the possibility of an adverse event (occurrence),
• and its consequences (impact).

The approach builds on the CPCU-based concept of vulnerability — understood as the conjunction of peril, object, and consequence — and translates it into a quantitative modeling structure.

The decomposition was first introduced in the book Risk Quantification: Management, Diagnosis and Hedging by Condamin, Louisot, and Naim,^[12] and later expanded in the context of enterprise risk management by Louisot and Ketcham.^[13]

The XOI method decomposes risk into three distinct, quantifiable components:

• eXposure (X): The number or list of objects that may be affected by an adverse event. These can be individually identified items (such as buildings, products, or processes), or countable units categorized by type (such as employees, transactions, or clients).

• Occurrence (O): A binary variable indicating whether the peril occurs for a given unit. The probability of occurrence can be estimated using statistical models (e.g., Poisson or binomial distributions), historical incident data, or expert input.

• Impact (I): The severity of consequences if an event occurs for a given object. Impact is typically expressed as a financial loss, which may include direct costs, asset damage, loss of revenue, or compensation payments.

In this framework, units of exposure are generally assumed to be independently subject to the risk event. In cases where this assumption does not hold — such as buildings located in close proximity and exposed to natural disasters — it may be appropriate to define the exposed unit at a more aggregated level (e.g., as a cluster or geographic zone).

The probability of occurrence and the severity of impact may vary depending on characteristics of the exposed unit and the surrounding circumstances. This conditionality enables models to account for heterogeneity in risk exposure and outcomes.

By separating these components, the XOI approach provides a structured framework for scenario-based modeling and facilitates quantitative analysis of risk.

This simple example considers the risk of supplier disruption affecting the operations of an organization.

In the XOI approach:

• The Exposure is defined by the list of key suppliers, structured into tiers (Tier 1, Tier 2, etc.) based on their criticality to the organization or the mitigation measures already in place.
• Each supplier tier is assigned:
  • A probability of disruption (Occurrence),
  • An Impact, calculated as the product of:
    • The estimated daily loss caused by the disruption,
    • The expected time to switch to an alternative supplier or internal solution.

All estimates can be provided as single values, ranges, or basic probability distributions.

This structure enables the aggregation of individual supplier risks into an overall risk profile. It also highlights how resilience actions — such as identifying backup suppliers in advance — can effectively reduce the risk.

The structure of an exposure-based model — particularly the conditional dependencies between variables such as units of exposure characteristics, event probability, and impact — can be effectively represented using a Bayesian network. This graphical approach makes the relationships between model components explicit and facilitates the encoding of expert knowledge, data-driven inference, and modular scenario design. Moreover, Bayesian networks support efficient simulation algorithms which can accelerate the estimation of loss distributions compared to naïve Monte Carlo methods. While the use of Bayesian networks is not a requirement of the XOI methodology, it provides a convenient and interpretable framework that is used for all subsequent examples in this article.

The XOI decomposition is conceptually consistent with the bowtie representation of risk, a visual model widely used in process safety and risk management. The bowtie model and its practical application to risk assessment are widely discussed in process safety literature, including the work of the Center for Chemical Process Safety (CCPS).^[14]

In the bowtie model, the starting point is the notion of a hazard, defined as a condition or activity with the potential to cause harm. It is not yet an event, but rather something that enables a risk to exist. For example, driving a car, storing explosives, or running an automated trading system are all considered hazards — they create situations where something could go wrong.

In the XOI approach, the component Exposure (X) plays a similar role: it represents the object or resource through which a risk can manifest. Without this resource, the risk does not exist. While hazard is typically defined as a dangerous condition or activity, and exposure refers more concretely to what is at risk, the two concepts are closely aligned.

This alignment makes the XOI model fully compatible with bowtie thinking, while extending it into quantitative analysis and scenario simulation.

Once the hazard is defined, the bowtie structure is split into two parts:

• The left side captures initiating threats and their paths to a central event (the “top event”),
• The right side describes the consequences that may follow once the top event occurs.

In the XOI framework:

• Occurrence (O) corresponds to the probability of the top event occurring, potentially as a result of causes or conditions,
• Impact (I) models the magnitude of consequences if the event occurs — corresponding to the right-hand side of the bowtie.

The XOI framework also provides a direct link to the main types of risk mitigation actions:

• Avoidance: acting on Exposure to eliminate or reduce it,
• Prevention: acting on the drivers of Occurrence to lower the probability of the event,
• Protection: acting on the drivers of Impact to reduce the consequences if the event occurs.

One improvement offered by the XOI approach is the ability to identify common drivers of both Occurrence and Impact. For example, in driving, speed increases both the likelihood and the severity of an accident. This type of relationship cannot be directly represented in a traditional bowtie diagram, as the Top Event structurally separates causes from consequences, making it difficult to model factors that simultaneously influence both.

The simulation procedure used in the XOI approach is based on a simple Monte Carlo method, which can be described as follows:

Repeat the following steps a large number of times S (e.g., 1 million simulations):

1. Sample the number of exposed units X from the probability distribution of the Exposure variable.
   1. When the exposure refers to a known list of named objects (e.g., buildings), the value of X is fixed.
   2. When it refers to countable populations (e.g., employees, clients, or transactions), X can be modeled as a random variable and sampled accordingly.
2. For each exposed unit (from 1 to X):
   1. Sample the binary Occurrence variable, which determines whether the unit experiences a loss, using a probability distribution that may be conditional on the unit's characteristics.
   2. If an occurrence is observed:
      1. Sample the Impact of the loss for that unit, using a distribution that may depend on the unit's characteristics, and on other circumstances.
3. Sum the impacts of all events which occurrend during the current simulation run to compute the total loss L_i.
4. Store the value of L_i; after many repetitions, the resulting set {L₁, L₂, ..., L_S} forms an empirical distribution of aggregate losses.

This simulation process provides a flexible way to estimate the loss distribution, even when closed-form expressions are not available.

In more advanced scenarios, dependencies may exist — for example, through common drivers of both Occurrence and Impact, or, more rarely, between Exposure and Occurrence (see the car driving example in the bowtie discussion above).

Operational risk is defined by the Basel Committee on Banking Supervision as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” This includes a wide range of events such as fraud, human error, system failures, and natural disasters.

In the banking sector, operational risk has been formally recognized since the introduction of the Basel II regulatory framework, and remains a key component of the risk management process under Basel III and Basel IV standards.

Banks are required to hold capital against operational risk as part of the Pillar 1 minimum capital requirements. Historically, this was calculated using approaches such as the Basic Indicator Approach (BIA), the Standardised Approach (SA), and the Advanced Measurement Approach (AMA). However, these have now been replaced by the revised Standardized Measurement Approach (SMA).

In addition to Pillar 1, banks must conduct an Internal Capital Adequacy Assessment Process (ICAAP), under Pillar 2, to assess whether their capital is adequate given their specific risk profile — including operational risks that may not be well captured by regulatory formulas.

Operational risk is also part of broader processes such as Risk appetite, risk taxonomy, and Scenario analysis, and is increasingly tied to strategic considerations and resilience frameworks.

The following sections describe how the XOI methodology can be applied to the modelling of operational risk in banking. These applications include the construction of structured risk taxonomies, the simulation of risk scenarios for capital and ICAAP purposes, and illustrative use cases such as trading errors and mis-selling events.

This approach is documented in more detail in the book Operational Risk Modelling in Financial Services (Wiley, 2020),^[15].

In the context of operational risk modeling, the XOI method can be used to structure risk identification around a two-dimensional matrix: a cross-tabulation of resources exposed and the events that may affect them. This approach supports a more intuitive and operationally relevant taxonomy of risks.

Operational risk is defined as the occurrence of an adverse event affecting a non-financial productive resource used by the bank in the course of its business. A risk, in this sense, only exists when there is a possible intersection between an event and a resource. This means that generic causes (e.g., economic pressure) or vague consequences (e.g., reputational damage) are excluded from the taxonomy unless they are linked to a clearly identified encounter between an event and an exposed resource.

The matrix-based taxonomy is constructed by identifying:

• Resources: productive, non-financial elements involved in the bank's operations, such as systems, data, premises, clients, or personnel;
• Events: well-defined operational incidents such as errors, fraud, service disruptions, or cyberattacks.

Each cell in the matrix represents a risk scenario: the possibility that a given event impacts a particular resource. While the matrix is presented at a high level, the actual implementation is more granular (considering risks such as "Hacktivists Cyber Attack on Critical Bank Service").

Exposure-based Taxonomy: Resource × Event

Resource / Event	Accident	Attack	Disruption	Error	Fraud	Legal	Conduct
Persons	✔	✔	✔		✔	✔	✔
Third Parties		✔	✔		✔	✔
Material Assets	✔	✔	✔	✔
Intangible Assets		✔	✔	✔
Banking Activities				✔		✔	✔

The XOI approach shares structural similarities with the modelling frameworks used for credit risk and market risk, both of which are quantified under regulatory capital frameworks.

In credit risk modelling, the basic structure often involves:

• an exposure, such as a loan or credit facility,
• an event of default, corresponding to a counterparty’s failure to meet obligations,
• and an impact, typically measured as the Loss given default (LGD).

Similarly, market risk models rely on:

• a portfolio of exposures to market instruments (e.g., equities, interest rates, currencies),
• fluctuations in market prices or volatility as the triggering events,
• and the financial impact resulting from these variations.

The XOI model follows a comparable triplet:

• an exposed resource, which enables the risk to manifest,
• an occurrence, reflecting the realization of an adverse event,
• and the associated impact.

However, there is a key conceptual distinction. In credit and market risk, the resources at stake are financial assets — loans, investments, or capital — which directly relate to the financial function of the bank. In contrast, operational risk — as captured by the XOI approach — typically involves **non-financial resources**, such as employees, processes, systems, or physical infrastructure.

This distinction offers an explanatory perspective on the increasingly common term Non-financial risk, often used interchangeably with operational risk in banking literature. While the consequences of operational risk events are clearly financial (losses, fines, remediation costs), the risks themselves stem from the disruption or failure of non-financial resources. In this sense, the label “non-financial” does not refer to the absence of financial impact, but to the **nature of the underlying resources and mechanisms** involved.

The XOI methodology can be used for the modelling of high-severity, low-frequency risks, which are often addressed through scenario analysis in the context of operational risk management. These risks are typically identified as part of a bank's Internal Capital Adequacy Assessment Process (ICAAP) (ICAAP), its Risk appetite framework, or its resilience planning.

In the XOI approach, each scenario corresponds to a specific combination of:

• a well-defined resource (or asset) exposed to the risk,
• a specific type of adverse event (peril),
• and a mechanism to estimate the impact should that event occur.

The Exposure-Based Taxonomy introduced earlier provides a high-level view of the possible intersections between resources and perils. However, actual scenarios are developed using more granular definitions of resources and events. Each cell of the matrix may lead to one or several distinct scenarios, depending on the bank's exposure profile.

For instance:

• A trading error scenario lies at the intersection of Banking Activities (as the exposed resource) and Error (as the peril). However, the actual modelling involves more specific elements, such as manual input mistakes in trading systems, or human execution errors in capital markets transactions.
• A mis-selling scenario lies at the intersection of Banking Activities and Conduct. In this case, the resource at risk is not the client, but the financial product itself. The XOI perspective considers the product as the vehicle through which the risk materializes. For example, in the widely documented Payment Protection Insurance mis-selling scandal in the UK, it was not individual clients who were independently exposed, but the product line as a whole, due to systemic flaws in its marketing and distribution.

In both cases, the scenario is defined by identifying:

• the relevant unit of exposure (e.g., number of transactions, products sold, or traders involved),
• the occurrence probability, often informed by expert judgment, historical incidents, or benchmarking,
• and the estimated impact, broken down into direct losses, remediation costs, and reputational or strategic effects.

This structured decomposition enables Monte Carlo simulation or other quantitative techniques to produce loss distributions, which can then be used for capital modelling, stress testing, or discussions on risk tolerance.

A trading error scenario typically involves a manual input mistake during the execution of financial market transactions. In the XOI framework:

• The Exposure is defined as the number of trades involving manual input, which may be estimated from trade records or mapped control processes.
• The Occurrence refers to the probability of an input error, such as entering a sell order instead of a buy order, or vice versa. The occurrence rate is generally low but may vary depending on business line, product complexity, and control environment.
• The Impact is defined as the cost incurred in reversing the erroneous trade and executing the correct one, after the error has been detected. This cost depends on:
  • the monetary size of the order,
  • the daily price variation of the asset (sampled from a distribution of historical returns),
  • the number of days between the error and its correction.

A simplified formulation of the impact is:

${\displaystyle {\text{Impact}}=2\times {\text{Order amount}}\times {\text{Daily price variation}}\times {\sqrt {\text{Days until correction}}}}$

The factor 2 reflects the need to unwind the incorrect position and re-enter the intended one, both potentially at adverse market prices.

This structure enables the simulation of cumulative losses from trading errors across a large number of manually entered trades, using Monte Carlo techniques or other quantitative methods.

In the example model above, both the probability of error and the distribution of traded amounts are conditioned on the relevant business unit — which may correspond to a legal entity or a trading desk.

It is worth noting that this model can also produce operational gains when the market moves in a favorable direction between the error and its correction. To reflect a conservative risk assessment, such gains are typically excluded by applying a function such as:

${\displaystyle {\text{Impact}}=\max(0,{\text{Calculated impact}})}$

This ensures that only potential losses are retained in the simulation.

Finally, volatility stress testing is straightforward in this framework: it can be conducted by increasing the standard deviation of the Daily Market Change distribution used in the model.

A mis-selling scenario refers to the marketing or distribution of financial products in a manner that is misleading, lacks transparency, or fails to meet suitability standards — potentially triggering regulatory sanctions, remediation programs, and reputational damage.

In the XOI framework:

• The Exposure is defined as the number of distinct products marketed by the institution. Examples include payment protection insurance (PPI), mobile phone insurance, or specific investment vehicles. Each product is considered an exposure unit because it may independently be subject to governance or disclosure issues that give rise to systemic mis-selling.

• The Occurrence corresponds to the identification of a product as having been sold under misleading, non-compliant, or otherwise flawed conditions. This is a systemic event: when a product is affected, it typically implies a widespread issue over a population of clients and a period of time. The probability of such an occurrence can depend on the product type, internal controls, or past history with similar offerings.

• The Impact is estimated as a fraction of the revenue generated by the product during the mis-selling period, typically multiplied by the duration of the flawed sales practices. In addition to refunds or compensation to customers, one may also consider:
  • Legal and regulatory costs,
  • Potential fines or penalties,
  • Operational costs related to review and remediation efforts.

In the model represented in the diagram above, each product is modeled as a unit of exposure. Conditional on the occurrence of a mis-selling issue, the impact is calculated using the formula:

Impact = Revenue × Complaint Rate × Duration

The use of revenue rather than individual customer data enables a high-level estimation, especially useful for early quantification exercises or macro-level scenario planning.

This model structure is consistent with large-scale events such as the UK Payment protection insurance (PPI) scandal, where the flawed design and sales practices of a single product led to systemic remediation costs across a wide client base.

• Scenario analysis
• Bow-tie diagram
• Non-financial risk
• Factor Analysis of Information Risk (FAIR)
• ORX – Exploring Exposure Based Methodologies