Draft:Exposure-based modeling of operational risk
Introduction
Exposure-based modeling refers to a class of quantitative risk modeling approaches in which risk is represented as the potential occurrence of adverse events affecting a defined set of exposed units — such as systems, employees, clients, or transactions. The structure typically involves three core components: the population of exposed units, the probability that an event affects each unit, and the impact if such an event occurs. This framework aligns with academic definitions of risk involving a peril, an object at risk, and the associated consequences.[1][2]
Early developments explored structured expert judgment as an alternative to traditional loss data–based methods, particularly using Bayesian networks as the underlying formalism.[3][4] These approaches primarily focused on causal analysis, without explicitly identifying exposure as a separate modeling dimension.
In 2010, the SCOR Prize in actuarial science recognized research introducing the concept of exposure for modeling operational risk in the insurance sector.[5] In 2018, Einemann et al. proposed the EBOR (Exposure-Based Operational Risk) framework in a Deutsche Bank Risk Methodology paper, integrating exposures, drivers, and losses into coherent probabilistic structures.[6]
In 2020, the American Bankers Association (ABA) developed a cyber risk quantification methodology based on an exposure-based structure, known as the XOI approach, and was awarded the "Industry Initiative of the Year" by Risk.net for this work.[7] In 2021, the Operational Riskdata eXchange Association (ORX) published a report highlighting exposure-based modeling as a promising avenue for scenario design in contexts such as pandemic risk and key supplier failures.[8]
The Exposure–Occurrence–Impact (XOI) framework is one of the documented implementations of exposure-based risk quantification. It formally separates the definition of exposure units, the conditional probability of adverse events, and their impacts, thereby enabling structured scenario simulation and transparent risk analysis.[9]
While the exposure-based paradigm remains less widespread than traditional frequency–severity approaches, it continues to gain traction as an alternative for scenario design, taxonomy building, and the quantification of non-financial risk in the banking and insurance sectors.
Background: the triplet definition of risk
Academic literature across several disciplines — including engineering, insurance, sociology, and finance — often defines risk as involving three core elements:
- A peril, or uncertain event that may cause harm (e.g. an accident, system failure, or fraud);
- An object at risk, such as an asset, system, or other item exposed to this peril;
- The consequences of the event, typically expressed in terms of damage or loss to the object.
This three-part decomposition appears in various theoretical frameworks:
- In insurance, a loss exposure is defined as the combination of an asset at risk, a cause of loss (peril), and its financial consequence.[10]
- In engineering and disaster risk management, Smolka identifies risk as comprising "the hazard, the vulnerability of objects exposed to [it], and the value of the exposed objects".[11]
- In sociology, Rosa defines risk as "a situation or event where something of human value (including humans themselves) has been put at stake and where the outcome is uncertain".[12]
- In the relational theory of risk, Boholm and Corvellec define risk as a relationship in which a "risk object" is perceived to threaten a valued "object at risk".[13]
- In finance, Holton describes risk as "exposure to a proposition of which one is uncertain," highlighting the need for both a valued stake and uncertainty.[14]
The Exposure–Occurrence–Impact (XOI) method is one implementation of this conceptual model. It applies a formal decomposition of risk into quantifiable components aligned with these theoretical foundations:
- a clearly defined object (exposure),
- the possibility of an adverse event (occurrence),
- and its consequences (impact).
The approach builds on the CPCU-based concept of vulnerability — understood as the conjunction of peril, object, and consequence — and translates it into a quantitative modeling structure.
The decomposition was first introduced in the book Risk Quantification: Management, Diagnosis and Hedging by Condamin, Louisot, and Naim,[15] and later expanded in the context of enterprise risk management by Louisot and Ketcham.[16]
Description of the XOI method
Definition of components
The XOI method decomposes risk into three distinct, quantifiable components:
- eXposure (X): The number or list of objects that may be affected by an adverse event. These can be individually identified items (such as buildings, products, or processes), or countable units categorized by type (such as employees, transactions, or clients).
- Occurrence (O): A binary variable indicating whether the peril occurs for a given unit, i.e. a Bernoulli trial with a probability that may be specific to the unit. Across the whole exposure, the number of affected units then follows a binomial distribution, which is well approximated by a Poisson distribution when the per-unit probability is small and the exposure large. The probability of occurrence can be estimated from historical incident data, statistical models, or expert input.
- Impact (I): The severity of consequences if an event occurs for a given object. Impact is typically expressed as a financial loss, which may include direct costs, asset damage, loss of revenue, or compensation payments.
In this framework, units of exposure are generally assumed to be independently subject to the risk event. In cases where this assumption does not hold — such as buildings located in close proximity and exposed to natural disasters — it may be appropriate to define the exposed unit at a more aggregated level (e.g., as a cluster or geographic zone).
The probability of occurrence and the severity of impact may vary depending on characteristics of the exposed unit and the surrounding circumstances. This conditionality enables models to account for heterogeneity in risk exposure and outcomes.
By separating these components, the XOI approach provides a structured framework for scenario-based modeling and facilitates quantitative analysis of risk.
Illustrative example
A simple example of exposure-based modeling involves the risk of supplier disruption affecting an organization's operations.
In the XOI framework:
- The Exposure is defined as the list of key suppliers, typically grouped into tiers (e.g., Tier 1, Tier 2) based on their criticality or the mitigation strategies in place.
- Each tier is associated with:
- A probability of disruption (Occurrence),
- An estimated Impact, calculated as the product of:
- The average daily loss resulting from the disruption,
- The expected time required to switch to an alternative supplier or internal substitute.
Estimates for these parameters can be specified as point values, ranges, or probability distributions, depending on data availability.
This structure enables the aggregation of individual supplier risks into an overall loss distribution. It also highlights how resilience strategies—such as the identification of backup suppliers—can help reduce the likelihood or severity of losses.

The structure of an exposure-based model—particularly the conditional relationships between characteristics of the exposure units, event probability, and impact—can be represented using a Bayesian network. This graphical modeling approach makes dependencies explicit, supports the integration of expert knowledge and empirical data, and enables modular scenario construction. Bayesian networks also allow for efficient simulation techniques, which may improve performance compared to basic Monte Carlo simulations.
Although the XOI methodology does not require a specific modeling tool, the use of Bayesian networks offers a flexible and interpretable structure. For this reason, the examples presented in subsequent sections are illustrated using this format.
Consistency with the Bowtie representation
The XOI decomposition is conceptually consistent with the bowtie model of risk, a visual framework commonly used in process safety and industrial risk management.[17]
In the bowtie model, risk is represented as a structure connecting a central event (the "top event") to its potential causes (on the left) and consequences (on the right). The model begins with a hazard, defined as a condition or activity with the potential to cause harm. Examples of hazards include operating a vehicle, storing hazardous materials, or running automated trading systems.
In the XOI approach, the component Exposure (X) plays a conceptually similar role: it refers to the object or condition that allows the risk to materialize. While "hazard" is typically defined in terms of dangerous potential, and "exposure" refers to the at-risk resource or system, both serve as entry points for risk.
Once the hazard is defined, the bowtie diagram separates the risk pathway into:
- The left-hand side: identifying initiating threats and conditions that could lead to the central event,
- The right-hand side: describing the possible consequences if that event occurs.
In this structure:
- Occurrence (O) in the XOI model corresponds to the probability of the central event happening,
- Impact (I) reflects the severity of the consequences — aligned with the bowtie’s right-hand side.

The XOI framework also allows for mapping risk control measures onto this structure, with the following correspondences:
- Avoidance: acts on Exposure, aiming to eliminate or reduce the presence of the risk-enabling resource,
- Prevention: targets the probability of Occurrence, addressing root causes or vulnerabilities,
- Protection: seeks to mitigate Impact through containment, backup systems, or insurance.
In addition, the XOI model supports the explicit representation of variables that influence both the likelihood and severity of an event. For instance, vehicle speed can simultaneously increase the probability of an accident and the resulting damage. This type of dual influence is more difficult to model in a standard bowtie diagram, which structurally separates causes and consequences. The XOI framework accommodates such dependencies more readily, particularly when implemented via probabilistic graphical models.
Simulation algorithm
The simulation procedure used in the XOI approach is a plain Monte Carlo method, which can be described as follows:
Repeat the following steps a large number of times S (e.g., one million runs):
- Sample the number of exposed units X from the probability distribution of the Exposure variable.
  - When the exposure refers to a known list of named objects (e.g., buildings), the value of X is fixed.
  - When it refers to a countable population (e.g., employees, clients, or transactions), X can be modelled as a random variable and sampled accordingly.
- For each exposed unit i = 1, ..., X:
  - Sample the binary Occurrence variable, which determines whether the unit experiences a loss, from a Bernoulli distribution whose probability may be conditional on the unit's characteristics.
  - If an occurrence is observed, sample the Impact of the loss for that unit from a distribution that may depend on the unit's characteristics and on other circumstances.
- Sum the impacts of all events that occurred during the current run to obtain the total loss L_s.
- Store L_s; after S repetitions, the set {L_1, L_2, ..., L_S} forms an empirical distribution of aggregate losses, from which the expected loss and high quantiles (e.g., a value-at-risk at a chosen confidence level) can be read directly.
In more complex models, dependencies may exist between variables. For example, a common driver may affect both the probability of occurrence and the severity of impact. In some cases, the level of exposure itself may influence the likelihood of events, as in situations involving system overload or crowding effects.
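The following Python program is an added example for this article; it is not code from the page, from the XOI book, from ORX or from any vendor. It implements the simulation algorithm just described on the supplier-disruption scenario from the illustrative example (a fixed list of key suppliers grouped into tiers, Bernoulli occurrence per supplier, impact = average daily loss times switching time) and adds one common driver, here an assumed "sector stress" state, that raises both the disruption probability and the switching time in the same run. All tier parameters, the triangular switching-time distribution and the stress factors are constructed for illustration.

```python
"""Exposure-Occurrence-Impact (XOI) Monte Carlo for the supplier-disruption
scenario, with a common driver acting on both O and I.  Added example; not
code from the page, the XOI book, ORX or any vendor.  Every parameter value
below is constructed for illustration (assumed), not real supplier data."""
import random
import statistics
from dataclasses import dataclass


@dataclass(frozen=True)
class Tier:
    """Characteristics of an exposure unit on which O and I are conditioned."""
    p_disruption: float       # annual probability that one supplier is disrupted
    daily_loss: float         # average daily loss while the supplier is unavailable
    switch_days: tuple        # (min, mode, max) days to switch to a substitute


# Assumed tier parameters: Tier 1 has no qualified backup, Tier 2 has one.
TIERS = {
    "Tier 1": Tier(p_disruption=0.05, daily_loss=50_000.0, switch_days=(20, 45, 90)),
    "Tier 2": Tier(p_disruption=0.08, daily_loss=5_000.0, switch_days=(2, 5, 15)),
}
# Exposure: a named list of key suppliers per tier, so X is fixed, not sampled.
EXPOSURE = {"Tier 1": 4, "Tier 2": 20}
# Assumed common driver: in a stressed run the disruption probability doubles
# and switching takes 50% longer, so one variable moves both O and I.
STRESS_PROB, STRESS_P_FACTOR, STRESS_DAYS_FACTOR = 0.10, 2.0, 1.5


def sample_impact(rng, tier, stress):
    """I = average daily loss x time to switch (triangular distribution, assumed)."""
    lo, mode, hi = tier.switch_days
    days = rng.triangular(lo, hi, mode) * (STRESS_DAYS_FACTOR if stress else 1.0)
    return tier.daily_loss * days


def simulate_run(rng, exposure, tiers, stress_prob):
    """One run: draw the driver, then O (Bernoulli) and I for each exposed unit."""
    stress = rng.random() < stress_prob
    total = 0.0
    for tier_name, count in exposure.items():
        tier = tiers[tier_name]
        p = min(1.0, tier.p_disruption * (STRESS_P_FACTOR if stress else 1.0))
        for _ in range(count):                 # units independent given the driver
            if rng.random() < p:               # Occurrence
                total += sample_impact(rng, tier, stress)   # Impact
    return total


def simulate(exposure=EXPOSURE, tiers=TIERS, runs=20_000, seed=1, stress_prob=STRESS_PROB):
    """Return the sorted empirical aggregate-loss distribution {L_1, ..., L_S}."""
    rng = random.Random(seed)
    return sorted(simulate_run(rng, exposure, tiers, stress_prob) for _ in range(runs))


def summarize(losses, quantile=0.99):
    """Expected loss, probability of a loss-free year and a high quantile (VaR-style)."""
    n = len(losses)
    return {
        "expected_loss": statistics.fmean(losses),
        "p_no_loss": sum(1 for loss in losses if loss == 0.0) / n,
        f"q{quantile}": losses[min(n - 1, int(quantile * n))],
    }


def analytic_expected_loss(exposure=EXPOSURE, tiers=TIERS):
    """Closed-form E[L] with the driver switched off, to cross-check the simulation:
    sum over tiers of count x p x daily loss x mean switching time (triangular mean)."""
    return sum(
        count * tiers[name].p_disruption * tiers[name].daily_loss * sum(tiers[name].switch_days) / 3.0
        for name, count in exposure.items()
    )


if __name__ == "__main__":
    base = summarize(simulate())
    # Protection on the bowtie acts on I only: a qualified backup for Tier 1
    # shortens the outage without changing the disruption probability.
    backed_up = {**TIERS, "Tier 1": Tier(0.05, 50_000.0, (5, 10, 20))}
    mitigated = summarize(simulate(tiers=backed_up))
    print("baseline :", {k: round(v, 3) for k, v in base.items()})
    print("with backup for Tier 1:", {k: round(v, 3) for k, v in mitigated.items()})
```

Because the exposure is a named list, X is a constant in every run; to model a countable population instead, replace the fixed counts with a draw (e.g. a Poisson) at the top of `simulate_run`. The closed form in `analytic_expected_loss` holds only when the driver is off, which is the point of the check: with the common driver on, occurrence and impact are no longer independent and the expected loss is no longer a simple product of means.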
Application to operational risk in banking
Overview of Operational Risk in Banking
Operational risk is defined by the Basel Committee on Banking Supervision as “the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.” This includes a wide range of events such as fraud, human error, system failures, and natural disasters.
In the banking sector, operational risk has been formally recognized since the introduction of the Basel II regulatory framework, and remains a key component of the risk management process under Basel III and Basel IV standards.
Banks are required to hold capital against operational risk as part of the Pillar 1 minimum capital requirements. Historically, this was calculated using the Basic Indicator Approach (BIA), the Standardised Approach (SA) or the Advanced Measurement Approach (AMA). Under the finalised Basel III framework these are replaced by a single revised standardised approach, commonly referred to as the Standardised Measurement Approach (SMA), which combines a business-indicator component with an internal loss multiplier.
In addition to Pillar 1, banks must conduct an Internal Capital Adequacy Assessment Process (ICAAP), under Pillar 2, to assess whether their capital is adequate given their specific risk profile — including operational risks that may not be well captured by regulatory formulas.
Operational risk is also part of broader processes such as risk appetite, risk taxonomy, and scenario analysis, and is increasingly tied to strategic considerations and resilience frameworks.
The XOI methodology can be used to support the design of a risk taxonomy and the construction of quantifiable scenarios, which are reviewed in the following sections.[18]
Exposure-Based Taxonomy
In the XOI approach, the exposed resource is the element that enables the risk to manifest — it is the necessary condition for the risk to exist. This does not mean that other resources cannot be affected when the event occurs.
A useful way to understand this notion is to say: “Without this resource, the risk cannot exist.”
- Without employees, there is no risk of internal fraud.
- Without buildings, there is no exposure to natural disasters.
The exposed resource therefore acts as the “entry point” for the risk.
However, once the event occurs, its consequences may extend to other resources. For example, a natural disaster may initially affect a building, but the overall impact could also involve people working there and the services delivered from that location. Additional losses may include relocation costs or business interruption.
In the context of operational risk modeling, the XOI method can be used to support the construction of a two-dimensional taxonomy based on the intersection of exposed resources and potential adverse events. This approach offers a structured and operationally relevant way to organize risk scenarios.
Operational risk is viewed here as the occurrence of an adverse event impacting a non-financial productive resource used in banking operations. In this framework, a risk scenario is defined only when there is a potential intersection between a specific event and a clearly identified exposed resource. Broad drivers such as economic pressure or generic consequences such as reputational impact are excluded unless tied to a defined encounter between an event and a resource.
The taxonomy is built by identifying:
- Resources: productive, non-financial components of the organization, including systems, data, premises, clients, and personnel;
- Events: specific types of operational incidents such as errors, fraud, service disruptions, or cyberattacks.
Each cell in the matrix represents a risk scenario: the possibility that a given event impacts a particular resource. While the matrix is presented at a high level, the actual implementation is more granular (considering risks such as "Hacktivists Cyber Attack on Critical Bank Service").
Resource / Event | Accident | Attack | Disruption | Error | Fraud | Legal | Conduct |
---|---|---|---|---|---|---|---|
Persons | ✔ | ✔ | ✔ | ✔ | ✔ | ✔ | |
Third Parties | ✔ | ✔ | ✔ | ✔ | |||
Material Assets | ✔ | ✔ | ✔ | ✔ | |||
Intangible Assets | ✔ | ✔ | ✔ | ||||
Banking Activities | ✔ | ✔ | ✔ |
A Parallel with Credit and Market Risk
The XOI approach shares structural similarities with the modeling frameworks used for credit risk and market risk, both of which are addressed under regulatory capital requirements.
In credit risk modeling, the typical framework involves:
- an exposure (e.g., a loan or credit facility),
- a default event, such as a counterparty's failure to meet contractual obligations,
- and an impact, often measured through Loss given default (LGD).
In market risk modeling, the structure includes:
- a portfolio of exposures to market variables (e.g., equities, interest rates, currencies),
- price fluctuations or volatility as the triggering mechanisms,
- and a resulting impact in the form of gains or losses on positions.
The XOI approach adopts a comparable tripartite structure:
- an exposed resource, enabling the risk to materialize,
- an occurrence, representing the realization of an adverse event,
- and the resulting impact associated with that event.
A key distinction lies in the nature of the exposures. In credit and market risk, exposures consist of financial assets — such as loans, investments, or trading positions — which directly reflect the financial activity of the institution. In contrast, operational risk, as modeled in the XOI framework, involves non-financial resources, including employees, systems, processes, or infrastructure.
This distinction helps clarify the rationale behind the term Non-financial risk, used in regulatory and industry discourse. While operational risk events often lead to financial consequences (e.g., losses, fines, remediation costs), they originate from disruptions or failures affecting non-financial elements. In this context, the term “non-financial” refers not to the absence of financial consequences, but to the nature of the resources through which the risk is expressed.
Scenario-based Quantification of Major Risks
The XOI methodology can be applied to the modeling of high-severity, low-frequency risks, which are commonly addressed through scenario analysis in the context of operational risk management. These risks are typically identified as part of a bank's Internal Capital Adequacy Assessment Process (ICAAP), its risk appetite framework, or broader resilience planning initiatives.
In the XOI approach, each scenario corresponds to a specific combination of:
- a defined resource (or asset) exposed to the risk,
- a particular type of adverse event (or peril),
- and a method for estimating the impact if the event occurs.
The exposure-based taxonomy introduced earlier provides a high-level view of potential intersections between resources and perils. However, actual scenarios are constructed using more granular definitions. Each cell in the taxonomy may correspond to one or more concrete scenarios, depending on the institution's operational profile.
For example:
- A trading error scenario lies at the intersection of Banking Activities (as the exposed resource) and Error (as the peril). Its modeling typically involves specific elements such as manual input mistakes in trading systems or execution errors in financial markets.
- A mis-selling scenario lies at the intersection of Banking Activities and Conduct. In this case, the resource at risk is not the client, but the financial product itself. The XOI perspective treats the product as the medium through which risk materializes. For instance, during the Payment Protection Insurance (PPI) mis-selling scandal in the UK, the exposure stemmed from systemic flaws in product design and distribution rather than from client behavior.
Each scenario is structured by specifying:
- the relevant unit of exposure (e.g., number of transactions, traders, or products sold),
- the estimated probability of occurrence, informed by internal data, expert input, or external benchmarks,
- and the expected impact, which may include direct financial losses, remediation costs, and indirect consequences such as reputational or strategic effects.
This decomposition enables the use of Monte Carlo simulations or other quantitative techniques to generate loss distributions, which can inform capital adequacy, stress testing, and risk appetite discussions.
Practical Examples
Trading Error
A trading error scenario typically involves a manual input mistake during the execution of financial market transactions. In the XOI framework:
- The Exposure is defined as the number of trades involving manual input, which may be estimated from trading records or mapped control processes.
- The Occurrence refers to the probability of an input error, such as entering a sell order instead of a buy order, or vice versa. The occurrence rate is generally low but may vary depending on the business line, product complexity, and control environment.
- The Impact corresponds to the cost incurred in reversing the erroneous trade and executing the correct one after detection. This cost depends on:
- the monetary size of the order,
- the daily price variation of the asset (sampled from a distribution of historical returns),
- the number of days between the error and its correction.
A simplified formulation of the impact is:
The factor 2 reflects the need to unwind the incorrect position and re-enter the intended one, both potentially at unfavorable market prices.
This structure enables the simulation of cumulative losses from trading errors across a large number of manually entered trades, using Monte Carlo techniques or similar methods.

In the example model, both the probability of error and the distribution of traded amounts are conditioned on the relevant business unit, which may correspond to a legal entity or a trading desk.
It is also worth noting that this model can theoretically produce operational gains if the market moves in a favorable direction between the error and its correction. To ensure a conservative risk estimate, such gains are typically excluded by applying a function such as:
Volatility stress testing can be performed by modifying the standard deviation of the Daily Market Change distribution used in the simulation.
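The program below is an added example for this scenario; it is not the page's, the XOI book's or any bank's code. Because the page does not show the impact formula itself, the formulation used here is an assumption consistent with the text: Impact = 2 x order size x cumulative market move against the erroneous position between the error and its correction, floored at zero so a favourable move never books an operational gain. Daily market changes are assumed normal with mean zero, order sizes lognormal per business unit, and the number of errors per unit is drawn from the Poisson approximation to the binomial rather than one Bernoulli per trade. The business-unit parameters are constructed for illustration; the volatility stress test is performed, as the text describes, by changing the standard deviation of the daily change.

```python
"""Trading-error scenario in XOI form: a Monte Carlo over manually entered trades.
Added example for this article; not code from the page, the XOI book or any bank.
Assumptions (not on the page):
    Impact = 2 x order size x adverse cumulative market move until correction,
floored at zero so a favourable move never books a gain; daily changes are
normal with mean zero; order sizes are lognormal per business unit.
All parameter values below are constructed for illustration."""
import math
import random
import statistics

# Constructed per-business-unit parameters (assumed): manual trades per year (X),
# probability of an input error per trade (O), and the order-size distribution (I).
UNITS = {
    "FX desk":    {"trades": 20_000, "p_error": 1e-4, "size_median": 2e6, "size_sigma": 1.0},
    "Rates desk": {"trades": 5_000,  "p_error": 3e-4, "size_median": 1e7, "size_sigma": 0.8},
}
MAX_DAYS_TO_CORRECT = 5   # error detected and corrected within 1..5 trading days (assumed)


def poisson(rng, lam):
    """Knuth's sampler.  The number of errors among n trades is Binomial(n, p);
    with p small and n large it is well approximated by Poisson(n p), which
    avoids drawing one Bernoulli per trade."""
    limit, k, prod = math.exp(-lam), 0, 1.0
    while True:
        prod *= rng.random()
        if prod < limit:
            return k
        k += 1


def trade_error_impact(order_size, move, conservative=True):
    """Cost of unwinding the wrong leg and re-entering the intended one.
    `move` is the cumulative market change with the sign convention
    positive = against the erroneous position; the factor 2 covers both legs.
    With conservative=True a favourable (negative) move is floored to zero."""
    raw = 2.0 * order_size * move
    return max(0.0, raw) if conservative else raw


def simulate_run(rng, daily_sigma, conservative=True):
    """One XOI run: Poisson number of errors per unit, then Impact per error."""
    total = 0.0
    for unit in UNITS.values():
        n_errors = poisson(rng, unit["trades"] * unit["p_error"])
        for _ in range(n_errors):
            size = rng.lognormvariate(math.log(unit["size_median"]), unit["size_sigma"])
            days = rng.randint(1, MAX_DAYS_TO_CORRECT)
            move = sum(rng.gauss(0.0, daily_sigma) for _ in range(days))
            total += trade_error_impact(size, move, conservative)
    return total


def simulate(runs=20_000, seed=1, daily_sigma=0.01, conservative=True):
    """Empirical loss distribution {L_1..L_S}; returns (expected loss, 99.9% quantile)."""
    rng = random.Random(seed)
    losses = sorted(simulate_run(rng, daily_sigma, conservative) for _ in range(runs))
    q = losses[min(len(losses) - 1, int(0.999 * runs))]
    return statistics.fmean(losses), q


def analytic_expected_loss(daily_sigma=0.01):
    """Closed form for the conservative model, to sanity-check the simulation:
    E[L] = sum_u n_u p_u x 2 x E[size_u] x E[max(0, move)], with
    E[size] = median x exp(sigma^2 / 2) and
    E[max(0, move)] = daily_sigma x E[sqrt(days)] / sqrt(2 pi)."""
    e_sqrt_days = statistics.fmean(math.sqrt(d) for d in range(1, MAX_DAYS_TO_CORRECT + 1))
    e_adverse = daily_sigma * e_sqrt_days / math.sqrt(2 * math.pi)
    return sum(
        u["trades"] * u["p_error"] * 2.0 * u["size_median"] * math.exp(u["size_sigma"] ** 2 / 2) * e_adverse
        for u in UNITS.values()
    )


if __name__ == "__main__":
    base_mean, base_q = simulate()
    stressed_mean, stressed_q = simulate(daily_sigma=0.02)   # volatility stress test
    print(f"expected loss {base_mean:,.0f} (analytic {analytic_expected_loss():,.0f}), "
          f"99.9% quantile {base_q:,.0f}")
    print(f"daily volatility doubled: {stressed_mean:,.0f} / {stressed_q:,.0f}")
```

Two things are worth noticing when running it. First, under the assumed normal market moves the expected loss is exactly linear in the daily volatility, so doubling the standard deviation doubles every simulated loss; a heavier-tailed return distribution sampled from historical data would not behave so neatly, which is precisely why the text suggests sampling returns from history. Second, setting `conservative=False` lets favourable moves offset losses and pulls the mean towards zero, which understates the capital needed and is why such gains are excluded.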
Conduct Risk / Mis-selling
A mis-selling scenario refers to the marketing or distribution of financial products in a manner that is misleading, lacks transparency, or fails to meet suitability standards — potentially triggering regulatory sanctions, remediation programs, and reputational damage.
In the XOI framework:
- The Exposure is defined as the number of distinct financial products offered by the institution. Examples may include payment protection insurance (PPI), mobile phone insurance, or specific investment vehicles. Each product is treated as a unit of exposure, since it may independently present governance or disclosure weaknesses that can result in systemic mis-selling.
- The Occurrence corresponds to the identification of a product as having been marketed under flawed, non-compliant, or misleading conditions. This is typically treated as a systemic event: if a product is affected, the issue often spans many customers and sales over time. The probability of such an occurrence can depend on the product type, sales practices, internal controls, and regulatory environment.
- The Impact is estimated as a fraction of the revenue generated by the product over the mis-selling period. In addition to direct customer compensation, it may include:
- Legal and regulatory costs,
- Fines or penalties,
- Operational expenses related to review and remediation.

In this model, each product is a unit of exposure. If a product is affected, its impact is computed as described above: a fraction of the product's revenue over the mis-selling period returned as customer compensation, plus the associated legal, regulatory and remediation costs.
This structure is consistent with large-scale conduct risk events such as the UK Payment Protection Insurance (PPI) scandal, in which systemic flaws in the product design and sales process led to widespread redress across a broad customer base.
See also
- Scenario analysis
- Bow-tie diagram
- Non-financial risk
- Factor Analysis of Information Risk (FAIR)
- ORX – Exploring Exposure Based Methodologies
- ^ Smolka, A. (2006). "Natural disasters and the challenge of extreme events: Risk management from an insurance perspective." European Review, 14(1), 19–36.
- ^ Holton, G. A. (2004). "Defining Risk." Financial Analysts Journal, 60(6), 19–25.
- ^ Alexander, C. (2003). Operational Risk: Regulation, Analysis and Management. FT Press.
- ^ Cruz, M. G. (2002). Modeling, Measuring and Hedging Operational Risk. Wiley.
- ^ "Prix SCOR de l'actuariat 2010". scor.com. Retrieved 2025-06-02.
- ^ Einemann, A.; Fritscher, A.; Kalkbrener, M. (2018). "EBOR: A Model for Operational Risk with Causal Loss Dependencies". Deutsche Bank Risk Methodology. Retrieved 2025-06-02.
- ^ "Industry Initiative of the Year – ABA and MSTAR". Risk.net. 2020. Retrieved 2025-06-02.
- ^ ORX (2021). Exploring Risk Exposure Methodologies
- ^ Condamin, L.; Naim, P. (2020). Operational Risk Modelling in Financial Services: The Exposure-Occurrence-Impact Method. Wiley. ISBN 978-1-119-56695-3.
- ^ American Institute for CPCU (2012). Personal Insurance. The Institutes.
- ^ Smolka, A. (2006). "Natural disasters and the challenge of extreme events: Risk management from an insurance perspective." In: European Review, 14(1), 19–36.
- ^ Rosa, E. A. (1998). "Metatheoretical foundations for post-normal risk." Journal of Risk Research, 1(1), 15–44.
- ^ Boholm, Å., & Corvellec, H. (2011). "A relational theory of risk." Journal of Risk Research, 14(2), 175–190.
- ^ Holton, G. A. (2004). "Defining Risk." Financial Analysts Journal, 60(6), 19–25.
- ^ Condamin, L., Louisot, J.-P., & Naim, P. (2006). Risk Quantification: Management, Diagnosis and Hedging. Wiley Finance.
- ^ Louisot, J.-P., & Ketcham, C. (2013). Enterprise Risk Management: Issues and Cases. Wiley.
- ^ Center for Chemical Process Safety (CCPS) (2018). Bow Ties in Risk Management: A Concept Book for Process Safety. Wiley. ISBN 9781119490395.
- ^ Condamin, L.; Naim, P. (2020). Operational Risk Modelling in Financial Services: The Exposure-Occurrence-Impact Method. Wiley. ISBN 978-1-119-56695-3.