Further Reading

Chapter 12: Operational Risk and Technology Risk Management


Essential Reading

Federal Reserve / OCC (2011). Supervisory Guidance on Model Risk Management (SR 11-7 / OCC 2011-12). The foundational document for model risk management in US financial services. Free at federalreserve.gov. Despite its age, this remains the primary reference for model governance expectations — and is increasingly applied to ML models in compliance.

BCBS (2023). Basel Framework — Operational Risk. The consolidated Basel Framework's operational risk chapters — covering SMA calculation, governance, loss data, and scenarios. Free at bis.org/basel_framework.

FCA/PRA (2021). Building Operational Resilience (PS21/3). The UK regulators' policy statement implementing operational resilience requirements — including important business services, impact tolerances, and testing requirements. Free at fca.org.uk and bankofengland.co.uk. Essential for UK-regulated firms.

European Union (2022). Regulation (EU) 2022/2554 (DORA). The text of the Digital Operational Resilience Act. Available at eur-lex.europa.eu. Essential for EU-regulated institutions and ICT providers serving them.


For Practitioners

OCC/Fed/FDIC (2023). Interagency Guidance on Third-Party Relationships: Risk Management. The comprehensive US regulatory framework for third-party risk management. Free at occ.gov. Covers the full lifecycle of third-party relationships with detailed guidance on due diligence, contracting, and monitoring.

NIST (2024). Cybersecurity Framework 2.0 (CSF 2.0). Updated NIST framework for cybersecurity risk management — the primary US reference for financial institution cybersecurity programs. Free at nist.gov/cyberframework. CSF 2.0 adds the "Govern" function and supply chain risk provisions.

ORX (Operational Riskdata eXchange). Annual Banking Loss Report. Annual industry operational risk loss data — essential for scenario calibration and benchmarking. Available to ORX members; summary data at orx.org.

Deloitte (2024). DORA Implementation Guide. Practitioner guide to DORA implementation — covering each of the five pillars with practical compliance steps. Available at deloitte.com.


For the Curious

Knight, F. (1921). Risk, Uncertainty and Profit. Hart, Schaffner and Marx. The foundational economic text distinguishing "risk" (quantifiable) from "uncertainty" (unquantifiable) — relevant to understanding why operational risk, especially tail risk, is inherently difficult to model.

Taleb, N.N. (2007). The Black Swan: The Impact of the Highly Improbable. Random House. Taleb's critique of standard risk models' inability to capture extreme events — directly relevant to the limitations of operational risk scenario analysis and the inadequacy of historical loss data for tail risk estimation.

Petrov, I., & Kalesnik, V. (2021). "Model Risk in Quant Finance." Journal of Portfolio Management, 47(1). Academic analysis of model risk specifically in quantitative finance — relevant to the model risk management framework discussion in Section 12.6.

King, J.L. (2001). Operational Risk: Measurement and Modelling. Wiley. Foundational text on operational risk quantification — covers loss distribution approaches, scenario analysis, and Basel framework development.


Regulatory Primary Sources

| Document | Jurisdiction | Key Relevance |
|---|---|---|
| Regulation (EU) 2022/2554 (DORA) | EU | Digital operational resilience; ICT risk; third-party |
| PS21/3 (FCA/PRA) | UK | Operational resilience; important business services |
| SR 11-7 / OCC 2011-12 | US | Model risk management |
| 2023 Interagency Third-Party Guidance | US | Third-party risk management |
| BCBS 239 | International | Risk data aggregation and reporting (adjacent) |
| BCBS Operational Risk framework | International | Basel SMA; loss data; governance |
| OCC Bulletin 2019-62 | US | Third-party relationships (pre-2023 guidance; now superseded) |
| FCA SYSC 7.1 | UK | Systems and controls — operational risk |
| FCA SYSC 8 | UK | Outsourcing requirements |

Technology References

| Category | Resource | Description |
|---|---|---|
| Operational Risk Management Platforms | MetricStream | Integrated GRC (Governance, Risk, Compliance) platform |
| Operational Risk Management Platforms | ServiceNow GRC | Workflow-based risk management |
| Operational Risk Management Platforms | LogicGate | Configurable GRC platform |
| Operational Risk Management Platforms | Riskonnect | Operational risk and RCSA management |
| Model Risk Management | ModelOps platforms (Monitaur, Verta.ai) | ML model governance and monitoring |
| Model Risk Management | DataRobot | AutoML with model governance features |
| Third-Party Risk | Prevalent | Third-party risk management platform |
| Third-Party Risk | Venminder | Vendor risk management and due diligence |
| Third-Party Risk | ProcessUnity | Vendor and third-party risk |
| Cybersecurity GRC | Archer | Enterprise risk management with cyber modules |
| Cybersecurity GRC | OneTrust | Privacy and security compliance management |