Time for a paradigm change: Problems with the financial industry's approach to operational risk

Organizational and risk cultures in the financial industry are argued to be the root cause of banking problems. It is concerning that financial regulators and practitioners still consider the industry to be seriously fragile in several respects, particularly to operational risks and risks associated with digital transformation and innovation—not that the risks of organizational misconduct have disappeared. The rescue of Credit Suisse in 2023 confirms this. This paper employs extant theories of organizational culture, learning, and action to critically evaluate the existing risk paradigm in banking and to highlight its deficiencies, which practitioners can only address by questioning the flawed assumptions and dysfunctional values and behaviors found to be endemic in banks. However, business and risk practitioners are also married to institutional approaches that focus on assessing risk and measuring historical losses to allocate regulatory capital, rather than forward‐looking approaches to measure and manage risk. This requires a paradigm change. This paper presents a novel risk measurement and accounting methodology, Risk Accounting, to help underpin such change. Risk accounting measures risk exposure in quantitative and qualitative terms and can be implemented using an AI‐enabled digital architecture that could solve endemic problems with risk data aggregation and analysis. Significantly, risk accounting enables a financial value to be placed on risk exposures at a granular level. This level of transparency provides an incentive to change behaviors in banks and support cultural change while providing a basis for a paradigm change in the way operational risk is managed.

multiple related institutions (cf. Curti, Frame et al., 2022). Researchers argue that current approaches to managing operational risks may have systemic consequences (Berger et al., 2022; Hughes, 2021, 2023). Also, the financial crisis laid bare the reality that while financial profits are privatized and protected, losses that exceed regulatory capital allocations tend to be socialized (de Jongh et al., 2013), with the costs borne by society (Kourabas, 2021). An increase in poverty and negative effects on the environment are also linked to financial crises (Antoniades & Antonarakis, 2022).
The UBS-Credit Suisse (CS) rescue merger in 2023 is a more recent example of the consequences of operational risk. Operational risk events in CS between 2020 and 2022, including money laundering, misconduct involving corruption, tax evasion, and corporate espionage, led to the failure of the bank (Böni et al., 2023). The externalized costs of CS's failure included "a wealth transfer from CS stockholders" to "UBS stockholders" of $1.1 billion. However, the estimated cost to the Swiss taxpayer was between $6 and 7 billion (Böni et al., 2023, p. 1). Furthermore, CS staff lost over $400 million in bonuses and are suing the state regulator (Walker et al., 2023). In addition, UBS also planned to make between 30,000 and 35,000 staff redundant. Significantly, the total cost of the merger was estimated at $17 billion (Inman, 2023). It is noteworthy that UBS was rescued in October 2008 by the Swiss government and the Swiss National Bank providing a capital injection of $60.09 billion, as UBS was "too big to fail." In both the CS and UBS rescues, regulatory capital was insufficient to enable the banks to recover from poor business decisions and misconduct. These examples also provide evidence that banking losses tend to be externalized and borne by society (Chassagnon & Vallet, 2021).
While the UBS-CS case is conspicuous, a study by the US Federal Reserve Bank of New York on 35 large bank holding companies (BHCs, i.e., global and domestic systemically important banks) operating in the United States revealed that "in the most recent Dodd-Frank Act Stress Test, the severely adverse scenario projected operational risk losses for the thirty-five participating BHCs of $135 billion, or 23 percent of the $578 billion in aggregate losses projected for these firms over the nine quarters ending in March of 2020" (Afonso et al., 2019, p. 1). CS was one of the 35 banks, as was UBS. Clearly, these estimates were in the extreme and it is unlikely that they would materialize. Take, for example, that the Basel III Monitoring Report in February 2023 indicated the following: In total, €522.6 billion of gross and €470.8 billion of net operational risk losses have been reported over the past 10 years. Operational risk gross losses were €70.5 billion in 2012 and peaked in 2014 at €81.0 billion. Since then, gross losses have decreased significantly to €29.5 billion in 2021, the lowest value of the past 10 years (BCBS, 2023, p. 82).
In contrast, if we consider the ORX report on losses submitted by 82 active member firms in 2021, 85,585 operational risk loss events were recorded totaling €20.3 billion in gross losses. In considering the Basel Committee on Banking Supervision (BCBS) and ORX reports, a difference of just €9.5 billion in 2021 between the ORX's reported losses for its 82 members and the total figure reported in the Basel III Monitoring Report is interesting and raises a question regarding the accuracy of the BCBS figures. Nevertheless, the downward trend in losses reported by both may be at an end as the 2023 ORX loss report states that "more sophisticated technology and low-risk fraud had led to a reported loss number of 76,620 events in 2022, a 26.4% rise of 16,020 from the previous year," a return to levels reported in 2017 (Zampano, 2023). The BCBS report (2023, p. 82) also highlights the risks posed by IT, viz. "banks still face risk due to the digitalization that amplifies IT risk."
As societies and economic systems are affected by financial and operational risk events, financial institutions are obligated by regulators to allocate capital to cover any losses that arise (Aldasoro et al., 2020). The BCBS report revealed that 30 Global Systemically Important Banks (G-SIBs) collectively held €3019 billion of Common Equity Tier (CET) 1 capital to cover potential losses. There is an opportunity cost to high levels of regulatory capital being held by banks, which in the case of operational risk in 2022 is approximately 12.8% of the Minimum Required Capital (MRC). Ceteris paribus, large complex banks incur the greatest operational risk and losses at a significant cost to society (Curti, Frame et al., 2022). As the BCBS (2023, pp. 83-84) report points out, there exists "a positive correlation between size and an above average operational risk profile." The CS example illustrates that "too big to fail" systemically important banks are still not immune to high-impact operational risks and the current levels of MRC are insufficient to protect society from the externalities of failure.
The overarching focus of banks and their risk functions is on performing operational risk capital (ORC) allocation calculations based on risk-weighted assets, which in the case of operational risk in banks is second only to financial credit risk (Aldasoro et al., 2020). Thus, unlike other industries, the financial sector tends to be preoccupied with measuring the ex post external and internal losses associated with operational risk (Giannone, 2018; Pakhchanyan, 2016), as opposed to understanding why such events happened or taking ex ante measures to mitigate the consequences of risk events and related losses (Hughes, 2021, 2023). In addition, financial institutions are notoriously secretive and appear to disclose to regulators only what they are legally required to and even then regulatory transparency is in question. Thus, opacity, asymmetric information, and secret-keeping appear to be characteristic of banks (Dang et al., 2017; Jackson & Kotlikoff, 2021). One of the consequences of this is a paucity of research into the reality of operational risk practice in and across the industry. However, there is sufficient knowledge of practice to argue that a paradigm change is required.
in Europe and the United States in collaboration with, or with the participation of, major financial institutions, including G-SIBs, standards bodies, and industry associations, such as the Enterprise Data Management Council, and, also, UK and EU regulators, such as the Bank of England and the Financial Conduct Authority (FCA). He also participated as a member of the European Commission's Directorate-General for Financial Stability, Financial Services and Capital Markets Union (DGFISMA)'s Regulatory Obstacles to Financial Innovation Expert Group from June 2018 to December 2019. His field research from 2018 to 2022 also saw the participation of two EU-funded Research Fellows. Thus from 2012 to 2022, extensive research data and insights were gathered under Non-Disclosure Agreement (NDA), Chatham House Rule or through personal conversations and correspondence.
The second author has extensive experience in leadership positions in IT operations and professional services firms advising on operational risk problems and solutions across industry sectors but with a particular focus on the financial industry, particularly G-SIBs. He is professionally qualified in accounting (ACMA), risk management (PRM), and financial engineering (CQF). His experience in operations and risk advisory positions provides him with a unique, applied, perspective. This paper is the culmination of the authors' research on the current operational risk paradigm.
The remainder of this paper presents a critical perspective on the extant operational risk paradigm. We begin by examining theories on organizational and risk culture, institutional theory, and organizational learning to critique the current operational risk paradigm and highlight its deficiencies. We then discuss and offer practical insights into how operational risk culture and practice might be transformed to provide the basis for a paradigm shift. Central to this is a risk accounting approach that employs a new metric called Risk Units or RUs to help quantify nonfinancial risks and help aggregate and report risk exposures. Significantly, it puts a financial value on product, process, system, and people risk at a granular level. We also present an overview of AI-enabled digital architecture to implement the risk accounting approach and address ongoing risk data integration issues.

THEORETICAL PERSPECTIVES ON RISK CULTURE AND THEIR APPLICATION IN FINANCIAL INSTITUTIONS
Financial institutions are obliged to comply with the Revisions to the Principles for the Sound Management of Operational Risk published by the Bank for International Settlements' BCBS (2020a). Principle 1 is the cornerstone and states "The board of directors should take the leading role in establishing a strong risk management culture, implemented by senior management. The board should establish and regularly review and approve core policies (including risk management, compensation, code of conduct or ethics policies). Through these policies, the board and senior management should establish a corporate culture guided by strong risk management, set standards and incentives for professional and responsible behaviour, and ensure that staff receives appropriate risk management and ethics training." As with all regulatory principles, the devil is in the detail and it is generally left to regulated entities to, in this case, institute cultural change in their organizations. However, the larger and more complex the organization the greater the difficulty in instituting a "strong risk management culture."
This paper's analysis of the state of operational risk practice draws upon the extant theory of organizational culture and its focus on organizational learning and behavior (Argyris, 2010; Schein, 2004), to support its thesis that a paradigm change is required in the practice of operational risk management. Schein's (2004) and Argyris and Schön's (1996) theories of culture and learning complement each other, as they are grounded in organization theory and institutional theory (Scott, 2013). Organizational and institutional theories include the concepts of institutional logics (Lounsbury et al., 2021) and social and institutional mechanisms (Gross, 2009) to explain institutional, organizational, and cultural change (Scott, 2013). Thus, they provide rich theoretical lenses to study and assess risk culture (Almandoz, 2014; Kunz & Heitz, 2021; LaBriola, 2019). Figure 1 summarizes complementary theoretical perspectives on organizational culture and the social construction of institutions. An organizational risk culture will, following Schein (2004), be based on implicit underlying assumptions, and be manifested in espoused values and artifacts. Schein states (2004, p. 36): Though the essence of a group's culture is its pattern of shared, basic taken-for-granted assumptions, the culture will manifest itself at the level of observable artifacts and shared espoused beliefs and values. In analyzing cultures, it is important to recognize that artifacts are easy to observe but difficult to decipher and that espoused beliefs and values may only reflect rationalizations or aspirations. To understand a group's culture, one must attempt to get at its shared basic assumptions, and one must understand the learning process by which such, basic assumptions come to be.
Schein explains how organizational learning and other structural and processual mechanisms (Gross, 2009) institutionalize and maintain organizational cultures. However, he argues that organizational cultures can be assessed through analysis of espoused values and artifacts. (An alternative perspective is by examining institutional logics and mechanisms; see LaBriola, 2019; Marquis et al., 2006; Thornton et al., 2012.) Schein points to Argyris and Schön's theoretical and empirical work on organizational learning and behavior and the conflicts and contradictions between an organization's espoused theories and theories-in-use to elaborate his theory. Schein (2004, p. 362) also maintains that "discrepancies…almost always surface between the espoused values and the observed behavioral artifacts" of organizations. Schein (2004, p. 18) places particular emphasis on the need to unpack the learned "patterns of beliefs, values, and assumptions" that are manifested in "behavioral norms" that underpin action.
Figure 2 displays the central concepts in the learning and behavior literature relevant to organizational culture. Elements of the model are drawn from the work of Schein (2010), Argyris (2004), and Argyris and Schön (1978, 1996) as well as the literature on banking culture adduced in this paper (see Agnese & Capuano, 2021; Blake, 2022; Kane, 2016; Kunz & Heitz, 2021; Thakor, 2021, for examples). Argyris and Schön (1978, 1996) identify two types of behavior in individuals and organizations: Model I behavior, which is associated with single-loop learning, and Model II behavior, involving double-loop learning. In Model I organizations, managers are typically defensive and competitive and avoid objective evaluation of their fundamental assumptions, values, norms, and actions. Motivated cognition, bias, ambiguity, inconsistency, and convenient lacunae prevent managers and professionals in financial institutions from learning about threats and vulnerabilities (Blake, 2022). According to Argyris and Schön (1978, 1996), the socialization of Model I assumptions and beliefs shapes behavioral norms and actions and results in particular cultures where the values-in-use are not the organization's espoused values (Argyris & Schön, 1978, 1996; cf. Schein, 2010). However, Model II behaviors are underpinned by double-loop learning, which leads to changes in people's assumptions, beliefs, values, and behaviors, and ensures that espoused values reflect those informing action in the organization (Schein, 2010). In this situation, an organization's espoused theories (of action) = theories-in-use. We note, however, that research indicates that under certain circumstances individuals and organizations may be immune to change (Bochman & Kroth, 2010).

Espoused theory and the management of operational risk in banking
The BCBS identifies governance policies as a primary organizational mechanism to institute risk cultures and to subsequently maintain them (BCBS, 2020a). Governance policies are further elaborated in other artifacts such as documented standards and procedures and controls. Policies, standards, and procedures are part of a bank's risk management framework and represent its espoused values in shaping and influencing its risk culture. Kunz and Heitz's (2021) review of the literature on operational risk culture identifies the expected external mechanisms of regulations and market pressures (coercive mechanisms), professional and ethical standards (normative mechanisms), and national culture (cognitive mechanisms). Specific internal mechanisms are organizational structure, accountability, supervision, incentives, communication, and hiring, in addition to formal controls over people, processes, and systems. Critical researchers argue that large banks pay lip service to regulatory prescriptions on cultural change. Furthermore, their proclamations and attestations of regulatory compliance and cultural change are argued to be without foundation (Blake, 2022; Kane, 2016). Consequently, Eceiza et al. (2020, pp. 11-12) state that the current operational risk paradigm focuses "on reporting risk issues, often in specialized forums removed from day-to-day assessment. Many organizations have thus viewed operational-risk activities as a regulatory necessity and of little business value."
Table 1 summarizes what this paper argues is the espoused theory (Argyris & Schön, 1978, 1996) of operational risk management in the financial industry. Briefly, espoused theory is what organizations say they do; theory-in-use is what they actually do. This framework was developed from the extant literature indicated by supporting references and recent analyses (see Tables 1 and 2; see also Girling (2022) and Hughes (2021, 2023) for a general overview of the framework elements). The framework references the institutional pressures from regulators along with regulatory and normative perspectives on the importance of risk culture, risk governance, risk management structure, the roles of policies, standards and procedures, the identification, assessment and control of risk, the activities and data elements of an operational risk information system, and the mandated measurement and risk modeling approach.

The extant paradigm or operational risk theory-in-use
The scale of operational risk losses incurred by financial institutions following the financial crisis is regarded as "staggering" by Curti, Frame et al. (2022). Banks are systemically vital to the social and economic health of countries and the global economy. However, the continued socialization of bank losses, to which operational risks are a significant contributor, is of concern, viz. "The negative externalities from bank losses have been significant, including reduction in credit provision, disruption to specific markets, withdrawal of certain socially beneficial products, and financial exclusion as a consequence of 'de-risking', plus a significant diminution of trust in the financial system" (Sands et al., 2018, p. 6).
The private and confidential nature of banking leads to an information asymmetry where public data are argued not to reflect the true nature of operational risks and their costs to the industry and society at large (Abdymomunov et al., 2020). Curti, Frame et al. (2022, p. 2) state that "[in] contrast to the publicly available data commonly used in the operational risk literature, [they] utilize confidential supervisory data that are significantly richer and more comprehensive." Based on this data set, a study of the 34 largest US banks estimated incurring operational losses of "$281 billion to operational risk, more than a quarter of their net income over the same period ($915 billion)" (Curti, Frame et al., 2022, p. 1224). Another study estimated that the top 35 US banks had estimated worst-case operational risk losses of $135 billion over the 27-month period to March 2020 of the Dodd-Frank Act Stress Test by the Federal Reserve (Afonso et al., 2019). It is clear, however, that this worst-case scenario did not materialize as the BCBS Monitoring Report stated that annual losses declined to about $30 billion (BCBS, 2023). The CS failure and others that occurred in 2022-2023 should see this figure revised upward as will the 26.4% increase in operational risk events in 2022 reported by the ORX (Zampano, 2023). Mark Cooke, former Group Head of Operational Risk at HSBC and former Chairman of ORX, casts doubt on low estimates and reporting figures as he argues that "existing risk reporting systems are simply failing to cope with 'the new normal' and that risk events are going unreported and - worse - undetected altogether" (Hoefer et al., 2020).
Significantly, operational risk losses are argued to be due to poor governance structures and policy making (Curti, Frame et al., 2022), poor management decision making (Chernobai et al., 2020; Curti, Fauver et al., 2022), incompetence, negligence, poor training, or lack of accountability (Berger et al., 2022), and cognitive biases (Shefrin, 2016). Curti, Frame et al. (2022, p. 1254) therefore conclude that "the largest BHCs could benefit from tightening risk management practices and standards with regards to operational risk." Table 1 presented a stylized account of the espoused risk management paradigm. The doubts that supervisors and risk practitioners have as to the current paradigm's fitness of purpose are supported by the reported losses cited above, indicating systematic mismanagement, particularly by the larger and more complex institutions. Table 2 presents evidence from regulators and practitioners of chiefly Model I behaviors in banks. These are representative of the theory-in-use of operational risk practice, as opposed to the espoused theory that banks promote publicly (Argyris & Schön, 1978).
TABLE 1 Espoused framework for managing operational risk in financial institutions.

Regulators
The Basel Committee on Banking Supervision (BCBS, 2006, 2012) Basel Accords II and III address the issue of operational risk in banking. The BCBS perspective finds explicit expression in the Principles for the Sound Management of Operational Risk and its revision (BCBS, 2011, 2020a). A related set of Principles for Effective Risk Data Aggregation and Risk Reporting were published in 2013 (BCBS, 2013, 2018). The Basel Accords and related principles are implemented as national regulations by the Central Banks of member nations of the Bank for International Settlements (BIS).
Regulators define operational risk in financial institutions as follows: "Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk" (BCBS, 2011, p. 3). In articulating the Revisions to the Principles for the Sound Management of Operational Risk, the BCBS states "that further work is necessary to strengthen banks' ability to absorb operational risk-related events, such as pandemics, cyber incidents, technology failures or natural disasters, which could cause significant operational failures or wide-scale disruptions in financial markets" (BCBS, 2020a, p. 1).

Risk culture
Risk culture "promotes an increased attention to risk considerations throughout the organization" (Bockius & Gatzert, in press, p. 1). Analyzable dimensions of culture include "tone from the top," "risk awareness and comprehension," "accountability," "communication and escalation," and "manifestation in decisions and actions" (see also Kunz & Heitz, 2021). Institutional coercive (policies, standards, and controls), normative (values and commitments), and cognitive (perceptions and biases) mechanisms all shape and influence the effectiveness of risk culture. Financial institutions, therefore, espouse values that are congruent with positive and effective risk cultures. In a speech titled Just a few bad apples? The importance of culture and governance for good banking, Andrea Enria, Chair of the Supervisory Board of the ECB, speaking to the Conference of the Federation of International Banks in Ireland, Dublin, 20 June 2019, states: "The first line of defence is where a cultural shift is needed most, and still lags behind at many banks. The frontline business units, at all levels, should continuously check whether their behaviour is in line with the declared values and desired conduct of the bank."

Risk governance
BCBS principles 1-5 (BCBS, 2011, 2020a) focus on this dimension to sound operational risk management in banks. Operational risk governance is viewed as top-down in structure and involves the board and senior management team who are responsible for (a) the risk culture, (b) the institution and review of operational risk management framework (ORMF), (c) ensuring senior management develop a risk governance structure and apply the ORMF policies, processes, and systems, and (d) the approval and review of the firm's operational risk appetite and tolerance.

Risk management structure
Risk management structures adhere to the three lines of defence model (3LoD). Central to this is the management of operational risk by a risk function headed by the Chief Risk Officer with oversight by related risk committees.
1. According to the BCBS (2011, p. 4), in the first line of defence "business line management is responsible for identifying and managing the risks inherent in the products, activities, processes and systems for which it is accountable." Business managers should identify and assess "the materiality of operational risks inherent in their respective business units;" establish "appropriate controls to mitigate inherent operational risks" and assess "the design and effectiveness of these controls;" ensure they have "adequate resources, tools and training" and monitor and report on their unit's "operational risk profiles" within the "established operational risk appetite and tolerance statement;" and, finally report "residual operational risks not mitigated by controls, including operational loss events, control deficiencies, process inadequacies, and non-compliance with operational risk tolerances" (BCBS, 2020a, pp. 3-4).
2. The second line of defence is the corporate operational risk function (CORF) which fulfills an oversight role by providing an "independent view regarding business units' (i) identified material operational risks, (ii) design and effectiveness of key controls, and (iii) risk tolerance." It should also (i) question "the business unit's implementation of the operational risk management tools, measurement activities and reporting systems, and providing evidence of this effective challenge;" (ii) develop "operational risk management and measurement policies, standards and guidelines," (iii) monitor the unit's "operational risk profile," and also (iv) provide training and support risk awareness. Finally, the CORF "typically engages relevant corporate control groups (e.g., Compliance, Legal, Finance and IT) to support its assessment of the operational risks and controls" (BCBS, 2020a, p. 4). It is also typically charged with business continuity planning and information security.
3. According to the BCBS, "The third line of defence provides independent assurance to the board of the appropriateness of the bank's ORMF. This function's staff should not be involved in the development, implementation, and operation of operational risk management processes by the other two lines of defence" (BCBS, 2020a, p. 4). Hence, the structures, processes, activities, and artifacts of the first two lines delineated above should be subject to internal audit to ensure that they are fit for purpose.

Policies, standards, and procedures
Financial institutions are required to have clearly articulated and well-documented policies, standards, procedures, and guidelines that implement regulatory principles, provisions, and requirements. The legal compliance function will play a lead role in ensuring this aligns with the regulations and perform regulatory change management (Girling, 2022; Hughes, 2021).

Risks and controls
The identification and classification of risks and controls is a key dimension in an ORMF. One output of this process is the development of a firm-specific taxonomy of operational risks. BCBS Operational Risk Principles 6-9 provide guidance on the risk and control requirements. Inter alia, Principles 6-8 mandate "comprehensive identification and assessment of the operational risk inherent in all material products, activities, processes, and systems to make sure the inherent risks and incentives are well understood." Additional requirements cover risk-related change management processes and the need to "regularly monitor operational risk profiles and material operational exposures" (BCBS, 2020a, p. 10). Principle 9 requires firms to have a "strong control environment that utilises policies, processes and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies" (BCBS, 2020a, p. 14). Banks attest to compliance with these principles.

Operational risk information system
A typical operational risk information system in a financial institution is based on four types of data identified by the BCBS (2020a, p. 1):
1. Internal loss data. This involves the collection of operational risk event and loss data, as well as external loss data from other banks. These data enable firms to (a) model capital allocation; (b) evaluate risk events and consequences; (c) perform risk mitigation; (d) understand operational risk exposure and severity; and (e) legitimize operational risk practices.
2. Risk and control self-assessments (RCSAs). These are typically qualitative evaluations by first-line managers as to their perceptions of the threats to and vulnerabilities of their business activities and their abilities to achieve desired business outcomes without disruption and of the effectiveness of the controls in place to mitigate risks. Internal loss data provide historical data on which to develop hypotheses inductively. Thus, RCSAs are expected to be based on situational analysis by business managers and professionals to identify and assess current or future threats and vulnerabilities and also to evaluate current controls and/or suggest modifications to effectively mitigate risk.
3. Scenario analysis. Operational risks are categorized as high-frequency, low-impact or low-frequency, high-impact (Zhu et al., 2019). The latter incur significant losses for institutions, culminating in systemic risks for larger banks (Berger et al., 2022). The purpose of scenario analysis is to identify and assess the possibility of high-severity operational risk tail events of certain categories and combinations in and across business lines.

4. Key risk indicators (KRIs). KRIs help "track operational risk exposure and provide early indications of potential severe losses," such that they may be prevented (Andersen et al., 2016, p. 289). Effective indicators include information on underlying causes. They also provide indications of risk event frequency and severity. However, financial institutions tend to employ hundreds of metrics. Consequently, "typical KRIs provide limited information regarding the reason for the changed level of operational risk exposure," for example, "number of customer complaints, staff turnover, number of transactions" (Andersen et al., 2016, p. 292).

Operational risk measurement and modeling
This involves the calculation of the capital required by the Basel Accords to cover operational losses. Subject to regulatory approval, more sophisticated banks adopted the advanced measurement approach (AMA) to reasonably estimate unexpected losses based on the combined use of internal and relevant external loss data, scenario analysis, and bank-specific business environment and internal control factors (BEICFs). The AMA is a quantitative modeling technique that relies on loss history to infer a loss distribution from which the likely amount of operational risk exposure in a severe stress scenario is deduced. Alternatively, banks apply the Standardized Measurement Approach (SMA), which involves the selection of one of the following: (1) The Basic Indicator Approach (BIA); (2) The Standardized Approach (SA); (3) The Alternative SA; and (4) the AMA (Girling, 2022; Migueis, 2019). In a consultative paper, the Basel Committee on Banking Supervision stated, "The inherent complexity of the AMA and the lack of comparability arising from a wide range of internal modeling practices have exacerbated variability in risk-weighted asset calculations and have eroded confidence in risk-weighted capital ratios. The Committee has therefore determined that the withdrawal of internal modeling approaches for operational risk regulatory capital from the Basel Framework is warranted" (BCBS, 2016, p. 1). In its place, an SA was proposed that "combines the Business Indicator (BI), a simple financial statement proxy of operational risk exposure, with bank-specific operational loss data" (BCBS, 2016, p. 3).

TABLE 2 Disclosing the theory-in-use in operational risk management.

Regulators
The "Dear CEO" letter in September 2021 from the United Kingdom's Prudential Regulatory Authority dealt with the Thematic findings on the reliability of regulatory reporting. It states: "Overall, we were disappointed to find significant deficiencies in a number of firms' processes used to deliver accurate and reliable regulatory returns. It was clear that multiple firms did not treat the preparation of their regulatory returns with the same care and diligence that they apply to financial reporting shared with the market and counterparties. For some firms, there had been a historic lack of focus, prioritisation, and investment in this area."a This is indicative of significant problems in data governance of operational systems in banking organizations and highlights poor operational risk management practice. Thus, the BCBS' recent focus on principles for risk data aggregation, operational risk, and resilience (BCBS, 2018, 2020a,b).

Risk culture
In 2022, another "Dear CEO" letter pointed toward the same issues as being an issue for financial and operational resilience. It stated that "deficiencies in banks' risk management governance and frameworks, many of which were symptoms of a broader root cause and manifestations of an inappropriate internal risk culture where lessons from the global financial crisis had not been sufficiently learnt."b The research findings on change in risk culture are mixed. All agree on the need for a strong risk culture across the organization and not just in the risk function (Agnese & Capuano, 2021; Bianchi et al., 2021; Bockius & Gatzert, in press). Regulators and supervisory agencies, who have better access to data on financial institutions, voice concerns about dysfunctional banking and risk cultures (Curti, Frame et al., 2022). The late Prof. Kane (2016, p. 26) points out that: "The artifacts of a culture may change quickly, but the norms of a culture resist change fiercely." He, like Professor Blake (2022), is scathing of the continued bad behavior and lack of cultural change at large banks and advocates punitive sanctions by regulators to punish senior executives to motivate a change that ensures that behaviors and cultural artifacts map to espoused values.

Risk governance
Banking and finance are two areas of human endeavor for which there is no common disciplinary language. Andrew Haldane, who was Chief Economist at the Bank of England in 2021, termed this a banking "Tower of Babel."c This is mirrored by a digital "Tower of Babel" that is impacting the risk management and compliance reporting of all banks. Adequate risk governance is frustrated by the absence of a common language (reflected in heterogeneous, incompatible operational and risk data) (Butler & O'Brien, 2019a), the dominant culture in investment banking (Blake, 2022; Wilmott & Orrell, 2017), and the siloed nature of the risk supervision and audit (Hughes, 2023). In addition, "[b]oard-level risk committees at many banks have neither the clout nor the expertise to push back against corporate leadership, risk professionals say, a weakness that should be addressed in the wake of the recent bank collapses" (Vanderford, 2023). Psillaki et al. (2023) report that little seems to have changed in terms of governance and risk culture in European banks since the financial crisis, as the same banks performed poorly during the pandemic (cf. Blake, 2022).

Risk management structure
Many practitioners and industry observers are of the opinion that the three lines of defence model (3LoD) has problems with its implementation in the financial industry (Bantleon et al., 2021; Hughes, 2023). According to Hoefer et al. (2020) "the 3LoD has failed to fully deliver on this promise [in banking] … Industry observers have pointed out various problems with the 3LoD model. Most critiques focus on confusion regarding roles and responsibilities across the three lines, leading to coordination challenges, broken processes, and inaccurate reporting." They add forcefully "Most 3LoD frameworks fail to acknowledge 'the company behind the chart' or to take into account the dynamics of social influence ('culture') that drive propensity for misconduct. As such, they do little to permit for active insight into the likelihood of risk events. With a focus instead on maintaining 'systems of record' by which to track process driven exercises, conduct risk management becomes a Kabuki theatre in which tick-box efforts are valued over efficacy." Davies and Zhivitskaya (2018, p. 39) cite an observation by a board member of a financial institution to underscore a major criticism of what is a normative theory: "my problem with it is when fundamentally the responsibility for the risk gets taken away from the business because ultimately it's the business that manages the risk. […] the three lines of defence is useful but cannot take away the responsibility and accountability from the firm" (see also Bantleon et al., 2021). This accords with the authors' experiences in the field since 2012.

Policies, standards, and procedures
We find that the legal compliance function in financial institutions ensures that policies, standards, procedures, and guidelines are articulated and well-documented and implement regulatory principles, provisions, and requirements. However, this is treated as a compliance activity in banks underpinned by document management systems (Deloitte, 2021). Nevertheless, provenance issues in mapping governing regulations to policies down to related controls to prevent or mitigate people, processes, and systems failures remain a major problem for banks (Butler & O'Brien, 2019a).

Risks and controls
According to Hughes (2023, p. 183) banks' "risk governance and controls are weak" and "significant risks are knowingly or unknowingly created and accepted by bankers, with limited assurance that they will be properly identified, quantified and reported to boards, senior management, regulators, investors and other stakeholders… There are few industries where such operating conditions would be tolerated…" "It is now recognized that it was wrongheaded to believe that a historical, mathematically modelled view of the past would prevent too much risk from being taken. Complex financial transactions executed in real-time in the absence of effective risk controls have the potential to trigger a cocktail of risk exposures that can cascade far beyond the balance sheet or accounting values of underlying transactions and certainly beyond capital provisioned on historic financial data" (Hughes, 2023, p. 81). The growth and complexity of products, the processes that deliver them, and related digitalization and outsourcing, are now recognized as significant sources of operational risk (Curti, Frame et al., 2022; Eceiza et al., 2020) 2016) demonstrates, psychological biases and bounded rationality play a significant role, with behavioral risk now recognized as a significant issue for managing operational risk (Blake, 2022; Bott & Milkau, 2017; Faugere & Stul, 2021).

Operational risk information system
Operational risk information systems serve the needs of the operational risk function for reporting purposes. Our unpublished research indicates that the digitalization of financial services completely ignored the need to support the risk information needs of business managers and professionals in the first line of defence. Furthermore, there are limitations and issues with the use of internal loss data: "It is an inescapable fact that an operational loss event is bad news for somebody and the first instinct of line management when dealing with bad news is to bury it." In addition, "most non-financial risk loss events are captured randomly in loss event databases without attaching standardized risk rating or exposure details" (Hughes, 2023, p. 137). Thus, there is a need to focus more on operational risk event-rich descriptions, contexts, and derived indicators. However, the three other categories of data used for operational risk management are equally problematic. Risk and control self-assessments (RCSAs) are notoriously prone to behavioral risk and bias: "Whereas assessment based metrics can provide a vital source of risk intelligence at the operating unit level, they are inherently subjective and are not aggregable or comparable along the vertical and horizontal dimensions of an enterprise" (Grody & Hughes, 2016, p. 14). It is now standard practice across the industry to use a Red, Amber, Green (RAG) rating approach for operational risk management which has significant limitations, as Grody and Hughes (2021) argue. Scenario analysis is a useful tool in the hands of the risk-aware expert: However, Shefrin (2016) demonstrates the tendency to underestimate or misjudge risks due to availability bias; intuitive judgments influenced by risk perceptions based on fear or overoptimism; stereotypical thinking and failure to understand randomness; confirmatory bias and rejection of evidence that challenges their views; finally, they also underestimate their ability to control risks. Problems with RCSAs and scenario analysis are exacerbated by an absence of information support and misuse in the hands of those who fail to be aware of or understand bias or risk analysis principles. Key risk indicators (KRIs) are the final problem area: Andersen et al. (2016, p. 290) argue that financial institutions "are generally not satisfied with their KRI frameworks. One reason for this could be the limited guidelines available on establishing a set of effective indicators that reflect and monitor operational risk exposure in an efficient manner." They (Andersen et al., 2016, p. 289) find that "high-frequency and tail events can be related to a shared set of causes which can be exploited for the identification and evaluation of two categories of KRIs: (1) shared causes that constitute major risk drivers; and (2) high-frequency events providing a strong indication of changes in exposure to low-frequency, high-severity events." Financial institutions have not, generally, implemented the type of governance, risk, and compliance information system required to address the information needs of the first and second lines of defence. The information needs of the latter are generally catered for, with business managers in the first line generally neither held responsible nor accountable for the risks they incur, through incompetence, misconduct, or bias, "as explicit and dynamic quantification of exposure to risk" is not being captured in the systems of record (Hughes, 2023, p. 145).

Operational risk measurement and modeling
A recent survey found that 80% of European banks do not model their operational risk capital allocation (Woodall, 2020). This raises a question as to the analysis of past losses. As indicated, BCBS (2016) advocates the Standardized Approach (SA) that combines the Business Indicator (BI), a simple financial statement proxy of operational risk exposure, with bank-specific operational loss data. This approach is subject to criticism from both industry and regulators (Hughes, 2021, 2023; Migueis, 2019; Sands et al., 2018). According to Sands et al. (2018, p. 1), Basel III is not "effective in creating appropriate incentives and loss absorbency to minimize negative externalities from operational risk events" … and is "almost entirely backward-looking, while operational risks are constantly evolving and the drivers of the biggest losses defy mechanistic prediction from historical data." Furthermore, the SA "curtails potential risk sensitivity by excluding forward-looking elements from the capital calculation. Also, no empirical evidence has been provided by the BCBS to justify the risk sensitivity or the appropriateness of the calibration of the new approach" (Migueis, 2019, p. 309). Thus, researchers are "skeptical about the predictive quality of historical loss data for events such as regulatory penalties, major frauds and rogue traders – and given that these types of operational losses dominate overall operational risk losses, skeptical about the value of historical loss data in predicting future operational risk losses" (Sands et al., 2018, p. 16). If financial institutions are failing to identify, measure and assess operational risks, and failing to comprehensively and diligently identify and record losses, then the SA approach will fail to provide an adequate approach to managing operational risk. The BCBS (2023) points out that most Group 1 banks and G-SIBs use the Advanced Measurement Approach (AMA) to calculate capital requirements for various reasons. Migueis (2019, p. 302) states that the "AMA's main flaws are its vulnerability to gaming, lack of comparability, and complexity." Inter alia, Migueis (2019, p. 303) advocates an approach with "well-specified accounting quantities" that is forward-looking, risk-sensitive, and "accurately tracks risk" because it "will produce stronger incentives to minimize risk" (cf. Hughes, 2021, 2023).

DISCUSSION: TOWARDS A NEW PARADIGM FOR OPERATIONAL RISK IN BANKING
This section provides insights into what we believe are three complementary dimensions to a paradigm change in financial institutions: cultural change; a novel risk accounting approach; and an information systems architecture to underpin both.

Organizational culture
The European Central Bank's (ECB) Supervision Newsletter in February 2023 synopsized the European Banking Authority's (EBA) Guidelines on Internal Governance to highlight key dimensions of a strong risk culture (ECB, 2023). Figure 3 presents the key elements that "are based on extensive supervisory reviews over the past few years, including bank-specific deep-dives and horizontal analyses." The ECB is clearly concerned about the need for cultural change in banking and wishes to keep this on the agenda, particularly with the CS problems appearing on its radar about this time in 2023. It must be noted that the academic and practitioner literature is generally silent on the progress of G-SIBs and large, complex banks in changing their cultures. Thakor (2021, p. 63) states that "[t]here does not appear to be systemic evidence on how bank culture has changed since the financial crisis. Given the elevated regulatory focus on safety and soundness and the heavier reliance on stress tests and capital regulation, one suspects a shift toward more safety-oriented cultures. But this conjecture awaits empirical testing." As the CS case demonstrates, it could have benefitted from an integrated risk management approach to understanding the operational risks that led to its failure (eight events from February 2020 to June 2022) (Böni et al., 2023): "Integrated risk management is the identification and assessment of the collective risks that affect firm value, and the implementation of a firm-wide strategy to manage those risks" (Meulbroek, 2002, p. 55). Böni et al. (2023) posit that the risk culture and operational changes CS made postcrisis appear to have been insufficient to avoid, control, or mitigate the serious operational risks that led to its failure. Thakor (2021) uses the competing values framework to categorize bank culture as being either safety-focused with behaviors that emphasize control and collaboration, or growth-focused that emphasizes create (innovate) and compete behaviors. All banks display these four dimensions, but those with strong risk cultures are posited as being safety-focused. Thakor does not, however, make the link to safety culture theory, which "explains how social environments directly influence risk practices" (Leaver & Reader, 2019, p. 462). Instead, he defines culture in legalistic terms as "a set of explicit and implicit contracts and (often unwritten) rules of conduct that determine how people in the organization behave." Leaver and Reader apply safety culture theory to study misconduct in financial trading by six banks operating in the United Kingdom and supervised by the FCA in the period following the financial crisis to 2014. They argue that the safety culture at the banks was negatively impacted by deficiencies in institutions' policies and practices on organizational communication, management commitment to safety, risk management, rules and regulations, system implementation, and organizational incentives. Interestingly, UBS and CS were two of the banks studied. The dimensions identified by Leaver and Reader confirm those articulated by the EBA and ECB.
More recent research by Suss et al. (2021), from the Bank of England again, confirms the link between poor organizational culture and high bank risk, as does a comprehensive survey by Luu et al. (2023) using the competing values framework. The relevance of these two studies is that Suss et al. identify a nonintrusive approach to assessing a bank's risk culture, while Luu et al. offer a complementary approach. While the normative models, frameworks, and theories discussed above, and others besides, provide a solid basis for organizational change, institutional theory, in particular, has much to offer in identifying and demonstrating how coercive, normative, and cultural-cognitive mechanisms can be usefully applied in concert to bring about institutional change in behavior, to have firms commit to Model II behaviors, as opposed to Model I. However, Thakor (2021, p. 71) argues that "preaching the importance of ethics to banks or even imposing penalties on banks for ethical transgressions may not be as effective as higher capital requirements in generating more ethical behavior" (see also Blake, 2022; Kane, 2016).
From a safety culture perspective, the social environment from which banking and finance professionals emanate may need to be considered. For example, banking and finance professionals will have been educated in economics and finance in business schools. A seminal study by Ferraro et al. (2005) demonstrates the influence of economic theory in shaping fundamental assumptions of self-interest, distrust, and the avoidance of social responsibility in business. This is argued to influence behaviors in graduates that are carried over to their professional lives in business and finance (cf. Friedland & Jain, 2022). The results of an experimental study on the ethical behavior of bankers find bank professionals honest in normal social situations but when their professional identity is made salient, they tend to be more "dishonest than nonbanking professionals." The authors conclude "that the prevailing business culture in the banking industry weakens and undermines the honesty norm, implying that measures to re-establish an honest culture are very important" (Cohn, Fehr, and Maréchal, 2014, p. 86). Thus, van Hoorn (2015, p. 253) concludes that "the financial services industry has been providing an environment highly conducive to unethical behavior. The practical implication is that fixes to the financial system can only come from improved regulatory design." In contrast, new research by Deter and van Hoorn (2023, p. 1) concludes that "the average financial risk preferences of finance professionals are mostly shaped by individuals entering the industry. As such, policies aimed at changing risk preferences in the finance industry should be targeted at recruitment … it suggests that recruitment policies can play a crucial role in shaping the risk preferences of finance professionals." Individuals in banking come from diverse national cultures, which also exert an influence on risk taking (Ashraf et al., 2016) and may confound top-down efforts at culture change in global banks (Kane, 2016). A recent research monograph by a Professor of Finance at the City University of London is emphatic, however, in its conclusions: "I have argued in this paper that there is a common underlying cause [of misconduct], namely playing the Great Game. The banking and wider financial services industry attracts a certain class of individual, one who is prone to overconfidence, excessive risk-taking, and, in some cases, psychopathic behavior. Such people tend to like complexity for its own sake, but do not fully understand the implications of that complexity in the design of the financial products they sell, in particular, the implications for the stability of the financial system as a whole. Further, they do not care: they are only interested in gaming the system to maximize rent extraction for themselves" (Blake, 2022, p. 45).
Clearly, changing risk culture is more complex than most assume, as there exists a recalcitrant group of individuals in all banks, across national cultures, that are responsible for the low-frequency high-impact risk events that were witnessed at CS between 2020 and 2022. Thus, we argue that strong external and internal incentives, along with sanctions for noncompliance (Kane, 2016), as well as objective evidence, provided by digital technologies, of behavioral change (to Model II, if possible), and the application of integrated risk management and controls speak to the ECB model and research conducted at the Bank of England (Leaver & Reader, 2019 and Suss et al., 2021), and the concerns voiced by Blake (2022).

Toward a digital enterprise risk accounting paradigm
The current approach to operational risk management in large banks is generally backward-looking and focuses chiefly on quantitatively modeling historical losses to estimate regulatory capital. While digital technologies such as AI are being employed to detect suspicious activities such as fraud and antimoney laundering (Stears & Deeks, 2023), operational risk management approaches have yet to be digitized. Thus, "banks are operating suboptimal systems of operational risk management due to the lack of atomic exposure quantification, aggregation, valuation, accounting and reporting in financial statements" (Hughes, 2023, p. 28).
Figure 4 summarizes the key elements and properties of the Risk Accounting Standards Board (RASB) Risk Accounting approach to measuring and assessing nonfinancial risk. The architect of the approach, Peter Hughes, published the architecture and method (including worked examples) in two books (Hughes, 2021, 2023) and related articles. We first provide a short overview of this approach and then integrate this into an AI-based Enterprise Data Fabric architecture.
To begin this brief presentation of the risk accounting approach, we note that Hughes (2021, 2023) based his method on two basic propositions. First, the Risk Unit (RU) is posited as a nonfinancial metric to help quantify nonfinancial risks. As implemented in risk accounting, the RU is "a common, additive metric that expresses all forms of operational risk and is used to quantify, aggregate, and report exposures to operational risks" (Hughes, 2023, p. 189). Second, the focus of operational risk exposures in banks relates to the people, processes, and systems that enable "the transfer of products and services to, or the execution of trades with, third party customers, counterparties, or intermediaries" (Hughes, 2023, p. 18). Risk exposures in banks originate in the following business activities and their enabling people, processes, and systems: transaction processing, funding, lending, trading, interest rate management, and selling; reference data also play a major role throughout. A combination of manual, semiautomated, and automated processes enabled by digital technology-based systems characterize these activities and present various levels of risk exposure from manual-high to automated-low, depending on the monetary (£,$,€) size and volume of transactions. Typical unexpected losses associated with failed people, processes, and systems include, but are not confined to, credit losses, trading losses, regulatory penalties, and fines, as well as court-imposed sanctions, out-of-court settlements, compensation to customers and counterparties, and also asset write-offs. Firms generally keep a record of losses on file and subscribe to loss databases such as ORX, to enrich internal loss data.
The Risk Accounting Calculation Engine for nonfinancial risk answers two questions: (1) What are the product risks, expressed as an Exposure Uncertainty Factor (EUF) 0-20?; and (2) What are the product $ values, based on daily new business and expressed as Value Band Weights (VBW) for the purposes of calculation? This helps express product exposure in RUs and risk exposures and losses in accounting values (£, $, €, etc.). EUF values are scaled in the range of 0-20 reflecting the complexity of a product and the risks inherent in the operational activities that underpin it, scaled, for example, by the number of processes involved in a product's life cycle. For example, Fixed Term Deposits might score 6, as six processes are involved, while Equities are scaled at a factor of 13. The value bands in the worked example (Hughes, 2023, p. 223) are numbered 1-22 and scaled logarithmically (2.0-163.6) to reflect the degree of automation of large-scale transactions and the deceleration of risk as operational throughput increases due to digitization.
Hence, the calculation for Inherent Risk is:

To calculate Residual Risk in RUs and loss values, the Risk Mitigation Index (RMI) for each product and process/activity is calculated. This is performed using the Enhanced Risk and Control Self-Assessment (E-RCSA) approach. Hughes (2021, 2023) provides detailed E-RCSA questionnaires based on the product, process/activity/business unit, systems, risk, and control categories presented in the text and appendices. These are based on the RASB's and Peter Hughes's extensive experience, and we believe they possess empirical fidelity with structures, activities, processes, and products across retail and investment banks. These are the business component categories identified by Hughes and they contribute to the development of the taxonomies presented in Figure 5. The E-RCSA is meant to be completed by the business person responsible for a particular business product, process, or system and will reference other people within their area of responsibility. Thus, although implicit in risk accounting, it is relatively easy to create a people taxonomy and populate this in the enterprise or risk accounting knowledgebases. Scores in the E-RCSA are scaled from 0 to 100. Residual Risk is calculated as follows:

Note the scaling of Inherent

The EUF, RMI, and E-RCSA models described above are not static; they can enable risk measurement and management in real time. First, Hughes (2021, 2023) made provisions for the volume of product turnover each day to be recorded in the model, either manually or imported automatically from accounting systems. Second, the status of risk mitigation measures may be updated periodically via E-RCSA or in the architecture in Figure 5, using AI and algorithms, for example, to detect suspicious activities and assess controls, whether it concerns fraud or manipulation of products or trading accounts, or attempted cyber breaches of IT assets and infrastructures. Third, the losses assigned by risk accounting to failed people, processes/products, and systems can be compared with and validated by internal and external loss databases.
We discovered in assessing the Risk Accounting methodology from publications, presentations, and demonstrations (2021–2023), that the Calculation Engine and its knowledgebase are highly transparent and auditable. Adopting banks can customize and make firm-specific various aspects of risk accounting to be congruent with their business models, vocabularies, taxonomies, business architecture (activities and processes), and systems. They can also add these dimensions in the "tables" or knowledgebases that underpin the EUF, VBW, RMI, and E-RCSA. The principles of the Risk Unit or RU and the allocation of accounting/monetary values to risk exposures are the core of the model and its strength.
One obvious advantage of the approach is that it helps break down the barriers caused by the three lines of defence (3LoD) model, in that its setup and maintenance will involve the active participation of business units, down to a granular level of staff participation, including accounting and finance professionals, risk professionals, compliance professionals, IT (cybersecurity, knowledge engineers, and data scientists), and business professionals in order to design, populate, and complete the tables or knowledgebases.
Unlike the risk assessment approaches advocated by the BCBS, granular, aggregable data on the risk and loss exposures of products and processes/business activities, expressed in RU and £,$,€, provide first-line business professionals, managers, and the C-suite and board, with drill-down risk exposure and loss information at a truly granular level. The Appendix of this paper provides examples of product summaries from a product risk and a processing risk perspective. These are a sample of the risk, control, and loss exposure information views provided by Risk Accounting's Calculation Engine. Hughes (2023, p. 195) argues that risk accounting, through the "risk mitigation index (RMI) is a measure of risk culture as it blends qualitative and quantitative risk attributes from across the enterprise into a single metric." Research in institutional theory finds that informational mechanisms enable change in cognitive frames and provide coercive and normative pressures on actors (Butler et al., 2023; Butler & Hackney, 2021; Campbell, 2004). Hence, risk accounting can help provide granular transparency and incentivize first-line business staff to minimize risk-taking and enhance controls. Furthermore, risk appetite statements can be expressed in RUs, by business unit, activity/process, products, and risk type at a low level that can be aggregated meaningfully to the board. Also, the third line of defence audit function will be better empowered as E-RCSAs are objective risk reporting instruments, rather than subjective RAG estimates, and the Risk Accounting Calculation Engine's algorithms and output are fully transparent and auditable.

A note on AI-enabled enterprise data fabric for risk accounting
Hughes (2023) points out Risk Accounting's Risk Calculation Engine can be scaled with different digital technologies. As large banks and particularly G-SIBs typically have hundreds, if not thousands, of siloed information systems and related databases, risk data integration is a major challenge, as indicated above. Banks have recently begun adopting data fabric technology to address their data integration problem. Hernandez (2022) points out that a "data fabric improves upon existing data infrastructure, often by adding automation to the data-management process. It operates as an integrated layer-the fabric-of data and connecting processes, and it implements analytics over metadata assets (that is, the data that provides more information about other data)." Semantic technologies, such as ontology-based knowledgebases, increasingly empower enterprise data fabrics with data integration and enhanced AI capabilities, such as those required to identify and remediate suspicious activities and cyber threats, as well as powerful risk analytics (Butler & O'Brien, 2019a,b). An ontology is simply a human- and machine-readable metadata model, which when combined with a graph database, is called a knowledgebase. When used for data integration, a knowledgebase provides the backbone for a data fabric. Machine learning (ML) and Natural Language Processing (NLP) abilities are significantly enhanced using these technologies (Butler & O'Brien, 2019b; Butler et al., 2023). Thus, we argue that ontologies, ML and NLP technologies provide the ideal technology stack on which to base a risk accounting approach because they provide a solution to the risk data aggregation problem and open the possibility of employing AI agents to enhance risk and control assessments (cf. Paech et al., 2019). Figure 5 presents an enterprise risk accounting AI-based architecture that builds on our research on applying digital technologies to address enduring problems in risk management and compliance reporting.

CONCLUSION
The challenge facing the financial industry in addressing the problems with its approach to operational risk is significant. Following the financial crisis in 2007/2008, regulators expected that banks would learn from their mistakes and institute the necessary cultural and organizational changes to make their governance structures, policies, and processes effective to address the challenges of managing operational risk in the digital age. However, this clearly has not happened given the "staggering" and persistent costs to financial institutions of operational risk losses and the opportunity costs of allocating risk capital to cover possible loss exposures. Thus, the costs of operational risks to financial institutions remain considerable. While risk events and losses have declined over the past 10 years (BCBS, 2023), the ORX 2023 report indicates that there was a significant rise in 2022. This is concerning as some argue that the costs of low-frequency, high-impact events are borne chiefly by society, because they typically exceed regulatory capital provisions, as was the case recently with Credit Suisse. However, we also point out that there are significant externalities and indirect second-order costs to consumers and businesses due to service disruption, inconvenience, data loss, and losses from fraud, to mention a few (Curti, Frame et al., 2022; Mukunda, 2018).
The assessment and management of financial and operational risks are hampered in the financial industry in that operational risk management is, for the most part, divorced from both the firm-specific first-line and third-party critical operations that deliver financial services. One reason for this is that risk and compliance departments are isolated, siloed support functions in what has become known as the second line of defence (Birindelli & Ferretti, 2017; Harvey et al., 2021). This has significant consequences for the management of risk at an enterprise level. Why? Because the analysis in Table 2 and the related discussion on organizational culture indicate that business managers and operations staff in the front-, middle- and back-offices are failing to engage in managing the risks they control, except for participation in largely ceremonial and ineffective risk self-assessment and reporting. Hence, those governing financial institutions do not have an integrated enterprise-wide view of their risks and exposures in real time (Bantleon et al., 2021; Berger et al., 2022; Curti, Frame et al., 2022; Hughes, 2023). The evidence provided above indicates that financial institutions are unable to manage their risks or control risk factors efficiently or effectively, and the bigger the bank, the bigger the problem (Berger et al., 2022; Curti, Frame et al., 2022). Even more troubling is that risk management at enterprise, business unit, and function levels continues to involve widespread manual curation of risk data.
While bank employees note that bank culture has changed, Macartney (2019) observes key areas where important cultural change has not taken place, as fines and penalties proved wholly ineffective, and any political interest in change in the United States and the United Kingdom waned after 2010. This paper provides evidence that many banks have failed to sufficiently change important aspects of their organizational cultures and institute appropriate risk cultures and behaviors (Blake, 2022; Thakor, 2021). While our field research and practical experiences confirm that most bankers appear to behave ethically and morally, we observe, and the available evidence confirms, that banks are failing to change from dysfunctional Model I risk management behaviors, where adherence to the dominant theory-in-use on operational risk exhibits single-loop learning, to Model II behaviors, and second-loop learning. Thus, we believe that banks do not critically question their business models, value systems, assumptions, recruitment practices, and operating norms and are not learning through double-loop processes to address systemwide problems of operational risk (see Argyris, 2010; Argyris & Schön, 1978, 1996; Schein, 2004) or issues with ethical or moral agency (Selznick, 1992). This failure to transform adequately is most visibly observed in the digitalization of financial services, which is a double-edged sword, in that while digitalization enhances service delivery, it brings higher levels of complexity and new threats and vulnerabilities to operational activities. As indicated, digitalization could also enhance monitoring and control and help to identify amoral, unethical, or "rogue" bankers even within banks where the "pursuit of and desire to capitalize upon yet not publicize an occupational culture stressing a 'risk-and-win' ethos" dominates (Wexler, 2010, p. 1) and where banks continue to recruit professionals with assumptions, values, commitments, and behaviors that are incongruent and will never be aligned with the ethical and desired risk culture of postcrisis banks (Blake, 2022). This is perhaps why Macartney (2019, p. 1) observes the "cultural problems facing the Anglo-American banking simply will not go away." Hughes (2023, p. 181) therefore points out that if regulators and "bank's board and C-Suite executives believe that promoting a positive risk culture is an acceptable substitution for effective measurement-based risk control and reporting they are seriously deluded."
There is an upside to digital innovation, as indicated in Figure 5 and the new paradigm of risk accounting. It presents an AI-enabled digital architecture that could solve problems with risk data aggregation and analysis. However, the risk accounting approach goes further than this. Not only is it capable of providing a unit of risk (RU) to help quantify nonfinancial risks and aggregate and report risk exposures, but it also puts a financial value on product, process, system, and people risk at a granular level. This level of transparency provides an incentive to change behaviors in banks; as Hughes argues, "what gets measured gets managed." Thus, the implementation of risk accounting provides more powerful incentives than regulatory capital requirements associated with Basel II and III's backward-looking advanced measurement approach (AMA). Hence, a risk accounting approach supports cultural change in banks while providing a basis for a paradigm change in the way operational risk is managed across the enterprise. And just as management and cost accounting provide firms across industries with unit costs to help manage operations, a risk accounting approach provides firms with the RU that is aggregable and analyzable, with associated risk exposure monetary values.
In conclusion, one of the reviewers of this paper noted that because acute or high-impact operational risk losses are externalized to customers and other stakeholders, there are few business incentives to change to approaches that address the chronic levels of systemic operational losses. Thus, banks accept extraordinary levels of high-frequency low-impact operational losses, whose aggregation is, nevertheless, very significant. Given the current levels of institutional recalcitrance, we believe a paradigm change in the financial industry will require a supporting regulatory framework that obliges banks to digitize operational risk processes and introduce tighter standards with respect to the management and mitigation of operational risk.

FIGURE 1 Unpacking the concept of organizational culture.
FIGURE 2 Theories of action and learning.

FIGURE 3 ECB risk culture. 3LoD, three lines of defence model.
Risk and RMI values to make the residual RUs cognitively meaningful (see the Appendix examples).

FIGURE The role of risk accounting in enterprise operational risk (adapted from Hughes (2023)). AI, artificial intelligence; NLP, Natural Language Processing.