Global Risk Reset: Inside the 2021 BIS Operational Risk Overhaul
What the revised BIS Operational Risk Principles mean for financial institutions.
In March 2021, the Bank for International Settlements (BIS) released a landmark update to its Principles for the Sound Management of Operational Risk (PSMOR), a decade after the 2011 version. Much more than a routine refresh, this update reflects profound changes in the financial ecosystem, driven by digitalisation, cyber threats, pandemic disruptions, and an evolving regulatory landscape.
In this post, I unpack the updated framework, highlight key changes, and explain why every risk professional, auditor, compliance officer, and board member should care.
Why This Update Matters
The 2021 revision aligns the BIS principles with the finalised Basel III operational risk framework, but it also goes much further. It tackles 21st-century concerns: ICT (Information and Communication Technology) risks, cyber resilience, third-party dependence, and the strategic imperative of operational resilience.
Financial institutions can no longer afford to view operational risk management as a backward-looking compliance exercise. The new principles demand a forward-leaning, integrated, and tech-savvy approach.
The 2021 BIS Principles – At a Glance
The updated framework consists of 12 principles (up from 11 in 2011), grouped into three key categories:
I. Governance
Governance – Board and senior management must ensure operational risk is governed at the enterprise level.
Operational Risk Management Framework (ORMF) – A structured, integrated framework is required across all units and geographies.
Risk Appetite and Tolerance – Institutions must define, review, and monitor their operational risk appetite.
II. Risk Management
Identification and Assessment – Institutions must continuously identify and assess operational risks inherent in all material products, activities, and systems.
Monitoring and Reporting – Systems must enable real-time monitoring and clear reporting of exposures and incidents.
Control and Mitigation – Effective controls must be designed, implemented, and regularly tested.
Change Management (New) – Banks must manage risks arising from material internal or external changes.
ICT Risk and Resilience (New) – Technology and cyber risks must be actively managed with sound ICT governance.
Third-party Risk Management – Outsourcing and supplier risks require robust due diligence and ongoing oversight.
III. Resilience and Disclosure
Business Continuity Planning – Institutions must prepare for and recover from operational disruptions.
Operational Resilience (New) – A new standalone principle emphasises the capacity to continue critical operations through extreme stress.
Disclosure – Meaningful public disclosure of operational risk exposures and mitigation strategies is encouraged.
Then vs. Now: Key Differences from the 2011 Version
What This Means in Practice
These changes are not just cosmetic—they redefine how operational risk should be managed.
Digital risk becomes central: Cyber incidents, system failures, and third-party dependencies are now seen as systemic threats.
Change is risky: Launching a new app or migrating to the cloud? Regulators want evidence that you’ve managed the risk.
Continuity isn’t enough: It’s not just about recovering—it’s about designing resilient-by-default operations.
The board is on the hook: Governance must be demonstrable, informed, and proactive.
Outsourcing ≠ Outsourced Risk: You can delegate tasks, not accountability.
Strategic Implications for Risk Professionals
For CROs, compliance teams, and risk managers, the 2021 principles demand a rethink of both tools and mindset:
Embed ICT and cyber risk metrics in your operational risk dashboards.
Develop impact tolerances for critical business services, not just departments.
Recalibrate your risk appetite statement to include resilience metrics.
Review vendor governance frameworks to ensure they meet new expectations.
Elevate change management from a tech issue to a core risk discipline.
Closing Thoughts: Beyond Compliance
The 2021 PSMOR is more than a checklist—it’s a blueprint for future-ready risk management. It asks financial institutions to move from risk control to risk culture, from compliance to capability, and from disaster recovery to sustained resilience.
For banks navigating fintech disruption, geopolitical uncertainty, cyber threats, and climate risk, this new framework offers both structure and strategic direction.
Are you ready?
Stanley Epstein writes about fintech, banking risk, compliance, and the evolving global regulatory landscape.