The following sections provide a description of the methodology used as part of the Supervisory Review and Evaluation Process (SREP) for assessing the operational risk and the information and communication technology (ICT) risk of significant institutions (SIs). The ECB uses a standardised risk-based methodology to assess these risks.
1 Introduction
The SREP operational and ICT risk methodology:
- is applied proportionately to SIs, taking into account the nature, scale and complexity of their activities;
- supports Joint Supervisory Teams (JSTs) in performing risk-based supervision while providing sufficient flexibility to cater for bank-specific elements: the frequency, scope and depth of assessments vary according to European banking supervision priorities and bank-specific priorities;
- is comprehensive and includes backward and forward-looking perspectives that consider all relevant risk components and their possible mitigants;
- is consistent with the European Banking Authority (EBA) guidelines on the SREP and is used to assess whether banks are complying with the ECB’s supervisory expectations;
- draws on best practices and is periodically updated to ensure alignment with the EBA’s SREP guidelines and any relevant changes to regulations.
For the purposes of this document:
“Operational risk” is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.
“ICT risk” is the risk of loss related to the use of network and information systems, which, if it were to materialise, might compromise the security of (i) the network and information systems, (ii) any technology-dependent tool or process, (iii) operations and processes, or (iv) the provision of services, by producing adverse effects in the digital or physical environment.
“Operational resilience” is the ability of a bank to deliver critical operations through disruption. This ability enables a bank to identify and protect itself from threats and potential failures, respond and adapt to, as well as recover and learn from disruptive events to minimise their impact on the delivery of critical operations through disruption.
Operational risk and ICT risk are assessed as being risks to capital (Element 3) and included in the SREP (Figure 1).
Figure 1
Overview of the SREP methodology

Operational risk and ICT risk are assessed separately. The assessment of both risk categories is based on (i) a quantitative assessment that considers the inherent risk (risk level), and (ii) a qualitative assessment that considers the management and control framework (risk control) (Figure 2). In the risk level assessment, JSTs assess risks or vulnerabilities that could have an impact on prudential elements of the institution if they were to materialise. During the risk control assessment, JSTs assess whether credit institutions have adequate processes and systems in place to identify, measure, evaluate, monitor, report and mitigate the level of operational and ICT risk.
The risk level assessment for operational risk is performed by JSTs in three phases (the ICT risk level assessment includes only Phases 1 and 3):
- Phase 1: supervisors collect data from the bank and assess the materiality of the risks;
- Phase 2: an automated anchoring score is generated based on common key risk indicators;
- Phase 3: supervisors carry out a more in-depth operational and ICT risk assessment, taking into account supervisory judgement regarding the specificities of the bank and applying constrained judgement.
The risk control assessment for both operational risk and ICT risk focuses on the Phase 3 review of bank risk management arrangements.
Constrained judgement is applied by combining the risk level and risk control results into an operational risk score and an ICT risk score.
The two risk profiles are then combined in an overall operational and ICT risk assessment. The supervisory judgement is summarised in an overall operational and ICT risk score of between 1 and 4 (with qualifiers) and a rationale for that score.
Figure 2
Overview of the SREP operational and ICT risk assessment

The SREP methodology is rooted in relevant EBA guidelines, EU regulations and documents in which the ECB communicates its supervisory expectations, as well as established industry standards relating to operational risk and ICT risk.
2 Phase 1 – Data gathering
The SREP assessment is performed on the basis of a wide range of quantitative and qualitative information sources. Quantitative data are of particular importance for fostering consistency and comparability.
The risk level assessment relies on quantitative indicators derived from the data received under the implementing technical standards on supervisory reporting, supplemented by the collection of additional supervisory data (such as responses to the ECB’s regular IT Risk Questionnaire). Additional information considered by JSTs can include internal management data available in banks’ internal reports, such as internal capital adequacy assessment process (ICAAP) reports and internal audit reports.
The risk control assessment for both operational risk and ICT risk draws on similar information and data sources to those described above, including documents created by the credit institution itself, internal SSM documentation, information from external sources and any other relevant sources.
3 Phase 2 – Anchoring
The purpose of Phase 2 of the operational risk assessment is to produce an automatic anchoring score for the institution’s operational risk level. The Phase 2 score is risk-based and the methodology is applied consistently across all SIs. It serves as a starting point for JSTs to consider more detailed bank-specific circumstances and thus apply expert judgement. The Phase 2 methodology captures various dimensions (e.g. historical operational risk losses) to ensure that the preliminary assessment of an institution’s operational risk profile is sufficient and comprehensive. The Phase 2 score does not aim to capture all idiosyncratic elements linked to a bank’s operational risk profile. These aspects are considered during the in-depth assessment performed by JSTs in Phase 3. The ICT risk assessment does not rely on a Phase 2.
4 Phase 3 – In-depth assessment
Phase 3 gives JSTs the flexibility to consider institution-specific aspects of the various risk drivers, following a consistent risk-based framework. This comprehensive assessment results in final scores that reflect the institution’s specific operational and ICT risk level and risk control.
During the Phase 3 assessment, JSTs take into account insights gained from on-site inspections, deep dives, horizontal analyses (such as targeted or thematic reviews) when available, and other information and data gathered during Phase 1. Peer comparison is also embedded in this assessment and supported by internally available tools. The assessment performed in Phase 3 should be proportionate to the institution’s level of operational and ICT risk, and should be risk focused.
Figure 3
Modular structure of the operational and ICT risk assessment

For the assessment of both operational risk and ICT risk, JSTs select the modules to assess in a given year based on their expert judgement, taking into account multi-year planning carried out by the JSTs according to the Multi-Year Approach (MYA).
JSTs should make full use of the assessment outcomes for the following modules to score the overall operational risk level of the bank:
- Conduct risk, client, product and business practices (CPBP) risk and internal fraud risk
- Execution, delivery and process management risk
- External fraud risk
- Employment practices and safety risk and business disruption risk
- Reputational risk
- Third-party risk level
JSTs should make full use of the assessment outcomes for the following modules to score the overall operational risk control of the bank:
- Governance and organisational framework
- Strategy and risk appetite
- Internal control framework
- Risk management and mitigation
- Framework for internal capital allocation
- Third-party risk control
- Business continuity
JSTs should make full use of the assessment outcomes for the following modules to score the overall ICT risk level of the bank:
- ICT security risk
- ICT availability and continuity risk
- ICT change risk
- ICT data integrity risk
- Third-party risk level
JSTs should make full use of the assessment outcomes for the following modules to score the overall ICT risk control of the bank:
- ICT governance and ICT risk management
- ICT operations (incl. incident management)
- Software acquisition, software development and project management
- Information security management
- Third-party risk control
- Business continuity
Further details on each of these modules are provided below.
When performing the assessment, JSTs should also consider that weaknesses in other areas such as governance, risk controls or ICT systems (e.g. an inadequate or non-existent control system) increase the potential exposure to money laundering and terrorist financing (ML/TF) risk. Measures taken by EU anti-money laundering and counter-terrorist financing (AML/CFT) authorities (e.g. investigations, procedures, fines and penalties imposed by those authorities) affect the reputation of the bank. These are therefore material areas that may impact the prudential elements of a supervised entity and are relevant for the purposes of the operational risk assessment.
On concluding their operational and ICT risk assessment, JSTs draw conclusions on the operational resilience of institutions, including their digital operational resilience. Operational resilience starts with the premise that disruptions will occur and focuses on building capabilities to deal with such events when they materialise. This should be done through a critical operations lens, encouraging institutions to prioritise what is critical to them and to the financial system, and to understand the interconnections and interdependencies involved in delivering those operations. To form a view on operational resilience, JSTs are encouraged to focus on the Basel Committee on Banking Supervision principles for operational resilience, including governance, operational risk management, business continuity planning and testing, mapping of interconnections and interdependencies of critical operations, third-party dependency management, incident management and ICT resilience. The methodology is structured in such a way as to prevent double-counting between the operational resilience score and the operational and ICT risk assessment scores.
4.1 Operational risk level modules
JSTs should make full use of the assessment outcomes for the following modules:
Conduct risk, client, product and business practices risk, and internal fraud risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to any form of:
- fraudulent activity carried out by or in collusion with an employee or agent;
- financial damage in connection with the institution’s products;
- (a) improper or aggressive business practice, (b) misconduct, or (c) compliance breaches.
Execution, delivery and process management risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to:
- any form of process, execution or service delivery failure;
- errors made during the preparation, production, maintenance or disclosure of reports that could result in a failed mandatory reporting obligation or in inaccurate external reports;
- specific process risks, e.g. with regard to (i) material projects, (ii) organisational transformation or change, or (iii) corporate events.
External fraud risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to:
- fraud committed by a client or an external party in relation to their lending, payments or investment transactions;
- external physical fraud;
- risk arising from a client suffering losses as a result of fraud by a third party;
- risk arising from an external party using fictitious or stolen personal information.
Employment practices and safety risk and business disruption risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to:
- risk arising from acts inconsistent with employment, health or safety laws or agreements, from the payment of personal injury claims, or from issues relating to diversity or discrimination;
- risk arising from natural disasters or other events, or from external actions by individuals or groups of people.
Reputational risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to:
- current or prospective risk affecting their earnings, own funds or liquidity arising from damages to their reputation.
4.2 Operational risk control modules
JSTs should make full use of the assessment outcomes for the following modules:
Governance and organisational framework: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have an independent operational risk control function with adequate resources and stature, roles and responsibilities;
- have an operational risk control framework that is properly documented, approved by the management body, implemented and adequately reviewed by the internal audit function;
- have a risk committee that includes members of the management body, meets regularly and covers operational risk;
- have effective risk management committees at the corporate and business unit levels, which meet regularly and cover operational risk;
- have policies and processes that define, evaluate and manage the exposure to operational risk, and whether these are in place throughout the organisation to manage operational risk across all material products, activities, processes and systems in accordance with their risk appetite and tolerance statement;
- have an adequate involvement of their management body in defining and approving policies and processes for the management of operational risk.
Strategy and risk appetite: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have a risk appetite and tolerance statement for operational risk that is adequate in terms of content, which is approved and reviewed by the management body, as well as being properly embedded in their overall operational risk strategy and policies;
- have a risk appetite and tolerance statement that properly articulates tolerance levels for all material operational risk event types that they are exposed to.
Internal control framework: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have a risk identification process that is comprehensive and operationally effective in understanding and capturing all material operational risks inherent in their products, activities, processes and systems;
- have an operational risk incident management system that ensures a consistent and efficient handling of incidents during day-to-day business to limit the impact and prevent recurrence;
- have a strong control environment, including policies, processes and systems to ensure that controls are designed, implemented and operating effectively, and are reported on in a coherent and aggregated manner;
- appropriately manage findings, actions and lessons learnt;
- have operational risk reports that are comprehensive, accurate, consistent and actionable across business units and products.
Risk management and mitigation: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- adequately manage and mitigate internal fraud risk, product risk, the risk of improper and aggressive business practices, conduct risk and compliance risk;
- adequately manage execution, delivery and process management risk with a view to preventing or mitigating execution, delivery and process failures;
- adequately manage and mitigate external fraud risk;
- adequately manage and mitigate employment practices and workplace safety risk, as well as business disruption risk.
Framework for internal capital allocation: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- adequately quantify and allocate internal capital for operational risk from both an economic and normative perspective.
4.3 ICT risk level modules
JSTs should make full use of the assessment outcomes for the following modules:
ICT security risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to ICT security risk, and the extent to which ICT security risk materialised during the assessment period or is foreseen to materialise in the future. In addition:
- the assessment relies on information points such as the number of external companies with access to internal systems or data, the number of data breach security incidents that resulted from the connection of end-user devices to the corporate network, and the dependency of critical processes on no longer supported end-of-life systems.
ICT availability and continuity risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to ICT availability and continuity risk, and the extent to which ICT availability and continuity risk materialised during the assessment period or is foreseen to materialise in the future. In addition:
- the assessment relies on information points such as the location(s) of important ICT operations or data centres, the number of times ICT continuity or disaster recovery plans have been triggered, and the annual unplanned downtime of critical ICT systems.
ICT change risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to ICT change risk, and the extent to which ICT change risk materialised during the assessment period or is foreseen to materialise in the future. In addition:
- the assessment relies on information points such as the overall complexity and scale of their ICT landscape, the nature of any large business or ICT transformation programmes in progress, and the risk associated with any ongoing mergers and acquisitions.
ICT data integrity risk: the JSTs’ assessments include, but are not limited to, the extent to which the institutions are exposed to ICT data integrity risk, and the extent to which ICT data integrity risk materialised during the assessment period or is foreseen to materialise in the future. In addition:
- the assessment relies on information points such as the number of end-user developed applications supporting critical services, the number of significant invalid data modification incidents, and the number of annual incorrect data submissions.
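The information points listed for the four ICT risk level modules are the kind of indicators an institution has to derive from its own asset inventory and incident records before it can report them. The following is an added illustration of that derivation; it is not code from the ECB or from any questionnaire, and the data model, field names and sample inventory are assumptions constructed for the example. It computes the number of external companies with access to internal systems, the critical processes that depend on end-of-life systems, annual unplanned downtime of critical systems, the number of continuity or disaster recovery plan invocations, and the number of end-user developed applications supporting critical services.

```python
"""Added illustration: deriving ICT risk-level information points of the kind
listed in the SREP ICT risk modules from an asset inventory and an incident log.
The data model, field names and sample data are assumptions for this example,
not an ECB or IT Risk Questionnaire format."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, FrozenSet, List, Optional, Set


@dataclass(frozen=True)
class Asset:
    name: str
    critical: bool                       # supports a critical process or service
    support_end: Optional[date]          # vendor end-of-support date; None if supported or in-house
    external_parties: FrozenSet[str] = frozenset()  # third parties with access to the asset
    end_user_developed: bool = False     # spreadsheet/EUDA-style application


@dataclass(frozen=True)
class Incident:
    asset: str
    unplanned: bool                      # False for planned maintenance windows
    downtime_minutes: int
    dr_plan_triggered: bool = False      # continuity or disaster recovery plan invoked


def critical_names(assets: List[Asset]) -> Set[str]:
    return {a.name for a in assets if a.critical}


def external_parties_with_access(assets: List[Asset]) -> Set[str]:
    """Distinct external companies with access to any internal system or data."""
    parties: Set[str] = set()
    for a in assets:
        parties |= a.external_parties
    return parties


def critical_assets_past_end_of_life(assets: List[Asset], as_of: date) -> List[str]:
    """Critical systems whose vendor support ended before `as_of`."""
    return sorted(a.name for a in assets
                  if a.critical and a.support_end is not None and a.support_end < as_of)


def unplanned_downtime_of_critical_systems(assets: List[Asset], incidents: List[Incident]) -> int:
    """Minutes of unplanned downtime on critical systems; planned windows are excluded."""
    crit = critical_names(assets)
    return sum(i.downtime_minutes for i in incidents if i.unplanned and i.asset in crit)


def dr_plan_invocations(incidents: List[Incident]) -> int:
    return sum(1 for i in incidents if i.dr_plan_triggered)


def critical_end_user_developed_applications(assets: List[Asset]) -> List[str]:
    return sorted(a.name for a in assets if a.critical and a.end_user_developed)


def ict_risk_indicators(assets: List[Asset], incidents: List[Incident], as_of: date) -> Dict[str, Any]:
    """One row of indicators for the period, ready to be compared across periods or peers."""
    return {
        "external_parties_with_access": len(external_parties_with_access(assets)),
        "critical_assets_past_end_of_life": critical_assets_past_end_of_life(assets, as_of),
        "unplanned_downtime_critical_minutes": unplanned_downtime_of_critical_systems(assets, incidents),
        "dr_plan_invocations": dr_plan_invocations(incidents),
        "critical_end_user_developed_applications": critical_end_user_developed_applications(assets),
    }


# Constructed sample data for the example (not data from any real institution).
AS_OF = date(2024, 12, 31)
SAMPLE_ASSETS = [
    Asset("core-banking", True, date(2030, 12, 31), frozenset({"VendorA"})),
    Asset("payments-gateway", True, date(2023, 6, 30), frozenset({"VendorA", "VendorB"})),
    Asset("hr-portal", False, date(2022, 1, 1)),                      # past EOL but not critical
    Asset("liquidity-forecast-sheet", True, None, end_user_developed=True),
    Asset("marketing-site", False, None, frozenset({"AgencyC"})),
]
SAMPLE_INCIDENTS = [
    Incident("payments-gateway", True, 240, dr_plan_triggered=True),
    Incident("core-banking", False, 120),      # planned maintenance, not counted as unplanned downtime
    Incident("hr-portal", True, 600),          # non-critical system, not counted
    Incident("core-banking", True, 30),
]

if __name__ == "__main__":
    for key, value in ict_risk_indicators(SAMPLE_ASSETS, SAMPLE_INCIDENTS, AS_OF).items():
        print(f"{key}: {value}")
```

The design choice worth noting is that each indicator is computed from the same inventory that drives the ICT operations expectations (criticality flags, support dates, third-party access); if the inventory is incomplete or stale, every indicator derived from it understates the risk, which is why the ICT operations module asks for a complete and regularly reviewed asset inventory.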
4.4 ICT risk control modules
JSTs should make full use of the assessment outcomes for the following modules:
ICT governance and ICT risk management: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have an ICT strategic plan aligned with the business strategy;
- have a sufficiently comprehensive ICT or digital operational resilience strategy;
- have sound ICT policies, guidelines and procedures to properly drive the work of the ICT function(s);
- ensure that sufficient ICT-related capabilities (human and technical resources) and budget are available to support the ICT strategy, the development of new projects, recurrent maintenance, ICT security and risk management;
- have clearly defined roles and responsibilities for ICT personnel (including the management body and its committees), considering the principle of independence;
- have defined and implemented a risk management framework and associated processes that are able to identify vulnerabilities and threats to information;
- conduct ICT internal audit reviews with a frequency and scope commensurate with the risk exposure of the supervised entity;
- ensure their ICT internal reporting provides all the relevant information to the relevant recipients, allowing them to properly identify, assess, monitor and manage the institution’s ICT risk, considering the approved risk appetite.
ICT operations: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have a complete ICT asset inventory that is properly maintained and regularly updated and reviewed;
- have an ICT asset inventory that allows the identification of critical assets and the corresponding recovery requirements;
- have in place an adequate availability and capacity management framework, and formally documented processes for analysing, approving and treating ICT availability and continuity risks;
- have an adequate incident and problem management process;
- have an adequate ICT change and release management process.
Software acquisition, software development and project management: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have a comprehensive ICT project and programme management framework commensurate with their organisational set-up, activities and resources;
- have processes to ensure that acquired (purchased) software applications and systems meet current business requirements and are aligned with the overall ICT architecture, while controlling risks stemming from deployment;
- develop software applications in a controlled manner, ensuring alignment with the overall ICT architecture, business needs and strategy.
Information security management: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have the information security policies, standards and guidelines properly documented, approved by management, implemented and communicated to all staff;
- grant access to ICT assets only to properly identified, authenticated and authorised individuals;
- identify and mitigate vulnerabilities impacting ICT systems in a timely manner;
- have adequate protection measures in place to safeguard ICT systems, at the network and end-point levels, for information in transit and at rest;
- have procedures in place for collecting, logging and analysing security-relevant events in order to trigger actionable security alerts or initiate the security incident process;
- act upon security incidents in a timely manner, with the appropriate involvement of senior management and (as applicable) external entities;
- have designed and implemented adequate physical access and environmental security policies to protect data availability, authenticity, integrity and confidentiality against unauthorised physical access or environmental risk;
- classify assets and data according to established policy and procedure, with clear responsibility and accountability for assets and data;
- have controls in place to prevent unauthorised data leakage.
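Two of the expectations above, granting access only to properly identified, authenticated and authorised individuals, and collecting, logging and analysing security-relevant events so that they trigger actionable alerts, are easiest to understand when seen as detection logic run over real events. The following is an added example of such logic, not code from the ECB or from any supervised institution; the authentication log format, host names, user names, addresses and authorisation lists are all constructed for the example. It raises an alert when an account not on a host's authorised list logs in successfully, and when a successful login from one source follows a burst of failures from that source, i.e. a password-guessing attempt that worked against an authorised account.

```python
"""Added illustration: analysing security-relevant events to raise actionable
alerts (authorised-access check and brute-force-then-success check).
The log format, hosts, users, addresses and authorisation lists are constructed
for this example and are not taken from any real system."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Assumed line format: "<ISO-8601 UTC> host=<h> user=<u> src=<ip> result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    result: str


def parse_log(lines: List[str]) -> List[Event]:
    """Parse well-formed lines; malformed lines are skipped so one bad record cannot stall analysis."""
    events: List[Event] = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(Event(datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                            m["host"], m["user"], m["src"], m["result"]))
    return events


def detect(events: List[Event], authorised: Dict[str, Set[str]],
           fail_threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> List[str]:
    """Return alert strings for unauthorised access and for brute force followed by success."""
    alerts: List[str] = []

    # Rule 1: a successful login by an account that is not on the host's authorised list.
    for e in events:
        if e.result == "OK" and e.user not in authorised.get(e.host, set()):
            alerts.append(f"UNAUTHORISED_ACCESS host={e.host} user={e.user} "
                          f"src={e.src} at {e.ts.isoformat()}")

    # Rule 2: at least `fail_threshold` failures from one source against one host
    # within `window`, followed by a success from that source.
    failures: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)
    for e in sorted(events, key=lambda x: x.ts):
        key = (e.host, e.src)
        recent = [t for t in failures[key] if e.ts - t <= window]   # drop failures outside the window
        if e.result == "FAIL":
            failures[key] = recent + [e.ts]
            continue
        if len(recent) >= fail_threshold:
            alerts.append(f"BRUTE_FORCE_SUCCESS host={e.host} user={e.user} "
                          f"src={e.src} failures={len(recent)}")
        failures[key] = []
    return alerts


# Constructed sample log: a guessing burst that succeeds, a normal login,
# a malformed record, and a login by an account not authorised on that host.
SAMPLE_LOG = """\
2024-05-03T10:00:01Z host=core-banking user=admin src=203.0.113.7 result=FAIL
2024-05-03T10:00:02Z host=core-banking user=admin src=203.0.113.7 result=FAIL
2024-05-03T10:00:03Z host=core-banking user=admin src=203.0.113.7 result=FAIL
2024-05-03T10:00:04Z host=core-banking user=admin src=203.0.113.7 result=FAIL
2024-05-03T10:00:05Z host=core-banking user=admin src=203.0.113.7 result=FAIL
2024-05-03T10:00:09Z host=core-banking user=admin src=203.0.113.7 result=OK
2024-05-03T10:05:00Z host=core-banking user=alice src=10.1.2.3 result=OK
this line is not in the expected format
2024-05-03T10:06:00Z host=payments-gateway user=bob src=10.1.2.9 result=OK
""".splitlines()

# Assumed authorisation lists per host (who may log in where).
AUTHORISED: Dict[str, Set[str]] = {
    "core-banking": {"admin", "alice"},
    "payments-gateway": {"alice"},
}


def run_sample() -> List[str]:
    return detect(parse_log(SAMPLE_LOG), AUTHORISED)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second rule deliberately fires only on failures followed by a success: a burst of failures alone is noise worth a dashboard, while a success after a burst is the actionable case that should start the security incident process. The threshold and window are parameters because the right values depend on the authentication system's own lockout behaviour.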
4.5 Third-party risk and business continuity modules
The SREP methodology for operational risk and ICT risk assesses both ICT and non-ICT components of third-party risk and business continuity in dedicated modules. JSTs follow internal guidance to assess how these modules might impact operational risk and ICT risk to a greater or a lesser extent.
Third-party risk level: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- rely on third-party service providers and the extent to which these are used to support critical or important functions (i.e. whether a defect or failure in performance would materially impact the soundness or continuity of banking and payment services and activities);
- can easily replace third-party service providers or reintegrate the functions contracted out;
- rely on one or more third-party service providers with respect to one or more categories of function.
Third-party risk control: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have an adequate governance framework for third-party risk management, considering their size, complexity and business strategy, which encompasses the entire life cycle of arrangements;
- have adequate processes and resources in place to monitor and assess the performance of third-party service providers.
Business continuity risk control: the JSTs’ assessments include, but are not limited to, the extent to which the institutions:
- have clearly defined roles and responsibilities, as well as a clearly defined decision-making process, for business continuity management;
- have ensured that the management body and senior management are ultimately responsible for business continuity, with effective accountability mechanisms in place;
- have adequately identified and prioritised critical processes, systems and resources, considering their size, complexity and business strategy/model;
- have identified these critical processes, systems and resources on the basis of objective and measurable criteria;
- have adequately developed and tested their business continuity plans;
- have adequately developed, tested and maintained disaster recovery plans.
© European Central Bank, 2024
Postal address 60640 Frankfurt am Main, Germany
Telephone +49 69 1344 0
Website www.bankingsupervision.europa.eu
All rights reserved. Reproduction for educational and non-commercial purposes is permitted provided that the source is acknowledged.
For specific terminology please refer to the SSM glossary (available in English only).
HTML ISBN 978-92-899-6935-2, doi:10.2866/4271382, QB-01-24-037-EN-Q