Tashkent, Uzbekistan (UzDaily.com) — In an era marked by rapid development of financial technologies, the digitalization of banking services, and heightened geopolitical instability across the region and beyond, operational risk management in banks and financial institutions has become more critical than ever.

As the market evolves, so do regulatory requirements and expectations surrounding operational risk. In late 2024, Uzbekistan’s Central Bank became a member of the International Operational Risk Working Group (IORWG) — a move that will enable the regulator to adopt more sophisticated regulatory practices grounded in international standards.

According to the Basel Committee, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. In a digitalized world, IT system failures, data breaches, or human error can lead to severe financial and reputational consequences.

Automation: Proceed with Caution

Many financial institutions are actively exploring advanced automated operational risk management systems, particularly for building operational risk event databases (OREDs), performing automated self-assessments, and analyzing incidents.

However, before rushing to adopt such solutions, banks are strongly advised to first establish a robust and mature operational risk management (ORM) framework. This includes defining clear processes, methodologies, and roles for assessing, analyzing, monitoring, and mitigating operational risks.

A well-structured approach will not only ease the integration of automated systems and the selection of compatible software vendors, but also ensure alignment with evolving regulatory expectations. For example, regulators may introduce the Basel-standardized capital approach for operational risks, which requires a solid understanding of historical operational loss data — something that is difficult to achieve without a functioning data collection system in place.

Operational risk affects all levels and departments within an institution, as potential sources of risk can emerge anywhere. Hence, it’s essential to cultivate a risk-aware culture from the outset. This includes providing training on ORM methodologies, escalation mechanisms, and cross-functional collaboration.

Key Components of an Operational Risk Management Framework

The foundation of any ORM framework lies in the identification and assessment of risks — the first steps in the risk cycle that require active participation across the entire institution.

Given the nature of operational risk, early-stage risk assessments are often expert-based, relying on qualitative inputs. A core mechanism here is Risk and Control Self-Assessment (RCSA) — where employees identify, document, and evaluate risks and the effectiveness of existing controls.

Various RCSA methods exist — from working groups and surveys to checklists and structured interviews. When well-implemented, the RCSA process offers a first approximation of the institution’s risk profile, highlighting areas of concern, frequent control failures, and high-risk processes.

Even in its qualitative form, the RCSA process is critical for systematizing data collection and ensuring coherent operation across all elements of the ORM framework.

A central component of the system is the Operational Risk Event Database (ORED) — a unified repository of all recorded risk incidents. The earlier an organization begins to collect and consolidate such data (including insights from RCSA), the more efficiently it can evaluate risk trends and strengthen its mitigation efforts.

Without a high-quality database and historical data, implementing advanced automation may prove ineffective or even counterproductive.

A Strategic Imperative for the Uzbek Banking Sector

Uzbekistan’s banking sector now faces the critical task of ensuring high-quality risk governance and client protection. Operational risk management should not be viewed as a compliance formality, but as a strategic priority.

A systematic ORM approach will lay a strong foundation for future automation, supporting sustainable, efficient, and compliant operations in a complex and fast-evolving financial landscape.

Authors:

Ilya Namis — Manager, Head of Operational Risk Advisory for Financial Institutions, EY Caucasus and Central Asia
Nikita Rybin — Senior Consultant, Risk Advisory for Financial Institutions, EY Caucasus and Central Asia