4.1 This chapter sets out the methodology the PRA uses to inform the setting of a firm’s Pillar 2A capital requirement for operational risk.

4.2 The approach applies to all PRA Category 1 firms but may be extended to other firms depending on the level of sophistication of the firm’s internal operational risk management.

4.3 In determining whether to use the methodology described below to non-Category 1 firms, the PRA takes into account the size and complexity of a firm, as well as the sophistication of a firm’s internal operational risk management. Where a firm is re-assessed as Category 1 or otherwise brought into scope, supervisors will agree a timetable for assessment that is fair, proportionate to the firm’s resources and considers the sophistication of the firm’s internal operational risk management. For firms not in scope, the PRA assesses operational risk on the basis of data provided by the firm, the firm’s own assessment of operational risk and supervisory judgement.

Definition and scope of application

4.4 Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events, and includes legal risk.

4.5 Pillar 1 standardised approaches for operational risk use gross income as a measure of risk. This is not risk sensitive. During the recent economic downturn, incomes dropped but operational risk exposures, in many cases, remained the same or increased. The PRA therefore assesses operational risk as part of its Pillar 2 review of firms’ capital adequacy.