The EBA publishes updated risk assessment indicators


Strategically categorizing cyber threats is essential for ensuring they are managed effectively and capitalized correctly within the broader Operational Risk framework. Digital threats are primarily classified under two specific event types:

External Fraud: This category explicitly includes malicious external acts such as financial losses or data breaches resulting from hacking damage and the theft of information.

System and IT Failures: This classification covers a range of internal technological vulnerabilities, including hardware or software failures, inadequate IT resources, errors in system development, and the resulting disruption of services.

This dual‑categorization approach ensures that distinct types of digital events are not only identified but are also actively monitored through targeted performance metrics.

Monitoring and Measurement via Risk Indicators

To actively manage the threats within the External Fraud and System and IT Failures categories, the framework employs a pair of corresponding quantitative measures known as Operational Risk Indicators (OPRs). These indicators quantify the financial impact of specific threats by measuring the share of minimum capital required to cover associated losses. The key indicators for digital threats include:

OPR_7: This indicator tracks the share of the operational minimum capital required to cover losses specifically attributed to external fraud, a category that directly includes hacking incidents.

OPR_8: This indicator monitors the share of capital allocated to cover losses resulting from business disruptions and system failures, providing insight into the institution's technological resilience.

The data gathered from these indicators serves as a direct input for evaluating and strengthening the institution's internal control environment.

The Objective: Enhancing Control and Stability

Ultimately, this framework serves as a tool for enhancing institutional resilience against a landscape of evolving digital threats. The core management philosophy is that a higher recorded frequency or impact of events in these OPR categories signals a need for improved internal controls. While Operational Risk is recognized as an unavoidable aspect of business, it is managed through rigorous data collection on both high‑frequency/low‑cost events and low‑frequency/high‑impact events. Particular focus is given to those events with the potential to have a destabilizing effect on the institution.

This approach provides a robust method for assessing and capital‑weighting digital threats, fully integrating them into the institution's risk management structure through the established lenses of external fraud and systemic reliability.