Banks need higher operational risk capital

Operational risk is no longer a secondary concern for Bangladesh's banking sector. Under the Basel framework, it refers to the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. It includes legal risk but excludes strategic and reputational risk. In practice, this means a bank may be damaged not only by borrowers who fail to repay or by movements in interest rates and exchange rates, but also by forged documents, weak controls, staff collusion, poor governance, cyberattacks, system failures, political pressure, vendor lapses and natural disasters. These are not routine back-office irritants. In Bangladesh, they have become central threats to banking stability.
The urgency is clear from the latest default-loan picture. By March 2026, defaulted loans in the banking sector had reportedly climbed to Tk 5.88 trillion, equivalent to 32.26 per cent of total outstanding loans. This represented an increase of Tk 314.87 billion in only three months from December 2025. Total outstanding loans stood at Tk 18.24 trillion. The deterioration was also broad-based, with non-performing loans rising across most scheduled banks during the first quarter of 2026. This is not merely a weakness of a few troubled lenders. It is a sector-wide warning about asset quality, governance, recovery discipline and risk management.
The conventional explanation is that Bangladesh has a credit-risk problem. That is true, but incomplete. In formal regulatory classification, defaulted loans remain credit risk because the immediate loss arises from a borrower's failure to meet contractual obligations. But the supervisory diagnosis cannot stop there. Many of the credit losses appearing in Bangladesh's loan books have operational-risk origins. They have emerged from weak origination, poor documentation, compromised collateral valuation, related-party lending, management override, delayed audit response, ineffective monitoring and politically protected default. The accounting loss may sit under credit risk, but the causal chain often begins in failed processes, failed people controls and failed governance.
This distinction matters. The argument is not that non-performing loans should simply be reclassified as operational risk. That would be technically incorrect and would blur Basel risk taxonomy. The more precise argument is that Bangladesh's NPL crisis contains a significant operational-risk component that has not been adequately recognized in supervision, capital planning or bank governance. When a loan is approved on fictitious documents, renewed despite warning signs, rescheduled under influence or monitored only on paper, the final default is merely the visible outcome. The control failure occurred much earlier. Treating such losses only as credit events leads banks to focus on recovery and provisioning while ignoring the institutional weaknesses that produced the loss.
The issue becomes even clearer in the case of wilful default. Classical credit risk assumes that a borrower may be unable to repay because of business failure, cash-flow stress or adverse economic conditions. Wilful default is different. It often involves borrowers who have repayment capacity but choose not to repay, or who divert funds, conceal cash flows, misuse collateral, transfer assets or rely on influence to escape discipline. Such conduct cannot survive without internal process failure and governance failure inside banks. A borrower may initiate misconduct, but a bank's people, systems and controls determine whether that misconduct is detected, prevented, escalated or silently accommodated. In Bangladesh, too many cases suggest accommodation rather than prevention.
This is why Bangladesh Bank's move to Risk-Based Supervision, effective from January 1, 2026, is highly significant. Risk-Based Supervision changes the supervisory question from 'Has the bank complied with the checklist?' to 'Does the bank understand, measure, monitor and control its material risks?' This shift is especially important for operational risk because many operational weaknesses are not visible in traditional compliance files. A bank may appear orderly on paper while suffering from captured decision-making, weak IT controls, poor audit follow-up, unreliable data and ineffective board oversight. Under RBS, such weaknesses should affect supervisory ratings, intervention intensity and capital expectations.
Banks, however, cannot rely on supervision alone. Operational risk discipline must be embedded in their own governance structures. Boards should approve operational risk appetite, review key risk indicators, demand root-cause analysis of repeated failures and hold management accountable for delayed remediation. Internal audit must move beyond manual sampling and checklist inspection toward data-driven, risk-based review. Risk management and compliance functions need independence, skilled staff and direct access to board committees. Operational risk should not be treated as a clerical matter belonging to audit, compliance or IT departments. It is a business risk that can destroy capital, confidence and institutional credibility.
Key Risk Indicators should become a standard part of this discipline. Banks should track loan documentation exceptions, unauthorised disbursements, loans approved without proper credit information checks, overdue audit findings, management override of controls, staff turnover in risk and compliance roles, cybersecurity incidents, system downtime, failed login attempts, vendor service breaches, regulatory penalties and complaints per thousand transactions. These indicators should be linked to thresholds, escalation rules and remediation deadlines. More importantly, they should influence supervisory assessment and internal capital planning. A dashboard that does not lead to action is not risk management.
The capital question now deserves serious reconsideration. Basel minimum capital requirements are international floors, not ceilings. Bangladesh's special circumstances justify additional operational risk capital under the supervisory review process of Risk-Based Supervision. The sector faces unusually high default loans, governance fragility, wilful default, political interference, weak recovery culture, legal delays, cyber vulnerability and climate-related disruption. These conditions may create operational loss patterns that standard Basel capital formulas do not fully capture. A Bangladesh-specific operational risk capital add-on, linked to each bank's actual risk profile, would therefore be prudent. It would not contradict Basel; it would apply Basel's risk-sensitive spirit to local reality.
This add-on must be designed carefully to avoid double counting. Banks already hold provisions and capital against credit losses. An operational risk capital add-on should not mechanically punish the same default twice. Instead, it should be tied to measurable control weaknesses that increase the probability or severity of operational losses. Relevant indicators may include high documentation exceptions, repeated regulatory findings, unresolved audit issues, weak cyber controls, abnormal related-party exposure, governance breaches, persistent system failures, excessive wilful-default concentration and poor operational loss reporting. Banks with strong controls, transparent data and credible remediation should face lower add-ons. Banks with recurring weaknesses should hold more capital until those weaknesses are corrected.
The broader capital stress in the sector strengthens this case. Public reporting in 2026 showed that Bangladesh's banking system entered the year with serious capital weakness, while policymakers emphasized the need to replenish bank capital for reforms to take hold. Governance reform, recovery reform and supervisory reform all require a capital base that can absorb loss. But higher operational risk capital must not become a substitute for reform. Capital can absorb losses; it cannot prevent fraud, political interference or board capture by itself. Bangladesh Bank should therefore combine capital add-ons with mandatory remediation plans, operational loss databases, scenario analysis, cyber resilience testing, climate-risk mapping, stronger fit-and-proper enforcement and board-level accountability.
Bangladesh's banking system is paying the price for years of treating operational risk as an administrative afterthought. Credit risk may record the loss, but operational risk often creates the conditions for it. Under Risk-Based Supervision, Bangladesh now has an opportunity to correct this blind spot. Higher operational risk capital should be used not as a blunt punishment, but as a risk-sensitive supervisory tool that prices weak controls, rewards credible remediation and strengthens institutional resilience. In Bangladesh's circumstances, requiring more capital for banks with higher operational risk is not regulatory excess. It is prudence catching up with reality.
Bangladesh's banking system is paying the price for years of treating operational risk as an administrative afterthought. The consequences now appear in default loans, capital erosion, fraud, cyber exposure and public distrust. The lesson for bankers and central bankers is direct: credit risk may record the loss, but operational risk often creates the conditions for it. Under Risk-Based Supervision, Bangladesh has the opportunity to correct this blind spot. That opportunity should include stronger governance, sharper KRIs, credible enforcement and, where justified, additional operational risk capital beyond Basel minimums. In Bangladesh's circumstances, that is not regulatory excess. It is prudence catching up with reality.

The writer is Professor at Bangladesh Institute of Bank Management (BIBM), Dhaka; and Chairman, Dnet. ahsan@bibm.org.bd