Successful operational risk reporting

Overcoming challenges to effectively collect incident data

Original content provided by 

In our previous articles in the BDO Risk Blueprint series, we explored the foundations of strong risk management – from establishing your framework and risk appetite to developing appropriate taxonomies, conducting thorough assessments, and implementing the Three Lines of Defence. Now we turn to a critical yet often challenging aspect of risk management: getting people in your organisation to actually report operational risks. 

Even with the best frameworks in place, your risk management system can only be as effective as the information that flows through it. When operational incidents and near misses go unreported, you lose valuable opportunities to identify control weaknesses, learn important lessons, and prevent future losses. 

In this article, we explore the three main barriers to effective risk reporting and provide practical strategies to overcome them.

The three barriers to effective risk reporting

The challenge with operational risk reporting often goes beyond the commonly cited “blame culture”. Through years of industry experience, we have identified three distinct barriers that prevent effective reporting:

Barrier 1: not knowing what to report 

The first and most fundamental barrier is simply a lack of clarity about what constitutes a reportable incident. When you are building your risk culture and you want to encourage your staff to report operational risks, don't assume they are trying to hide information. More often, they simply don't know what criteria determine whether something should be reported.

This uncertainty creates hesitation and inconsistency. Without clear guidelines, your staff may either under-report (missing valuable risk insights) or over-report (creating noise that obscures important signals). The solution begins with providing specific, actionable guidance on what makes a reportable event in your organisation. 

Barrier 2: complex processes with no perceived value 

Even when people know what to report, they often face reporting processes that are overly complex or time-consuming. When reporting requires navigating complicated systems or filling out lengthy forms, people naturally hesitate – especially if they perceive no direct benefit from their effort. 

As one risk professional aptly described it: “asking the business to report centrally without feeding back the results is like asking people to type on a keyboard without a screen.” The absence of visible outcomes naturally leads to disengagement and reduced reporting quality. 

Barrier 3: fear of blame and additional workload 

The final barrier involves the anticipated consequences of reporting. This includes the often-discussed “blame culture,” where people fear being held responsible for incidents they report. However, it also includes concerns about the extra work that reporting might generate: investigations to conduct, documentation to complete, or corrective actions to implement. 

This barrier remains significant even in organisations that have established a positive risk culture. The solution involves not only creating a supportive environment but also designing efficient follow-up processes that don't unnecessarily burden those who report incidents.

Designing an effective reporting system

Overcoming these barriers requires thoughtful design of your reporting system. Before launching any campaign to encourage staff reporting, consider these three critical design decisions: 

step 1
What to report: determining your scope

Your first design decision involves what types of events should be included in your reporting scope. While financial losses are typically mandatory (especially for regulated entities), consider expanding your scope to include:


  • Near misses: incidents that were avoided by pure luck rather than by proactive controls. Reporting these events is a hallmark of mature risk management, as they highlight control gaps without the adverse consequences of actual incidents.
  • Accidental gains: unexpected positive outcomes from errors, such as directional trade mistakes that result in profits when markets move favourably. These are often underreported but provide equally valuable insights into control weaknesses.
  • Control weaknesses: situations where controls are found to be inadequate but have not yet resulted in incidents.

Tip: remember that while a more comprehensive scope provides better risk insights, it also requires greater organisational maturity to implement effectively.

step 2
How to report: structuring your process

The second design decision concerns how your reporting process will operate. Common approaches include: 


  • Centralised reporting: having a dedicated risk function handle the documentation of incidents reported by the business. One retail bank successfully implemented this approach with a team of five dedicated staff managing incident collection and recording bank-wide. This significantly simplified the process for business units, who simply needed to call or email the risk team when incidents occurred.
  • Integrated reporting: collecting incident information from existing sources such as IT logs, reconciliation breaks, and issue tracking systems. This reduces the reporting burden while improving comprehensiveness. 
  • Decentralised reporting: having business units document their own incidents, either through risk champions or direct staff reporting. 
  • Standalone systems: using dedicated risk software or spreadsheets for incident reporting, though this can create challenges in integrating with broader management information systems. 

step 3
Impact measurement: financial and beyond

The third design decision involves what impacts you measure and report: 


  • Financial vs. non-financial impacts (reputation, service continuity, customer experience) 
  • Actual vs. potential impacts 
  • Reporting thresholds that align with your risk appetite

These decisions should reflect your organisation's risk appetite and regulatory requirements while remaining proportionate to your resources.

Making reporting easy and valuable 

To overcome the first two barriers – uncertainty about what to report and cumbersome processes – focus on simplification and clear guidance.

Be economical in the information you collect. Follow the golden rule of reporting: the value of information must exceed the cost of collection. 
Collect only the minimum meaningful information needed for effective risk management. This typically includes: 

  • Date and time 
  • Location or business unit 
  • Event description 
  • Event type 
  • Impact (actual and potential) 
  • Immediate response actions 
  • Causes and control failures  
  • Action plan when needed 

Use structured input fields, such as drop-down menus based on your risk taxonomy, rather than free-text fields. This not only speeds up reporting but also creates more comparable data for analysis. Consider limiting free-text fields to just one comment section.

Connecting to existing sources

Integrate with existing sources where possible. Rather than creating entirely new reporting processes, leverage data from sources like: 

  • General ledger entries 
  • Event logs in other services 
  • Legal provisions 
  • Customer complaints 
  • IT incident logs 
  • Quality assurance reviews 

This approach not only reduces the reporting burden but can also demonstrate to regulators that your incident database is comprehensive rather than relying solely on voluntary reporting. 

Creating value through effective feedback

To overcome the perception that reporting provides no value to those doing the reporting, implement a robust feedback loop: 

Return analysed information to business units regularly. Show them not only their own incident trends but also comparative data from peer units. This creates value by: 

  • Allowing the business departments to verify the information they reported 
  • Providing insights from comparison with peers 
  • Creating healthy competition between departments for quality 
  • Demonstrating that their reporting efforts lead to tangible outcomes 

A simple periodic report showing the number of incidents, their financial impact, and loss-to-income ratios can be highly effective. The loss-to-income ratio – operational losses as a percentage of operating income – provides a useful benchmark for comparison. A typical benchmark across industries is approximately 2%, though this tends to decrease with greater business automation.

Effective operational risk reporting does not happen by accident – it requires thoughtful design that addresses the three fundamental barriers we have explored. By providing clear guidance on what to report, creating simple processes, and demonstrating value through feedback, you can build a reporting system that captures vital risk information while engaging your business units as active participants. Remember that the ultimate goal of reporting is not documentation for its own sake, but creating insights that drive better decision-making and control improvements.

Different approaches for different incidents

Operational risk has a distinct distribution pattern that requires different approaches for different types of incidents: 

Segregate large and small losses

Managing mass losses: the power of pattern detection 

"Mass losses" are the numerous small incidents that occur frequently in most organisations. 
For these: 

  • Look for patterns that might signal structural problems – the “leaking taps” in your organisation 
  • Consider using artificial intelligence for pattern detection across large datasets 
  • If no concerning patterns emerge, treat these small incidents as a normal cost of business to be factored into pricing 

Addressing max losses: learning from significant events 

“Max losses” are the rare but significant incidents that can have material impact. For these: 

  • Ensure immediate reporting, though this typically happens naturally as these events are too big to hide 
  • Conduct thorough root cause analysis (which we will explore further in our article on bow-tie analysis) 
  • Develop and track specific action plans to address identified weaknesses 

This dichotomy in operational risk – many small losses and few large ones – demonstrates why average-based metrics can be misleading. Your approach should reflect this reality rather than treating all incidents equally. 

Roles and responsibilities in operational risk reporting 

Clear accountability is essential for effective reporting. Within the Three Lines of Defence model we discussed previously: 

First Line (Business Operations): 

  • Has primary responsibility for alerting and reporting incidents 
  • Analyses incidents to identify appropriate action plans 
  • Implements improvements to address identified weaknesses 

Second Line (Risk Function): 

  • Provides guidance and support to business units 
  • Ensures consistent reporting standards
  • Aggregates and contextualises information for management 
  • Provides feedback to business units on reporting trends and insights 

Third Line (Internal Audit): 

  • Provides independent assurance and oversight of the reporting process 
  • Validates the effectiveness of the reporting system 

This clear categorisation of responsibilities ensures your reporting is comprehensive without creating unnecessary duplication of effort.

Setting up an incident data collection process and policy for a local bank

Do you want to find out how to correctly respond to your risks once you have reported them?

Feel free to contact our experts for more information.