What is APS 115 and who does it apply to?

APS 115 is APRA's Prudential Standard on Capital Adequacy for Operational Risk. It applies to all authorised deposit-taking institutions (ADIs) in Australia, requiring them to hold regulatory capital against operational risk losses using either the standardised measurement approach or an approved internal model.

How is the Business Indicator calculated under APS 115?

The Business Indicator (BI) is calculated as the sum of three components: the Interest, Leases and Dividends Component (ILDC), the Services Component (SC), and the Financial Component (FC). Each component uses specific income statement items averaged over three years to produce a size-based proxy for operational risk exposure.

What are the seven Basel loss event categories for operational risk?

The seven Basel loss event categories are: (1) Internal Fraud, (2) External Fraud, (3) Employment Practices and Workplace Safety, (4) Clients, Products and Business Practices, (5) Damage to Physical Assets, (6) Business Disruption and System Failures, and (7) Execution, Delivery and Process Management.

What is the three lines of defence model in operational risk?

The three lines of defence model separates operational risk responsibilities: the first line (business units) owns and manages risks day-to-day; the second line (risk and compliance functions) provides oversight, frameworks, and challenge; and the third line (internal audit) provides independent assurance that the framework operates effectively.

What internal loss data must ADIs collect under APS 115?

ADIs must maintain a comprehensive internal loss data collection process covering all material activities and exposures. This includes gross loss amounts, recoveries, date of event, date of discovery, causal factors, and mapping to Basel event type categories. APRA expects a minimum of five years of quality loss data for capital calculation purposes.

Operational Risk Management for Australian ADIs: APS 115 Capital, Loss Data, and the Three Lines Model

By Pranjal | March 2026 | 9 min read

Operational risk remains the fastest-growing capital charge for Australian banks. From cyber incidents and system outages to conduct failures and process errors, APRA expects ADIs to quantify these risks, hold capital against them, and embed robust governance across the organisation. This guide covers the key pillar: APS 115 Capital Adequacy: Operational Risk, along with the internal loss data requirements and the three lines of defence model that underpins it all.

GoComply scans your policies against 125 rules covering APS 115, CPS 230, CPS 234, and 35+ other Australian financial regulations. Ask the AI chatbot any question about operational risk capital requirements.

What Is APS 115?

APS 115 is APRA's prudential standard requiring ADIs to hold regulatory capital specifically for operational risk. It sits within the broader capital adequacy framework (APS 110) and mandates that every ADI calculate an operational risk capital charge using an approved approach. The standard aligns with the Basel III finalisation reforms, which replaced the previous basic indicator and advanced measurement approaches with a single Standardised Measurement Approach (SMA).

The core principle: the more complex an ADI's operations and the larger its historical losses, the more capital it must hold. This creates a direct financial incentive to manage operational risk effectively.

The Standardised Measurement Approach (SMA)

Under APS 115, the operational risk capital requirement is driven by two inputs:

Business Indicator Component (BIC) -- a size-based proxy derived from the income statement
Internal Loss Multiplier (ILM) -- an adjustment based on an ADI's actual loss history

The formula is: ORC = BIC x ILM, where the BIC increases with the scale of the ADI and the ILM adjusts up or down based on whether actual losses exceed or fall below what the BIC alone would suggest.

Business Indicator Calculation

The Business Indicator (BI) is the sum of three components, each calculated from three-year averages of financial statement items:

Component	Inputs	What It Captures
ILDC (Interest, Leases & Dividends)	Net interest income, dividend income, lease income	Credit intermediation risk
Services Component (SC)	Fee income, fee expense, other operating income/expense	Fee-based activity risk
Financial Component (FC)	Net P&L on trading book, net P&L on banking book	Market and treasury risk

The BI is then mapped to marginal coefficients across three buckets. Larger ADIs face higher marginal rates, reflecting APRA's view that operational risk scales super-linearly with institutional size and complexity.

Internal Loss Data Requirements

APRA requires ADIs to maintain a comprehensive internal loss data collection framework. This is not optional -- loss data quality directly affects the capital charge via the Internal Loss Multiplier. Key requirements include:

Minimum threshold: All operational risk losses above AUD 20,000 must be captured
Data fields: Gross loss amount, recoveries (insurance and other), date of event, date of discovery, date of accounting impact
Mapping: Every loss event must be classified to one of the seven Basel loss event categories
History: At least 5 years of quality loss data, with 10 years preferred for SMA calculation
Validation: Independent review of loss data completeness and accuracy, at least annually
Grouping: Related loss events stemming from a common cause must be grouped and treated as a single event

Poor loss data quality is one of the most common APRA findings during supervisory reviews. Incomplete capture or misclassification directly inflates the capital charge -- or worse, understates it, leading to enforcement action.

The Seven Basel Loss Event Categories

Every operational risk loss must be mapped to one of these categories. Understanding them helps ADIs design controls and allocate capital accurately:

Category	Examples	Typical Impact
1. Internal Fraud	Unauthorised trading, theft by employees, intentional mismarking	Direct financial loss, regulatory penalty
2. External Fraud	Card fraud, cyber attacks, identity theft, forgery	Customer losses, remediation costs
3. Employment Practices & Workplace Safety	Discrimination claims, WHS incidents, unfair dismissal	Legal costs, compensation
4. Clients, Products & Business Practices	Mis-selling, fee-for-no-service, market manipulation, KYC failures	Remediation programs, fines
5. Damage to Physical Assets	Natural disasters, terrorism, vandalism	Property/infrastructure repair
6. Business Disruption & System Failures	IT outages, software bugs, utility disruptions	Revenue loss, customer impact
7. Execution, Delivery & Process Management	Settlement failures, data entry errors, reporting mistakes	Financial loss, regulatory breach

For Australian ADIs, Category 4 (Clients, Products & Business Practices) has historically generated the largest losses by dollar value, driven by the Royal Commission remediation programs and ongoing conduct risk issues. Category 2 (External Fraud) continues to grow as cyber threats escalate.

The Three Lines of Defence Model

APRA expects all ADIs to operate a clear three lines model for operational risk governance. CPS 220 (Risk Management) and CPG 220 set the foundation, but APS 115 relies on it for capital adequacy purposes:

First Line: Business Units

Own and manage operational risks within their activities
Implement controls and maintain risk and control self-assessments (RCSAs)
Report loss events promptly and accurately
Escalate breaches and near-misses to second line
Maintain process documentation and key risk indicators (KRIs)

Second Line: Risk and Compliance Functions

Design and maintain the operational risk management framework (ORMF)
Set policies, methodologies, and risk appetite for operational risk
Challenge first-line risk assessments and control effectiveness
Aggregate and report operational risk exposures to the Board
Oversee loss data quality and capital calculation integrity
Monitor regulatory change and translate into framework updates

Third Line: Internal Audit

Independently assure the effectiveness of both first and second lines
Test the ORMF design and operating effectiveness
Validate loss data collection processes
Report findings directly to the Board Audit Committee
Follow up on remediation of identified deficiencies

Board and Senior Management Responsibilities

Under CPS 220 and APS 115, the Board must:

Approve the ORMF and ensure it is adequate for the ADI's risk profile
Set operational risk appetite with quantitative and qualitative measures
Receive regular reporting on operational risk exposures, loss trends, and capital adequacy
Ensure adequate resourcing of the second and third lines
Hold senior management accountable via the Financial Accountability Regime (FAR) for operational risk outcomes

Senior management must implement the Board-approved framework, ensure loss data completeness, and maintain an operational risk culture where reporting failures and near-misses is encouraged rather than penalised.

APRA Enforcement: Recent Examples

APRA has demonstrated willingness to act on operational risk failures:

Medibank (2024): APRA imposed a $250 million capital adjustment following the 2022 cyber breach, citing deficiencies in information security governance under CPS 234. The adjustment was only lifted after independent verification of remediation.
Optus/telco sector (2023-24): While not an ADI, APRA used the incident to publicly warn regulated entities about concentration risk in critical service providers -- directly relevant to APS 115 loss scenario analysis.
Major bank conduct remediation (2018-2025): Billions in remediation costs from fee-for-no-service and mis-selling (Category 4 losses) fundamentally reshaped operational risk capital requirements across the sector.
CBA AUSTRAC (2018): The $700 million penalty for AML/CTF failures remains the largest operational risk loss event in Australian banking history, classified under Category 4.

APRA's approach is clear: inadequate operational risk management leads to higher capital charges, enforceable undertakings, and public accountability. ADIs that invest in robust frameworks, quality loss data, and genuine three lines governance are rewarded with lower capital requirements.

Practical Steps for ADI Compliance

Audit your loss data: Confirm capture thresholds, completeness across all Basel categories, and data quality validation processes
Review BI calculation: Ensure the three-year averages feeding the Business Indicator are accurate and reconciled to audited financials
Stress-test the ILM: Model how changes in loss experience affect your capital charge -- this quantifies the ROI of risk reduction
Strengthen first-line ownership: Ensure business units have trained risk champions and that RCSA processes are meaningful, not tick-box
Upgrade loss event reporting: Implement real-time capture with automatic escalation triggers and root cause analysis workflows
Align with CPS 230: Operational risk capital, business continuity, and critical operations management are now deeply interconnected

Scan your operational risk framework

Upload your ORMF, loss data policy, or RCSA templates and get instant gap analysis against APS 115, CPS 220, and CPS 230.

Try GoComply Free

This article is for informational purposes only and does not constitute legal or compliance advice. Consult qualified professionals for your specific obligations. GoComply's AI scanner covers 125 rules across 38 regulations with 110 knowledge base sources.