Management objectives

The Bank, following the regulatory guidelines and best practices, has defined a Comprehensive Risk Management System, whose main objective is to promote a healthy and safe banking environment.

The function of Operational Risk is to guarantee the adequate administration of this risk, to achieve its understanding, to identify the operative risks present in the activities of the organization, to reinforce controls, to reduce the number of incidents or events, and to minimize monetary losses.

Methodology and management framework:

The Corporate Risk Management has defined a methodology and an operational risk management framework that allow the identification, measurement, mitigation, monitoring, control and reporting of this risk, in order to minimize the level of losses it causes. All bank staff must apply this methodology and are responsible for the proper management of the operational risks associated with their areas and activities.

This methodology and management framework are fully detailed in the Operational Risk Manual, which has been approved by the Risk Directive Committee and the BICSA Board of Directors.

The methodology consists mainly of the following stages:

  • Identification: The risks or threats that are inherent in the bank's processes and products and can cause losses are identified.
  • Measurements: The identified risks are measured based on the impact and probability of inherent and residual occurrence. Also, the collection of events and incidents of operational risk is carried out.
  • Mitigation: Definition and implementation of action plans (for cases in which risks exceed an acceptance limit).
  • Monitoring and control: Follow-up on the defined action plans for the mitigation of the identified or occurred risks, as well as the corresponding follow-up on the key risk indicators (KRI). Also, as part of this stage, tests of the effectiveness of controls are carried out.
  • Information: Periodic reports are generated and presented on the result of the management carried out and the level of operational risk to which the Bank is exposed.

The management framework that guides the objectives and essential components of operational risk management is composed as detailed below:

Phase 1 – Culture

Stage in which all the staff of the organization is made aware of the importance of Operational Risk management through periodic training.

Phase 2 – Qualitative Management

Stage in which the organizational structure, policies, identification of risks and prioritization of responses, development of indicators, self-assessments and evaluation of Operational Risks in the Bank’s new initiatives, products and/or services, and significant improvements to these, are defined.

Phase 3 – Quantitative Management

Stage in which data capture and maintenance, collection of losses, calculation of the capital requirement for operational risk, internal model validation and risk prevention of management information occur.

Main Achievements

Since the implementation of operational risk management in the bank, the main achievements obtained are listed below:

  • Strengthening the culture of operational risk based on continuous training of employees that allows them to understand and assimilate the importance of this concept from each of their work areas.
  • The satisfactory implementation of an organizational structure for the management of Operational Risk that includes, among others:
    • An Operational Risk Department that reports to the Corporate Risk Management and this one to the Risk Directive Committee.
    • The existence of an Operational Risk Administrator in each of the bank’s work areas, who is responsible for recording the events and incidents that occur in the department. Additionally, this collaborator proactively identifies, measures and monitors the risk exposure of the area.
    • Functional Managers and Process Owners are responsible for creating and promoting a culture of Operational Risk Management within their area of responsibility, performing operational risk self-assessments in their processes and, when applicable, developing action plans to mitigate them and ensuring that business strategies and objectives are met.
    • The alignment of BICSA’s subsidiaries under a single Operational Risk Management model.
  • A robust database compilation of events and incidents for operational risk, classified by type of loss and business lines of the organization as defined by Agreement 011-2018 of the Superintendence of Banks of Panama.
  • The strengthening of control processes and activities in the bank’s operations for the prevention of risks, prioritizing and classifying the defined processes, in order to apply a methodological approach according to the level of risk of each process based on the cost-benefit ratio of the time and resources involved in applying different methodologies in relation to the impact on the Bank.
  • Management and minimization of operational risk that allows low levels of monetary losses due to operational risk to be maintained over the years.
  • Inclusion in business management of the process of identifying operational risks prior to the launch of a new product, service or activity offered by the entity.
  • The identification and monitoring of improvement opportunities, resulting from the various reviews and evaluations that are part of the Operational Risk Management, in conjunction with the Process Management Department and other areas through Process Improvement Circles.
  • Implementation and monitoring of key risk indicators (KRIs) and other process management metrics.
  • The incorporation of Business Continuity Management as an integral part of the Operational Risk Management.
  • The implementation of the Model Internal Validation Methodology in the Bank.
  • The implementation of the “Operational Risk Events and Incidents Forum”, where the analysis of the most relevant events and incidents is presented.
  • Implementation of the methodology and its application for the stress exercise of the capital requirement for operational risk.

Management results

At BICSA, operational risk management is supported by the identification of risks or threats through self-assessments, and by the monitoring of events and incidents. As of December 31, 2023, the following can be observed:

Threat distribution detected by type of risk:

Events and incidents distribution by type of risk:





Operational risk capital requirements

Banco Internacional de Costa Rica, S.A. calculates the operational risk capital requirements in accordance with the provisions of Chapter VI of Rule N° 11-2018 of the Superintendency of Banks of Panama. The minimum operational risk capital requirements are determined by multiplying the operational risk-weighted assets established above by the capital coefficient for the due date.

Results as of December 31, 2023:


Operational risk-weighted assets

Operational risk capital requirements

BICSA Panamá



BICSA and subsidiaries



(In millions of dollars)