Case study: incident data collection process and policy

Home
Insights
Cases
2025
Setting up an incident data collection process and policy for a local bank

A local bank in Belgium, part of a bigger group, wanted to formalise and standardise its incident data collection for operational risks. This would provide better visibility into business operations and ensure alignment with market practices.

When they called on BDO for help, they were facing a challenging lack of operational incident reporting from the business. At the origins of this was both a lack of clear guidance on what to report and a cumbersome process that discouraged the business to report these incidents to the central risk management function.

Challenge

The headquarters of the group required some visibility on what was happening in the business while at the same time facing increasing pressure from the regulator.

Our client needed assistance in setting up a simple yet effective way to report incidents. They needed a system that allows the risk function to analyse quickly the incidents as well as a process easy and clear enough for the business to comply with.

BDO’s tailored approach & solutions

Methodology

We started by reviewing the methodology for incident collection, making it more straightforward and clearer for the business with higher loss thresholds for mandatory reporting. We used incident reporting category fields aligned with the risk taxonomy. These were made available through drop down menus which makes the process slicker and faster.

Paradoxically, adopting higher reporting thresholds led to improve the comprehensiveness of reporting. The businesses were encouraged to report only the incidents that mattered and, therefore, felt more compliance to the process. Drop-down menus and formatted categories sped up the reporting time, making it easier for the entities and encouraging comprehensiveness of incident data collection.

Documentation

The new methodology was documented in an updated policy dedicated to incident data collection. The policy clarified the guidance of the types of operational incidents to report, as well as the motivation for comprehensive reporting.

The benefits for the business were clearly highlighted in the policy: having better insights into potential risks and, in return, receiving standardised reports from the risk function that compare their risk position with that of their peers.

Communication

The third and very important step of process modification after the method and documentation is the communication about it. So, we created a round of short training and communication slides distributed to the different entities to familiarise them to the new process and encourage their adoption as soon as possible.

Setting up an incident data collection process and policy for a local bank

Impact & results

As a result, the client was satisfied with its new process which simplified the incident data collection and gathering of information through standardised categories, enhanced communication, and better thresholds.

Check out our full Risk Blueprint video series

This video series delivers tons of expertise and knowledge on the essentials of risk management.

Go watch our video series