
Insight: Basel II : operational risk measurement in the portuguese Ba


About the Authors and This Research

This study was co-authored by Gualter Couto, a senior professor of finance with an h-index of 17 and over 901 cumulative citations—placing him among the more influential voices in European banking regulation research—and Kevin Medeiros Bulhões, whose work focused on the empirical application of Basel II methodologies in Portugal. The paper was published in 2008, precisely when Basel II's full implementation was being tested across European banking systems, making it one of the earlier empirical benchmarks for comparing operational risk capital calculation methods using actual institutional data.

The study selected a sample of Portuguese domestic banks and applied all three Pillar I operational risk methodologies—the Basic Indicator Approach (BIA), the Standardized Approach (SA), and the Alternative Standardized Approach (ASA)—to quantify the differences in minimum capital requirements under each. While the regulatory landscape has since evolved through Basel III and the Basel III finalization (often called Basel IV), the foundational logic this research established—that methodology selection creates measurable capital efficiency differences—remains a key reference point for risk quantification practitioners today.

Core Findings: Three Methodologies, One Strategic Lesson

The central contribution of this research is its empirical demonstration that the three Basel II operational risk methodologies produce materially different minimum capital requirement outcomes for the same institution. This is not a theoretical difference—it has direct financial implications.

Finding 1: Methodology Complexity Drives Capital Efficiency

The Basic Indicator Approach is the simplest: multiply the three-year average of gross income by a fixed alpha coefficient of 15% to arrive at the capital charge. The Standardized Approach applies differentiated beta coefficients (ranging from 12% to 18%) across eight defined business lines, allowing institutions with lower-risk business mixes to achieve a lower capital requirement. The Alternative Standardized Approach further permits retail and commercial banking units to substitute loan volume for gross income as the exposure indicator, potentially reducing capital requirements for institutions with large retail books. The study found that moving from simpler to more sophisticated methods produced quantifiable capital requirement differences, validating Basel II's design intent: institutions that invest in more accurate risk measurement are rewarded with regulatory capital efficiency.
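The three calculations described above can be compared side by side. The following is an added example, not code or data from the paper: the bank figures are constructed, and the per-business-line beta values and the ASA loan factor of 0.035 are taken from the Basel II framework text rather than from this page, which gives only the 12% to 18% range.

```python
# Added illustration; bank figures are constructed (EUR millions), not from the study.
ALPHA = 0.15  # BIA coefficient stated on this page
# Per-line betas and the ASA factor m come from the Basel II framework text
# (assumption: the page itself only gives the 12%-18% range).
BETA = {
    "corporate_finance": 0.18, "trading_sales": 0.18, "retail_banking": 0.12,
    "commercial_banking": 0.15, "payment_settlement": 0.18,
    "agency_services": 0.15, "asset_management": 0.12, "retail_brokerage": 0.12,
}
M = 0.035
ASA_LINES = {"retail_banking", "commercial_banking"}

def bia_charge(years):
    """BIA: alpha times average gross income over years with positive totals."""
    totals = [sum(y.values()) for y in years]
    positive = [t for t in totals if t > 0]
    return ALPHA * sum(positive) / len(positive) if positive else 0.0

def sa_charge(years, loans=None):
    """SA: per-year sum of beta * gross income, floored at zero, then averaged.
    With `loans`, retail/commercial lines use m * loans instead (ASA)."""
    yearly = []
    for i, year in enumerate(years):
        total = 0.0
        for line, income in year.items():
            if loans is not None and line in ASA_LINES:
                income = M * loans[i][line]
            total += BETA[line] * income
        yearly.append(max(total, 0.0))
    return sum(yearly) / len(yearly)

# Constructed three-year sample: gross income by business line, then loan books.
SAMPLE_GI = [
    {"retail_banking": 400, "commercial_banking": 200, "trading_sales": 50, "asset_management": 30},
    {"retail_banking": 420, "commercial_banking": 210, "trading_sales": -20, "asset_management": 35},
    {"retail_banking": 440, "commercial_banking": 220, "trading_sales": 60, "asset_management": 40},
]
SAMPLE_LOANS = [
    {"retail_banking": 8000, "commercial_banking": 5000},
    {"retail_banking": 8400, "commercial_banking": 5200},
    {"retail_banking": 8800, "commercial_banking": 5400},
]

def compare(years, loans):
    return {"BIA": bia_charge(years), "SA": sa_charge(years),
            "ASA": sa_charge(years, loans)}

if __name__ == "__main__":
    for name, charge in compare(SAMPLE_GI, SAMPLE_LOANS).items():
        print(f"{name}: {charge:.2f}")
```

For this constructed retail-heavy bank the charge falls from BIA to SA to ASA; a different business mix or loan-to-income ratio can reverse that ordering.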

Finding 2: Convergence of Regulatory and Economic Capital Requires Risk Sensitivity

One of Basel II's stated policy goals—emphasized by Couto and Bulhões—was to narrow the gap between regulatory capital (mandated by supervisors) and economic capital (internally assessed by institutions as truly needed to absorb unexpected losses). Basel I's flat risk weights created systematic misalignments: some institutions over-capitalized relative to actual risk; others under-capitalized. The risk-sensitive methodologies of Basel II, applied in this study to real Portuguese bank data, demonstrated that institutions capable of accurately measuring their operational risk profile could achieve a much closer alignment between regulatory requirements and genuine risk exposure. This principle—that precise quantification enables better capital allocation—is directly transferable to ISO 22301 BCM design, where Business Impact Analysis (BIA) data quality determines the credibility of RTO and RPO targets.

Finding 3: Progressive Methodology Evolution is Both Incentivized and Necessary

Basel II's framework explicitly incentivized institutions to evolve from basic to advanced methodologies by offering capital relief to those adopting more sophisticated measurement tools. The study's empirical analysis quantified this incentive for Portuguese banks. The implication for modern BCM practitioners is direct: organizations that invest in more rigorous operational risk quantification—whether for financial regulatory compliance or for ISO 22301 BCM purposes—gain both strategic accuracy and, in many regulatory contexts, demonstrable compliance efficiency. Taiwan's financial sector, where the FSC (Financial Supervisory Commission) reported a non-performing loan ratio of 0.15% and a loan loss reserve coverage ratio of 914.33% as of January 2025, reflects decades of disciplined risk quantification culture. Non-financial enterprises can and should adopt the same discipline within their BCM frameworks.

Implications for Taiwan BCM and ISO 22301 Practice

The parallel between Basel II's operational risk architecture and ISO 22301's BCM requirements is more than conceptual. Both frameworks share three structural principles that Taiwan enterprises should internalize:

Principle 1 — Tiered Methodology Selection: Just as Basel II offers three progressively sophisticated operational risk methods, ISO 22301 BCM implementation can be structured in tiers. Organizations new to formal BCM may begin with qualitative BIA frameworks to quickly establish a BCP baseline, then evolve toward quantitative financial impact modeling as institutional data matures. The key is having a documented roadmap for methodology evolution—not treating the initial approach as permanent.

Principle 2 — Data-Driven RTO/RPO Targets: Basel II's core innovation was replacing rule-of-thumb capital estimates with risk-sensitive calculations. ISO 22301 requires the same discipline for RTO (Recovery Time Objective) and RPO (Recovery Point Objective) setting. RTO/RPO targets that cannot be traced to quantified BIA findings—financial loss per hour of downtime, maximum tolerable period of disruption (MTPD), resource recovery costs—are vulnerable to challenge during audits and, more critically, during actual crisis response. Winners Consulting Services Co. Ltd. consistently finds that organizations with quantified BIA data achieve RTO accuracy rates significantly higher than those relying on expert judgment alone.

Principle 3 — Anticipating Regulatory Convergence: Japan's FSA recently updated supervisory guidelines to strengthen cyber risk governance across all categories of financial institutions. Macau has introduced a Risk-Based Capital Framework for the insurance sector. These regional signals suggest that within 3 to 5 years, Asia-Pacific regulators will extend operational risk governance expectations beyond the financial sector. Taiwan enterprises that proactively establish ISO 22301-compliant BCM mechanisms—with auditable, quantified BIA documentation—will be positioned ahead of anticipated regulatory demands, rather than scrambling to comply reactively.

The concept of unconditional coverage from VaR validation is analogous here: just as a risk model must demonstrate that its predicted failure frequency matches actual outcomes across all conditions, a BCP must demonstrate coverage across all credible disruption scenarios—not just the most likely ones.

How Winners Consulting Services Co. Ltd. Helps Taiwan Enterprises Act on These Insights

积穗科研股份有限公司 (Winners Consulting Services Co. Ltd.) provides end-to-end ISO 22301 BCM implementation services, from gap analysis and BIA design to BCP documentation, crisis simulation exercises, and certification support. Our methodology directly reflects the quantification-first philosophy validated by research such as Couto and Bulhões (2008).

  1. Quantified BIA to Drive Defensible RTO/RPO: We design BIA processes that capture financial, operational, regulatory, and reputational impact dimensions—producing RTO/RPO targets supported by data rather than assumptions.
  2. Tiered Operational Risk Scenario Libraries: Mirroring Basel II's multi-method approach, we build scenario libraries covering process failures, system outages, personnel disruptions, and external events—ensuring BCP scope matches the institution's actual risk profile.
  3. ISO 22301 Certification in 7 to 12 Months: Our structured implementation program guides Taiwan enterprises from current-state assessment through mechanism design, documentation, tabletop and live exercises, internal audit, and third-party certification—typically within 7 to 12 months depending on organizational scale.

Winners Consulting Services Co. Ltd. offers a complimentary BCM Mechanism Diagnostic to help Taiwan enterprises assess their current BCM maturity and identify the most efficient path to ISO 22301 certification.


Frequently Asked Questions

How does Basel II's three-tier operational risk methodology relate to setting RTO and RPO targets under ISO 22301?
Basel II's progression from the Basic Indicator Approach (15% of gross income) to Standardized and Alternative Standardized methods mirrors ISO 22301's expectation that BIA methodology should grow in sophistication as organizational data matures. Organizations that begin with qualitative RTO/RPO estimates should plan to evolve toward quantified financial impact modeling—calculating cost per hour of disruption, supply chain cascade effects, and regulatory penalty exposure—to produce RTO/RPO targets that will withstand both internal audit and third-party ISO 22301 certification review. Winners Consulting recommends a structured BIA methodology review every 24 to 36 months.
What are the most common gaps Taiwan enterprises discover when building an ISO 22301 BCM framework?
The three most common gaps are: (1) absence of historical business disruption records, making quantitative BIA impossible; (2) RTO/RPO targets set by executive consensus rather than BIA data, creating credibility gaps during certification audits; and (3) BCP documentation that addresses technology recovery but neglects people, facilities, and supply chain dependencies. Addressing these gaps requires a structured gap analysis (typically 4 to 6 weeks) that benchmarks current practices against ISO 22301 clause requirements, particularly Clauses 8.2 (Business Impact Analysis) and 8.4 (Business Continuity Plans).
What does ISO 22301 actually require, and how long does certification realistically take for a mid-sized Taiwan enterprise?
ISO 22301 requires organizations to establish, implement, maintain, and continually improve a BCM system covering: leadership commitment (Clause 5), risk assessment and BIA (Clause 8.2), BCP development (Clause 8.4), exercise and testing (Clause 8.5), and performance evaluation (Clause 9). For a Taiwan enterprise with 100 to 500 employees, a realistic certification timeline is 9 to 12 months: Month 1 for gap analysis, Months 2 to 4 for BIA and mechanism design, Months 5 to 8 for BCP documentation and exercises, and Months 9 to 12 for internal audit, management review, and Stage 1/Stage 2 certification audits.
What investment is realistically required, and how should Taiwan enterprises measure BCM return on investment?
For a mid-sized Taiwan enterprise, BCM implementation investment typically encompasses external consulting fees, internal team time (estimated at 20% to 30% of core team capacity during the project), and third-party certification fees. ROI should be measured across three dimensions: (1) financial—reduction in losses during disruption events, which studies suggest can reduce actual recovery costs by 40% to 60% for organizations with tested BCPs; (2) commercial—contractual compliance with customers and supply chain partners increasingly requiring ISO 22301 certification; and (3) regulatory—proactive positioning ahead of anticipated operational risk governance requirements from Taiwan's FSC and sector-specific regulators. A 3-year ROI framework is recommended for justifying BCM investment to executive leadership.
Why should Taiwan enterprises choose Winners Consulting Services Co. Ltd. for BCM and ISO 22301 implementation?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) combines ISO 22301 Lead Auditor credentials with deep practical BCM implementation experience across Taiwan's financial, manufacturing, technology, and services sectors. Our consultants translate international research frameworks—including the operational risk quantification logic validated in studies like Couto and Bulhões (2008)—into executable BIA processes and BCP documents calibrated to each client's business model and risk profile. We offer a complimentary BCM Mechanism Diagnostic as a no-commitment first step, allowing enterprises to assess their current maturity before committing resources. Our structured implementation program consistently delivers ISO 22301 certification outcomes within 7 to 12 months, with ongoing support for annual review cycles and continuous improvement.
---

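Strategic Implications of Basel II Operational Risk Quantification for Taiwan BCM and ISO 22301 Practice

Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), a consulting firm in Taiwan specializing in business continuity management (BCM), believes that the empirical study of Basel II operational risk quantification in the Portuguese banking sector, published by Bulhões and Couto in 2008, still offers important lessons for the design of ISO 22301 BCM frameworks. The reason is that the core logic of Basel II, that "precise quantification delivers both capital efficiency and supervisory compliance," applies in exactly the same way to ensuring that the RTO/RPO targets in a BCP (business continuity plan) are well founded.

Source: Basel II : operational risk measurement in the portuguese Banking sector and an evaluation of the quantitive impacts (Bulhões, Kevin; Couto, Gualter, arXiv, 2008)
Original link: https://core.ac.uk/download/161804282.pdf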


FAQ

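What practical reference value do Basel II's three operational risk methodologies have for Taiwan enterprises building a BCM mechanism?
The three-tier operational risk methodology established by Basel II (Basic Indicator Approach, Standardized Approach, Alternative Standardized Approach) gives Taiwan enterprises a clear concept of a "gradient of quantification complexity." The lesson for BCM practice is that an enterprise should choose a business impact analysis (BIA) method at the tier that matches its own size, resources, and risk complexity. At the outset, a simpler qualitative assessment framework can be used to quickly establish an ISO 22301 BCP foundation, but as the enterprise grows, quantitative loss models should be introduced step by step so that RTO/RPO targets are better supported by data. Methodology selection is not a one-time decision but a process that evolves continuously with the maturity of the enterprise's resilience. Winners Consulting recommends that enterprises re-examine the suitability of their BIA methodology every 2 to 3 years.
What challenges do Taiwan enterprises most often face in quantifying operational risk when adopting ISO 22301?
The most widespread challenge is a lack of historical loss data, which prevents operational risk from being quantified effectively. ISO 22301 requires enterprises to use the BIA to identify critical business functions and set reasonable RTO/RPO, but without a structured incident recording mechanism, BIA conclusions often degenerate into subjective estimates. Taiwan enterprises are advised to design a "business disruption event register" at the same time as they first build the BCM mechanism, so that internal loss data is accumulated systematically. In addition, many enterprises confuse the definitional boundary between "business impact" and "operational risk," which leaves the scope of the BCP incomplete. In its engagements, Winners Consulting helps enterprises clarify their risk classification structure to ensure that the BCP effectively corresponds to the operational risk profile the enterprise actually faces.
What are the core requirements of ISO 22301 business continuity management certification, and how long does implementation actually take?
The core requirements of ISO 22301 cover: (1) management commitment and BCM policy setting; (2) scope definition and risk assessment; (3) business impact analysis (BIA) and RTO/RPO target setting; (4) documented establishment of the BCP (business continuity plan); (5) exercise and testing mechanisms; (6) a continual improvement cycle. As for the implementation timeline, smaller Taiwan enterprises (100 people or fewer), with concentrated resources, typically need 6 to 9 months to establish the mechanism and obtain third-party certification; mid-sized enterprises (100 to 500 people) typically need 9 to 12 months. Winners Consulting recommends completing the gap analysis of the current state in month 1, the BIA and BCP framework design in months 2 to 4, documentation and exercises in months 5 to 8, and the internal audit and certification review in months 9 to 12.
How much resource investment is needed to build an ISO 22301-compliant BCM mechanism, and how should the expected benefits be evaluated?
Resource investment varies with enterprise size and existing management maturity. Taking a mid-sized Taiwan enterprise as the baseline, the project cost of establishing an ISO 22301 BCM mechanism for the first time typically comprises three main parts: external consulting fees, internal staff time cost (estimated at about 20% to 30% of the core team's working hours each month), and third-party certification fees. On the benefit side, the quantifiable benefits of ISO 22301 certification include: reducing the financial losses caused by business disruption events, shortening actual recovery time (some enterprises have measured reductions of 40% to 60%), and raising the trust of customers and supply chain partners. Qualitative benefits include: strengthening the confidence of regulators and investors, reducing the risk of knowledge gaps when key personnel change, and improving the enterprise's overall governance score. Enterprises are advised to evaluate return on investment using a 3-year ROI framework.
Why turn to Winners Consulting for help with business continuity management (BCM) issues?
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) is a Taiwan consulting firm focused on business continuity management (BCM) and ISO 22301 certification guidance, with extensive experience across the financial, manufacturing, technology, and services sectors. Our consulting team combines ISO 22301 Lead Auditor qualifications with a practical BCM planning background, and can turn the quantitative methodologies of international risk management research such as Basel II into BIA processes and BCP documents that Taiwan enterprises can execute immediately. Winners Consulting provides a one-stop service from current-state diagnosis, mechanism design, BCP drafting, and exercise planning through to accompanying the client through certification, helping enterprises complete ISO 22301 certification within 7 to 12 months. We also offer a free BCM mechanism diagnostic, so that enterprises can assess their BCM maturity at no risk before deciding where to direct their next resource investment.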
