Abstract: Operational risk is fundamentally different from all other risks taken on by a bank. It is embedded in every activity and product of an institution, and in contrast to the conventional financial risks (eg market, credit) is harder to measure and model, and not straightforwardly eliminated through simple adjustments like selling off a position. While it varies considerably, operational risk tends to represent about 10–30 per cent of the total risk pie, and has grown rapidly since the 2008–2009 crisis. It tends to be more fat-tailed than other risks, and the data are poorer. As a result, models are fragile — small changes in the data have dramatic impacts on modelled output — and thus required operational risk capital is unstable. Yet the US regulatory capital regime, the central focus of this paper, is surprisingly more rigidly model-focused for this risk than for any other. The authors are especially concerned with the absence of incentives to invest in and improve business control processes through the granting of regulatory capital relief, and make three, not mutually exclusive, policy suggestions. First, address model fragility directly through regulatory anchoring of key model parameters, yet allow each bank to scale capital to their data using robust methodologies. Secondly, relax the current tight linkage between statistical model output and required regulatory capital, incentivising prudent risk management through joint use of scenarios and control factors in addition to data-based statistical models in setting regulatory capital. Thirdly, provide allowance for real risk transfer through an insurance credit to capital, encouraging more effective risk sharing through future product innovation. Until the understanding of operational risks increases, required regulatory capital should be based on methodologies that are simpler, more standardised, more stable and more robust.