In August 2018, the Bank of Ghana revoked the licenses of five commercial banks in a single day. No external shock. No market crash. The cause was inadequate operational risk management — poor governance, weak internal controls, and the absence of structured risk frameworks eroding institutions from the inside.
That episode cost Ghanaian taxpayers over GHC 12 billion. It also permanently changed what West Africa's regulators expect from risk managers.
In 2026, those expectations are enforceable — and the CBN and BoG are in full supervision mode.
The two forces redefining ORM in 2026
Two parallel developments are making operational risk the defining compliance challenge across Nigeria and Ghana right now.
Capital pressure in Nigeria. On March 28, 2024, the CBN announced a sweeping recapitalization directive with a March 31, 2026 deadline. Minimum paid-up capital requirements jumped to 500 billion Nigerian naira (NGN) for international banks, NGN 200 billion for national banks, and NGN 50 billion for regional banks. According to S&P Global Ratings, the sector-wide capital shortfall was approximately NGN 2.5 trillion. Banks raising that capital through M&A or rights issues must simultaneously prove to the CBN that their risk governance is strong enough to steward it.
Basel III alignment across both markets. Nigeria and Ghana are both advancing toward Basel III's standardized approach to operational risk. The Bank of Ghana joined the Basel Consultative Group of the BCBS in 2021, signaling an unambiguous regulatory direction. This changes what risk teams are expected to produce, report, and evidence to supervisors — not at some future date, but now.
What each regulator specifically requires
CBN vs. Bank of Ghana: Operational Risk Management Requirements at a Glance
| Requirement | CBN (Nigeria) | BoG (Ghana) |
| Risk Framework | Mandatory under Basel II/III and ICAAP | Mandatory under Risk Management Directive (Act 930) |
| Cybersecurity Assessment | Annual submission to CBN by Feb 28 | Mandatory cyber-resilience controls |
| Outsourcing Risk | Third-party and agent banking guidelines | New Outsourcing Directive — effective July 2025 |
| NPL Threshold | 5% maximum | 5% maximum — December 2026 deadline |
| Board Accountability | Capital planning and governance | Must approve and review risk strategy annually |
| Enforcement | License revocation, fines, executive dismissal | Dividend/growth restrictions, license revocation |
Nigeria: what the CBN is watching
The CBN's Risk-Based Cybersecurity Framework, effective July 2024, creates specific documentation obligations: annual risk assessments, a cybersecurity risk control self-assessment submitted to the CBN by February 28 each year, and formal quantification of the financial impact of cyber risks. This is not a guideline — failure to comply triggers regulatory sanctions.
Enforcement in 2024 made the CBN's posture clear. Heritage Bank's license was revoked for insolvency. Fidelity Bank was fined NGN 555.8 million for data-privacy breaches. Over 4,000 BDC licenses were withdrawn for AML/CFT failures. In January 2026, the CBN added a new operational directive: banks must reduce fraud response times to under 30 minutes.
Key point: Recapitalization isn't just a capital event — it's an operational risk event. Banks going through mergers or acquisitions face elevated people risk, systems integration risk, and control gaps during transition. Risk teams must be in the room from day one, not after the deal closes.
Ghana: what the BoG is watching
The BoG's Risk Management Directive requires all Regulated Financial Institutions (RFIs) to maintain frameworks that identify, measure, evaluate, control, mitigate, and report all material risks — with demonstrated evidence that those systems actually function.
In 2025, the BoG added two more layers. Its NPL reduction notice (BG/GOV/SEC/2025/23) mandates banks to stay below a 5% NPL ratio by December 2026, with dividend and growth restrictions for those that breach it. And the Outsourcing Directive, effective July 2025, requires banks to formally assess, approve, and risk-manage all outsourced functions — including core processes delegated to third-party vendors.
Where most banks still fall short
Research published in late 2024, examining 23 Ghanaian banks over 18 years, found a direct correlation between inadequate operational risk management and bank failures, takeovers, and reduced profitability. A separate study on Basel III implementation identified the top challenges risk staff report: unclear roles across the three lines of defense, inconsistent reporting, and weak risk culture communication.
In Nigeria, the recapitalization wave introduces new operational exposure. Post-M&A integration — systems, people, data, and processes under significant time pressure — is one of the highest-risk periods any bank goes through. And it routinely receives less risk oversight than credit or market exposures.
The common thread in both markets: Risk data is still largely manual in many institutions. Spreadsheets. Disconnected tools. No real-time KRI monitoring. This creates the exact data quality and latency problems that regulators flag in every examination cycle.
What risk managers need to do — now
This is where regulatory expectations translate into concrete actions. Not someday — before the next examination cycle.
Formalize your risk identification and measurement process. Both the CBN and BoG expect structured, documented risk registers that link operational risks to controls — and evidence that this information flows to the board. If it lives in spreadsheets, that is the first gap to close. A structured operational risk management system allows teams to centralize risk registers, link controls, and generate audit-ready reports.
Build and monitor KRIs systematically. Key Risk Indicators are the early warning system supervisors want to see working. Transaction error rates, system downtime, fraud loss ratios, staff turnover in control functions — these need defined thresholds and escalation triggers, not periodic manual reviews. This is not optional under Basel III alignment; it is the expected standard.
Close the cybersecurity documentation gap. For Nigerian banks specifically, the CBN's cybersecurity self-assessment is an annual deliverable with a hard deadline. If it is not documented and structured, that is a live regulatory exposure. Mapping controls to ISO 27001 is the most direct path to building that structure.
Review your outsourcing risk inventory. Ghanaian banks need to assess every outsourced function against the BoG's 2025 Outsourcing Directive — materiality classification, prior approval where required, and explicit reflection in the operational risk framework. The BoG expects evidence of this at examination.
Include risk in M&A integration planning from day one. Nigerian banks undergoing mergers or capital raises must treat integration itself as an operational risk event, with dedicated risk workstreams for people dependencies, data migration, and control gaps during transition.
What regulators are actually looking for
Beyond specific requirements, the supervisory lens across West Africa has shifted — from checking compliance boxes to assessing whether risk management is genuinely embedded in how an institution operates.
As noted in Africa's New Regulatory Horizon, regulators across the continent are moving decisively from reactive, crisis-driven oversight to forward-looking, risk-sensitive supervision. In an examination, that translates to four concrete questions:
- Does the board receive structured ORM reporting — not just compliance updates?
- Are KRI thresholds calibrated to the bank's stated risk appetite?
- Does the risk function have enough independence to escalate issues without interference?
- Has the bank tested its resilience through documented stress scenarios and business continuity exercises?
Institutions that can answer yes to all four — with documented evidence — are in a fundamentally different position with their regulator than those that cannot. The difference matters for licensing decisions, for supervisory ratings, and increasingly, for access to capital markets.
The CBN's March 2026 recapitalization deadline is the most visible pressure point for Nigerian banks. But it sits inside a broader shift: both regulators are building banking systems where operational risk is a board-level governance discipline, not a back-office function.
Banks that build structured, technology-supported ORM functions now — rather than waiting for the next examination cycle — will do more than satisfy their regulators. They will make better decisions, absorb shocks more effectively, and be better positioned as West African markets continue to integrate into the broader African financial system.
The 2018 license revocations in Ghana were a warning. In 2026, the expectation is that the lesson has been internalized.
Want to see how Pirani's ORM system maps to CBN and BoG requirements? Book a demo →
Get to know the fundamental principles of Basel in banking
South Africa & Ghana: The Continent’s Regulatory Laboratories
Emerging Risks in Africa: PAPSS, Cybersecurity, Fintech & Climate
From Compliance to Resilience: 2026 Redefines Risk Management in Africa
Navigating Risk Management in Banking: A Complete Guide
No Comments Yet
Let us know what you think