How to Rob a Bank
Rajiv Rajendra · Book Proposal
Private preview · Not for distribution
Shared for proposal review only

Operational Risk · Field Manual

How to Rob a Bank

A Field Manual for Spotting Loopholes in Banking Processes Before Someone Else Does


Banks spend billions on compliance. And yet banks are robbed every day - not with masks and guns, but with system logins, vendor IDs, and the quiet cooperation of people who just followed the process.

"If you can't understand how to rob your own bank, you won't know how to protect it."
15 chapters. 15 banking functions. Each opens with a first-person heist narrative - operationally grounded, no jargon. Then the same loss told again with no criminal: a broken process, a misconfigured system, a rate table that was wrong from day one. Every chapter closes with the full diagnostic toolkit to stop it happening in your institution.

Built on the PILC Process Integrity Lifecycle - a proprietary nine-stage framework developed over 25 years of practitioner work around the world - and mapped to a 15×15 control matrix that produces a board-ready risk heat-map in two hours.
$485.6B · Global fraud losses, 2023 · Nasdaq / Oliver Wyman, 2024 Global Financial Crime Report
$4.76 · True cost per $1 lost to fraud · LexisNexis Risk Solutions True Cost of Fraud Study, 2024
$206B · Spent on compliance globally p.a. · LexisNexis / Forrester Financial Crime Compliance Study, 2023
98–99% · Of banks saw compliance costs rise in 2023 · Forrester / LexisNexis, 2023

What makes it different

The gap no other book fills

01
Perpetrator's lens, protector's toolkit
The only operational risk book where you first experience the exploit from inside it, and then get every tool needed to close it. The first-person heist narrative is not a literary device but an honest, direct way to make a control gap real to someone who has never experienced one.
02
The negligence twin - unique in risk literature
A heist is mirrored by the same loss with no criminal - the same money going out of the same door, but without a fraudster. These could be broken processes, rate table errors, or systems that generated losses by design. The difference between fraud and operational error is intent. The controls that prevent one generally prevent the other. We haven't come across an existing risk text that makes this argument structurally, chapter by chapter.
03
Built on PILC - a proprietary nine-stage framework
The Process Integrity Lifecycle maps every fraud mechanic and operational error to the stage where it originates and not where it surfaces. Negligence concentrates at Stages 1–4 (design decisions made before money moves). Fraud activates at Stages 5–7 (where legitimate processes create cover). Controls collapse at Stage 8. Governance debates what was visible all along at Stage 9. Developed and validated across 25 years of practitioner engagement around the world: both as a banker handling one's own processes, and a consultant helping others fix or build theirs.
04
Workshop-native - 90 minutes, one chapter, real output
Each chapter is a complete facilitated session which can be a review for current processes, or a discussion to build new ones. The heist is read aloud, red flags are circled, and RCSA entries are written. Owners and dates are assigned before the room empties. No implementation phase required. The book can be a delivery vehicle, not the preamble to one.
05
Written for the room that decides, not just the room that manages
This is a rare operational risk book written for CEOs, boards, and audit committee chairs who need to understand the threat without becoming risk specialists. Framework books have tools but no story. Finance narratives have story but no tools. This book has both: you can hand it to a board chair on a long-haul flight and have them return with five questions they have never thought to ask before.

The 15 chapters

15 banking functions. 15 heists. 15 fixes.

Each chapter covers a distinct functional area of a modern bank, paired with a negligence twin and the full Anti-Heist Toolkit.

The Anti-Heist Toolkit

What every chapter equips your team with

Six to eight assets per chapter, QR-linked from the printed book. Free essentials included with purchase. Full institutional toolkit available at publication.

01
Diagnostic questionnaire
Identify your institution's specific exposure to this chapter's failure mode before you run the workshop session.
Interactive · Free with book
02
RCSA template
Ready-to-paste RCSA entry: Risk → Key Control → Rating → Residual → Action Plan. Copy directly into your register.
Excel download · Free with book
03
Risk heat-map
Stage-by-stage view of where this risk hides and where controls give false comfort. Formatted for board packs.
Visual PDF · Free with book
04
Implementation guides
Step-by-step control remediation sequenced by PILC stage. Includes owner assignment and evidence requirements per control.
PDF · Institutional toolkit
05
RACI matrix
Editable responsibility matrix mapping First, Second, and Third Line obligations for each control area in the chapter.
Editable template · Institutional toolkit
06
SQL / code samples
Detection query templates for the chapter's key red flags. Vendor-agnostic and annotated for adaptation to your environment.
GitHub-style · Institutional toolkit
07
Video walkthrough
15–20 minute facilitated guide for running the chapter as a workshop session. Timing notes and discussion prompts included.
Video · Institutional toolkit
08
Chapter cross-reference
Mapped links to related risk patterns across the other 14 chapters. For thematic reviews by Basel event type or PILC stage.
PDF · Free with book

Proprietary frameworks

The intellectual backbone

Five original frameworks developed over 25 years of practitioner work. Not new labels for existing concepts. Each validated across multiple banking contexts around the world.

PILC
Process Integrity Lifecycle
Nine-stage model from Business Design to Reporting and Governance. Maps every fraud mechanic and error to where it originates. The diagnostic backbone of every chapter and the 15×15 matrix.
Risk 3D
Intent · Capability · Action
Connects risk management to real business outcomes across three dimensions. Designed as a fast-diagnosis overlay on COSO or ISO 31000 - not a replacement. Works as both shield and growth lever.
IMAGE
Identify · Measure · Account · Govern · Evaluate
Five-step risk methodology for moving from recognition to action. Introduced in The Handbook of Global Corporate Treasury (Wiley). Applied across multiple jurisdictions and institution types.
Lead-3D
Goals · Knowledge · Action
Leadership framework for risk-aware decision-making across all three lines of defence. Originally developed for financial sector leaders. Extends naturally to risk culture building.
7 Properties
Seven Properties of Invisible Loss
Familiar · Designed-in · Distributed · Trusted · Quiet · Unnamed · Fragmented. Explains why significant losses remain undetected. Different subsets appear in different chapters; this variation is the diagnostic value.

The PILC - nine stages

Stage 1
Business & Process Design
Where negligence originates through design choices accepted unknowingly. The upstream source of most downstream losses.
Stage 2
System Selection & Solution Design
Where gaps are accepted and limitations are embedded. Negligence most concentrated here.
Stage 3
Configuration & Testing
Rules, parameters, UAT. Configuration shortcuts that become permanent design debt.
Stage 4
Deployment & Change Management
"We'll fix it post-go-live" commitments. The ones that never get honoured.
Stage 5
Transaction & Position Processing
The blast radius moment - where the actual loss action occurs. Fraud activates here.
Stage 6
Monitoring & Customer Service
Where red flags appear - and get normalised into the wallpaper of daily operations.
Stage 7
Correction & Exception Handling
The critical convergence point. Where process lapses create chaos that fraudsters exploit as cover.
Stage 8
Reconciliation & Closure
Where numbers get adjusted to reconcile. Controls collapse here in less mature organisations.
Stage 9
Reporting, Audit & Governance
Mature organisations debate controls proactively here. Immature ones argue reactively - after the loss.

The 15×15 control matrix

A board-ready heat-map in two hours

15 functional areas mapped against 15 universal control tests. Completed with evidence-based ratings in a facilitated session, it produces a full institutional risk heat-map ready for your board pack. The sample below shows the chapter and Basel mapping layer with indicative control ratings. Actual ratings are completed against your own evidence.

Ep. · Chapter · Setting · Primary Basel L1 · Secondary · SoD · M-C · Access · KYC/AML · Recon · IEV · Escalation

SoD = Segregation of Duties  ·  M-C = Maker-Checker Quality  ·  IEV = Independent Economic Verification  ·  Full 15×15 matrix in book and institutional toolkit

Scope note

This book focuses on three Basel Level 1 event types: Internal Fraud, External Fraud, and Execution Delivery & Process Management (EDPM). Where CPBP (Clients, Products & Business Practices) appears in the matrix - specifically in Chapters 11 and 13 - it reflects that conduct and process failures in those chapters share identical control roots with the three primary event types. The book addresses these chapters through that shared control lens, not as a conduct risk treatment.

Who this is for

Written for the room that decides

CEOs & Managing Directors
A clear view of where institutional losses originate, in operational language that survives a 45-minute read on a long-haul flight.
Board & Audit Committee
The five questions a technically correct RCSA never asks, surfaced in every chapter. Use them verbatim in your next governance conversation.
Chief Risk Officers
The PILC framework and 15×15 matrix as a rapid diagnostic overlay on any existing RCSA programme, without replacing it.
Business & Operations Heads (1LoD)
Ready-made RCSA entries, fix-it-now checklists, and tech quick wins. One 90-minute session per function, with evidence attached.
Internal Audit & QA
Each heist is a table-top test script. The red flags are a sampling frame. Control weak spots show where evidence of testing is most likely to be absent.
Fintech Operators
Risk culture foundations for organisations building banking products without a legacy of institutional controls. Directly applicable to licensing and regulatory examination preparation.

The author

Rajiv Rajendra
Risk Warrior · Singapore
25 years working at the intersection of banking operations, risk management, and leadership development around the world. Began at Citibank, where work focused on building operations, fixing processes, and advising clients on managing risk.

Founder of Lead-3D, a risk and leadership consultancy working with banks, fintechs, and central banks across multiple jurisdictions. Creator of the PILC, Risk 3D, IMAGE, and Lead-3D frameworks. Author of The Handbook of Global Corporate Treasury, where the IMAGE methodology was first published by Wiley, and Lead-3D, published by Penguin Random House.

Trained risk and compliance professionals at central banks and major commercial banks around the world. Active workshop facilitator whose training programmes are the live prototype for every chapter in this book. Visiting Professor at two large institutions with rich legacies.
Former Citi · PILC Creator · Risk 3D · IMAGE Framework · Lead-3D · Wiley Author · Penguin Random House · Central Bank Training · Global work experience

Request the Full Proposal

Full book proposal, sample chapters (E01, E05, E11), and the 15×15 control matrix available for immediate review.

rajiv.rajendra@lead-3d.com · For publisher and institutional enquiries · Singapore, 2026