Abstract

The improvement of banks' operational risk management frameworks concerns new requirements addressed in the Basel II Framework, a new capital adequacy regulation proposed by the Basel Committee on Banking Supervision (BCBS). Basel II will apply to internationally active banks and to all banks and investment firms in the EU via transposition of a new Directive into national regulations.

In this context, the national financial supervisory authority, Commission de Surveillance du Secteur Financier (CSSF) in Luxembourg, and a public research centre, Centre de Recherche Public Henri Tudor (CRPHT), have engaged in a joint research project that investigates solutions conformant to ISO/IEC 15504 for assessing operational risk management frameworks implemented in banks.

The ISO/IEC 15504 requirements can meet the CSSF's expectation of consistent, transparent and sound risk assessments, as well as the expectation of promoting enhancements in institutions' risk management practices without dictating the form or operational detail of their policies and practices.

Moreover, although the domain is largely outside the scope of software and systems engineering, the ISO/IEC 15504 process assessment standard provides an adequate solution to the so-called supervisory review process. This adequacy is validated through the structure of Basel II and financial domain requirements. Last but not least, we will show that ISO/IEC 15504 provides an adequate approach to assessing institutions in two sub-domains, namely, the domain of credit operational risk management and the domain of IT risk management (including IT security risk management).

Copyright © 2007 John Wiley & Sons, Ltd.