Operational Risk

Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations.

Owais Siddiqui
28 Sept 2022
2 min read
Updated

Operational risk is one of the three main categories of risk that banks and other organisations must manage, alongside credit and market risk — but it's the broadest and, in some ways, the hardest to pin down. It covers the everyday risk that something inside the business goes wrong. This guide explains what operational risk is, the categories it covers, why it's challenging, and how it's managed — in clear, plain language. It's relevant to anyone studying risk management, banking or finance.

What is operational risk?

Operational risk is commonly defined (following the Basel framework) as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In other words, it's the risk that the organisation's own operations — or events outside it — cause a loss. Unlike credit risk (a borrower defaulting) or market risk (prices moving against you), operational risk arises from how the business runs: its processes, its staff, its technology, and the world around it. Notably, the standard definition includes legal risk but generally excludes strategic and reputational risk.

What operational risk covers

Operational risk is wide-ranging. The Basel framework identifies several broad event categories, which together give a good sense of its scope:

  • Internal fraud — losses from dishonest acts by employees.
  • External fraud — losses from fraud by outside parties (including cyber fraud).
  • Employment practices and workplace safety — losses from employment disputes or unsafe conditions.
  • Clients, products and business practices — losses from improper or negligent dealings with clients, or faulty products.
  • Damage to physical assets — losses from disasters or other physical events.
  • Business disruption and system failures — losses from technology or infrastructure failing.
  • Execution, delivery and process management — losses from failed transaction processing or process management.

From human error and IT outages to fraud and natural disasters, almost any way a business can stumble falls under operational risk.

Some real-world examples

Operational risk becomes concrete when you look at how it actually causes losses. A "fat-finger" trading error, where a dealer mistypes an order, can cost millions in seconds. A major IT outage can stop a bank processing payments for days, with both direct costs and reputational damage. A rogue trader hiding unauthorised positions is internal fraud on a grand scale. A cyber-attack that steals customer data or funds is external fraud. Mis-selling a product to customers can lead to huge compensation bills under "clients, products and business practices". And a natural disaster or fire damaging premises is the physical-asset category. These examples show why operational risk is taken so seriously: the losses can be sudden, severe and varied, and they don't depend on markets or borrowers at all.

Why operational risk is challenging

Operational risk is harder to handle than credit or market risk for a few reasons. It's difficult to quantify — unlike market risk, there isn't always clean data or a neat model, and many of the biggest operational losses are rare but severe events that are hard to predict. It's diverse, spanning everything from a mistyped trade to a cyber-attack, so no single control addresses it. And it's often tied to human behaviour and culture, which are inherently hard to measure. These features make operational risk a particular focus of attention — and a reason strong controls and a healthy risk culture matter so much.

How operational risk is managed

Managing operational risk follows the general risk-management cycle, applied to operations:

  • Identify the operational risks the organisation faces.
  • Assess their likelihood and potential impact.
  • Control and mitigate — through robust processes, internal controls, segregation of duties, system resilience, staff training and insurance.
  • Monitor — using tools such as key risk indicators (KRIs), internal loss-event data, and scenario analysis to track exposure and spot emerging problems.

Underpinning all of this is a strong risk culture — an environment where people take risk seriously, report issues, and act with care. Because operational risk lives in everyday activity, everyone in the organisation plays a part in managing it. The Basel framework also requires banks to hold capital against operational risk, reflecting its potential to cause serious losses.

Frequently asked questions

What is operational risk?

The risk of loss from inadequate or failed internal processes, people and systems, or from external events — risk arising from how a business runs, as distinct from credit or market risk.

What does operational risk include?

A wide range — internal and external fraud, employment and workplace issues, client/product/business-practice failures, damage to physical assets, business disruption and system failures, and process-management failures.

Why is operational risk hard to manage?

It's difficult to quantify, diverse in nature, often driven by human behaviour and culture, and includes rare-but-severe events that are hard to predict.

How is operational risk managed?

By identifying, assessing, controlling (through processes, controls and resilience) and monitoring it (with KRIs, loss data and scenario analysis) — underpinned by a strong risk culture, and capital held against it.

Build risk skills with Learnsignal

Operational risk is part of modern risk management. Learnsignal's tutor-led ACCA and CIMA courses build the risk and governance foundations behind it — with flexible, supported online study that fits around work.

This page was last updated:

Owais Siddiqui

Expert Tutor at Learnsignal

Qualified professional with years of experience in teaching and helping students achieve their accounting qualifications.

View all posts by Owais Siddiqui

Subscribe to Our Newsletter

Join over 30,000+ Learnsignal students and get regular insights delivered to your inbox.

Ready to Start Your Risk & Quantitative Finance Journey?

Join thousands of successful students who have achieved their qualifications with Learnsignal.

Ready to get started?

Join 100,000+ students across 130 countries. Choose a plan that fits your goals — cancel anytime.

View Pricing