What is Operational Risk?
February 7, 2025
Operational risk refers to the risk of losses or damage to the bank’s reputation resulting from inadequate or failed internal processes, people, systems, or external events. It includes a wide range of factors such as human errors, IT system failures, fraud, legal and regulatory compliance issues, supply chain disruption, and external incidents like natural disasters or cyber-attacks.
Key Learning Points
- Operational risk is the risk of losses (or damage to a bank’s reputation) due to inadequate or failed internal processes, people, systems, or external events
- The Basel Committee on Banking Supervision (BCBS) has defined several categories for operational risk, including: internal fraud; external fraud; employee practices and workplace safety; clients, products, and business practices; damage to physical assets; business disruption and systems failures; and execution, delivery, and process management
- Assessing operational risk involves identifying potential risks and conducting detailed risk assessments to evaluate their likelihood and potential impact
- Operational risk requires ranking and prioritizing the risks, assessing existing mitigation strategies, and continuously monitoring and reviewing the effectiveness of these strategies
Understanding Operational Risk
Operational risk is a type of business risk that arises from the day-to-day operations of an organization. It can have significant and wide-ranging impacts, including financial losses, reputational damage, legal or regulatory penalties, and operational disruption.
Causes of Operational Risk
The causes of operational risk include human errors, IT system failures, fraud, legal and regulatory compliance issues, and supply chain disruptions. They also include external incidents such as natural disasters and cyber-attacks.
The 7 Categories of Operational Risk
The Basel Committee on Banking Supervision has defined a set of risk event categories for operational risk known as the Basel Risk event categories. These categories are:
- Internal fraud: risks arising from acts of fraud committed by individuals within the organization
- External fraud: risks associated with fraudulent acts committed by people external to the organization
- Employee practices and workplace safety: risks related to employment practices, including issues such as discrimination, harassment, workplace accidents, and health and safety concerns
- Clients, products, and business practices: risks associated with the products and services offered by the organization and the practices employed in conducting business
- Damage to physical assets: risks arising from physical damage to the organization’s assets such as buildings, equipment, and infrastructure
- Business disruption and systems failures: risks related to disruptions in business operations and failures of internal systems and processes
- Execution, delivery, and process management: risks associated with failures in the execution, delivery, and management of processes and systems
How to Assess Operational Risk
To assess operational risk, banks typically follow a systematic and comprehensive process that involves several key steps:
- Identification: identify the potential operational risks that are most significant to the bank’s operations
- Risk assessment: conduct a detailed risk assessment to evaluate the likelihood of each risk occurring and the potential impact if the risk did occur
- Risk ranking and prioritization: rank and prioritize the top operational risks according to their level of potential impact and likelihood
- Risk mitigation: assess existing risk mitigation strategies and controls, and where required, develop and implement strategies and controls
- Monitoring and review: continuously monitor and review the effectiveness of risk mitigation strategies and controls
How to Manage Operational Risk
Managing operational risk involves designing and implementing robust policies, procedures, and internal controls to prevent, detect, and mitigate identified risks. This may include deploying technology solutions, conducting training and awareness programs, and establishing risk monitoring and reporting mechanisms.
How Operational Risk Management Works
Banks continuously monitor and review the effectiveness of their risk mitigation strategies and controls through ongoing monitoring of key risk indicators, internal audits and assessments, and staying abreast of changes in the internal and external environment.
Risk Assessment
A detailed risk assessment is conducted to evaluate the likelihood of each risk occurring and the potential impact if the risk did occur. This assessment considers factors such as the frequency and severity of past incidents, the effectiveness of existing controls, and emerging trends in the industry.
Risk Ranking and Prioritization
Based on the risk assessment, banks rank and prioritize the top operational risks according to their level of potential impact and likelihood. This helps in allocating appropriate resources and attention to the most significant risks.
Risk Mitigation Strategies
After identifying and prioritizing the top operational risks, banks assess existing risk mitigation strategies and controls, and where required, develop and implement strategies and controls. This involves designing and implementing robust policies, procedures, and internal controls to prevent, detect, and mitigate the identified risks.
What are the Steps in the ORM Process?
Although banks are required to hold regulatory capital to reduce the risk of bankruptcy from an operational risk event, they must also have internal policies and structures to reduce the likelihood of operational risk events occurring within their organization. The Basel Committee on Banking Supervision has also published a set of principles that it considers relevant for banks when determining how operational risks are managed within their organization.
Strong Risk Culture
Establishing a robust culture of risk management and ethical business practices helps banks minimize potentially damaging operational risk events. Additionally, it equips them to handle such events more effectively. Employees within an organization typically model their behavior based on management’s example. Therefore, the board of directors should implement a code of conduct or an ethics policy to address conduct risk.
Operational Risk Management Framework (ORMF)
Banks must have a comprehensive Operational Risk Management Framework. The board and management should understand the operational risks of their products, services, activities, and systems; this is essential for sound risk management. Banks should create and maintain an Operational Risk Management Framework integrated into their overall risk processes.
Governance
The board of directors should review and approve the operational risk management framework to ensure the bank handles risks from market changes, environmental factors, and new products or activities. Risk appetite and tolerance statements for operational risk should be created by the board and aligned with the bank’s strategic and financial plans.
Governance Structure
The principle of governance extends to the bank’s risk appetite and risk tolerance. Statements regarding risk appetite and tolerance for operational risk should be formulated under the authority of the board of directors and should be aligned with the bank’s strategic and financial plans, both short- and long-term.
Identification & Assessment
Risk identification and assessment are essential components of a successful operational risk management system and contribute to operational resilience. Senior management must ensure thorough identification and assessment of all operational risks inherent in the bank’s material products, activities, processes, and systems to ensure that the risks and incentives are clearly understood.
Change Management
Operational risk in banks changes when they start new activities, develop products, enter unfamiliar markets or jurisdictions, modify business processes or technology, or operate far from the head office.
Monitoring and Reporting
Monitoring and reporting are key aspects of managing operational risk. Senior management should establish a process for regularly monitoring operational risk profiles and significant operational exposures within the bank. They should ensure that reports are comprehensive, accurate, consistent, and actionable across business units and products.
Control and Mitigation
Banks need to implement a robust control environment that uses policies, processes, systems, and suitable internal controls along with risk mitigation and risk transfer strategies. Internal controls are intended to offer reasonable assurance that a bank’s operations will be efficient and effective, its assets will be protected, it will generate reliable financial reports, and it will comply with relevant laws and regulations.
Information and Communication Technology (ICT) Risk
Banks must prioritize Information and Communication Technology (ICT) risk by integrating a robust ICT risk management program within their operational risk framework. Effective ICT performance and security are crucial for proper business operations and achieving strategic objectives.
Challenges and Shortcomings of Operational Risk Management
Operational risk management faces several challenges and shortcomings.
- One significant challenge is the difficulty in aligning operational risk management (ORM) with enterprise risk management (ERM) strategies. This misalignment can lead to gaps in identifying, assessing, and mitigating risks effectively.
- Another challenge is the rapidly evolving risk landscape, which includes new activities, products, and markets. This evolution requires continuous monitoring and updating of risk management processes to ensure they remain effective.
- Data quality is also a critical issue. Poor data quality can hinder the accurate assessment and management of risks, leading to ineffective risk mitigation strategies.
- Regulatory compliance is another area where operational risk management can fall short. Non-compliance with regulations can result in legal penalties and operational disruptions.
- Finally, human factors such as errors, fraud, and inadequate training can significantly impact the effectiveness of operational risk management.
What are Some Examples of Operational Risk?
Examples of operational risk events include:
- Internal fraud, like embezzlement and insider trading
- External fraud, like theft and hacking
- Employee practices and workplace safety, like discrimination and workplace accidents
- Clients, products, and business practices, like mis-selling of products and non-compliance with regulations
- Damage to physical assets, like natural disasters and fires
- Business disruption and systems failures, like IT system outages and supply chain disruptions
- Execution, delivery, and process management, like errors, delays, and inefficiencies
Download our free Financial Edge Operational Risk cheat sheet, which categorizes the risks into the 7 main categories.
Operational Risk vs. Other Types of Risk
Operational risk is distinct from other types of risk, such as credit risk and market risk. While credit risk involves the risk of loss due to a borrower’s failure to repay a loan, and market risk involves the risk of loss due to changes in market prices, operational risk arises from the day-to-day operations of an organization and includes factors such as human errors, IT system failures, fraud, and external incidents.
Conclusion
Operational risk encompasses a wide range of potential issues arising from internal processes, people, systems, or external events. Effective management of these risks involves identifying, assessing, and mitigating them through robust policies, procedures, and continuous monitoring. By doing so, organizations can minimize financial losses, reputational damage, and operational disruption.