Operational Risk:
In today’s dynamic business environment, organizations are exposed to a wide range of risks.
Among these, operational risk is particularly significant because it arises from within the
organization itself. Unlike credit or market risk, which depends on external economic variables,
operational risk stems from internal processes, people, systems, or unforeseen events.
Managing it effectively is crucial for the stability and long-term sustainability of any enterprise,
especially in sectors like banking, healthcare, and manufacturing.
1. Definition of Operational Risk and How It Differs from Other Risks
Operational risk is defined by the Basel Committee as:
“The risk of loss resulting from inadequate or failed internal processes, people, systems, or from
external events.”
This includes everything from fraud, system breakdowns, and human error to external
disruptions like natural disasters or pandemics.
How it differs from other types of risk:
Risk Type | Description | Example
Credit Risk | Risk of loss due to a borrower's failure to repay a loan. | A borrower defaulting on a bank loan.
Market Risk | Risk due to changes in market variables like interest rates or stock prices. | Stock market crash reducing investment portfolio value.
Operational Risk | Risk from internal failures in systems, people, or processes. | System outage in a bank halting customer transactions.
Example:
In 2012, Knight Capital Group, a U.S. financial services firm, lost $440 million in 30 minutes due
to a software glitch that caused the firm’s trading system to malfunction. This is a classic case of
operational risk due to system failure.
Sources of Operational Risk
Operational risks originate from multiple internal and external sources:
a. System Failures
Failure of IT infrastructure or software can halt operations, cause data loss, or lead to financial
loss.
Example: In 2018, TSB Bank (UK) suffered a major IT failure during a systems migration.
Customers lost access to online banking for weeks, resulting in thousands of complaints and a
reputational crisis.
b. Fraud and Misconduct
This includes internal fraud (by employees) and external fraud (by customers, hackers, etc.).
Example: The Wells Fargo scandal (2016) involved employees creating over 2 million fake
accounts to meet sales targets. The bank was fined over $185 million and faced massive
reputational damage.
c. Human Error
Mistakes due to negligence, fatigue, or lack of training can have severe consequences.
Example: In 1999, NASA lost the Mars Climate Orbiter because one team used imperial units
while another used metric. This simple error caused the spacecraft to burn up in Mars'
atmosphere — a $125 million loss.
d. Process Failures
Poorly designed or outdated processes can lead to operational disruption.
Example: In 2013, Target (USA) suffered a massive data breach affecting over 40 million
customers due to poor internal controls over its payment system.
e. External Events
These include pandemics, terrorism, cyber attacks, or natural disasters.
Example: The COVID-19 pandemic caused massive disruptions in global supply chains and
forced companies to adapt to remote work, revealing both technological and operational gaps.
Risk Measurement Techniques
Measuring operational risk is difficult because it doesn’t always follow a predictable pattern.
However, the following tools help organizations assess and manage it effectively:
a. Loss Event Data (LED)
Historical data on past losses helps identify high-risk areas.
Example: A bank tracking internal fraud cases over 5 years may find that most incidents
occurred in retail branches with weak controls. This data helps target improvements.
b. Scenario Analysis
It involves creating hypothetical but plausible risk events and estimating their potential impact.
Example: A hospital may simulate a scenario where its database is hacked, causing loss of
patient records, and estimate the cost of recovery, legal penalties, and reputational loss.
c. Risk and Control Self-Assessments (RCSA)
Employees assess their own departments’ processes to identify vulnerabilities.
Example: An airline’s operations team may report that its baggage tracking system is outdated
and error-prone, prompting upgrades before major loss occurs.
d. Key Risk Indicators (KRIs)
These are metrics that act as early warnings for increasing risk.
Example: A spike in customer complaints on an e-commerce platform could signal growing
operational issues in logistics or customer service.
Mitigation Strategies
Once identified and measured, operational risks must be mitigated through strategic actions.
Common mitigation strategies include:
a. Internal Controls
These involve policies and procedures that ensure tasks are carried out correctly and safely.
Example: Banks use dual authorization systems for wire transfers, ensuring that no single
employee can complete a large transaction alone.
b. Compliance Frameworks
Ensure the organization adheres to laws and industry regulations.
Example: Pharmaceutical companies implement Good Manufacturing Practices (GMP) to
comply with health regulations and avoid recalls.
c. Business Continuity and Disaster Recovery Plans (BCP/DRP)
These ensure that critical operations continue even after a disruption.
Example: After the 9/11 attacks, many Wall Street firms adopted stronger disaster recovery
plans by setting up remote data centers and backup offices in different cities.
d. Employee Training and Awareness
Regular training helps staff recognize and avoid risky behavior.
Example: Cybersecurity training helps employees avoid phishing scams, reducing the risk of
data breaches.
e. Technology and Automation
Modern systems can reduce human error and improve process efficiency.
Example: Amazon uses AI and robotics in its warehouses to minimize errors in order fulfillment
and improve speed.
Conclusion
Operational risk is an unavoidable part of running any organization, but it can be managed with
foresight, planning, and robust systems. Unlike financial risks, operational risk is often rooted in
internal inefficiencies, mistakes, or unforeseen events. As seen in cases like TSB’s system
failure, Wells Fargo’s fraud scandal, or the COVID-19 pandemic, failure to address operational
risk can lead to enormous financial and reputational damage.
Organizations must continuously assess their vulnerabilities, learn from past events, and
strengthen their internal controls. By using tools like loss event data, scenario analysis, RCSA,
and key risk indicators, and by implementing strong mitigation strategies, businesses can
ensure resilience and long-term success in an uncertain world.