Operational Risk: 7 Examples of Risk Management

Operational risk is the risk of loss due to failed internal processes or external events at a business, bank, or other financial institution. Operational risk involves the legal risks in response to the disruption of day-to-day business operations; it does not involve reputational risk or strategic risks.

A bank, insurance company, or financial institution uses operational risk as a metric to aggregate types of potential business disruption or breakdown in everyday business processes. The Basel Committee on Banking Supervision’s seven categories of operational risk include:

1. 1. Business disruption and system failure: A sorting error causing an interruption in business continuity and preventing the fulfillment of orders, or a system crash in a business heavily dependent on automation, are operational risk events for retail, logistics, and shipping industries, among others.
2. 2. Clients, products, and business practices: A company selling a faulty new product, either knowingly or unknowingly, or engaging in anti-competitive practices through price-fixing or illegal mergers, would be engaging in a high degree of operational risk.
3. 3. Damage to physical assets: Natural disasters or human errors can damage business units. If a tornado destroys a warehouse or an employee accidentally damages a computer server, the potential loss of the company assets forms an operational risk exposure.
4. 4. Employment practices and workplace safety: If there is a violation of standards in workplace safety, illegal outsourcing of protected jobs, or flouting of regulatory rules, the company’s potential liability in fines and lawsuits is another form of operational risk.
5. 5. Execution, delivery, and process management: If there is a flaw in the data entry process, an accounting error, or another problem in the business’s ability to meet its obligations, a company risks experiencing losses.
6. 6. External fraud: If a client defrauds a financial services company or a hacker steals valuable information by exploiting lax cybersecurity, the losses incurred could be severe.
7. 7. Internal fraud: This is when an employee or employees committing a type of fraud, such as embezzlement, damages a business. A member of senior management stealing company assets or committing insider trading would also fit in this category.

Improper management of operational risk can affect the levels of financial risk in business, but the two categories are considered distinct. Financial risk refers to the potential for a company to fall short of its financial obligations, such as paying down its debts, meeting weekly payroll obligations, or maintaining a proper level of investment in company infrastructure. Thus, financial risk refers to the quality of investments, overall fiscal strategy, capital requirements, and chances of maintaining consistent revenue. Credit risk and market risk are types of financial risk.

Mitigation of operational risk is an essential part of business operations. Companies will often employ specialists that focus specifically on risk assessment, or hire outside consultants to assess potential loss events. Below are some of the methodologies for building a solid risk management framework:

1. 1. Do a self-assessment. Operational risk management (ORM) will differ significantly from industry to industry and even from business to business. To begin the process of mitigating risk for internal control, identify the specific operational risk profile and the key indicators of potential risk in your industry. Risk identification will help lead your operational risk measurement plan.
2. 2. Gather Information. When you have a reliable action plan in place, the next step is to ensure you will have access to the information necessary to assess different factors and their levels of risk accurately. Good business decision-making is dependent on good information, so budget for adequate data collection.
3. 3. Make quantitative decisions. One of the challenges of an operational risk assessment process is that it is difficult to put a specific number on risk measurement. The more data you have, the better chance you have to make a quantitative decision about what your company is willing to take on, in terms of risk appetite.
4. 4. Empower your employees. When you know the different types of operational risk your business faces, share that information and the plan for risk mitigation with the stakeholders. A well-run company will have business line managers overseeing operational risk at all levels, from human resources to supervisory levels. Some companies might employ specific roles, like chief risk assessment officers or compliance managers, whose job is to monitor and help manage risk levels and business activities.
5. 5. Model and adjust. Circumstances will change with time, even in relatively stable industries, and it’s essential to update your ORM process accordingly. Perform scenario analysis with different forecasting models and key risk indicators to see how a risk factor might impact your business. It’s also good to compare risk loss data from other related business environments. Do periodic check-ins to see if your risk management team needs additional support. Be ready to do a real-time recalculation of the risk-to-reward ratio and your risk control measures as the business grows.
6. 6. Have a backup plan. Expert risk assessment models cannot anticipate every event or accurately measure the risk of operational loss that may ensue. It’s always a good idea to have contingency plans in place for when something goes wrong. Effective operational risk management will go a long way in keeping your business resilient.

Get the MasterClass Annual Membership for exclusive access to video lessons taught by business luminaries, including Sara Blakely, Chris Voss, Robin Roberts, Bob Iger, Howard Schultz, Anna Wintour, and more.