What is Operational Risk?

Operational risk is one of the more confusing categories of risk that affect commercial businesses. This is because it is often not clear what exact risks are classified as operational risks.

In this article, we will try to provide a clear explanation of the kinds of risks that the term ‘operational risk’ encompasses.

A commonly used definition of operational risk is…

‘The risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.’

The Basel Committee on Banking Supervision

Operational risks are a broad category of risks that businesses face. This category of business risk largely covers the human side of risk but also covers a large variety of other risks. Operational risks can be either internal or external to a business and are usually generated by people, processes, systems, technology, and external events.

Previously defined as all business risks that are not credit or market risk, operational risk differs from market risk and credit risk in that it is not willingly incurred by a business or driven by market forces.

While it is difficult to pin down exactly what operational risks a business may face, it is helpful to look at them as the risks that a company does not choose to take on as an inherent part of its line of business.

What is Market Risk?

Market risk is the risk that a business will be negatively affected by a change to market conditions in a market in which it operates. Examples of market risk are changes to prices (this could be for something a company produces or a commodity it buys, for example), changes to interest rates, or changes to currency exchange rates.

What is Credit Risk?

Credit risk is the risk that a borrower will default on a debt. A company, when owed money by a debtor, can suffer a complete or partial loss of this money as a result of a default on the part of the debtor. In addition to this, credit risk also covers the risk that the company will experience cash flow disruption and costs associated with debt collection in the course of business.

What Types of Operational Risk are There?

Operational risk can be divided into two broad categories. Those are risks that are internal to a business and risks which are external to a business.

Internal Operational Risks

The most frequently quoted internal operational risks are…

Operational Process Failures

Errors, such as errors in accounting, data entry, or the dissemination of incorrect information can prove to be costly when they are related to fundamental areas of the business. As an extreme example, in 2020 a clerical error at Citigroup led to an inadvertent transfer of hundreds of millions of dollars (around 900 million) to the wrong recipient which was not recovered.

As well as these kinds of operational failures, there are a huge variety of others that can arise. A failure to relay information to the necessary recipients, for example, could lead to incorrect courses of action being followed.

Business System Failures

Failures of the systems on which a business relies in order to operate can often be costly. A common modern example is failures in IT systems. For some companies, a failure in IT systems can not only cause internal operations to halt but can also cause income to be paused. The October 2021 Facebook outage, for example, affected Facebook, WhatsApp and Instagram cost almost $100,000,000. While most firms will lose much less than this, IT system failures can be a serious operational risk.

As well as IT failures, machinery breakdowns, or failures in utility supply amongst other things, can all cause financial loss. A failure of water supply within a production plant, for example, could cause a halt in production.

Strategic Failings

Strategic failings can occur when an organisation’s management elects to follow a strategy that is detrimental to a company’s overall performance. If, for example, the management of a firm chooses to pursue sales in a market in which a company is not properly suited, the company will be likely to be unable to meet this aim. As a result of this, income will be reduced and the business will suffer.  

In many definitions, strategic risk is not actually included within operational risk but is classed as a type of risk of its own.

Internal Fraud and Other Criminal Activity

The risk of fraud or other criminal activity taking place within an organisation can be of major concern.

The theft of funds or assets by staff is, unfortunately, one major risk associated with employing staff. In many cases, this can go unnoticed and have a very detrimental effect over a long course of time. As well as theft from the firm, there is also the risk that employees will commit acts of fraud, bribery, tax evasion, or other criminal acts within the course of business. In many cases, a company can incur a very high cost as a result of this type of activity.  

Health and Safety and Workplace Practice Failings

Accidents or events which cause claims to be made against a company can prove to be very costly. Compensation for isolated accidents or claims made on a larger scale is all examples of operational risk which can mainly be attributed to human failings within systems of management.

As well as failures in the management of health and safety, failures to follow workplace practices that prevent actions, such as discrimination, can prove to be costly.  

External Operational Risks

The most frequently quoted external operational risks are…

Industrial Accidents

Accidents that prevent a company from operating normally can all prove to be costly. If, for example, a production facility is damaged by a fire that takes place on a neighbouring property this could completely close operations for a period of time. Alternatively, accidents that affect transport networks may cause a delay in the supply of materials needed for production.

These events take place without a company having any involvement but can still have a detrimental effect on its financial performance.

Natural Events

Similarly, natural events can cause disruption to the normal operation of a business. In some instances, such as the 2011 tsunami in Japan, natural events can be particularly devastating and have very long-lasting effects. However, other natural events are more isolated or less drastically economically damaging while still being significant for certain businesses.

Generally speaking, damage to a firm’s assets and damage to supply and distribution networks are the biggest problems that arise as a result of natural events.

External Fraud

It is not only fraud and criminal activity within a firm that can affect its financial performance. As with a company’s own staff, there is a risk of being affected by criminal activity which takes place outside of a company. Again, theft and fraud can both lead to direct financial losses. On top of this, nowadays, there is a serious risk posed by hacking and information theft. The theft of information has been of particular notoriety in recent years with a number of different companies being affected.

Health Crises

The coronavirus pandemic has been an event of huge magnitude to many businesses with high costs for many and long-lasting implications for the value of some firms. While it may seem to be an isolated incident, many commentators predict that health crises may now continue to have a bigger impact on global and localised trade. Additionally, while health crises, like the coronavirus pandemic, may be rare in places like Europe and America, in other parts of the world they are more common.

Intentional Acts of Sabotage

As with criminal activity, intentional acts of sabotage made within the course of the war, a period of civil disorder, or act of terrorism may also cause damage to a company’s assets or affect its ability to do business by disrupting a business’ networks.