Operational Risk

Business, Legal & Accounting Glossary

Definition: Operational Risk


Operational Risk

Quick Summary of Operational Risk


Operational Risk is the risk that will impose unexpected losses on an organization due to unexpected issues. These losses are due to a computer system failure, internal fraud, legal risk, and natural disasters among others, and are exacerbated by a lack of internal processes that would minimize the financial. A Risk Manager must conduct a Risk assessment of any new processes that will be added into the system to ensure the risks do not outweigh the benefits.




Full Definition of Operational Risk


The Basel Committee (2004) defines operational risk as: the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

The committee indicates that this definition includes legal risk but excludes systemic risk and reputational risk.

During the 1990s, financial firms and other corporations focused increasing attention on the emerging field of financial risk management. This was motivated by concerns about the risks posed by the rapidly growing OTC derivatives markets; publicized financial losses, including those of Barings Bank, Orange County and Metallgesellschaft; regulatory initiatives, especially the Basel Accords.

During the early part of the decade, much of the focus was on techniques for measuring and managing market risk. As the decade progressed, this shifted to techniques of measuring and managing credit risk. By the end of the decade, firms and regulators were increasingly focusing on risks “other than market and credit risk.” These came to be collectively called operational risks.

This catch-all category of risks was understood to include:

  • Employee errors,
  • Systems failures,
  • Fire, floods or other losses to physical assets,
  • Fraud or other criminal activity.

Firms had always managed these risks. The new goal was to do so in a more systematic manner. The approach would parallel – and be integrated with – those that were proving effective with market risk and credit risk.

The task appeared daunting. Financial institutions and regulators had had to dedicate considerable resources to managing market risk and credit risk, and those were well-known narrowly-defined risks. Operational risk was anything but well defined. People disagreed about the specific contingencies that should be considered operational risks – should legal risks, tax risks, management incompetence or reputational risks be included? The debate was more than academic. It would shape the scope of initiatives to manage operational risk.

Another problem was that operational contingencies don’t always fall into neat categories. Losses can result from a complex confluence of events, which makes it difficult to predict or model contingencies. In 1996, the Crédit Lyonnais trading floor was destroyed by fire. This might be categorized as a loss due to fire. It might also be categorized as a loss due to fraud – investigators suspect employees deliberately set the fire in order to destroy evidence of fraud.

The Basel Committee outlined basic practices in a (February 2003) paper Sound Practices for the Management and Supervision of Operational Risk. That paper, together with efforts by researchers and risk managers at major banks have helped to shape emerging risk management practices for operational risk.

Most operational risks are best managed within the departments in which they arise. Information technology professionals are best suited for addressing systems-related risks. Back-office staff are best suited to address settlement risks, etc. However, overall planning, coordination, and monitoring should be provided by a centralized operational risk management department. This should closely coordinate with market risk and credit risk management departments within an overall enterprise risk management framework.

Contingencies broadly fall into two categories:

  • Those that occur frequently and entail modest losses;
  • Those that occur infrequently but may entail substantial losses.

Accordingly, operational risk management should combine both qualitative and quantitative techniques for assessing risks. For example, settlement errors in a trading operation’s back-office happen with sufficient regularity that they can be modelled statistically. Other contingencies affect financial institutions infrequently and are of a non-uniform nature, which makes modelling difficult. Examples include acts of terrorism, natural disasters, and trader fraud. Qualitative techniques include:

  • Loss event reports,
  • Management oversight,
  • Employee questionnaires,
  • Exit interviews,
  • Management self-assessment, and
  • Internal audit.

Quantitative techniques have been developed primarily for the purpose of assigning capital charges for banks’ operational risks. Much work in this field was performed by regulators developing the Basel II accord on bank capital adequacy. Early results were reported in a (January 2001) consultative document, which was included in a package of documents outlining the proposed Basel II accord. Extensive industry feedback on that document lead the committee to issue a follow-up (September 2001) working paper on operational risk. A subsequent (April 2003) consultative document made further modifications to Basel II. The final Basel II accord was released in 2004.

Basel II allows large banks to base operational risk capital requirements on their own internal models. This has spawned considerable independent research into methods for measuring operational risk. Techniques have been borrowed from fields such as actuarial science and engineering reliability analysis.

Contingencies of an infrequent but potentially catastrophic nature can, to some extent, be modelled using techniques developed for property & casualty insurance. Contingencies that arise more frequently are more ammendable to statistical analysis.

Statistical modelling requires data. For operational contingencies, two forms of data are useful:

  • Data on historical loss events, and
  • Data on risk indicators.

Loss events run the gamut – settlement errors, systems failures, petty fraud, customer lawsuits, etc. Losses may be direct (as in the case of theft) or indirect (as in the case of damage to the institution’s reputation).

There are three ways data on loss events can be categorized:

  • Event
  • Cause
  • Consequence

For example, an event might be a misentered trade. the cause might be inadequate training, a systems problem or employee fatigue. Consequences might include a market loss, fees paid to a counterparty, a lawsuit or damage to the firm’s reputation. Any event may have multiple causes or consequences. Tracking all three dimensions of loss events facilitates the construction of event matrices, identifying the frequency with which certain causes are associated with specific events and consequences. Even with no further analysis, such matrices can identify for management areas for improvement in procedures, training, staffing, etc.

Risk indicators differ from loss events. They are not associated with specific losses, but indicate the general level of operational risk.

Examples of risk indicators a firm might track are:

  • amount of overtime being performed by back-office staff,
  • staffing levels,
  • daily transaction volumes,
  • employee turnover rates,
  • systems downtime.

From a modelling standpoint, the goal is to find relationships between specific risk indicators and corresponding rates of loss events. If such relationships can be identified, then risk indicators can be used to identify periods of elevated operational risk.

Once operational risks have been—qualitatively or quantitatively—assessed, the next step is to somehow manage them.

Solutions may attempt to:

  • avoid certain risks,
  • accept others, but attempt to mitigate their consequences, or
  • simply accept some risks as a part of doing business.

Specific techniques might include: employee training, close management oversight, segregation of duties, purchase of insurance, employee background checks, exiting certain businesses, and the capitalization of risks. Choice of techniques will depend upon a cost-benefit analysis.


Cite Term


To help you cite our definitions in your bibliography, here is the proper citation layout for the three major formatting styles, with all of the relevant information filled in.

Page URL
https://payrollheaven.com/define/operational-risk/
Modern Language Association (MLA):
Operational Risk. PayrollHeaven.com. Payroll & Accounting Heaven Ltd.
March 29, 2024 https://payrollheaven.com/define/operational-risk/.
Chicago Manual of Style (CMS):
Operational Risk. PayrollHeaven.com. Payroll & Accounting Heaven Ltd.
https://payrollheaven.com/define/operational-risk/ (accessed: March 29, 2024).
American Psychological Association (APA):
Operational Risk. PayrollHeaven.com. Retrieved March 29, 2024
, from PayrollHeaven.com website: https://payrollheaven.com/define/operational-risk/

Definition Sources


Definitions for Operational Risk are sourced/syndicated and enhanced from:

  • A Dictionary of Economics (Oxford Quick Reference)
  • Oxford Dictionary Of Accounting
  • Oxford Dictionary Of Business & Management

This glossary post was last updated: 26th April, 2020 | 0 Views.