
Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Regulatory definitions vary at the margins: the Basel Committee's definition, for example, includes legal risk (fines, penalties, settlements) but excludes strategic and reputational risk, and many other frameworks follow the same boundary.

Expanded Explanation

1. Technical Function and Core Characteristics

Operational risk refers to loss events that arise from day-to-day operations rather than from market, credit, or liquidity exposures. It includes failures in process execution, human error, internal or external fraud, technology breakdowns, and disruptions caused by external incidents.

Regulators and standards bodies define operational risk so that institutions identify, measure and allocate capital for it consistently. Many frameworks categorize loss events into standardized buckets; the seven Basel II event types, for example, are internal fraud; external fraud; employment practices and workplace safety; clients, products and business practices; damage to physical assets; business disruption and system failures; and execution, delivery and process management. Under this taxonomy a cyber incident is not a category of its own: a data breach by an insider is classified as internal fraud, a phishing-driven payment diversion as external fraud, and a ransomware outage as business disruption and system failures.

2. Enterprise Usage and Architectural Context

Enterprises use operational risk classifications and taxonomies to structure risk and control assessments, scenario analysis, key risk indicators, and loss data collection. These practices support regulatory capital calculations in sectors such as banking and inform Enterprise Risk Management (ERM) across industries.

In technology and data architectures, operational risk management connects to IT service management, cybersecurity, business continuity, and internal control frameworks. Organizations map operational risk exposures to business processes, applications, infrastructure components, and third-party services to support monitoring, reporting, and governance.

3. Related or Adjacent Technologies

Operational risk management often relies on Governance, Risk, and Compliance (GRC) platforms that consolidate risk registers, control libraries, incident data, and workflow. These platforms integrate with Security Information and Event Management (SIEM), identity and access management, and IT service management systems to capture relevant events.

Standards and methodologies such as ERM frameworks, internal control frameworks, and business continuity and resilience standards provide reference models for organizing operational risk practices. In regulated sectors, supervisory guidelines define expectations for operational risk frameworks, data, and model governance.

4. Business and Operational Significance

Operational risk management supports the continuity and reliability of services, protection of customers and employees, compliance with laws and regulations, and the safeguarding of assets. It also supports determinations of regulatory capital and insurance coverage in applicable industries.

Senior management and boards use operational risk reporting to understand exposure to process failures, technology outages, cyber incidents, fraud, and external disruptions. This reporting informs decisions about control investments, outsourcing, resilience planning, and product or process design.