Operational Risk and Its Importance as a Risk Function
The importance of operational risk has been highlighted by several high-profile events, such as the collapse of Barings Bank in 1995 due to rogue trading by Nick Leeson. I won’t name and shame anyone (UBS) but the city has hardly learned its lesson. Operational risk has emerged as a critical component of risk management frameworks within institutions. Unlike market, credit, or liquidity risk, which are primarily concerned with wholesale or counterparty financial metrics, operational risk focuses on the losses arising from internal processes. I have had experiences with each risk team within a firm, and it felt right to start this series of risk articles with this one because of its striking importance in our daily lives.
Understanding Operational Risk and Its Significance
Every day, we rely on others. Whether it’s the tube to get us to work, Man United’s starting XI to dictate our weekend’s joy or our laptop to create PowerPoints or join calls. The outsourcing of our duties creates a network of third parties and systems that we must constantly monitor. So, checking TFL delays or blocking Mark Goldbridge on X would be the anecdotal controls we can put in place for the above scenarios.
The Basel Committee on Banking Supervision (BCBS) defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” Keep the BCBS in mind; they’re super important for banks. This broad definition encompasses a wide range of risk events, from internal fraud and rogue trading to cyber-attacks and natural disasters. These events highlight how operational risk can have severe implications for an organisation’s stability and viability. When I sat on an Operational Risk Management (ORM) desk at a bank in the city, I learned that firms have tolerances for certain operational events and you get a feel for what the risk appetite of that firm is.
Risk managers come to understand that appetite for risk is just the aggregate of individual behaviours and human psychology. Modern-day rogue traders, as they’re so labelled, often never have the malice or intention to dig their division or firm a grave, but fall victim to the human condition of covering mistakes and gambling on fixing things themselves.
Controlling for risk
Operational risk events can vary widely, from HR failures and CrowdStrike disasters to deliberate acts of misconduct and fraud. Each event has its own likelihood and impact materiality, which the firm records and tracks to develop its worst-case losses framework. Understanding ORM involves distinguishing between inherent risk—the risk that exists in the absence of any controls or risk mitigation measures—and residual risk, which is the risk remaining after such measures have been implemented.
The difference between inherent and residual risk raises the importance of controls. Effective controls make sure people are responsible for their remedial actions so that operational risk events don’t happen again. To continue my analogy from earlier, if my Scouse colleague from work texts me live scores of United losing to Liverpool on the weekend, I bestow upon him the ownership of the risk of my weekend being ruined – and so I remind him to not text me on weekends (remedial action). When a firm has open conversations with each business function about what risks they own, it successfully delegates and collaborates on building operational resilience within the firm.
Operational resilience has gained prominence due to the increasing frequency and sophistication of cyber-attacks, natural disasters, and other disruptive events. Regulatory bodies worldwide are now requiring financial institutions to demonstrate robust operational resilience frameworks that ensure continuity of critical services under a wide range of scenarios.
Third-Party Risk Management (TPRM) is another area of increasing importance within operational risk management. As organisations rely more heavily on third-party vendors for critical services—such as cloud computing, payment processing, and customer service—their exposure to third-party risks has grown significantly. The concern is whether we have unbiased ways to verify that when I check the TFL app for delays, it will be reliable.
How can we stay ahead of the curve then?
Key Risk Indicators (KRIs) are forward-looking metrics (KPIs are backward-looking) used to provide an early signal of increasing risk exposure in various areas of an organisation. For instance, a sudden increase in client complaints might indicate potential issues in customer service processes, which could, in turn, escalate into a larger operational risk event if not addressed promptly. I’ll touch on just how important KRIs are for the other risk management functions later on in this series, or as they would call them in their world, early warning indicators.
Remember, ORM does not exist in isolation; it is intrinsically linked with other types of risks. For example, internal system failures in credit assessment processes can lead to inaccurate credit ratings, resulting in greater credit risk exposure. We need to have a view on how a firm prepares for changes in regulatory reporting, such as the BCBS’s upcoming transition to reporting capital charges differently next year through a new regulation – the Fundamental Review of the Trading Book (FRTB). As such, ORM will be keeping a close eye on this external event as a risk they will need to provide controls for so that residual risk is low when FRTB goes live.
Similarly, the Digital Operational Resilience Act (DORA), enacted by the European Union, is set to play a pivotal role in shaping the operational risk strategies of financial institutions going forward. DORA establishes a regulatory framework aimed at ensuring that financial entities can withstand, respond to, and recover from all types of information and communication technology (ICT)-related disruptions and threats. DORA emphasises the importance of testing operational resilience through regular, advanced testing exercises that simulate extreme but plausible scenarios, aligning with the broader goals of operational risk scenario stress testing.
Cyber-attacks, in particular, have emerged as a critical operational risk in the digital age, with institutions facing frequent threats from hackers seeking to steal data, disrupt services, or hold firms hostage. The really interesting thing I found was that firms need to brace for these situations and be realistic about what they would do. For example, history has often found that paying the ransom amount ex ante is more economically viable than trying to keep pride intact whilst incurring devastating recovery losses. The game theory of the situation is hilarious when you hear these ‘black hat’ hacker groups claim that reneging on the ransom deal would be – wait for it – against their business ethics.
Conclusion
ORM is much more than just one of the lines of defence; it is an understanding of human psychology, business ethics and open lines of communication. We can all learn from ORM to improve the productivity of our daily lives and hold ourselves accountable for being ethical and aware of our processes and how they affect others.
Written by Alok Jadva
Produced by Madhav Bhimjiyani