Operational Risk

What Is Operational Risk?

Operational risk is a form of risk caused by failed processes, people, systems, controls, or external events rather than by normal market movements alone. Firms do not lose money only when markets move against them. They also lose money when systems break, controls fail, data are wrong, fraud occurs, or key operations cannot function when needed.

This kind of risk shows up across banks, brokerages, insurers, fund managers, payment companies, and ordinary operating businesses. A company can have a promising strategy and still suffer major damage from weak execution.

Key Takeaways

• Operational risk comes from internal breakdowns or external disruptions, not just from prices changing in the market.
• Examples include fraud, cyberattacks, processing errors, weak controls, vendor failures, and disaster-related disruptions.
• Operational risk often becomes visible through losses, fines, service outages, or damaged customer relationships.
• Official supervisory frameworks commonly treat legal risk as part of operational risk because control failures often lead to legal exposure.
• Strong systems and internal controls do not eliminate operational risk, but they can reduce how often small failures become large losses.

How Operational Risk Works

Operational risk appears when a firm's day-to-day machinery does not work as intended. A payment may be processed incorrectly. A cyberattack may shut down access to customer accounts. A model may use flawed data. A third-party vendor may fail at a critical moment. A trader, employee, or contractor may violate policy or commit fraud. In each case, the loss does not come primarily from a normal market move. It comes from how the organization operates.

Operational risk is often tied to process discipline, internal controls, governance, systems resilience, staffing, and contingency planning.

Why Operational Risk Matters Financially

Operational risk can turn into direct financial loss, regulatory penalties, litigation, reputational damage, and customer attrition all at once. A business interruption may cut revenue. A control failure may require restitution. A cyber event may create recovery costs and legal exposure. Even when the original failure is operational, the consequences often spread into other risk categories.

Operational weakness can undermine the quality of earnings. A company may look profitable until one breakdown reveals that controls were not as strong as the market assumed.

Operational Risk Versus Market Risk

Market risk is the risk that broad asset prices, rates, or sentiment move against an investment. Operational risk is different. It is about how the organization functions. A stock market selloff is not operational risk by itself. A brokerage failing to settle trades correctly during that selloff is operational risk.

The solutions differ. Diversification helps against many market exposures. It does not fix weak controls inside a company.

Operational Risk and Legal or Regulatory Exposure

Operational risk often sits close to regulatory risk and legal risk. A weak process can cause a compliance failure. A broken control can create an unenforceable record, a customer dispute, or a regulatory finding. Official banking guidance often treats legal risk as part of the broader operational-risk framework for that reason.

In practice, firms rarely experience these risks one at a time. A single failure in people, systems, or controls can trigger losses across several categories.

Common Examples

Examples include payment errors, settlement breaks, accounting mistakes, internal fraud, third-party outages, cybersecurity incidents, natural-disaster disruptions, weak access controls, and poorly supervised new products. A manufacturer may face operational risk from supply-chain breakdowns. A bank may face it from control failures in loan servicing. A brokerage may face it from a technology outage during heavy trading.

What ties these situations together is that the problem comes from execution and resilience, not only from market direction.

The Bottom Line

Operational risk is the risk of loss caused by failed processes, people, systems, controls, or external events. Even a sound business or investment strategy can produce bad financial outcomes when execution breaks down or a firm cannot keep its operations functioning under stress.