7 Operational Risk Examples & Mitigation Strategies
Your company may never eliminate operational risk, but you can minimize it. Make this high-stakes process easier by learning from examples and tested steps for managing risk.
In the wake of Silicon Valley Bank’s March 2023 failure, there was plenty of finger-pointing. But as pundits criticized their business strategy and C-suite decisions, one area flew under the radar. Could better internal controls on day-to-day activities have prevented SVB’s meltdown?
“I can’t say whether they didn’t recognize or chose to ignore these early warning signs—I wasn’t in the room,” commented Damion McIntosh, a senior lecturer in finance at Auburn University. “But a formal and effective risk management framework would have prompted questions like ‘Who are these depositors? Are they core depositors who are likely to leave their money in our bank for a long period of time? Can we count on them to keep their money with us should we face challenging times?’”
Like other large financial institutions, SVB relied on people, processes, and technology running seamlessly. When any one of those components breaks down, small mistakes can cascade into big problems. Potential breakdowns like these, and the losses they can cause, are what the term operational risk describes.
In this article, we’ll cover what operational risk is, examples of how it can impact your business, and how to manage it.
What Is Operational Risk?
Operational risk is the risk of loss or organizational breakdown resulting from failed or inadequate internal processes, human error, bad policies, system failures, or external events. Operational risk is about how you manage risk inside the organization, even when the actual threat comes from outside it.
For example, natural disasters are outside any company’s control. But how you maintain and recover operations is your responsibility. Say your company stores important client documents in a region prone to summer wildfires. The possibility of losing those documents in a fire is an operational risk, and mitigation for that risk would include offsite digital backups and fireproof safes.
The evolution of operational risk
Operational risk is not a new idea, since people have always made mistakes. But over the past few decades, operational risk management has gained traction as a formal discipline with its own business processes and strategies.
The Basel Committee on Banking Supervision, a leading group on financial services oversight, has laid the groundwork for standardized management. Since its founding in 1974, it has released three sets of recommended rules, known as the Basel Accords; the second of these, Basel II, introduced the definition of operational risk that the section above paraphrases. Over the years, many other industries have adopted the Committee’s concepts and recommendations.
How does operational risk differ from other types of risk?
In many cases, businesses will willingly take on a certain amount of market risk, credit risk, or strategic risk in exchange for potential reward. Enterprise risk management (ERM) uses a strategic framework to weigh these business risks against the gains they may bring.
On the other hand, most companies avoid operational risk at all costs. There’s no benefit to accepting it. And unlike other risks, you can’t entirely eliminate threats to your operations. As long as you employ imperfect people and imperfect processes, risk will exist. The best you can do is minimize disruption, which is the goal of operational risk management.
7 Examples of Operational Risk
Operational risk may look different depending on your industry. Here are seven common threats to your company’s operational resilience and their potential impacts.
1. Internal fraud
The Association of Certified Fraud Examiners reported more than $3.6 billion in losses across the internal fraud cases it studied for its 2022 Report to the Nations. And that total represents only the known cases.
Internal fraud can take many forms, including:
- Misappropriating employer assets or funds
- Financial statement fraud
- Engaging in corrupt activities such as bribes or kickbacks
It might not be worth chasing small amounts of cash missing from a register. But more complex schemes, like falsifying invoices or writing off receivables, can put a big dent in a company’s books. Developing proper controls around company finances and assets is critical to fraud prevention.
2. External fraud
Fraud isn’t just an internal problem. Bad actors outside your company can also inflict severe damage. The umbrella of external fraud covers:
- Cyberattacks that steal data or damage information systems
- Financial schemes like check kiting or document forgery
- Theft of physical assets like inventory or equipment
Cybercrime is a particularly urgent class of external fraud. Prevention matters because intrusions and data breaches are becoming more common and more expensive to remedy: IBM’s 2023 Cost of a Data Breach report puts the global average cost of a breach at $4.45 million. Investing in security controls (network security, access management, tested backups) and in employee training is key to minimizing that risk.
3. Process management failures
A single business day involves countless sets of ingrained processes, and process failures are one of the most common sources of operational loss. They come in two forms:
- Flawed process: The process, even when followed exactly, does not achieve what it is meant to. For example, a data-entry procedure with no proofreading or validation step will fail at a high rate no matter how diligently staff follow it.
- Misapplied process: A sound process exists, but employees aren’t following it. If a restaurant policy called for discarding cooked chicken after an hour but cooks ignored the rule, the result would be a risk of foodborne illness.
Consider the example of Silicon Valley Bank and their depositor vetting. Time will tell whether the process was flawed or applied incorrectly. However, the operational risk existed, internal controls missed the failure, and the risk materialized, playing a role in their loss events.
4. Employment and safety practices
Companies of every size and shape have to follow basic laws. While some industries have specific or stringent workplace safety regulations, most companies must adhere, at a minimum, to:
- Basic safety laws, such as OSHA regulations
- Fair hiring and anti-discrimination policies
- Compensation rules such as minimum wage, on-time payroll, and taxes
Running afoul of those regulations poses both operational and financial risks. Say, for example, your construction company operates in Arizona. You’re trying to finish a massive project in August and decide to skip the heat-illness protections that OSHA enforces. At best, you’re risking citations and fines from OSHA. At worst, you’re putting your employees in potentially fatal danger.
5. Technological failure
Dealing with technological failures is likely already part of your business continuity plan. But it’s also a key operational risk in an increasingly digital world. Consider the technology your company needs to run, such as:
- Internet access and internal network
- Phone system
- Server infrastructure
- Software licenses
- Artificial intelligence and other automated decision systems, whose errors can go unnoticed until they have propagated
Outages can range from annoying to devastating. And the effort you put into mitigating the risk should correspond. For example, if a regional bakery’s website goes down for a few hours, it won’t have a huge impact. They might lose a potential customer, but investing in redundant web hosting would be overkill.
But for a hospital, losing electricity is a life-or-death situation. Most hospitals avoid that risk by having a robust generator system to sustain them through a power outage.
6. Damage to physical assets
Whether you’re a brick-and-mortar chain or an e-commerce brand, you have critical physical assets. From servers, inventory, and real estate to heavy machinery or the business site itself, there are a variety of threats that could damage your assets:
- Natural disasters like hurricanes or earthquakes
- Vandalism and petty crime
- Terrorism or significant civil unrest
- Employee negligence or misuse
Risk mitigation plans should focus on the likely causes of damage. For example, an energy company operating in developing countries may need to harden property against unstable civil or political environments. On the other hand, a factory in rural Oklahoma should consider tornadoes and winter storms as operational risks.
7. Business practices
Sometimes, you create operational risks through the course of doing business. An activity could be illegal, immoral, or exist in a gray area. But you’re risking negative consequences, whether legal or reputational risks, by undertaking it as a part of normal operations.
Let’s say you’re running a startup clothing brand. You haven’t had time to build an audience organically, but you want to market an upcoming new product. You decide to buy an email list from a data broker and use it for advertising, even though none of the recipients have consented. This creates a heightened level of risk: CAN-SPAM penalizes sending to harvested addresses and carries per-message penalties, and if any recipients are in the EU or the UK, GDPR’s consent requirement for marketing email applies as well. The short-term marketing gain is not worth the complaints, fines, and reputational damage.
Steps to Building an Operational Risk Management Program
Operational risk is a subset of your company’s overall threat landscape. But that doesn’t mean it’s a narrow scope. Operational risk touches everything from cybersecurity to human resources to physical security. So, getting organization-wide buy-in is critical if you want an effective operational risk management (ORM) program.
Like most business threat assessments, developing an operational risk management program is a multi-step process involving all stakeholders:
The first step towards risk control is to detect, describe, and catalog everything that could go wrong during normal operations. Review all systems, assets, business decisions, and internal processes for potential risk exposure.
It’s essential to involve all stakeholders in this risk identification process—and the steps to follow. Things rarely go precisely according to plan, and team members need to be connected, or they risk siloed decision-making.
Next in the ORM framework is to perform an operational risk assessment on the threats you’ve identified. If your organization doesn’t already have a formal process, scoring each risk on how likely it is to occur and how severe the impact would be is a good starting point. Key risk indicators (KRIs) then give you measurable signals, such as failed reconciliations or overdue patches, that a risk’s exposure is changing.
With limited resources to mitigate risks, you must prioritize the most likely and most impactful ones. For essential business operations, a business impact analysis can help you fully understand the consequences of a given threat.
Once you’ve determined your risk appetite and which risks to address, develop internal checks to control them. Solutions can range from process automation or added oversight to enhancing training programs.
For example, say you’ve identified financial statement fraud as a key operational risk. You’d need to consider some of the following to mitigate the risk:
- Oversight: You already have an accountant preparing the statements and the CFO reviewing them; would another executive review step help prevent risk?
- Automation: Can your accounting software perform automated checks to ensure the outputs on financial statements match the inputs coming into the system?
- Third-party support: Would periodic external audits be worth the cost when compared against the potential risk?
The management of operational risk is an iterative process. Monitor your operational risk management strategies using key metrics to confirm they’re effective, and look for new risks that develop as your company’s operations evolve. Working through the risk management lifecycle repeatedly positions your company to survive and thrive through whatever comes its way. Build risk review into your organizational documentation procedures so that the register stays current rather than becoming a one-time exercise.
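The assessment, prioritization, and control steps above are easier to reason about with a concrete register. The following is an added example written for this article, not code from the original page or from any risk-management product: it keeps a small operational risk register, scores each risk on a 1 to 5 likelihood and impact scale (the scale and the scores are assumptions chosen for illustration), applies the controls chosen in the mitigation step to get a residual score, and ranks the results against a stated risk appetite. The sample risks are constructed from the seven categories discussed earlier.

```python
"""Minimal operational-risk register: inherent score, residual score after
controls, and prioritization against a risk appetite.

Added example for this article. The 1-5 scales, the scoring rule
(likelihood x impact) and every risk, score and control below are
assumptions chosen for illustration, not data from the article.
"""
from dataclasses import dataclass, field
from typing import List, Tuple

SCALE = range(1, 6)  # 1 = lowest, 5 = highest, for both likelihood and impact


@dataclass
class Control:
    """A mitigation, expressed as steps removed from the likelihood/impact scales."""
    name: str
    likelihood_reduction: int = 0
    impact_reduction: int = 0


@dataclass
class Risk:
    name: str
    category: str
    likelihood: int  # 1 (rare) .. 5 (almost certain)
    impact: int      # 1 (negligible) .. 5 (severe)
    controls: List[Control] = field(default_factory=list)

    def __post_init__(self) -> None:
        # Reject scores outside the scale so a typo cannot silently distort ranking.
        if self.likelihood not in SCALE or self.impact not in SCALE:
            raise ValueError(f"{self.name}: likelihood and impact must be 1-5")

    def inherent_score(self) -> int:
        """Score before any control is applied."""
        return self.likelihood * self.impact

    def residual_levels(self) -> Tuple[int, int]:
        """Likelihood and impact after controls; neither can drop below 1."""
        lik, imp = self.likelihood, self.impact
        for c in self.controls:
            lik = max(1, lik - c.likelihood_reduction)
            imp = max(1, imp - c.impact_reduction)
        return lik, imp

    def residual_score(self) -> int:
        lik, imp = self.residual_levels()
        return lik * imp


def prioritize(register: List[Risk], appetite: int) -> Tuple[List[Risk], List[Risk]]:
    """Split the register into risks above and within the appetite.

    Both lists are sorted by residual score, with raw impact as a tie-breaker
    so a rare-but-severe event outranks a frequent nuisance at equal score.
    """
    ranked = sorted(register, key=lambda r: (r.residual_score(), r.impact), reverse=True)
    above = [r for r in ranked if r.residual_score() > appetite]
    within = [r for r in ranked if r.residual_score() <= appetite]
    return above, within


def build_sample_register() -> List[Risk]:
    """Constructed sample register; names and numbers are illustrative only."""
    return [
        Risk("Falsified vendor invoices", "Internal fraud", 3, 4, [
            Control("Second approver above a spend threshold", likelihood_reduction=1),
            Control("Automated invoice-to-purchase-order matching", likelihood_reduction=1),
        ]),
        Risk("Ransomware on file servers", "External fraud", 4, 5, [
            Control("Offline backups restored-tested quarterly", impact_reduction=2),
        ]),
        Risk("Data entry without proofreading", "Process failure", 5, 2),
        Risk("Website outage", "Technological failure", 3, 1),
        Risk("Tornado damage to warehouse", "Damage to physical assets", 2, 5, [
            Control("Property insurance", impact_reduction=2),
        ]),
    ]


if __name__ == "__main__":
    appetite = 6  # assumed appetite: residual scores above this need action
    above, within = prioritize(build_sample_register(), appetite)
    for label, risks in (("ACTION REQUIRED", above), ("WITHIN APPETITE", within)):
        print(label)
        for r in risks:
            print(f"  {r.residual_score():>2} (inherent {r.inherent_score():>2})  "
                  f"{r.name} [{r.category}]")
```

Running the script prints the ransomware and data-entry risks as needing action and the rest as within appetite. Note that the falsified-invoice risk drops from an inherent 12 to a residual 4 only because two independent controls are counted; if the automated matching is switched off, the residual climbs back to 8, which is exactly the kind of change a key risk indicator in the monitoring step should surface.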
The Continuous Journey of Minimizing Operational Risk
The ORM process might seem daunting. You start the process knowing that a perfect outcome is nearly impossible. And at each step, you’re performing self-assessment and contending with complex interactions among people, technology, and operations.
However, minimizing operational risk becomes more manageable as your internal controls mature. Fewer problems slip through the cracks. As employees buy into processes, they understand the value and cohesively work toward a safeguarded environment. Your company might never eliminate operational risk, but you can minimize it with proper planning and procedures.