7 Operational Risk Examples & Mitigation Strategies

In the wake of Silicon Valley Bank’s March 2023 failure, there was plenty of finger-pointing. But as pundits criticized their business strategy and C-suite decisions, one area flew under the radar. Could better internal controls on day-to-day activities have prevented SVB’s meltdown?

“I can’t say whether they didn’t recognize or chose to ignore these early warning signs—I wasn’t in the room,” commented Damion McIntosh, a senior lecturer in finance at Auburn University. “But a formal and effective risk management framework would have prompted questions like ‘Who are these depositors? Are they core depositors who are likely to leave their money in our bank for a long period of time? Can we count on them to keep their money with us should we face challenging times?’”

SVB relied on people, processes, and technology to run seamlessly like other large financial institutions. When any of those components breaks down, small mistakes can cascade into big problems. Potential breakdowns like this and the threats they present comprise operational risk.

In this article, we’ll cover what operational risk is, examples of how it can impact your business, and how to manage it.

What Is Operational Risk?

The Basel Committee on Banking Supervision, a leading group on financial services oversight, has laid the groundwork for standardized management. Since their founding in 1974, they’ve released three sets of recommended rules, known as the Basel Accords. Over the years, many other industries have adopted their concepts and recommendations.

How does operational risk differ from other types of risk?

In many cases, businesses will willingly take on a certain amount of market risk, credit risk, or strategic risk in exchange for potential reward. Enterprise risk management (ERM) focuses on these types of business risks, using a strategic framework to balance them against potential gains.

On the other hand, most companies avoid operational risk at all costs. There’s no benefit to accepting it. And unlike other risks, you can’t eliminate threats to your operations. As long as you employ imperfect people and imperfect processes, risk will exist. The best you can do is minimize disruption, which is the goal of operational risk management.

7 Examples of Operational Risk

Operational risk may look different depending on your industry. Here are seven common threats to your company’s operational resilience and potential impacts.

1. Internal fraud

The Association of Certified Fraud Examiners estimated that internal fraud cost companies $3.6 billion in 2022. And that total represents only the known cases.

Internal fraud can take many forms, including:

• Misappropriating employer assets or funds
• Financial statement fraud
• Engaging in corrupt activities such as bribes or kickbacks

It might not be worth chasing small amounts of cash missing from a register. But more complex schemes, like falsifying invoices or writing off receivables, can put a big dent in a company’s books. Developing proper controls around company finances and assets is critical to fraud prevention.

2. External fraud

Fraud isn’t just an internal problem. Bad actors outside your company can also inflict severe damage. The umbrella of external fraud covers:

• Cyberattacks that steal data or damage information systems
• Financial schemes like check kiting or document forgery
• Theft of physical assets like inventory or equipment

Cybercrimes are a particularly urgent class of external fraud. Prevention is vital as hacking and data breaches become increasingly common—and expensive to remedy. IBM estimates that the average cost of a data breach is $4.45 million. Investing in network security and employee training is vital to minimizing that risk.

3. Process management failures

A single business day involves countless sets of ingrained processes. Sometimes, process failures can lead to operational risk.

• Flawed process: The process can’t correctly address its intended use. For example, if a company has a procedure for data entry without proofreading, there’s a high risk of failure.
• Misapplied process: A process exists, but employees aren’t following it. If a restaurant policy called for throwing out chicken after an hour, but cooks ignored the rule, it would lead to a risk of foodborne illness.

Consider the example of Silicon Valley Bank and their depositor vetting. Time will tell whether the process was flawed or misapplied. However, the operational risk existed, internal controls missed the failure, and the risk materialized, playing a role in their loss events.

4. Employment and safety practices

Companies of every size and shape have to follow basic laws. While some industries have specific or stringent workplace safety regulations, most companies must adhere, at a minimum, to:

• Basic safety laws, such as OSHA regulations
• Fair hiring and anti-discrimination policies
• Compensation rules such as minimum wage, on-time payroll, and taxes

Running afoul of those regulations poses both operational and financial risks. Say, for example, your construction company operates in Arizona. You’re trying to finish a massive project in August and decide to skirt OSHA’s heat regulations. At best, you’re risking penalties or fines from OSHA. At worst, you’re putting your employees in potentially fatal danger.

5. Technological failure

Dealing with technological failures is likely already part of your business continuity plan. But it’s also a critical operational risk in an increasingly digital world. Consider the technology your company needs to run, such as:

• Internet access and internal network
• Electricity
• Phone system
• Server infrastructure
• Software licenses
• Artificial intelligence error

Outages can range from annoying to devastating. And the effort you put into mitigating the risk should correspond. For example, if a regional bakery’s website goes down for a few hours, it won’t have a huge impact. They might lose a potential customer, but investing in redundant web hosting would be overkill.

But for a hospital, losing electricity is a life-or-death situation. Most hospitals avoid that risk by having a robust generator system to sustain them through a power outage.

6. Damage to physical assets

Whether you’re a brick-and-mortar chain or an e-commerce brand, you have critical physical assets. From servers, inventory, and real estate to heavy machinery or the business site itself, there are a variety of threats that could damage your assets:

• Natural disasters like hurricanes or earthquakes
• Vandalism and petty crime
• Terrorism or significant civil unrest
• Employee negligence or misuse

Risk mitigation plans should focus on the likely causes of damage. For example, an energy company operating in developing countries may need to harden property against unstable civil or political environments. On the other hand, a factory in rural Oklahoma should consider tornadoes and winter storms as operational risks.

7. Business practices

Sometimes, you create operational risks through the course of doing business. An activity could be illegal, immoral, or exist in a gray area. But you’re risking negative consequences, whether legal or reputational risks, by undertaking it as a part of normal operations.

Let’s say you’re running a startup clothing brand. You haven’t had time to build an audience organically, but you want to market an upcoming new product. You decide to buy an email list from a data broker and use it for advertising, even though you don’t have consent. This action creates a heightened risk, opening you to CAN-SPAM complaints and hefty fines.

Steps to Building an Operational Risk Management Program

Operational risk is a subset of your company’s overall threat landscape. But that doesn’t mean it’s a narrow scope. Operational risk touches everything from cybersecurity to human resources to physical security. So, getting organization-wide buy-in is critical if you want an effective operational risk management (ORM) program.

Like most business threat assessments, developing an operational risk management program is a multi-step process involving all stakeholders:

Risk identification

The first step towards risk control is to detect, describe, and catalog everything that could go wrong during normal operations. Review all systems, assets, business decisions, and internal processes for potential risk exposure.

It’s essential to involve all stakeholders in this risk identification process—and the steps to follow. Things rarely go precisely according to plan, and team members need to be connected, or they risk siloed decision-making.