Operational Risk Types and Examples
Operational risk is the danger of loss from failure in people, processes, systems, or external shocks—everything that isn’t market or credit risk. A bank suffering a fraud scheme, a trading platform crash, a cyberattack, or a regulatory fine is facing operational risk. The Basel accords quantified it; modern firms measure it in the millions or billions.
Basel’s four-pillar framework
Basel III and subsequent regulatory guidance organize operational risk into four pillars:
- People risk — fraud, misconduct, talent loss, inadequate skill
- Process risk — failed workflows, control gaps, documentation errors
- Systems risk — IT outages, data breaches, software bugs
- External events — natural disasters, cyber threats from outside, regulatory action
This taxonomy is not watertight—a single incident often spans multiple categories—but it gives institutions a vocabulary for measurement and capital allocation.
People risk
People risk is the damage caused by human action or absence. It includes both deliberate misconduct and negligent failure.
Fraud and embezzlement
The stereotypical operational risk loss. Rogue traders like Nick Leeson at Barings Bank (1995) or Jerome Kerviel at Société Générale (2008) circumvented controls, hid losses, and cost their employers billions. Neither was acting with explicit authorization; both exploited trust and control weaknesses.
Embezzlement by finance staff—pocketing client funds, wire transfers to false accounts—is less dramatic but steady. Insurance claims, customer refunds, and legal costs follow.
Compliance failure and regulatory sanctions
A bank’s sales team deliberately mis-sells products (e.g., LIBOR manipulation, unsuitability of swaps) or fails to file required reports. The loss is a regulatory fine plus remediation costs. Wells Fargo’s fake account scandal (2016) cost the bank billions in fines, settlements, and reputation damage—a people and process failure in tandem.
Key person risk and turnover
Loss of a critical employee—a portfolio manager, compliance officer, or risk specialist—can impair operations. If the departing person takes client relationships or proprietary knowledge, losses are compounded. High turnover in control functions (compliance, audit, risk) is a control weakness itself.
Process risk
Process risk stems from flawed, missing, or unenforced procedures.
Failed transaction handling
A settlement team fails to reconcile a trade correctly, leaving a $500 million position open or settled to the wrong counterparty. A mortgage originator fails to verify income documents, leading to loan defaults and legal liability.
Control gaps
A firm has no daily reconciliation between cash paid and cash recorded. A trader can misreport positions unchecked. An accounts payable team can pay fictitious invoices. The loss is discovered weeks or months later.
Documentation and legal exposure
A derivative contract lacks proper documentation, and when a counterparty defaults, the firm cannot establish its legal claim to collateral. A loan agreement has ambiguous prepayment terms, leading to disputes and litigation.
Change management failure
A firm rolls out a new trading system without thorough testing. Traders encounter bugs, miss orders, or lose connectivity. Losses and client complaints accrue. Or a regulatory change is misinterpreted, and the firm operates in violation until audited.
Systems risk
Systems risk is technology failure—outages, data loss, and malicious compromise.
IT infrastructure and availability
A data center fails, and trading, settlement, and customer-facing systems go offline for hours. Lost revenue, client exodus, and remediation costs are material. Knight Capital (2012) experienced a software deployment error that lost $440 million in 45 minutes.
Cybersecurity breaches
Hackers infiltrate a bank’s systems and steal customer data (personally identifiable information, account numbers). The firm faces regulatory fines, credit monitoring costs, lawsuits, and reputational damage. Equifax paid $700 million to settle a 2017 breach affecting 147 million people.
Data integrity and model risk
A firm’s risk model has a hidden bug that underestimates tail loss. Or data is corrupted, and reconciliation takes days to resolve. In fast-moving markets, stale or wrong data can trigger cascading losses.
Legacy systems
Firms often run old mainframes that staff no longer understand. A single expert retiring creates a single point of failure. Upgrades are expensive and risky; downtime carries catastrophic costs.
External events
External operational risk is loss from events beyond direct control.
Natural disasters and business continuity
An earthquake, hurricane, or pandemic disrupts operations. If a firm’s backup systems are in the same location as primary systems, or if staff cannot work remotely, recovery is slow. 9/11 forced many financial firms to activate backup trading floors in New Jersey and elsewhere; losses and disruptions lasted weeks.
Cyber threats from organized actors
State-sponsored or criminal groups target financial institutions for espionage, extortion, or disruption. A distributed denial-of-service (DDoS) attack floods a firm’s website with traffic, knocking it offline. Ransomware encrypts critical files, forcing payment or lengthy recovery.
Regulatory and legal action
Regulators initiate investigations, fines, or enforcement actions. A settlement can cost millions and restrict the firm’s business (e.g., losing a banking license in a jurisdiction, or facing trading restrictions).
Third-party failures
A vendor’s system fails, disrupting services the firm relies on. A custodian loses client assets. A clearing house becomes insolvent. MF Global (2011) held $1.2 billion of client segregated funds that went missing when the firm failed—operational risk in custody and clearing.
Measurement and quantification
Loss data collection
Firms maintain operational risk event databases, logging losses (or near-misses) by category, cause, and amount. Over time, patterns emerge: fraud is frequent but small; system failures are rare but large; process gaps cause steady baseline losses.
Value-at-risk and capital
Basel III requires banks to hold capital to cover operational risk. The standard approach uses a formula:
Operational risk capital = 15% × (Gross income averaged over 3 years)
More sophisticated firms use Advanced Measurement Approaches (AMA), which model loss distributions and tail risk separately for people, process, systems, and external events.
Scenario analysis
Risk teams conduct workshops: “What if a key trader commits fraud?” or “What if our primary data center floods?” They estimate potential loss and design controls to mitigate.
Key risk indicators (KRIs)
Firms track leading indicators: number of open audit items, staff turnover, failed compliance tests, unresolved exceptions. If KRIs spike, it signals rising operational risk and triggers control reviews.
Real-world impact: a composite example
A large asset manager experiences a multi-category operational risk loss:
- People: A senior portfolio manager on a $5 billion fund is discovered to have created and hidden unauthorized positions.
- Process: The compliance and risk teams failed to catch the unauthorized activity because daily reporting was not fully reconciled.
- Systems: The firm’s order entry system did not enforce pre-trade limits (a configuration error introduced during a systems upgrade).
- External: Regulatory authorities launch an investigation and fine the firm $50 million.
Total loss: unauthorized position close-out ($30 million), regulatory fine ($50 million), reputational damage (assets under management decline by $2 billion), and remediation and litigation costs ($20 million). Total operational loss: ~$100 million+.
This scenario is not unusual; it illustrates how operational risk losses cascade.
Why operational risk matters
Operational risk is no longer a “tail event” that firms ignore in favor of market and credit risk. Major financial institutions fail or nearly fail from operational breakdown, not market moves. Regulatory frameworks now demand explicit measurement, capital allocation, and continuous improvement. A firm’s ability to manage operational risk—through technology investment, control discipline, and culture—directly affects its returns and survival.
See also
Closely related
- Reputational Risk — damage to brand and client trust from public failures
- Execution Risk — failure to complete a trade or transaction correctly
- Counterparty Risk — loss if the other party to a contract defaults
- Cybersecurity Risk — exposure to data breaches and malicious attacks
- Compliance Risk — failure to adhere to laws and regulations
Wider context
- Risk Management — disciplines and frameworks for identifying and controlling risk
- Capital Adequacy — regulatory minimum capital holdings
- Systemic Risk — risk that failures cascade across the financial system
- Business Continuity Planning — readiness for disruption and recovery