Operational Risk
Operational risk is the risk of loss arising from inadequate or failed internal processes, people, systems, or external events. It encompasses fraud, unauthorized activity, business disruption, legal or regulatory action, data breaches, and broadly any loss that does not stem from market-risk or credit-risk (the Basel definition includes legal risk but excludes strategic and reputational risk).
This entry covers losses from processes and events within an institution. For the risk that an external counterparty fails to perform, see counterparty-risk; for risk of unforeseen catastrophe, see tail-risk.
The wide net of operational risk
Unlike market-risk and credit-risk, which are market-facing and relatively easy to define, operational risk is everything else. The taxonomy includes:
- Fraud and theft. A rogue trader hiding losses, embezzlement, or a dishonest employee stealing client assets.
- Process failure. A calculation error that leads to a pricing mistake, a trade that is entered incorrectly, or a settlement that fails to happen.
- System failure and cyber incidents. A data centre goes down, a trading system crashes, or an attacker breaches a system and exposes customer data.
- Human error and key-person risk. A trade is keyed with the wrong sign or size; a critical person leaves with no succession plan; a team makes a high-stakes decision without proper review.
- Regulatory and legal. Fines for compliance breaches, lawsuits from clients, or enforcement action by regulators.
- External events. A natural disaster, a terrorist attack, a pandemic, or a geopolitical shock that disrupts normal operations.
- Model risk. A value-at-risk model mismeasures risk, so the firm carries far more exposure than it believes it does, and losses follow when the market moves; see model-risk.
- Third-party failure. A vendor, outsourcer, or subcontractor fails to perform, and no contingency plan is in place.
Many of these overlap; the boundary between model-risk and operational risk is blurred. The key is that operational risk is not about the market moving against you; it is about something inside your organization or supply chain breaking.
Why operational risk matters
Historically, major financial disasters have been as much operational as they have been about market-risk or credit-risk. The 2011 collapse of MF Global was operational risk: customer funds that should have been segregated were used to cover the firm's own obligations, leaving a shortfall in client accounts. The 2008 crisis exposed massive operational failures at major banks: inadequate risk controls, bad models, and ignored warning signs. The 2021 ransomware attack on Colonial Pipeline was operational risk with effects far beyond the company, halting fuel deliveries along much of the US East Coast.
Regulators have made operational risk increasingly important. Under Basel capital standards, banks must calculate a capital requirement for operational risk in addition to credit and market-risk. The calculation is crude: under the Basel II basic indicator approach it was a fixed 15% of average gross income, and the Basel III standardised approach still starts from a gross-income-like business indicator, scaled up or down by the bank's own historical operational losses. Crude or not, it signals that regulators view operational risk as material, and that a firm's loss record is expected to show up in the capital it holds.
Managing operational risk
Most operational risk mitigation is structural and boring:
- Segregation of duties. No one person can both execute and settle a trade; entry, approval and settlement sit with separate people, so a fraud needs collusion rather than one bad actor.
- Limit systems. A trader cannot buy or sell more than a preset amount; the system refuses the order automatically.
- Independent review. A second set of eyes examines large transactions, unusual patterns, or complex products.
- Redundancy. Critical systems have backups; important functions have contingency staffing.
- Training and culture. People must understand compliance, ethics, and risk; culture matters more than policies.
- Insurance. Errors and omissions insurance, directors and officers insurance, and cyber insurance transfer some risk to insurers.
- Outsourcing. Offload to vendors whose core business is that function and who have better scale and controls. This converts the risk into third-party risk rather than removing it, so the vendor needs monitoring and the firm needs an exit plan.
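The segregation-of-duties, limit and independent-review controls above are usually enforced by software rather than by policy documents. The following is an added example, not code from this page or from any of the institutions it mentions: a toy order pipeline in which a trader cannot exceed a preset notional, a reviewer cannot approve their own order even when they also hold the reviewer role, settlement requires a third person in operations, and every refusal is written to an append-only audit trail. All names, roles and limit values are constructed assumptions.

```python
"""Toy order pipeline: enter -> approve -> settle, each step by a distinct person.
Hypothetical example; roles, users and limits are constructed for illustration."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Role(Enum):
    TRADER = "trader"
    REVIEWER = "reviewer"
    OPERATIONS = "operations"


class State(Enum):
    ENTERED = "entered"
    APPROVED = "approved"
    SETTLED = "settled"


class ControlViolation(Exception):
    """The requested action would breach a control, so the system refuses it."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    roles: frozenset


@dataclass
class Order:
    order_id: int
    entered_by: str
    instrument: str
    notional: float
    state: State = State.ENTERED
    approved_by: Optional[str] = None
    settled_by: Optional[str] = None


class Desk:
    def __init__(self, limits):
        self.limits = dict(limits)   # user_id -> maximum gross notional (assumed values)
        self.exposure = {}           # user_id -> notional accepted so far
        self.orders = {}
        self.audit = []              # append-only (actor, order_id, event) records
        self._next_id = 1

    def _refuse(self, actor, order_id, reason):
        # Refusals are logged before raising so the audit trail shows attempts, not just successes.
        self.audit.append((actor, order_id, "refused: " + reason))
        raise ControlViolation(reason)

    def _require_role(self, who, role, order_id):
        if role not in who.roles:
            self._refuse(who.user_id, order_id, f"{who.user_id} lacks role {role.value}")

    def enter(self, trader, instrument, notional):
        order_id = self._next_id
        self._next_id += 1
        self._require_role(trader, Role.TRADER, order_id)
        used = self.exposure.get(trader.user_id, 0.0)
        limit = self.limits.get(trader.user_id, 0.0)   # no configured limit means no trading
        if notional <= 0 or used + notional > limit:   # hard limit: refused automatically
            self._refuse(trader.user_id, order_id,
                         f"limit breach: {used + notional:.0f} > {limit:.0f}")
        order = Order(order_id, trader.user_id, instrument, notional)
        self.orders[order_id] = order
        self.exposure[trader.user_id] = used + notional
        self.audit.append((trader.user_id, order_id, "entered"))
        return order

    def approve(self, reviewer, order_id):
        self._require_role(reviewer, Role.REVIEWER, order_id)
        order = self.orders.get(order_id)
        if order is None or order.state is not State.ENTERED:
            self._refuse(reviewer.user_id, order_id, "order not awaiting approval")
        if reviewer.user_id == order.entered_by:   # four-eyes: maker cannot be checker
            self._refuse(reviewer.user_id, order_id, "maker cannot be checker")
        order.state, order.approved_by = State.APPROVED, reviewer.user_id
        self.audit.append((reviewer.user_id, order_id, "approved"))
        return order

    def settle(self, ops, order_id):
        self._require_role(ops, Role.OPERATIONS, order_id)
        order = self.orders.get(order_id)
        if order is None or order.state is not State.APPROVED:
            self._refuse(ops.user_id, order_id, "order not awaiting settlement")
        if ops.user_id in (order.entered_by, order.approved_by):
            self._refuse(ops.user_id, order_id, "settler must differ from maker and checker")
        order.state, order.settled_by = State.SETTLED, ops.user_id
        self.audit.append((ops.user_id, order_id, "settled"))
        return order


def demo():
    """Run the controls against constructed users and return what each one did."""
    desk = Desk(limits={"alice": 1_000_000.0})
    alice = Principal("alice", frozenset({Role.TRADER, Role.REVIEWER}))  # two roles
    bob = Principal("bob", frozenset({Role.REVIEWER}))
    carol = Principal("carol", frozenset({Role.OPERATIONS}))
    results = {}
    o1 = desk.enter(alice, "XYZ", 600_000.0)
    results["accepted"] = o1.state is State.ENTERED
    for key, action in (("limit_enforced", lambda: desk.enter(alice, "XYZ", 500_000.0)),
                        ("self_approval_blocked", lambda: desk.approve(alice, o1.order_id))):
        try:
            action()
            results[key] = False
        except ControlViolation:
            results[key] = True
    desk.approve(bob, o1.order_id)
    try:
        desk.settle(bob, o1.order_id)   # bob is a reviewer, not operations
        results["role_enforced"] = False
    except ControlViolation:
        results["role_enforced"] = True
    desk.settle(carol, o1.order_id)
    results["settled"] = desk.orders[o1.order_id].state is State.SETTLED
    results["exposure"] = desk.exposure["alice"]
    results["audit_events"] = len(desk.audit)
    return results
```

The point the code makes is that these controls are invariants checked by the system rather than rules people are asked to remember: holding two roles does not let one person play two steps on the same order, and an over-limit order is refused before it touches the trader's exposure. In a real deployment the audit trail would live outside the desk's own write access, since a trail an insider can edit is not a control.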
For a hedge fund or large mutual fund, operational risk management includes custody arrangements (keeping client assets at an unaffiliated bank), audits (independent verification of valuations and holdings), and business continuity planning (what happens if key staff are gone tomorrow).
The irreducible minimum
No amount of controls eliminates operational risk entirely. A determined fraud artist can defeat almost any control system. A sufficiently severe earthquake can shut down a city. The goal is not zero risk but a sensible level of control that is proportionate to the size and impact of the risk. A small local bank might accept higher operational risk than a systemically important global institution.
For investors, the main protection is simple: diversify across managers and institutions whose operational risk profiles differ, understand the track records and cultures of places you entrust money to, and avoid concentrated positions in any single institution, no matter how well-controlled it appears.
See also
Closely related
- Model risk — loss from faulty models or models run wrongly
- Basel capital — international standards require capital for operational risk
- Counterparty risk — related risk that a counterparty fails
- Value-at-risk — the loss-distribution framing borrowed for operational-risk capital (the Basel II advanced measurement approach used a one-year, 99.9% operational VaR)
- Stress testing — assessing operational resilience under stress
Broader context
- Systemic risk — when operational failures spread across the system
- Tail risk — exposure to extreme operational shocks
- Scenario analysis — assessing losses under operational failure scenarios
- Risk-weighted assets — how the operational-risk capital charge is converted into an RWA-equivalent (multiplied by 12.5) and folded into the capital ratio
- Central bank — oversight of operational risk at banks