Operational risk is the risk of losses caused by flawed or failed processes, policies, systems or events that disrupt business operations. Employee errors, criminal activity such as fraud, and physical events are among the factors that can trigger operational risk. The process to manage operational risk is known as operational risk management. The definition of operational risk adopted by the European Solvency II Directive for insurers is a variation of the one in the Basel II regulations for banks: "The risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses".[1][2] The scope of operational risk is therefore broad, and can also include other classes of risks, such as fraud, security, privacy protection, legal risks, physical (e.g. infrastructure shutdown) or environmental risks. Operational risks can likewise have a broad impact: they can affect client satisfaction, reputation and shareholder value, all while increasing business volatility.
Previously, in Basel I, operational risk was defined negatively, as all risks that are not market risk and not credit risk. Some banks have therefore also used the term operational risk synonymously with non-financial risks.[3] In October 2014, the Basel Committee on Banking Supervision proposed a revision to its operational risk capital framework that sets out a new standardized approach to replace the basic indicator approach and the standardized approach for calculating operational risk capital.[4]
Unlike other risks (e.g. credit risk, market risk, insurance risk), operational risks are usually not willingly incurred, nor are they revenue driven. Moreover, they are not diversifiable and cannot be laid off. This means that as long as people, systems, and processes remain imperfect, operational risk cannot be fully eliminated. Operational risk is, nonetheless, manageable so as to keep losses within some level of risk tolerance (i.e. the amount of risk one is prepared to accept in pursuit of one's objectives), determined by balancing the costs of improvement against the expected benefits. Wider trends such as globalization, the expansion of the internet and the rise of social media, as well as the increasing demands for greater corporate accountability worldwide, reinforce the need for proper risk management.
Thus operational risk management (ORM) is a specialized discipline within risk management. It constitutes the continuous process of risk assessment, decision making, and implementation of risk controls, resulting in the acceptance, mitigation, or avoidance of the various operational risks. ORM somewhat overlaps quality management[5] and the internal audit function.