Operational Risk

Risk Management
intermediate
5 min read
Updated Feb 20, 2026

What Is Operational Risk?

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events (like natural disasters or cyberattacks).

Operational risk is the "unknown unknown" of business. It is not the risk that your strategy is wrong; it is the risk that your execution fails. In a bank, this could mean a teller stealing cash, a software update deleting customer data, or a fire destroying a data center. In trading, it is often called "execution risk." It is the gap between the decision to trade and the successful settlement of that trade. While market risk can be hedged (e.g., buying put options), operational risk is harder to manage because it is often human-centric. People get tired, make typos, or act maliciously. Systems get hacked or fail because of bugs. Operational risk management focuses on minimizing the probability and impact of these failures through robust systems and procedures.

Key Takeaways

  • Unlike market risk (prices moving) or credit risk (borrowers defaulting), operational risk is inherent to the *running* of the business.
  • It includes human error ("fat finger" trades), fraud (rogue traders), IT failures (system crashes), and legal risks.
  • The Basel Accords require banks to hold capital specifically to cover potential operational losses.
  • For individual traders, operational risk includes internet outages, power failures, or platform glitches preventing trade execution.
  • Mitigation involves redundancy (backup systems), strict controls (dual authorization), and insurance.

Categories of Operational Failure

The Basel Committee categorizes these risks into seven event types:

  • Internal Fraud: Employee theft, insider trading, rogue trading.
  • External Fraud: Robbery, hacking, forgery.
  • Employment Practices: Discrimination suits, workers' compensation claims.
  • Clients, Products, & Business Practices: Fiduciary breaches, aggressive sales tactics (e.g., Wells Fargo account scandal).
  • Damage to Physical Assets: Natural disasters, terrorism.
  • Business Disruption: System failures, utility outages.
  • Execution & Process Management: Data entry errors, failed reporting, collateral mismanagement.

Real-World Example: Knight Capital

In 2012, Knight Capital Group, a major market maker, deployed new software code.

  • The Error: A technician forgot to copy the new code to one of the eight servers. When the system went live, that one server reactivated old, defunct testing code.
  • The Event: The rogue server started buying high and selling low rapidly, executing millions of accidental trades in 45 minutes.
  • The Loss: Knight lost $440 million, nearly $10 million per minute.
  • The Outcome: The firm was insolvent and was acquired by a competitor.

A simple operational failure (deployment error) destroyed a billion-dollar company in under an hour.

Step 1: Failed software deployment.
Step 2: Rogue algorithm executes trades.
Step 3: Loss accumulation rate: $10M/minute.
Step 4: Total Loss: $440M.
Step 5: Result: Bankruptcy.

Result: Operational risk can be terminal.
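
The deployment error above is the kind of drift a pre-go-live consistency gate is meant to catch. The following is an added example, not code from the original page or from any firm it mentions: it compares the artifact digest each host reports against the release manifest and blocks go-live if any host is stale or silent. Host names, build contents and the `release_gate` and `sample_reports` functions are hypothetical and constructed for illustration.

```python
import hashlib

def digest(artifact):
    """SHA-256 of a deployed artifact, as each host would report it."""
    return hashlib.sha256(artifact).hexdigest()

def release_gate(expected, fleet, reported):
    """Decide whether go-live is allowed for a release.

    expected: digest from the release manifest
    fleet:    every host that must run the release
    reported: {host: digest} collected after deployment
    A host that did not report counts as a failure: silence is not
    evidence that the new code is in place.
    """
    stale = sorted(h for h in fleet if h in reported and reported[h] != expected)
    missing = sorted(h for h in fleet if h not in reported)
    unknown = sorted(h for h in reported if h not in fleet)
    return {
        "go_live": not (stale or missing or unknown),
        "stale": stale,
        "missing": missing,
        "unknown": unknown,
    }

# Constructed sample data: eight hosts, two builds of a hypothetical service.
NEW_BUILD = b"order-router build 2 (constructed sample)"
OLD_BUILD = b"order-router build 1 (constructed sample)"
FLEET = ["srv%02d" % i for i in range(1, 9)]

def sample_reports(stale_host=None, silent_host=None):
    """Build a constructed post-deployment report for the sample fleet."""
    reports = {host: digest(NEW_BUILD) for host in FLEET}
    if stale_host:
        reports[stale_host] = digest(OLD_BUILD)  # host still runs old code
    if silent_host:
        del reports[silent_host]                 # host never reported
    return reports

if __name__ == "__main__":
    expected = digest(NEW_BUILD)
    cases = {
        "all eight updated": sample_reports(),
        "one host stale": sample_reports(stale_host="srv08"),
        "one host silent": sample_reports(silent_host="srv03"),
    }
    for label, reports in cases.items():
        print(label, release_gate(expected, FLEET, reports))
```

In practice the gate would sit between the deployment step and the switch that enables live order flow, so a single unpatched host stops the release instead of trading.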

FAQs

They use "Key Risk Indicators" (KRIs) like the number of failed transactions, staff turnover rates, or customer complaints. They also use historical loss data to model "Value at Risk" (OpVaR)—estimating the potential financial impact of a disaster event.

Yes, it is currently the largest component. Ransomware attacks, data breaches, and denial-of-service (DDoS) attacks fall squarely under operational risk. Financial firms spend billions annually on cybersecurity to mitigate this.

Yes. Companies buy policies for "Errors and Omissions" (E&O), "Directors and Officers" (D&O) liability, and Cyber Insurance. However, insurance rarely covers the full reputational damage caused by a major failure.

It is a classic operational risk event where a trader accidentally inputs the wrong data (e.g., buying 1,000,000 shares instead of 1,000). See the dedicated glossary term for "Fat Finger Error."

The Bottom Line

Operational risk is the grit in the gears of finance. It is inevitable—machines break, people make mistakes, and nature is unpredictable. However, it is manageable. Successful organizations and traders obsess over "resilience." They build redundant systems, enforce strict checklists, and maintain a culture of compliance. For the individual investor, managing operational risk means acknowledging that technology is fallible and having a "Plan B" for when the screen goes dark. In a high-stakes environment, reliability is just as valuable as profitability.
