
Published: 23 May 2024
Contributor: Cole Stryker

What is operational risk?

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events.

It is one of the key types of risk that businesses and organizations face, alongside strategic risk, credit risk and market risk. Operational risk management (ORM) involves identifying, assessing and mitigating these risks to reduce the likelihood and impact of potential losses.

These are just a few examples of operational risks that can blindside a business if it is unprepared to manage such risks:

  • A small business faces a cash flow crisis because of delayed payments from key customers, leading to difficulties in meeting payroll and operational expenses. 
  • A fast-food chain faces a public relations crisis after a viral video shows unsanitary conditions in one of its restaurants, leading to a drop in customer trust and sales. 
  • A software company faces a lawsuit over intellectual property infringement, leading to legal costs, potential damages and a halt in product development. 

Every company faces many kinds of operational risks, ranging from those largely within the organization’s control, such as the risk of failing to comply with regulations, to factors that are completely outside the company’s ability to even predict, like an unanticipated pandemic outbreak.

As operations grow in complexity, for example, involving many types of operations across many systems and countries, the organization’s exposure to risk increases, making it more likely that some sort of operational failure will occur and impact the organization’s reputation or bottom line.


Types of operational risk

The types of risks involved in various business practices can be broadly categorized. Here are 6 categories commonly used to break out different types of risk.

Process risk

These risks relate to the efficiency and effectiveness of internal processes: for example, errors or delays in processing transactions, inadequate procedures for handling customer complaints, supply chain breakdowns, or failures in internal controls.

To avoid process risks, organizations can improve workflows by introducing automation powered by artificial intelligence (AI) to reduce the chances of slowdowns, outages and shortages. Documentation of processes can also help senior management to see where improvements can be made.

People risk

This encompasses risks associated with employees, such as a shortfall in staffing, or any kind of human error, fraud or misconduct. Examples include:

  • unauthorized trading by employees (internal fraud)
  • vendor breach of contract (external fraud)
  • errors in data entry
  • workplace accidents
  • failure to comply with regulatory requirements because of a lack of training

To mitigate people risks, companies take steps to bring in a sufficient number of highly skilled, well-trained and ethical people and to organize them in a way that supports successful collaboration in a safe workplace.

Systems risk

Sometimes called “technology risk,” this refers to risks stemming from the use of technology and systems within an organization. Risk events might include bugs, system failures, cyberattacks or other cybersecurity failures, data breaches or inadequate IT infrastructure.

Systems can break down or be compromised in innumerable ways, and it’s up to chief technology officers (CTOs), chief information officers (CIOs), chief data officers (CDOs) and IT managers to help ensure that systems are safe, secure and running smoothly.

Financial risk

Financial risk encompasses the risk of financial loss from financial decision-making, such as insufficient cash flow to meet operational needs, bad investments or the risk of partners failing to fulfill their financial obligations to the organization.

Strategic risk

This is a catch-all term used to describe any business risk resulting from strategic initiatives. Mergers and acquisitions, new product offerings and branding changes, all of these business decisions involve some element of risk.

External events

These are risks arising from external factors beyond the control of the organization. Examples include natural disasters that damage physical assets, political instability, breakdowns of financial services or failures of large financial institutions, sudden regulatory changes, and pandemics.

Events that might trigger business disruptions occur outside the four walls of the organization all the time, and even though they can’t always be prevented, it’s up to operations managers to develop ways to anticipate them, quickly respond and maintain business continuity.


Operational risk assessment

Operational risk assessment is the process of identifying, analyzing and evaluating the risks associated with the day-to-day operations of an organization. Operational risk cannot always be avoided. The goal of operational risk assessment is for stakeholders to identify risks, evaluate the level of risk and find ways to mitigate risks.

Risk identification

The first step is to identify potential risks within the organization's operational processes, systems and activities.

This involves gathering information and examining any operational elements and any risks they might involve that would impede the achievement of the organization's objectives. 

Brainstorming, employee interviews and documentation review can be used to identify risks.

Risk analysis

When risks have been identified, operations managers can analyze them to assess their likelihood and their potential impact on the organization.

This involves evaluating the frequency and severity of each risk and determining the acceptable level of risk exposure.

Various analysis techniques, such as risk matrices, scenario analysis and historical data analysis can be used to assess risks.

Risk evaluation

After analyzing risks, they are evaluated to prioritize them based on their significance to the organization.

Risks are typically categorized according to their severity and likelihood, allowing organizations to focus their resources on addressing the most critical risks first.

Risk evaluation involves considering factors such as the organization's risk tolerance, regulatory requirements and strategic objectives. Organizations quantify risk with key risk indicators (KRIs).

Risk treatment

When risks have been assessed and prioritized, organizations develop and implement risk treatment strategies to manage and mitigate risk effectively.

Risk treatment strategies might include risk avoidance, risk reduction, risk transfer or risk acceptance. Organizations might also implement controls and safeguards to minimize the likelihood and impact of identified risks.

Ongoing review

Operational risk assessment is an ongoing process, and risks should be regularly monitored and reviewed via internal audit to help ensure that risk management strategies remain effective.

This involves tracking changes in the organization's operational environment, assessing the effectiveness of implemented controls and updating risk assessments as needed.

Continuous monitoring and review allow organizations to adapt to evolving risks and maintain an effective risk management framework over time.

Risk tolerance, risk appetite and risk profile

Understanding the differences between risk appetite, risk tolerance and risk profile is crucial for effective management of operational risk. 

Risk appetite is broad and strategic, defining the overall approach to risk-taking. Risk tolerance is more specific, setting acceptable risk levels for particular areas. The risk profile provides a snapshot of the current risk landscape.


Risk appetite

This is the overall level of risk that an organization is willing to accept in pursuit of its strategic objectives. It reflects the organization’s attitude toward risk-taking and its capacity to bear the risk of loss without jeopardizing its core mission and objectives. It aligns with long-term goals and strategy and can be expressed from low to high.

Risk tolerance

This is the specific level of risk that an organization is prepared to accept in a particular area or for a specific project. It provides more detailed thresholds within the broader ORM framework set by the risk appetite. Risk tolerance is typically expressed in more defined, measurable terms such as maximum acceptable loss or variance from budget.

Risk profile

A risk profile is a comprehensive summary of the types and levels of risk an organization currently faces. It includes an assessment of the likelihood and potential impact of various risks and how they are being managed.

The risk profile reflects the present risk exposure and risk management effectiveness, providing a complete picture of the risk landscape. The profile is regularly updated to reflect changes in the risk environment, emerging risks and the effectiveness of risk controls.

Risk mitigation strategies

When risks have been identified, assessed and prioritized, organizations can work toward mitigating these risks. This process breaks out into several categories. Effective operational risk management involves choosing the optimal response to risk based on severity, immediacy and many other factors.

  • Risk avoidance: Identify activities that are too risky and consider avoiding unnecessary risks if they lie outside the scope of the organization’s risk appetite.

  • Risk reduction: Implement measures to reduce the likelihood or impact of risks. This can include defining metrics, enhancing internal controls, improving business processes and developing ORM processes.

  • Risk transfer: Transfer the risk to a third party through insurance, outsourcing or contractual agreements.

  • Risk acceptance: Accept certain risks if they are within the organization’s risk appetite and it is not cost-effective to mitigate them further. Help ensure that there are plans to manage and monitor these accepted risks.
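The assessment steps above (identify, analyze with a risk matrix, evaluate against tolerance, treat, review against KRIs) and the four treatment options just listed can be carried through in code. The following is an added example written for this page; it is not IBM's code and not part of any OpenPages product. The 5-point likelihood and impact scales, the severity cut-offs, the tolerance value, the sample risks and the KRI readings are all constructed assumptions for illustration.

```python
"""Small operational risk register: score with a likelihood x impact matrix,
evaluate against a tolerance, assign one of four treatments, review via KRIs.
Added example; all scales, thresholds and sample data are assumptions."""
from dataclasses import dataclass, field

# Assumed ordinal scales (the page names risk matrices but fixes no scale).
LIKELIHOOD = ["rare", "unlikely", "possible", "likely", "almost certain"]
IMPACT = ["negligible", "minor", "moderate", "major", "severe"]


@dataclass
class Kri:
    """Key risk indicator: a measurable signal with an alert threshold."""
    name: str
    threshold: float
    value: float = 0.0

    def breached(self) -> bool:
        return self.value > self.threshold


@dataclass
class Risk:
    name: str
    category: str               # one of the six categories on the page
    likelihood: str
    impact: str
    avoidable: bool = False     # the activity is optional and could be dropped
    transferable: bool = False  # insurance or a contract could carry the loss
    kris: list = field(default_factory=list)

    def score(self) -> int:
        """Risk-matrix score: ordinal likelihood x ordinal impact, 1..25."""
        return (LIKELIHOOD.index(self.likelihood) + 1) * (IMPACT.index(self.impact) + 1)


def rating(score: int) -> str:
    """Map a matrix score to a severity band (assumed cut-offs)."""
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "medium"
    return "low"


def choose_treatment(risk: Risk, tolerance: int) -> str:
    """Evaluate against a numeric tolerance and pick accept, avoid, transfer or reduce."""
    if risk.score() <= tolerance:
        return "accept"      # within tolerance; still monitored
    if risk.avoidable:
        return "avoid"       # optional activity outside the appetite
    if risk.transferable:
        return "transfer"    # insurance, outsourcing, contract terms
    return "reduce"          # strengthen controls to lower likelihood or impact


def prioritize(register: list, tolerance: int) -> list:
    """Rank the register by score (highest first) with rating and treatment."""
    ranked = sorted(register, key=lambda r: r.score(), reverse=True)
    return [(r.name, r.score(), rating(r.score()), choose_treatment(r, tolerance))
            for r in ranked]


def review(risk: Risk) -> str:
    """Ongoing review: a breached KRI raises likelihood one step so the next
    assessment cycle re-prioritizes the risk. Returns the updated likelihood."""
    if any(k.breached() for k in risk.kris):
        idx = min(LIKELIHOOD.index(risk.likelihood) + 1, len(LIKELIHOOD) - 1)
        risk.likelihood = LIKELIHOOD[idx]
    return risk.likelihood


# Constructed sample register (not real data).
REGISTER = [
    Risk("Ransomware on file servers", "systems", "possible", "severe",
         kris=[Kri("critical patches overdue by more than 30 days", threshold=5)]),
    Risk("Payroll data-entry error", "people", "possible", "minor"),
    Risk("Launch of unreviewed side product", "strategic", "possible", "major",
         avoidable=True),
    Risk("Office flooding", "external", "unlikely", "major", transferable=True),
]

TOLERANCE = 6  # assumed maximum acceptable matrix score

if __name__ == "__main__":
    for row in prioritize(REGISTER, TOLERANCE):
        print(row)
```

Running the block prints the register ranked from the ransomware scenario (score 15, critical, reduce) down to the payroll error (score 6, medium, accept). The `review` function shows the feedback loop: once the patch-lag KRI exceeds its threshold, the ransomware likelihood steps up from "possible" to "likely" and the risk is re-scored at 20 on the next pass.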

Operational risk management software

Operational risk management programs can be enhanced by the use of ORM software, which is designed to help organizations identify, assess, mitigate and monitor operational risks across their business operations, all in one environment.

ORM software provides self-assessment tools for capturing and documenting various types of risk and allows users to record risk controls. Beyond identification, risk management software offers the ability to assess risks by using various analytical techniques, such as risk scoring methodologies and risk matrices.

When they’ve identified and assessed risks, users can apply the software’s tools to mitigate and control them, reducing their likelihood and impact. When operational losses inevitably occur, risk management processes can help managers track incidents and determine responsibilities and remedies.

Software can also help with compliance management by offering tools for tracking laws, regulations and standards, and pinpointing areas where a company might have a compliance gap. Risk management software can also integrate with enterprise risk management (ERM) and other systems for risk data sharing and to streamline collaboration across cross-functional teams.
