
Mastering Operational Risk: A Guide for Financial Institutions

Oct 8, 2024

From cybersecurity and product and service innovations to third-party risk and human error, financial institutions are navigating an increasingly complex environment – one where operational risk poses a fundamental threat to safety and soundness. 

Operational risk can be overwhelming as it touches nearly every facet of a financial institution (FI), from internal staff to outside relationships with vendors and partners. In this guide, we'll break down operational risk, its sources, its impact, and tangible ways your FI can mitigate operational risk.   

Let's get started.

What is operational risk?

Operational risk is the risk of financial loss when processes, people, or systems fail. Sometimes it’s the result of external events like a power outage, fire, or flood. Other times it’s an internal issue, such as fraud, a hardware or software failure, or an accounting error. 

Every type of FI can suffer operational risk losses. For example, a credit union may suffer losses due to catastrophic weather events or a cyberattack. A fintech may be a victim of fraud from internal or external sources, or of a human error caused by staff not following internal policies. A bank might suffer system outages. Regardless of the cause, operational risk events can harm an FI of any size.

That’s why all the prudential regulators, including the Office of the Comptroller of the Currency (OCC), National Credit Union Administration (NCUA), Federal Deposit Insurance Corporation (FDIC), and Federal Reserve, frequently highlight operational risk.  

Sources of operational risk

Operational risk can be traced to a variety of areas, including:

  • Cybersecurity threats. Cyber issues such as ransomware and AI-enabled phishing attacks are on the rise. According to the International Monetary Fund (IMF), the size of extreme losses due to cyber-related incidents has more than quadrupled to $2.5 billion since 2017.

  • Technology outages. In July 2024, what was supposed to be a routine update from a prominent cybersecurity company caused a global outage that affected FIs, as well as airlines and other industries. Other examples of tech outages include hardware or software issues and data center failures. 

  • Natural disasters. These kinds of disasters can have a ripple effect on risk within an FI. Since Hurricane Helene left a trail of destruction in the Southeast, FIs have been assessing the damage, from communicating with customers and members to ensuring the safety of their employees. 

  • Geopolitical tensions. A growing concern in recent years, geopolitical tensions, including wars and trade sanctions, can lead to increased operational risk. 

  • Staffing challenges. Since the pandemic, the gap in information technology (IT) skills has widened, contributing to a significant talent shortage affecting FIs across the country.

  • Human error. This type of oversight often occurs when staff don’t have correct information. For instance, employees who lack access to the latest and most accurate product and pricing information may misprice items, potentially losing revenue or inadvertently creating costly fair lending issues through discriminatory pricing errors. Failing to train staff on policies or procedures can also contribute to human error.

  • Third parties. While many operational risks are internal, they can also come from third-party vendors. In 2023, 60 credit unions were impacted by a ransomware attack on a third-party disaster recovery/business continuity solution provider. Ransomware attackers managed to breach the business continuity plan (BCP) company, but the fallout didn't end there. The incident also affected another division of the parent company, a data processor for credit unions, resulting in significant outages.  

The impact of operational risk

We've mentioned some examples of losses associated with operational risk, but let's delve deeper into its effects.   

Regulatory consequences 

Regulatory non-compliance can have severe consequences, most notably penalties and enforcement actions. Regulators may also limit your ability to generate revenue by restricting the number of profitable activities your institution can engage in, which, in turn, could snowball into financial losses.   

Financial losses

We've all seen headlines like "Major Bank Loses Millions Due to Risk Oversight." While a seven or eight-figure loss can significantly impact a large financial institution, any size loss can be catastrophic for a smaller institution. Combine steep regulatory fines with losses from fraud, cyberattacks (which average about $5.9 million to correct), and other risk sources, and the losses can build.    

Loss in consumer trust   

According to Forrester's US Financial Services Customer Trust Index Rankings, 2023, consumer trust in US financial services remained weak and largely unchanged in 2023. While 2024 shows signs of improvement, maintaining consumer trust is still a significant hurdle for FIs. If customers or members don’t feel like your institution is reliable, they will bank somewhere else. 

Reputational damage  

Where there's a lack of trust, reputational damage often follows. Poor management decisions, employee actions, and issues with third parties can make you an undesirable partner, leading to problems such as consumer attrition and difficulty attracting new partnerships and investors.

How to manage operational risk  

Navigating operational risk requires a strategy and execution plan. Operational risk management is the continuous process a financial institution uses to manage risks within its business functions — "continuous" being the keyword.   

The risk management lifecycle is a critical tool for assessing and understanding the right management strategy for your FI.

The risk management lifecycle  

Successful risk management requires the key stakeholders to have context and understand the scope of risk. Since operational risk is a broad category, a financial institution needs to gather background information, including company procedures and documentation, before engaging in the risk management lifecycle. Manage operational risk with the five-step risk management process.   

[Figure: the five steps in the risk management process]

  1. Identify risk: FIs face a host of risks, some of them more obvious than others. To identify potential risks, organizations can check industry trends, past risk reports, and regulatory updates, including guidance from federal regulators and the Federal Financial Institutions Examination Council (FFIEC). Holding roundtable discussions with other departments and key stakeholders, including senior management, can also be helpful for identifying risks. Once as many operational risks as possible have been identified, putting all the data in one central platform for current and future reference is crucial. 

  2. Assess risk: Once risks have been identified, it’s time to conduct a risk assessment. Risk assessments quantify inherent risk, which exists naturally when there are no safeguards to avoid trouble, and residual risk, which remains after accounting for risk management controls. It’s important to remember that risk is dynamic, so your risk assessments will need to be updated continually.

    Related: Risk Assessments 101: The Role of Probability & Impact in Measuring Risk

  3. Mitigate risk: Operational risk can be mitigated by controls, which are measures, processes, or mechanisms that reduce the likelihood of an operational risk event occurring and/or minimize its impact. Examples of controls include firewalls, employee training, policies and procedures, audits and compliance reviews, and access controls.   

  4. Monitor risk: Evaluate the effectiveness of the controls and the risk environment. An FI can establish thresholds and a plan for responding to new information. For instance, you can establish an early warning system using Key Risk Indicators (KRIs) with clear thresholds for deciding when action is required and when a wait-and-see approach is more suitable.

  5. Report on risk: It is essential to respond to all risk assessment and remediation efforts promptly. Communication is also key. Ensure your risk assessments are effectively communicated throughout the institution. Focus on the highlights and key points, especially when reporting to the board and management. Risk management needs to be ingrained in the institution's culture; otherwise, it's merely a formality.  
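To make steps 2 through 4 concrete, here is an added example (not code from the article or from its publisher) of a small operational-risk register and KRI monitor. It assumes a 5×5 scoring scheme (likelihood and impact each scored 1 to 5, inherent risk = likelihood × impact), treats each control as an independent fractional reduction of the remaining risk to obtain residual risk, and gives every KRI a "warn" and an "act" threshold so a reading maps to wait-and-see, early warning, or action. The risks, controls, effectiveness values, heat-map bands, KRIs and readings are all constructed for illustration.

```python
"""Toy operational-risk register and KRI monitor (added example, not from the article).

Assumptions not stated by the article: likelihood and impact are scored 1..5,
inherent risk = likelihood * impact, each control removes a fraction of the
remaining risk, and each KRI carries a 'warn' and an 'act' threshold.
"""
from dataclasses import dataclass, field
from enum import Enum


class Action(Enum):
    WATCH = "watch"   # within tolerance: wait-and-see
    WARN = "warn"     # early warning: investigate and prepare a response
    ACT = "act"       # threshold breached: execute the response plan


@dataclass
class Risk:
    name: str
    likelihood: int                                 # 1 = rare .. 5 = almost certain
    impact: int                                     # 1 = negligible .. 5 = severe
    controls: dict = field(default_factory=dict)    # control name -> effectiveness 0.0..1.0

    def __post_init__(self):
        for score in (self.likelihood, self.impact):
            if not 1 <= score <= 5:
                raise ValueError(f"{self.name}: scores must be 1..5, got {score}")
        for ctl, eff in self.controls.items():
            if not 0.0 <= eff <= 1.0:
                raise ValueError(f"{self.name}: control {ctl!r} effectiveness must be 0..1")

    def inherent(self) -> int:
        """Risk with no safeguards in place (step 2: inherent risk)."""
        return self.likelihood * self.impact

    def residual(self) -> float:
        """Risk left after controls (step 2: residual risk).
        Each control is applied as an independent fractional reduction of what
        remains; a risk with no controls keeps its full inherent score."""
        remaining = 1.0
        for eff in self.controls.values():
            remaining *= 1.0 - eff
        return round(self.inherent() * remaining, 2)


def rating(score: float) -> str:
    """Map a score on the 1..25 scale onto heat-map bands (band edges are assumed)."""
    if score <= 5:
        return "low"
    if score <= 12:
        return "medium"
    return "high"


@dataclass
class KRI:
    """Key Risk Indicator with a warning and an action threshold (step 4: monitor)."""
    name: str
    warn_at: float
    act_at: float

    def __post_init__(self):
        if self.warn_at >= self.act_at:
            raise ValueError(f"{self.name}: warn_at must be below act_at")

    def evaluate(self, value: float) -> Action:
        if value >= self.act_at:
            return Action.ACT
        if value >= self.warn_at:
            return Action.WARN
        return Action.WATCH


def build_register() -> list:
    """Constructed sample register mirroring the article's risk sources."""
    return [
        Risk("Ransomware via phishing", likelihood=4, impact=5,
             controls={"email filtering": 0.6, "awareness training": 0.3, "offline backups": 0.5}),
        Risk("Third-party BCP provider outage", likelihood=3, impact=4,
             controls={"vendor due diligence": 0.3, "alternate recovery site": 0.5}),
        Risk("Mispricing from stale rate sheets", likelihood=3, impact=3),   # no controls yet
    ]


def rank_register(risks: list) -> list:
    """Order risks by residual score, highest first, to prioritise mitigation (step 3)."""
    return sorted(risks, key=lambda r: r.residual(), reverse=True)


def monitor(kris: list, readings: dict) -> dict:
    """Evaluate each KRI against its latest reading; a missing reading is an error,
    not silently treated as 'fine'."""
    results = {}
    for kri in kris:
        if kri.name not in readings:
            raise KeyError(f"no reading for KRI {kri.name!r}")
        results[kri.name] = kri.evaluate(readings[kri.name])
    return results


# Constructed KRIs and one monitoring cycle of readings.
SAMPLE_KRIS = [
    KRI("phishing simulation click rate (%)", warn_at=10, act_at=20),
    KRI("critical vendor SLA breaches this quarter", warn_at=1, act_at=3),
    KRI("days since last backup restore test", warn_at=90, act_at=180),
]
SAMPLE_READINGS = {
    "phishing simulation click rate (%)": 12.0,
    "critical vendor SLA breaches this quarter": 0,
    "days since last backup restore test": 200,
}

if __name__ == "__main__":
    for r in rank_register(build_register()):
        print(f"{r.name:36} inherent={r.inherent():>2} ({rating(r.inherent())})"
              f"  residual={r.residual():>5} ({rating(r.residual())})")
    for name, action in monitor(SAMPLE_KRIS, SAMPLE_READINGS).items():
        print(f"{name:42} -> {action.value}")
```

Running it shows why the article insists on scoring residual as well as inherent risk: the ransomware scenario has the highest inherent score (20, high) but, with three controls applied, the lowest residual (2.8, low), while the uncontrolled mispricing risk keeps its full score of 9 and rises to the top of the mitigation queue. The KRI monitor separates "warn" from "act" so that a click rate of 12% triggers investigation without an incident response, whereas 200 days without a restore test crosses the action threshold.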

For more information on creating and overseeing an effective operational risk management strategy, see our article Creating Reliable Risk Assessments.   

Understanding and effectively managing operational risk is crucial for maintaining regulatory compliance, minimizing financial losses, preserving consumer trust, and protecting an institution's reputation. By implementing a comprehensive operational risk management strategy and continuously identifying and addressing potential risks, financial institutions can mitigate the impact of operational risk and safeguard their long-term success.

Want more tips on managing and monitoring operational risk? Download the Enterprise Risk Management Buyer’s Guide.
