Published by Jessica Weisman-Pitts
Posted on July 8, 2022
5 min readLast updated: February 5, 2026
Add as preferred source on Google
By Karl Viertel
Until recently, many financial services institutions may have viewed operational risk as a “side project” compared to market and credit risks these organizations manage on a daily basis. The rise of new types of operational risk, the increased reliance on a more complex supply chain of vendors and the velocity of threats materializing have led to an increased focus on operational risk management from FSI’s as well as regulators. Unfortunately, identifying and quantifying these risks still remains a very manual process in many cases.
The continuous increase in operational risk is a direct consequence of various factors:
Many financial services institutions and regulators alike are recognising that the currently established manual processes are no longer sufficient, nor cost effective, when dealing with this level of risk. Additionally, the fragmentation of GRC tools deployed across many organizations adds an enormous burden to risk management processes, making it very difficult to gain real-time risk insights.
So, what exactly is so unique about operational risk?
Operational risk can be a direct result of many potential sources, unlike market risk. They can have significantly varying impact, from health and human safety to reputational damage. Additionally, quantification can be particularly challenging. The expertise and skills needed to accurately quantify operational risk are as varied as the sources. Historical values require an enormous amount of context to be relevant enough to correlate.
Some financial services institutions refer to operational risk as a non-financial risk. It is important to mention that fraud, data privacy protection, cyber security, ESG and infrastructure risks fall under this category.
Operational risk is manageable as long as the organization keeps its losses within the same level of risk tolerance (risk appetite), determined by balancing the costs of risk mitigation against the expected outcome benefits.
Tackling operational risk consists of five individual steps that will most likely arm your organization with an effective risk management process:
Essentially, these steps would repeat each time a new major risk event surfaces.
Implementing the five steps detailed above into your risk management framework will guide your organization into a much more efficient risk management process. Further key components in the risk management framework of any financial services institution should be:
Ensuring the efficiency of a fully integrated risk management framework requires continuous monitoring and it is the responsibility of the organization to ensure that the risk process established provides comprehensive coverage across the different risk event types (including operational risk) in order to perform ongoing assessments of not just the individual components, but the overall framework’s success.
Selecting an easy-to-use solution that ensures high user adoption in order to engage key risk stakeholders on an ongoing basis is critical. It needs to convey a tone emphasizing and encouraging an active risk culture within the organization using agile methods of interaction. Furthermore, the solution must also be able to provide a methodical approach for quantifying risk exposure and appetite, without being highly rigid. Additionally, when identifying risks, the solution must be able to support scalable assessment capability, rather than relying on manual sample-based approaches.
Executed correctly, integrated risk management will enable organizations to focus their spend on risk mitigation rather than risk identification and management.
Karl Viertel is responsible for Mitratech’s global GRC business as Managing Director of the business unit. After working in the technology and risk divisions of Accenture and Deloitte, Karl co-founded one of the first RegTech companies – Alyne, in 2015. In late 2021, Alyne was acquired by the legal and risk software leader Mitratech.
Operational risk refers to the potential for loss resulting from inadequate or failed internal processes, people, and systems, or from external events. It encompasses various risks including fraud, data breaches, and system failures.
Risk management is the process of identifying, assessing, and controlling threats to an organization's capital and earnings. It involves implementing strategies to minimize potential risks.
A risk assessment is a systematic process to evaluate potential risks that may be involved in a projected activity or undertaking. It helps organizations understand and prioritize risks.
Mitigation measures are actions taken to reduce the severity or impact of identified risks. These can include implementing controls, changing processes, or providing training.
Explore more articles in the Business category
