Operational risk management is the discipline of identifying, assessing, monitoring, and controlling losses that arise from inadequate or failed internal processes, people, and systems, or from external events.
This definition comes directly from the Basel Committee on Banking Supervision and has been absorbed into the FFIEC IT Examination Handbook that US bank examiners work from. Every other framing of operational risk management is anchored back to this concept.
This article unpacks what that definition means in practice for a US bank or credit union. Read this when you need a clean conceptual answer and follow the suggested links when you need the operating-model depth.

Operational Risk vs Operational Risk Management
The two phrases are often used interchangeably, and that conflation is the most common source of incomplete control programs.
- Operational risk is the exposure (the potential for loss arising from the seven Basel event types).
- Operational risk management is the discipline that addresses that exposure through a defined lifecycle, taxonomy, and control library.
For example, a wire transfer that is misrouted to the wrong beneficiary is operational risk. The review process that should have caught the keystroke error, the daily reconciliation that flagged the discrepancy, the incident response that recalled the funds, and the post-mortem that updated the control library are all operational risk management.
The distinction matters because examiners and board directors often ask risk leaders to “report on operational risk.” A mature program reports both:
- The loss profile by event type
- The control posture that produced the event
The Seven Categories of Operational Risk
The Basel II accord organised operational risk into seven event-type categories, and that taxonomy is now the standard reference across US banking regardless of whether the institution is internationally active.
The table below maps each Basel event-type category to a representative loss example from a community or regional bank and to the typical control type that applies.
| Basel II event-type category | Representative bank loss example | Typical control type |
|---|---|---|
| Internal fraud | Teller embezzlement, falsified loan files, unauthorised trading | Segregation of duties, dual control, surveillance |
| External fraud | Wire fraud, ATM skimming, check kiting, account takeover | Authentication, anomaly detection, customer education |
| Employment practices and workplace safety | EEO discrimination claim, branch workplace injury | Policy, training, incident reporting |
| Clients, products, and business practices | Misselling of investment products, UDAAP violations, fair-lending breach | Product approval, sales-practice surveillance, complaint analytics |
| Damage to physical assets | Branch fire or flood, vandalism, natural disaster | Insurance, BCP/DR, physical security |
| Business disruption and system failures | Core banking outage, payments processor failure, cloud provider incident | Resilience testing, vendor-failover plans, redundant systems |
| Execution, delivery, and process management | Misrouted wire, settlement break, missed regulatory filing, vendor data error | Reconciliation, four-eyes review, exception management |
No institution’s loss profile distributes evenly across all seven categories. Community banks see external fraud and execution-delivery events dominate, while regional and large banks add weight in business disruption and clients-products-business-practices losses.
The Primary Objective of Operational Risk Management
The primary objective of operational risk management is to keep operational losses within the institution’s stated risk appetite while preserving capital, customer trust, and regulatory standing. Risk appetite, in this context, is a board-approved statement of how much operational loss the institution is prepared to absorb.
Operational risk management is a second-line discipline that feeds into the institution’s broader enterprise risk program, which in turn supports the strategic plan. ORM provides ERM with the loss data, control posture, and emerging-risk signals needed to roll a credible aggregated risk view up to the board.
The objective shifts across institution sizes:
- A community bank prioritises avoidable-loss reduction and examiner-readiness
- A regional bank adds operational resilience as a co-equal objective
- A globally active bank operating under the Basel Standardised Measurement Approach adds capital optimisation
The Operational Risk Management Lifecycle
Most operational risk programs are built around a five-step lifecycle that turns the discipline into a repeatable operating cadence:
Identify
The first step locates the institution’s operational risk surface through process mapping, scenario workshops, and review of internal and external loss events. The output is a populated risk register that names every material operational risk by Basel category, business unit, and inherent severity.
Assess
Each identified risk is scored on inherent and residual likelihood and severity, typically through a Risk and Control Self-Assessment (RCSA) that engages first-line process owners directly. The RCSA is the artifact examiners ask for first when they review the operational risk function.
Monitor
Key Risk Indicators (KRIs) are defined for the highest-priority risks, with thresholds that trigger escalation when breached. The second line tracks loss events and near-miss data on a continuous basis to validate that the assessed posture matches the actual experience.
Control
Preventative, detective, and corrective controls are designed, documented, and mapped to the risks they address, and tested on a defined cadence. The control library is the bridge between the risk register and the institution’s audit posture.
Report
Board-level reporting integrates loss data, KRI status, control test results, and emerging-risk signals into a quarterly view the board risk committee can act on. Regulator reporting follows the cadences specified in FFIEC and OCC supervisory guidance.
The lifecycle is what makes operational risk management and reduction an operating discipline rather than a periodic exercise.
Frequently Asked Questions
What is the primary objective of operational risk management?
The primary objective is to keep operational losses within the institution’s stated risk appetite while preserving capital, customer trust, and regulatory standing. The objective is loss containment and resilience. The risk appetite statement, board-approved and translated into KRI thresholds, is the anchor that defines what “within appetite” means.
What is the difference between operational risk and operational risk management?
Operational risk is the exposure, the set of loss events that could occur, while operational risk management is the discipline that addresses that exposure through a defined lifecycle, taxonomy, control library, and reporting cadence. The first is what could happen; the second is the structured program that minimises how often it happens and contains the damage.
What is operational risk management in banks?
In a US bank, operational risk management is a second-line function that owns the framework, methodology, and aggregation across the seven Basel categories (internal fraud, external fraud, employment practices, clients-products-business-practices, damage to physical assets, business disruption, and execution-delivery-process management). The function reports to the chief risk officer and operates under FFIEC supervisory guidance, OCC Heightened Standards for larger banks, or NCUA expectations for credit unions.
What does an operational risk manager do?
An operational risk manager owns the framework, methodology, and second-line challenge for a defined risk surface. The role designs and runs RCSAs, maintains the control library, sets KRIs, reviews loss events and near misses, prepares board and regulator reporting, and coordinates with the first-line business owners and the third-line internal audit function.
Operational risk management is the discipline that keeps the seven Basel event-type exposures within the institution’s risk appetite. It runs through a five-step lifecycle, is governed by a documented framework anchored in FFIEC and Basel II, and is assured under the three lines of defense.
Readers who want to see how ORM fits inside the institution’s overall risk architecture should review our article on how to create a risk management plan that ties ORM to enterprise risk management.