Operational Risk: Concept, Characteristics and Mitigation

Operational risk can be defined as a set of uncertainties and dangers a company faces when carrying out its activities in a certain segment.

Authors such as Kingsley et al. (1998), Duarte Jr. (2000), and Crouhy, Galai, and Mark (2004) understand operational risk as failures in operational processes and procedures originating in the internal or external environment and generally associated with incorrect management of resources and events that impact company operations. Duarte Jr. adds that operational risk can be subdivided into three categories: operations risk, personnel risk and organizational risk.

Operational risk refers to the possibility of losses caused by failures or inadequacies in processes, people, or systems, or by external events. This type of risk is inherent to all companies and manifests itself in different ways, from human error and fraud to system failures and natural disasters.

The main characteristics of operational risk include:

  • Financial, legal and image impact: in addition to financial losses, operational risk can affect the company’s image, leading to the loss of customers, a decrease in market confidence, or even legal proceedings.
  • Multidimensionality: operational risk covers a wide range of events and circumstances. This includes internal problems, such as process errors and failures in systems or equipment, and external factors, such as natural disasters and regulatory changes.
  • Interdependence: operational risks are generally interconnected. A software failure can result in errors in operational processes and vice versa.
  • Difficulty in measuring: unlike financial, market, or credit risks, which can be quantified with financial models, operational risk is more difficult to measure, due to its qualitative nature and the variability of the events that cause it.

Operational risks can, in sum, derive from people; internal processes; failures in operational procedures, systems or technology; or external events, such as natural disasters, pandemics, and regulatory changes.

Given the great diversity of types of operational risk, its mitigation involves a set of actions to minimize the probability of adverse events occurring in the company, in operational terms, and their impacts. It is easy to imagine how mitigating operational risks in a bank requires different initiatives than mitigating operational risks in an oil refinery or a hospital.

When it comes to mitigating operational risks, some of the main initiatives may include:

  • People Management: training the workforce to ensure that everyone knows best practices and appropriate operational procedures, and fostering a work environment that promotes ethics and transparency.
  • Risk Identification and Assessment: implementing a robust system to identify, evaluate and prioritize operational risks, using risk maps that define the risk factors present in workplaces that are capable of causing damage to employee health. Tools such as Risk Analysis and Self-Assessment Control are useful for identifying gaps and risks inherent in operations.
  • Internal Controls: developing and implementing effective internal controls to prevent and detect errors and fraud. This includes segregating functions, regular internal audits, and documenting operating procedures.
  • Information Technology: using reliable IT systems, with strict cybersecurity measures, implementing regular backups, maintaining disaster recovery plans, and continuous monitoring to quickly detect and respond to failures.
  • Contingency Plans: developing and maintaining updated contingency plans for the continuity of operations and disaster recovery. These plans must be validated regularly to ensure their effectiveness in emergency situations.
  • Compliance and Conformity: monitoring regulatory changes and ensuring that the company is in compliance with all current legislation relevant to its area of activity. This includes implementing compliance programs and carrying out periodic external audits.
  • Monitoring: establishing a system of continuous monitoring and regular reporting on the status of operational risks through the development of key risk indicators (KRIs) and transparent communication with the board of directors, administrators, etc.
  • Risk Management Culture: promoting a business culture that values risk management at all levels. This involves making employees aware of the importance of risk management.

Operational risk management is a critical activity for all companies regardless of size or sector of activity. Effective mitigation of this risk requires an integrated approach that aligns identification, assessment, internal controls, training, and technology use, within a business culture focused on risk mitigation. By adopting these practices, companies are able to not only reduce the probability and impact of adverse events, but also improve resilience and responsiveness, ensuring business continuity and success.

CROUHY, M.; GALAI, D.; MARK, R. Gerenciamento de Risco: Abordagem Conceitual e Prática: Uma Visão Integrada dos Riscos de Crédito, Operacional e de Mercado. Rio de Janeiro: Qualitymark, São Paulo: SERASA, 2004.

DUARTE JR, A. M. “Riscos: Definições, tipos, medição e recomendações para o seu gerenciamento.” Working paper, São Paulo: IBMEC, 2000.

KINGSLEY, S.; ROLLAND, A.; TINNEY, A.; HOLMES, P. “Operational Risk and Financial Institutions: Getting Started.” In: Operational Risk and Financial Institutions. London: Risk Books, 1998.
