5.3 Operational, Strategic & Other Risk

Key Takeaways

  • Operational risk is the risk of loss from failed or inadequate processes, people, and systems, or from external events; the Basel definition is the standard reference.
  • Strategic (business) risk threatens the firm's business model and competitive position; legal/compliance and reputational risks flow from law-breaking, regulation, and lost stakeholder trust.
  • Value-at-risk (VaR) estimates the maximum loss expected over a set period at a given confidence level (e.g., a 95% one-day VaR of $1M means losses should exceed $1M on only 5% of days).
  • Scenario and sensitivity analysis flex assumptions to test outcomes, while stress testing models severe but plausible adverse conditions beyond normal VaR.
  • Risk mitigation is justified only when its expected benefit exceeds its cost; key risk indicators (KRIs) provide early-warning metrics for ongoing monitoring.
Last updated: June 2026

Operational Risk

Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. This four-part definition (from the Basel framework) is the standard one to memorize. Examples by category:

  • Process — a flawed reconciliation lets errors slip through; a broken approval workflow
  • People — human error, fraud, key-person dependence, lack of training
  • Systems — IT outages, cyberattacks, data corruption, failed software deployments
  • External events — natural disasters, pandemics, supplier failure, regulation

Unlike financial risk, operational risk usually has only downside and is managed mainly through internal controls, redundancy, training, and business-continuity planning rather than hedging.

Strategic and Other Risk

Strategic (business) risk threatens the firm's core business model and competitive position — disruptive technology, shifting customer demand, a failed merger, or a misjudged market entry. It is the hardest to hedge and is owned at the board and executive level.

Legal and compliance risk arises from breaking laws, contracts, or regulations, exposing the firm to fines, sanctions, and litigation. Reputational risk is the threat of lost trust among customers, investors, and the public; it often follows an operational, ethical, or compliance failure and can destroy value faster than the original event. These risks compound: a data breach (operational) can trigger fines (compliance) and customer flight (reputational).

Value-at-Risk (VaR)

Value-at-risk (VaR) estimates the maximum loss a position or portfolio is expected to suffer over a defined time horizon at a stated confidence level. It has three inputs: a loss amount, a time period, and a probability.

A 95% one-day VaR of $1 million means that on a normal day there is a 95% chance losses will not exceed $1 million — equivalently, losses should exceed $1 million on only about 5% (1 in 20) of days.

The major weakness: VaR says nothing about how bad losses get in that worst 5% tail. It can lull managers into ignoring catastrophic but rare events, which is exactly what stress testing addresses.
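The following is an added example, not code from the original page: two constructed 200-day P&L histories that share the same 95% one-day VaR of $1 million but have very different losses beyond it, which is exactly what VaR does not show. The expected-shortfall function (average loss on the worst 5% of days) is the usual way to put a number on that tail.

```python
"""Historical-simulation VaR versus expected shortfall (added example, not from
the original page). Both daily P&L histories below are constructed so that
they share the same 95% one-day VaR of $1 million while their losses beyond
that level differ sharply, which is the blind spot the section describes."""


def historical_var(pnl, confidence=0.95):
    """One-day VaR from an empirical P&L series (negative values are losses).

    Losses are ranked worst-first; with n days at confidence c, the VaR is
    the loss that exactly n*(1-c) worse days exceed (10 of 200 days at 95%).
    """
    losses = sorted((-x for x in pnl), reverse=True)
    tail_days = int(len(losses) * (1 - confidence))
    return losses[tail_days]


def expected_shortfall(pnl, confidence=0.95):
    """Average loss on the days beyond VaR: the tail that VaR says nothing about."""
    losses = sorted((-x for x in pnl), reverse=True)
    tail_days = int(len(losses) * (1 - confidence))
    return sum(losses[:tail_days]) / tail_days


def breach_rate(pnl, var):
    """Fraction of days on which the loss exceeded the VaR figure."""
    return sum(1 for x in pnl if -x > var) / len(pnl)


def make_pnl(tail_losses):
    """Constructed 200-day history: 189 ordinary days between -$300k and
    +$300k, one day losing exactly $1M, and the given tail-day losses."""
    body = [(i % 7 - 3) * 100_000 for i in range(189)]
    return body + [-1_000_000] + [-loss for loss in tail_losses]


# Same VaR, different tails: 10 bad days of $1.05M-$1.5M versus $2M-$11M.
THIN_TAIL = make_pnl([1_050_000 + 50_000 * k for k in range(10)])
FAT_TAIL = make_pnl([1_000_000 * (k + 2) for k in range(10)])

if __name__ == "__main__":
    for name, pnl in [("thin tail", THIN_TAIL), ("fat tail", FAT_TAIL)]:
        var = historical_var(pnl)
        print(f"{name}: VaR ${var:,.0f}, breached on {breach_rate(pnl, var):.0%} "
              f"of days, expected shortfall ${expected_shortfall(pnl):,.0f}")
```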

Scenario, Sensitivity, and Stress Testing

These three tools are easy to confuse; the distinctions are tested:

  • Sensitivity analysis: flexes one variable at a time to see how the outcome responds (a "what-if" on a single input)
  • Scenario analysis: flexes several variables together into coherent, plausible scenarios (e.g., a recession case)
  • Stress testing: models severe but plausible adverse conditions, often beyond normal VaR, to test survival

Sensitivity analysis isolates which assumption matters most; scenario analysis builds a small set of internally consistent futures; stress testing pushes to extreme tail conditions to expose breaking points the other two might miss.

Cost-Benefit of Risk Mitigation

Every control, hedge, or insurance policy has a cost, and ERM requires that the cost be justified by the risk it removes. The decision rule mirrors the response logic from Section 5.1:

  • Estimate expected loss = probability of the event × its impact
  • Estimate the cost of the mitigation (controls, premiums, lost flexibility)
  • Apply the control only when expected loss reduction exceeds its cost

A worked example: a control costing $40,000 a year that cuts an expected annual loss from $100,000 to $30,000 reduces expected loss by $70,000 — a net benefit of $30,000, so it is worth implementing. Over-controlling a trivial risk wastes resources just as surely as ignoring a major one destroys value.

Risk Monitoring and Key Risk Indicators

ERM is continuous, not a one-time exercise. Key risk indicators (KRIs) are forward-looking metrics that signal rising exposure before a loss occurs — for example, employee-turnover rate (people risk), system-downtime minutes (systems risk), or days-past-due on receivables (credit risk). KRIs differ from key performance indicators (KPIs): KPIs look back at results, while KRIs look ahead at the likelihood of future loss.

A strong monitoring program sets thresholds on each KRI, escalates breaches, updates the risk register, and feeds the COSO review & revision component so responses stay aligned with a changing risk landscape.
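An added example of the monitoring program just described, not code from the original page: each KRI carries an amber (early-warning) and red (escalation) threshold, a breach is escalated, and a reading that is still green but has risen for three consecutive periods is flagged as a forward-looking warning. The indicators, thresholds and monthly readings are constructed.

```python
"""Threshold-based KRI monitoring with breach escalation (added example,
not from the original page; indicators, thresholds and readings are
constructed to illustrate the monitoring program the section describes)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class KRI:
    name: str
    risk_category: str
    amber: float   # early-warning threshold (higher readings are worse)
    red: float     # escalation threshold

    def status(self, value):
        """Classify one reading against the two thresholds."""
        if value >= self.red:
            return "red"
        if value >= self.amber:
            return "amber"
        return "green"


def evaluate(kri, readings, trend_window=3):
    """Rate the latest reading and choose the action; a KRI that has risen for
    trend_window consecutive periods is flagged even while still green."""
    latest = readings[-1]
    status = kri.status(latest)
    recent = readings[-trend_window:]
    rising = (len(recent) == trend_window
              and all(a < b for a, b in zip(recent, recent[1:])))
    if status == "red":
        action = "escalate to risk committee; update risk register"
    elif status == "amber":
        action = "notify risk owner; review response"
    elif rising:
        action = "early warning: trending toward amber threshold"
    else:
        action = "none"
    return {"kri": kri.name, "category": kri.risk_category, "latest": latest,
            "status": status, "rising": rising, "action": action}


# Constructed KRIs matching the examples the section names.
TURNOVER = KRI("employee turnover (% annualised)", "people", amber=12, red=18)
DOWNTIME = KRI("system downtime (minutes/month)", "systems", amber=60, red=120)
PAST_DUE = KRI("receivables days past due", "credit", amber=45, red=60)
if __name__ == "__main__":
    for kri, series in [(TURNOVER, [8, 9, 11, 14]), (DOWNTIME, [40, 35, 130]),
                        (PAST_DUE, [30, 33, 38])]:
        print(evaluate(kri, series))
```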

Measuring and Pricing Operational Risk

Operational risk is often described by frequency (how often events occur) and severity (loss per event). High-frequency, low-severity losses — small processing errors — are predictable and budgeted as a cost of doing business. Low-frequency, high-severity events — a major fraud or system failure — are the ones that threaten survival and justify insurance or strong controls.

A simple expected-loss estimate multiplies the two: probability of an event × average loss given the event. Comparing expected loss against the cost of a control returns directly to the cost-benefit rule. Reputational and strategic risks resist this neat math because their impact is delayed, diffuse, and hard to quantify — which is why qualitative scenario analysis and board-level judgment carry more weight for them than for credit or market risk.
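An added example, not code from the original page, that ties the frequency × severity view to the cost-benefit rule from the previous section. Two constructed risk profiles have the same $100,000 expected annual loss, but the probability of a single year's losses exceeding a (constructed) $1 million survival threshold is wildly different; the figures passed to the decision function are the section's own $40,000 control example. The Poisson event-count assumption is this example's, not the page's.

```python
"""Frequency × severity view of operational risk and the cost-benefit rule
(added example, not from the original page). Frequencies, severities and the
survival threshold are constructed; the figures passed to control_decision
are the section's own worked example."""
import math


def expected_loss(events_per_year, loss_per_event):
    """Expected annual loss = frequency × severity."""
    return events_per_year * loss_per_event


def prob_annual_loss_exceeds(threshold, events_per_year, loss_per_event):
    """P(annual loss > threshold) under an assumption made for this example:
    yearly event counts are Poisson with the given mean and every event costs
    exactly loss_per_event. The loss exceeds the threshold only if more than
    threshold/loss_per_event events occur, so this is a Poisson upper tail,
    summed in log space so high frequencies do not underflow."""
    max_ok = int(threshold // loss_per_event)   # most events that still fit
    lam = events_per_year
    cdf = sum(math.exp(-lam + k * math.log(lam) - math.lgamma(k + 1))
              for k in range(max_ok + 1))
    return max(0.0, 1.0 - cdf)


def control_decision(expected_loss_before, expected_loss_after, control_cost):
    """Apply the control only when the expected-loss reduction exceeds its cost."""
    reduction = expected_loss_before - expected_loss_after
    net_benefit = reduction - control_cost
    return {"reduction": reduction, "net_benefit": net_benefit,
            "implement": net_benefit > 0}


# Two constructed risk profiles with the same expected loss of $100,000 a year.
HIGH_FREQ_LOW_SEV = (200, 500)           # 200 processing errors at $500 each
LOW_FREQ_HIGH_SEV = (0.01, 10_000_000)   # a 1-in-100-years event costing $10M
SURVIVAL_THRESHOLD = 1_000_000           # constructed: a loss the firm cannot absorb

if __name__ == "__main__":
    for name, (freq, sev) in [("high-freq/low-sev", HIGH_FREQ_LOW_SEV),
                              ("low-freq/high-sev", LOW_FREQ_HIGH_SEV)]:
        print(f"{name}: expected loss ${expected_loss(freq, sev):,.0f}, "
              f"P(loss > ${SURVIVAL_THRESHOLD:,}) = "
              f"{prob_annual_loss_exceeds(SURVIVAL_THRESHOLD, freq, sev):.4%}")
    print(control_decision(100_000, 30_000, 40_000))
```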

Choosing a Monitoring Cadence

Not every risk warrants the same attention. High-velocity risks — cyber threats, market exposures — need near-real-time KRIs and frequent reporting, while slow-moving strategic risks may be reviewed quarterly or annually by the board. ERM directs scarce monitoring resources toward the risks most likely to breach appetite, and the information, communication & reporting component ensures the right risk data reaches the right decision-makers in time to act.

Test Your Knowledge

A bank reports a 99% one-day value-at-risk (VaR) of $5 million. What does this figure mean?

Test Your Knowledge

A firm evaluates a $40,000-per-year control that would cut an expected annual loss from $100,000 to $30,000. Under cost-benefit analysis, should it implement the control?
