Although management needs to be aware of all potential risks, operational risk is the primary risk associated with information technology. Operational risk (also referred to as transaction risk) is the risk of loss resulting from inadequate or failed processes, people, or systems. The root cause can be either internal or external events. Operational risk is present across all business lines.
Operational risk may arise from fraud or error. Management's inability to maintain a competitive position, to manage information, or to deliver products and services can also create and compound operational risk. Weak operational risk management can result in substantial losses from a number of IT threats including business disruptions or improper business practices.
An institution should properly identify, measure, monitor, and control operational risk. Management should distinguish the operational risk component from other risks to enable a stronger focus on operational risk mitigation. The board should ensure a program exists to manage and monitor this risk. The program should address the institution's tolerance for risk, the effectiveness of internal controls, management's accountability with regard to risk mitigation, and the processes needed to manage IT effectively.
Operational risk includes not only back office operations and transaction processing, but also areas such as customer service, systems development and support, internal controls and processes, and capacity planning. Operational risk from IT also affects credit, compliance, strategic, reputation, and market risks. Management should be aware of the implications of operational risk including:
IT management should have a corporate-wide view of technology. It should maintain an active role in corporate strategic planning to align technology with established business goals and strategies. It also should ensure effective technology controls exist throughout the organization either through direct oversight or by holding business lines accountable for IT-related controls. From a control standpoint, management should assess risks and determine how to control and mitigate the risks. Management should continually compare its risk exposure to the value of its business activities to determine acceptable risk levels.