Operational risk is a very broad concept, and it is very difficult to agree on one common definition that fits everyone’s needs. Operational risk primarily focuses on risks arising from failures in processes, systems, and people, and can also include things such as fraud and legal risk.

One of the most widely used definitions of operational risk is the one provided in Basel II.

According to Basel II, operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.

In the above definition, legal risk includes, but is not limited to, exposure to fines, penalties, or punitive damages resulting from supervisory actions, as well as private settlements.

Basel’s definition of operational risk is used primarily for the purpose of capital adequacy. The Basel Committee does recognize that the term operational risk can have different meanings for different banks, and therefore allows banks to adopt their own definition of operational risk, provided that the key elements of the Basel Committee’s definition are included.

It is important to note that this definition is based on the underlying causes of operational risk. It seeks to identify why a loss happened and, at the broadest level, breaks losses down by four causes: people, processes, systems and external factors. This “causal-based” definition, and more detailed specifications of it, is particularly useful for the discipline of managing operational risk within institutions. However, for the purpose of operational risk loss quantification and the pooling of loss data across banks, it is necessary to rely on definitions that are readily measurable and comparable. Given the current state of industry practice, this has led banks and supervisors to move towards distinguishing between operational risk causes, actual measurable events (which may be due to a number of causes, many of which may not be fully understood), and the P&L effects (costs) of those events. Operational risk can be analyzed at each of these levels.