Operational / Transaction Risk

Although management needs to be aware of all potential risks,
operational risk is the primary risk associated with information
technology. Operational risk (also referred to as transaction risk)
is the risk of loss resulting from inadequate or failed processes,
people, or systems. The root cause can be either internal or
external events. Operational risk is present across all business

Operational risk may arise from fraud or error. Management's
inability to maintain a competitive position, to manage
information, or to deliver products and services can also create
and compound operational risk. Weak operational risk management can
result in substantial losses from a number of IT threats including
business disruptions or improper business practices.

An institution should properly identify, measure, monitor, and
control operational risk. Management should distinguish the
operational risk component from other risks to enable a stronger
focus on operational risk mitigation. The board should ensure a
program exists to manage and monitor this risk. The program should
address the institution's tolerance for risk, the effectiveness of
internal controls, management's accountability with regard to risk
mitigation, and the processes needed to manage IT effectively.

Operational risk includes not only back office operations and
transaction processing, but also areas such as customer service,
systems development and support, internal controls and processes,
and capacity planning. Operational risk from IT also affects
credit, compliance, strategic, reputation, and market risks.
Management should be aware of the implications of operational risk

IT management should have a corporate-wide view of technology.
It should maintain an active role in corporate strategic planning
to align technology with established business goals and strategies.
It also should ensure effective technology controls exist
throughout the organization either through direct oversight or by
holding business lines accountable for IT-related controls. From a
control standpoint, management should assess risks and determine
how to control and mitigate the risks. Management should
continually compare its risk exposure to the value of its business
activities to determine acceptable risk levels.