Operational Risk: Strategies for Mitigation and Resilience

Many companies face some level of risk in doing business; even minor risks can become significant challenges when left unchecked. Implementing operational risk management strategies can help your organization mitigate risk and build resilience for whatever the future has in store.

Risk mitigation strategies can help teams avoid losing productivity or money due to human factors, equipment malfunction, ethical scandal, or cybersecurity attack, among others. Explore some of the common sources of operational risk in this article, and discover how to craft operational risk management strategies that help your company achieve its organizational goals. 

Leaders at 4,300+ companies develop their talent with Coursera

Learn more

What is operational risk?

Operational risk describes factors contributing to the possibility of loss from insufficient or failed internal procedures, personnel, systems, or external events impacting a company's routine operations [5]. It can also provide a competitive edge by allowing organizations to take informed risks while achieving improved brand recognition and organizational performance. 

Risk may be an unavoidable cost of doing business, but many things that can go wrong for a company are avoidable. Robust operational risk management strategies allow you to identify future problems before they occur or stop them from ballooning into a bigger, more severe issue. It also helps your organization build resiliency by mitigating risks and preparing for an uncertain future. You can also use operational risk management (ORM) processes to better understand the business environment you’re operating in and make more informed decisions. Another benefit of ORM is its ability to demonstrate the proactive measures you are taking to guard your employees', investors’, and customers' interests. 

Common sources of operational risk

You can simplify the concept of operational risk across all companies and industries by placing it into three primary categories: people, equipment, and production. Nearly all examples of operational risk come from one or more of these three elements. Below, explore specific examples of how each category contributes to operational risk. 

Human factors

The people involved with your company can be significant contributors to operational risk. Human elements include your staff or employees. This category also includes customers, vendors, and other key players, such as shareholders. 

Some examples of how people can pose an operational risk include: 

• Human error, caused by lack of ability, training, or compliance

• System failures and technology limitations

• Poor staff training

• Employee theft or other internal fraud

• Insider trading or other ethical concerns

• Poor employee conduct

• Workplace safety risks

Production or process

The next area where your company can face operational risk is product production or service delivery to your customers. This category includes anything that can disrupt your production or cause you to provide a product or service below your standards. Some examples of operational risk associated with production include: 

• Lack of raw materials or components

• Shipping and storage risks

• Business process disruption

• Incomplete documentation

• Inadequate business processes

Equipment or technology

The third category of operational risks is equipment and technology. If equipment fails, it can cost your company time and money to work around and fix the problem. Technology also invites operational risk and exposes your company to potential cyberattacks or data breaches. Some examples of equipment or technology operations risks include: 

• Downtime associated with equipment failure or maintenance

• Data breaches and malicious cyber attacks

• Communication problems due to equipment failure 

• Risk related to new tech like artificial intelligence or automation

Benchmark your talent with global skill insights

See how millions of learners in 100 countries are strengthening critical skills.

Global Skills Report

Operational risk management strategies

Creating an operational risk management strategy will likely look slightly different from company to company and within various industries because your ORM strategy should meet your company’s specific challenges. The basic five-step approach involves determining your appetite and tolerance for risk, identifying risk, assessing the potential danger, finding ways to reduce and mitigate the risk, and monitoring the solution if something changes. 

Risk appetite and tolerance

Risk appetite refers to how much risk your company is willing to take on to continue growing and thriving. Risk tolerance is another critical element to define because it determines how much deviation the organization is willing to tolerate and sets boundaries accordingly. 

Before determining your operational risk management strategy, you should understand how much risk your company's critical stakeholders will tolerate. Sometimes, it will be necessary to accept risks because the potential payoff or benefit is significant enough to justify them. Understanding your company’s risk appetite and tolerance can help you find the right balance. 

Risk identification 

Once you have a consensus on your risk appetite, the next step in creating your operational risk management strategy is to identify the unique operational risks you face. In this step, you can analyze the potential disruptions your company could face, focusing on disruptions affecting your critical processes. You might look at trends in past losses and incidents, as well as any changes in the industry’s overall operating environment, including technological advancements or regulatory changes. 

Risk assessment

After compiling your company's operational risk, you can assess those factors to determine which are crucial to address. Consider how likely these scenarios are to happen and how significant the impact would be on your company, ultimately assigning them a high, medium, or low priority. This step of the process helps you focus on the most pressing operational risks so you can work to mitigate the problems likely to damage your company. 

Risk reduction

Next, you will work to mitigate risk, starting with the highest priority and moving towards the lowest. Each operational risk will have its own mitigation strategy. Some potential risk reduction strategies include: 

• Transferring risk through insurance policies or by outsourcing company activities to a third party. 

• Avoiding behaviors that will cause operational risk, such as working with a risky vendor. 

• Putting policies in place to control risk, such as taking steps to secure a network so you are not at risk for cyberattacks. 

Lastly, you may accept some risk after weighing the potential benefits of the operational risk and determining whether the process is worth pursuing despite the risk as part of your organization’s risk tolerance. 

Risk monitoring

The last step is to monitor your risk management processes. In an ever-changing business landscape, your risk mitigation strategies could stop being effective over time, or you may need to adapt them to keep pace with those changes. You can help keep your company safe from operational risk by monitoring the policies in place and making updates when needed. When you implement a new technology or piece of equipment, for example, you should consider beginning again at step one to identify, assess, and mitigate potential risks associated with the equipment. 

Develop custom courses tailored to your business

Meet your mission-critical learning needs with world-class content from participating industry and academic Coursera Partners.

Course Builder

Who uses operational risk management strategies?

Companies of all kinds rely on risk management professionals to manage operational risks, including those stemming from financial, regulatory compliance, training, and technological risks. If you are interested in a career in the field, some examples of titles along this career path include risk analyst, operational risk manager, and vice president of operational risk. 

Operational risk analyst

Average annual base salary: $80,798 [1]

Job outlook (2022 to 2032): 10 percent [2]

Education requirements: Operational risk analysts may hold an associate degree, but employers typically prefer those with a bachelor’s or master’s in fields like math or economics. 

Operational risk analysts use ORM strategies to identify, analyze, and recommend ways for your organization to mitigate its risks. They may work in financial areas and help a company create a portfolio that reflects their risk tolerance, researching and recommending investments and other financial strategies. They might also work with HR to create employee training programs and other departments to ensure regulatory compliance, among other tasks.

Operational risk manager

Average annual base salary: $127,347 [3]

Job outlook (2022 to 2032): 10 percent [2]

Education requirements: Operational risk managers likely need to earn a bachelor’s degree in business administration, accounting, or a similar field. Some employers may prefer a CFA (chartered financial analyst) or CFE (certified fraud examiner) certification. 

An operational risk manager uses strategies similar to those of a risk analyst. They typically examine business processes, technology, changing regulations, and other factors to help a company avoid risk in varied business areas. Depending on the role in operational risk, this position could target a single facet of the business or take a broad approach with duties that touch nearly all company departments. 

Vice president of operational risk 

Average annual base salary: $172,998 [4]

Job outlook (2022 to 2032): 10 percent [2]

Education requirements: Vice presidents of operational risk likely need to earn a master’s degree in business administration or risk management. Many employers also require ten or more years of experience in risk management positions. 

The vice president of operational risk, sometimes called the chief risk officer (CRO), often oversees the risk management department. They also develop and execute a strategic ORM plan and may work with a team of risk officers, while reporting to the executive director or CEO. 

Getting started with Coursera

Companies face operational risk due to human factors, equipment malfunction, technological vulnerabilities, and business process breakdowns. Operational risk management strategies can help you identify and analyze these threats to organize an effort to keep those risks at an acceptable level. Set your teams up for success in analyzing risk levels with upskilling from Coursera for Business.

Enable your employees to analyze and interpret data to drive faster, better business decisions with the Data & Analytics Academy on Coursera. Offering hands-on learning and expert instruction from leading organizations like Stanford, Google, Microsoft, Meta, the University of Michigan, and more, Coursera’s Data & Analytics Academy empowers employees at every level to build foundational data literacy while also equipping existing data teams with expert-level training in machine learning, AI, and other emergent fields. Explore Coursera for Business to learn how we can work together to build data proficiency across your organization.