By Penny Cagan, Part-Time Lecturer in the Enterprise Risk Management Program, School of Professional Studies
My career has mostly followed the trajectory of the emergence of operational risk as a formal discipline in financial institutions. It was a heady time around the year 2000 when I attended various forums dedicated to shaping the future of the discipline, including the critical task of defining and naming what was previously managed through the credit risk discipline.
The definition that the Basel Committee of the Bank of International Settlements decided upon was the following: “the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.” The definition gave an early indication of how broad and challenging it was to manage a firm’s end-to-end operational risks.
This was on the heels of the landmark Barings PLC event, when a rogue trader in Singapore managed to take down a 200-year-old bank. It was a moment when the industry and the global regulatory communities came together out of acknowledgment that this risk that was previously defined by what it wasn’t (“all other risks” that were not credit or market risk) was substantial enough to warrant its own definition, framework, and, with a lot of pushback from the banking community, regulatory capital charge. To give the discipline a name was an important development in establishing its credibility.
Eventually, in June 2004, the Basel II Framework was finalized by the Basel Committee on Banking Supervision, which introduced the Operational Risk Capital charge. This resulted in a more-than-two-decade dance between the banking and the regulatory communities concerning the amount of operational risk capital a bank would be required to put aside. But the overall impact was much more significant than regulatory capital—which was significant in its own right—as the management framework continued to evolve and influence many more sectors than solely banking. Today, many corporate-sector firms have established enterprise risk management functions that include the management of their operational risks because, first and foremost, they want to mitigate errors, operational vulnerabilities, and associated losses.
The discipline has grown from its humble beginnings of collecting internal bank losses to incorporate many subspecialties, including the risk management of technology, cyber, third parties, data, models, business continuity, fraud, people, customers, and transaction processing. There is no better place for a student of Columbia’s Enterprise Risk Management program to land than in an enterprise or specialty operational risk program.
We have come a long way, but there are still some misconceptions that plague the discipline. I have heard them all: “Operational risk methods, including risk assessments, are backward-looking and tell me what I already know. Operational is a back-office function that checks the box to meet regulatory requirements. Operational risk is less critical to a banking institution than the financial risk disciplines.” I would like to set the record straight and respond to some of the common misperceptions.
Operational Risk: Misperception vs. Reality
Misperception: Operational risk, unlike financial risk, is not a factor in a bank’s safety and soundness.
Reality: Operational risk directly impacts safety and soundness. Cyber, tech, fraud, and processing failures can destabilize an institution. Barings is a clear example. In addition, operational processes underlie many financial and regulatory risks.
Misperception: Operational risk management is solely driven by bank regulations.
Reality: Strong operational risk management protects a firm’s reputation and ability to mitigate recurrent losses. Corporates across sectors manage it to protect their reputation through enterprise risk management functions, and not just to meet regulatory demands.
Misperception: Operational risk management is a cost center with little added value.
Reality: When effective, operational risk management teams are strategic advisors and culture carriers promoting strong risk culture and helping the business operate with resiliency.
Misperception: Operational risk is difficult to measure.
Reality: It can be measured. A standard method is to link quantitative thresholds to qualitative risk appetite statements and monitor against them to manage exposures and set boundaries for accepting losses.
Misperception: Operational risk is backward-looking, focused on past loss events.
Reality: While collecting historical operational risk loss data is important, operational risk is very much a forward-looking discipline. Tools like scenario analysis, KRIs, peer loss reviews, and tracking industry trends help identify and articulate emerging risks.
Views and opinions expressed here are those of the authors and do not necessarily reflect the official position of Columbia School of Professional Studies or Columbia University.
About the Program
The Master of Science in Enterprise Risk Management (ERM) program at Columbia University prepares graduates to inform better risk-reward decisions by providing a complete, robust, and integrated picture of both upside and downside volatility across an entire enterprise.
Fall 2025 application deadlines for the M.S. in Enterprise Risk Management program are March 15, 2025, for applicants with international documents, and May 1, 2025, for the final deadline.