The Basel guidelines are the gold standard when it comes to identifying and managing operational risks. This is the reason why every organization tries to align its risk management practices with those recommended by the Bank of International Settlements. The guidelines provided are quite exhaustive.

The Bank of International Settlements has recommended that every operational risk can be classified into one of the seven categories.

In this article, we will have a closer look at those seven categories as well as how this categorization helps in better risk management.

1. Internal Fraud: The first and most obvious cause of operational risk is internal fraud. This means that at least one internal party may conspire with other internal or external parties in order to intentionally cause loss to the organization. There are several motives behind internal fraud.

   For instance, an internal party may intentionally want to misappropriate property owned by the company. In other cases, they can simply be taking more risks by trying to circumvent the systems which have been built.

2. External Fraud: Companies have to deal with a wide variety of third parties. It is possible that some of these third parties may not have the intention of having a fair and honest deal with the company.

   Instead, they may intend to defraud the company by swindling money from them or by getting the company to break the law. In such cases, there are no internal parties involved in the fraudulent activity.

3. Employment Practices and Workplace Safety: Workplace lawsuits such as those based on non-adherence of laws regarding gender or ethnic diversity can be put in this category.

   The company may not have condoned the behavior of its erring employee. However, it will be held responsible and may have to pay monetary damages.

   Companies may also have operational risks arising from non-compliance with policies regarding the health and safety of workers.

   As a result, they may have to pay damages to the injured or otherwise aggrieved personnel.

4. Clients, Products, and Business Practices: A company may face operational risk because of the clients it chooses to work with.

   For instance, consulting companies like Arthur Andersen were penalized for fraud when their employees were found to be in cahoots with the perpetrators of the Enron fraud.

   Similarly, a company may have to face operational risk because of non-compliance with its duties towards the client.

   Investment banks have been penalized for wrongfully advising their clients to buy certain securities when they were themselves in the process of selling out those securities.

   Companies manufacturing products may also face lawsuits if they sell defective products which do not work as intended.

5. Losses to Physical Assets: Organizations all over the world spend a lot of money on creating physical assets. Companies have to spend money in order to build factories, buy machinery, vehicles, or other assets that may be required by their business.

   However, these assets may get destroyed in riots, terrorist attacks, or even acts of God.

   Since building these assets requires a significant capital outlay, the losses may also be significant. This is the reason why effective operational risk management is necessary in such cases.

   It is important to note that physical information technology assets such as servers and computers are also included in this category even though there is a separate category for physical assets.

6. Business Disruption: Organizations all over the world have become global in nature. This has been made possible by technology which has been an enabling factor. It is important to realize that since the business is driven by technology, it can also be disrupted by technology.

   If a company faces any outage or data theft that arises because of the improper functioning of its business systems, it could face severe losses. These losses could be related to lost business revenue. However, they could also be related to lawsuits that may arise because of the data which has been compromised.

7. Delivery and Process Management: Companies may also face operational risks because they may not be able to follow through on the promises that they have made in their contracts.

   For instance, a company may be under obligation to manufacture and deliver a certain quantity of goods.

   However, it may not be able to follow through on its promise because of the inability to procure raw material because of a labor strike.

   Alternatively, it may have wrongly estimated the time required to complete the task and may have overcommitted. This too can lead to losses in the form of fines, penalties, demurrages, and lost reputation. It is for this reason that these scenarios should also be included in the list of operational risks and attempts should be made to avoid them or mitigate them if they do arise.

   This framework is extremely useful for companies trying to identify their operational risks. Since all risks can be classified in these seven buckets, they serve as the topic for brainstorming.

   Also, this makes the risk identification process standardized across companies.