Operational risk is the danger of loss from failed processes, people, systems, or external events — fraud, IT outages, cyberattacks, human error, and more. As banking has digitised, cyber risk has become one of the most serious operational threats, capable of disrupting services and eroding trust in hours.
Not every bank loss comes from bad loans or rate moves — many come from things going wrong internally. Operational risk covers everything from a rogue employee to a ransomware attack to a botched system migration. As banks become technology companies that happen to hold money, cyber risk has surged to the front of this category. This guide explains operational and cyber risk and how banks manage them.
What is operational risk?
The risk of loss from inadequate or failed internal processes, people, and systems, or from external events — including fraud, errors, outages, and cyberattacks.
Why does cyber risk dominate now?
Because banking is digital; a cyberattack can disrupt services, steal data or funds, and damage trust faster and at greater scale than most traditional operational failures.
How is it managed?
Through controls, redundancy, security, testing, staff training, incident response, business continuity planning, and capital held against operational losses.
What is operational risk?
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. Unlike credit or market risk, which come from taking deliberate financial positions, operational risk is largely the risk of things going wrong in running the business. It spans a huge range: internal and external fraud, processing errors, system failures, legal and compliance breaches, physical disasters, and increasingly, cyberattacks. It is pervasive, hard to eliminate, and present in every activity a bank undertakes.
Operational risk is now formally recognised in capital rules and sits alongside credit and market risk in the framework covered across our banking hub.
What are the main categories of operational risk?
Operational risk is usually broken into categories: fraud, both internal (by staff) and external (by criminals); process failures, such as errors in execution, settlement, or record-keeping; system failures, including IT outages and technology breakdowns; people risks, from human error to misconduct to key-person dependence; legal and compliance failures, including breaches that bring fines and litigation; and external events, ranging from natural disasters to cyberattacks, which are now the most important of these. Each category demands its own controls, but all share the feature that the loss comes from operations rather than from financial market or credit exposure.
Why has cyber risk become so critical?
Banking now runs on technology and data, making cyber risk one of the most serious threats a bank faces. A successful cyberattack can steal customer data, drain funds, disrupt critical services, or hold systems to ransom — and unlike many operational failures, it can do so at scale and at speed, affecting millions of customers in hours. The threat is constant and evolving, with sophisticated criminal and even state-sponsored attackers. The interconnectedness of the financial system also means a cyberattack on one institution or a shared service can ripple outward, making cyber risk a systemic as well as an individual concern.
How do banks manage operational and cyber risk?
Banks manage operational risk through layered controls: robust processes with checks and segregation of duties to prevent fraud and error; resilient, redundant systems to withstand failures; strong cybersecurity — encryption, access controls, monitoring, and defence against intrusion; rigorous testing of changes; staff training and a culture of risk awareness; and clear incident-response and business-continuity plans for when something does go wrong. They also hold regulatory capital against operational losses. The aim is both to reduce the likelihood of incidents and to limit the damage and recover quickly when they occur, because no amount of prevention makes operational risk zero.
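One of the process controls named above, segregation of duties, is usually implemented as a maker-checker (four-eyes) rule: the person who enters a payment may not approve it, and larger payments need more than one independent approver. The following is an added example, not code from the original article or from any bank's system; the user directory, the approval threshold and the batch of payments are constructed for illustration.

```python
"""Maker-checker control for payment release (added example, not from the article).

Rules enforced, all assumptions for illustration:
  - the maker (who entered the payment) may not approve it;
  - an approver counts only once;
  - approvers must be known users;
  - payments at or above DUAL_APPROVAL_THRESHOLD need two independent approvers.
"""
from dataclasses import dataclass, field

# Constructed user directory: user -> team (assumption, not real data).
USERS = {"alice": "ops", "bob": "ops", "carol": "treasury", "dave": "ops"}

# Constructed threshold above which two independent approvals are required.
DUAL_APPROVAL_THRESHOLD = 100_000


@dataclass
class Payment:
    ref: str
    amount: float
    maker: str                       # user who entered the payment
    approvers: list = field(default_factory=list)


def check_release(p: Payment) -> list:
    """Return the control violations for one payment; an empty list allows release."""
    violations = []
    approvers = list(p.approvers)
    if p.maker in approvers:
        violations.append("maker approved own payment")
    if len(set(approvers)) != len(approvers):
        violations.append("duplicate approver")
    for a in approvers:
        if a not in USERS:
            violations.append(f"unknown approver: {a}")
    required = 2 if p.amount >= DUAL_APPROVAL_THRESHOLD else 1
    # Only known users other than the maker count as independent approvals.
    independent = {a for a in approvers if a in USERS and a != p.maker}
    if len(independent) < required:
        violations.append(
            f"needs {required} independent approver(s), has {len(independent)}"
        )
    return violations


def review_batch(payments) -> dict:
    """Map each payment reference to its list of violations."""
    return {p.ref: check_release(p) for p in payments}


def demo_batch() -> list:
    """Constructed payment batch covering the normal case and each violation."""
    return [
        Payment("P1", 25_000, "alice", ["bob"]),             # clean
        Payment("P2", 40_000, "alice", ["alice"]),           # self-approval
        Payment("P3", 250_000, "bob", ["carol"]),            # one approver, needs two
        Payment("P4", 250_000, "bob", ["carol", "dave"]),    # clean dual approval
        Payment("P5", 250_000, "bob", ["carol", "carol"]),   # same approver twice
        Payment("P6", 10_000, "dave", ["mallory"]),          # approver not in directory
    ]


if __name__ == "__main__":
    for ref, problems in review_batch(demo_batch()).items():
        print(ref, "RELEASE" if not problems else "HOLD: " + "; ".join(problems))
```

The point of returning the full list of violations rather than a single yes/no is that the rejected payments become evidence for the loss-data and key-risk-indicator processes described later on this page: a rising count of self-approval attempts is itself a signal worth tracking.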
What is operational resilience?
Regulators increasingly emphasise operational resilience — not just preventing incidents but ensuring the bank can keep delivering critical services through disruption and recover quickly. This shifts the focus from ‘stop everything bad’ (impossible) to ‘survive and continue when bad things happen’ (achievable). Banks must identify their most important business services, set tolerances for how much disruption is acceptable, and prove they can stay within those tolerances even under severe but plausible scenarios like a major cyberattack or system failure. Operational resilience accepts that incidents will occur and demands the bank be built to withstand them.
How do banks handle third-party and outsourcing risk?
Banks rely heavily on third parties — cloud providers, software vendors, payment processors — which extends operational and cyber risk beyond the bank’s own walls. A failure or breach at a critical supplier can disrupt the bank as surely as an internal one, and concentration on a few major providers creates systemic exposure. Banks manage this through due diligence on suppliers, contractual controls, monitoring, and contingency plans for supplier failure. Regulators scrutinise outsourcing arrangements closely, because the bank remains responsible for services even when it relies on third parties to deliver them. Managing the extended supply chain is now a central part of operational risk.
How do banks measure and model operational risk?
Operational risk is harder to quantify than credit or market risk because it does not arise from measurable financial positions. Banks approach it through several methods: collecting loss data on past operational incidents to understand frequency and severity; risk and control self-assessments, where business units identify their operational risks and the controls against them; key risk indicators that signal rising risk; and scenario analysis of severe but plausible operational events, such as a major cyberattack or fraud. These feed both the management of operational risk and the calculation of capital held against it. The challenge is that the most damaging operational events — a catastrophic cyber breach, a massive fraud — are rare, so historical data may not capture the true tail risk, requiring judgement and scenario thinking alongside the numbers.
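To make the frequency-and-severity idea concrete, here is an added example of the loss-distribution approach that banks have used for internal operational-risk modelling: annual loss counts drawn from a Poisson distribution, individual loss amounts from a heavy-tailed lognormal, aggregated by Monte Carlo, with capital read off the 99.9th percentile of the simulated annual total. This code is not from the original article or from any regulatory formula; the choice of distributions, the parameters and the added "scenario" loss are assumptions, and the numbers are constructed, not real bank data. It also shows the tail point made above: one judgemental scenario can move the 99.9th percentile far more than it moves the average.

```python
"""Loss-distribution simulation of annual operational losses (added example).

Assumptions (not from the article): losses per year ~ Poisson(lam); each loss
~ lognormal(mu, sigma); optional scenarios are (probability, amount) pairs
added on top to represent severe-but-rare events that history may not contain.
Uses only the standard library so it runs anywhere.
"""
import math
import random
import statistics


def poisson(lam: float, rng: random.Random) -> int:
    """Number of events in one year, Knuth's method (fine for lam up to ~50)."""
    limit = math.exp(-lam)
    k, p = 0, 1.0
    while True:
        p *= rng.random()
        if p <= limit:
            return k
        k += 1


def simulate_annual_losses(lam, mu, sigma, years, seed=7, scenarios=()):
    """Return a list of simulated annual total losses."""
    rng = random.Random(seed)
    totals = []
    for _ in range(years):
        n = poisson(lam, rng)
        total = sum(rng.lognormvariate(mu, sigma) for _ in range(n))
        for prob, amount in scenarios:          # judgemental tail events
            if rng.random() < prob:
                total += amount
        totals.append(total)
    return totals


def percentile(values, q):
    """Empirical q-quantile (0 < q <= 1) of a list of values."""
    s = sorted(values)
    idx = min(len(s) - 1, int(math.ceil(q * len(s))) - 1)
    return s[max(idx, 0)]


def capital_summary(totals) -> dict:
    """Expected loss, 99% and 99.9% annual loss, and the gap capital would cover."""
    expected = statistics.fmean(totals)
    var_999 = percentile(totals, 0.999)
    return {
        "expected_loss": expected,
        "var_99": percentile(totals, 0.99),
        "var_999": var_999,
        "unexpected_loss": var_999 - expected,   # the part capital is held against
    }


def run_demo(years=20_000, seed=7) -> dict:
    """Constructed parameters: 20 losses a year, median loss 50k, heavy tail."""
    lam, mu, sigma = 20, math.log(50_000), 1.5
    theory = lam * math.exp(mu + sigma ** 2 / 2)   # analytic expected annual loss
    base = capital_summary(simulate_annual_losses(lam, mu, sigma, years, seed))
    # One scenario: a 1-in-100-year event costing 50M (constructed assumption).
    stressed = capital_summary(
        simulate_annual_losses(lam, mu, sigma, years, seed, scenarios=[(0.01, 50_000_000)])
    )
    return {"theory_expected": theory, "base": base, "with_scenario": stressed}


if __name__ == "__main__":
    out = run_demo()
    for label in ("base", "with_scenario"):
        s = out[label]
        print(f"{label:14s} expected={s['expected_loss']:,.0f}  "
              f"99%={s['var_99']:,.0f}  99.9%={s['var_999']:,.0f}  "
              f"unexpected={s['unexpected_loss']:,.0f}")
```

Running it shows the simulated expected loss landing close to the analytic value while the 99.9th percentile is many times larger, and the single added scenario barely changes the expected loss but raises the 99.9th percentile to at least the scenario amount. That gap between average and tail is exactly why the text says historical data alone understates tail risk.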
What are the most damaging types of operational loss?
While most operational incidents are small and frequent — minor errors, isolated fraud — the danger lies in the rare, severe events. Large-scale internal fraud or rogue trading can inflict massive losses. Major conduct and compliance failures have cost banks enormous penalties, sometimes among the largest losses they have ever suffered. Severe cyberattacks can disrupt services, expose millions of customers’ data, and erode trust at scale. Critical system failures can halt operations and payments. These tail events, though rare, can dwarf years of routine operational losses and even threaten a bank’s viability or reputation. This is why banks focus heavily on preventing and limiting the severe-but-rare events, not just managing the high-frequency, low-impact ones, and why capital is held against the possibility of a catastrophic operational loss.
How is the cyber threat landscape evolving for banks?
The cyber threat facing banks intensifies continuously. Attackers range from opportunistic criminals to organised crime groups and state-sponsored actors, using ever more sophisticated techniques: ransomware, social engineering, supply-chain attacks, and exploitation of new technologies. As banks digitise further, adopt cloud services, and connect through open banking and APIs, the attack surface grows. Criminals also exploit the human element, targeting staff and customers through phishing and fraud. Meanwhile, the interconnectedness of the financial system means an attack on a shared service or major provider could affect many institutions at once. Banks respond with constantly evolving defences, threat intelligence, and resilience planning, but it is an ongoing arms race: the threat never stands still, staying ahead requires continuous investment, and a single major breach can be devastating.
Why is operational risk now central to bank capital and supervision?
Operational risk was historically a secondary concern behind credit and market risk, but a series of large operational losses — major frauds, enormous conduct penalties, and damaging cyber incidents — pushed it to the forefront. It is now formally included in the capital framework, requiring banks to hold capital specifically against operational losses, and supervisors scrutinise operational risk management and resilience closely. The recognition reflects reality: in a digitised, heavily regulated banking world, the risk of a catastrophic operational or cyber event is as real a threat to a bank’s survival as a wave of loan defaults. This elevation of operational risk to equal standing with the traditional financial risks is one of the significant shifts in how bank risk and capital are now understood and managed.
How do banks build a strong operational risk culture?
Technology and controls matter, but operational risk is ultimately managed by people, so culture is decisive. A strong operational risk culture is one where staff understand the risks in their work, follow controls rather than bypassing them for convenience, feel able to report errors and near-misses without fear, and treat risk management as everyone’s responsibility rather than a compliance department’s job. This is built through clear accountability, training, leadership that visibly prioritises doing things safely over doing them fast, and incentives that do not reward cutting corners. Many operational failures — fraud that went unchallenged, errors that were hidden, warnings that were ignored — trace to weak culture rather than absent controls. A bank where people genuinely care about operating safely catches problems early; one where they do not eventually suffers an incident that the best technical controls could not prevent.
What is the systemic dimension of cyber and operational risk?
Operational and cyber risk are increasingly systemic, not just individual, concerns. The financial system depends on shared infrastructure — payment systems, clearing houses, and a small number of major technology and cloud providers — so a severe operational failure or cyberattack on a critical shared service could disrupt many institutions at once. A successful attack on a key piece of market infrastructure could halt payments or trading across the system. Concentration on a few dominant cloud and technology providers means a single major outage or breach could ripple widely. Regulators now treat operational resilience and cyber security as financial-stability issues, requiring critical institutions and infrastructures to be robust and conducting system-wide exercises to test responses. This systemic lens reflects the reality that in a digitised, interconnected financial system, an operational or cyber event at one critical node can threaten the stability of the whole, making it a concern far beyond any single bank.
Frequently Asked Questions
How is operational risk different from credit or market risk?
Credit and market risk come from deliberate financial positions; operational risk comes from things going wrong in running the business — fraud, errors, system failures, and external events.
Why do banks hold capital against operational risk?
Because operational losses — large fraud, major fines, severe cyber incidents — can be substantial. Capital provides a buffer to absorb them, just as it does for credit losses.
Can banks eliminate cyber risk?
No. They can reduce and manage it through strong security and resilience, but the threat is constant and evolving. The goal is to lower likelihood and limit and recover from incidents.
What is operational resilience?
The ability to keep delivering critical services through disruption and recover quickly, rather than merely trying to prevent all incidents, which is impossible.
Discover more from Kurums | Business Intelligence