How operational risk management works

Operational risk management identifies and controls business risks. The Basel Committee defines it as loss from failed processes, and Verizon research shows 60 percent of breaches involve human actions.


Summary

  • Three levels of risk management - In-depth (thorough planning for new projects), deliberate (routine safety checks during lifecycle), and time-critical (urgent assessment during operational changes)
  • Four-stage methodology - Risk identification with input from all organizational levels, assessment using quantitative and qualitative factors, measurement and mitigation through controls, and ongoing monitoring to ensure solutions remain effective
  • AI won’t save broken risk processes - Automating a poorly defined risk workflow just produces faster failures, so define your process first
  • Need help building risk management workflows? See how Tallyfy tracks processes and automates controls

Every business faces risks. That’s not controversial. Honestly, what’s controversial is how few organizations manage those risks with anything resembling a real system. Most of them rely on messy spreadsheets, tribal knowledge, and the hope that nothing goes sideways during an audit.

I’ve spent over a decade building Tallyfy, and risk is a topic that shows up constantly in discussions we’ve had with operations teams - especially in financial services, which makes up about 17% of our implementations. The pattern I keep seeing? People know they need risk management. They just don’t know where to start.

The Basel Committee on Banking Supervision defines operational risk as “the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events.” That covers a lot of ground - business continuity plans, environmental risk, crisis management, IT failures, people-related risks, and everything in between.

And all of that needs to be managed. The question is how.

Why bother with operational risk management

Let me be blunt. If you’re running a business without some form of structured risk management, you’re gambling. Maybe you’ve been lucky so far. Luck runs out. Can you just wing it? Not for long.

The FDIC has noted that operational risk isn’t new - it’s existed since the inception of banking. But what’s changed is the complexity. Digital systems, remote work, AI tools, third-party vendors - every layer adds new failure modes.

Here’s what a structured approach to operational risk management gives you:

  • Better reliability in day-to-day operations
  • Stronger decision-making when risks show up
  • Fewer losses from risks nobody bothered to identify
  • Earlier detection of fraud and unlawful activities
  • Lower compliance costs over time
  • Less damage when things do go wrong

In feedback we’ve received from teams in regulated industries, the organizations that take risk management seriously don’t just survive audits. They spend less time preparing for them. What used to be a multi-week scramble becomes a straightforward verification process, because the controls are already documented and running.

That last point is worth sitting with, even if it's a bit reductive: the cost of risk management isn't really the cost of doing it. It's the cost of not doing it.

Three levels you need to understand

Not every risk situation demands the same response. The US Navy (of all places) figured this out decades ago, and their framework is worth borrowing. There are three levels of operational risk management, and picking the right one matters:

In-depth is the gold standard. You take the time to plan thoroughly before launching a new project or business venture. Staff training, new policies, new procedures - everything gets documented and tested. In an ideal world, you’d do this for everything. We don’t live in an ideal world.

Deliberate is the middle ground. Routine safety checks, performance reviews, periodic assessments during the life cycle of a project or business operation. It’s not glamorous work, mind you, but it catches problems before they become disasters.

Time-critical is exactly what it sounds like. You’re in the middle of operational change, and you’ve got limited time to assess risks before consequences start hitting. The Navy’s framework for this is simple: assess the situation, balance your resources, communicate risks and intentions, then do and debrief.

Most organizations I’ve talked to default to time-critical mode for everything. Turns out, that’s backwards. You should be spending most of your effort on in-depth and deliberate risk management so that time-critical situations are rare.

Four stages that matter

Whatever level you’re operating at, the actual process of managing operational risk follows four stages. Skip any of them and the whole thing falls apart.

Risk identification comes first. This sounds obvious, but it’s where most organizations stumble. You need input from every level of the business - the risks that floor staff see are completely different from boardroom risks, and both are real. IBM estimates that operational risk spans everything from data breaches to system failures, and the only way to find them all is to ask broadly.

Risk assessment is where you figure out which risks matter most. This requires both quantitative thinking (how likely is this? how expensive?) and qualitative judgment (how would this affect our reputation? our people?). The assessment drives prioritization. You can’t fix everything at once, so you need to know what to fix first.

Measurement and mitigation is where controls get built. This is where Tallyfy tends to come into the picture for many teams, because risk controls need to be repeatable, trackable workflows - not one-off actions that someone might forget. You’re putting systems in place that limit exposure and reduce potential damage.

Monitoring and reporting closes the loop. Whatever you put in place needs ongoing verification. Are the controls working? Are new risks emerging? This isn’t a one-and-done exercise. McKinsey’s research on intelligent automation makes the point that most organizations lack the infrastructure for continuous monitoring - they manage risk in fragmented, periodic bursts instead of as a living process. Which is a bit nuts, when you think about it.
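The four stages above can be made concrete as a small risk register. The following is an added example, not Tallyfy's software or any framework's official scoring method: it assumes a 1-5 likelihood and impact scale, an assumed control "effectiveness" fraction, and a 90-day verification window, and the register entries are constructed sample data. Its point is the monitoring stage: a control nobody has verified recently is treated as if it were not there, so a low-scoring risk can climb to the top of the priority list when its only control has gone stale.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# Assumed scales for this example (not a standard): likelihood and impact 1..5,
# control effectiveness 0.0 (does nothing) .. 1.0 (eliminates the risk).
MAX_CONTROL_AGE_DAYS = 90  # assumed monitoring cadence
AS_OF = date(2025, 6, 30)  # constructed "today" for the sample register


@dataclass
class Control:
    name: str
    effectiveness: float
    last_verified: date  # when someone last confirmed the control actually works


@dataclass
class Risk:
    name: str
    likelihood: int
    impact: int
    controls: list[Control] = field(default_factory=list)

    def inherent_score(self) -> int:
        # Stage 2 (assessment): quantitative score before any controls.
        return self.likelihood * self.impact

    def stale_controls(self, today: date, max_age_days: int = MAX_CONTROL_AGE_DAYS) -> list[str]:
        # Stage 4 (monitoring): controls whose verification evidence is too old.
        return [c.name for c in self.controls if (today - c.last_verified).days > max_age_days]

    def residual_score(self, today: date, max_age_days: int = MAX_CONTROL_AGE_DAYS) -> float:
        # Stage 3 (mitigation): each verified control removes a fraction of the
        # remaining exposure. Stale controls are ignored, i.e. treated as absent.
        stale = set(self.stale_controls(today, max_age_days))
        remaining = 1.0
        for c in self.controls:
            if c.name not in stale:
                remaining *= 1.0 - c.effectiveness
        return round(self.inherent_score() * remaining, 2)


def prioritize(register: list[Risk], today: date) -> list[Risk]:
    # Highest residual exposure first: this is what gets fixed first.
    return sorted(register, key=lambda r: r.residual_score(today), reverse=True)


def report(register: list[Risk], today: date) -> list[tuple[str, int, float, list[str]]]:
    # One row per risk: name, inherent score, residual score, stale controls.
    return [(r.name, r.inherent_score(), r.residual_score(today), r.stale_controls(today))
            for r in prioritize(register, today)]


# Stage 1 (identification): a constructed sample register, not real data.
SAMPLE_REGISTER = [
    Risk("Vendor software update crashes scheduling system", likelihood=3, impact=5, controls=[
        Control("Staged rollout of vendor updates", 0.6, date(2025, 6, 10)),
        Control("Tested rollback procedure", 0.5, date(2024, 12, 12)),  # 200 days old
    ]),
    Risk("Staff credential misuse", likelihood=4, impact=3, controls=[
        Control("MFA on all staff accounts", 0.7, date(2025, 6, 20)),
    ]),
    Risk("Data centre power loss", likelihood=2, impact=4, controls=[
        Control("UPS and generator failover", 0.5, date(2025, 3, 22)),  # 100 days old
    ]),
]

if __name__ == "__main__":
    for name, inherent, residual, stale in report(SAMPLE_REGISTER, AS_OF):
        flag = f"  STALE: {', '.join(stale)}" if stale else ""
        print(f"{residual:5.2f} (inherent {inherent:2d})  {name}{flag}")
```

Run as-is, the power-loss risk, which has the lowest inherent score, comes out on top because its only control has not been verified inside the window, while the vendor-update risk keeps only the control that was recently checked. That is the behaviour the monitoring stage exists to surface: a control that was never re-verified is a claim, not a control.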

Here’s something that drives me a little crazy. Everyone’s rushing to throw AI at their risk management - AI-powered monitoring, AI-driven assessments, AI everything. But KPMG’s research on AI in risk management points to a truth most vendors won’t tell you: if your underlying risk process is broken, AI just makes it break faster and at larger scale. An AI model trained on bad risk data produces bad risk assessments - just more of them, more quickly. The pattern we keep running into is teams buying expensive AI risk tools before they’ve even mapped out who does what when a risk event fires.

This is the mega trend I keep coming back to. AI doesn’t redesign your process. It runs it at 10x speed, flaws included. Before you automate anything, you need to define what “good” looks like - what’s the workflow, who’s responsible at each step, what triggers an escalation, what gets documented and where. At Tallyfy, we’ve built our entire approach around this principle - document the process first, track it in real-time, and only then think about automation.

We’ve observed that operations teams who nail down their risk management workflows before adding any technology end up with dramatically better outcomes than those who buy fancy tools and hope for the best. The technology should serve the process. Not the other way around.

Getting the governance right

The FDIC observed something telling after the 2008 financial crisis and the bank failures of 2023: institutions with poor corporate governance and risk management practices were more likely to fail. Not “slightly more likely.” Significantly more likely.

We got this wrong at first. We assumed teams would naturally layer governance on top of their workflows. What showed up again and again during onboarding calls is that teams who skip the governance structure end up rebuilding their risk workflows from scratch within six months. Good governance for operational risk management means a few things:

Your board or leadership team needs to own risk culture. Not delegate it. Own it. The Basel Committee’s principles are clear on this - the board should establish and regularly review core risk policies, and senior management should build that into how the organization actually works.

You need a three-lines-of-defense approach. Business units own their risks (first line). Risk management and compliance functions provide oversight (second line). Internal audit provides independent assurance (third line). This isn’t just banking jargon - it applies to any organization that takes risk seriously.

Written policies matter more than you think. I’m probably biased here since Tallyfy exists to turn policies into trackable workflows, but the organizations that struggle most with governance, risk, and compliance are the ones where policies live in binders nobody reads. If your risk controls aren’t embedded in the actual work people do every day, they’re decorative. Does that count as risk management? No.


Real failures worth learning from

Theory is nice. Examples are better.

Delta Air Lines lost over $500 million in 2024 when a vendor software update crashed their crew-tracking systems, canceling 800+ flights. That’s an operational risk failure - not in their core business, but in a system they depended on. The risk was real, it was identifiable in advance, and it could have been mitigated with better vendor management workflows.

JPMorgan Chase’s “London Whale” incident in 2012, involving trader Bruno Iksil, is another textbook case. Flawed risk processes and detection system failures led to massive trading losses. The risk management process itself was the problem.

The 2025 Verizon Data Breach Investigations Report found that 60% of breaches involved human actions - mistakes, credential misuse, or malicious intent. Not sophisticated hacking. People following broken processes, or no process at all.

Every one of these was preventable. Not with better technology. With better processes.

What to do next

The US Department of Defense boiled operational risk management down to four principles:

  • Accept risk when benefits outweigh the cost
  • Accept no unnecessary risk
  • Anticipate and manage risk by planning
  • Make risk decisions at the right level

Simple. Not easy, but simple.

If you’re starting from scratch, pick one area of your business where risk keeps you up at night. Map the process. Identify what could go wrong. Build controls into the workflow. Monitor whether those controls are working. Then move on to the next area.

In discussions we’ve had with compliance officers at investment management firms, we hear repeatedly that the hardest part isn’t building the risk framework. It’s maintaining it. That’s where having your risk management workflows in a system like Tallyfy - where steps are tracked, deadlines are enforced, and nothing falls through the cracks - makes the difference between a framework that works and one that slowly rots in a shared drive somewhere.

Don’t wait for a crisis to take this seriously. By then, you’re already in time-critical mode, and your options are limited.

About the Author

Amit is the CEO of Tallyfy. He is a workflow expert and specializes in process automation and the next generation of business process management in the post-flowchart age. He has decades of consulting experience in task and workflow automation, continuous improvement (all the flavors) and AI-driven workflows for small and large companies. Amit did a Computer Science degree at the University of Bath and moved from the UK to St. Louis, MO in 2014. He loves watching American robins and their nesting behaviors!
