Operational risk is defined as the risk of loss arising from inadequate or failed internal processes, human errors, system failures or external events (BCBS, 2006). Unlike financial or credit risks, operational risk is directly related to the way an organization operates on a daily basis.
The characteristics of operational risk are as follows:
It is multidimensional: It can arise from people, processes, technology or external factors.
It is difficult to quantify: Compared with financial risks, it is hard to express precisely in monetary terms.
It is constantly evolving: Especially with the advancement of technology.
It can affect multiple areas: E.g., reputation, cost, legal issues.
Two important frameworks are used internationally for risk management:
ISO 31000 (2018): Provides general guidance for risk management in any organization. It emphasizes governance, leadership, and the integration of risk management into strategy and processes.
COSO ERM (2017): This framework focuses on integrating risk management into decision-making. It includes eight elements: internal environment, objective setting, event recognition, risk assessment, risk response, controls, information and communication, and monitoring.
Research on the Issue
Effective operational risk management requires a systematic, multi-disciplinary approach. The following areas are critical to reducing and addressing such risks.
The organization’s culture is a foundation for preventing operational risks. Management must create an environment where transparency, accountability, and proactive thinking are embedded at all levels (COSO, 2017). In the public sector, this is inextricably linked to the concept of accountability, while in the private sector it is linked to reputation and corporate responsibility.
The identification and assessment of operational risks is a key stage in the process. Tools such as risk matrices, heat maps and failure scenarios are used to assess the probability and impact of each risk. The public sector often implements such practices within the framework of national risk strategies, while the private sector integrates them into its business continuity management (ERM) strategy. The main concern of any management is to ensure the going concern, i.e. the uninterrupted continuation of the activity of the company or organization.
Control mechanisms are the “last line of defense” against operational risks. The structure of an effective internal control includes dual controls (segregation of duties), automated control systems through ERP and the monitoring of critical processes in real time.
In the public sector, Independent Audit Authorities (e.g. the Court of Auditors) and Internal Audit Units play a crucial role, while in the private sector, Audit Committees and the lines of defense are crucial for the management of operational risk in an organization. Risk management is one of the main pillars of Internal Audit.
IT risk management is equally crucial today. Digitalization entails new vulnerabilities. The implementation of IT security policies (e.g. ISO/IEC 27001), continuous system monitoring and staff training reduce the likelihood of cyberattacks. Especially in the public sector, where there is important citizen data and classified information, the protection of systems is crucial for safeguarding public trust.
Many operational risks arise from human errors. Continuous training of personnel in the organization’s internal policies, procedures and ethical values contributes to reducing errors and improving crisis management. Specifically, in the public sector, the need for human resource modernization is particularly acute, as there is a significant shortage of trained and specialized personnel, while in the private sector, many companies invest in compliance training and behavioral risk management programs to meet their current needs.
Relationships with external suppliers, contractors and partners can also introduce operational risks. Risks such as dependence on a single supplier, lack of transparency in contracts or non-compliance of third parties with legal requirements can create serious problems. The creation of a third-party evaluation framework, clear contractual commitments and continuous performance evaluation are good practices for both sectors.
Compliance with applicable legislation (tax, labor, environmental, etc.) and regulatory requirements is another key area of risk prevention. The operation of the office

