2.1 Defining the Concept of Operational Risk

A “risk” is defined by ISO 31000:2009 as “the effect of uncertainties on (achieving) objectives” [1]. Our world can indeed not be perfectly predicted and life and businesses are always exposed to uncertainties, which have an influence on whether objectives will be reached or not. Risks are double-sided: we call them negative risks if the outcome is negative, and positive risks if the outcome is positive. It is straightforward that organizations should manage risks in a way that minimizes the negative outcomes and maximizes the positive outcomes. Such management is called risk management RM) and contains, among other things, a process of risk identification, analysis, evaluation, prioritization, handling, and monitoring (see, e.g., Meyer and Reniers [2]), aimed at controlling all existing risks, whether known or not, and whether they are positive or negative. In this book, to make it workable, “operational risks” are assumed to arise from involuntary undesirable events within an organizational context. The rest of the book will thus be concerned with taking decisions regarding the management of these undesirable events and thereby considering economics-related issues.

The adoption of consistent risk management processes within a comprehensive framework can help to ensure that all types and amounts of risk are managed effectively, efficiently, and coherently across an organization. ...