Study operational risk for CISI Risk in Financial Services, with a UK-specific reading frame built around the official chapter structure and exam weighting.
Operational risk is one of the most practical chapters on the paper because it turns process failure into financial-services judgement. The exam expects candidates to recognise that loss can arise from people, process, systems, external events, or third-party weakness, and that operational risk management is about control design, resilience, incident response, and learning, not just post-loss classification. The strongest answers connect incidents to framework weakness and then to a credible control response.
| Check | What matters |
|---|---|
| Official topic weighting | 15% |
| Core distinction under pressure | Separate the operational event from its downstream consequences, then choose the strongest framework, measurement, and control response. |
| Strongest use of this page | Read it before timed sets so failed processes, cyber events, outsourcing weakness, and conduct spillovers do not blur together. |
| UK note | Keep the UK frame active: operational resilience, outsourcing, incident reporting, conduct risk, three lines of defence, KRIs, scenario analysis, stress testing, and GBP when a monetary example is needed. |
The exam usually tests whether the candidate can move from event to framework. A payment failure, cyber incident, mis-booked trade, or weak outsourcing control may create reputational, conduct, or financial consequences, but the first task is to identify the operational root and decide how it should be governed.
It also tests whether you understand that measurement supports judgement. Loss data, scenarios, control assessments, KRIs, and self-assessment tools are useful only if they improve prevention, escalation, and resilience.
| Section | Main exam angle |
|---|---|
| Definitions of operational risk | If a loss follows people, process, systems, or external-event weakness, operational-risk framing is usually the starting point |
| Operational risk policy | If the question is about ownership, scope, or standards, policy and governance are central |
| Operational risk framework | If the issue is how the firm organises identification, monitoring, reporting, and challenge, think framework rather than one-off control |
| Operational risk identification | If the firm is trying to discover where failures may emerge, mapping, assessment, and event capture matter |
| Operational risk assessment and measurement | If metrics or loss data appear, ask what they actually tell management about exposure and control quality |
| Managing operational risk | If the stem asks what to do next, the answer usually lives in mitigation, resilience, escalation, or control redesign |
Operational risk is usually framed around loss arising from inadequate or failed internal processes, people, systems, or external events. At the level of this paper, the exam uses that definition to build boundary discipline: the candidate should not mistake every loss for credit or market risk when the primary cause is process failure.
Conduct consequences can sit beside operational loss. That is why stronger answers often classify the root cause as operational while acknowledging that the wider impact may reach customers, regulators, or reputation.
Policy matters because it sets scope, accountabilities, escalation expectations, and baseline control standards. A strong operational-risk policy is not a glossary document. It tells the business what must be identified, recorded, reported, challenged, and remediated.
Questions here often test ownership. If responsibility is unclear between business lines, risk, compliance, and internal audit, the framework will weaken even before an event occurs.
The framework turns policy into working control architecture. It may include risk and control self-assessment, incident capture, KRIs, scenario analysis, governance committees, reporting, and challenge by second-line functions.
The exam usually rewards answers that treat operational risk as recurring management discipline rather than as an annual review exercise. The framework exists to support identification, escalation, and remediation before losses become systemic or customer-harming.
Identification tools matter because firms need to know where errors or disruptions are most likely. Process mapping, issue logs, incident histories, control reviews, vendor assessments, and change programmes all help expose weak points.
Third-party and technology dependencies are common themes. A firm can believe a control has been outsourced when in reality only the task has moved and the accountability remains.
Measurement helps management decide where attention is needed most. Loss-event data, near-miss analysis, KRIs, scenarios, and control scoring all provide different forms of evidence. None of them is perfect in isolation.
The stronger answer normally knows what the metric is for. A KRI is not the same as a loss record. A scenario is not the same as historical evidence. A near-miss can be valuable because it reveals latent weakness before a full loss crystallises.
Management includes mitigation, control redesign, incident response, business continuity, lessons learned, and governance escalation. The exam often tests whether the candidate knows that fixing the visible event is not enough if the root cause remains.
Operational resilience overlaps strongly here. A firm may not be able to stop every disruption, but it should be able to identify important services, understand dependencies, and respond in a way that limits intolerable harm.
```mermaid
flowchart TD
A["Operational event or near miss"] --> B["Root-cause identification"]
B --> C["Control and policy assessment"]
C --> D["Measurement through losses, KRIs, and scenarios"]
D --> E["Escalation and remediation"]
E --> F["Resilience improvement and monitoring"]
```
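The event-to-escalation chain above, as an added example that is not CISI material or part of the original page: a small Python model of an incident register that records each event by its operational root cause (keeping conduct or reputational consequences as separate attributes), refuses records that blur a near miss with a crystallised loss, aggregates GBP losses and near-miss counts, and rates a handful of KRIs against amber and red thresholds to produce an escalation recommendation. The event records, KRI names, threshold values and escalation wording are constructed assumptions for illustration; the £2.4 million third-party figure is taken from the worked question below.

```python
"""Operational-risk incident register: root cause, measurement, KRI rating, escalation.

Illustrative code added to this study page; not CISI material. Every record,
threshold and KRI definition is a constructed assumption.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Root-cause categories from the standard operational-risk definition
# (people, process, systems, external events); third-party weakness is
# tracked separately because outsourcing accountability is a recurring theme.
ROOT_CAUSES = frozenset({"people", "process", "systems", "external", "third_party"})


@dataclass(frozen=True)
class Event:
    event_id: str
    root_cause: str          # operational origin, never the downstream consequence
    gross_loss_gbp: float    # 0.0 for a near miss
    near_miss: bool = False
    consequences: tuple = () # e.g. ("conduct", "reputational"); recorded, not used to classify


def validate_event(e: Event) -> None:
    """Reject records that break the boundary discipline the framework relies on."""
    if e.root_cause not in ROOT_CAUSES:
        raise ValueError(f"{e.event_id}: unknown root cause {e.root_cause!r}")
    if e.gross_loss_gbp < 0:
        raise ValueError(f"{e.event_id}: gross loss cannot be negative")
    if e.near_miss and e.gross_loss_gbp != 0:
        raise ValueError(f"{e.event_id}: a near miss carries no crystallised loss")


# Constructed sample register (assumption: a few months at a small UK wealth manager).
SAMPLE_EVENTS = [
    Event("OR-001", "third_party", 2_400_000.0, consequences=("conduct", "reputational")),
    Event("OR-002", "process", 15_000.0, consequences=("financial",)),
    Event("OR-003", "systems", 0.0, near_miss=True),
    Event("OR-004", "systems", 0.0, near_miss=True),
    Event("OR-005", "people", 8_500.0, consequences=("conduct",)),
    Event("OR-006", "third_party", 60_000.0),
]


def aggregate_losses(events):
    """Crystallised GBP loss per root cause; near misses contribute nothing."""
    totals = defaultdict(float)
    for e in events:
        validate_event(e)
        if not e.near_miss:
            totals[e.root_cause] += e.gross_loss_gbp
    return dict(totals)


def near_miss_counts(events):
    """Near misses per root cause: latent weakness that has not yet produced a loss."""
    for e in events:
        validate_event(e)
    return dict(Counter(e.root_cause for e in events if e.near_miss))


# KRI name -> (amber threshold, red threshold); constructed values.
KRI_THRESHOLDS = {
    "third_party_loss_gbp": (1_000_000.0, 2_000_000.0),
    "systems_near_misses": (1, 3),
    "total_loss_gbp": (500_000.0, 2_500_000.0),
}


def compute_kris(events):
    losses = aggregate_losses(events)
    misses = near_miss_counts(events)
    return {
        "third_party_loss_gbp": losses.get("third_party", 0.0),
        "systems_near_misses": misses.get("systems", 0),
        "total_loss_gbp": sum(losses.values()),
    }


def rate(value, amber, red):
    if value >= red:
        return "red"
    if value >= amber:
        return "amber"
    return "green"


def evaluate_kris(events, thresholds=KRI_THRESHOLDS):
    """Return {kri: (value, status)} so management sees the number and its meaning."""
    values = compute_kris(events)
    return {name: (values[name], rate(values[name], *thresholds[name])) for name in thresholds}


ESCALATION = {  # constructed wording; a real policy sets its own routes
    "red": "escalate to risk committee; root-cause analysis and control redesign required",
    "amber": "first-line owner review; monitor and report at next risk forum",
    "green": "no action beyond routine monitoring",
}


def escalation_actions(events, thresholds=KRI_THRESHOLDS):
    return {name: ESCALATION[status] for name, (_, status) in evaluate_kris(events, thresholds).items()}


if __name__ == "__main__":
    for name, (value, status) in evaluate_kris(SAMPLE_EVENTS).items():
        print(f"{name:24} {value:>14,.2f}  {status:5}  {ESCALATION[status]}")
```

On the constructed register the third-party KRI goes red on the strength of the vendor incident alone, the systems near misses sit amber with no loss recorded against them, and the total-loss KRI stays amber, which is the point of holding the three indicators separately: a single aggregate would hide which control area needs the redesign.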
A UK wealth manager suffers a failed third-party software update that misroutes client cash transfers and creates £2.4 million of remediation cost. Which is the strongest next-step judgement?
Answer: C.
The event is operational in origin and requires root-cause analysis, vendor-control review, escalation, and resilience improvement. Outsourcing the task does not remove the firm’s accountability.