Mastering operational risk

'This book belongs in every risk manager's and line of business head's library.'
(Risk Management Association Journal)

Preface - First Edition

Risk management has taken a knock over the last few years, as the financial crisis has unfolded. But perhaps the problem was not so much a failure of risk management as such, as its absence from strategic and other decisions.

That is why we believe Mastering operational risk is both timely and a reminder that good risk management is fundamental to good business management. And, as we show in Chapter 2, good operational risk management can bring real business benefits. It is as much about opportunities as it is about threats. So it demands imagination and the flexibility to adapt to a rapidly changing risk environment.

Operational risk emerged as a risk discipline in its own right in financial services in the early 1990’s. However, it was influenced by events in the ‘hazard’ industries and took on board methods which were already being used in energy, nuclear, space, transport, where operational risk as we now know it, was simply good risk management.

For us, operational risk goes far beyond operations and process to encompass all aspects of business risk, including strategic and reputational risks. Its management is not a complicated science, as much as a very human art which lies at the heart of all business decisions.

Mastering operational risk came about because we both passionately believe that there is a need for a book which sets out a practical framework for operational risk management, rather than one which is academic and quantitative in its approach. It has been written by practitioners for practitioners.

Given our professional backgrounds, and given where operational risk management has been developed over the last decade, Mastering operational risk is grounded in financial services, but the core elements are equally applicable to all sectors and to all those who have to make business judgements. Since operational risk covers all aspects of business and involves everybody who works in the business or deals with it, we hope that it will provide useful tips for the beginner as well as the seasoned professional.

The core of the book is a risk management framework which provides a practical structure for managing this most slippery of risks. At its heart lie the critical processes of risk and control assessment and the use of loss events and indicators, all within an overarching governance structure. It tackles head-on the thorny subject of operational risk appetite – for a risk which takes in the unknown unknowns as well as the known unknowns. And although this is a book fundamentally about management, it also covers ways in which operational risk can be modelled and measured. It includes a business approach to modelling operational risk, which places the tool of modelling back in the hands of management, using the fundamental operational risk processes.

Of course, stuff happens which is unavoidable. But unavoidable does not mean unmanageable. That is why we have included chapters on both reputation risk – and how to deal with reputation crises – as well as business continuity. And as so much of operational risk is ultimately down to people failures, people risk is a key risk which is fully covered in its own chapter. Mastering operational risk represents the distillation of two lifetimes of experience in operational risk management, during which we have enjoyed so many conversations with friends and colleagues about taming this exotic beast. A number of them have been kind enough to read individual chapters or in other ways to provide invaluable advice and suggestions: Rees Aaronson, Andrew Bryan, Ian Hilder, Mark Johnson, Charlotte Kiddy, Tim Landsman, Roger Miles, John Naish, Bruce Nichols, John Renz, Nick Symons. To them go our especial thanks. Any sins of omission or commission, though, are entirely our own. Special thanks also to our editor, Chris Cudmore, who has provided much needed encouragement and guidance.

Finally, we should like to thank our families for their constant support and for having to live lives, probably more than most, surrounded by operational risk.

'At last we have a book which offers a systematic and logical methodology for implementing an operational risk management programme.'
(Philip Martin, former Chairman of the Institute of Operational Risk)

'A well-written and valuable addition to the risk practitioner's library.'
(ALARM - The Public Risk Management Association)

How to buy

Paperback and e-book versions in English: - for 35% discount

Paperback version in Chinese:
Posts & Telecommunications Press (

© John Thirlwell 2004-14. All rights reserved.
Any reuse in whole or part requires our consent
Design by