Operational risk is the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events. The Basel Framework uses that definition and states that it includes legal risk but excludes strategic and reputational risk. The PRA has used the same core formulation in its operational risk materials.
In the financial crime environment, operational risk is significant because many financial crime failures are caused not by an absence of rules but by failures in how controls operate in practice. Weak onboarding workflows, poor data quality, screening errors, investigation backlogs, ineffective escalation, technology outages, third-party failures, staff misconduct, and poor governance can all create exposure to money laundering, fraud, sanctions breaches, market abuse, or regulatory failures. In other words, financial crime risk is often realized through operational weakness. The FCA’s operational resilience materials focus on firms’ ability to prevent, adapt, respond, recover, and learn from disruption, which is closely linked to how financial crime controls perform under stress.
From a professional perspective, operational risk in financial crime should not be understood narrowly as an IT or process issue. It includes failures in human judgment, inadequate staffing, poor control design, weak handoffs between teams, model or rule miscalibration, recordkeeping breakdowns, and external disruptions affecting critical services. Because financial crime controls are embedded in daily operations, operational risk becomes the practical channel through which those controls either succeed or fail. This is an inference supported by the Basel definition’s focus on processes, people, systems, and external events, together with the FCA’s operational resilience framework.
This is why operational risk is highly relevant across the full financial crime lifecycle. At onboarding, it may appear as incomplete customer due diligence, weak beneficial ownership verification, or poor sanctions screening. During account use, it may appear as missed alerts, delayed investigations, payment-processing errors, or poor fraud response. In governance terms, it may appear as unclear ownership, weak management information, insufficient testing, or failure to remediate known issues. The PRA’s operational risk materials explicitly link capital and prudential treatment to risks arising from failed internal processes, people, systems, and external events, which fits this broader control view.
A key distinction is that operational risk is not the same as financial crime risk, but it often amplifies financial crime risk. A customer may be inherently high risk, but whether that risk becomes a regulatory breach or loss event often depends on operational execution. A sanctions-screening rule may exist, but if the system is poorly configured or data is incomplete, the control may fail. A fraud alert may be generated, but if the investigation queue is overwhelmed, the payment may still go out. This is an inference from the cited operational risk definition and the FCA’s resilience focus on firms’ ability to continue important services through disruption.
Technology and third-party dependence make this especially important today. Many financial crime controls depend on screening engines, transaction-monitoring platforms, data feeds, case-management tools, and outsourced or cloud-based services. A disruption affecting those services can quickly become a financial crime issue if firms lose the ability to screen, monitor, escalate, or evidence decisions. The Bank of England’s 2026 operational resilience page stresses that firms should assume disruptions will occur and be able to continue important services within tolerances.
A mature framework therefore treats operational risk and financial crime control as closely connected disciplines. Firms should understand which important services and control processes are critical to AML, fraud prevention, sanctions compliance, and market conduct; where the main operational vulnerabilities sit; what dependencies exist on data, systems, vendors, and people; and how the firm will continue to operate if those elements degrade or fail. The FCA’s operational resilience framework and the Basel operational risk standard both support this focus on control performance under real-world conditions.
Ultimately, operational risk matters in the financial crime environment because it is often the practical reason why control frameworks fail. Financial crime controls are only as strong as the processes, people, systems, and external dependencies supporting them. For that reason, operational risk should be seen not as a separate prudential topic, but as a core determinant of whether fraud, AML, sanctions, and wider financial crime controls work in practice.
