Operational risk has long been defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. In other words, it is a risk type built around how failure is produced, not just how it is reported.
That sounds obvious. In practice, it often is not.
A control failure.
A conduct issue.
A data problem.
A service disruption.
A third-party incident.
A resilience event.
The organisation records what happened, assesses the impact, assigns ownership and raises actions.
But that still leaves a more important question unanswered: what made the event possible in the first place?
That is the question many firms still do not explore deeply enough.
Because non-financial operational risk is not simply event-led. It is inherently causal.
To understand it properly, firms need to look beyond the incident itself and examine the causes, conditions, drivers and control dynamics that allowed it to materialise.
Causes are not the same as events
One of the most important distinctions in operational risk is also one of the most frequently blurred.
Causes are not the same as events.
Events are incidents that produce unintended or undesirable consequences and impacts. Causes are the drivers of those unintended or undesired outcomes.
That distinction matters because too many organisations investigate the event as if it were its own explanation. A system failed. A person made an error. A control was missed. A process was not followed.
But these are often only the most visible points in a much wider causal picture.
Causes include the conditions, happenings and circumstances that affect outcomes inside the business processing environment. Some sit close to the event. Others are embedded more deeply in the process, operating model, governance structure or control environment.
Mature risk analysis, therefore, has to do more than describe what happened. It has to examine why it became possible.
Operational risk materialises through causes, events and consequences
A useful way to think about non-financial operational risk is through a simple sequence:
Cause → Event → Consequence
Causes sit upstream.
Events happen in the middle.
Consequences emerge downstream.
The event is the point at which something crystallises. The cause is what drives it. The consequence is what the organisation then has to absorb, manage or explain.
That sounds simple, but it is often missed in practice. Firms tend to concentrate heavily on the event and the consequence, while paying much less attention to the pattern of causes surrounding them.
Yet that pattern is where the real insight usually sits.
In operational risk, causal conditions are always present somewhere in the business environment. Under some circumstances, they combine to produce an event. Some causes may be harmless on their own, but become dangerous when other conditions are also present. Others may persist for long periods before they connect to an incident at all.
That means events should not generally be treated as isolated failures. They are more often the visible result of a causal structure the organisation has not fully understood.
Exploring causality means looking beyond one neat answer
Organisations often search for a single root cause because it creates a cleaner narrative.
But operational risk rarely behaves that neatly.
Some events do have a clear trigger. Even then, a wider pattern of background causes often contributes to why the event occurred, why it was not prevented and why the impact became more severe.
Causes often occur in chains or networks. Some drive the event directly. Others drive one or more other causes. Some act as triggers, some as environmental conditions, and others as exacerbators once the event is already underway.
The same factor may play more than one role.
A period of high volume, for example, may act as a general process stress factor, the driver of a specific operational error, and a loss amplifier while the issue remains uncorrected.
This is one of the most important views on causality in operational risk. Failure is rarely just linear. It is often cumulative, conditional and systemic. The order and composition of causal chains can vary from incident to incident, even where the event type appears similar.
That is why two apparently similar incidents may need very different responses. The event may look the same. The causal pathway may not be.
Why the business environment matters
Causes are not abstract. They are usually associated with particular business processes or activities. They sit inside the way work happens.
They can be found in process design, workload and capacity, role clarity, handoffs between teams, system limitations, governance gaps, escalation failures, tolerance of workarounds, fragmented control ownership, poor-quality data and badly aligned incentives.
This matters because operational failures are rarely detached from the environment that produced them.
A process issue is not just a process issue if governance tolerated ambiguity around ownership. A human error is not just human error if the task design made the mistake predictable. A missed control is not just a local lapse if the broader control architecture was poorly aligned to the actual risk pathway.
That is why causal analysis must be tied to the real operating environment, not treated as a post-incident labelling exercise.

Controls only make sense when matched to causality
A cause-and-effect model also helps explain the role controls are supposed to play.
Preventative controls sit upstream, intended to stop (or prevent) causes from developing into events.
Detective controls sit around the event itself, intended to identify that something has happened or is happening.
Corrective (or remedial) controls sit downstream, intended to contain damage, restore control and reduce the consequences.
Around all of this sit broader directives, oversight and governance controls, shaping how the organisation sets expectations, allocates accountability, monitors weaknesses and responds to patterns over time.
That matters because controls are often assessed in a binary way: did the control exist, and did it operate?
But that is not always the most useful question.
A better question is whether the control structure made sense against the causal reality of the risk.
Did the preventative controls address the actual upstream drivers?
Did the detective controls provide visibility at the right speed?
Did the corrective controls contain the consequences before they compounded?
Did oversight and governance controls surface the broader pattern early enough to matter?
If a control framework is not aligned to how risk materialises, it may look complete on paper while remaining weak in practice. A risk and control assessment that identifies, say, 5 controls focused on a specific risk does little to reduce exposure to that risk if all the controls are directive (policies and procedures), oversight (end of day reconciliation) or corrective (past due escalation) in nature.
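As an added illustration, not material from the article, the following Python sketch models the matching of controls to the Cause → Event → Consequence chain that this section describes and flags the stages no control interrupts; the control types, the sample risk and the control names are assumptions chosen to mirror the five-control case above.

```python
# Added illustration (not from the article): map each control to the stage of the
# Cause -> Event -> Consequence chain it acts on and flag risks whose control set
# leaves a stage uncovered. Control names and the sample risk are constructed.
from dataclasses import dataclass, field

# Stage each control type acts on, following the article's model: preventative
# controls work on causes, detective controls on the event, corrective controls on
# consequences. Directive and oversight controls sit around the whole chain rather
# than interrupting one stage, so they are not counted as covering any stage.
STAGE_FOR_TYPE = {
    "preventative": "cause",
    "detective": "event",
    "corrective": "consequence",
    "directive": None,
    "oversight": None,
}
STAGES = ("cause", "event", "consequence")


@dataclass
class Control:
    name: str
    kind: str  # one of the keys of STAGE_FOR_TYPE


@dataclass
class Risk:
    name: str
    controls: list = field(default_factory=list)


def coverage(risk):
    """Return {stage: [control names]} for the three causal stages."""
    cov = {s: [] for s in STAGES}
    for c in risk.controls:
        if c.kind not in STAGE_FOR_TYPE:
            raise ValueError(f"unknown control type: {c.kind}")
        stage = STAGE_FOR_TYPE[c.kind]
        if stage is not None:
            cov[stage].append(c.name)
    return cov


def uncovered_stages(risk):
    """Stages of the Cause -> Event -> Consequence chain that no control interrupts."""
    return [s for s, names in coverage(risk).items() if not names]


# Constructed sample: five controls, all directive, oversight or corrective, so
# the upstream cause and the event itself are left unaddressed.
PAYMENT_RISK = Risk("Duplicate payment release", [
    Control("Payments policy", "directive"),
    Control("Release procedure", "directive"),
    Control("End of day reconciliation", "oversight"),
    Control("Four-eyes review procedure", "directive"),
    Control("Past-due escalation", "corrective"),
])

if __name__ == "__main__":
    print(uncovered_stages(PAYMENT_RISK))  # ['cause', 'event']
```

Running the check on a real risk and control assessment is a quick way to see whether a control set that looks complete on paper actually touches the upstream drivers and the event, or only the paperwork and the aftermath.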
The 5 Whys and other ways to analyse causality
There is nothing wrong with root cause analysis or the 5 Whys as disciplines. In fact, they remain useful precisely because they force a deeper look beneath the surface event.
The 5 Whys is simple in structure but powerful in intent. By repeatedly asking why something happened, it pushes teams beyond the first visible explanation and towards the underlying conditions that allowed the event to occur. Its value is not in the number five. Its value is in the discipline of not stopping at the first plausible answer.
That matters because too many reviews still stop too early.
Human error.
Failure to follow process.
Insufficient oversight.
System limitation.
These may all be true. They are rarely sufficient.
A shallow analysis explains the event at the point it became visible. A stronger analysis works backwards and sideways through the causal chain.
Why was the process difficult to follow?
Why did the operating environment make the error more likely?
Why was the issue not visible sooner?
Why were the control weaknesses tolerated?
What other process areas may contain similar conditions?
The 5 Whys can help with that, but it is not the only useful lens. Root cause analysis, causal mapping and other structured approaches can all support better understanding when they are used to explore the system, not simply close the issue.
That is the difference between identifying a failure and understanding its causes.
Why this matters now
This matters now because non-financial operational risk is becoming more interconnected, more technology-enabled and more difficult to analyse through surface-level reporting alone.
Firms are operating across more complex technology estates, more third-party dependencies and more fragmented accountability structures. Automation and AI are increasing speed and scale, but also reducing visibility into how some vulnerabilities build. At the same time, boards and regulators are asking harder questions about resilience, governance, control effectiveness and accountability.
In that environment, descriptive reporting is not enough.
A firm may know that an event occurred without understanding the conditions that made it possible. It may close the issue without addressing the network of causes beneath it. It may add more controls without improving the logic of the control environment itself.
That is why causality matters now.
Not as an abstract theory, but as a practical discipline for understanding how operational risk actually materialises.
How firms should look at it
A more mature approach starts with a different question.
Not just what happened?
But:
What causes were already present in the process environment?
Which factors acted as triggers?
Which conditions made the event more likely?
Which factors amplified the impact once it occurred?
Which controls were meant to interrupt that pathway?
And where might similar conditions already exist elsewhere?
That is what it means to explore causality properly.
It is not about turning every incident review into an academic exercise. It is about improving the organisation’s ability to see patterns, understand pathways and intervene earlier.
From incident reporting to causal insight
The most mature organisations understand that the event is rarely the whole story.
It is the visible point at which a deeper set of causes finally becomes impossible to ignore.
That is why non-financial operational risk is such an important lens for firms now. Not because it adds another category to monitor, but because it reveals whether the organisation truly understands how its risks materialise.
Until firms get better at analysing causes, they will continue to treat events as if they were isolated failures.
And until they stop doing that, many of the same operational problems will keep returning in slightly different forms.
Because the event may change.
But the causal conditions beneath it often remain.