A factory line stops, a currency moves against you, a strategy bet ages badly, a video of your staff goes viral for the wrong reason. All four are "risk", but treating them as one problem with one owner and one solution is how good organisations get blindsided. The first discipline of risk management is sorting threats into kinds that behave differently.
The quick version
- Operational risk is loss from your own machinery failing: broken processes, human error, system outages, or external shocks to operations. The textbook line is "inadequate or failed internal processes, people and systems, or external events."
- Financial risk is loss through money itself: credit (people don't pay you), liquidity (you can't pay your bills), and market moves (rates, prices or currencies going the wrong way).
- Strategic risk is the risk you take on purpose by choosing a direction: a market that shrinks, a competitor that leapfrogs you, a bet that doesn't pay off. It is the one category you cannot eliminate, because avoiding it means abandoning the strategy.
- Reputational risk is damage to how stakeholders see you. It is usually a consequence of one of the other three, but it can outlast and outweigh the original loss.
The idea in depth: four risks, three defences
The cleanest definition of operational risk comes from banking regulation, where it has been pinned down precisely. The Basel Committee on Banking Supervision defines it as "the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events", a definition that deliberately includes legal risk but excludes strategic and reputational risk (see the Basel framework via the Bank for International Settlements). That exclusion is not an oversight; it is the whole point. Basel separated the categories because they need different tools. Operational losses are tracked, capitalised against, and reduced through controls. Strategic and reputational risks are not the sort of thing you hold capital against; they are managed through judgement and governance.
So the first move is simply to name which risk you are looking at before you reach for a response. A late supplier is operational. A customer who can't pay is financial. A product nobody wants in three years is strategic. A botched apology that trends on social media is reputational. The same incident can be more than one, but you cannot manage what you have not classified.
An honest limitation. The Basel definitions were written for banks, and the neat boundaries blur in practice. A data breach is operational (a failed system), financial (the fine) and reputational (the customers who leave) all at once. Use the categories as lenses that make sure no angle goes unexamined, not as watertight boxes into which each threat must fit exactly once.
Why the four behave differently, the Kaplan & Mikes lens
If Basel tells you what the categories are, the most useful framework for what to do about them comes from Robert Kaplan and Anette Mikes. In "Managing Risks: A New Framework" (Harvard Business Review, June 2012), they argue that risks fall into three groups that each demand a different style of management, and that most failures come from applying the wrong style.
- Preventable risks arise inside the organisation and add no upside: fraud, errors, process breakdowns. These map closely to operational risk, and the right response is rules, controls and a strong compliance culture. You want to drive them toward zero.
- Strategy risks are the ones you accept voluntarily to earn a return: a new market, a big product bet. These are strategic risk, and you cannot rule-book them away. Kaplan and Mikes argue they need open discussion and active management, not avoidance.
- External risks come from outside and are beyond your control: a pandemic, a regulatory shift, a recession. The tools here are scenario planning and stress testing, because you cannot prevent them, only prepare.
The practical payoff is the warning embedded in the framework: a rules-and-compliance mindset that works beautifully for preventable risk is actively harmful when pointed at strategy risk, because it suppresses the very conversations that surface the danger. So the move is to ask of any risk: is this one to prevent, to discuss and steer, or to prepare for? Then resource it accordingly. Reputational risk sits across all three; it is most often the downstream consequence of a preventable failure handled badly, or of a strategy bet that offended a stakeholder you forgot to count.
```mermaid
flowchart TD
    A(["A threat appears"]) --> B{"What kind is it?"}
    B -->|"Own machinery fails"| C(["Operational<br/>→ controls, prevent"])
    B -->|"Money in/out"| D(["Financial<br/>→ hedge, limits, reserves"])
    B -->|"A bet we chose"| E(["Strategic<br/>→ discuss & steer"])
    B -->|"Outside our control"| F(["External<br/>→ scenarios, stress test"])
    C --> G(["Reputational fallout?<br/>handle the story, not just the loss"])
    D --> G
    E --> G
    F --> G
```
Reputational risk: the one that compounds
Reputational risk deserves separate billing because it follows different rules. The Basel Committee defines it as "the risk arising from negative perception on the part of customers, counterparties, shareholders, investors... or regulators that can adversely affect a bank's ability to maintain existing, or establish new, business relationships and continued access to sources of funding" (Bank for International Settlements). Notice what that definition is really about: not the original loss, but the second-order loss, the customers, investors and partners who walk away because of how something looked.
That second-order quality is why reputation is asymmetric. The line often attributed to Warren Buffett, "it takes 20 years to build a reputation and five minutes to ruin it", captures the asymmetry even if its precise origin is debated. Trust accrues slowly and collapses quickly, so reputational risk cannot simply be insured or capitalised away like a financial exposure; it can only be governed. The move is to treat the response to any serious incident as a risk event in its own right: most reputational damage is done not by the original failure but by the cover-up, the slow apology, or the tone-deaf statement that follows.
Reputation is rarely destroyed by the failure itself. It's destroyed by how the organisation behaves in the hours after.
This is also where strategic and reputational risk meet, which is why the careful work of naming your risk appetite matters: deciding in advance how much of each kind you are willing to carry stops you discovering your limits in the middle of a crisis.
A worked example
Take a mid-sized online retailer, call it Harbour & Lane. (Illustrative figures throughout; this is a teaching example, not a real company.) One Friday, a botched software deployment takes the checkout offline for six hours during a promotion. Watch the single incident travel through all four categories.
Operational first: a failed internal system, textbook operational risk. The direct cost is the engineering scramble and, say, £80,000 in lost sales for the afternoon (an illustrative figure). Financial next: a key supplier had been promised a payment tied to that day's revenue, and the shortfall creates a short, sharp liquidity pinch. Then strategic: the outage exposes that the company bet on a fragile, home-grown checkout to save money, a strategy risk that was accepted, quietly, two years earlier. And finally reputational: customers who hit the error post about it, and the brand's first instinct is to stay silent.
```mermaid
flowchart LR
    A(["Bad deploy<br/>checkout down 6h"]) --> B(["Operational loss<br/>~£80k sales (illustrative)"])
    B --> C(["Financial<br/>liquidity pinch on supplier"])
    B --> D(["Strategic<br/>fragile checkout bet exposed"])
    B --> E(["Reputational<br/>silence makes it worse"])
    E --> F(["Customers leave:<br/>the lasting cost"])
```
The £80,000 is the cheapest part. A leader who has classified the risk sees four jobs, not one: restore the checkout (operational), bridge the supplier payment so a relationship isn't lost (financial), reopen the buried decision about the fragile platform (strategic), and, fastest of all, get a plain, human acknowledgement out before silence becomes the story (reputational). Handle only the first and you have fixed the symptom while the most expensive risk runs unmanaged.
Frequently asked questions
What is the difference between operational and strategic risk?
Operational risk is loss from your own machinery failing, a process, a person or a system breaking down, or an external event hitting your operations. You did not choose it and it carries no upside, so you try to prevent it. Strategic risk is loss from a direction you deliberately chose, a market, a product, a model, where you accepted the risk because of the return on the other side. You cannot prevent strategic risk without abandoning the strategy; you manage it by discussing it openly and steering.
Is reputational risk really separate, or just a consequence of the others?
Both. It is almost always triggered by an operational, financial or strategic event, but it behaves so differently that it earns its own category. The original loss is usually bounded and one-off; the reputational loss can compound, drive away customers and investors, and outlast the incident by years. The Basel framework recognises it as distinct precisely because you manage it through governance and communication, not through controls or capital.
Why does Basel exclude strategic and reputational risk from operational risk?
Because they need different tools. Operational risk can be measured, tracked as loss data, and capitalised against. Strategic and reputational risk resist that treatment, you cannot meaningfully hold a capital buffer against "we chose the wrong market" or "customers lost faith in us." Keeping them separate stops organisations from pretending a problem of judgement is a problem of controls.
How do these four relate to financial risk specifically?
Financial risk is its own family: credit (counterparties don't pay), liquidity (you can't meet obligations), and market risk (rates, prices and currencies moving against you). It overlaps with the others at the edges: an operational failure can create a financial loss, and a strategic bet has a financial dimension. But its tools are specific to money (hedging, limits, reserves, diversification), which is why it is worth naming distinctly rather than folding it into "operational."
If a single incident is all four at once, does the classification even help?
That is exactly when it helps most. A multi-headed incident is precisely where leaders fix the visible part and miss the expensive part. Running the event through all four lenses forces you to ask "and what's the financial exposure? the strategic signal? the reputational tail?" rather than declaring victory once the system is back up. Classification is a checklist against tunnel vision.
Related in the Toolkit
Knowing the four types is the entry point; the rest of the Risk Management track turns it into a system, deciding how much of each you will carry (enterprise risk management & risk appetite), and scoring each threat by how likely and how damaging it is (risk identification & assessment).
- Enterprise risk management & risk appetite, the company-wide system for deciding how much of each risk type you are willing to hold.
- Risk identification & assessment (likelihood × impact), how to score the threats in each category once you've classified them.
- Risk registers & mitigation strategies, where the four types get logged, owned and acted on.
- Quantitative risk & scenario / stress testing, the tool Kaplan & Mikes prescribe for external and strategic risks.
- Three lines of defence & risk governance, who owns, oversees and audits each type of risk.
- Board roles, committees & responsibilities, where strategic and reputational risk are ultimately governed.
- Employment law basics, a common source of operational, legal and reputational risk in one.
- Insurance & risk transfer, how to move some operational and financial risk off your own balance sheet.
Where to go next
- "Managing Risks: A New Framework", Kaplan & Mikes, HBR (2012), the single best short read on why preventable, strategy and external risks each need a different management style.
- COSO's ERM Framework, NC State ERM Initiative, a plain-English guide to the most widely used enterprise-risk framework (the 2017 "Integrating with Strategy and Performance" edition) and how it ties risk to objectives.
- "Taleb on Black Swans", EconTalk interview with Nassim Nicholas Taleb, on the external, hard-to-imagine risks that scenario planning is built to catch, and why we systematically underweight them.
- "Enterprise Risk Management", NC State Poole College ERM Initiative (YouTube), a short, clear primer on what ERM is and how the risk categories fit together, from the leading academic centre on the topic.