Operational Risk vs. Compliance: Knowing the Difference

October 25, 2025
In the "Three Lines of Defense" model that governs modern banking, the Second Line of Defense (2LoD) is responsible for oversight and challenge. Within this second line, two giants sit side by side: Operational Risk and Compliance.

In many smaller organizations, these departments are lumped together, sometimes even under a single "Head of Risk & Compliance." While they are cousins, they are not twins. They have distinct mandates, distinct methodologies, and distinct cultures. Confusing them can lead to gaps in your control environment.

Compliance: The Guardian of the Rules

Compliance is primarily concerned with external obligations. Its reference point is the law, the regulation, and the rulebook.

  • The Source: Laws (e.g., The Patriot Act, GDPR), Regulations (e.g., MiFID II, PSD2), and Regulatory Guidance (e.g., FCA Handbook).
  • The Focus: "Are we allowed to do this?" "Did we follow the rule?"
  • Key Domains: Anti-Money Laundering (AML), Sanctions, Consumer Protection (Consumer Duty), Market Abuse, Data Privacy.
  • The Mindset: Binary (mostly). You are either compliant or you are not.

If a bank fails to screen a payment against a sanctions list, that is a Compliance failure. The regulator will fine you because you broke the law.

Operational Risk: The Guardian of the Process

Operational Risk is concerned with internal failures. Its reference point is the process, the system, and the person.

  • The Definition: The Basel Committee defines OpRisk as "The risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events."
  • The Focus: "What could go wrong?" "Is this process robust?" "Is the system stable?"
  • Key Domains: IT Failure, Cyber Security, Fraud (Internal & External), Data Entry Errors, Health & Safety, Business Continuity.
  • The Mindset: Probabilistic. "What is the likelihood of this happening, and what is the impact?"

If a bank's payment system crashes because of a bug in a software update, that is an Operational Risk failure. You didn't necessarily break a law (initially), but you failed to execute your business.

The Intersection: The "Twin Peaks"

While distinct, these two risks overlap significantly. This is where the confusion—and the danger—lies.

Example: The Sanctions Screening Crash

Imagine your sanctions screening software crashes due to a server overload.

  1. OpRisk View: This is an IT System Failure (Availability Risk). The root cause was poor capacity planning.
  2. Compliance View: Because the system was down, we processed payments without screening them. This is a Sanctions Breach (Regulatory Risk).

Here, an Operational Risk failure caused a Compliance failure. This causality chain is common. Most regulatory breaches are not caused by evil bankers trying to break the law; they are caused by broken processes and bad systems (OpRisk) that allow the breach to happen.

Unified Taxonomy: The RCSA

To manage this effectively, banks need a unified Risk & Control Self-Assessment (RCSA). The business (First Line) should not have to answer one questionnaire for the Risk team and a different one for the Compliance team. That leads to "Audit Fatigue."

Instead, you need a single taxonomy:

  • Process: International Payments.
  • Risk: Failure to screen (OpRisk/Compliance hybrid).
  • Control: Automated Fircosoft Screening.
  • Tagging: Tag this risk as both "IT Risk" and "Financial Crime Risk."

The Role of Culture

  • Compliance Culture is often about "Permission." Can we do this? It acts as a brake.
  • OpRisk Culture is about "Resilience." Can we do this safely and reliably? It acts as a shock absorber.

Conclusion

For a COO or CEO, understanding this distinction is vital.

  • If you are worried about fines and jail time, talk to Compliance.
  • If you are worried about losing money, crashing systems, and reputational embarrassment from errors, talk to Operational Risk.

You need both. A bank that is perfectly compliant but cannot process a payment because the system is down will fail. A bank that has perfect uptime but launders money for cartels will be shut down. The art of the 2LoD is balancing these two guardians to ensure the bank is both safe and sound.
