skip to main content

In a broad sense, operational risk includes any risks you’d encounter in your operations processes. In a technical EHS sense, it’s the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.

5 Main Types of Operational Risk

There are five main types of operational risk. (There are others, such as financial risk or reputational risk, but these are the big ones.)  

  • People risk – Risk of incidents from/to the people of an organization (being unqualified or poorly trained, irresponsible, etc.) 
  • Process risk – Risk of incidents from an organization’s internal processes 
  • Systems risk – Risk of incidents from an organization’s internal systems (physical or digital) failing 
  • External events risk – Risk of incidents from something out of the organization’s control  
  • Legal and compliance risk – Risk of legal ramifications from an organization’s actions or inability to meet compliance  

How Do Operational Risk Incidents Occur?

Incidents can occur from just one of the above risks or from a combination in varying degrees. 

How do organizations manage their operational risks? By developing and implementing a risk management program so that any risks they have can be controlled or mitigated, and to minimize the consequences of an incident occurring. When organizations don’t have a strong risk management program, or one at all, things can go terribly wrong.  

Remember the Thunder River Rapids incident? Four guests of Dreamworld theme park in Australia died on a water rapids ride, because the park management hadn’t addressed multiple risk factors

People Risk  

The employee operating the ride at the time of the incident had not been fully trained on the job, wasn’t shown how to shut down the ride, and wasn’t told where the emergency shutdown button was. It was her first day, by the way.  

Park management also did a shoddy job of inspecting, auditing, monitoring and maintaining the ride, cutting the maintenance and repair spending and deferring to third parties who weren’t qualified to perform these tasks. 

Process Risk  

The ride was designed and built by the park in the 80s, and in 1990, the ride’s conveyor belt was altered so that 2/3 wooden slats that made up the belt were removed. This alteration had no Management of Change review, and there was no documentation as to why this change was made.  

The ride’s shutdown system involved a four-button sequence on the main control panel, but it didn’t actually shut the ride down immediately. The panel also had no clearly marked buttons or instructions. The emergency stop button for the ride was in a separate location from the main panel, and operators were instructed to only use the emergency stop button if they can’t reach the main control panel.  

Systems Risk  

The ride itself malfunctioned multiple times earlier on the day of the incident; the water pumps beneath the “river” kept tripping, causing the ride’s water level to drop. The pumps were reset each time, but at one point the water was so low that an empty raft became stuck on the conveyor belt rails while the ride continued to run. The next raft, which carried six people, hit the empty raft, flipped and caused the fatal injuries of four of those people.  

In the early 2000s, this exact event happened during a test run of the ride. One pump tripped, the water level lowered, and a raft flipped. The theme park could have installed a detection and shutdown system for a small cost, which would have stopped this incident from happening again, but they didn’t.  

Legal and Compliance Risk  

Because theme park management took no actions in addressing these risks, they faced serious legal (and financial!) ramifications after this incident occurred, including dozens of civil lawsuits, pleading guilty to 3 counts of failure to comply with health and safety duty, which cost $1.5B each. And, just in 2020, the parent company of the theme park was fined $2.8M for breaching the Work Health and Safety Act.  

Reputational Risk  

While the financial consequences were mighty, an incident like this can send long-lasting ripples of suspicion and distrust from people across the world, including potential paying customers and potential employees. While the park is still in business today, this horrible incident will always be associated with the place. You can’t google “Dreamworld”, without the autofill suggestions including “incident/accident/disaster.” Would you be excited to go to a theme park that had “disaster” in its search results? 

Tragically, this all could have been avoided if the theme park had simply noted the risks as they appeared and implemented ways of dealing with them–repairing or rebuilding the conveyor belt per engineer and regulatory approvals, updating the ride’s control panel, thoroughly training their employees and not giving them complicated jobs on their first day.  

The good news is that there’s a way to stop this type of incident from happening yet again – by assessing operational risks and implementing a risk management program to control those risks. Hopefully, Dreamworld has made serious changes to their operations to improve their safety since the Thunder River Rapids incident. It’s imperative for organizations to take their operational risks seriously and address them proactively—if they don’t, they’re not taking the safety of their people seriously. 

How Do I Develop a Risk Managament System?

It’s much simpler (and cheaper) to deal with operational risks before they become incidents. But how do you get started with developing your own risk management system? Take a look at our library of resources, like webinars, online courses, guides, eBooks and infographics to see how our in-house risk experts identify, assess, address and control operational risks and improve safety. Or reach out now to discuss first steps toward developing your risk management program.