The trouble with risk lists and risk registers is that all the risks appear independent of each other. However, in the same way that causes lead to risks and then to impacts, risks are interrelated and interdependent. The segmentation described in the last chapter between causes, risks and impacts is purely for convenience. The distinction between people, processes, systems and external events is a way to order the causes of operational risks, in keeping with the Basel definition. Similarly, for convenience, the impacts of operational risks are defined as financial loss, reputation damage, compliance breach, customer detriment and sometimes disruption of services. But risks transcend categories, and it is a mistake to assume they behave independently. In reality, everything is connected, which is why so many firms are confused when it comes to defining causes, risks and impacts.

Risk networks are a promising and growing resource in firms with more mature operational risk management. Also known as risk connectivity and sometimes risk visualization, these networks provide risk managers with useful insights. They highlight the dependencies and other connections between different risks, and are not just tools for risk modelers and quantitative analysts.

The best‐known user of risk networks is probably the World Economic Forum (WEF). Every year, in its global risk report, published on its website (weforum.org), WEF presents a network view ...