CPCU 500 explains that enterprise risks are grouped into four major quadrants: hazard, financial, operational, and strategic. Correctly identifying the quadrant is essential because each type of risk requires different management techniques and oversight.
Operational risk specifically addresses uncertainties that arise from an organization’s internal processes, procedures, systems, and people. This includes breakdowns in workflow, inadequate internal controls, system failures, compliance gaps, human error, fraud, or poorly designed policies. Because the question explicitly refers to procedures, systems, and policies, it directly matches the definition of operational risk under the CPCU 500 framework.
Hazard risk involves accidental losses such as property damage, bodily injury, or liability exposures—risks that are often insurable. Financial risk focuses on uncertainties related to market conditions, credit, liquidity, capital structure, or interest rate changes. Strategic risk arises from high-level decisions affecting the organization’s long-term direction, such as mergers, acquisitions, or market expansion.
Operational risk is closely tied to day-to-day execution. CPCU 500 emphasizes that strong governance, internal controls, training, and well-designed systems are key tools for managing operational risk. When procedures and systems fail, the organization may experience service disruptions, regulatory penalties, reputational damage, or financial loss. Therefore, the correct quadrant in this case is Operational risk.
