IROKO TECHNOLOGIES · EST. 2025 · BOSTON

Operational Topology

Understanding how risk actually propagates through modern enterprises.

James Hardy

Co-Founder, Iroko Technologies

Former Global Head of Operational Resilience, State Street Corporation

Operational Topology — white paper cover

Operational risk frameworks have done important work. They create accountability, support regulatory oversight, and give boards a structured view of non-financial exposure. But as enterprises have become more digital, interconnected, and dependent on shared platforms, those frameworks reveal an important limitation: they classify risk better than they represent how risk actually moves.

Most operational risk frameworks decompose exposure into domains such as technology, facilities, vendors, cyber, and process control. Those domain assessments are then aggregated into an overall view of risk. That approach is useful, but incomplete. Operational risk does not respect organizational or risk-domain boundaries. In modern enterprises, some of the most consequential exposures arise not from a single weak component, but from the structure of dependencies through which services are delivered.

Resilience disciplines have long recognized the importance of understanding how services depend on people, processes, technology, third parties, infrastructure, and locations. But that dependency view has only partially entered operational risk management in a systematic way. The result is a gap: operational risk often lacks the structural foundation it needs, while resilience planning is forced to build on an incomplete risk base.

This paper argues that operational risk management needs a structural lens. That lens is operational topology: the dependency network through which an organization actually delivers services and through which exposure builds, moves, and concentrates. Operational topology makes visible dependency importance, concentration, substitutability constraints, inherited exposure, and propagation paths that no individual domain assessment can reveal on its own.

The argument is not for replacing existing operational risk frameworks. It is for extending them. Domain-based assessments still matter, but on their own they can understate exposure because they do not fully represent the dependencies through which risk is inherited across the operating model.

A central question follows: if operational risk is shaped not only by the condition of individual components, but also by the way those components are connected, should frameworks explicitly measure that structure instead of merely documenting it?

Keep reading

Free PDF · 16 pages