‘The risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events’ (Basel Committee on Banking Supervision 2001). The definition includes legal risk but excludes strategic and reputational risk. It encompasses: ‘people’ risks (ineffective management); internal and external fraud; failure to comply with laws and regulations; damage to physical assets; business disruption through IT failure; transaction processing failures; and outsourcing weaknesses. The move towards operational risk management is FSA-driven. Firms will have to comply with the policy on systems and control from 2004. Financial businesses are able to insure against the risk by purchasing a ‘basket’ insurance, with fewer exclusions, over and above the more traditional insurances. The basket includes cover under: professional indemnity; directors’ and officers’ liability; broad form me and computer crime; unauthorised trading; employment practices liability; pension trust liability; organisational liability; broad form external fraud.