CPCU 500 emphasizes anticipating breakdowns in how an organization operates, including disruptions that originate outside the organization but still affect its ability to deliver products and services.Operational riskcommonly includes categories such as systems risk, process risk, performance risk, and external event risk. The key to this question is identifying that the trigger is not an internal failure at the auto manufacturer, but a disruptive event occurring in the external environment that impacts operations through the supply chain.

Here, anearthquakedestroys the facilities of the manufacturer’smain supplierof mufflers. A natural disaster is an external event, and the resulting interruption is a classicsupply chain disruption. Even though the loss physically occurs at the supplier’s site, the auto manufacturer experiences operational consequences such as production delays, inability to meet delivery schedules, increased costs to source alternative parts, potential penalties, and reputational harm. This aligns directly withexternal event risk, which includes losses caused by events outside the organization’s direct control (for example, natural catastrophes, political events, terrorism, or major third-party outages).

By contrast,systems riskrelates to failures of IT systems or infrastructure,process riskinvolves breakdowns in internal procedures and controls, andperformance riskfocuses on failures to meet objectives due to people or execution issues. Because the initiating cause is an external catastrophe affecting a third party, the correct classification isexternal event risk.