As information technology (IT) systems become increasingly embedded in the operating environments that they support, IT-related failures can have significant impacts on organizations. Such failures are due to IT-related operational risk. While much has been done in research and practice concerning risks related to IT system development and implementation, there is minimal work concerning threats to operational IT systems. As such, a formal definition and understanding of IT-related operational risk and its sub-categories is lacking. Additionally, the unavailability of empirical data on risk events in operational IT systems has precluded investigation into the economic impact of such events. The little work that has been conducted regarding IT-related operational risk mainly concerns security-type risks such as malicious attacks and data leakage incidents, while other risk types, such as software failures and operator errors, have received less attention. This dissertation responds to these gaps by defining and formalizing IT-related operational risk and its sub-categories in the context of the IT business value and IT risk literature. It also offers the first empirical analyses of IT-related operational risk by examining changes in market values due to actual risk events. Further, it determines the aspects of an IT system’s operating environment that are most likely to be associated with certain risk types. Such findings provide guidance regarding the identification of relevant risk factors, and shed light on whether IT or business management is responsible for risks associated with operational IT systems.