Operational Risk &
Operational Risk Management

Operational risk management

This post discusses operational risk and operational risk management. In this post, you will understand the meaning of operational risk and the management of operational risks.

 

WHAT IS AN OPERATIONAL RISK?

Operational risk is the possibility of business operations failing due to inefficiencies or breakdowns in a firm’s internal processes, people, and systems. Human error and external events (such as regulatory changes) are common sources of such risk. The Basel Committee on Banking Supervision described operational risk as loss resulting from inadequate or failed internal processes, people, systems, or external events. As such, operational risk captures business continuity plans, environmental risks, crisis management, process systems and operations risks, people-related risks and health and safety, and information technology risks. All these risks need to be managed, and the more sophisticated the approach to risk management, the more chance the business must thrive and grow.

Operational risk relates to the production process. No business is immune to operational risk. In any business task or function, the risk may arise from internal process failures or gaps, human error, system failures, or external risks imposed by customers, suppliers, natural disasters, regulatory changes, or geopolitical shifts. Operational risk may include legal risks, risks to human capital and physical business assets, or risks to the bottom line of the business. Typically, strategic and reputational risks are not included in the definition of operational risk, but they may be adversely impacted when operational risks remain unchecked for too long.

 

TYPES OF OPERATIONAL RISK

Operational risk is associated with how businesses function internally and broadly covers the following categories:  

1. Fraud – e.g., bribery, misuse of assets and tax evasion,

2. Other criminal activity – e.g., data theft and hacking, 

3. Workplace policies and safety – e.g., discrimination, staff health and safety,

4. Products and business practice – e.g., product defects and market manipulation,

5. Physical assets – e.g., vandalism, natural disasters, and equipment maintenance, 

6. Business disruption – e.g., utility downtimes and IT system failures, and 

7. Process management – e.g., accounting errors, data entry errors, and non-reporting.

These risks present varying threat levels to business – from a minor inconvenience to potentially jeopardising its existence. The company should be aware of the potential impacts of operational risk.

 

IMPACTS OF OPERATIONAL RISK

Operational risks are not typically revenue-driven or willingly incurred, unlike other business risks. Some organisations accept them as an unavoidable cost of doing business. However, an organisation can reduce its risk exposure and operating costs by developing a sound operational risk management strategy for its business.

If operational risks materialise, they may cause significant damage to a business, including:

  • Outright loss: – e.g., costs of dealing with system failure and processing error; 
  • Regulatory overhead: – e.g., costs of audits and mandated investigations; and 
  • Reputational damage – e.g., arising from fraudulent activity and unfair practices.
 

OPERATIONAL RISK MANAGEMENT

Operational Risk Management is a way to get a holistic view of a company’s risk footprint throughout the supply chain – and everyone across the organisation has a role to play in making an organisation’s safety culture the best it can be. Operational risk management is a methodology for organisations looking to put real oversight and strategy into place when managing risks. 

To achieve organisational and operational risk goals, companies must work together to mitigate risk, and that includes a need for:

1) Corporate leaders make safety part of their value structure by initiating and driving a safety culture.

2) Engineers to apply inherently safe design principles.

3) Maintenance engineers verify isolations while reliability engineers maintain asset uptime.

4) Operators to start up, shut down and respond to abnormal conditions.

5) Procurers, suppliers, and transporters to understand their contribution to delivering and managing quality spare parts, materials and services that prevent the loss of containment.

 

Effective operational risk management helps business organisations to:

1. Prevent unexpected operational loss,

2. Cut compliance or auditing costs,

3. Detect unlawful activities, and

4. Minimise exposure to future risks.

 

BENEFITS OF OPERATIONAL RISK MANAGEMENT

Operational risk management is beneficial to business organisations. Operational risk management is an essential step for every company that is looking to avoid potentially damaging issues. Benefits of Operational Risk Management include:

1. Improvement of the reliability of business operations.

2. Improvement of the effectiveness of risk management operations.

3. Strengthening of the decision-making process regarding the management of risks.

4. Reduction in losses caused by poorly identified risks.

5. Early identification of unlawful activities.

6. Lower compliance costs.

7. Reduction in potential damage from future risks.

 

HOW OPERATIONAL RISK MANAGEMENT WORKS

The first stage of any operational risk management strategy is understanding the nature of a business and its risks. The business will be susceptible to risks different from that of a company that creates technology for vending machines. Manage a company that runs water ski lessons.

There are three levels of operational risk management organisations can adopt:

1. In-depth: As the name suggests, this is the kind of risk management that we would all be undertaking in an ideal world, as it will deliver the best results and practically makes risk a thing of the past – not wholly because not every risk is foreseeable. 

2. Deliberate: This is still not a ‘panic station’ in the world of risk management but is undertaken at various stages during the life cycle of a project or a business and can come in the form of routine safety checks or performance reviews.

3. Time-Critical: Operational Risk Management often requires urgent attention. During operational change, it is usually done when there is a limited time to act before the potential consequences of unknown risks manifest.

 

OPERATIONAL RISK MANAGEMENT PRINCIPLES

Four essential principles govern all actions associated with operational risk management. Here are the four principles of operational risk management that apply to all organisational tasks and operations at all levels of responsibility:

1. Do not accept unnecessary risk.

2. Make risk decisions at the appropriate level.

3. Accept risk when benefits outweigh the costs.

 4. Integrate operational risk management into planning at all levels.

 

OPERATIONAL RISK MANAGEMENT PROCESS

There are five stages of operational risk management: risk identification, risk assessment, measurement and mitigation, and monitoring and reporting.

Step 1: Risk Identification

Operational risks must be identified to ensure effective management and control. Risk identification starts by understanding the organisation’s objectives. 

Step 2: Risk Assessment

Risk assessment is a systematic process for rating risks of likelihood and impact. The outcome of the risk assessment is a prioritised listing of known risks. 

Step 3: Risk Mitigation

The company should investigate strategies and tools that reduce, mitigate, or eliminate the threat. The risk mitigation step involves choosing a path for controlling specific risks. All risks have three components: the probability of occurrence, the severity of the hazard, and people and equipment’s exposure to the risk. In the Operational Risk Management process, there are four options for risk mitigation: risk transfer, risk avoidance, risk acceptance, and risk control.

Step 4: Implement Risk Control

Once the risk mitigation choice decisions are made, the next step is implementation. Management must formulate a plan for applying the selected controls by ensuring the availability of resources (including materials and personnel) to facilitate a robust operational risk management framework. 

Step 5: Monitoring and Review

Once controls are in place, the process must be monitored and reviewed regularly to ensure its effectiveness. Control monitoring involves testing the control for appropriateness for design, implementation, and operating effectiveness.

 

KEYS TO REDUCING A FIRM’S OPERATIONAL RISK

The proposed mitigation strategy for most risks usually includes creating new business processes or adjusting existing ones. Businesses that have already embraced workflow automation can easily create new workflows, alter approval requirements, and create monitoring dashboards to ensure compliance with operational risk management procedures – the system enforces compliance with the latest risk mitigation procedures. Some businesses promulgate new policies and procedures by email in the immediate aftermath of an incident that impacts operational risk. 

When defining new workflows to deal with specific operational risks, there are a few guiding principles to keep in mind:

1. Identify and divide tasks,

2. Assign tasks to the right people,

3. Streamline and automate business processes,

4. Brainstorm the exceptions,

5. Measure performance and exceptions, and

6. Adopt an ongoing approach.

 

THE 7-STEP APPROACH TO MITIGATE OPERATIONAL RISK MANAGEMENT

Operational risks impact the reputation and financial stability of a business significantly. A robust risk mitigation strategy will result in various operational failures, leading to crises in organisational management. That is why many companies invest in designing a robust risk management framework. Operational risks are best discovered, controlled, and mitigated using a seven-step approach. It supports multiple facets and can alleviate numerous risks concurrently. 

Here is the 7-step approach to mitigate operational risk management:

1. Task segregation.

2. Curtailing complexities in business processes: Reducing complexity in different business processes mitigate operational risks.

3. Reinforcing organisational ethics.

4. The right people for the right job.

5. Regular monitoring and evaluation.

6. Periodic risk assessment.

7. Look back and learn.

 

See video on Operational Risk and Operational Risk Management: https://youtu.be/s2ogL-1wdaE

VIDEO TIMESTAMPS

00:00 – Introduction
01:07 – Operational risk
04:20 – Types of operational risk
05:35 – Impacts of operational risk
06:27 – Operational risk management
09:34 – Benefits of operational risk management
10:28 – How operational risk management works
11:48 – Operational risk management principles
13:53 – Operational risk management process
20:28 – Keys to reducing a firm’s operational risk
23:56 – The 7-step approach to mitigate operational risk management
27:08 – Conclusion

 

Consulting and Services