In much the same light as the management of market risk and credit risk is vital to preserve a business. Many banks and firms see operational risk and its management only as a response to the requirements of regulators.
They see operational risk from a totally different viewpoint to the management of market risk and credit risk. The latter two are accepted as being vital to ensure the survival of the business, while operational risk is seen as something else entirely. For many businesses the management of operational risk is perceived as a nuisance with added costs and other inconveniences imposed by some outside bureaucrat.
Of course this perception is totally wrong.
In this article we are going to examine the 8 key issues that one needs to keep in mind when managing operational risk. Let us begin with a definition of operational risk.
“Operational risk is the risk of loss resulting from inadequate internal processes, people, and systems or from external events”.
Operational risk can be equated in a broad sense with unexpected risk, meaning that while we may have a pretty good feel for risks such as credit risk or market risk which can often be anticipated with a fair amount of accuracy, when we get to the operational side this usually is pretty much an unknown quantity.
Let’s look a little more closely at the elements of this definition. What do we understand by some of its components?
“People” – People are employees; our workers. Employees can make mistakes. These could be intentional or unintentional. People also often fail to follow correct procedures which can result in losses.
“Processes” – All business activities are made up of processes. These may be complex sequences of events such as one finds in a factory engaged in manufacture or a more simple sequence of tasks involved in taking an order and dispatching the goods to a purchaser. All activities involve procedures. Just think of all the detail involved in the procedure that we all follow each and every day when we wake up and get ready to leave home to go to work. If there are deficiencies in an existing procedure, or if no procedure is defined, this could result in losses.
“Systems” – Most procedures require the use of outside apparatus. These could be computer systems or machinery or tools. Getting back to our waking up “process” something like our toothbrush can be seen as such a system.
“External events”– Our processes take place in the wider world. This environment is constantly under threat of disruption. Disruptions could be bad weather, natural disasters, pandemics, political turmoil, social unrest and so on.
Within this context there are eight key issues that need to be addressed if management of Operational Risk is to be effective.
- Internal Environment. The internal environment relates to how the firm sets the tone and what is called its “risk appetite”. This relates to the firms’ policy in relation to risk and the extent to which the firm is prepared to accept risk. Remember that risk cannot be eliminated entirely but it can be mitigated.
- Setting Objectives. Based on the firm’s defined risk appetite explicit objectives can now be set in terms of “risk events” and their management.
- Event Identification. This is a definitive list of what risks the firm faces and how they can be identified.
- Risk Assessment. It is vital that in reviewing the risks these have to be understood in terms of the dangers that they present to the firm. This assessment requires an analysis of and an understanding of what these risks are.
- Risk response. What is the firm going to do about the risk? What actions is it going to take to reduce and mitigate these risks or to compensate for the potential loss?
- Control Activities. This is part of the risk management process that in advance develops plans to respond to these previously identified risks.
- Information and communication. A vital part of managing risk is effective communication and information to people both inside and outside the organization in relation to the roles and the responsibilities they have in responses to the various risks.
- Monitoring. This is the ongoing process of reviewing and evaluating the business processes and the effectiveness of the risk management programme.
Managing Operational Risk is a continual task. It is not something one does and then simply forgets about. It has to be practiced all the time. To use an old adage “Operational risk management is a journey, NOT a destination.”
Learn more about how Empowered Systems’ Connected Risk product can assist you with your operational risk and compliance journeys: https://empoweredsystems.com/connected-risk/.