On a company’s risk dashboard, the signal for operational risk should be flashing red. Over the past ten years, losses from operational risk have soared. Companies that want to achieve a sustainable and profitable business need to focus on building a framework to manage operational risk.



What Is Operational Risk?


Operational risk summarizes the risks a company undertakes when it attempts to operate within a given field or industry. Operational risk is the risk not inherent in financial, systematic or market-wide risk. It is the risk remaining after determining financial and systematic risk, and includes risks resulting from breakdowns in internal procedures, people and systems.


This broad definition covers a myriad of non-financial risks, including conduct risk, fraud, cyber, vendor risk, privacy, unauthorized trading and information security.


Building an Operational Risk Framework


An operational risk framework is the totality of the structures, methodology, procedures and definitions that an organization has chosen for designing, implementing and monitoring risk management throughout the organization.


The foundations include the policy, objectives, mandate and commitment to manage risk. The organizational arrangements include plans, relationships, accountabilities, resources, processes and activities.


The risk management framework is embedded within the organization's overall strategic and operational policies and practices.


Risk Universe


Every organization should have a set of formal policies to manage and control all financial and non-financial risks – the so-called risk universe.


The risk universe is the full range of risks that could positively or negatively affect the ability to achieve long-term objectives.


Risk Management policies provide practical direction on how to safeguard the business from events with excessive operational, financial or reputational impact.





Risk Management & Internal Control Policy




Managing Operational Risk


Operational risk is the risk of losses that may occur due to inadequate or malfunctioning internal processes or systems, human error, criminal behavior or external events. Operational losses may have a direct impact (i.e. give rise to a quantified economic or financial loss) or an indirect impact (i.e. lower sales, opportunity costs or productivity losses in the future that may be hard to establish accurately).


Operational risks relate to areas such as integrity and fraud, crime prevention, human resources management, information and communications technology, information security (including risk of innovative multimedia), business continuity management, physical security and outsourcing.


Operational risk can be summarized as human risk; it is the risk of business operations failing due to human error. It changes from industry to industry, and is an important consideration to make when looking at potential investment decisions. Industries with lower human interaction are likely to have lower operational risk.


Operational risk focuses on how things are accomplished within an organization and not necessarily what is produced or inherent within an industry. These risks are often associated with active decisions relating to how the organization functions and what it prioritizes. While the risks are not guaranteed to result in failure, lower production or higher overall costs, they are seen as higher or lower depending on various internal management decisions.


Risk Management Cycle


A strong risk culture depends equally on a strong risk management framework and staff awareness, attitude and conduct. It is therefore important that personnel understand and follow the risk management cycle.


Risk management is a dynamic process, which needs constant focus and attention.

  • There can be no single prescription for all times
  • Decisions have to be made at short notice
  • Positions may have to be acquired and shelved
  • Views may have to be changed very often

All of these point to the complex nature of the risk management process.




Risk Management starts with identification. What risks are present or are emerging? This is more difficult than it sounds. It forces us to think about complex situations beyond our actual experience. Risks seldom occur twice in exactly the same way.

Leading companies have specific frameworks and tools that enable them to identify risks.




Having identified the risks you face, it is important, as far as possible, to attribute a value to those risks.

Some risks, such as exchange risk, interest rate risk and market risk, can be easily quantified. They can be measured using mathematical or statistical tools such as value at risk.


Some risks, such as country risk, operational risk and reputation risk, cannot be mathematically deduced. They can only be qualitatively compared and measured. Therefore, it is very important to identify and appreciate the risk and to quantify it.


Risk measurement tools seek to capture variations in earnings, market value, losses due to default etc., arising out of uncertainties with different risk elements.




Having measured the risks, you need to decide how much risk you are prepared to take.


Mitigating business risk is meant to lessen any negative consequence or impact of specific, known risks, and is most often used when business risks are unavoidable.


For example, an automaker mitigates the risk of recalling a certain model by performing research and detailed analysis of the potential costs of such a recall. If the capital required to pay buyers for losses incurred through a faulty vehicle is less than the total cost of the recall, the automaker may choose to not issue a recall.


Similarly, software companies mitigate the risk of a new program not functioning correctly by releasing the product in stages. The risk of capital waste can be reduced through this type of strategy, but a degree of risk remains.




You then need to review the outcomes from the process. Risk monitoring is a major element of risk management. Generally, it is mentioned as the last element, but certainly not less important than any other element.


Risk management is just like any other management function and therefore includes a process of organizing and planning.


Once the basic risk management plan is in place, monitoring risk means reviewing and updating it continuously.


Easy Guide to Build a Framework to Manage Operational Risk


Here is an easy step-by-step guide for organizations looking to improve their management of operational risk:


1. View Risk As An Enterprise-Wide Challenge


By managing risk enterprise-wide, a company will develop a unified picture for decision-makers and improve the organization’s ability to manage risk effectively. Adopting an operational risk management approach helps companies achieve greater risk reduction by optimizing resources.


2. Standardize The Risk Assessment, Quantification, And Prioritization Processes Across The Enterprise


This allows managers to make meaningful and better decisions regarding operational risk. Once an organization has established its operational risk management structure, adequate procedures should be designed and implemented to ensure execution of and compliance with these policies at business line level.


3. Integrate Risk Awareness Into The Culture


A risk management program relies on the workers to execute; if the workforce doesn’t buy in, the program will fail. An organization’s top management must identify, assess, decide, implement, audit and supervise their strategic risks. There should be a strategic policy at the board level to focus on managing risk at all levels, and conscious efforts should be made to ensure that these policies are communicated at all levels and across the entire company. When an organization reliably and regularly applies operational discipline, a ripple effect of benefits occurs, each having the power to unleash rapid and continuous improvement as well as waves of innovation. Ideally, operational discipline becomes a part of a company’s culture, driving significantly improved results.


4. Build A Standardized Framework With Controls, Escalations, And Contingency Plans To Manage Risk


This allows organizations to ensure and create value for their stakeholders, employees, and customers. Consistently high-performing companies benefit from “doing it right every time,” but they then leverage their error-free operations to focus on and address other critical operational improvements within the organization that allow it to reach operational excellence.


5. Collaborate Across Functional Departments To Jointly Manage Risks


This allows different viewpoints to get a look at the problem, which helps to ensure risk is managed from all angles. It is important that the resulting roadmap be standardized across the company.  Standardization reduces variations that can lead to ineffectiveness and ensures that every worker who is charged with the responsibility of improving a process approaches it in the same way, using the same techniques, which enables effective implementation. This prevents numerous departments, sites and functions across the company from “re-inventing the wheel,” which only adds to corporate costs.


6. Utilize Software To Maximize Your Operational Risk Management Program


Technology helps to sift through the reams of data and highlight important and relevant information from the useless and unnecessary. There are modern GRC tools that help you to improve compliance and gain efficiencies. Such software takes an inventory of your assets, risk factors and metrics and ‘cross-relates’ them to business processes, projects and KPIs. The result is actionable analytics and reliable, automated reporting on operational and strategic risks.


7. Centralize The Storage And Dissemination Of Risk Information


There are two benefits to implementing such a system: data accessibility and increased risk exposure to employees. With centralized storage, an organization’s data can be consolidated and replicated to data centers for disaster recovery and long-term. Such a policy-based, management-driven model saves companies time and money and mitigates operational risks.



I hope that this easy guide to build a framework to manage Operational Risk will help you to assimilate risk management practices into processes, systems and culture. Please share your comments, your views and case studies on what works and what doesn't in your practice.

