Operational risk is something all organisations have to deal with. It is inherent in all business activities, and can include fraud, physical damage, business disruption, transaction failures, legal and regulatory breaches, employee health and safety hazards. If not carefully managed and monitored, it may result in financial losses for the organisation as well as market share loss and reputational damage. To stay effectively in business, therefore, and remain competitive in order to continue creating value, organisations need to take operational risk management (ORM) seriously. Failed policies, processes, systems or substandard staff performance may ultimately affect the firm’s bottom line.
But effective ORM is also capable of identifying opportunities amid adversity. Identifying risks and recognising possible business opportunities which may emerge, could be a deciding factor in whether the organisation remains in business, in an environment which grows more challenging by the hour. Operational risk is usually part of a chain reaction that leads to greater risk that results in organisational failure. The term is sometimes used to refer to the risk in operating an organisation as well as the processes used; ORM therefore focuses on protecting the organisation from business disruptions because this has a direct impact on its ability to create value, i.e., its long-term prosperity.
Adversity, whether in the form of economic crises, natural disasters, political turmoil, acts of terrorism or full-on threats to global health, have a way of pushing organisations into a downward spiral of uncertainty and consequently, decreasing competitiveness. This directly affects their sustainability and growth; the longer they remain in that situation, the harder it becomes to extricate themselves. But leaving aside catastrophes and natural disasters beyond the firm’s control, any organisation will want to reduce or mitigate its most damaging risks to acceptable levels – hence the need for constant monitoring. Even small issues or slipshod oversight over controls could snowball into larger risks.
They could then manifest in organisational failure, damaging both a company’s financial health and its reputation. These are just some of the myriad, game-changing risks that businesses need to manage. But managing risks responsibly and effectively is easier said than done. Perhaps the best approach is to recognise that effective ORM creates the resilience to withstand adversity because when dealing with ORM, every aspect of the organisation’s objectives has to be considered. The operational risk management framework it puts in place will therefore require components that will enable it to identify, assess, measure, mitigate, monitor and document these risks.
In this way, the firm will be able to determine what to do with the risk, i.e., whether to accept it as part and parcel of doing business, or manage it so that any loss incurred is bearable or may be recouped. Making decisions about what to do with risk is the responsibility of senior management and the board, which sets the appropriate policy. Establishing the correct operational risk management guiding principles from the outset will go a long way towards successfully embedding an operational risk management framework to help achieve the organisation’s objectives.
Besides making it clear to stakeholders, including staff, customers and suppliers, that “this is how we do things,” having well-defined ORM signals that the company has foresight and is prepared to deal with eventualities to the best of its abilities and resources. Effective ORM combines the capacity to prepare for risk with the ability to cope with what happens next so that business can continue uninterrupted, or at least carry on at a level which does the least damage. This puts the firm at an advantage and increases investor confidence; it can also result in better brand recognition and strengthen its reputation.
Applying ORM principles also raises awareness of employees, and helps them have a more positive perception of risk, while they improve their management of it. They may start to see the impact of the hazards which come with the risks, and develop a better appreciation of the benefits of effective ORM. But the application of ORM needs to be proactive, systematic and across the board, for it to function effectively and impact positively on the organisation’s prosperity. Planning for the mitigation of operational risks means planning for optimum utilisation of corporate resources; it indicates that board and management are performing professionally, taking care of the organisation’s interests and practising good governance.
Most businesses today are aware of the need for more stringent ORM, given that the operating environment has become increasingly volatile, uncertain, chaotic and ambiguous. Conditions are challenging, and likely to remain so for a while. Cyberattacks, fraud, forgery, identity theft – there has been an upswing in all of these in recent years. The pandemic has not made the situation any easier; many firms are stretching resources to the limit just to remain going concerns. Sometimes having to put in tighter controls is the last thing they can afford.
But researchers opine that the biggest challenge may be the availability and quality of information that is required to identify, assess and manage risks effectively. The right information is crucial to the decision-making process; and making the right decision is imperative to supporting the organisation’s efforts to sustain its prosperity.
