What keeps CEOs, COOs, CIOs and CFOs up at night? It is not only the C-suite that worries; nobody sleeps well if they expect to wake up to a natural disaster or a pandemic. The thought of systems, processes, and the people who run them failing is alarming to anyone who manages such operations. Yet that is the risk every organisation, including not-for-profit ones, takes when it sets up shop. Operational risk, unlike market or credit risk, which a business takes on in the expectation of a return, carries no associated return. On top of that, it is constantly changing: what is an operational risk today may not be one tomorrow, which further complicates matters. Operational risk also affects every component of an enterprise; it is an enterprise-wide risk.
The rule of thumb that higher risk should bring higher returns does not apply to operational risk, so higher operational risk is never desirable. What exactly is operational risk? It is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events over which the organisation may have no control. Because it is an enterprise-wide risk, it has to be managed in an integrated manner, not confined to the subsidiary, department or unit perceived to be operationally riskier than the others. Operational risk management (ORM) cannot work effectively if the organisation is divided into silos.
ORM used to be undertaken in an uncoordinated manner by individual departments or units, on the assumption that each knew its own operational risks best and was therefore best placed to mitigate them. It was later realised that in a silo environment the separate approaches taken by different units would reduce each other's effectiveness or, worse, cancel each other out. With a multitude of approaches, units tend to work at cross-purposes, duplicating effort and wasting resources. At its core, ORM seeks to identify the various operational risks and understand how they can materialise.
The impact of each risk is then assessed, the level of control required is identified, and resources are allocated accordingly. This is a continuous process because operational risks do not stand still; they are dynamic and shift in response to the internal and external environment. ORM entails constantly staying on top of things: being vigilant and keeping a finger on the pulse of the organisation and its environment. Organisations need to be aware of what is going on outside their own industry too, and to ascertain whether events beyond their business can affect them negatively. In parallel, the organisation has to ensure that internal systems, processes and procedures are functioning as intended.
It is a constant juggling act: risks need to be identified as they shift, and clear ownership of each must be established. Risk managers should help identify them and support strategy, whether or not the risks can be controlled. The importance of knowing these risks cannot be overstated, since nobody knows how quickly they can change. Prevention is always better than intervention, which may come too late. Risk managers need to establish preventive measures by helping to formulate policy and aligning it with controls, while continuing to support their other functions. They should also ensure that an appropriate risk culture and awareness develop across the organisation.
If something can go wrong, it will. ORM essentially reduces the impact of any untoward event by mitigating the risks associated with it and creating awareness that such an incident is possible. It helps ensure that regulations are complied with, and helps the organisation choose the measures that will mitigate a situation most cost-effectively. Which measures are appropriate has to be decided in the light of the organisation's risk appetite and risk tolerance. A risk appetite statement, in particular, helps align operations, as it lays out what is acceptable and unacceptable risk.
Everyone in the organisation should know what the organisation's risk appetite is. It establishes the boundaries within which the firm can operate and guides decision-making. It is also linked to effective management, good corporate governance, transparency of operations, and the organisation's responsibility to its stakeholders. To enable all this, ORM requires constant watchfulness to ensure that all systems are performing. Risk and Control Self-Assessment (RCSA) may be applied to evaluate whether processes, procedures and controls are up to scratch and function as intended.
At the end of the day, ORM is about making the business more efficient and keeping it running as smoothly as possible, in a sustainable way. As with most risk-related matters, there is no one-size-fits-all solution; there are only methods that can be applied according to the situation and the nature of the business. There are a multitude of factors to consider, and these inevitably vary between industries, companies, business units and departments, hence the need for extensive coordination if ORM is to function effectively. But even the best laid plans can go awry; perhaps the most effective ones are based on a deep, clear understanding of what the business is, and how fast it can pivot in times of adversity.