The 8 operational risk categories you should know
Operational risk is the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Managing it is essentially juggling every aspect of operations: everything passes through your hands, and you cannot afford to take your eyes off the objects you are juggling for even a second. As environments grow more complex and volatile and as market uncertainty increases, tighter and more stringent management is becoming necessary, but many firms are finding themselves barely able to keep up. For numerous organisations today, keeping operations under control has become a daily struggle. Risks that arise while the business is in operation need to be managed, and it often has to be done on the fly, quickly and with as little disruption as possible.
The taxonomy of operational risk can be organised into eight main categories: fraud; non-compliance with regulations; legal and liability losses; information security breaches; physical security breaches; inappropriate business practices; disaster recovery and business continuity; and human resources. Within the fraud category, bribery and theft of assets or funds (or even stationery) by staff constitute internal fraud, whereas incidents involving forgery or identity theft, for instance, are considered external fraud. Operational risk management is what has to be applied to mitigate these disruptions and, as far as possible, ensure business as usual. The term itself, however, does not adequately convey that this is a continual, cyclical process of risk assessment, risk decision-making and implementation of risk controls, all of which are necessary to keep operations on track.
In operations, risk can appear unanticipated from any part of the organisation, not just as disruptions to production or hacking of its networks. The firm may unknowingly be in breach of contract; its overseas subsidiaries may not be complying with foreign regulations; or some of its products may be defective or falsely advertised. Threats and challenges confront all businesses. A major area of operational risk in the current environment is disaster recovery and business continuity, particularly in the event of pandemics (e.g. Covid-19), natural disasters such as earthquakes, floods or tsunamis, and human-made events such as strikes, riots or war.
With so much to juggle, where does the operational risk manager even start? There are three points to keep at the forefront of operational risk management: maintain your business infrastructure, such as information systems, organisational policy, internal controls and risk management; ensure your internal audit function is operating effectively; and price your operational risk management appropriately. Ideally, the organisation should carry out a thorough risk assessment, decide how to treat the risks, monitor implementation and review the outcomes. As far as possible, the firm needs to identify and assess the challenges it anticipates, make decisions about the risks these present, implement the necessary controls and maintain continuous supervision.
It should determine whether the resources needed to address these challenges are available, and how to obtain them if they are not. These resources may be physical, such as special equipment, or human, including the time existing staff must allocate to establishing a viable operational risk framework. Proper documentation and reporting, which are critical, also take time and resources.
The mere thought of having to put all this in place may be off-putting; the question that forms in most minds is inevitably, "Is all this really necessary?" Strictly speaking, it is not. But the more effective controls are in place, the easier it will be to mitigate potentially disruptive events. When one thinks of all the things that could happen and the fallout from those events, and contextualises them within the current business and market environment, the realisation that you need all the help you can get will be overwhelming. And because you know your business, there is nobody who can help you better than yourself.
Some benefits of operational risk management may not be immediately obvious, but two major ones are the potential reduction of operational losses and lower compliance and auditing costs. Additionally, the comprehensive assessment of the organisation's systems that comes with operational risk management will help detect shortfalls and problems early and allow more effective early mitigation, thereby reducing the firm's potential risk exposure. Organisations are likely to see improvements, and as the organisation improves, so will the confidence of shareholders and stakeholders.