The gargantuan scope of Operational Risk Management
What constitutes Operational Risk (OR)? Just about anything. It can be as localised as a plumbing problem that makes the office toilets unusable, or new software that disrupts office systems across the organisation and its subsidiaries in different jurisdictions while making it difficult for customers to transact online. OR can be a nightmare, but with vigilance, care, planning and the application of Operational Risk Management (ORM) principles, organisations can mitigate nightmarish scenarios and minimise the fallout from risks that come with the territory. That’s what OR is: the risk of losses because of inadequate or failed processes, people and systems, or external events.
From the definition, it is clear that the scope of ORM, like the problems it must manage, is extensive. With ORM, there is no “higher risk, higher return” option either. High risk is always bad; the less operational risk there is for the organisation to deal with, the better. More risk inevitably means that things will get worse. On top of that, operational risks are constantly changing, shifting in intensity and consequence. What starts out as a minor operational risk may balloon into a major one in a matter of hours, such as heavy rain in one part of the country that then delays deliveries of much-needed manufacturing components.
Some parts of an organisation may appear to be more prone to operational risk than others, but overall uncertainty and the speed at which events occur are two reasons why ORM cannot be strategised for or implemented more in one subsidiary, business unit or department at the expense of others. ORM has to be a balanced, organisation-wide effort. If each unit undertakes its own ORM, it increases the possibility of duplicating mitigative/preventive efforts; or, even worse, one measure may end up cancelling out another. ORM will definitely not work if everyone keeps to their own silos. It has to be an integrated effort, as operations affect all aspects of an enterprise.
However, the need for integration notwithstanding, there should be clear ownership of operational risk wherever it is applied. This requires the appointment of people who will be responsible for ORM, who understand the operational risks that confront each subsidiary, unit or department. They need to identify the risks in their respective areas, and faithfully report the risk events that happen, regardless of how bad this could make them appear. Operational risk is all-pervasive; things will happen regardless of how many mitigative measures are in place. The risk will remain, although the severity of the impact may be mitigated if proper steps are taken beforehand.
There is no denying that ORM is a gargantuan task but, broken down into its different components, it becomes doable. ORM is an ongoing activity because situations and environments continuously experience change; there should be a review/feedback component built into ORM for evaluation of the measures taken. The organisation’s Risk and Control Self-Assessment (RCSA) should be applied to determine which ORM components need tweaking. Remember that prevention is always better than intervention; constant monitoring is necessary – not only to ensure that things are running as intended, but also to keep an eye on the cost of ORM.
“What gets measured gets managed” applies here. This need for consistent, ongoing vigilance where ORM is concerned makes it necessary for risk professionals to be at the forefront of developing the organisation’s risk policy, and ensuring that it is aligned with controls. Overall, the idea is to maintain oversight so as to keep the organisation running smoothly, regardless of the dynamics of the environment it operates in. Everyone in the organisation needs to be aware of the operational risks they face in their particular area, and how these tie in with the overarching risks of the firm. And they need to realise that sharing information is more effective than keeping it carefully under wraps.