Operational risk relates to losses resulting from inadequate or failed internal processes, people and systems, or external events. These may occur in an organisation’s day-to-day operations, and may involve internal resources and systems, procedures and the organisation’s employees. Operational risk may also result in data loss, equipment malfunction or high staff turnover. These could all impact negatively on the business, and, by extension, how the organisation is able to implement its strategy. Risks like these need to be reduced or mitigated so that the business will be impacted as little as possible, should they occur.
The firm’s internal practices, policies and systems may not adequately prevent losses, as environmental conditions are also in play. However, if operational risks are allowed to carry on unmitigated over a period of time, the firm may see substantial losses. For instance, occasional instances of pilferage may occur but staff may not report these due to oversight issues or the lack of controls. If these ‘small’ instances continue, they could snowball into big losses for the firm, and more serious impacts, such as reputational damage in the long term.
Operational risk managers help their organisations mitigate risks stemming from internal processes and procedures, systems and networks, and the workforce. They do this through investigating the processes, procedures, systems and networks in order to determine where controls should be implemented or tightened. Operational risk managers are crucial to the firm because of the due diligence which they conduct in the process of carrying out their duties. This information keeps board and management abreast of areas of potential risk, and flags possible pitfalls and potholes to avoid; mitigative measures can thus be put in place.
The work of the operational risk manager also extends to analysing the causes of operational risks or failures, and developing appropriate measures for mitigation. To do this, they will have to review and evaluate new or revised processes to ensure suitability. Measuring and monitoring, gathering risk-related data, and identifying operational risk trends for their respective industries are also among the many critical tasks of the operational risk manager. Depending on their individual organisation’s requirements and the type of industry they are in, the work of the operational risk manager will vary but their primary responsibility will not change: to ensure effective mitigation of operational risks and improve the firm’s processes.
The nature of the job requires an operational risk manager to have above-average skillsets as the roles and responsibilities of the operational risk manager are extensive. He/she needs to be able to identify and mitigate potentially damaging risks before untoward events occur. Being constantly abreast of organisational and industry developments is imperative, as operational risk managers need to have a handle on what is going on with the business at any point in time, and be prepared to advise how best to deal with it. The ability to monitor, review and communicate the impact of the risk is a must; today’s business environment is dynamic and changes faster than risks can be identified.
Firms that see a need for an operational risk manager will have to look for candidates with a range of skills, including analytical ability, technical proficiency and emotional intelligence. These candidates will also need a thorough understanding of process, risk and control design. Besides these, they should also have knowledge of governance; experience in data management and technological processes is also desirable. In addition, they will need interpersonal skills for interaction with staff at all levels as well as sound business judgement and strong analytical skills. The job will require people who can think independently and work without supervision, but engage with board and management when required.
Operational risk is a relatively recent field but a demanding one. Many organisations have failed in this key area because operational risk is complex and involves different types of risk – fraud, insider trading and cyber risk, among others – which are themselves becoming more sophisticated. The general business environment and how business is conducted today are changing as well, spurred by digitisation and automation, machine learning and artificial intelligence. These in turn have the ability to spark other issues like decision bias and unethical use of information.
Operational risk managers need to be problem-solvers, investigators and analysts. They need to identify and evaluate risks, investigate their root cause(s) and offer mitigative solutions – tasks often complicated by limited timeframes and the need for detailed documentation. The role also includes understanding and being able to comply with regulatory obligations. Organisations looking for operational risk managers should seek people who are concerned about making improvements to processes and procedures, are constantly on the lookout for ways to do things better – and are prepared to ask the hard questions to get the job done.