What do you need to know about operational risks?
For every day that it “lives,” a company will inevitably face risk, internal and external. Sometimes these risks “come with the territory” but they can also be of the organisation’s own making. There is no business that can operate totally without risk. All businesses experience it, albeit perhaps with differences in intensity and velocity. Some businesses deal with risks that may be unique to them and their respective industries; others may have risk areas in common, but risk is inherent in any business. Risks that emerge in the course of doing day-to-day business in any industry are called operational risks. These could extend from something that goes wrong with the organisation’s systems, procedures or people, to outside factors stemming from the country’s economy, natural environment or political conditions.
It’s because of people
Operational risk is primarily human risk because it is tied significantly to human-dependent processes, procedures and functions. The success of these is largely premised on human efficiency. The higher the possibility of human error, the greater the operational risk. For instance, automated equipment may fail because of poor manual maintenance. This failure is an operational risk. Employees who steal from the company, or capitalise on their positions in it to commit fraud or steal confidential information, also constitute operational risk. Besides theft, fraud and systems failures, operational risk includes inadvertent errors made by employees in the course of their duties. These are all considered operational risks and can cause major disruption to the business.
Even if they cause minimal disruption, this can compound over time to produce major headaches. While most organisations are to some extent tolerant of human error, there are limits to this. Operational risk assessment helps companies set their risk appetites, i.e., how much risk they can bear, and establish measures that will help them identify risk areas and set up mitigative action. But operational risk management is not just for helping businesses get through their day-to-day operations without major incident; if there are no proper mitigative procedures in place, the firm will inevitably develop a reputation for poor operational risk management, which will be damaging in the long run. Operational risk management strategy therefore must include business continuity and disaster recovery plans.
Security has a vital role
In this age of instant communication, these plans should cover confidentiality and information security as well, because miscommunication and fake news can be just as damaging to a company’s reputation as natural disasters could be to its physical set-up. Cyber and data security are among the top priorities of companies, as transactions worth billions are done electronically every day. Part of operational risk where cybersecurity is concerned is effectively managing the fallout of cyberattacks, which may cause long-lasting, expensive damage. Together with beefed-up cybersecurity will come even more technological changes, which may be as disruptive as the disruptions they are intended to mitigate. This means heightened operational risk, particularly if this advanced technology fails.
Threats at every turn
Assessing operational risk is not a simple task. In addition to systems and equipment failure, there is the threat of internal and external fraud, both of which result in operational losses. Fraud is a major operational risk and is particularly insidious as it can take on many forms, depending on the creativity of the person perpetrating it. The added danger of fraud is that besides causing financial loss, it is potentially indicative of a significant security breach with other implications, such as loss of confidential data which may prove detrimental to the company’s long-term competitiveness. Theft of data may affect the firm’s R&D efforts, for instance, which may delay its plans to bring new products to market, thus diminishing its future revenue stream.
Fraud can also be perpetrated by external parties like contractors to whom certain operations processes have been outsourced. Some examples of such outsourced contracts include the maintenance of specialised industrial equipment, IT services like the building of websites, or financial services like salaries, billing and collections, where external parties would require access to internal networks and confidential information in order to perform the services. As companies increasingly depend on outsourcing to streamline their operations and improve their efficiency, they are becoming increasingly vulnerable to the related operational risks as well.
Sometimes impossible to anticipate
While many threats originate internally, external factors can cause equal damage – and are sometimes completely beyond the control of the firm. As unlikely as it may seem, some companies actually do have contingency plans in place in the event of physical attacks, especially if they have subsidiaries in politically unstable countries. Their assets in these hotspots are at risk and will need protection if business is to continue. Besides natural disasters, physical disruptions also include actual sabotage of company equipment, damage to assets or strikes that interfere with business.
As anything that may cause business disruption is an operational risk, putting mitigative measures in place is something of a necessity, but the cost of such measures and the resources that have to be allocated will depend on the firm’s priorities and its risk appetite. It will also depend on whether or not the firm sees itself as a part of its chosen industry for the long haul. If it feels invested enough, it will institute measures to mitigate operational risk, to ensure it maintains its competitive edge and positioning.