Whose Role Is It To Manage Operational Risk?
What is operational risk? It is usually defined as the prospect of loss resulting from inadequate or failed procedures, systems or policies, or from external events. Generally, it is understood to be the uncertainties and hazards that an organisation has to deal with in the course of its day-to-day business activities. These can range from minor – small, anticipated, accepted human errors – to major events like fraud and corruption leading to bankruptcy, which have devastating, long-term consequences. Operational risk can also be human resource-related, such as frequent absenteeism, or stem from cybersecurity attacks that lead to the loss of confidential data. Internal and external fraud are considered operational risks as well.
Natural disasters such as typhoons, landslides and earthquakes are also operational risks, as are technology risks pertaining to automation and artificial intelligence. Categories notwithstanding, poor operational risk management is detrimental to firms; left unchecked, it can destroy a firm’s reputation and cause extensive financial damage. Regardless of similarity of operations or industry, each organisation has risks which are unique to its own situation. While a certain amount of operational risk such as employee error or system failure is almost always accepted as par for the course by organisations, proper strategies should be in place to manage it nevertheless.
Operational risk can manifest in the form of product failure, health & safety issues, supply chain or logistics problems, loss of talent, or even the failure to comply with specific regulations in certain jurisdictions. All of these could disrupt the business and, in turn, threaten its continued operation and its ability to generate revenue. Appropriate internal controls over processes and procedures should be instituted in order to manage these risks effectively, starting with the identification of the areas where the organisation is most vulnerable, and aligning this with the organisation’s risk appetite to determine its capacity for risk.
A firm’s objectives, its internal processes and procedures, and the environment it operates in are constantly evolving; its risks change in tandem. There is a need, therefore, to continuously monitor, report on and review operational risk and compliance measures, and to determine whether they are still fit for purpose. This begs the question of who should be in charge of all this. While internal audit has the responsibility of ensuring the overall integrity of the internal controls that keep operations humming, management and the board should establish a culture that supports robust operational risk management.
This may take the form of codes of conduct or written policies that clearly set out the organisation’s expectations of how staff perform their duties, how rules are enforced, and the consequences of not adhering to instructions and guidelines. Management should ensure that the appropriate level of training is made available to staff who require it. Operational risk pertains to how things are done; it reflects human-made processes and procedures, and is therefore also very much a human risk, or the risk of the business failing because of human error. It varies from one industry to another, and within industries themselves.
Subject matter experts opine that if overlooked, such risk, regardless of size, will lead to the manifestation of greater risks that may negatively impact the firm’s reputation and bottom line. Risks like business continuity, environmental risk, crisis management, occupational health & safety, and even IT can be subsumed under operational risk. Managing it has become a complex, challenging task because of this extended scope. Because operational risk management includes oversight of many elements and is primarily human-focused, appropriate governance is essential for it to be effective. An organisation’s operational risk management framework must include the processes needed to measure that risk.
To ensure that the framework can be effectively implemented, it needs to cover risk identification, risk assessment, measurement & mitigation, and monitoring & reporting. Risk identification should involve staff at all levels of the business for comprehensive results. Risk assessment should be done both qualitatively and quantitatively, with risks prioritised according to frequency and severity. The organisation can then decide what controls to put in place to mitigate them. Monitoring and reporting are instituted to ensure that the mitigating measures in place are suitable and functioning as intended. This calls for close cooperation between those dealing with operational risk management and internal audit.
Since operational risk relates to an organisation’s internal processes, it inevitably focuses on the risks that have the most impact on the firm, and on the staff who are responsible for those risks by virtue of their respective positions. The operational risk management governance structure is generally risk-averse and concentrates on protecting the organisation, its assets and its value-creating abilities. Business environments are never static; operational risks follow suit. Any significant changes therefore need to be reported to the board and senior management. Operational risk governance enables senior management to guide and direct operational risk strategy.
Operational risk, therefore, has to be managed by the board and senior management, supported by checks and balances put in place through the policies, frameworks, processes and procedures which they determine. When done right, operational risk management can position the organisation to optimise its resources, improve the reliability of business operations and reduce losses. It also deals with fraud, thus protecting the firm from damage. Above all, it strengthens the decision-making of the board and management where risk is concerned, and demonstrates to stakeholders that the organisation is just as prepared for crisis and loss as it is for sustainability, growth and competitiveness.