Operational Risk

Operational risk refers to the risk of losses resulting from errors or inefficiencies in a business’s everyday operations. It’s a type of unsystematic risk, meaning it’s specific to a particular business or industry. This is opposed to systemic risks in overarching political or economic processes.

‍

It's a core factor for risk management in banking.

In general, the operational risk framework includes five dimensions:

‍

‍

We’ll now briefly describe how each of these relate to operational risks.

‍

‍

Operational risk related to people typically comes down to problems of either quality or quantity. In terms of quality, a company may not have staff members with the appropriate skill sets to solve specific challenges, for example. In terms of quantity, for comparison, a company may get caught with not enough employees on duty to handle high-volume business periods.

‍

This problem is largely handled by hiring or activating more employees. However, that comes with further complications: selecting appropriate candidates, training them properly, enticing them to stay with the company, and so on.

‍

‍

Every business has processes: sequences of tasks that must be followed in order for the company’s operations to run correctly. Operations risk tends to happen here when companies don’t refine their processes or don’t fully document what must be done for them.

‍

This can happen if a company experiences high turnover. For example, new employees keep coming in who aren’t totally familiar with how things should be done at the company.

‍

‍

Systems refers to the software and hardware a company uses to help manage its operations. Operation risk can happen here because these systems are improperly configured, out of date, or not designed to handle what a company needs them to do. Risk can also be related to a business’s systems not being as efficient as one or more of its competitors.

‍

‍

Risk to a company’s operations can also come from outside the company itself. Sometimes it’s simply related to the nature of business, such as partnered businesses not fulfilling their contractual obligations. Other times, it can be related to things like environmental factors, such as storms or other inclement weather that can prove to be obstacles for a company’s logistics.

‍

‍

This is sometimes called operating risk related to legal and regulatory compliance. It’s about deficiencies in processes and systems that leave them vulnerable to being exploited for criminal activities.

‍

These threats often come from outside a company, such as cybercriminals taking advantage of bugs or other loopholes in the company’s system security. However, they can also come from inside a company, such as employees conspiring to steal money by taking advantage of a lack of internal process controls.

‍

The categories above can be broken down into more specific types of operational risk. Here are seven common operational risk examples.

‍

• Shady business practices: Companies that engage in misleading advertising, selling defective products (knowingly or not), or ignoring regulatory business requirements (such as doing anti-competitive things like price-fixing) have a higher degree of operational risk.
• Technological failures: Businesses that rely heavily on computer systems to automate their processes face increased operational risk of a software error or hardware damage causing the system to function improperly – or even shut down.
• Adverse environmental conditions: Depending on what industry a business is in and where it’s located, things like inclement weather or natural disasters can pose an operational risk to the company’s logistics or physical infrastructure.
• Lack of workplace safety: Failing to address incidents or hazards that threaten employees’ physical or mental health constitutes operational risk. It may cause high employee turnover, and even penalties from regulatory agencies.
• Faulty process execution: Human errors in data entry, accounting, and other everyday business tasks create operational risk. They can cause a company to miss meeting its obligations, or mislead managers into choosing ineffective business strategies.
• External fraud: Companies with insufficient cybersecurity, identity verification/authorization, and fraud detection incur operational risks. They are vulnerable to clients abusing them to launder money, hackers looking to steal sensitive information, and other types of fraudsters.
• Internal fraud: A lack of internal process controls can create operational risks for internal fraud. Employees may conspire to embezzle funds, or senior management officials may abuse their positions to misappropriate assets or use privileged information to gain unfair advantages.

‍

So how does a business deal with operational risk? We’ll discuss that next.

‍

Fortunately, operational risk is something that can be avoided – or at least controlled. Here is a standard operational risk management framework for identifying and dealing with operational risk.

‍

‍

1. Identify Current Risks and Anticipate Future Ones

The first step in managing operational risk is to brainstorm everything that could reasonably go wrong with a business, based on what industry it’s in and how it specifically operates. This should involve employees from every level of the organization in order to cover all the different dimensions of operational risk.

‍

It should also consider what risks may present themselves down the road, due to both changing external circumstances and possible business moves the company might make. If these risks do come up, the company will already have an idea of whether it will want to try to avoid or mitigate them, or else just accept them.

‍

‍

2. Assess and Prioritize Risks

The next step is to do an operational risk assessment. This involves a company conducting a data-driven evaluation of factors such as:

‍

• How likely each identified risk is to cause a problem
• How soon each risk is expected to cause a problem
• How severe each of these problems is likely to be
• The potential upsides of accepting certain kinds of risks

‍

Based on these estimations, a company can make a series of decisions regarding its risk management strategy. These include:

‍

• Which order to address risks in
• Which level of the business should address a certain risk
• Whether to accept, mitigate, or avoid a particular risk

‍

‍

3. Put Risk Mitigation Measures into Action

Once a company has prioritized which risks to act on and which actions to take, it needs to actually start putting the controls in place. Some risks may be able to be avoided entirely, while others may have to be simply reduced to levels that the company can tolerate.

‍

Another strategy is to delegate responsibility for risks to outside parties, such as insurance companies. And some risks may simply be accepted because their costs are far outweighed by their benefits.

‍

‍

4. Monitor and Report on Ongoing Risk Management Efforts

Operational risk management is an ongoing process. So it’s essential to monitor both risks and the controls on them continually. In some cases, risks may need tighter controls. In other cases, risk controls may be too costly and need to be relaxed for a better risk-reward balance. This is especially true because the amount of threat that certain types of risks represent for a business can increase or decrease, based on changing circumstances.

‍

Also, remember that these changing circumstances aren’t always totally predictable. So it can be useful for a business to have a contingency plan in place if an unforeseen obstacle presents itself.

‍

‍

The good news is that a business can control operational risk to a certain extent. However, it involves a continuous process of data-gathering, analysis, decision-making, and revision based on feedback. It makes sense to get help with it from tools such as Unit21’s consolidated risk management platform. To see how it can help your organization manage risk, contact us to book a demo.

‍

‍