Different businesses encounter varying types of risks specific to what industries they’re in, where they are in the world, and how they conduct their daily operations. Collectively, these factors are known as operational risk.
This article will offer an operational risk definition, including the main categories of operations that tend to subject a business to risk. It will also outline some examples of operational risks based on these categories, and offer a framework for managing operational risk.
Operational risk refers to the risk of losses resulting from errors or inefficiencies in a business’s everyday operations. It’s a type of unsystematic risk, meaning it’s specific to a particular business or industry. This is opposed to systemic risks in overarching political or economic processes.
In general, the operational risk framework includes five dimensions:
We’ll now briefly describe how each of these relates to operational risk.
Operational risk related to people typically comes down to problems of either quality or quantity. In terms of quality, a company may not have staff members with the appropriate skill sets to solve specific challenges. In terms of quantity, a company may get caught without enough employees on duty to handle high-volume business periods.
This problem is largely handled by hiring or activating more employees. However, that comes with further complications: selecting appropriate candidates, training them properly, enticing them to stay with the company, and so on.
Every business has processes: sequences of tasks that must be followed in order for the company’s operations to run correctly. Operational risk tends to arise here when companies don’t refine their processes or don’t fully document what must be done for them.
This can happen if a company experiences high turnover. For example, new employees keep coming in who aren’t totally familiar with how things should be done at the company.
Systems refers to the software and hardware a company uses to help manage its operations. Operational risk can arise here because these systems are improperly configured, out of date, or not designed to handle what a company needs them to do. Risk can also be related to a business’s systems not being as efficient as those of one or more of its competitors.
Risk to a company’s operations can also come from outside the company itself. Sometimes it’s simply related to the nature of business, such as partnered businesses not fulfilling their contractual obligations. Other times, it can be related to things like environmental factors, such as storms or other inclement weather that can prove to be obstacles for a company’s logistics.
This is sometimes called operating risk related to legal and regulatory compliance. It’s about deficiencies in processes and systems that leave them vulnerable to being exploited for criminal activities.
These threats often come from outside a company, such as cybercriminals taking advantage of bugs or other loopholes in the company’s system security. However, they can also come from inside a company, such as employees conspiring to steal money by taking advantage of a lack of internal process controls.
The categories above can be broken down into more specific types of operational risk. Here are seven common operational risk examples.
So how does a business deal with operational risk? We’ll discuss that next.
Fortunately, operational risk is something that can be avoided – or at least controlled. Here is a standard operational risk management framework for identifying and dealing with operational risk.
The first step in managing operational risk is to brainstorm everything that could reasonably go wrong with a business, based on what industry it’s in and how it specifically operates. This should involve employees from every level of the organization in order to cover all the different dimensions of operational risk.
It should also consider what risks may present themselves down the road, due to both changing external circumstances and possible business moves the company might make. If these risks do come up, the company will already have an idea of whether it will want to try to avoid or mitigate them, or else just accept them.
The next step is to do an operational risk assessment. This involves a company conducting a data-driven evaluation of factors such as:
Based on these estimations, a company can make a series of decisions regarding its risk management strategy. These include:
Once a company has prioritized which risks to act on and which actions to take, it needs to actually start putting the controls in place. Some risks can be avoided entirely, while others can only be reduced to levels that the company can tolerate.
Another strategy is to delegate responsibility for risks to outside parties, such as insurance companies. And some risks may simply be accepted because their costs are far outweighed by their benefits.
Operational risk management is an ongoing process. So it’s essential to monitor both risks and the controls on them continually. In some cases, risks may need tighter controls. In other cases, risk controls may be too costly and need to be relaxed for a better risk-reward balance. This is especially true because the amount of threat that certain types of risks represent for a business can increase or decrease, based on changing circumstances.
Also, remember that these changing circumstances aren’t always totally predictable. So it can be useful for a business to have a contingency plan in place if an unforeseen obstacle presents itself.
The good news is that a business can control operational risk to a certain extent. However, it involves a continuous process of data-gathering, analysis, decision-making, and revision based on feedback. It makes sense to get help with it from tools such as Unit21’s consolidated risk management platform.