Know your operational risks
By CPA Calistus Wekesa (PhD)
Being a good steward of business today requires financial institutions to truly get out in front of those high impact risks. Doing the upfront work necessary to identify risks and put in place strategies to minimize the chances of loss is becoming more and more important, especially as the damage to people, brands, and profits becomes amplified in today’s connected world. Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events.
There is a huge variety of specific operational risks. By their nature, they are often less visible than other risks and are often difficult to pin down precisely. Operational risks range from the very small, for example, the risk of loss due to minor human mistakes, to the very large, such as the risk of bankruptcy due to serious fraud. Operational risk can occur at every level in an institution. The type of risks associated with business and operation risk relates to:
- Business interruptions
- Errors and/or omissions by employees
- Product failures
- Health and safety issues
- Failure of IT systems
- Loss of key staff
- Loss of key suppliers
Operational risks are generally within the control of the institution through risk assessment and risk management practices, including internal control and insurance.
All financial institutions are familiar with operational failures and should already have plans and processes in place for the management of these risks. The most obvious day-to-day problems that affect every financial institution include failure to reconcile payments and receipts, transactions entered incorrectly by staff, a key transaction system failing after a computer system upgrade, and external events such as a power failure.
Knowing your operational risks is the obvious first step. But managing and mitigating risks is the best approach. Here are some key considerations:
Identifying Operational Risks
First and foremost, identifying the risks to your business operations is instrumental. Operational risk sources may be internal or external to the business and are usually generated by people, processes and technology. Identification is one of the most important areas of managing risk. Failure to identify a risk will certainly mean that no action is taken to manage it. There are a number of different techniques that can be used to identify risk. A common method used in risk identification is the use of workshops to ‘brainstorm’. This can be used at different levels of the institution and can identify a large number of risks in a short time. Process mapping and self-assessment questionnaires are other common methods used to identify operational risks. To keep ideas flowing, it is important to keep identification sessions focused on identifying risks and not to move on to evaluating them. Operational risks are largely based on procedures and processes, so they lend themselves to the use of audit for risk identification purposes. A risk-based audit can be used as a tool to identify risks, as well as a method of reporting to the board on the effectiveness of the institution’s risk management framework.
Risk Measurement & Assessment
Various methods may be used to assess the severity of each risk once it has been identified. One of the reasons for measuring risk is that it allows the most significant risks to be prioritized. The result or impact of a risk occurring may be financial loss, damage to reputation, process change or a combination of these. One of the simplest ways to measure risks is to apply an impact and likelihood matrix which provides an overall risk rating.
One of the issues with measuring risk is that there are objective or subjective risks. Many risks are subjective and qualitative, rather than objectively identifiable and measurable. For example, the risks of litigation, economic downturn, loss of key employees, natural disasters and loss of reputation are all subjective judgments. There is an important distinction between objective, measurable risks and subjective, perceived risks. Some of the key factors that influence this distinction are:
- How recently the risks have occurred
- How visible the risks are
- How management perceives the risks
- How the institution establishes formal or informal ways of dealing with the risks.
The analysis can be either quantitative or qualitative, but it should allow for comparison and trend analysis. One of the issues with risk assessment is that traditional risk assessment techniques often focus on those elements that can be quantified easily. Such techniques fail to address all critical drivers of successful risk management.
When considering the impact of operational risk there are three primary areas that affect business activity.
- Property exposures – these relate to the physical assets belonging to or entrusted to the business.
- Personnel exposures – these relate to the risks faced by all those who work for and with the business, including customers, suppliers, and contractors.
- Financial exposures – these relate to all aspects of the institution’s ability to trade, whether profitably or not, and cover internal and external exposures of all types. Financial exposures also include intellectual property, goodwill, and patents.
Once the risks and the controls have been identified, the next step is to determine the current risk profile. When assessing the impact of any single threat, two factors are generally considered: likelihood, or how probable it is for a risk event to occur; and outcome, or what the overall consequences would be if that risk event occurred. All risks should be evaluated in this manner on a case-by-case basis. In an operating business environment with limited resources for risk mitigation, this evaluation can help determine priorities.
Evaluating the Risk
Risk evaluation is used to make decisions about the significance of the risks to the institution and whether each specific risk should be accepted or treated. When looking at operational risk management, it is important to align it with the institution’s risk appetite. The risk appetite will be influenced by the size and type of institution, its capacity for risk and its ability to exploit opportunities and withstand setbacks.
Risk Mitigation and control
Once the risks have been identified, assessed and measured, preparation through risk mitigation is key. By having the proper security and defenses in place, suited to the specific risks you face, you may actually win the fight before a risk incident occurs. Having proper safety measures in place, such as physical security, CCTV, access controls, training, alarm systems/hold-up devices, as well as effective processes and procedures, will make your institution a hard target and can help to deter even determined threats. The level of controls should match the level of risk within a process.
Monitoring and Reporting
Operational risk management requires ongoing monitoring of risks and concise, timely communication to the governing board, senior managers, employees, and regulators. Regular reports on operational risk events allow a financial institution’s management to better understand and assess the operational risk profile of the institution and to allocate the required resources effectively to safeguard against unexpected increases in risk events.
Audit and Testing
A risk-based audit can use the following methods to assess risks:
- Intuitive or judgmental assessment
- Risk assessment matrix
- Risk ranking
The best approach to identifying operational risk is to look for critical dependencies in people, processes, systems and external structures. Once identified, the dependencies can be managed or engineered by adding fail-safes and system redundancies. Other approaches may include physical inspection and incident investigation.
Risk mitigation is a continual process and must be adaptable to continued threats. The measures and processes put in place should be audited for suitability and employee compliance. Scenario-based testing can also help assess effectiveness, or perhaps even identify better ways to do things.
Critical success factors in operational risk management are:
- Clearly identified governance, with the board and senior management supporting, owning and leading on risk management
- Development and implementation of a framework for risk management that is transparent and repeatable
- Risk is actively monitored and frequently reviewed
- Management of risk is fully entrenched in the management process and consistently applied
- Clear communication with all employees
- Management of risks is closely connected to the achievement of objectives.
- Staff training is a good way to increase the quality of customer service.
Note that hoping it doesn’t happen is a bad business strategy. As the saying goes, “Hope is not a strategy!”
Dr. Wekesa is a regular columnist and comments on governance issues.