Understanding the many aspects of operational risk

There’s no reward without risk. Operational risk exists in every business. However, the nature of operational risk may vary depending on the specifics of the company.

Operational risk is an important concern for companies of all types, and a serious concern for banks and other financial institutions. In the financial services industry, losses tied to operational risks have been elevated ever since the 2008 financial crisis, according to McKinsey & Company.

Operational Risks vs. Other Types of Risk

Operational risks include risks that are tied to the daily operations of a business. It is a fairly broad category of risk that encompasses many different issues, and definitions may vary somewhat from organization to organization. Nevertheless, operational risk is distinct from other types of risks that impact companies.

For example, operational risk is different from financial risk or credit risk involving financial losses and loans. Operational risk is also typically seen as different from market risk, which involves risks associated with investments in financial markets, and from strategic risk, which involves the company’s strategic objectives.

Operational Risks Defined

According to the definition adopted by the Basel Committee on Banking Supervision, “Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events. This definition includes legal risk but excludes strategic and reputational risk.”

The Basel Committee also identified seven key loss event types, according to the Federal Deposit Insurance Corporation:

1. Risks tied to internal fraud, which may include events such as employee theft.
2. Risks tied to external fraud, which may include events such as forgery.
3. Risks tied to employment practices and workplace safety, which may include workers’ compensations claims and discrimination claims.
4. Risks tied to clients, products and business practices, which may include fiduciary breaches.
5. Risks tied to damage of physical assets, which may include criminal acts and natural disasters.
6. Risks tied to business disruption and system failures, which may include hardware or software failures.
7. Risks tied to execution, delivery and process management, which may include data entry errors or vendor disputes.

The Root Causes of Operational Risks

We all hope that everything will go according to plan, but this is rarely the case. In the course of everyday business operations, problems can arise, and these problems may be significant enough to disrupt operations and prevent the organization from reaching its goals.

Operational risks can stem from external events. These may include natural disasters that threaten to disrupt operations, but are out of the company’s control. Terrorists, vandals, cybercriminals, fraudsters and other criminals may also contribute to a company’s operational risks.

However, many operational risks are internal. In many cases, operational risks come down to the mistakes, oversights or malfeasance of the people involved in a company’s operations.

Some loss events may be caused intentionally. For example, an employee may break company policy by engaging in illegal discrimination or by engaging in unethical financial practices.

Other events may be accidental or the result of negligence. An employee may fail to maintain equipment properly, resulting in equipment failure. Or an employee’s lax cybersecurity practices may result in data breaches or give cybercriminals an entry. A failure to carry out procedures carefully could also result in administrative mistakes or injuries.

The Evolving Nature of Operational Risk

Organizations have always faced risk tied to operations, but the nature of some operational risks has been changing in recent years.

New laws and regulations can impact issues related to liability and fiduciary duty, for example. Advances in technology, while largely beneficial, can lead to problems if workers don’t understand how to maintain equipment or use systems correctly. Climate change and civil unrest may lead to additional external threats.

And so on. The constantly changing nature of operational risk means that risk managers must always be looking forward.

The Challenges of Operational Risk Management

Because of the broad nature of operational risk, it can be harder to assess than other types of risk – but this might be changing.

With the rise of big data and predictive analytics, operational risk managers have new tools at their disposal.

According to The Future of Operational Risk Management, operational risk models have traditionally focused on estimating conservative capital so the organization can absorb losses. However, this backward-looking approach may be giving way to a new model. Instead of sticking to losses that have already occurred, future models may draw on additional data to assess patterns and behaviors that may contribute to loss events. This allows the organization to make changes to prevent losses, rather than just responding to the losses that have already occurred.

Risk Management Strategies

Operational risk cannot be eliminated entirely, but operational risk management is still possible by taking the following steps:

1. Assess operational risks. What internal systems and processes could fail? What external events could disrupt operations? How would various loss events impact the organization, including the organization’s reputation and financial stability?
2. Quantify operational risks. Various methods can be used to achieve operational risk quantification.
3. Predict operational risks. The use of data and predictive analytics can identify patterns associated with loss events.
4. Conduct audits. Periodic audits can be used to assess operational risk and the effectiveness of current risk management tactics. For example, a company can test its team’s understanding of and vulnerability to phishing attacks by sending some test phishing emails and monitoring how employees respond.
5. Create policies to reduce and prevent operational risk losses. How can processes be changed to make fraud, equipment failure and other loss events less likely?
6. Develop plans to respond to problems that arise. If a loss event does occur, what resources will be needed to minimize the damage? How will emergency response plans be carried out?
7. Communicate risk issues. Keep management and directors in the loop regarding operational risk management.
8. Transfer risk. Risk exists, but your organization doesn’t need to take on any more risk that is necessary. Risk may be transferred through the use of strong contracts with vendors and other third parties, as well as insurance products that provide protection against various operational risks.

Identifying and mitigating operational risk is an important step in helping your company scale and grow. To learn more, contact our Risk Management team.