Managing operational risk

Contemporary businesses are particularly keen to develop business strategies that align with risk evolution. Photo:

Contemporary businesses are particularly keen to develop business strategies that align with risk evolution. Photo:

In recent years, we have seen a tremendous surge of interest in measuring and managing operational risks, both as a result of regulatory developments in corporate governance and capital adequacy, as well as due to a growing realisation that an enterprise-wide view of risk management is simply good business (those familiar with ISO9001 Quality Management Systems would be aware that the latest 2015 issue focuses on managing risk).

The wave of well-publicised corporate failures over the past years can generally be traced to an operational risk, rather than to market, credit or insurance risks. Indeed, it would be no exaggeration to state that most major economic global meltdowns of the past few decades were caused by operational risk failures.

In response, regulators across the continents have revised corporate governance standards to hold directors responsible for managing all risks, including market, credit, insurance, legal, technology, strategic and regulatory. Note, in this regard, the Basel Committee’s proposal for an operational risk capital charge for banks to protect against “…failed internal processes, people and systems, or from external events”. All this has led to a greater commitment to, and focus on, the need for reliable methods for measuring and managing operational risks.

So, what does managing operational risk entail? In a nutshell, this involves getting a clear oversight of your systems, processes and people, to prevent failures that lead to costly financial and reputational damage, as we have observed above.

Operational risks have three major characteristics. First of all, they are endogenous, i.e. they are specific to the facts and circumstances of each company. They are shaped by the technology, processes, organisation, personnel and culture of the company. By contrast, market, credit and insurance risks are generally driven by exogenous factors.

Secondly, operational risks are dynamic, continuously changing with business strategy and organisational evolution, as well as processes, technology and competition. And, finally, it is safe to say that the most cost-effective strategies for mitigating operational risks involve changes to business processes, technology, organisation and personnel.

Contemporary businesses are particularly keen to develop business strategies that align with risk evolution. Characteristically, the process begins with an assessment of factors that can spring uncertainties and which can also impact existing and future business objectives. Organisations need to ensure that fail-proof assurances are in-built into the process design to prevent or minimise opportunities for risk to occur in the first instance.

This would generally need to be complemented by effective controls that must exist at all stages. The earlier the controls are established in the risk journey, the more effective the risk detection and mitigation mechanism will be. Generally speaking, operational risks are best discovered, controlled and mitigated using a multiple-faceted approach which can alleviate numerous risks concurrently.

Regulators across the continents have revised corporate governance standards to hold directors responsible for managing all risks

The first step in this process has to be the effective segregation of tasks and duties. This acts as a primary deterrent against internal theft and risks related to fraud. Essentially, measures in this regard prevent one individual from taking advantage of the myriad aspects of transactions and business processes or practices. This should be followed by a concerted effort to simplify business process, primarily curtailing manual activities, as well as the number of people and exceptions that feature during the implementation of business processes. Reducing complexity in different business processes radically mitigates operational risks.

The third step involves the reinforcement of a corporate culture in terms of organisational ethics. Every single stakeholder in an organisation needs the direction and comfort of a strong ethical compass, based on personal values and principles, as well as values embedded in a strong corporate culture.

Although all this might seem obvious, having the right people in the right jobs can reduce issues pertaining to business process execution and skill, as well as technology usage. Measures in this regard also result in proper workforce utilisation, adherence to timelines, enhanced quality and consistency, and fewer errors and process breakdowns.

Once the right people are in place, it is time to put the spotlight on monitoring and evaluating business processes on a regular basis through the use of key performance indicators. KPIs can prove critical for the timely detection and mitigation of risks, provided they are continuously monitored and reviewed. They also help identify and manage discrepancies proactively and effectively.

Too many organisations appear to stumble when it comes to effecting periodic assessments of all facets of operational risks. This kind of corporate discipline,which could involve, among others, the routine gauging of regulatory obligations, IT assets, skills, competencies, processes and business decisions, allows companies to be risk-ready, apart from proving critical in supporting organisational management.

Like any individual, learning from past experience, especially mistakes, helps organisations develop and grow stronger. Risk incidents and related remedial measures employed in the past can contribute to some of the most effective strategies to counter future risks. In general, previous risk occurrences also help to implement a stronger, proactive operational risk management framework and support real-time changes that suit the current operating scenario.

All the above should be tied up by an effective monitoring and reporting process, with particular emphasis on timely reporting of key information to senior management and the board of directors, to support proactive management of risks. A culture of risk awareness and open communication will prove invaluable towards effective operational risk governance and towards making sure that your organisation features in the headlines for the right reasons.

Joseph Micallef is a partner and chief operations officer at Beat, a Maltese niche-based consulting firm specialising in the provision of project management, strategic advice and business transformation solutions.

Comments not loading? We recommend using Google Chrome or Mozilla Firefox with javascript turned on.
Comments powered by Disqus