In recent years, we have seen a tremendous surge of interest in measuring and managing operational risks, both as a result of regulatory developments in corporate governance and capital adequacy, as well as due to a growing realisation that an enterprise-wide view of risk management is simply good business (those familiar with ISO9001 Quality Management Systems would be aware that the latest 2015 issue focuses on managing risk).
The wave of well-publicised corporate failures over the past years can generally be traced to an operational risk, rather than to market, credit or insurance risks. Indeed, it would be no exaggeration to state that most major economic global meltdowns of the past few decades were caused by operational risk failures.
In response, regulators are holding directors responsible for managing all risks, including market, credit, insurance, legal, technology, strategic and regulatory.
The regulator focus on operational risk and its adequate capital charge has raised the need for reliable methods for measuring and managing operational risks.
So, what does managing operational risk entail?
In a nutshell, this involves getting a clear oversight of your systems, processes and people, to prevent failures that lead to costly financial and reputational damage, as we have historically observed.
Operational risks have three major characteristics:
- First of all, they are endogenous, i.e. they are specific to the facts and circumstances of each company. They are shaped by the technology, processes, organisation, personnel and culture of the company. By contrast, market, credit and insurance risks are generally driven by exogenous factors.
- Secondly, operational risks are dynamic, continuously changing with business strategy and organisational evolution, as well as processes, technology and competition.
- And, finally, it is safe to say that the most cost-effective strategies for mitigating operational risks involve changes to business processes, technology, organisation and personnel.
Contemporary businesses are particularly keen to develop business strategies that align with risk evolution. The key is to develop the approach that begins with an assessment of factors that can spring uncertainties and which can also impact existing and future business objectives. Organisations need to ensure that fail-proof assurances are in-built into the process design to prevent or minimise opportunities for risk to occur in the first instance.
This would generally need to be complemented by effective controls that must exist at all stages. The earlier the controls are established in the risk journey, the more effective the risk detection and mitigation mechanism will be. Generally speaking, operational risks are best discovered, controlled and mitigated using a multiple-faceted approach which can alleviate numerous risks concurrently.
However, too many organisations appear to stumble when it comes to effecting periodic assessments of all facets of operational risks.
By shifting the focus to risk-enabled performance management, organisations can concentrate on uncertainty holistically, rather than just identifying and measuring risks individually.