The last few years have witnessed a revolution in technology, increased availability of data, and a take-off in business models. These forces have all changed the way businesses service customers, partner with third parties, and operate internally. Clear shifts in the way organizations conduct business resurrect the need for enhanced operational risk management.
This article lays out which operational risk management processes and operational risk management solutions might fit the bill, enabling businesses to keep up with the new risk landscape.
Operational risk defined
So, what operational risk are we talking about? Operational risk arises from a wide range of activities and events, such as fraud, errors, negligence, violations, technological failures, process deficiencies, system flaws, terrorism and vandalism, and natural disasters like floods and earthquakes.
But what is operational risk, specifically? Operational risk has been defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems or from external events.
Each of those categories deserves special comment:
- People risk. People risk tends to refer to the management of employees' behavior and human resources, which are regarded as major sources of operational risk. For instance, overworked and poorly trained employees may inadvertently introduce errors that lead to operational risk.
- Internal operations. It’s long been held that the key driver of risk is internal procedures and processes. But although operational risk is inherent to internal processes, it can often be difficult to differentiate between risks caused by people and those due to the failure of internal processes.
- External events. External events as a source of operational risk are sure to be beyond the control of individual organizations.
- Systems risk. Different processes and systems support operations, e.g., human resource management and IT systems. All these systems require different components to operate; what’s more, they’re increasingly third-party operated.
Poorly designed and complex systems may increase operational risk because they are unfit for purpose or malfunction; the range of problems experienced when they fail might include fraud, processing errors, and data security failures.
Operational risk management process
Although historically associated with the financial services sector, operational risks aren’t unique to any one sector. Indeed, there’s an increasing need to manage operational risks across the entire economy.
To this end, many organizations have been prioritizing risk management systems. What does the operational risk management process look like? According to the Basel Revised Principles from 2021, it should look like the following:
Identification and assessment
Recognizing and evaluating risks are fundamental aspects of robust operational risk management that directly enhance operational resilience. Effective risk identification considers internal and external factors, contributing to a comprehensive understanding of the risk landscape. This understanding allows organizations to allocate risk management resources and strategies more efficiently.
To this end, senior management should ensure thorough identification and assessment of operational risks across all significant products, activities, processes, and systems to ensure clear comprehension of inherent risks and incentives.
Monitoring and reporting
Senior management should implement a process to regularly monitor operational risk profiles and material operational exposures. Appropriate reporting mechanisms should be in place at the board of directors, senior management, and business unit levels to support proactive management of operational risk. The entity should ensure that its reports are comprehensive, accurate, consistent, and actionable across business units and products.
To this end, the first line of defense should ensure reporting on any residual operational risks, including operational risk events, control deficiencies, process inadequacies, and non-compliance with operational risk tolerances. Reports should be manageable in scope and volume by providing an outlook on the company’s operational risk profile and adherence to the operational risk appetite and tolerance statement.
Reporting should also be timely. An organization should be able to produce reports in both normal and stressed market conditions. The frequency of reporting should reflect the risks involved and the pace and nature of changes in the operating environment.
The results of monitoring activities should be included in regular management and board reports. Reports generated by or for supervisory authorities should also be reported internally to senior management and the board of directors, where appropriate.
Operational risk reports should describe the company’s operational risk profile by providing internal financial, operational, and compliance indicators, as well as external market or environmental information about events and conditions that are relevant to decision making.
Control and mitigation
Companies should have a strong control environment that relies on policies, processes, and systems; appropriate internal controls; and appropriate risk mitigation and/or transfer strategies.
These internal controls should be designed to provide reasonable assurance that the company will have efficient and effective operations, safeguard its assets, produce reliable financial reports, and comply with applicable laws and regulations.
A sound internal control program consists of four components that are integral to the risk management process:
- Risk assessment
- Control activities
- Information and communication
- Monitoring activities
Control processes and procedures should include a system for ensuring compliance with policies, regulations, and laws.
Control processes and procedures should address how the company ensures operational resilience is maintained in both normal circumstances and in the event of disruption, reflecting respective functions’ due diligence, consistent with the company’s operational resilience approach.
An effective control environment also requires an appropriate separation of duties. In addition to separation of duties and dual controls, organizations should ensure that other traditional internal controls are in place, as appropriate, to address operational risk.
Effective use and sound implementation of technology can contribute to the control environment (more below). However, the use of technology-related products, activities, processes, and delivery channels can also expose an organization to operational risk and the possibility of material financial loss.
Consequently, an organization should have an integrated approach to identifying, measuring, monitoring, and managing technology risks along the same precepts as operational risk management.
Digital software to manage operational risk
How can an organization establish such an integrated approach? Companies looking to bring automation to the management of potential risks that could cause operational failures or disruptions to their normal operations are well advised to consider centralized resilience workspaces that provide a holistic view of risks, streamline operational risk-related processes, and foster effective stakeholder collaboration and communication.
The operational risk management software features to consider include:
Objectives
Align risk management initiatives with organizational objectives so you can effectively manage threats and capitalize on opportunities.
Risks and controls library
Get a head start with a pre-existing library of potential operational risks and corresponding control measures, inspired by the best industry practices to save time in recognizing and recording operational risks.
Audits
Gain oversight into the ongoing management of risk controls as they are implemented and maintained in your operational environment, using scheduled audits that personnel can complete from anywhere, on any device.
Reporting
Create custom reports that summarize historical data with charts, recommendations, and sign-offs. Export these as PDF or Word documents and share with stakeholders and executives to enable them to make informed decisions, manage threats, and benefit from opportunities.
Obligations
Keep track of your compliance obligations with ease using a centralized register that enables you to monitor breaches and collaborate with your team to ensure compliance throughout your organization.
Risk assessments
Proactively identify, assess, and manage operational risks through a centralized workspace that provides a holistic view of risks, and streamlines risk assessment processes while fostering effective stakeholder collaboration and communication.
Document management
Streamline the risk document management process by leveraging centralized document management functionality to ensure personnel have the right information at their fingertips.
Analytics
Consolidate data to gain valuable insights and visualize it through interactive dashboards, charts, risk matrices, and maps in real time, from any device.