Operational risks span every aspect of the enterprise and operational risk management (ORM) is a vital function to identify, quantify, strategize, and act to avoid, mitigate, and control risks.
Operational risk management, given the catastrophic consequences of risks, should be a strategic function with representation from all the essential functions and business units. Even among well-run companies, ORM remains a weak link. There is a lot of confusion about operational risk as it is a relatively nascent discipline and the origins and popularity are far from certain.
Risk, as they say, is not just risk managers’ job. It is everyone’s job.
Definition of Operational Risk:
At a simplistic level, doing business involves operational risk, and hence operational risk spans the entire gamut of business operations.
Operational risks encompass that are within organizational boundaries and control as well as external factors. Internally, risks include employee or contractor misconduct or other moral hazards, product liability, information leaks, systems failures, lax controls, and process leakages. Externally, the operational risks include supply chain disruptions, price volatility, cyberattacks, and natural disasters, etc.
Why Risks Occur?
The fact is a business cannot altogether avoid risk. However, the variety, velocity, and volume of threats are undoubtedly dependent on specific factors of a company. That is the reason two firms in the same industry may face different types of risk, as well as the magnitude of the impact of the risk, may diverge.
Complex Business and IT Landscape:
Companies that have grown via inorganic means or those that have had a hockey stick growth exhibit attributes such as business and technology silos, redundancy and replication, ambiguous ownership and accountability, and lack of transparency and visibility. In such cases, the operational risk rises exponentially.
Convoluted Processes:
Processes never operate based on the standard operating procedure. Most processes have multiple variations – because of systems limitations to the uniqueness of cases, established sets of behaviors, and tribal knowledge.
Without a firm understanding of how the company’s operations perform, operational risk creeps up from unexpected corners.
Centralized Risk Function:
One of the gravest mistakes corporations commit is thinking that risk is a compliance function and centralize it into a monolith called LRC (Legal, Risk, and Compliance). Unlike compliance, risks exist everywhere and manifest in forms that are not business as usual. While legal and compliance areas do lead to risk, the threats are more omniscient and omnipresent.
ORM Is a Mandate, not an Interwoven Process:
When corporate leadership thinks a set of guidelines without the guardrails is sufficient to mitigate risk, they are entirely wrong. Mandates and proclamations seldom reign in the risk. Without risk management is an integral layer from strategy to operations, from HR to Information Technology, risks manifest in unexpected ways and cause severe distress.
Implementing Operational Risk Management Structures and Programs:
Decouple it from an Omnibus Department:
Treating risk as a non-core function and combining it with a bunch of others – legal, regulatory affairs, risk, compliance, and governance – will diminish the focus and allow for risk to creep in and cause significant losses to the enterprise. When an omnibus department head is spreading their attention on several things, risk often fades into the background until a substantial impact event occurs.
Elevate ORM to the COO Scorecard:
As mentioned before, the risk is not just come middle office function. Operational risk management has to be front and center and including it as a key performance indicator on a C-suite executive – either the CFO or the COO will bring the appropriate importance and attention to the matter.
The reason for this elevated caution is that while the monetary damages from a risk incident may be affordable or transferable (to an insurance company), at times, the impact on the franchise is devastating.
Elevating the risk management function and staffing it with the right resources provides a safety net that is immeasurable.
Establish ORM as a Technology-enabled, Data-Driven Function:
Today, a slew of technologies allows the management to keep tabs on operations and the consequent risks. Modern BPM (business process management) allows for business activity monitoring and analytics systems to combine disparate data to provide a holistic set of metrics to monitor risk. While technology does increase certain risks as a whole, it is an omniscient force multiplier in managing operational risks.
Let ORM Not become a Prosecutor:
One of the reasons risk management is feared and frowned upon in corporate settings is often there is a desire to assign the blame. Of course, if there are bad actors and intentional damage, it is quite essential to find out the culprit. But in most cases, where risk permeates the day to day, without any evil intent, and manifests unbeknownst to anyone, ORM should function as a protector, not just as a prosecutor.
Companies need to think about risk in a structured and systematic way. That is where an operational risk management framework (ORM Framework) will prove to be invaluable. Below is a simple operational risk management framework, and you may modify and adapt to your enterprise needs.
Operational Risk Management (ORM) Framework:
Components of the Operational Risk Management Framework:
- Identify Risks: Risks can emanate from anywhere, at any time, and from anyone. So, a robust approach to identifying risk is a foundation for risk management. As they say, an ounce of prevention is better than a pound of cure. To identify risks, enterprises should consider incentivizing those that bring forth the risks – even before they have had a chance to take root.
- Assess Risks: Risk assessment must be multi-dimensional. Risk managers must consider several aspects such as: what is the source of risk, what is the probability of occurrence, the potential magnitude of impact, what prevention/mitigation steps may be possible, and what measures may be feasible once the risk event occurs.
- Decide on Risk Management Strategy: While prevention and mitigation are worthy steps, companies never rely on always being able to eliminate risks or nipping them in the bud. Hence, the fundamental strategies are to a) assume the risk b) transfer the risk or a combination thereof often with a stop loss.
- Monitor: Irrespective of the strategy on how to handle risk, once a threat is identified and quantified, monitoring it constantly is vital. A risk register and various business activity monitoring and analytics systems can help in this regard.
- Measure: As risks evolve, so does the impact of such events. Hence, measurement of the probability and impact is not a one-time task, but an ongoing process. Continuously updating risk exposure allows for highlighting the state and status of risks but also leads to reevaluating the decisions on whether to assume or transfer a particular risk.
- Report Risks: Risk registers, risk graphs and scorecards on executive dashboards, and a monthly risk management summary are ways to communicate the state or operational risks to the key decision-makers. It is possible to report on most risks in real-time or almost real-time.
How ORM can become a Value-Added Function:
- Shift from a reactive stance to a proactive mode. Instead of waiting for risks to happen and then respond, companies can anticipate, eliminate, mitigate, and effectively manage risks. An active risk management function is a vital strategic imperative.
- It is risk “management,” not just risk avoidance. The perception should change from “risk” from being a four-letter word (pardon the pun), to one of “risk management” as in calibrating the amount of risk based on the nature of risk, the probability, and the likely impact. Without taking risks, enterprises will stagnate and calcify. Help the associates understand that risk management is a constant balancing exercise, and at an optimal level, it can turbocharge company growth.
- Whatever risk framework you use, please ensure it conforms and aligns with the nature of the company, the maturity of operations, and the business/IT complexity.
- Rely on sophisticated systems that are already in place for other purposes – such as BPM, Analytics, and Transactional systems to beef up the risk management function.
- Allow inherent flexibility for the risk management function to evolve to the needs of the enterprise within the context of market, regulatory, technological, and societal trends.
Benefits of a Strong Operational Risk Management Function:
A robust operational risk management function can benefit the enterprise in several ways:
- Better Capital Allocation: Knowing the risk the company is taking and an understanding of the corresponding rewards will allow for better capital budgeting and resourcing decisions.
- Improve Brand and Corporate Equity: Strong risk management will help boost the company brand equity as well as corporate equity, which in turn will result in better valuation and improvement in employee and customer loyalty.
- Dynamism and Resiliency: Risk management will foster a sense of vitality and flexibility into enterprise decision-making and boost innovation efforts. Over time, proper risk management controls will increase business resiliency.
- Operational Efficiency: Managing risks also will help solve process bottlenecks, chokepoints, performance issues, and allow for operational optimization.
How does your enterprise manage operational risk? Please share your thoughts.