Talking about Operational Risk
My friends at MetricStream (I am doing some webinars and training classes with them), through their SVP of industry solutions, have shared some thoughts on levels of integration in operational risk management. This was published by the Global Association of Risk Professionals (GARP).
I have some problems putting labels on risk. Some like to categorize different sources of risk, from strategic risks to financial risks, credit risks, market risks, procurement risks, IT risks, operational risks, and so on.
I prefer to think about what you need to happen and what you need not to happen to be successful.
I prefer to think about the uncertainties between where you are and where you want to be.
But, let’s talk about operational risk.
Basel II and Solvency II define operational risk as (emphasis added by me):
“the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses.”
GARP’s definition is similar:
“Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”
Investopedia defines it as:
“A form of risk that summarizes the risks a company or firm undertakes when it attempts to operate within a given field or industry. Operational risk is the risk that is not inherent in financial, systematic or market-wide risk. It is the risk remaining after determining financing and systematic risk, and includes risks resulting from breakdowns in internal procedures, people and systems.”
The Risk Management Association (RMA) has some useful words on the topic:
“Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution’s business functions. Operational risk exists in every organization, regardless of size or complexity, from the largest institutions to regional and community banks. Examples of operational risk include risks arising from hurricanes, computer hacking, internal and external fraud, the failure to adhere to internal policies, and others.”
The US Federal Reserve has a similar view:
“Operational risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. Although operational risk does not easily lend itself to quantitative measurement, it can result in substantial costs through error, fraud, or other performance problems. The growing dependence of banking organizations on information technology emphasizes one aspect of the need to identify and control this risk.”
In other, simpler words, operational risk is when your people, processes, systems, and organization don’t work the way you want.
In other words, operational risk is present every time somebody, or some system, has to act (or not act).
So the key to managing operational risk is through controls that will either prevent such failure to act as desired, or detect such a failure in sufficient time to prevent an undesired impact on objectives.
Those controls include hiring the right people; training and continuing to develop them; providing sufficient supervision, information, resources, and authority to perform; guiding them in terms of desired ethical behavior and desired practices through policies, standards, and procedures; ensuring that risk is considered in decision-making; and monitoring operations and controls – and so much more.
When you think of operational risk as the dynamic, constantly moving enterprise failing to work as desired, I for one don’t think of managing it by performing periodic assessments. A point-in-time snapshot when everything is moving is not realistic.
Yet, organizations and consultants continue to focus on point-in-time assessments and reviews by management and the board.
MetricStream makes one good point in their GARP article: if you are going to assess risks periodically, recognize both the integration and aggregation of risk.
A failure in one area can affect the operations and success of another.
A single failure in, for example, information security can affect the achievement of objectives across the organization.
I understand that risk management solutions (such as those offered by MetricStream, SAP, Resolver, and others) help organizations integrate and aggregate risk assessment.
But, let’s not forget that operational risk arises when people or systems don’t do what you want – and that needs to be addressed in the field, where (as MetricStream correctly points out) the risk source lies.
When you consider that every action and decision across the organization relies on humans (humans design and code computer systems), and that humans are fallible and prone to error, the likelihood of someone doing something you don’t want is high.
How can you make any kind of list of operational risks, and assess and evaluate them, when everything and anything can fail? How can your list ever be complete?
Isn’t it better to provide managers and decision-makers with the tools and guidance they need to make intelligent decisions, controls that provide reasonable assurance that their mistakes will either be limited or caught quickly, management that hires and retains the best people, and a culture that not only celebrates mistakes but is resilient when it comes to human error?
I welcome your comments.