
Talking about Operational Risk

My friends at MetricStream (I am doing some webinars and training classes with them), through their SVP of industry solutions, have shared some thoughts on levels of integration in operational risk management. This was published by the Global Association of Risk Professionals (GARP).

I have some problems putting labels on risk. Some like to categorize different sources of risk, from strategic risks to financial risks, credit risks, market risks, procurement risks, IT risks, operational risks, and so on.

I prefer to think about what you need to happen and what you need not to happen to be successful.

I prefer to think about the uncertainties between where you are and where you want to be.

But, let’s talk about operational risk.

Basel II and Solvency II define operational risk as (emphasis added by me):

“the risk of a change in value caused by the fact that actual losses, incurred for inadequate or failed internal processes, people and systems, or from external events (including legal risk), differ from the expected losses.”

GARP’s definition is similar:

“Operational risk is defined as the risk of loss resulting from inadequate or failed processes, people and systems or from external events. This definition includes legal risk, but excludes strategic and reputational risk.”

Investopedia defines it as

“A form of risk that summarizes the risks a company or firm undertakes when it attempts to operate within a given field or industry. Operational risk is the risk that is not inherent in financial, systematic or market-wide risk. It is the risk remaining after determining financing and systematic risk, and includes risks resulting from breakdowns in internal procedures, people and systems.”

The Risk Management Association (RMA) has some useful words on the topic:

“Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people, and systems, or from external events, but is better viewed as the risk arising from the execution of an institution’s business functions. Operational risk exists in every organization, regardless of size or complexity from the largest institutions to regional and community banks. Examples of operational risk include risks arising from hurricanes, computer hacking, internal and external fraud, the failure to adhere to internal policies, and others.”

The US Federal Reserve has a similar view:

“Operational risk arises from the potential that inadequate information systems, operational problems, breaches in internal controls, fraud, or unforeseen catastrophes will result in unexpected losses. Although operational risk does not easily lend itself to quantitative measurement, it can result in substantial costs through error, fraud, or other performance problems. The growing dependence of banking organizations on information technology emphasizes one aspect of the need to identify and control this risk.”

In other, simpler words, operational risk is when your people, processes, organization, and people don’t work the way you want.

In other words, operational risk is present every time somebody, or some system, has to act (or not act).

So the key to managing operational risk is through controls that will either prevent such failure to act as desired, or detect such a failure in sufficient time to prevent an undesired impact on objectives.

Those controls include hiring the right people; training and continuing to develop them; providing sufficient supervision, information, resources, and authority to perform; guiding them in terms of desired ethical behavior and desired practices through policies, standards, and procedures; ensuring that risk is considered in decision-making; and monitoring operations and controls – and so much more.

When you think of operational risk as the dynamic, constantly moving enterprise failing to work as desired, I for one don’t think of managing it through periodic assessments. A point-in-time snapshot of something that is always moving is not realistic.

Yet, organizations and consultants continue to focus on point-in-time assessments and reviews by management and the board.

MetricStream makes one good point in their GARP article: if you are going to assess risks periodically, recognize both the integration and aggregation of risk.

A failure in one area can affect the operations and success of another.

A single failure in, for example, information security can affect the achievement of objectives across the organization.

I understand that risk management solutions (such as those offered by MetricStream, SAP, Resolver, and others) help organizations integrate and aggregate risk assessment.

But, let’s not forget that operational risk arises when people or systems don’t do what you want – and that needs to be addressed in the field, where (as MetricStream correctly points out) the risk source lies.

When you consider that every action and decision across the organization relies on humans (humans design and code computer systems), and that humans are fallible and prone to error, the likelihood that someone will do something you don’t want is high.

How can you make any kind of list of operational risks, and assess and evaluate them, when everything and anything can fail? How can your list ever be complete?

Isn’t it better to provide managers and decision-makers with the tools and guidance they need to make intelligent decisions, controls that provide reasonable assurance that their mistakes will either be limited or caught quickly, management that hires and retains the best people, and a culture that not only celebrates mistakes but is resilient when it comes to human error?

I welcome your comments.

  1. Deb
    June 17, 2014 at 10:59 PM

    From a ‘doer’ perspective, much as we/risk practitioners may not like to ‘label’ risks, ground level reality is that the mandate of certain groups may extend to looking deep into only certain kinds of risks. [For instance, internal audit shops in certain situations/organizations may be mandated (whether or not by, and sometimes in spite of, a documented audit charter!) to look into only operational risk, mostly by management ‘consensus’.] As such, it sometimes helps to be clear on the kind of risk/s we’re dealing with, and focus energies on that (while fighting battles elsewhere to expand the domain itself). Also, demonstrated excellence in looking into one or more kinds of risks may sometimes foster greater credibility (also, confidence) in dealing with other kinds of risks (for instance, ‘strategic risks’?).

    The aspect of integration and aggregation of risk is something perhaps not given its due in most instances (subject to some honorable exceptions), something perhaps well-demonstrated in well-known cases of the 2008 mortgage crisis. It’s in things like this that perhaps going ‘deep’ rather than ‘wide’ could generate disproportionate (and welcome) dividends.

  2. June 18, 2014 at 1:24 AM

    Perhaps the reason why some will categorize different sources of risk, e.g. from strategic risks to financial risks, credit risks, market risks, procurement risks, IT risks etc, is an effort to ensure that all major risks are identified and given due consideration. At the end of the day all these, regardless of what label they carry, are Risks that can impact negatively on the organisation and hence need to be effectively managed. It is a good idea to “think about what you need to happen and what you need not to happen to be successful”. And labelling risks for instance, as strategic risks; financial risks, credit risks, market risks, procurement risks, IT risks etc. does not eliminate that approach. All that it means is that assessment of what you need to happen and what you need not to happen to be successful is done per focus area e.g. Marketing; IT etc. It is for this reason that at the end of the day some organisations have Risk Committees where all the risks identified per focus area are tabled, assessed, integrated and aggregated.
    Knowledge of the fact that “every action and decision across the organization relies on fallible humans” should be used to develop brilliant control measures. It is when people lack or neglect vital information that they develop irrelevant and/or inadequate control measures. For instance, knowing that humans are prone to error why not consider automating processes as much as possible to minimise human intervention in the processes?

  3. Don B
    June 19, 2014 at 4:52 AM

    Why do you use the word “people” twice in your definition of operational risk?

    • Norman Marks
      June 19, 2014 at 6:47 AM

      Because I am human as well

  4. June 22, 2014 at 10:33 AM

    Norman, thanks much for the post. I have become an “evangelist” on Human capital risks (sorry for adding to the other risk groups) or people risks. I continue to preach that processes and methodologies are the robotics of the risk management discipline, for anyone can follow processes/procedures etc. But it is the person and their risk intelligence and culture that counts.
    Please continue to share, I look forward to reading your thoughts.

  5. June 23, 2014 at 7:38 AM

    Don’t you think there is a clear connection here with Mises’ Human Action?
