Managing Operational Risk – What every professional needs to know

Stanley Epstein's Profile

Operational risk is probably one of the most misunderstood risks in the whole of the risk spectrum.

While risks such as “credit risk”, “liquidity risk”, “market risk” are easily understood by business and other professionals, “operational risk” is a poor relation when it comes to grasping what it really means. 

The starting point, of course, is to define what we mean when we speak about operational risk. 

My favourite definition is that formulated by the “Basel Committee on Banking Supervision” in its “Principles for the Sound Management of Operational Risk” (BIS - June 2011).

The definition reads;

“Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events.”

The Basel definition goes on to state operational risk includes legal risk, but excludes strategic and reputational risk. However, I want to keep the focus on the first part of the definition.

There are of course many other definitions of operational risk. They all have the same common base – loss resulting from inadequacies or the failure in internal processes, people, systems or arising from external events.

Therefore, it should be clear that outside of the normal business risks virtually everything else is an operational risk.  

Operational risks are to be found everywhere, not only in the business world. Operational risk is there when you jump in the shower in the morning, or when you cross the road, or when your office server system goes down or when you have a power outage.

Under the Basel Accords Operational Risk is specifically broken down into a range of seven distinct categories. Let us explore them briefly to get a feel for the full scope of what operational risk covers.

The first category is internal fraud. This includes intentional misreporting or deceptions, employee theft and Insider trading on an employee’s own account.

Moving on we go to external fraud. This includes events such as robbery, forgery, and things like damage from computer hacking.

Then there is employment practices and workplace safety. This category covers the whole HR field in all its facets and includes issues like workers compensation claims, violation of employee health and safety rules, organized labor activities, discrimination claims, and general customer liability issues.

Clients, products and business practices is another operational risk category. This is an exceptionally wide area with many sub-categories. Some of the most important are things like fiduciary breaches, the misuse of confidential customer information, improper trading or business activities on the firm’s account, money laundering, and the sale of unauthorized products

The next category is damage to physical assets. This includes damage that could arise from events like terrorism, vandalism, earthquakes, fires and floods and simple human error. This category is concerned with external events.

The seventh category is the execution, delivery and process management. This covers the whole “operations” domain. The sort of problems that come up here cover things like data entry errors, collateral management failures,  incomplete legal documentation,  unapproved access given to client accounts, non-client counterparty miss performance, and computer vendor disputes.

Finally, we have business disruption and system failures. These are the nuts-and-bolts failures, like when something breaks down or does not work properly. It covers things like, hardware and software failures, equipment breakdowns, telecommunication problems, and utility outages.

Once we understand what operational risk is, we are ready to begin managing it. At a high level the risk management process is relevantly simple – Identify, Evaluate, Manage. In reality, it is a lot more complicated than this.

Our on-line training course, “Key Elements in Managing Operational Risk” is a systematic approach covering the fundamental steps required to manage operational risks. This is based on the three core approaches to operational risk management expanding into critical sub-issues such as risk analysis, risk appetite, probability, impact, risk mitigation process, with its prioritization and establishing responsibility for the whole process.

In this training course, you are going to achieve a number of key learning objectives, such as …. 

  • ·Discover the processes used in the management of operational risk,
  • ·Identify the different types of operational risks,
  • ·Explore and understand the methods used in identifying and evaluating the different operational risks, and
  • ·Understand critical issues such as risk analysis, risk appetite, probability, impact, the risk mitigation process, prioritization and risk management responsibilities.

Check out the course Key Elements in Managing Operational Risk: