ComplianceOnline

Managing Operational Risks - 5 Best Practices to Follow


    Implement the right operational risk management structure that reduces the risk of losses stemming from failed internal controls or adverse external events.

    The uncertain environment in which businesses operate today - constantly changing regulations, expanding global footprints, volatile market conditions, unpredictable socio-economic upheavals as well as natural disasters - has made it increasingly necessary for organizations to ensure they have a robust and effective system to manage operational risks. These risks cannot be discounted by the modern, international organization - the cost of ignoring them can be catastrophic in terms of reputational and financial damage. This article details five best practices that organizations can adopt in order to manage operational risks more effectively.


    Business Continuity and Scenario Planning

    What is Operational Risk?

    The Basel II accord on banking supervision defined operational risk as the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events. Legal risk would be included in this definition according to the Basel committee, but not strategic or reputational risk.

    Operational Risk Failures

    The following types of events would be considered operational risk failures (source: Basel Committee)

    Internal Fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity/ discrimination events, which involves at least one internal party.
    External Fraud Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party
    Employment Practices and Workplace Safety Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party
    Clients, Products and Business Practices Losses arising from an unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
    Damage to Physical Assets Losses arising from loss or damage to physical assets from natural disaster or other events.
    Business Disruption and System Failures Losses arising from disruption of business or system failures
    Execution, Delivery and Process Management Losses from failed transaction processing or process management, from relations with trade counterparties and vendors

    5 Best Practices to Follow in Operational Risk Management

    1. Develop, Implement and Maintain a Framework for Operational Risk Management
    2. As operational risk in present in all business products, activities, processes and systems and is by nature complex, it is important to have an operational risk management framework that is fully integrated into overall risk management processes of the organization. Integration should happen across all organizational levels, including those at group and business vertical levels as well as into new business products, activities, processes and systems.

      The framework should be well documented in the policies approved by the Board and should include definitions of operational risk and operational loss. The documentation should include:

      • The governance structures that manage operational risk as well as reporting lines and who's accountable
      • All risk assessment tools and how they are to be used
      • Full, detailed description of the organization's operational risk appetite and tolerance. Thresholds/limits for inherent and residual risk as well as approved risk mitigation strategies and instruments should be included
      • Approaches to establishing and monitoring thresholds for inherent and residual risk exposure
      • Risk reporting structure and Management Information System (MIS)
      • A common taxonomy of operational risk terms to ensure consistency in the identification or risks, exposure rating and risk management objectives
      • Independent review and assessment of operational risk
      • Requirements for policy review when material change in operational risk profile of the organization occurs

      The Board of Directors has the responsibility of establishing, approving and regularly reviewing the operational risk framework for effectiveness.

    3. Design the Right Operational Risk Governance Structure
    4. A robust and effective operational risk governance structure is crucial in management of operational risks. The Basel committee recommends that senior management develop such a structure and get the sign-off of the Board of Directors before implementing it across the organization.

      The operational risk governance structure should take into account the size, nature, complexity and risk profile of an organization and its activities. The following should be taken into consideration when designing such a structure:

      • The committee in charge of operational risk management can either be the enterprise level risk committee itself or a sub-committee of the same. This depends on the size of the organization and its complexity. Smaller organizations can use a flatter organizational structure that oversees operational risk directly within the board's risk management committee
      • The composition of the committee should be a mix of members with expertise in business as well as financial activities and independent risk management. The operational risk committee can also include independent non-executive board members
      • The operational risk committee should hold meetings at regular intervals and have adequate time and resources to have productive discussions and make meaningful decisions.
      • Records of committee operations should be full and detailed enough to allow proper reviews and evaluation of the committee's effectiveness

    5. Use Right Tools to Identify and Assess All Operational Risks
    6. The basic foundation of a sound operational risk management system is proper identification and assessment of operational risks. It is the responsibility of the senior management to carry out these tasks. Thorough risk assessment will allow an organization to better understand its risk profile and utilize risk management resources more effectively. The following tools can be used to identify and assess operational risks:

      • Audit Findings - These can provide insight into inherent risks - both internal and external
      • Internal Loss Data Collection and Analysis - Data relating to internal operational losses provides good information to assess exposure to operational risk and effectiveness of internal controls
      • External Data Collection and Analysis - External data such as gross operational loss amounts, dates, recoveries and causal information for operational loss events at other organizations can help in determining the operational risks
      • Risk Self Assessments (RSA) - In these assessments, an organization assesses processes underlying its operations against potential threats and vulnerabilities and considers their impact
      • Risk Control Self Assessment (RCSA) - These evaluate inherent risk (risks that exist before controls are applied), the effectiveness of the control environment and residual risk (risk exposure after controls are implemented)
      • Business Process Mapping - Can help in identifying the key risk points in the overall business process. This can reveal individual risks, risk interdependencies, and areas of control or risk management effectiveness
      • Risk and Performance Indicators - These provide insight into status of operational processes, which in turn can provide information about operational weaknesses, failures, and potential loss
      • Scenario Analysis - An effective tool to consider potential sources of significant operational risk and need for additional controls or mitigation solutions
      • Measurement - Larger organizations can use output of risk assessment tools as inputs into models that estimate operational risk exposure, thus quantifying risks.
      • Comparative Analysis - Comparing results of various risk assessment tools to provide a better view of an organization's operational risk profile

    7. Implement an Approval Process for New Products and Processes that Assesses Operational Risks
    8. Exposure to operations risks increases when an organization:

      • Engages in new activities
      • Develops new products
      • Enters new and unfamiliar markets
      • Implements new business processes or technology systems
      • Participates in businesses that are geographically distant from headquarters

      In order to mitigate these operational risks, organizations must have approval policies and procedures that consider:

      • Inherent risks in the new product, service and activity
      • Changes in operational risk profile, appetite and tolerance
      • Required controls, risk management processes, and risk mitigation
      • Residual risk
      • Changes to risk thresholds/limits
      • Metrics to monitor the risks associated with a new product or activity

    9. Maintain a Robust Operational Risk Reporting Mechanism
    10. All those involved in operational risk management - the Board, senior management, business verticals - should be part of a robust reporting mechanism. The organization should ensure that operational risk reports are:

      • Comprehensive
      • Accurate
      • Consistent and
      • Actionable across all business lines and products

      It's important to remember that reports should be manageable in scope and volume. Operational risk failures can occur if effective decision making is impeded by either excessive or scarce data.

      Operational risk reports can include internal financial, operational and compliance indicators as well as external market factors and environmental information. They should also include:

      • Any breaches in the organization's risk appetite and tolerance statement
      • Changes in risk threshold/limits
      • Details of recent significant internal operational risk events and losses and
      • External events that can impact the organization as well as its operational risk capital

    How can governance, risk and compliance training help?

    The areas highlighted above are just a small part of the wide range of practices and processes in the GRC domain. Subjects such as governance, risk and compliance are multi-faceted and complex and can be better understood after attending a training course such as the ones offered by ComplianceOnline. Our courses are available as live webinars, training recordings and in-person seminars. We also offer customized training courses developed in conjunction with organizations that wish to train large groups of their employees.

    If you need customized training courses or specialist GRC consulting services, please contact us through email [email protected] or
    call us at this toll-free number: +1-888-717-2436