Financial Risk Management - Unit 3.pptx

Uploaded by

avirallawania29
Copyright
© All Rights Reserved

Operational Risk

Dr Mahesh Kumar T
The Operational Risk - Introduction

The Basel Committee defines the operational risk as the "risk of loss resulting
from inadequate or failed internal processes, people and systems or from
external events".
This definition includes human error, fraud and malice, failures of information
systems, problems related to personnel management, commercial disputes,
accidents, fires, floods... In other words, its scope seems so wide you do not
immediately perceive the practical application.
Moreover, the concept of operational risk appears at first glance not very innovative,
since the banks did not wait for the Basel Committee to organize their activities in
the form of procedures, and to develop internal audit departments to verify the
correct application of these procedures. However, spectacular failures, like Barings
(The Global Investment Management Firm), have drawn the attention of
regulators to the need to provide banks with prevention and coverage mechanisms
against operational risks (through the allocation of dedicated capital).

The implementation advocated by an increasing number of studies on this subject
is to consider as an actual operational risk:
❖ any event that disrupts the normal flow of business processes
❖ and which generates financial loss or damage to the image of the bank (although
the latter outcome has been explicitly excluded from the definition of the Basel
Committee, it still remains a major concern).
Proactive management of operational risk, in addition to allowing compliance with
the requirements of the Basel Committee, necessarily leads to improved production
conditions:
streamlining of processes which results in increased productivity, improved quality
leading to a better brand image. In particular, such an approach allows the
development of quantitative tools which define measurable objectives for operational
teams in terms of reduction of operational risks.
Risk map
The first step in the process of monitoring operational risk is to establish a risk map.
This map is based on an analysis of business processes, which we cross with the
typology of operational risks.
A business process is a set of coordinated tasks, which aim at providing a product or
service to customers. The definition of business processes primarily corresponds to a
business-oriented analysis of the activity of the bank, and not to an organizational
analysis.
Determining the business processes thus starts with the identification of the different
products and services, then the actors (who may belong to different entities within the
organization) and the tasks involved in providing these products.
Then, to each step of the process, we assign the incidents likely to disrupt its
unfolding and prevent the achievement of its objectives (in terms of concrete results, or
in terms of time). For each event, risk is assessed in terms of:
▪ Probability of occurrence,
▪ Resulting loss in case of realization.
Each event with possible risk must be assigned to a risk category (making future data
analysis easier and faster) and, in organisational terms, to the business line where the
incident would occur. The Basel Committee has defined standard lists:
The classification of risks must match the high-level view desired by the
management: it must allow synthetic analyses that are transverse to all
activities and as such should be established by a central risk management
department.
On the other hand, in order to be realistic and useful, the analysis of business
processes and of incurred risks must be entrusted to relevant operational staff.
They will use a rigorous framework, identical for all, but which allows them to describe
their activities.
Finally, the map would not be complete if it did not come with the identification of key
risk indicators: these are quantifiable elements that may increase the likelihood
of the occurrence of a risk: number of transactions processed, absenteeism
rate, etc. This concept is at the core of the so-called "scorecard method".
Internal fraud – Acts of fraud committed internally in an organization go against its
interest. Losses can result from intent to defraud, tax non-compliance,
misappropriation of assets, forgery, bribes, deliberate mismarking of positions and
theft.
External fraud – External frauds are activities committed by third parties. Theft,
cheque fraud, and breaching the system security like hacking or acquiring
unauthorized information are the frequently encountered practices under external
fraud.
Employment practices and workplace safety – Non-compliance with employment or
health-and-safety laws and regulations is a grave operational hazard in any
organization.
Incompetent maintenance of employee relations takes a toll on employees,
claiming their well-deserved compensation and benefits. Unethical termination criteria
and discrimination are other operational risks that subject institutions to serious
financial and reputational damage.
Clients, products, & business practice – Organizations fail to meet promises
made to their clients as a result of unintended circumstances arising from negligent
practices. Privacy and fiduciary breaches, misuse of confidential information,
suitability issues, market manipulation, money laundering, unlicensed activities and
product defects are very common practices that lead companies to face lawsuits.
There are many intentional and unintentional malpractices exercised in the business
world. Entrepreneurs should learn the do’s and don’ts before starting up.

Damage to physical assets – These are losses incurred by damages caused to
physical assets due to natural disasters or other events like terrorism and vandalism.
Rapid and unexpected changes in climatic conditions have been a constant cause of
concern in the business world for more than a decade in recent history.
Business disruption and systems failures – Supply-chain disruptions and
business continuity have always been a big challenge for banks. System failures
(hardware or software), disruption in telecommunication, and power failure can all
result in interrupted business and financial loss.
Execution, delivery, & process management – Failure in delivery, transaction or
process management is an operational risk that has the potential to bring loss to a
business. Errors in data entry, miscommunication, deadline misses, accounting
errors, inaccurate reports, incorrect client records, negligent loss of client assets and
vendor disputes are operational risk events that could bring about legal threats to the
organization.
Operational risks can be mitigated efficiently if bankers learn the core operational
vulnerabilities of their businesses, and set the risk indicators accordingly. And the right
way of dealing with it is to educate employees to analyze and manage operational risks
on a daily basis.
Operational risk causes are evolving periodically and banks need to develop an
innovative eye to tackle them. Poor management of operational risks can also damage
the credibility, reputation and finances of an organization.
Why is Operational Risk Management (ORM) Important?
Operational risk, in the context of risk management, has become more significant now
than ever before. An effective ORM program, aligned with strategic business goals and
objectives, is essential for an organization to stay resilient in today’s fast-changing risk
environment. Here are a few reasons why ORM is important for businesses:
1. Effective identification and assessment of key operational risk exposures: ORM
enables an organization to identify, measure, monitor, and control its inherent risk
exposures. Elements like risk assessment, loss event management, and key risk
indicators play an important role, enabling the organization to evaluate the gaps arising
from risk and control frameworks.
2. Efficient allocation of operational risk capital: With a streamlined operational risk
management process, efficient allocation and utilization of operational risk capital can be
ensured.
3. Timely operational risk management information: A robust ORM program, supported
by software solutions, can help decision-makers gain effective, real-time visibility into
ongoing risk management efforts, critical and high-priority risks, and areas of concern.
This helps them accelerate the decision-making process significantly.
4. Risk-aware culture: An ORM program implemented across the enterprise with support
from the top management and leadership goes a long way to improve an organization’s
risk-aware culture and environment. Organizations with a risk-smart workforce are able to
better identify risks in a proactive manner, enabling them to stay ahead of the curve.

5. Continuous risk management and resilience: Operational risk management is not a
one-time exercise but an iterative and ongoing process. Continuous review and
monitoring of the ORM program helps an organization not only stay on top of the evolving
risks but also improve its preparedness for the unknown unknowns.
Most Common ORM Challenges

Failure to Detect New Risks
Lack of a Common Understanding of Operational Risk
Lack of Skilled Resources
Difficulty in Representing the Impact of Operational Risks in Monetary or Business Terms
Data Inconsistency
Operational Risk Framework
Identification of Risk
The risk identification and assessment process is a critical part of effectively managing risks
or events as part of an organization’s operational risk.

Risks are identified, and then classified by risk category. Each risk is then assessed based on
its impact, and prioritized in order to direct management focus toward the most important,

The process consists of 4 simple steps conducted by a Risk Committee:


1. Identify potential risks that could impact the organization and classify each risk into
categories.
2. Rate each risk based on impact and likelihood, and provide rationale and understanding
of root causes related to each risk (additional criteria can be rated; some processes
include ‘speed of onset’ and ‘vulnerability’).
3. Prioritize top-rated risks to ensure the right ones are managed going forward.
4. Develop specific action plans to address the risks.
Escalation:
Incident Escalation Protocols: Establish clear protocols for escalating significant risk
events or breaches to senior management or the board to enable timely decision-making.
Crisis Management Plans: Develop and test crisis management plans for severe
operational risk events, outlining roles, responsibilities, and communication strategies.
Remediation:
Corrective Action Plans: Develop action plans to address identified weaknesses or
incidents, including deadlines and assigned responsibilities.
Post-Incident Reviews: Conduct root cause analysis of incidents to identify underlying
causes and implement measures to prevent recurrence.
Follow-Up: Regularly follow up on remediation efforts to ensure corrective actions are
completed and effective.
Top-Down Approach vs Bottom-Up Approach to Operational Risk Assessment
The identification of operational risks is one of the most crucial steps in
managing risks. The failure to identify risks almost certainly means that the
organization will not take any action to mitigate them. Hence, to identify risks,
a thorough scan of the entire organization and its operating environment is
necessary. This is the reason that companies often use a combination of a
top-down approach as well as the bottom-up approach in their bid to identify
operational risks.
The top-down level of risk identification starts with the actions of the senior management.
This is because the data required to conduct the top-down analysis is not available to people
working at lower levels. Top-down risk identification is generally done by the senior
management in seminars. The major process owners of the organization try to brainstorm about
what could go wrong with their operations.

These sessions include scenario generation exercises wherein the executives are supposed to
come up with the probable scenarios that the external environment can bring up and the response
that the organization would give in each case. Generally, the top-down approach considers
emerging technology and global risks in these meetings. This type of risk analysis happens
quite infrequently. This is because the external environment does not change very often.
The bottom-up approach to risk management is the opposite of the top-down approach. This is
because the bottom-up approach is often undertaken by supervisors and mid-level
management. However, they take their inputs from the lowest levels of workers. Process
mapping and interviews are some of the most common techniques which are used in bottom-up
management. This is because the idea is to map the entire process at a granular level. Interviews
help identify the most common threats to which the process is vulnerable.

Also, it is the job of the management to conduct an operational risk analysis to identify key
people and systems which can cause a systemic breakdown in the organization. This risk
identification focuses on how technology and people can be deployed to provide optimum
results for the company. However, there is an inherent issue with the bottom-up approach.
Many times, managers are too engrossed in finding their individual risks.
Hence, this is conducted on a very micro level. The end result is the identification of a series of
disjointed risks. These risks may not have any pattern to them and may be at a very low level.
Hence, formulating an organization-wide approach to mitigating these risks might become
difficult in such an environment. The frequency of this process is quite high. Companies often
conduct half-yearly or annual risk audits in order to identify the risks and create plans to
mitigate them.
Reports

“Executives today face many challenges to their businesses, from uncertain economic growth
to the speed of technological change. Add the clear and present risks of cyberattacks,
changing customer behaviors, and you have a landscape in which the first-line owners of risk
must also take the lead in managing that risk.” (PwC, 2017)

“Properly implemented, Risk Management can provide strategic and operational
opportunities by focusing activities on what is important to an organization. Risk
management creates value by providing opportunities for process improvement; controlling
the risks that can hurt the organization most, breaking down silos, and helping the
organization achieve its objectives” (Wallis, 2014).
Best Practices to Follow in Operational Risk Management

Develop, Implement and Maintain a Framework for Operational Risk Management

Design the Right Operational Risk Governance Structure

Use the Right Tools to Identify and Assess all Operational Risks

Implement an Approval Process for New Products and Processes that Assesses Operational Risks

Maintain a Robust Operational Risk Reporting Mechanism