Operational Risk: Definition and Drivers

In the previous few articles, we have studied about the concepts of risk management in general. However, merely understanding general risk management is not enough for modern-day risk professionals. The challenging environment of today requires people to specialize in the different types of risk management. Out of all the different types of risks that are commonly studied, the organization has the maximum control over operational risk. Hence, in the next few articles, we will try to understand what operational risk really is and how it impacts the decision-making within the organization.

Definition of Operational Risk

For many years, there was no agreed-upon definition of operational risk. This meant that all organizational risks were classified into market risks and credit risks. The risks which could not be classified as either was often included in the category of operational risks. Obviously, this categorization was wrong and hence has faced severe criticism over the years. Over time, a new more acceptable definition for operational risks was arrived at. The same has been mentioned below.

Operational risk is defined as the potential loss which can occur because an organization has failed or inadequate processes, inadequate or failed systems, and/or incompetent people in the organization. It is important to note that the financial loss from the risk consists of any operational loss that may arise as well as any costs involving litigation. Reputational risks and brand management have been categorically excluded from the definition of operational risk since they are considered separately within the risk paradigm.

Drivers of Operational Risk

The above definition makes it clear that there are four major causes of operational risk. They are as follows:

1. People: Companies are supposed to be careful about whom they hire to work for them. The integrity of their permanent employees, as well as their contractors, is considered to be the responsibility of the company. A system of internal checks and balances needs to be built in order to help the company avoid operational risks. The Sarbanes Oaxley act provides some guidelines about how much risk can be avoided.

2. Processes: Companies are required to ensure that their processes work as intended. They should have a detailed idea about the flow of events in these processes. It is the job of the company to hire process improvement experts to recognize and close the gaps in the process at the earliest.

3. Systems: Organizations hold critical data in their systems. This data may belong to third parties such as banks, customers, vendors, and so on. Hence, it is the responsibility of the company to ensure that adequate data security is in place. Companies should create secure systems which prevent unauthorized data access in these systems. The systems should also be created in such a manner that they are safe from external hacking.

4. External Events: Lastly, there is always a chance that some external activity disrupts the operations of a business. The disruption caused by the COVID-19 pandemic is a prime example of this risk. Companies are expected to have detailed business contingency plans in place which allow them to continue operations even if such events occur.

Examples of Operational Risks

Many organizations have faced loss because of operational risks. Most of the time the losses are small. Hence, they are not reported in the media. As a result, awareness about these losses is not increased. However, in some cases, the losses are quite significant and hence end up being reported in the media. Some examples of these high profile adverse events related to operational risk are as follows:

There have been several financial frauds such as Enron, Worldcom, Bernie Maddoff scam, or the scam involving Raj Rajaratnam. These are all premier examples of how a group of incompetent or dishonest people is able to cause grievous loss to their organizations. Sometimes the loss is so severe that these organizations cease to exist as a result! The recent scam involving Facebook and Cambridge Analytica can also be included here because here too the actions of some contractors ended up harming the organization.

There are many examples wherein the systems of organizations have failed and as a result, the organization has suffered significant losses. For instance, many technology companies have been victims of cyber attacks in the recent past. Companies like Adobe, eBay, Equifax, and even LinkedIn have been found themselves at the center of many data leaks. This is also the case with many banks and financial institutions. Since data is vital to the performance of business activities in this organization, these data breaches have significantly impacted the business of these companies.

Lastly, there are many examples wherein processes set by organizations have failed. For instance, companies like Renault and Hyundai have been in the news. This is because some of their internal checks and balances failed. Their quality assurance team was not able to properly classify vehicles. As a result, faulty vehicles were sold. The end result was that these faulty vehicles had to be recalled and the organization had to suffer significant operational harm even if the reputational harm is not considered.

The bottom line is that there a clear and concise definition of operational risk which is in place. The drivers and causes of operational risk are also well known. It is this knowledge that enables the measurement and management of operational risks in the organization.