Risk and business are inextricably linked. It is common knowledge that risks and rewards are directly proportional. Successful business performance is the entrepreneurs’ reward for the risk that they have undertaken in setting up and running the enterprise.
If risk is being so handsomely rewarded, it is only logical that there is a high degree of skill required in handling it appropriately.
While risks come in all shapes and sizes, the major risks faced by a business can be classified into four broad categories:
1. Strategic: the risk of not staying the course.
2. Operational: day-to-day risks.
3. Compliance: the risk of contravening laws.
4. Reputational: the risk of damaging brand value.
Our focus here will be on exploring the various aspects of operational risks as they cut across functions and affect everyday functions.
By definition, operational risk refers to the risks associated with an entity’s regular operations. It is the risk of failure due to inefficiencies or breakdown in internal processes, people, and systems.
An interesting thing about operational risks is that they can be actively linked to the decisions made by a company and the way it functions.
Where does it come from?
Operational risk stems from four major sources:
a/ Systems: This is a broad category encompassing the structures that keep an entity functioning, mainly digital systems. The risk here can arise from multiple aspects of a system, such as an inability to handle scale, unreliability caused by bugs or errors, or obsolescence because of a reluctance to upgrade in line with current trends. An ideal example would be the recent fiasco where Tamilnad Mercantile Bank (TMB) accidentally credited INR 9,000 crores into the account of a cab driver, clearly highlighting the vulnerability of its systems.
b/ People: Staff shortages and skill shortages are key risks here. While the latter affects an entity’s ability to handle complex tasks, the former impacts the capacity of operations.
Additionally, even if new talent can be onboarded rapidly, there always remains the risk of value misalignment and the need to provide role specific training, among others. Strategy& estimates the cost of appointing an inappropriate CEO as $100 Bn for global conglomerates.
c/ Processes: A process consists of a series of steps carried out to achieve a particular outcome. The most obvious risk here is that the steps may not be performed in the desired sequence, leading to inadequate outcomes at best and harmful ones at worst. Oversight and collusion are examples of the passive and active human actions, respectively, that undermine processes.
Another risk is that the process design itself may be flawed. This can be observed in younger organizations that are yet to discover best practices or mature ones that aren’t up to date with trends.
d/ External factors: Not all operational risks are a result of internal actions; they can also result from external events. Natural disasters, geopolitical risks such as sanctions, and defaults by customers are examples of operations being hampered by external factors.
How bad is it?
Firstly, completely eliminating operational risk or any kind of risk for that matter is a myth. There are simply too many moving pieces to be able to confidently claim that we have eradicated it.
Also, as discussed earlier, risk is not arbitrarily bad. It serves as a key differentiator between companies that scrape by and those that proactively manage risks.
Is there anything we can do?
We can always do something about everything. When it comes to risks in general and operational risks in particular, mitigation depends on properly identifying and categorizing them, and then building mechanisms to mitigate them.
Experience has shown organizations that the worst outcomes come from risks that they have knowingly or unknowingly ignored. In this context, identification of all possible risks becomes imperative in order to design a comprehensive mitigation program. Two possible ways to go about this are:
a/ A top-down approach is one that originates from senior management. Since they have visibility over the entire operation as well as the strategic context, they can exhaustively map the kinds of operational risks that threaten the enterprise.
b/ The bottom-up approach involves getting execution-level and mid-level employees to give their insights on potential risks. This helps in getting to the very basics of operations to detect process- and system-related risks close to the source. Understanding role dependencies can also highlight people risks.
An observation at this juncture would be that no identification program can be exhaustive, so the key is making it an iterative effort instead of a one-time one.
Not all operational risks warrant the same kind of response. In the interest of optimizing the limited resources that an organization has, some sort of categorization is necessary.
Another point to note is that categorization must be specific to the organization, because the risks faced, the risk appetite and the resources available for mitigation vary significantly across entities. Where an organization has a framework available to it (like the Basel framework for banks), that framework can serve as a valuable starting point, but it does not remove the need to incorporate specific elements from the organization's own experience.
Illustratively, an operational risk matrix based on likelihood of occurrence and severity of impact on business operations will show 3 major categories of risk:
Cat A: Operational risks with a high probability of occurrence along with catastrophic consequences for the enterprise. For an entity in a warzone like Ukraine/Afghanistan, the external factor risks are huge and would classify as a Cat A risk.
Cat B: Here, the likelihood of occurrence is lower, and the impacts are not as severe as Cat A risks.
Cat C: Risks with the lowest likelihood of occurrence and minimal impact are categorized here.
It may be pertinent to note that the above are only the 3 major categories in a 3x3 matrix. There will be other kinds of risk, such as one with a high likelihood of occurrence but low impact. The major categories will, however, serve as a guide to the treatment of these other categories.
The granularity of this matrix depends on the needs of the organization. The 3x3 can easily be extended to a 5x5 to accommodate varying degrees of occurrence and impact as the organization’s risk function matures.
The actions taken till this point are to enable us in designing the most comprehensive yet agile mitigation mechanism. A successful program starts with minimizing operational risks at source, managing ones that exist, monitoring them stringently and making the process dynamic to bring any new risks into the framework. The essential elements observed across successful programs are:
Accept not – fear not: The US Chief of Naval Operations illustrates this point in their operational risk management principles by advocating avoidance of unnecessary risks and acceptance of only those risks where the benefits outweigh the costs. The basic rationale here is to take on only a risk that can potentially benefit the organization.
When in doubt, transfer: The second line of defense must ideally be to transfer operational risks. This forms the basis of the insurance industry. For a suitable fee, insurers will mitigate risks like natural disasters, default by creditors, and mistakes or fraud by employees. By transferring risks, organizations can focus on actively managing those risks that are more pressing and harder to track.
People are the source; they can also be the solution: Earlier, we discussed people as a major source of operational risk and the ‘human factor’ as a base constituent of this kind of risk. However, people can also help manage risks. This is highlighted by the growing importance attached to the CRO position. Many attribute the absence of a CRO as a major cause of the recent SVB downfall that sent shockwaves across the global economy.
In addition to top hires, it is also imperative to direct a steady stream of top talent to this division. A report by McKinsey & Co titled "The future of operational-risk management in financial services” suggests hiring specific profiles based on the kind of risks that are foreseen. This will ensure that subject matter experts and experience are on hand to deal with situations effectively.
In data we trust: There is still a reliance on many highly subjective operational-risk detection tools, centered on self-assessment and control reviews, which have been ineffective in detecting critical operational-risk categories. Another danger is that they miss low-frequency, high-severity events, such as misconduct among a small group of employees.
Here is where data can step in with its objectivity. Since collection of data is now routine, spotting patterns and deriving insights on the likelihood of occurrence of events, employee behavior etc. becomes possible. On the basis of data, baselines can be established and metrics like KRIs can be built to monitor the risk tolerance threshold.
KRIs are metrics that track the riskiness of any activity in relation to overall business objectives. They measure the change in risk exposure over time. It is essential that KRIs are linked to an action in the risk mitigation program and assigned to an action owner. Illustratively, if an organization wants to reduce the risk of customer defaults, one risk it faces may be the persona of the buyer, and an appropriate KRI would be the percentage of exposure to customers with low credit ratings.
Another thing to be mindful of for KRIs, and for data as a whole, is that the maximum value comes from indicators that are current or leading, as they help in pre-empting risk events. While lagging indicators are also useful in understanding shortfalls, they must always be converted into leading ones by establishing patterns in their occurrence.
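The likelihood/impact matrix above and the KRI idea (a metric tied to a tolerance threshold, an action and an owner) can be made concrete in a small risk register. The following is an added example, not code from the original article; the NxN categorization rule for off-diagonal cells, the "B"/"C" credit ratings, the 25% tolerance threshold, the customer data and the risk entries are all constructed assumptions. It generalizes the article's 3x3 to an NxN matrix (the 5x5 the text mentions works with `size=5`) and evaluates the article's own illustrative KRI, the percentage of exposure to low-rated customers.

```python
"""Added example: an NxN likelihood/impact risk matrix plus a KRI checked
against a tolerance threshold. All data below is constructed for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Risk:
    name: str
    source: str       # Systems / People / Processes / External
    likelihood: int   # 1 (rare) .. size (near certain)
    impact: int       # 1 (minimal) .. size (catastrophic)


@dataclass
class KRI:
    name: str
    owner: str             # the action owner the article insists on
    threshold_pct: float   # risk tolerance threshold
    action: str            # the linked action in the mitigation program


def categorize(likelihood: int, impact: int, size: int = 3) -> str:
    """Map a cell of a size x size matrix to the article's Cat A/B/C.

    Cat A: top likelihood AND top impact (high probability, catastrophic).
    Cat C: lowest likelihood AND minimal impact.
    Cat B: every other cell (assumption: the article only says the major
    categories guide treatment of the off-diagonal cells).
    """
    for score in (likelihood, impact):
        if not 1 <= score <= size:
            raise ValueError(f"score {score} outside 1..{size}")
    if likelihood == size and impact == size:
        return "A"
    if likelihood == 1 and impact == 1:
        return "C"
    return "B"


def register_by_category(risks: list, size: int = 3) -> dict:
    """Group risk names by category so Cat A items surface first."""
    grouped = {"A": [], "B": [], "C": []}
    for r in risks:
        grouped[categorize(r.likelihood, r.impact, size)].append(r.name)
    return grouped


def exposure_to_low_rated(customers: list, low_ratings=("B", "C")) -> float:
    """KRI value: percentage of total exposure held by low-rated customers.
    Returns 0.0 when there is no exposure, so an empty book is not a breach."""
    total = sum(c["exposure"] for c in customers)
    low = sum(c["exposure"] for c in customers if c["rating"] in low_ratings)
    return 0.0 if total == 0 else 100.0 * low / total


def evaluate_kri(kri: KRI, value: float) -> dict:
    """Compare a KRI reading with its threshold; a breach names owner and action."""
    breached = value > kri.threshold_pct
    return {
        "kri": kri.name,
        "value": round(value, 2),
        "threshold": kri.threshold_pct,
        "breached": breached,
        "owner": kri.owner,
        "action": kri.action if breached else None,
    }


# Constructed sample register (names and scores are illustrative only).
RISKS = [
    Risk("Sanctions on key market", "External", likelihood=3, impact=3),
    Risk("Core batch job fails at month end", "Systems", likelihood=2, impact=3),
    Risk("Invoice steps run out of sequence", "Processes", likelihood=2, impact=2),
    Risk("Minor data-entry typos", "People", likelihood=1, impact=1),
]

# Constructed customer book: total exposure 1,000,000, of which 400,000 is B/C rated.
CUSTOMERS = [
    {"id": "cust-1", "rating": "AA", "exposure": 500_000},
    {"id": "cust-2", "rating": "B", "exposure": 200_000},
    {"id": "cust-3", "rating": "A", "exposure": 100_000},
    {"id": "cust-4", "rating": "C", "exposure": 200_000},
]

DEFAULT_KRI = KRI(
    name="exposure_to_low_rated_pct",
    owner="Head of Credit",
    threshold_pct=25.0,
    action="Tighten onboarding limits for B/C-rated customers",
)

if __name__ == "__main__":
    print(register_by_category(RISKS))
    print(evaluate_kri(DEFAULT_KRI, exposure_to_low_rated(CUSTOMERS)))
```

The KRI here is a leading indicator in the article's sense: it moves when the book tilts toward low-rated customers, before any default has occurred, and every breach carries the owner and the linked action rather than just a number.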
Having established an elaborate framework and onboarded a competent team, all that is needed to get them firing is technology. Technology can be leveraged all the way from risk avoidance to risk monitoring and management. A few such cases are discussed here.
a/ The use of RPA can substantially reduce risks arising from human error.
b/ The use of AI tools in the risk assessment process can help circumvent the limitations and subjectivity of the teams involved.
c/ Real-time monitoring and alert systems enable timely identification and response when there is no time for human intervention.
d/ Certain types of operational risk, like cyber-risks, originate in and need to be dealt with in the technology realm.
e/ Finally, in case of an adverse event that escapes the framework, technology can be a lifesaver in ensuring business continuity. Imagine a scenario where a catastrophic earthquake wipes out the on-premises data systems. A cloud-based backup would be a lifesaver from a data perspective, especially for the digital-first businesses of today.
Is that it?
When it comes to risks in general and operational risks in particular, we cannot be exhaustive. That is the very nature of risks. Yet, we must endeavor to minimize, manage, and mitigate as best as we can. Dynamism and objectivity are the key tenets of robust risk management.
Often, there is a tendency to postpone or altogether bypass risk management, viewing it only as a cost center without any observable benefits or inflows. The hiring of a CRO or the setting up of a risk management team with the requisite technology spend may seem onerous.
Here is something to consider: it is the risk function that affords an entity the luxury of carrying on ‘business as usual’. That makes it, without a doubt, money well spent.