Managing Operational Risk for Organisations

Recent history is marked by catastrophic corporate events that have their roots in operational failures. To name a few, Toyota, British Petroleum (BP) and Barings are global companies that have paid the price for their operational failures.

The recent financial crisis has resulted in increased regulatory scrutiny and a loss of public confidence, and has highlighted the fragility of a company’s reputation and brand.

For financial institutions, the development of regulatory requirements such as Solvency II and Basel III reflects a growing concern to provide them with a robust risk management framework and guidelines for addressing operational risk.

What is ‘Operational Risk’?

Basel II defines operational risk as ‘the risk of loss resulting from inadequate or failed internal processes, people and systems or from external events’. This illustrates the many potential sources of risk, ranging from quality and product failures to fraud, people risks and technology risks.

Corporate disasters rarely have a single cause; they are usually triggered by a combination of human error, IT failure and rash business decisions. These seemingly minor events are easily overlooked, and when left unmonitored they can quickly snowball into severe and unwanted consequences.

A weak control culture and environment is often the culprit in letting risk slip past management and board oversight. The pressure to meet financial or performance targets, the illusion of control, cognitive biases and misconceptions about risk also contribute to ineffective operational risk management.

Stakeholders can be lulled into complacency by a series of previous near misses or low-impact events. Operational risks are commonly perceived as high-frequency, low-impact risks that are harmless and easy to manage. However, if not properly managed, these risks can ‘mutate’ into operational ‘black swans’ that hinder the achievement of strategic objectives.

Approach to Operational Risk Management

An effective operational risk framework equips an organisation with a robust defence system in which risk roles and responsibilities are defined and exercised differently at each level of the organisation.

Given the differing risk environments and the varying maturity of risk management practices across organisations, there is clearly no one-size-fits-all approach to managing risk.

Below are strategies organisations can adopt to build and sustain their operational risk management efforts:

Create the tone from the top

The first step to building a healthy risk culture begins with leadership. An organisation’s risk culture cannot be moulded if the change comes from the risk management function alone.

Key to building the desired risk culture is communication. Communication is not about imposition, but about educating employees with a ‘what’s in it for me’ message.

It is also crucial that leadership takes an active role in managing risks rather than merely rubber-stamping risk reports. A sustainable programme, such as incorporating risk practices into policies and procedures, should be established to foster a culture of risk management throughout the organisation. This builds awareness and competency in managing risk.

Define your appetite for risk

Many companies may be satisfied with their existing internal control environment. However, further analysis often reveals that there are either too many or too few controls, because they were set independently of the organisation’s business objectives. The overriding principles are that the appetite for risk must be clearly defined, aligned with corporate objectives and embedded within the business processes.

Companies must accept that people, processes and technology are imperfect, and that errors and ineffective operations may lead to losses. Weighing the possible loss against the cost of mitigating those imperfections helps them assess their operational risk appetite. That balance determines the acceptable level of risk: one that supports, rather than slows, business growth.

Cascade risk and controls ownership and accountability

People are crucial to the success of an operational risk management framework. An important design principle of operational risk management is cascading operational risk roles and responsibilities to the business, thereby building a robust first line of defence.

Companies should also provide line management with the relevant tools and systems, and align risk management with the compensation model to promote greater awareness and ownership of risk.

Tools such as risk and control self-assessment programmes and the formal appointment of business risk owners ‘mandate’ the business to play an active role in assessing the risk and control environment. This goes a long way towards building a sustainable business.

Organisations should embed operational risk management into their daily operations and critical decision-making processes. For example, they can implement policies that require risks to be considered and outcomes to be assessed on a risk-adjusted basis. Such policies encourage the business to go beyond traditional financial considerations when making business decisions.

Understand and focus on the root cause

One of the greatest challenges organisations face in sustaining their risk management efforts is the lack of a systematic and disciplined approach to managing risk data. Management cannot be expected to take risk-adjusted decisions without accurate and timely risk data and information.

Financial institutions, and insurers in particular, still largely use qualitative and descriptive methods to assess, analyse and aggregate operational risks. This approach needs to be balanced with more quantitative methods such as stress testing, scenario analysis and correlation matrices.

Underlying a sustainable programme is the effective use of technological enablers that give management access to real-time risk information to support decision-making.

Risk analytics requires companies to adopt a more structured approach to collecting and archiving knowledge within the organisation, supported by a business process management system that keeps data collection practical and repeatable.

Many tend to misinterpret near misses as successful management rather than as operational hiccups that send a warning to the business. Near misses are an important source of data that allows companies to take a more proactive approach to managing emerging risks.

An effective loss and near-miss management system, including the timely escalation of such events, substantiates risk analysis, reveals trends and potential emerging issues, and ultimately supports management in making data-based decisions.

To achieve this, organisations should encourage employees to report loss events and near misses, so that root causes can be uncovered and lessons learnt and applied systematically.
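The following Python script is an added illustration, not part of the original article, of two points made above: the balance between possible loss and the cost of mitigation that defines the risk appetite, and a loss and near-miss register aggregated by root cause with escalation when near misses cluster. All event records, amounts, root-cause labels, thresholds and function names are constructed for the example and are not drawn from any real organisation.

```python
"""Loss and near-miss register: root-cause aggregation, near-miss escalation,
and an expected-loss versus control-cost check against a stated risk appetite.
Added example with constructed data; names and thresholds are hypothetical."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Event:
    when: date
    kind: str             # "loss" (realised) or "near_miss" (averted)
    root_cause: str       # hypothetical root-cause label from the register
    loss: float = 0.0     # realised loss; 0.0 for a near miss
    potential: float = 0.0  # estimated loss had the near miss materialised


# Constructed sample register covering one observed year (not real data).
EVENTS = [
    Event(date(2023, 1, 12), "near_miss", "manual_reconciliation", potential=40_000),
    Event(date(2023, 2, 3),  "near_miss", "manual_reconciliation", potential=55_000),
    Event(date(2023, 2, 20), "loss",      "manual_reconciliation", loss=12_000),
    Event(date(2023, 3, 8),  "near_miss", "manual_reconciliation", potential=70_000),
    Event(date(2023, 4, 1),  "loss",      "access_control",        loss=2_500),
    Event(date(2023, 6, 15), "near_miss", "access_control",        potential=3_000),
    Event(date(2023, 9, 30), "loss",      "vendor_outage",         loss=80_000),
]


def aggregate(events):
    """Per root cause: event counts, realised loss, and near-miss exposure."""
    agg = defaultdict(lambda: {"losses": 0, "near_misses": 0,
                               "realised": 0.0, "potential": 0.0})
    for e in events:
        row = agg[e.root_cause]
        if e.kind == "loss":
            row["losses"] += 1
            row["realised"] += e.loss
        else:
            row["near_misses"] += 1
            row["potential"] += e.potential
    return dict(agg)


def escalations(events, near_miss_threshold=3, window_days=90):
    """Root causes with at least `near_miss_threshold` near misses inside any
    `window_days` span: clustered near misses are the warning the text describes."""
    by_cause = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.when):
        if e.kind == "near_miss":
            by_cause[e.root_cause].append(e.when)
    flagged = set()
    for cause, dates in by_cause.items():
        for i in range(len(dates) - near_miss_threshold + 1):
            if (dates[i + near_miss_threshold - 1] - dates[i]).days <= window_days:
                flagged.add(cause)
                break
    return flagged


def expected_annual_loss(row, years_observed):
    """Annualised loss-event rate times average severity (loss events only;
    near-miss exposure is reported separately because it has not materialised)."""
    if row["losses"] == 0:
        return 0.0
    rate = row["losses"] / years_observed
    average_severity = row["realised"] / row["losses"]
    return rate * average_severity


def mitigation_decision(ale, control_cost, appetite, reduction):
    """Accept a loss within appetite; mitigate when the control's expected
    reduction in annual loss exceeds its cost; otherwise escalate, because the
    exposure is over appetite but the proposed control is uneconomic."""
    if ale <= appetite:
        return "accept"
    if ale * reduction > control_cost:
        return "mitigate"
    return "escalate"


if __name__ == "__main__":
    appetite = 10_000  # hypothetical per-cause annual loss appetite
    summary = aggregate(EVENTS)
    for cause, row in summary.items():
        ale = expected_annual_loss(row, years_observed=1)
        print(f"{cause:22s} ALE={ale:>9,.0f} near-miss exposure={row['potential']:>9,.0f}")
    print("escalate (clustered near misses):", sorted(escalations(EVENTS)))
    print("vendor_outage:", mitigation_decision(80_000, 30_000, appetite, 0.8))
```

Note that the loss-only expected annual loss for manual_reconciliation (12,000) barely exceeds the appetite, while its near-miss exposure (165,000) and the three near misses inside 90 days tell a different story; the escalation rule exists precisely so that a cause which looks low-impact on realised losses is not treated as successfully managed.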


Ultimately, managing operational risk is about ensuring the sustainability of the business. Organisations should have business continuity management (BCM) programmes in place, as it is unlikely they will have the resources or ability to recover 100% of their operations immediately after a disruption.

They should also conduct a business impact analysis to prioritise their critical processes, establish disruption scenarios and allocate the right resources to sustain those processes.

We live in a world where increased regulation and reputational risk continue to top the list of company concerns. Managing operational risk therefore requires a robust approach, both qualitative and quantitative. Incorporating people, processes and IT into overall risk management activities helps balance compliance activities with strategic opportunities.
