Operational risks in business
Given the evolving global risk landscape, organizations are increasingly looking for ways to identify and manage operational risks effectively.
Most organizations understand that they assume risks related to the people and processes they employ. So, there will always be some level of operational risk, given that people and processes aren’t perfect. What’s more, innovative technologies and the massive amount of available data have changed not only customer interactions but also how businesses operate internally.
With this in mind, companies need to understand the evolving business operational risks they could be exposed to, as well as how they can be mitigated in order to prevent them from negatively impacting their organizations.
The good news is that technology has also expanded operational risk management capabilities. There are more analytical tools, extended data sets, and other sources of information. Artificial intelligence and machine learning models can identify patterns and take operational risk management to a new level, reducing the likelihood of operational failure and the damage that comes with it.
What is operational risk?
The definition of operational risk, generally, is the risk that people, processes, and technology will interact in unintended ways and produce unwanted outcomes. These range from chronic inefficiencies to disastrous failures accompanied by news headlines that can damage a company’s reputation.
Types of operational risks
When trying to understand the meaning of operational risk, it’s helpful to have a basic sense of the different types of risk. Operational risks are usually broken down into five categories:
1. Technology risk is the risk of system failure due to design flaws or unintended interaction between systems, or of disruption due to hardware outages or software failure.
2. Process risk is the risk of poorly designed processes that don’t use technology effectively and don’t have appropriate checks and control points.
3. People risk comes from the decisions and non-decisions, actions, and non-actions of employees, customers, and other human resources, both internal and external.
4. Legal and compliance risk comes from internal and external regulations such as tax laws, human resource laws, or sanctions lists.
5. External event risk comes from events outside of the organization’s control, such as natural disasters or power grid failures.
What are examples of operational risks?
Common operational risk examples in business include:
- Employee error or employee conduct
- Fraud (both internal and external)
- Breaches of private data resulting from management oversight
- Oversights related to business processes and controls
Sources of operational risk failure
Most operational risk failures are the result of a chain reaction of people, processes, and technology failures. Fraud, for example, arises from the ability of individuals to act in unethical ways, getting around systems and process controls. In such cases, vetting and background checking failed to prevent unethical individuals from entering or interacting with an organization. While technology and process controls are also essential tools to reduce business operational risk, the best way to avoid risk from fraud or other financial crime is to rigorously manage the ethical standards, the level of experience, and the skill levels of the people involved in company activity.
Questionable sales practices, the entry of unauthorized transactions, unethical use of customer data, and cybersecurity are all examples of operational risk failures that begin with people. In addition, legal, compliance, and regulatory risk creates exposure for all parties directly or indirectly involved in company business. This includes employees, clients, and service providers.
Operational risk failures can also come from the failure to properly restrict transactions with a sanctioned entity, leading to increased scrutiny and consequences that can include legal liability, fines, and in extreme cases, loss of licensing and the ability to operate.
Well-known examples of operational risk failure
Wells Fargo Account Fraud Scandal
Wells Fargo was once one of the most well-respected banking brands, but now it continues to struggle to recover its reputation from a disastrous scandal. In 2016, it was revealed that Wells Fargo had inflated sales numbers by opening millions of fraudulent accounts without consent.
Ultimately, in 2020, the bank was ordered to pay $3 billion as part of a criminal prosecution by the Justice Department and to settle a civil lawsuit. On top of this, 5,300 bankers were fired for creating as many as two million unwanted bank and credit card accounts.
This major oversight was said to be set in motion by the head of community banking, who focused on sales targets and withheld information from her boss and the board. Bankers across the branch system were encouraged to reach sales goals by committing fraud. To meet quotas, employees opened unneeded customer accounts, ordered credit cards without customer permission, forged client signatures, and sometimes moved money in and out of sham accounts. Clients began to notice the fraud after seeing unanticipated fees and receiving unexpected credit or debit cards or lines of credit.
Moderna Staff Turnover
Moderna, the maker of a leading COVID-19 vaccine, is experiencing growing pains as it transitions from a biotech startup to an established provider of vaccines and drugs. The recent rapid turnover of key staff has been a very public embarrassment and raised questions about the quality of management decision-making.
On May 11, Moderna let its new CFO Jorge Gomez go only one day after he took the reins of the company, following the public disclosure of a financial reporting investigation at his former firm, Dentsply Sirona Inc., a maker of dental products. The investigation is focused on the company’s use of sales incentives, including whether or not those incentives were properly accounted for and whether or not senior management directed the use of incentives and other actions to achieve executive compensation targets.
How to manage operational risks
Effective operational risk management can help an organization reach its strategic goals while also mitigating risk exposure that could lead to long-term financial and reputational damage. Specifically, being aware of the business operational risks can result in improved visibility at the C-suite level, better relationships with customers and other stakeholders, as well as more informed business decisions.
Effective operational risk management begins with a clear view of operations, including key dependencies and interfaces.
1. Set Objectives and Clearly Define Terminology – Operational objectives, generally related to delivering quality products and services in a cost-efficient manner, are essential. These objectives, incorporating standards for employee conduct, must be clearly articulated and communicated. A standard set of risk terminology must be defined and consistently applied to ensure there is a common understanding throughout the organization.
2. Establish a Clear View of Operations – A clear view of operations includes a map of processes, risks, and controls, including identification of:
- Supporting technology (both internal and external)
- Number of handoffs (including automated versus manual handoffs)
- Use of third-party services
- Client interfaces
- Vendor interfaces
3. Risk Measurement – Risk self-assessments and control reviews are traditional, backward-looking approaches. These have their value but should be supplemented by technology-driven risk management tools.
4. Risk Mitigation – Operational risk mitigation involves selecting a method of controlling specific business operational risks. This can be done in the following ways:
- Transfer – Operational risk can be transferred to achieve efficiencies or to access expertise as needed. That being said, this could create other risks that also need to be managed.
- Accept – Management always has the option to accept the operational risk associated with a choice and move forward. In this case, management must weigh the potential costs versus the potential benefits.
- Control – A control is a measure that is put in place to limit the possible effects of risk. However, it is always better to prevent risk rather than try to do damage control.
- Avoid or Reduce – Ideally, operational risk should be avoided whenever possible. A thorough review of a potential partner’s or company’s background before the start of a potential business relationship can prevent significant financial or reputational damage.
5. Risk Monitoring – This step involves evaluating the key risk indicators, which are metrics that are observed over time to monitor levels of operational risk and to observe trends as well as potential control failures. These can provide an early signal of emerging operational risk exposure.
What are the challenges in managing operational risks?
Operational risk is always clear in hindsight, but it’s challenging to anticipate the specific operational risks that can cause serious damage. This is because operational risks are, by nature, harder to identify than other risks, as they can be more challenging to define. Operational risks can also be very minor or very large. For example, the risk of loss from minor human mistakes is generally not considerable. However, human mistakes combined with poor operational controls and, worst case, with bad intentions and a lack of ethical management, can lead to serious fraud.
Complicating matters further, businesses are always changing, and their operations change with them. Thanks to technological advances and the availability of large data sets, enterprises are becoming more and more complex operationally every day.
Taking this into consideration, operational risk management depends on an up-to-date understanding of the interactions between employees and customers and the use of technology, both internal and external. As a result, the risk landscape is constantly changing, and therefore, the list of operational risks that need to be accounted for is only growing.
Legal and compliance risk is also a key part of the changing risk landscape, given that new or modified sanctions are announced frequently, adding yet another layer to operational risk management.
In addition, an organization might not be able to fully evaluate all of the operational risks it is exposed to if it doesn’t have the necessary systems or software in place to collect data in a way that prevents data overload, highlights risks in a timely fashion, and facilitates management decision-making.
New tools to advance operational risk management
New analytical tools can harness large data sets and detect suspicious patterns or departures from existing patterns. Given these capabilities, more and more investment firms are turning to advanced technologies like artificial intelligence (AI) and machine learning to manage their business operational risks.
Using AI and the analytical insight of human specialists, Intelligo provides detailed background checks on individuals and companies to help investors identify and understand operational risks, enabling them to make informed business decisions.
Continuous monitoring of operational risks
A background check is only good until it is published, as new operational risks can emerge at any time. Continuous monitoring can help to manage operational risks that may arise over time. Intelligo’s Clarity Live alerts you as soon as new adverse information comes to light. Some of the data points that could be included in a Live report are criminal records, civil records, sex offender lists, bankruptcy records, international sanctions, and other watchlists.
While some level of operational risk is inevitable, understanding operational risk and identifying it while it is still a manageable problem can prevent irreparable damage to a business. Although they can be challenging to manage and are constantly evolving, failure to detect operational risks can have serious and long-lasting consequences. With this in mind, evaluating operational risk can add valuable insight to any pre-investment decisions.