When it comes to enterprise risk, the first types of exposures that come to mind are strategic, financial, compliance, or even cyber. However, since organizations are composed of people, operational risk exposures are seated at the heart of an enterprise’s risk matrix, since it deals with the risk of business operations failing due to human error. In fact, operational risk is commonly summarized and referred to more aptly as human risk.
In this article, we’ll explore the most fundamental of enterprise risk—operational risk—its four main categories/types, and considerations and measures for mitigating these exposures.
What is Operational Risk?
Operational risk is defined as an organization’s risk that stems from human-created procedures and thinking processes (again, in more simple terms, human risk). This type of enterprise risk tends to take on new forms depending on which industry is involved. For example, a transportation enterprise and its constituent employees are quite different from an organization and its workers involved in manufacturing. In turn, these two firms inherently have different types of operational risk.
According to McKinsey and Company, direct losses from operational risk failures are on the rise—driven by the current volatility of today’s economic arena, resulting losses have a larger material impact on an enterprise’s share price than ever before. McKinsey sampled close to 400 operational risk events at enterprises across North America and Europe; its finding revealed that, over time, total shareholder returns (TSR) declined by 2.7 percent in overall returns, compared with peers during the 120 days after the operational risk event. This amounts to an average of $1.9 billion, or 3.7 times the average actual loss value of $500 million.
It’s worth noting, however, that differing operational risks are less related to what is being produced (e.g., in the previous example—the movement of people versus the creation of fast-moving consumer goods) and more to the active decisions being made regarding the firm’s functions, related prioritization efforts, and resulting/related internal management decisions. Also, since operation risk is fundamentally human risk, industries with lower levels of human interactivity naturally have lower operation risk exposures.
Four Main Types of Operational Risk
1. People
Operational risk emerging from people may stem from talent shortages or deficiencies in existing team members (e.g., lack of updated training, insider threats). Understaffing during seasonal peaks and suboptimal employee skill levels are examples of people-related operation risks. Proper hiring tactics/strategies can be a mitigative measure for this type of risk, as well as proper employee upskilling and training.
2. Processes
Organizations in all industries are composed of sets of processes that require a sequential ordering of events. These processes and their sequences must be codified to replicate, improve/refine, and train human executors/operators. Without a fully realized set of processes and documentation regarding how to carry out these processes, organizations are at risk of various internal failures such as stoppages due to high turnover, failed internal controls, and losses due to theft/collusion.
3. Systems
In this day and age, even enterprises that operate in the most traditional industries rely on software and systems to carry out their day-to-day operations. Operational risks vis-a-vis these systems include outdated computing platforms/software, misconfigurations, and suboptimal or underperforming machines. These technical deficiencies invariably result in a compromised resilience/security posture and the heightened risk of system failures, cyber-attacks, and exploitation by malicious actors.
4. External Events
Operational risks may also originate from outside the proverbial company walls—events like natural disasters and physical impediments to daily operations (e.g., storms/earthquakes resulting in road blockages, political unrest impacting shipping routes) are the most obvious examples, but negative business externalities such as third-party disagreements and contract defaults also fall in this category.
Operational Risk Assessment and Mitigation Strategies
As with any type of risk, the first step to mitigation is understanding it; to this end, key risk indicators (KRIs) and data can help to establish benchmarks for proper risk visibility and situational awareness. Operational risk management software can help organizations dynamically gauge the amount of operational risk present at any given time. Other operational risk mitigation strategies include continuous evaluation (i.e., cost/benefit analysis) of risk undertaken and proper delegation of risk decisions to upper management. Again, these require the proper all-around visibility access to risk instruments for making such assessments.
Automation For Reducing Human/Operational Risk
As mentioned earlier, industries with lower levels of human interactivity are less prone to operational risk exposures. Extending this concept, more automation tends to result in less manual effort and—as a direct result—lower levels of human and operational risk. To this end, the optimal operational risk management platform helps organizations aggregate risk, insurance, and environmental health and safety (EHS) data into a unified, single source of truth for empowering upper management with the proper decision-making instruments.
In short, operational risk may be a fixture of modern enterprises’ operating environments, but it doesn’t have to pose an existential threat. With the right solution in place, firms can evaluate, mitigate, and monitor operational risk with powerful analytics, business intelligence, and reporting capabilities. Talk to a Ventiv professional today and learn how an operational risk platform can help improve your firm’s performance with effective governance and risk visibility/ownership.
