Operational risk can manifest in the form of product failure, health & safety issues, supply chain or logistics problems, loss of talent, or even the failure to comply with specific regulations in certain jurisdictions. All these could lead to disruptions to the business and, subsequently, its continued operation and ability to generate revenue. Appropriate internal controls of processes and procedures should be instituted in order to manage these risks effectively, starting with the identification of areas where the organisation is most vulnerable, and aligning this with the organisation’s risk appetite to determine its capacity for risk.
A firm’s objectives, its internal processes and procedures, and the environment it operates in are constantly evolving; its risks change in tandem. There is a need, therefore, to continuously monitor, report and review operational risk and compliance measures, for instance, and to determine whether they are fit for purpose. This raises the question of who should be in charge of all this. While internal audit has the responsibility of ensuring the overall integrity of the internal controls that keep operations humming, management and the board should establish a culture that supports robust operational risk management.
This may take the form of codes of conduct or written policies that clearly outline the organisation’s expectations when it comes to how staff perform their duties, the enforcement of rules, and the consequences of not adhering to instructions and guidelines. Management should ensure that the appropriate level of training is made available to staff who require it. Operational risk pertains to how things are done; it reflects human-made processes and procedures, and is therefore also very much a human risk, or the risk of a business failing because of human error. It varies from one industry to another, and within industries themselves.
Subject matter experts opine that, if overlooked, such risk, regardless of size, will lead to the manifestation of greater risks that may negatively impact the firm’s reputation and bottom line. Risks like business continuity, environmental risk, crisis management, occupational health & safety, and even IT, can be subsumed under operational risks. Managing operational risk has become a complex, challenging task due to its extended scope.
The IERP® Monthly Newsletter, September - November 2021