DISCLAIMER: The information in this article is not meant to provide any legal, tax/accounting or investment advice. Please consult with your own investment, tax, and legal advisor.
Introduction
Operational Risk often gets overlooked compared to broader GRC (Governance, Risk Management, Compliance) topics and Cybersecurity. This article highlights its importance for board members, outlining a three-phase maturity approach. It covers the evolution from initial to fully implemented Operational Risk functions and provides practical steps and questions for board meetings to ensure effective risk oversight and continuous improvement.
Background
The topic of Operational Risk often goes unnoticed between the larger GRC (Governance, Risk, and Compliance) domain and its own subtopic of Cybersecurity. In fact, Operational Risk is part of GRC, and Cybersecurity is part of Operational Risk (OR). OR has two siblings, market risk and credit risk. This article focuses on OR.
So why should a board care about Operational Risk?
Consider these basic hypothetical scenarios:
- Insufficient training or knowledge transfer leads to a client receiving the wrong merchandise.
- A factory’s bookkeeping department cannot pay an invoice because they lack access to their accounting system, resulting in a penalty payment despite having funds available.
- A customer falls in a public area of a hotel, and the company needs to pay for medical treatment.
- An employee gets hurt while working at an automated assembly line due to insufficient workplace protection.
- …. And the list goes on and on and on…
What do these scenarios all have in common?
Yes, they are examples of Operational Risk.
I think we can all agree that we DO NOT want these scenarios to materialize in our companies.
As a company’s board represents a supervisory function, it is ultimately responsible for overseeing the risk exposure of the entire firm, and this includes Operational Risk events such as those above.
Operational Risk can be subdivided into several distinct (often overlapping) categories such as Business Continuity Risk, Cyber Security Risk, Technology Risk, Supplier Risk, Process Risk, Project Risk, etc.
A lot has been written about Cyber Security Risk, so we leave this aside in this article. Also, keep in mind that Business Risk (e.g., the risk of a failed product) is separate from these categories.
How is Operational Risk Management relevant for my next board meeting?
How you as a board member address Operational Risk in the boardroom depends on two factors:
- How sophisticated your OR function needs to be.
- How advanced your business is in the implementation of that OR function.
Your trajectory for tackling Operational Risk depends on the complexity of your company. If your company is just at the beginning of its Operational Risk journey, you want to take a measured approach. Otherwise, you might overwhelm your business stakeholders (clients, employees, suppliers, etc.) and not get sufficient buy-in, or you might scatter your efforts in too many directions at once.
Let us differentiate three distinct levels of maturity in terms of Operational Risk implementation.
Phase 1: Your company has never or just barely had Operational Risk on its radar …
How do you know if your company falls into this category?
Check if your company falls into this maturity stage by asking yourself honestly these key questions:
- If you have an OR question, do you know whom you can reach out to in the executive team? Does a basic OR reporting and escalation structure exist in your company?
- Has someone from the executive team regularly reported to the board on operational losses, failed processes, and customer complaints? (think of the examples above). Are you happy about the quality of information you get?
- Does your company have a documented business continuity and crisis response plan, and is it regularly updated?
- If you have an Operational Loss or Business Continuity disruption, is there any follow-up with lessons learned?
If the answers to these basic questions are ‘No,’ it is time to start with the basics.
In this case, you should address these issues in one of the next board or committee meetings.
Potential questions to ask at your board or committee meeting:
- Who is responsible for Operational Risk? Generally, OR should be everyone’s responsibility, but we need to understand what structure exists in the business to report, escalate, track, and mitigate OR events. In many cases OR is part of the COO (Chief Operating Officer) portfolio, a component of a GRC plan, or rolls into the Audit department.
- How quickly can the executive team produce reporting on OR events, and what does the current reporting entail?
- How much would it cost if the business had to stop for a day due to a business disruption event (e.g., a hurricane, technology outage, etc.)? Do all departments of the company agree with this figure? What would it take to reduce the cost of such an outage?
- Has the board communicated its risk appetite to the executive team, and is OR consideration sufficiently embedded in the decision-making processes for products, projects, and the overarching business strategy?
Potential homework for the executive team:
- If your company does not have a Business Continuity or Crisis Response Plan (or if it is outdated), creating (or updating) it is the number 1 priority. The Business Continuity & Crisis Plan should cover the common outage/incident scenarios you could encounter (e.g., supplier, weather, technology, or pandemic disruption) and be tested in a tabletop exercise walkthrough.
- Implement a process where departments proactively brainstorm potential operational risk scenarios; repeat this process at least annually to account for changes in trends. The risk scenarios should feed into a risk register, with ownership assigned by scenario theme to the relevant subject matter expert in the company.
- Establish a process to document operational losses in a database. Each record should include the root cause, how the issue was mitigated, and a mapping to risk categories (e.g., project risk, process risk, etc.). If OR event reporting already exists, it may only need to be built out.
- Define processes that incorporate a risk review into the major decision-making processes for products, projects, and strategy.
These are just the initial steps in managing OR; it is still reactive and limited. There is room to build this out.
Depending on your requirements as a business, you can use the momentum to further develop your operational risk management. Always consider how much OR you need.
Phase 2: If your company has already taken the first steps in Operational Risk…
Check if your company is in this maturity stage by asking yourself these key questions:
- Has the executive team communicated to the board the structure under which OR is managed and reported, and is that structure reflected in policies and guidelines?
- When OR events are reported, is there any differentiation between systemic (recurring) and one-time events? Are the recurring events adequately addressed in lessons learned and updated procedures? Is reputational impact part of the reporting?
- Does the feedback loop between OR and process/product improvement work seamlessly?
- Does a broad range of mitigation options show up in the event reporting (e.g., training, updated procedures, insurance, product/project exit, risk acceptance, updated Service Level Agreements with vendors)?
- If a larger OR event occurs (e.g., a business outage), does a well-functioning process exist to communicate with external stakeholders and the public where needed?
If you are not sure about any of the above answers, you should address them in one of your next board or committee meetings.
Potential questions to ask at your board or committee meeting:
- What is the process for deciding how to mitigate an OR event? Are all relevant functions (e.g., Legal, Compliance, Process Improvement) included?
- What actions has the COO or Process Improvement Team taken over the past quarter to address OR events? If mitigants are in place, is this reflected in the OR loss figures? (Loss figures should trend down after mitigating process improvements.)
Potential homework for the executive team:
- The number 1 priority should be to make a reputational assessment part of the regular OR event review. The company needs to set a criticality threshold that determines in which cases Reputational Risk must be reviewed.
- Add granularity to the OR review. Introduce the dimensions of impact and likelihood to arrive at a criticality assessment when evaluating the operational risk of a process, product, vendor, etc.
- Define how you communicate significant OR events externally (e.g., to the press).
- Make risk review part of the regular review of products, processes, and change projects (e.g., new technology, suppliers, etc.).
- Expand the risk categories and what-if scenarios. What is the impact of a key person leaving, or of a supplier failing? Ask the business units to do a bottom-up self-assessment of their key risks.
Depending on your company’s complexity and individual company needs, keep moving to the next phase.
Phase 3: If your company is more advanced in Operational Risk…
Check if your company is in the advanced maturity stage by asking yourself these key questions:
- Given the size, complexity, growth, and rate of change of your enterprise, are you comfortable that the OR function is adequately resourced and works effectively? Is the reporting to the board adequate?
- In board discussions and OR reporting, is there any analysis of cascading (downstream) risks? Are all relevant stakeholders involved in the downstream impact reviews and follow-ups?
- Are there discussions in board meetings on how the changing landscape in technology, regulation, consumer trends, and other areas affects the company’s risk profile? Are you going beyond the obvious trends, e.g., by using expert opinion to reveal ambiguous trends that might impact the company’s risk profile?
Look at another set of more complex hypothetical scenarios:
- An e-commerce shop experiences a technology failure due to insufficiently reviewed software code.
- A retail merchandise company fails to get lucrative discounts because it missed an ordering deadline.
- A construction company builds a home with deviating specifications because the customer’s requirements were insufficiently documented, resulting in rework to meet the customer’s expectations.
- A travel company faces losses when expanding into a new geographic market after relying on the wrong data set for its business case.
- A transportation company forgets to cancel an expensive service contract for a truck that is no longer needed and is stuck with the contract for several more years.
Do you feel comfortable that these more complex and ambiguous scenarios would be adequately escalated and addressed in your organization?
Again, if you are not sure about any of the above answers, you should bring it up in one of your next board or committee meetings.
Potential questions to ask at your board or committee meeting:
- Is a high-level side-by-side comparison available that maps OR events and their losses against their reputational impact (where relevant)?
- When did the company last do a dry run (e.g., a tabletop exercise) of an OR event? (A dry run/tabletop exercise walks through a hypothetical incident scenario, e.g., a technology outage, with the relevant stakeholders to assess whether procedures work or need to be adjusted.) What were the results and the follow-up from the hypothetical scenario?
- Has a review been done of the major suppliers and the company’s dependencies on them? Was concentration risk assessed, and what happens if a key supplier (or key supply channel) is not available? Does your company have additional suppliers/channels as backup for a short- or long-term interruption of the supply chain?
Potential homework for the executive team:
- Your priority should be to expand the risk register. It needs to account for the changes in trends mentioned above and for planned business line changes. Can you leverage industry organizations, which sometimes have (anonymous) sharing mechanisms for potential risks in their industry?
- The teams should brainstorm about rare events that have a low probability of occurrence but an extremely high cost impact.
- Business continuity plans need to be broken down in more granularity, considering production lines, key technology systems, key suppliers, locations, etc.
- With a well-functioning and documented OR process and function, the COO or Procurement department should ask the business liability insurance provider whether the company can get a discount on its insurance premiums.
Always keep in mind that you cannot completely rule out OR, but you can reduce its impact. Balance practicality and business needs against risk management. The intention is a balanced approach: managing risk while moving the business forward.
ABOUT THE AUTHOR
HOLGER KLIESCH
Holger Kliesch serves as the Chief Executive Officer of Voonoogoo LLC, bringing more than 25 years of expertise in technology, project management, finance, and risk. As the founder of Voonoogoo LLC, he provides consulting and project management services to startups, financial firms, cybersecurity companies, and IT and manufacturing businesses.
Holger’s extensive career includes positions such as Change and Program Manager in the financial industry, along with advisory and mentoring roles for startups. Holger is a certified Financial Risk Manager, a Certified Information Systems Security Professional, and holds various certificates in the Blockchain and emerging technology space.
Feel free to connect with Holger on LinkedIn at Holger Kliesch on LinkedIn.