We provide keys to reduce operational risk based on several different potential failure points in your organization.
No business is immune to operational risk. At any time, in any business task or process, risk may arise from internal process failures or gaps, human error, system failures, or external risks imposed by customers, suppliers, natural disasters, regulatory changes, or geopolitical shifts. Operational risk may include legal risks, risks to human capital and physical business assets, or risks to the bottom line of the business. Typically, strategic and reputational risks are not included in the definition of operational risk, but they may be adversely impacted when operational risks remain unchecked for too long.
The financial industry has been at the forefront of operational risk management for many years, but all businesses stand to benefit significantly from a tighter approach to identifying and dealing with operational risks. Consider the following examples of risks that are common across industry verticals:
- A capital expense fails to garner appropriate approvals because it was rushed through ad hoc procurement procedures
- The sudden dismissal of a rogue employee does not follow a defined list of steps, so the individual still has access to critical business systems after being escorted off the business premises
- An HR Manager unwittingly sends out a spreadsheet of employee names, addresses and social security numbers to a phisher
- Failure to provide advance warning to an employee that his or her wages are about to be garnished, resulting in a devastating workplace violence incident when the first paycheck arrives
- A receiving inspection step was skipped, and low-quality raw materials caused a customer safety issue
- Failure to follow appropriate procedures when a plant production line needs repair results in an environmental disaster and huge regulatory fines
- Maintenance staff does not receive proactive notice when diagnostic equipment needs to be recalibrated, and life-threatening actions are taken based on erroneous readings
Risk impact varies. It may result in the company paying huge legal fees and fines, wasted money on duplicate purchases, significant loss of control over the company’s books and records, and threats to employee and customer health and safety. The level of risk tolerance also varies with prevailing business conditions. Every business needs to periodically assess the threat horizon from all anticipated risks as the first step toward ongoing operational risk reduction.
A meaningful risk assessment should include:
- Identification of risks by category (physical security, data security, expense reduction, health and safety, product safety and quality, etc.)
- Scoring of risks by expected frequency and severity of the impact. Historical data plays a huge role in the ability to score risks accurately.
- Proposed mitigation strategy. Begin by brainstorming the options. Guided by the severity and frequency score, you will find it easier to determine where to allocate your risk reduction resources.
Keys to Reducing Operational Risk
The proposed mitigation strategy for most risks usually includes the creation of new business processes or adjustments to existing processes. In the immediate aftermath of an incident that impacts operational risk, some businesses promulgate new policies and procedures by email. In the crush of their daily tasks, even the most willing and motivated employees often forget the new rules. Businesses that have already embraced workflow automation have the ability to quickly create new workflows, alter approval requirements, and create monitoring dashboards, so that compliance with the new risk mitigation procedures is enforced by the system.
When defining new workflows to deal with specific operational risks, there are a few guiding principles to keep in mind:
- Identify and Divide Tasks – List the necessary steps for eliminating a particular risk. If they are currently being performed by a single individual or role, divide the tasks so that one role performs the tasks and another role checks or approves the result of the task.
- Assign Tasks to the Right People – Faced with the need to operate with a lean headcount, some businesses ask individuals to wear multiple hats. Don’t be so aggressive in trying to level workloads that you assign critical tasks to people who are not trained or not willing to take on the additional responsibilities.
- Streamline Business Processes – If a task can be automated to reduce reliance on off-system information, you can close a significant risk hole. Replace internalized judgment with data-driven business rules to eliminate significant sources of human error.
- Brainstorm the Exceptions – Many risk events stem from the unforeseen exception situation that was not examined during initial business process design. Rush orders, sudden staff departures, receipt of substandard raw materials, missed steps during the business's peak season, or product recalls are a few of the many exception situations that may introduce operational risk if there are no formal processes in place.
- Measure Performance/Exceptions – Data is key and provides businesses with the means of validating their initial risk assessment. Are the frequency and impact severity in line with what you originally anticipated? Is the current mitigation strategy working, or do you need to tweak it? Are some individuals or departments better than others at reducing this risk, and should you move certain steps to different roles? If you are served with a lawsuit or face government review because of a particular risk, your historical data is often crucial to minimizing fees, judgements, and fines.
- Adopt an Ongoing Approach – Risk assessment is only meaningful in the context of your current business situation. Last year’s risks and mitigation strategies may not work in today’s world. Review your risk assessment regularly (quarterly, semi-annually, or annually). If you need to tighten or loosen some of your business rules or change your workflows, this can be accomplished quickly with a workflow automation tool in place.
There’s no doubt about it: companies that are already using workflow automation tools are ahead of the game when it comes to identifying and mitigating operational risks. The ease of creating new workflows and modifying existing workflows and business rules provides tremendous agility in keeping operational risk management practices optimized and up to date. If you are building a case for your first foray into workflow automation, be sure to include operational risk mitigation along with the benefits of automating particular business processes or departments.