Operational risk is most often associated with disasters such as hurricanes and terrorist attacks. However, it increasingly includes the risks arising from a corporation's processes, people, information systems and technology. Operational risk procedures need to be well planned and documented to be effective.
- The significance of operational risk management is measured by consequences. Large, enterprise-wide failures can be so devastating and destructive to a company that their significance cannot be overstated. For example, bank failures are often seen as market and credit risk events, but closer examination of internal processes and individual decision-making points to operational failures as well. When a hurricane destroys a company's main buildings, the ability to recover critical data from an offsite data center can mean the difference between survival and failure.
- The function of operational risk management within an organization is to analyze and quantify risks in terms of their potential frequency and impact. Some risks and events might occur often but have little or no impact. Other risks, such as the loss of a data center and client or corporate records, might be very rare, but if they happen, the impact is severe. Careful documentation, mapping and testing of risk procedures and mitigation scenarios must be performed to see whether the operational risk planning on paper can be trusted to function in an emergency.
- There are as many types of operational risk as there are types of bad things that can happen within a company's processes, systems and individual decision-making. Categories of operational risk include litigation risk, fraud risk, natural and man-made disaster risk and human error. Litigation risk is a company's exposure to adverse legal action that results from its day-to-day operations. Fraud risk is more closely tied to poor screening, controls and supervision of individuals. Disaster risk can be natural, such as hurricanes, or man-made, such as the 9/11 attacks. Human error involves unintentional mistakes by people that can lead to bad information going into financial statements.
- Operational risk management consists of measuring risks in terms of impact and frequency, and then documenting mitigation procedures and processes to create preparedness. For example, rules around the management of bank accounts can be designed to prevent theft, and detailed quality control processes can mitigate litigation risk. Redundancy of systems plays a large role in disaster preparedness. Using data centers located far from a company's operations allows data to be recovered soon after a disaster hits. With regard to financial information, a do-check-review process significantly lowers the chance of inaccurate information going out to the public: at a minimum, three separate individuals are involved with financial data, one to do the work, a second to check the work, and a third to review the work.
- Two important considerations are testing and quantification. A company's disaster recovery capabilities should be tested by live drills that simulate real disasters. The real cash impact of operational failures needs to be rigorously quantified so that leadership knows the dollar value of its vulnerabilities.