Operational risk is the risk of loss due to errors, breaches, interruptions or damages—either intentional or accidental—caused by people, internal processes, systems or external events. The most companies from financial industry take a comprehensive approach in managing operational risk. They recognized four broad areas that need attention.
The first is people. Even in a digital age, employees can cause substantial damage when they do things wrong, either by accident or on purpose. Problems can arise from a combination of factors, including intentional and illegal breaches of policies and rules, sloppy execution, lack of knowledge and training, and unclear and sometimes contradictory procedures.
The second area is IT. Systems can be hacked and breached; data can be corrupted or stolen. The risks can be extended to the third-party IT providers. Systems can slow down or crash, leaving customers unable to access financial products. Even the speed of technological change presents an operational risk.
The third area is less tangible than the first two, but no less important: organizational structure. Well establish organizational structure can decrease operational risk exposure, by setting clear rules and procedures, and lines of reporting and communication (vertical and horizontal).
The fourth area is regulation. Since the global financial crisis, regulators have increased the number and complexity of rules that the financial industry must follow. Companies that operate in multiple jurisdictions can face overlapping, inconsistent and conflicting regulatory regimes. Lapses can be expensive, triggering regulatory sanctions and customer defections. As is the case with technology, the speed and magnitude of regulatory change can be daunting.
The most effective way to manage operational risk is decentralized approach through organizational structure. Each manager is responsible for managing operational risk in the area of her/his responsibility. Each employee is responsible to support their managers in managing operational risk.