Entrepreneurship is full of risks; they are encountered at every turn. One of the most likely is operational risk. What is it? How does operational risk management work? What affects its magnitude?
General information
Let us start with terminology. Operational risk is the risk of loss due to errors or inappropriate actions by the organization's employees, malfunctioning systems, or external events. These include reputational, strategic and legal losses. That is, operational risk is associated with carrying out the business functions of the enterprise. The term is used to indicate the danger of additional costs arising from a mismatch with the nature and extent of the credit structure, from violations of the requirements of current legislation, or from violations of the procedures for interacting with banking institutions. For example, it may include violations by a bank employee, unintentional or deliberate illegal actions on the employee's part, or malfunctioning of functional or automated systems due to external influences.
Depending on their origin, risks are divided into internal and external. These, in turn, are divided into classes. Internal risks include everything related to personnel, processes, and systems. Let's look at a few examples. Can employee actions be detrimental? That is a threat. Are there flaws in business processes? That is a threat. Do information systems malfunction? That is a threat. External risks relate to disasters, security (physical and data), breakdowns in relationships with customers and counterparties, and regulatory authorities. Let us consider examples for these cases. Can fires and terrorist attacks occur? That is a threat. Can poor or false information, goods, services or technologies interfere with interactions with customers and contractors? That is a threat. Will forgeries, theft, attacks, hacks and the like undermine the organization's position? That is a threat. Will changes in legislation and the regulatory framework force additional activities? That is a threat.
The essence and types

To avoid something, you need to be able to recognize it. The world is developing and becoming more complicated, and because of this the danger from operational risks is increasing. Basel II is used as the basis for what follows. According to it, operational risks include everything that can lead to material damage for the organization due to incorrect actions of personnel (or failure to take necessary actions), external influence, erroneous processes and the like. The risks themselves are not spelled out in detail there, and it gives no advice on organizing an effective fight against them. The main purpose of Basel II is to calculate the amount of coverage for them. In addition, it provides for a powerful management system whose task is to help reduce the likelihood of operational risks. The document provides that management and the board of directors should take on this function. It is they who are responsible for reporting on operational risks and the magnitude of current damage. From this point of view, two types are distinguished: those that directly or indirectly depend on people, and force majeure circumstances. The latter include earthquakes, hurricanes, mudflows, landslides and more. The former are much more diverse. There are four main groups:
- Intentional actions. These include fraud and other deliberate actions that lead to damage.
- Unintentional actions. This is a choice of technology that is not fully developed, erroneous unintentional actions of employees, inadequate performance by managers of their duties.
- Technical risks that are directly or indirectly related to human activities. This is a failure in the network, external communications, hardware breakdowns and the like.
- Program risks that are directly or indirectly related to human activities. This is a failure in telecommunications and / or computer hardware.
The specifics of practical implementation
As knowledgeable people can confirm, operational risk management in reality differs in many ways from the theoretical recommendations. In particular, it is quite rare for management to take on the problems caused by malfunctions in the information system. The common practice is to hand such work over to specialists with lower qualifications. This approach often leads to even greater losses. This matters if only because operational risk is one of the three most important and significant risks. In practice, the following subtypes are also often encountered:
- The risk of leakage or destruction of information that is necessary for organizational processes. This means intentional or accidental deletion of files in an automated information system. These actions can lead to a serious failure and leave the commercial structure unable to fulfill its obligations to customers.
- The risk of using biased or falsified (fake) data. An example is a fake payment order. There are also more complex variants, for example the reuse of a previously transmitted payment with one of the participants substituted.
- The risk of problems with supplying objective and relevant information to customers. As a rule, this is connected with the operation of computer systems.
- The risk of information unfavorable for the organization being passed on. Examples include rumors, slander, compromising material about management, a leak of valuable documents (which then end up in the media), and the like.
Reasons for appearance and how to deal with them
As has already become clear, an organization's operational risk does not appear out of nowhere. Every problem has its own root. The main reasons include the following:
- Lack of qualifications and the absence of a serious approach to training and professional development. The human factor can greatly influence the organization and is most often the source of problems. Many companies are not able to use the available capabilities of their information systems correctly. This is compounded by the limited knowledge of ordinary users.
- Information security is not given due attention, and the real threats that come from this area are ignored. Neglect on the part of the governing bodies, inadequate funding, the lack of measures to increase the reliability of systems and so on only exacerbate the situation.
- Poor quality and insufficient elaboration of the procedures aimed at anticipating risks. Few people care about having adequate security policies and job descriptions either. Because of this, in a crisis, the confusion and ignorance of employees can make the problem worse.
- An ineffective system for protecting information assets. An attacker only needs to find one weak spot to cause serious damage. Layered protection is best.
- A large number of weaknesses in automated systems and various software products when untested software is used. For an attacker, this is a real gift.
Correction of the situation
So what is to be done? Numerous types of operational risk threaten to materialize, so remember the old adage that the fish rots from the head. You therefore need to start with the leadership. The following items can be implemented:
- The senior manager (board of directors) has a key role in forming the management, control and protection system.
- Reliably functioning systems must be created, implemented and adequately applied wherever they are needed and it makes sense to develop them.
- Work should be done on a risk management system. Once it is created, it needs to be analyzed for vulnerabilities. Oversight of the executive bodies should also be considered.
- The senior manager (board of directors) sets the limits of risk appetite.
- The executive body must develop clear, efficient and reliable tools with transparent, consistent and full-fledged areas of competence. It is entrusted with implementing the basic principles, processes and systems involved in risk adjustment.
- The executive body should identify and evaluate current problems and formulate their nature and contributing factors. In addition, it should ensure that the innovations developed are implemented. The executive body can also be entrusted with monitoring and with controlling the reporting of individual units.
- A reliable and complete control system must be in place, as well as risk transfer and reduction.
- A plan should be developed under which the organization will be restored and keep functioning continuously when obvious problems are present.
Is that all?

Of course not. These are only general statements that cover the fundamental points. When working with specific situations, they will need to be adapted to the existing conditions. Let's look at a small example. A bank has well-established management procedures for the threat of credit risk. The criteria for potential borrowers are set and collateral for loans is provided. An external specialist is brought in to evaluate the proposed collateral, and the collateral is assigned a higher price than it is really worth on the market. So to speak, the situation develops in favor of the borrower. At the same time, the adequacy of the assessment is not double-checked within the bank. After a certain time, the borrower cannot repay the loan. The bank expects to be able to recover the debt by selling the collateral. But in practice it turns out that the market price will cover only half of the loan. The cause of this problem is non-compliance with procedures: according to existing requirements, financial institutions must double-check the price of collateral. This is how operational risk increased, followed by credit risk. One can also recall how individual banks give out obviously bad loans, violating all conceivable procedures. Such institutions quickly join the liquidation queue. In this case, connivance on the part of employees affects the amount of operational risk. Alas, completely avoiding such situations is extremely difficult. They can only be minimized by introducing training, an effective control system and strict discipline.
Real examples

In life, things happen that scriptwriters could not come up with. There have been situations in which the level of operational risk went through the roof, yet this could not be identified for a long time. Let's look at some of the most impressive examples. Take Jérôme Kerviel. He was a trader at the investment bank Société Générale. In 2007, he opened positions on the indexes of European futures exchanges. It seems to be an ordinary story. But the total position amounted to about 50 billion euros! This is one and a half times the capitalization of the bank! How was Jérôme able to do this? The fact is that he had previously worked in the office and knew the workings of the control mechanism well. This was discovered only at the end of January 2008. It was decided to close the positions quickly. But the huge size of the positions provoked sell-offs in the stock markets. Because of this, the bank lost 7.2 billion dollars (or 4.9 billion euros). Here is another example: John Rusnak. He worked in the American branch of the largest bank in Ireland, Allied Irish Bank. He was hired in 1993. In 1996, John began to carry out risky operations with the Japanese yen. They were unsuccessful, and losses began. But John managed to hide the growing losses from partners. For example, in 1997, he lost $29.1 million. In 2001, the amount was already 300 million! To hide such losses, he faked reporting. For his operations, this trader even managed to get a bonus of 433 thousand dollars. Everything was discovered in 2001. At the time of discovery, the total loss amounted to 691 million dollars. Smaller losses and risks in operating activities are much more common than such large ones. In the age of automation, with the right approach, they can be significantly minimized.
External risks and their solution
These arise in the organization's relationships with the outside world. They may be robbery, theft, penetration of the information system by third parties, infrastructure failure and natural disasters. Perhaps the legislative environment should also be included here. What methods of operational risk assessment should be used to get an idea of the current situation? There are a number of recommendations on the general scheme of work. In addition, operational risk can be calculated with specially created mathematical models. So what needs to be done to create an effective management system that can deal with problems?
Action plan
First of all, you need to take care of an adequate architecture. If the problems are in the system itself, then, alas, even the best specialist will not be able to deliver a satisfactory result. The architecture should also be reasonable. Suppose there are a certain number of minor incidents that cost 10 thousand rubles a year. You can create a system that will prevent 100% of them, but it costs 100 thousand rubles. In this case, you should think about whether it is worthwhile. Of course, if we are talking about theft or something similar that will gradually grow in scale, then you cannot hesitate. After all, if you delay, the operational risks of the enterprise may increase so much that they destroy the company. Three methods will help keep the system in a generally adequate condition:
- Control self-assessment.
- Key risk indicators.
- Operational incident management.
We solve problems
The amount of operational risk is affected by many factors. The fewer the better. Ideally, problems are solved before they arise, so operational risk assessment plays a significant role. How should it be carried out? First of all, it is necessary to focus on control self-assessment. To paraphrase, this method can be called a frank conversation about problems. It is implemented in the form of employee surveys. Then come the key risk indicators. These indicators allow you to learn about upcoming problems before they show their full potential, provided, of course, that they are adequately selected and their data is collected. Incident management rounds out the trio. The purpose of this procedure is to investigate, identify the scope of the problems and deal with them. If this is not done, the company will face financial risks. Operational risk, as a rule, only grows over time. This must be remembered.