Monday, 18 February 2013

Identifying Operational Risk

I recently read an article outlining the top 10 operational risks for 2013.  Some were what you might expect (fraud, political intervention to sort out Europe’s problems), others, not so much (epidemic disease).  The latest – contamination of beef products with horsemeat – was nowhere to be found.

Basel II defines operational risk as “The risk of loss resulting from failed or inadequate people, systems, processes or external errors”.  Back in 2004, they identified 7 risks that could “hit” the financial services sector: 

1.      Internal Fraud
2.      External Fraud
3.      Employment Practices and Workplace Safety
4.      Clients, Products and Business Practices
5.      Execution, Delivery and Process Management
6.      Business Disruption and System Failure
7.      Damage to Physical Assets 

Although designed for the financial services industry, these could apply to any business.  Look through any international newspaper on any day and you’ll find 4-5 instances of one/more of the above impacting an organisation.  The present beef/horsemeat scare is a current example.  Looking at the risks above, this could come under “External Fraud” (if the action was deliberate), “Clients, Products and Business Practices” (failure to check suppliers and their product) or “Execution, Delivery and Process Management” (supplier failure). 

The damage to various supermarkets’ “names” has been clear for all to see.  As investigations progress, it looks like it’s the end suppliers who are the cause. 

Risk management is about looking forward as well as back, outward as well as inward.  You look back at your own organisation or other similar ones to see what events have caused your business or others problems in the past.  You look forward to assess what might cause your business a problem in the future, what the impact might be (in terms of cost, litigation, life and other factors).  

Impacts can be:

·         Massive
·         Major
·         Moderate
·         Minor
·         Minuscule 

Next, think about the likelihood of the event happening.  Is it: 

·         Highly Likely?
·         Probable?
·         May Occur In Time?
·         Unlikely? 

The descriptions you decide on may be different/ include more than 4 levels.  They should include at one end the “highly likely”/”almost certain” extreme and the “unlikely/impossible” at the other. 

Once you’ve decided on the impact and likelihood of an event happening, you then work out how critical it is to your organisation.   For example, a highly likely event with massive impact on your organisation is likely to be extremely critical to your organisation’s ability to survive and will consume massive amounts of time, energy and money to resolve. 

Now, look outward: apply this other organisations on which you depend.  For example, the computer industry relies on factories in Bangkok to manufacture Hard Disk Drives (HDDs).  In 2012 heavy flooding meant that factories had to close PC manufacturers suddenly found that they had a problem.  The 2011 tsunami in Japan caused problems for the auto industry.  Supermarkets have long supply chains for their goods, as the horsemeat saga has shown. 

The Bangkok and Japan examples concern very rare events known as “Black Swan” events because they are almost impossible to predict.  However, if you know that a factory is located in a flood plain, you know that it’s more likely to see floods (“probable” or “highly likely” depending on weather patterns).   

More “highly likely” events are suppliers’ vehicles breaking down, strikes, equipment malfunctions or employees going ill at certain times of year (e.g. the winter in the UK).  As pressure grows for suppliers to drop prices, is it more likely that they will find devious ways to cut costs? 

Once you’ve identified the criticality of an event occurring to you or to a key supplier, you need to think how to manage the results of this happening.  Your choices are: 

Tolerate:
Accept that this may happen.  Have a plan to deal with it.
Terminate:
Don’t take the risk.
Transfer:
Pass it to someone else (insure it/use a third party agent to take the risk).
Treatment:
Mitigate it internally or externally.

You could have alternative suppliers so that you can switch from one to the other.  It may cost you more, but better that than to see your reputation suffer due to your failure to deliver.  What you choose will depend on your circumstances. 

Finally, things change.  As time passes, what started off as “unlikely” may become “probable”.  A simple example is driving a car; the older the car and the longer the interval between services, the higher the chances of it breaking down.  Make sure you review regularly to see which risks might change, which risks should be added and which removed. 


I have spent more than half my life delivering change all over the world markets from the most developed to “emerging” economies. With more than 20 years in the world financial services industry running different service, operations and lending businesses, I started my own Performance Management Consultancy and work with individuals, small businesses, charities, quoted companies and academic institutions across the world. An international speaker, trainer, author and fund-raiser, I can be contacted by email . My website provides a full picture of my portfolio of services.  For strategic questions that you should be asking yourself, follow me at @wkm610.

Labels: , ,

posted by William Martin @ 17:36

0 Comments:

Post a Comment

Subscribe to Post Comments [Atom]

<< Home