A cyberattack is stifled before it affects a single one of your servers. You’ve got loads of cash reserves to weather the economic downturn. Supply chain problems? You’ve got back-up suppliers lined up six ways from Sunday. The walls of your organization are a risk-proof fortress.
But risk doesn’t stop at your office walls or your firewalls. Risk leaders need to consider all of the things that could go wrong inside their organization as well. Managing this type of risk is known as operational risk management.
Standing up an operational risk management program is similar in many ways to building strategic or enterprise risk programs, but it also differs in important ways. This article will dive into what types of operational risk organizations face and how to identify, measure, and mitigate the ones threatening your own business.
Operational risk is defined under Basel II as the risk of loss resulting from ineffective or failed internal processes, people, systems, or external events that disrupt normal business operations. In short, it’s the risk that an employee will make a mistake, a process will fail to achieve its purpose, or a system will break down or become compromised, leading to a risk event.
Here are a few examples of what operational risk from each category might look like:
People: Operational risks originating with people can result from inadequate staffing levels leading to important tasks being overlooked and shortcuts being taken, policies being misunderstood or ignored, malicious insider activity, or ineffective workforce training.
Processes: The more complex your internal processes are, the higher the chance one or more crucial steps in the process will get missed and operations will become broken, delayed, inefficient, or more costly.
Systems: Cybercrime and other cyber threats are on the rise, and falling victim to one can lead to damaging data breaches or, worse, cripple your organization. Failing to properly secure your systems and take measures to detect and ward off bad cyber actors can expose your organization to operational risk.
External events: This type of operational risk came into full focus when the COVID-19 pandemic essentially shut down the global economy—and the supply chains that power it—for the better part of two years. Any event that interrupts your business’s operations, from a change in local political leadership to an earthquake or hurricane, is an operational risk originating outside your organization. These risks can also fall under the category of enterprise risks.
Every company faces operational risk every day just by virtue of doing business. As operations become more complex, it becomes increasingly likely that things will fall through the cracks, policies will collect dust on a shelf or fail to be communicated as the workforce grows, or controls that haven’t been continuously monitored and updated will begin to fail.
All of this increases exposure to operational risk over time, making it more likely that one will materialize and impact your revenue or brand reputation.
Operational risk can come in a variety of forms, and many are unique to the specific industry your organization is operating in, but here are some of the most common types of operational risk you can expect to face.
Compliance risk is the risk that your organization will fail to stay compliant with regulatory requirements, raising the likelihood that you’ll be subject to negative audit findings, fines, and other penalties.
Every third-party service provider or vendor you work with represents another vector for operational risk to enter your organization. Plus, the third parties you work with almost certainly do business with a network of third parties themselves, introducing the potential for this type of risk to grow exponentially. Each must be vetted to the fullest extent to ensure none of that third-party risk makes it through your business’s front—or back—door.
As digital tools and cloud-based services proliferate and work is increasingly performed over the internet, organizations have begun to face more frequent and more sophisticated cyber attacks. Every connection point to your organization’s network—every laptop, smartphone, or even printer—is a potential spot for bad actors to squirm in and cause headaches or worse.
Another source of operational risk in the vein of cybersecurity risk is technological risk. This is the risk that your technology will stop working properly and slow or halt operations, cause significant downtime, and lead to other negative outcomes. This type of risk is especially important to pay attention to as the majority of organizations accelerate their digital transformations.
Significant portions of daily life are being conducted over the internet these days, and each task completed, item purchased, form submitted, and video watched creates data. Some of this data—lots of it, in fact—can be of a very personal nature, and it’s critical that organizations keep this information secure. Failing to do so can cause irreparable harm to your customers, draw the ire of regulators, and lead to significant financial and reputational damage.
Everyone makes mistakes from time to time. But a lot of the errors that have the potential to derail your operations in some way can be prevented by proper operational risk management practices and effective employee training programs. These include data entry errors, failing to follow processes properly, inadvertent release of sensitive information, and other mistakes.
Unfortunately, employee actions that cause problems for your business aren’t always inadvertent. Disgruntled employees, corporate thieves, saboteurs, and other bad actors in your midst all raise your business’s risk of experiencing a malicious insider attack.
Any job your employees work on can expose them to different kinds of occupational safety hazards, whether they’re hauling bags of concrete to a construction site or programming source code for a digital product at their desk. These hazards can affect both physical and mental health, and they can happen entirely by accident, or because someone ignored safety protocols.
Any of the operational risks we covered above can expose your business to legal risk, too.
Let’s take a look at operational risk in the wild with real-world examples from some of the world’s most recognizable brands and institutions, and some associated with emerging technologies:
The natural response to operational risk of any kind is to find ways to manage it. That’s where operational risk management enters the picture. Operational risk management is a subdiscipline of enterprise risk management that provides processes for identifying, measuring, reporting, managing, and mitigating operational risk.
The end goal of any operational risk management program is to anticipate and prevent as many operational risks from materializing and causing problems for an organization as possible. Companies that experience fewer operational risk events will be more trusted by their customers and clients, and that improves investor confidence, brand reputation, and the overall bottom line.
While operational risk can stem from strategic risks and errors associated with them, the two are distinct concepts. As defined above, operational risks come into play when processes fail, policies are ignored, systems break down, and other events that interrupt the flow of business occur.
Strategic risks, on the other hand, are related to the overall planning, management, and strategy of the business. These are things like not having clear goals or priorities, departmental siloing or tribalism, turbulence and inconsistency caused by turnover in management, competitors eating into revenue, a poorly executed merger or acquisition, or the introduction of a new product that flopped.
Operational risk management also puts a much heavier emphasis on protecting the organization from risks that could cause problems, while part of strategic risk management is looking for the right risks that can be taken, rather than avoided, to generate strategic and competitive advantages.
Few organizations deal with higher-stakes risk scenarios than the U.S. military. Naturally, they put extensive time and resources into developing operational risk management programs and training personnel on adhering to them. The U.S. Navy has developed four specific principles that underpin their operational risk management process:
Now that we have a deeper understanding of what operational risk and operational risk management are, let’s get into how to build a program for managing operational risk. We’ll cover the basics of taking stock of all your organization’s operational risks and carrying out an operational risk assessment, plus more advanced techniques like using key risk indicators and risk quantification to stay on top of them.
It’s impossible to start effectively managing operational risk without knowing which operational risks you’re facing. That’s why the first step in standing up any solid operational risk management program is to get a clear view of your organization’s entire risk landscape.
Then, you can begin to prioritize which operational risks pose the gravest threat to your business. The best way to do this is to use risk quantification and risk scoring methods, like Monte Carlo simulations and the Open FAIR framework, to tie each risk to its potential financial impact.
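As an added illustration (not code from the original article or from LogicGate), here is a small FAIR-style Monte Carlo simulation in Python: each risk is described by an expected loss event frequency and a 90% confidence range for the loss of a single event, and the simulation produces annualized loss percentiles that can be used to rank risks by financial impact. The Risk fields, the Poisson and lognormal modelling choices, and the sample figures are assumptions made for this example.

```python
import math
import random
import statistics
from dataclasses import dataclass

Z90 = 1.645  # standard-normal z for a two-sided 90% interval (5th..95th percentile)

@dataclass  # one risk scenario; the fields are this example's assumptions
class Risk:
    name: str
    events_per_year: float  # expected loss event frequency (Poisson mean)
    loss_low: float         # 5th-percentile loss for a single event
    loss_high: float        # 95th-percentile loss for a single event

def lognormal_params(low, high):
    """Fit a lognormal per-event loss to a 90% confidence range (low, high)."""
    mu = (math.log(low) + math.log(high)) / 2
    sigma = (math.log(high) - math.log(low)) / (2 * Z90)
    return mu, sigma

def analytic_mean(risk):
    """Expected annual loss: event rate times mean per-event loss (sanity check)."""
    mu, sigma = lognormal_params(risk.loss_low, risk.loss_high)
    return risk.events_per_year * math.exp(mu + sigma ** 2 / 2)

def poisson(rng, lam):
    """Knuth's Poisson sampler; adequate for the low event rates used here."""
    threshold, k, p = math.exp(-lam), 0, rng.random()
    while p > threshold:
        k += 1
        p *= rng.random()
    return k

def simulate(risk, trials=10_000, seed=1):
    """Simulate `trials` years of the scenario; return mean and loss percentiles."""
    rng = random.Random(seed)
    mu, sigma = lognormal_params(risk.loss_low, risk.loss_high)
    yearly = []
    for _ in range(trials):
        n_events = poisson(rng, risk.events_per_year)
        yearly.append(sum(rng.lognormvariate(mu, sigma) for _ in range(n_events)))
    yearly.sort()
    pct = lambda q: yearly[min(len(yearly) - 1, int(q * len(yearly)))]
    return {"mean": statistics.fmean(yearly), "p50": pct(0.50), "p90": pct(0.90), "p95": pct(0.95)}

def rank_risks(risks, trials=10_000, seed=1):
    """Order risks by simulated mean annual loss, largest first."""
    scored = [(r.name, simulate(r, trials, seed)) for r in risks]
    return sorted(scored, key=lambda item: item[1]["mean"], reverse=True)
```

The p90 and p95 values are the loss-exceedance figures most useful for comparing a risk against your organization's loss tolerance, while the mean is what a simple annualized loss expectancy would report.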
With your prioritized list of risks in hand, you can now begin taking steps to mitigate operational risk in a variety of ways.
Once you’ve finished assessing each operational risk and developing your mitigation plans, ensure that the plans, policies, and protocols that emerge from the process are clearly communicated out into the rest of your organization.
One constant in the world of operational risk management is change, and that’s why you need to always be measuring, monitoring, and adjusting your controls and plans. The plans you developed in the previous steps should also include a regular cadence where your team evaluates each of your controls and improves them where necessary.
An effective way to conduct continuous controls monitoring is to develop a good set of key risk indicators. More on that below.
Key risk indicators, or KRIs, are metrics designed to warn you of impending risk events or trends that could lead to risk events. They estimate the overall likelihood that the risk being monitored will occur, how fast that could happen, and the potential impact if it does occur.
You can assign KRIs to each of your operational risks as follows:
As with any aspect of risk management, operational risk management comes with its own set of challenges and pitfalls that can derail your well-laid plans or even open your organization up to additional risk exposure. Here are a few of the common challenges and mistakes made in operational risk management.
There’s no avoiding it: If you’re operating a business or any other type of organization, you’re going to have to deal with operational risk. Standing up an effective operational risk management program is the best way to get ahead of—and stay ahead of—any risk facing your business.
Click here to learn how LogicGate Risk Cloud can help you fortify your own operational risk program.