RC: In your opinion, how important is the operational risk management function within an organisation? Are companies in general doing enough to identify the sources of operational risk?

Clark: The function is less important than business leaders accepting and acknowledging the existence of the risk category, its related discipline and toolset. Within financial services, that is recognised by regulators seeking evidence of the ‘use test’ and the need for a ‘tone from the top’ which drives acceptance, adoption and ownership by everyone involved. Certainly a function can give this focus but the expertise it brings will be dependent upon the organisation’s understanding of operational risk (OR), which then defines the level of competency that it thinks it needs. Companies’ management of OR is dependent upon that interpretation, and many do not yet fully understand the richness and depth of the competency needed to identify and manage the sources of OR. Specific technical areas, such as fraud, information security, and others, are well understood. The main gap is differentiating between risk managers and process or control experts.

RC: What are some of the common types of operational risk that companies face?

Clark: OR is the oil in the engine room of risk management. It is easy to categorise common types of OR, such as fraud, conduct and IT. Risk takers need to be equally aware of the impact of issues such as poor recruitment strategies and training, key people risk and the lack of succession planning. Single points of failure, and never-tested expert judgement on which they rely for critical decisions, are also common types of operational risk. It is possible to argue that OR can be synthesised into two issues: data and people. A lack of, or poor quality of, information and data can lead to ill-informed decisions. A failure to understand that OR, unlike other risk categories, is context- and environment-dependent ignores the connection between this and individuals’ behaviours, values and what drives their decision making. Given, too, that OR is often judgement-based, then the biases inherent within data and people need to be better understood.

Apr-Jun 2017 Issue

Institute of Operational Risk