
Operational Risk Management

Operational risk is defined as the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Although these risks apply to any organization in business, they are of particular relevance to businesses in industries such as banking, where regulators are responsible for establishing safeguards to protect against systemic failure of the banking system and the economy. Operational risk also includes legal risk, but excludes strategic risk, i.e. the risk of a loss arising from a poor strategic business decision. This definition also excludes reputational risk (damage to an organization through loss of its reputation or standing), although it is understood that a significant but non-catastrophic operational loss could still affect an organization's reputation, possibly leading to a further collapse of its business and organisational failure.

Operational Risk Management (ORM) is the oversight of many forms of day-to-day operational risk, including the risk of loss resulting from inadequate or failed internal processes, people and systems, or from external events. Operational risk does not include market risk or credit risk. The goals of ORM are:

  1. Reduction of operational loss;
  2. Lower compliance/auditing costs;
  3. Early detection of unlawful activities; and
  4. Reduced exposure to future risks.

Risk Categories

Operational risk loss events are generally broken down into seven categories:

  1. Internal Fraud - Losses due to acts of a type intended to defraud, misappropriate property or circumvent regulations, the law or company policy, excluding diversity / discrimination events, which involve at least one internal party.
  2. External Fraud - Losses due to acts of a type intended to defraud, misappropriate property or circumvent the law, by a third party. These activities include theft, robbery, hacking or phishing attacks.
  3. Employment Practices & Workplace Safety - Losses arising from acts inconsistent with employment, health or safety laws or agreements, from payment of personal injury claims, or from diversity / discrimination.
  4. Clients, Products & Business Practice - Losses arising from unintentional or negligent failure to meet a professional obligation to specific clients (including fiduciary and suitability requirements), or from the nature or design of a product.
  5. Damage to Physical Assets - Losses arising from loss or damage to physical assets from natural disaster or other events.
  6. Business Disruption & Systems Failures - Losses arising from disruption of business or system failures. This includes losses due to failure of computer hardware or computer software, telecommunications failure, or utility outages and disruptions.
  7. Execution, Delivery & Process Management - Losses from failed transaction processing or process management, or from relations with trade suppliers and vendors. This includes: Transaction Capture, Execution & Maintenance (miscommunication; data entry, maintenance or loading error; missed deadline or responsibility; model / system misoperation; accounting error; entity attribution error; delivery failure; collateral management failure; reference data maintenance); Monitoring & Reporting (failed mandatory reporting obligation; inaccurate external report with loss incurred); Customer Intake & Documentation (client permissions / disclaimers missed; legal documents missing / incomplete); Customer / Client Account Management (unapproved access given to accounts; incorrect client records with loss incurred; negligent loss or damage of client assets); and trade partners, non-client vendor misperformance and vendor disputes.

ORM Software

The Enron failure and the implementation of the Sarbanes-Oxley Act have led several software development companies to create enterprise-wide software packages to manage risk. These software systems allow the financial audit to be executed at lower cost. To date, however, little commercial software focuses on operational risk management; only some consulting firms provide temporary solutions, such as Loss Event Management. Because operational management is very business-oriented and closely tied to each organization's structure and business, it is difficult for such software to satisfy customer requirements.

 