GRACIOUS MAZENGERA - R2215193H
NYARAI M CHIUNGA - R171467J
DEFINITION
• Operational risk is the risk of loss due to failed internal processes or external events at a business,
bank, or other financial institution.
• This type of risk involves the legal risks in response to the disruption of day-to-day business
operations.
• The goal in the operational risk management function is to focus on the risks that have the most impact
on the organization and to hold accountable employees who manage operational risk.
• Operational risk management attempts to reduce risks through risk identification, risk assessment,
measurement and mitigation, and monitoring and reporting while determining who manages
operational risk.
COMPONENTS OF THE OPERATIONAL RISK
MANAGEMENT FRAMEWORK:
• Identify risks: risks can emanate from anywhere, at any time, and from anyone. So, a robust approach to identifying risk is a foundation
for risk management. As they say, an ounce of prevention is better than a pound of cure. To identify risks, enterprises should consider
incentivizing those that bring forth the risks – even before they have had a chance to take root.
• Assess risks: risk assessment must be multi-dimensional. Risk managers must consider several aspects such as: what is the source of risk,
what is the probability of occurrence, the potential magnitude of impact, what prevention/mitigation steps may be possible, and what
measures may be feasible once the risk event occurs.
• Decide on risk management strategy: while prevention and mitigation are worthy steps, companies never rely on always being able to
eliminate risks or nip them in the bud. Hence, the fundamental strategies are to a) assume the risk, b) transfer the risk, or a
combination thereof, often with a stop loss.
• Monitor: irrespective of the strategy on how to handle risk, once a threat is identified and quantified, monitoring it constantly is vital. A
risk register and various business activity monitoring and analytics systems can help in this regard.
• Measure: as risks evolve, so does the impact of such events. Hence, measurement of the probability and impact is not a one-time task, but
an ongoing process. Continuously updating risk exposure allows for highlighting the state and status of risks but also leads to reevaluating
the decisions on whether to assume or transfer a particular risk.
• Report risks: risk registers, risk graphs and scorecards on executive dashboards, and a monthly risk management summary are ways to
communicate the state of operational risks to the key decision-makers. It is possible to report on most risks in real time or almost
real time.
SOURCES OF OPERATIONAL RISK INCLUDE:
• Employee conduct and employee error
• Breach of private data resulting from cybersecurity attacks
• Technology risks tied to automation, robotics, and artificial intelligence
• Business processes and controls
• Physical events that can disrupt a business, such as natural catastrophes
• Internal and external fraud
• Internal fraud: employees conspiring and often colluding to circumvent internal controls and misappropriate company resources.
• External fraud: independent parties outside of the company attempting bribery, theft, forgery, or cyberattacks.
• Technology failures: deficiencies in computer systems, hardware, software, or the interaction between any of their components.
• Process execution: management's inability to properly assess a situation and deploy the right strategy, or failure to execute a correct strategy.
• Safety: violation or risk of violation of workplace safety measures, whether physical, mental, or other.
• Natural disasters: inclement weather, fire, or harsh winter conditions that can put physical assets at risk and make it impossible for
employees to perform their daily tasks.
• Business practices: operational activities that harm customers, provide misleading information, incite negligence, or accidentally fail to
comply with requirements.
A ROBUST OPERATIONAL RISK MANAGEMENT FUNCTION CAN
BENEFIT THE ENTERPRISE IN SEVERAL WAYS:
• Better capital allocation: knowing the risk the company is taking and an understanding of the corresponding rewards will allow for better
capital budgeting and resourcing decisions.
• Improve brand and corporate equity: strong risk management will help boost the company brand equity as well as corporate equity,
which in turn will result in better valuation and improvement in employee and customer loyalty.
• Dynamism and resiliency: risk management will foster a sense of vitality and flexibility in enterprise decision-making and boost
innovation efforts. Over time, proper risk management controls will increase business resiliency.
• Operational efficiency: managing risks also will help solve process bottlenecks, chokepoints, performance issues, and allow for
operational optimization.
OPERATIONAL RISK MANAGEMENT
STRATEGIES
AVOID UNNECESSARY RISK
• It should go without saying, but companies should continually evaluate whether they are taking on risk with no real reward coming back to them. For example,
a company can avoid dealing with vendors that may potentially default on contracts. If there are equally good or better vendors the company could work with that
have a better credit history, the company may be taking on risk by working with less than superior vendors.
• As with all things in investing, there is usually a positive relationship between risk and returns. As companies take on more risk, they should be fairly
compensated with greater returns. Therefore, companies can manage operational risk by cutting out processes that do not reward the company but instead solely
incur unnecessary risk.
COST/BENEFIT ANALYSIS
• Companies can manage risk by continually considering and evaluating CBA. This means that companies must manage risk by comparing the risk they take on
with the benefits they receive. Instead of focusing solely on the risk, this step entails being mindful of what the company benefits from.
• For example, a company may decide it wants to expand into an international market. There may be tremendous operational risk with this move. However, if the
market is untapped and proper research has been done, the reward of expanding the business may far outweigh the operational risk. To manage risk, sometimes
companies need to understand that risk is necessary.
DELEGATE DECISIONS TO UPPER MANAGEMENT
• For companies to make the wisest decisions, it's usually best for upper management to make the decisions on how to approach operational
risk. These members of the team often have the greatest insights into a company and know the larger strategies that may work
together.
• Running with the example above, a senior member of the management team should be made responsible for the decision-making of that
international expansion. That executive should work with members across all teams of the company to better understand the logistics,
legal, procurement, and shipment risks. This type of responsibility is not suited for an individual contributor at a lower level.
ANTICIPATE RISK
• Perhaps one of the most important aspects of managing risk is understanding when it is approaching and anticipating its outcomes. By
doing so, companies can preemptively make decisions on whether to accept, mitigate, or avoid risk.
• In the international expansion example above, a company can easily perform vast amounts of research to better understand geographical
limitations, political risks, or consumer preference differences in this new market. The first step to accepting risk or managing it is to
understand what may happen in the future and have a plan already in place to overcome it.
• Rely on sophisticated systems that are already in place for other purposes – such as BPM, analytics, and transactional systems to beef up
the risk management function.
• Allow inherent flexibility for the risk management function to evolve to the needs of the enterprise within the context of market,
regulatory, technological, and societal trends.
• Decouple it from an omnibus department:
• Treating risk as a non-core function and combining it with a bunch of others – legal, regulatory affairs, risk, compliance, and governance –
will diminish the focus and allow for risk to creep in and cause significant losses to the enterprise. When an omnibus department head is
spreading their attention on several things, risk often fades into the background until a substantial impact event occurs.
• Let ORM not become a prosecutor:
• One of the reasons risk management is feared and frowned upon in corporate settings is that there is often a desire to assign blame. Of course, if there
are bad actors and intentional damage, it is quite essential to find the culprit. But in most cases, where risk permeates the day to day, without any
evil intent, and manifests unbeknownst to anyone, ORM should function as a protector, not just as a prosecutor.
• Companies need to think about risk in a structured and systematic way. That is where an operational risk management framework (ORM framework)
will prove to be invaluable. Below is a simple operational risk management framework, and you may modify and adapt it to your enterprise needs.
• Establish ORM as a technology-enabled, data-driven function:
• Today, a slew of technologies allows management to keep tabs on operations and the consequent risks. Modern BPM (business process
management) allows for business activity monitoring and analytics systems to combine disparate data to provide a holistic set of metrics to monitor
risk. While technology does increase certain risks as a whole, it is an omniscient force multiplier in managing operational risks.
• Elevate ORM to the COO scorecard:
• As mentioned before, risk is not just some middle-office function. Operational risk management has to be front and center, and
including it as a key performance indicator for a C-suite executive, either the CFO or the COO, will bring the appropriate importance and
attention to the matter.
• The reason for this elevated caution is that while the monetary damages from a risk incident may be affordable or transferable (to an
insurance company), at times, the impact on the franchise is devastating.
• Elevating the risk management function and staffing it with the right resources provides a safety net that is immeasurable.