The concept is so simple; so why are so many people, including shareholders, having such a hard time getting their heads around the phrase "operational risk" or "op risk" - the risk of loss from any operational failure at a company?
Not only are they having a hard time understanding it, the vast majority of stakeholders have never heard the term - even though a great number of finance specialists say extraordinarily poor management of operational risk (not other categories of risk, such as market, liquidity or credit) is exactly what led to the collapse of global financial markets starting in 2007. (Read about the financial crisis that struck in 2007 in The 2007-08 Financial Crisis In Review.)
That is exactly why investors and other stakeholders need to get up to snuff on operational risk as quickly as possible. If they don't, there's every reason to expect other financial implosions to follow.
The Impact Of Op Risk
What may surprise stakeholders is that a number of financial experts say poor operational risk management has been the underlying cause of every major financial services loss over the past two decades - including this past year's $180 billion-plus bailout of American Insurance Group (AIG) and well-publicized fiascoes such as those at Barings, Long Term Capital Management (LTCM), Allied Irish Bank-All First, Societe Generale, Bear Stearns and Lehman Brothers.
Even more surprisingly, the finger pointing doesn't stop there. Any number of additional significant upsets at "non-financial" companies - everything from Union Carbide's chemical leak in Bhopal, India years ago to JetBlue's massive ticketing and route scheduling failures to accounting-related fraud at Cendant and Bausch & Lomb - can be attributed to operational risk management failures.
"Until investors and all stakeholders - John Q. Taxpayer, corporate board members, 'C-suite' executives, shareholder activists, ratings agencies, analysts, regulators, even legislators - understand this risk and how to measure and manage it, there is no way to guarantee that we won't face future financial meltdowns as big as, or bigger than, the most recent one," says Ali Samad-Khan, founder and president of Stamford Risk Analysts (a recent rebranding of OpRisk Advisory) in Connecticut.
"Coming to terms now with operational risk must become a strategic imperative for organizations in all industries, not simply for financial services giants."
Bolstering the view that stakeholders must understand the importance of operational risk is a just-released study from the Society of Actuaries, the Casualty Actuary Society and the Canadian Institute of Actuaries called A New Approach for Managing Operational Risk: Addressing the Issues Underlying the 2008 Global Financial Crisis.
"Regulators and other key stakeholders (e.g., rating agencies) need to take an active role in calling for improved ORM practices," the report notes. "Historically, ORM has taken a back seat to the management of the other major risks, which are often defined as market, credit, insurance and strategic risk and sometimes include 'liquidity,' 'legal' and 'reputation' risk … This has not only caused operational risk to be underestimated, but has also obscured the underlying causes of many of the most significant financial losses."
Just What Is "Operational Risk"?
So how do we define operational risk? On its face, it sounds enormously simple: the risk of financial loss from any operational failure. But "operational failure" encompasses a dizzying array of possible events, actions and inactions - everything from inadvertent execution errors, system failures and acts of nature to conscious violations of policy, law and regulation. Of course, it also encompasses the greatest of all faux pas: direct and indirect acts of excessive risk-taking.
It's exactly this depth and breadth of issues and "cross-silo" concerns that has led to ongoing confusion about exactly what is and isn't an operational risk - and continuing doubts about how to identify and manage it. For instance, too often op risk has been misdiagnosed as other, relatively newer areas of recognized exposures such as those involving IT security, supply chain and business interruptions.
As a result, some corporate managers argue that op risk simply doesn't exist - that it is nothing more than existing risks by a newly-invented name - or that, if in fact it is a legitimate, separate exposure, the amount of operational risk they face isn't significant enough to merit a specific and separate measurement and management system. Typically, executives at non-financial organizations advance these views - pointing out, for instance, that they don't run complex trading operations or have the related balance sheet concerns faced daily by the world's banking, energy and commodity firms.
Finally, the fact that op risk has been recognized formally by the regulatory community as a legitimate issue only recently (and then, by financial services regulators exclusively) hasn't helped encourage active recognition or management of it. That acknowledgment came in 1999, when the Basel Committee on Banking Supervision, a global financial services firm, highlighted operational risks as a distinct potential bête noire.
Much Ado About Nothing?
Many stakeholders might view discussions about whether op risk exists, what it is, how it differs from other exposures, and if and how it can be managed as academic. It's easy to dismiss the debate thinking that, whatever its merit, it has no bearing ultimately on shareholder value, reputation, governance or related concerns.
But op risk proponents say it's not so. Those who don't acknowledge their own op risks are simply setting themselves up for future devastating material failures and losses.
Indeed, they say, the seeming minutiae of operational issues can quickly spin out of control into a major balance sheet and stakeholder concern. One example comes from Norm Parkerson, executive director of advisory services at Grant Thornton in Atlanta, who points to a recent unanticipated op risk loss suffered by one of his own clients. In this case, a manufacturing company introduced a new product covered by a warranty reserve based on its own historical data. Unexpectedly, a manufacturing problem - an operationally-related risk - generated warranty claims far exceeding the warranty reserve booked on its balance sheet. The result: a loss of well over $100 million.
"This happened rapidly and the impact was far reaching," says Parkerson. "Not only was there an impact to the financial statement; there was an adverse impact on the manufacturing process, the quality assurance process, the procurement of raw materials, the ability or inability to fulfill customer orders, and the company's reputation."
Managing Op Risk
Unfortunately for stakeholders, no models exist where they can turn to management and boards and ask: "How effectively are you managing op risk - for instance, against X, Y or Z?"
In fact, banks and insurers acknowledge that they don't know if their op risk management endeavors to date have been successful.
The SOA's report says, "Many financial firms have spent millions of dollars hoping to improve their management of operational risk, but those initiatives do not appear to have achieved their desired objectives. Developing an effective method of managing operational risk is proving to be a daunting task."
Meanwhile, stakeholders remain far more exposed than they realize.
"Organizations that choose to remain blissfully ignorant of the importance of operational risk will continue to operate under a false sense of security," says Samad-Khan. "They will remain 'under-controlled' in areas where they have the most risk and significantly 'over-controlled' in areas where they have the least risk. So without addressing op risk head on, recognizing and understanding it and acknowledging the crucial role it plays, we face the prospect of another global financial crisis in the not too distant future."
The Bottom Line
Operational risk remains a controversial topic, but by whatever name you call it, the risk will not dissipate by being ignored. While managing op risk may be a daunting task, it is one of utmost importance to companies and shareholders alike. (For related information, take a look at The Evolution of Enterprise Risk Management.)