Operational Risk Overview, Importance, and Examples

What Is Operational Risk?

Operational risk summarizes the uncertainties and hazards a company faces when it attempts to do its day-to-day business activities within a given field or industry. A type of business risk, it can result from breakdowns in internal procedures, people and systems—as opposed to problems incurred from external forces, such as political or economic events, or inherent to the entire market or market segment, known as systematic risk.

Operational risk can also be classified as a variety of unsystematic risk, which is unique to a specific company or industry.

Key Takeaways

  • Operational risk summarizes the chances and uncertainties a company faces in the course of conducting its daily business activities, procedures, and systems.
  • Operational risk is heavily dependent on the human factor: mistakes or failures due to actions or decisions made by a company's employees.
  • Companies assess operational risk by identifying key risk indicators (KRIs) and collecting data against these metrics.
  • A type of business risk, operational risk is distinct from systematic risk and financial risk.
  • Companies can manage operational risk by anticipating risks before they arise, performing cost/benefit analysis, avoiding unnecessary risk, and delegating strategic planning to upper management.


Understanding Operational Risk

Operational risk focuses on how things are accomplished within an organization and not necessarily what is produced or inherent within an industry. These risks are often associated with active decisions relating to how the organization functions and what it prioritizes. While the risks are not guaranteed to result in failure, lower production, or higher overall costs, they are seen as higher or lower depending on various internal management decisions.

Because it reflects man-made procedures and thinking processes, operational risk can be summarized as a human risk; it is the risk of business operations failing due to human error. It changes from industry to industry and is an important consideration to make when looking at potential investment decisions. Industries with lower human interaction are likely to have lower operational risk.

Operational risk falls into the category of business risk; other types of business risk include strategic risk (not operating according to a model or plan) and compliance risk (not operating in accordance with laws and industry regulations).

Causes of Operational Risk

Operational risk is usually caused by four different avenues: people, processes, systems, or external events. For many aspects of operational risk, companies must simply try to mitigate the risk within each category as best as possible with the understanding that some operational risk will likely always be present.


People

Operational risk caused by people can arise due to employee deficiencies or employee shortages. For example, a company may not have staff with the knowledge needed to tackle a specific problem. On the other hand, a company may not have enough employees on hand to properly address peak season or the busier times of the year.

To mitigate these types of risks, companies can simply look to markets to hire staff. However, this introduces new people-centric operational risks such as identifying the appropriate candidates to hire, training staff, and ensuring employee retention remains high. As each of these aspects is resource and time-intensive, operational risks caused by people are heavily tied to financial repercussions.


Processes

Every company has its own processes. More complex manufacturing companies (e.g., a vehicle manufacturer) will have different processes compared to a service-only law firm. In either case, all companies have steps that must be performed in sequential order or else detrimental outcomes are possible.

In many cases, especially at companies that have experienced high turnover, processes may not be fully built out or all steps documented. In addition, some processes can be taken advantage of through collusion and failed internal controls, putting the company at risk of losing money through theft.


Systems

Companies increasingly rely on software and systems to operate their business. Operational risk includes the chance that these systems are outdated, inadequate, or not properly set up. There are also performance considerations, as operational risk includes the chance that one company's systems are not as efficient as a competitor's.

There are operational risks relating to the technical aspects of a system. Systems may have bugs or technical deficiencies leading to more exposure to cybercrime. Systems also have capacity constraints, and a company may be increasing its risk by placing too heavy a load of expectations on what its systems can do.

External Events

In many cases, operational risk originates from outside the company. This can be anything from natural disasters that impede a company's shipping process to political changes that restrict how the company can operate. Some of these types of risk may be classified on their own (e.g., geopolitical risk). Others are simply part of doing business, such as a third party defaulting on a contract agreement.

Operational risk can never be 100% eliminated. Management must decide what level of operational risk it is comfortable accepting.

The 7 Categories of Operational Risk

The four causes above can be expanded and broken into 7 main categories of operational risk. These 7 primary categories include (in no particular order):

  1. Internal fraud: employees conspiring and often colluding to circumvent internal controls and misappropriate company resources.
  2. External fraud: independent parties outside of the company attempting bribery, theft, forgery, or cyberattacks.
  3. Technology failures: deficiencies in computer systems, hardware, software, or the interaction between any of their components.
  4. Process execution: management's inability to properly assess a situation and deploy the right strategy, or failure to execute a correct strategy.
  5. Safety: violation or risk of violation of workplace safety measures, whether physical, mental, or other.
  6. Natural disasters: inclement weather, fire, or harsh winter conditions that can put physical assets at risk and make it impossible for employees to perform their daily tasks.
  7. Business practices: operational activities that harm customers, convey misleading information, incite negligence, or accidentally fall out of compliance with requirements.

How to Assess Operational Risk

There are two primary parts of assessing operational risk: key risk indicators (KRIs) and data.

KRIs are metrics a company may self-assign as the benchmarks for risk. For example, a company may target that it only wants to work with the most creditworthy vendors. Therefore, it sets the KRI that there may be no more than three vendors that default on a contract. As the year progresses, the company can assess whether the KRI goal is being met, reasons why it is not, and take the appropriate steps to manage that risk.

KRIs are most often quantifiable; it's most useful to a company to have something they can actually track and measure. For this reason, the second key part is data. Without data, a company will never know whether its KRIs are on track or deficient. Companies may seek to build out robust information-gathering processes whether through automation, third-party surveys, financial results, or industry data.

In respect to KRIs and data, some companies may have the operational risk areas worth tracking defined for them. For example, banking standards may require banks to have certain processes in place, cash on hand, or systems operating in certain ways. In these cases, the benchmarks are set for the company, and it is much easier to assess operational risk because the KRIs have already been set.

How to Manage Operational Risk

There are several overarching strategies and principles when it comes to managing operational risk. Though every company can choose how to approach operational risk, here are four primary ways companies manage risk.

Avoid Unnecessary Risk

It should go without saying, but companies should continually evaluate whether they are taking on risk with no real reward coming back to them. Consider the example above with vendors that may potentially default on contracts. Should there be equally good, if not better, vendors the company could work with that have a better credit history, the company may be taking on risk by working with less-than-superior vendors.

As is with all things in investing, there is usually a positive relationship between risk and returns. As companies take on more risk, they should be fairly compensated with greater returns. Therefore, companies can manage operational risk by cutting out processes that do not reward the company but instead solely incur unnecessary risk.

Cost/Benefit Analysis

Companies can manage risk by continually considering and evaluating cost/benefit situations. Similar to the concept above, companies must manage risk by comparing the risk they take on with the benefits they receive. Instead of focusing solely on the risk, this step entails being mindful of what the company benefits from.

For example, a company may decide it wants to expand into an international market. There may be tremendous operational risk with this move. However, if the market is untapped and proper research has been done, the reward of expanding the business may far outweigh the operational risk. To manage risk, sometimes companies need to understand that risk is necessary.

Delegate Decisions to Upper Management

For companies to make the wisest decisions, it's usually best for upper management to make the decisions on how to approach operational risk. These members of the team often have the greatest insights into a company and understand the broader strategies that may work together.

Running with the example above, a senior member of the management team should be made responsible for the decision-making of that international expansion. That executive should work with members across all teams of the company to better understand the logistics, legal, procurement, and shipment risks. This type of responsibility is not suited for an individual contributor at a lower level.

Anticipate Risk

Perhaps one of the most important aspects of managing risk is understanding when it is approaching and anticipating its outcomes. By doing so, companies can preemptively make decisions on whether to accept, mitigate, or avoid risk.

In the international expansion example above, a company can easily perform vast amounts of research to better understand geographical limitations, political risks, or consumer preference differences in this new market. The first step to accepting risk or managing it is to understand what may happen in the future and have a plan already in place to overcome it.

Operational Risk vs. Other Types of Risk

Operational Risk vs. Financial Risk

In a corporate context, financial risk refers to the possibility that a company's cash flow will prove inadequate to meet its obligations—that is, its loan repayments and other debts. Although this inability could relate to or result from decisions made by management (especially company finance professionals), as well as the performance of the company products, financial risk is considered distinct from operational risk. It is most often related to the company's use of financial leverage and debt financing, rather than the day-to-day efforts of making the company a profitable enterprise.

Operational Risk vs. Market Risk

Market risk usually refers to the risk of price movements for a financial instrument. These changes in price are often based on investor disposition towards a stock and a company, interest rates, or economic factors. Whereas market risk is primarily focused on investments and securities, operational risk is focused mostly on the internal operations of a company, its resources, and its people.

Operational Risk vs. Strategic Risk

These two types of risks may blend together in certain areas, though the greatest distinction is that strategic risk is usually long-term and may involve more external parties. A new competitor entering a market is a strategic risk, though how the company handles that on a day-to-day basis is an operational risk. The competitor may have also decided to enter the market because they felt their level of operational risk could be less than other companies.

Examples of Operational Risk

One area that may involve operational risk is the maintenance of necessary systems and equipment. If two maintenance activities are required, but it is determined that only one can be afforded at the time, making the choice to perform one over the other alters the operational risk depending on which system is left in disrepair. If a system fails, the negative impact is associated directly with the operational risk.

Other areas that qualify as operational risk tend to involve the personal element within the organization. If a sales-oriented business chooses to maintain a subpar sales staff, due to its lower salary costs or any other factor, this behavior is considered an operational risk. The same can be said for failing to properly maintain a staff to avoid certain risks. In a manufacturing company, for example, choosing not to have a qualified mechanic on staff, and having to rely on third parties for that work, can be classified as an operational risk. Not only does this impact the smooth functioning of a system, but it also involves additional time delays.

The willing participation of employees in fraudulent activity may also be seen as operational risk. In this case, the risk involves the possibility of repercussions if the activity is uncovered. Since individuals make an active decision to commit fraud, it is considered a risk relating to how the business operates.

What Are the 5 Levels of Risk?

Companies often gauge risk by determining whether it is highly likely, likely, possible, unlikely, or highly unlikely an event will occur. Highly likely is often assigned a percentage of greater than 90%, while likely includes a range that is always above 50%. Management uses these percentages to determine the best course of action when evaluating the cost of mitigation against the cost of a detrimental outcome.

How Do You Identify Operational Risk?

Operational risk is identified by assessing what could go wrong in the day-to-day aspects of a company. Management often identifies operational risk by asking questions such as "What if a certain system broke down?" or "What if a certain supplier was unable to deliver goods on time?" Management can come up with countless areas of operational risk; it is up to them to decide which aspects are most important to mitigate and which to accept.

What Are the 4 T's of Risk Management?

The four T's of risk management are:

  • Tolerate: management decides they are okay with a certain operational risk and does not take action to stop it.
  • Terminate: management is not okay with any level of risk with a certain activity and decides to stop that activity.
  • Treat: management puts in place certain maneuvers that decrease the potential total risk.
  • Transfer: management wants to perform an activity but seeks a third party to incur the risk on their behalf (e.g., by buying insurance).

Who Is Responsible for Managing Operational Risk?

Senior management is often responsible for managing operational risk by being aware of what risks are in place and the strategies for overcoming them. Though lower-level field managers are more involved in the day-to-day aspects, senior management should oversee their activities to make sure the operational risk strategies are being properly carried out.

The Bottom Line

Operational risk is the risk of loss resulting from many normal aspects of business. This includes the risk of loss caused by failed processes, unskilled employees, inadequate systems, or external events. In many ways, operational risk can't be avoided as it is part of the daily business activity of a company. In other ways, companies can seek to reduce, mitigate, or accept operational risk.