How to generate an Operational Risk Culture
Introduction
Currently, most organizations are exposed to suffer financial losses due to different causes, regardless of the economic sector to which they belong.
To avoid this inconvenience, an adequate operational risk management system is crucial, which, among other advantages, allows contingency plans to respond promptly to problems that may occur due to processes, technology, infrastructure, external events, or human failures.
After identifying operational risks, which can be done simply through software such as Pirani, they must be measured and controlled through corporate policies and strategies. It is crucial to consider elements such as documents, company structure, event registration, control bodies, continuity plan, information disclosure, and training for company members to achieve this goal.
In the following E-book, we explain everything you need to know about the culture of the operational risk management system, from its definition, principles, types, procedures, advantages, and recommendations to achieve the proper establishment of a thriving risk culture.
Operational risk culture fundamentals
Operational risk culture refers to how a company addresses and manages operational risks in its daily tasks, i.e., those arising from a company's activity. Examples include process, human error, IT system failures, and unforeseen external events.
Concept of operational risk
Operational risk contemplates the danger of loss arising from inadequate internal processes, system failures, human error, or unforeseen external events. In other words, operational risk refers to the probability that a company will suffer financial losses or damage to its reputation due to failures in its operating processes.
Moreover, operational risks can arise from any business activity, including technology, personnel, business processes, and compliance with rules and regulations. Therefore, effective active risk management is crucial to protect the company from financial losses and other negative impacts on its reputation and ability to achieve its business objectives.
Types of operating risks
There are several types of operational risks, among which the following can be mentioned:
- Process risks are those produced by an inadequate internal process, such as a supply chain or production failure.
- Technology risks: are those produced by failures in information technology systems, such as cyber-attacks or software failures.
- Legal and regulatory risks arise from non-compliance with legal and regulatory rules and regulations.
- Reputational risks: those arising from the negative perception of the company by customers, suppliers, investors, or the general public.
- Personnel management problems, such as lack of training or turnover, cause human resources risks.
- Environmental and safety risks are caused by environmental and safety impacts in the company's operation, such as occupational accidents or environmental pollution.
- Fraud risks: are those arising from fraudulent activities carried out by employees, suppliers, or other stakeholders.
Companies must identify and adequately manage operational risks relevant to their business activity to minimize their impact on the company and ensure effective active risk management.
Effects of operational risks on the organization
Operational risks can have several effects on a company, such as:
- Financial losses: Operational risks can cause significant financial losses to the company due to errors in internal processes, systems failures, or unforeseen external events.
- Reputational damage: Operational risks can cause damage to the company's reputation if it is perceived that the company is not managing risks appropriately. This can result in losing customers, suppliers, and other business partners and hurt the company's long-term profitability.
- Regulatory fines and penalties: Not complying with rules and regulations can lead to operational risks that result in regulatory fines and penalties. This can significantly impact a company's profitability and ability to operate effectively.
- Disruption to business operations: Operational risks can disrupt normal business operations, resulting in lost revenue and customer dissatisfaction.
- Negative impact on employees: Operational risks can negatively affect employee morale and motivation, especially if it is perceived that the company is not adequately managing the risks and is not taking measures to mitigate them.
Companies must acknowledge the possible consequences of operational risks and implement measures to recognize, evaluate, and effectively control these risks. This ensures that their impact on the organization is minimized.
Identification of operational risks
The identification of operational risks is a fundamental step to be carried out for risk management. To perform proper risk identification, the following steps can be followed:
- Documentation review: A detailed analysis of available documentation, such as internal and external audit reports, past incident reports, policies and procedures, operating manuals, and other relevant documentation, is necessary.
- Process analysis consists of reviewing the company's processes and assessing all the associated risks. This analysis identifies critical processes and potential failure points in each process.
- Technology analysis: assesses the company's information technology systems and the risks associated with them, such as information security, risk of cyber-attacks, and data integrity.
- Human resources analysis: This consists of analyzing the risks associated with personnel management, such as lack of training, staff turnover, and staff shortages.
- Performing legal and regulatory risk analysis involves evaluating the likelihood of non-compliance with laws and regulations in areas such as occupational health and safety, data protection, and privacy.
- Reputational risk analysis: assesses risks related to the negative perception of the company by customers, suppliers, investors, or the general public.
- Environmental and safety risk analysis consists of a detailed assessment of the risks associated with environmental and safety impacts in the company's operations, such as occupational accidents or environmental pollution.
Involving employees is fundamental in identifying operational risks since they have detailed knowledge of the company's processes and systems and can provide valuable information to the company. Once operational risks are identified, they should be prioritized, and risk management plans developed to minimize their impact on the organization.
Elements of an operational risk culture
Best practices for creating a risk management culture
To get all the company's collaborators involved with risk management and have the necessary knowledge to identify and report the events that may affect the operation, finances, reputation, and continuity on time. It is required to implement practical actions, such as:
- Having the support of top management is essential.
- Create an interdisciplinary team with an excellent capacity for innovation to develop strategies that impact all the company's employees.
- Work in coordination with all areas of the organization.
- Communicate directly and assertively to create awareness of the importance of risk management.
- Provide frequent and didactic training to all employees, raise awareness, and educate them effectively.
- Provide close support to all employees through the internal control areas.
- Develop risk management programs in each work area.
- Provide incentives and bonuses as long as they align with the employee's expectations and generate value.
- Have an adequate means for personnel to report in complete confidentiality all events, failures, or threats that may put the company at risk.
In addition to these good practices mentioned above, it is recommended to implement a technological tool that allows all employees to get involved more simply and efficiently with risk management. In this way, it is possible to contribute both to the fulfillment of the objectives and the continuity of the business in the long term.
Designing and implementing an operational risk culture
The design and consolidation of a risk management culture within an organization is a systematic process involving the execution of several key steps to achieve shared understanding. The essential steps to achieve this are presented one by one below:
Step 1: Understanding operational risk
This first step requires the organization's members to make a detailed analysis of their operational processes and activities to identify those events that can potentially damage the company, causing financial losses and reputational damage. To do so, they must specify in their critical processes and systems the associated risks, human errors, failures in execution, external events, unexpected situations, vulnerabilities, regulatory non-compliance, etc.
For this, it is necessary to review past incidents (what happened and how it was acted upon); for example, if the headquarters is located in an area susceptible to hurricanes or floods, employees misused their emails, etc. Anything that allows visualizing similar patterns or trends, consulting with experts, and interviewing employees in each area to see how the existing internal controls work.
Once the possible operational risks have been identified, from fraud, ransomware, strike, etc., it is necessary to evaluate the probability of occurrence and its consequences for the organization, an excellent resource to capture the information collected is through the development of risk nuances, to order and prioritize those with greater certainty of materializing and from which the company cannot recover. This allows the organization to focus on the most damaging and probable risks.
Step 2: Define an action strategy.
In this step, the members already know the risks, and which one demands more attention, so they must establish the mechanisms, how they will be addressed, how to do the right thing, and what measures must be implemented. At this point, it should be planning what is to be done, mentioning specific activities, for example, training personnel in their actions, how to use email, how to verify transactions, making them aware of the rules applicable in their area, implementing software tools for the automation of activities, reduction of the manual load, monitoring of activities, etc.
In addition, set clear objectives and goals for leaders and employees, which may include optimizing the ability to detect vulnerabilities or failures, misconduct, strengthening internal controls, implementing additional policies or procedures, and creating awareness among staff.
The critical point is defining each member's values, roles, and responsibilities for the common purpose, setting compliance deadlines, and monitoring and evaluating their effectiveness.
Step 3: Creation of clear policies and procedures
Now it is time to materialize the planning of the previous step, to create a manifesto or document that establishes understandably for all members what, how, when, and where they have to act, what is the correct behavior, what is expected of them in the development of activities, the factors to which they should pay particular attention, and their possible responses to risk.
The objective of these is to define without a doubt the behavior of the employees, what is black and what is white, to understand why they must choose to do the right thing, and how it benefits them because it is indispensable for the success of all.
Step 4: Communication of the plan and Motivation of personnel
In this step, it is necessary to educate the members of the organization so that they fully understand their responsibilities and their critical role in operational risk management, the risks they face, why it is necessary to fully comply with the established protocols, how to reduce the probability of errors, how to follow internal controls, etc.
The company must create in the personnel the conviction to act correctly through direct communication bridges, allowing them to call, notify immediately about the problem that arises, and recognize and reward those with a proactive attitude to the risk.
If the problem is a possible flood, a contingency plan, or if it has been the hijacking or infiltration of information, how to avoid opening suspicious emails or links, apply security and confidentiality measures, etc.
Step 5: Regular follow-up and continuous improvement
It is necessary to regularly monitor the plan's effectiveness, from reviewing policies and control measures to prevent the risk from materializing to analyzing and identifying new risks, remembering that threats are dynamic and vary and evolve as the organization grows and progresses.
Pirani: As a crucial part of the risk culture
We have insisted on the risk management culture as the understanding by the members of the organization of what risk implies, to achieve in each one the desire to think and behave in the "right way" for a common purpose, which is none other than the continuity of the company in the market.
IT solutions such as Pirani facilitate the implementation and consolidation of the risk culture, from identifying operational risks and prioritizing efforts and resources to regularly following up and monitoring activities. To achieve this, it offers a communication platform and access to all members so they can understand, notify and follow up on the incidents that develop during their activities.
Advantages of having a risk management system
Creating a solid infrastructure for the prevention and control of operational risks provides several benefits for the organization, among which are:
Early detection of risks
Allows the organization to identify and assess potential risks before they become severe damage. For example, employees misuse their email or equipment and access irregular sites, no double-checking processes for access to critical data, poor inventory management, etc.
To achieve this, the organization must establish internal processes and controls that allow them to analyze the large volume of data they handle quickly and monitor the activities in progress, from the behavior of employees and leaders, the use of resources, the distribution and transportation of raw materials, inventory management in real-time, etc.
It takes care of the excellent image of the organization.
The early detection and addressing of errors, failures, or external events before they escalate, interrupt, or suspend the continuity of operations, prevent them from meeting commitments to partners, customers, and suppliers and lose confidence in the company.
Optimizes decision making
Implementing an effective risk management system provides team leaders with essential information, insight, trends, and trends to see the way forward and create an informed strategy. For example, if a raw material shortage is looming and you need to buy more before it happens, if you need to reconcile with workers because there is a risk of a strike, etc.
Minimize long-term costs
The main consequence of operational risk is severe financial losses; however, acting proactively rather than reactively helps prevent the problem from escalating and having to invest more resources and time to correct it. Continuing with the previous example, how much will raw materials cost once a shortage occurs?
It drives regulatory compliance
An excellent operational risk management framework helps members and employees to have a complete understanding of the set of internal policies, labor standards, and international standards that must be followed in their area of work, especially since it is essential to adhere to the limits of the framework.
Improve the quality of products and services
It helps to detect what is not working in the systems or work processes and take measures to optimize them; it offers valuable information about how the organization works, what threatens quality, and how to prevent them, thus improving customer satisfaction.
Recommendations for a thriving risk culture
Effective consolidation of the risk management culture within a business organization demands from its member a holistic approach, involving different areas and levels and evaluating all layers, from safety, supply chain, production, inventory, data, etc.
Some key suggestions:
Instill in the members the sense of the importance of risk management
From the top management, who must lead the way, manage the awareness process, and communicate assertively, the effects not only for the organization but also for them if the risk occurs. The key is to ensure that risk is no longer an abstract or distant idea but a latent threat unless due care is taken.
Structuring a risk management process
As explained in the section on design, clear steps must be established for the identification, evaluation, approach, and monitoring of each of the risks by area, including adopting tools that employees and the management team know how to use.
Define roles and responsibilities
Each member and employee must know their role to prevent risk from materializing in their area, from customer onboarding managers, accounting staff, those involved in the supply chain, etc.
Integrate management into decision-making.
Reports derived from risk control measures such as assessments, internal and external audits, and continuous monitoring need to be part of the daily planning of activities to see what needs to be improved and where time and money need to be invested.
Continuous employee training
One of the severe problems of organizations is that they think management needs to be more energized by presenting a document containing the guidelines to follow to employees. The work is just beginning because, as we have insisted, culture is consolidated when employees understand why it is essential to avoid threats and adopt preventive measures in their daily activities. It is not a matter of forcing them to do so but of creating a passion for doing things right.
Conclusion
A thriving risk culture is achieved not by forcing members and employees to abide by protocols and standards in the execution of operations but by effectively instilling an ongoing desire to do the right thing in them. However, as discussed, this is a challenging path, and companies often focus on it after they have suffered severe financial losses once the operational risk has materialized.
Culture is consolidated when people within the organization know clearly what is right and wrong, and there is no grayscale in their behavior. To promote it, corporate values must be strengthened, and the need to take care of each other in the face of possible risk to minimize evil. For this, the leaders' guidance must be clear and the path to follow well defined, which helps create a robust work environment in the face of risk.
Leaders know that they have succeeded in implementing the risk management culture when staff call or report all types of incidents when risk indicators are continuously reviewed when activities are completed before the due date. Above all, it is part of the decisions made when they know that risk is possible at any time.
Bibliographic references
- https://www.theirm.org/what-we-say/thought-leadership/risk-culture/
- https://www.pwc.com/cz/en/sluzby/risk-culture.html
- https://www.protechtgroup.com/en-us/blog/key-elements-to-creating-and-maintaining-a-good-risk-culture?utm_source=protechtgroup.com&utm_medium=referral
- https://www.managementstudyguide.com/identification-of-operational-risks.htm
- https://reciprocity.com/blog/5-best-practices-for-risk-management/