Operational risk management system manual

Having an adequate risk management system allows companies to manage in a timely manner the different risks and threats that can affect their finances, reputation and business continuity.

Introduction

Most organizations, no matter what sector they belong to, are exposed to financial losses due to various causes. To avoid such threats, it is recommended to have an adequate operational risk management system focused on ISO 31000 and a contingency plan that offers guarantees against the inconveniences that may arise, whether through processes, technology, infrastructure, external events, or human failures.

After the identification of operational risks, which can be done in a simple way through software such as Pirani, they must be measured and controlled, for example, through corporate policies and strategies. For this, it is important to take into account elements such as documents, company structure, event registration, control bodies, continuity plan, information dissemination and training to company members. 

In the following eBook you will find all the information related to the operational risk management system, the types that exist, the procedures, stages and principles that must be followed.

What is operational risk?

It can be defined as the possibility of incurring losses due to human, technological, environmental, infrastructure, or external failures that may jeopardize the normal development of the company's activities and prevent the fulfillment of corporate objectives.


The above-mentioned includes everything related to legal risk but leaves aside reputational and systematic risks and losses due to economic, social, or political factors.

This type of risk is inherent in all systems and processes that are performed by humans.

According to Basel, this is "a risk of economic loss resulting from the inadequacy or inefficiency of internal processes and external changes in the performance of personnel or systems integrated into the production unit."

For an adequate management of operational risks in the organization, a good practice is to use a risk management software such as Pirani, which allows to create a parameterized risk matrix, identify risks, associate them to processes and controls, report events and generate reports to make timely decisions that benefit the company.

Types of operational risk


Classifying risks according to the category to which they belong makes it easier to identify them. For this reason, the following are the seven types of operational risk that exist so that you can be aware of them within your company.

  1. Internal fraud: theft, bribery, or non-compliance with regulations by direct employees or third parties contractually linked to your company are risks caused by internal fraud.
  2. External fraud: This type of risk is caused by the actions of persons outside the entity. It may occur through theft, forgery, or computer attacks.
  3. Technological failures: If your company is exposed to failures in its computer systems, hardware, or software, you must identify the risks generated by these events.
  4. Process execution and management: Errors in process management also imply risks for your company. In this regard, transaction capture, monitoring, reporting, customer documentation, and account management must be evaluated to recognize potential operational risks.
  5. Labor relations and workplace safety: Any actions that violate labor laws and workplace safety can create an obvious risk. Therefore, be alert to possible personal injury claims or cases of employment discrimination within the company.
  6. Damage to tangible assets: fortuitous circumstances such as fires, earthquakes, and terrorist acts, among others, may put your company's physical assets at risk, so identify the damage or harm that these events may cause.
  7. Customers, products, and business practices: Finally, this last type of operational risk refers to acts such as unfair competition, damages to customers, and misleading information about products, which may imply a risk of involuntary or negligent non-compliance.

Operational risk management system

The operational risk management system is one of the best practices carried out by the entities' boards of directors.

It is defined as a repetitive process composed of a series of steps that must be carried out with an established structure to improve decision-making and protect the company's most important assets, such as finances.


Here, operational risk must be identified, evaluated, monitored, controlled, and mitigated. To do this correctly, the system must have an efficient monitoring process, which must be carried out periodically to identify in time if any of the controls are not working or are not adequate. This will allow decisions to be made in time and reduce the frequency and extent of losses.

Risk management system framework


The following elements are taken from Deloitte's "Operational risk management, implementation, data and analytics":

  • Governance and risk culture: the people in charge, what they will be in charge of, and how the culture will be created within the company are established.
  • Infrastructure and tools: the tools and data to be used to prevent operational risk are defined.
  • Strategy, policies, procedures, and controls: ability to address complexity and risk appetite.
  • Evaluation, monitoring, and testing: Scope and frequency defined for monitoring and testing.
  • Data, measurement, and reporting: timely identification, measurement, and reporting of risks.
  • Training and communications: training needs and development plan.
  • Escalation and resolution: transparency, issue monitoring, and remediation plans.
  • Reputation and external events: external event monitoring and review of historical data to identify potential loss events.


Policies


Operational Risk Committee

This committee is responsible for ensuring compliance with the established operational risk management framework. Its mission is to identify, measure, monitor, and disclose the institution's risk levels.

On the other hand, they must adequately manage the procedures, which must be focused on the requirements of local and international standards.

Lines of business

They are classified and established according to the requirements of the control entities and what the company defines. They are generally divided into:

  • Corporate finance.
  • Business and sales.
  • Retail and commercial banking.
  • Payments and settlement.
  • Services.
  • Asset management.
  • Brokerage.

Audit

An internal audit should be carried out to review in depth whether the corrective measures are adequate and producing the expected results.

The audit is not responsible for managing operational risks. However, it can provide recommendations based on its experience to create an adequate system.

Internal procedure

A manual should be created to indicate how the procedures should be carried out, which tools will be used, and how the operational risk management system will be implemented.

This manual should set out the company's exposure to risks, the scenario in which any of them materializes, and the steps to be followed.

Internal dissemination

It is essential to promote the risk culture within the company so that all internal and external members are aware of everything related to this type of risk management.

For this purpose, training, courses, and talks should be created to make them aware of the vision, policies, procedures, and responsibilities since all employees will be part of the management and, in a certain way, will be responsible for its implementation.

Business continuity

When we talk about business continuity, we refer to the ability of companies to survive in the event of a risk that may occur internally or externally, affecting the normal development of activities. Companies must therefore be able to react immediately to a threat and continue to provide their services in a "business as usual" manner, avoiding interruptions and preserving the normal development of their daily work.

Regulatory compliance

The system will comply with all legal requirements demanded by national and international control entities and seek to keep up to date with any modifications and updates that may be made.

Procedures

By having a risk management system in place, the following objectives will be met:

  • Create a solid and forceful organizational culture.
  • Minimize the damage that may occur due to human failures.
  • Decrease the probability of occurrence of risks.
  • To have a record of events that contribute to the reduction of incidents.
  • To fully identify risks and have the required controls in place.

With regard to procedures, the following should be carried out:

Self-assessment

This provides an opportunity to identify critical points in management, gain detailed knowledge of the quality of the system being implemented, and make improvements.

It also provides the opportunity to identify new risks, which can be evidenced through workshops and group meetings focused on determining whether the company may be exposed to new risks and how the existing ones are being controlled.

Event and loss reporting

Those responsible for the risk management system must report the operational risks that materialized and the losses they caused, so that the situation can be analyzed and any new risks arising from these events can be identified.

Indicators

Indicators are the backbone of the risk management process. They must be defined to enable periodic risk measurement and, importantly, to detect and identify changes in the evaluated risks. This gives the board of directors confidence in the risk management strategy.

Assignment of risks

These must be classified to create a risk map for products or services, taking into account the line of business or the loss event to which they are associated. This tool allows us to see the registered risks on a large scale and designate their priority.

Management reports

Management reports are the tools that give control over operational risk management. They allow the risk management team to examine in depth all the information that has been documented.

Data related to results, follow-up, and corrections should prevail in management controls or processes.

These should be analyzed by the board of directors, and the new strategies that were proposed to create an optimal operational risk system should be approved.

Structure


Stages


All organizations have different strategic objectives, and the level of exposure to risk also varies from company to company. However, the risk management process has five primary stages that determine the risk management maturity level within the entity.

First stage: traditional base

At this stage, there is no formal structure for addressing risks. Thus, considering that risks are always present, risk managers act independently.

The compliance area relies too heavily on internal audit to verify losses. Since, at this stage, the risk culture has not spread to all levels of the company, maintaining adequate control of events depends entirely on the quality and integrity of the officers and shareholders.

Second stage: awareness-raising

Companies that establish a specific area to manage risks reach this stage of the operational risk management process. They define policies, responsibilities, and support tools. Among the resources available to managers to manage risk at this stage are mapping processes to identify risks and formalize controls, structuring the loss history database, and designing efficiency and profitability indicators.

Third stage: monitoring

After identifying all risks, it is essential to interpret their impact on business processes. In this stage of the operational risk management process, the current risk level and the effectiveness of risk management functions are monitored. Risk indicators, both qualitative and quantitative, as well as targets or limits, are established for monitoring purposes. Risk exposure measures are consolidated into a balanced scorecard to measure business performance in relation to risks. In this phase, management is decentralized to all areas of the organization, and the risk culture is strengthened. Likewise, monitoring ceases to depend on the compliance area, and people responsible for analyzing and monitoring processes and activities are assigned.

Fourth stage: quantification

This is one of the stages of the operational risk management process in which the organization achieves greater maturity. At this stage, the institution already has a better understanding of its operational risk exposure. Managers are now able to focus on quantifying risks and predicting future events. Therefore, they use more analytical tools based on real data, as the loss data bank from stage 2 now has sufficient information to make decisions.

Fifth stage: integration

All business areas recognize the importance of operational risk management. They are concerned with fully integrating the quantification of all the organization's risks and are not limited to considering only operational risks. In this sense, quantification is applied to strategic planning and process quality improvement.

At this fifth stage, the company will already have oriented the development of its operational risk management process according to the guidelines of the control bodies and will comply with the requirements established by the Basel Committee.

Principles


  • Risk vision: this must be aligned with the organizational vision.
  • Value: These are the benefits obtained in the short and long term.
  • First processes: priority should be given to the processes to be implemented, and then the technology to be used should be reviewed.
  • Clear roles: Designate the people in charge of each area and be clear about their responsibilities.
  • Relevance: the focus given to the lines of business.
  • Influence: the existing environment is taken into account.
  • Risk culture: having people lead this initiative and provide knowledge to all organization members.

Responsible


Board of Directors:

  • Determine the policies related to the operational management system.
  • Approve the policy manual designed for the company.
  • Perform the pertinent monitoring of the system.
  • Create preventive measures for the operational risk profile, focusing on the organization's tolerance level.
  • Give their opinion on the reports that are presented.
  • To follow up on the audits carried out by the control entities.
  • Provide the company with the resources necessary for the system to function properly.

Legal representative:

  • Design the policy manual.
  • Ensure compliance with the established policies.
  • Follow up on the stages of the system.
  • Designate the persons responsible for the department in charge.
  • Adopt measures related to the risk profile, taking tolerance into account.
  • To have an adequate application of controls.
  • Receive and evaluate the reports submitted.
  • Submit a report on the evolution and aspects of the management system to be highlighted.

Operational risk department:

  • To have the appropriate personnel with knowledge in operational risk management.
  • To have decision-making capacity.
  • Not to depend on control entities, technology departments, or interests that may cause conflicts of interest.
  • To have the necessary resources to carry out all functions.
  • Define strategies, methodologies, and procedures for operational risk management that comply with legal requirements.
  • Create the internal and external reporting system.
  • Manage operational risks.
  • To have the necessary information for the registration of events.
  • Evaluate the adequacy of controls.
  • Establish and monitor the organization's risk profile.
  • Have the appropriate measurement models.
  • Create training programs focused on operational risk management.
  • Propose changes in controls if necessary.

Challenges


Most companies are adjusting the operational risk management model using three lines of defense to make the systems more effective.


Remember that in Pirani, you can create your free account with all the functionalities we offer or schedule a meeting to learn more about how we can help you simplify risk management in your organization. 
