How to Identify Operational Risks

In the previous article, we discussed about the top-down and bottom-up approach which has been created to identify risks. In this article, we will provide an alternate approach. This approach is similar to the bottom-up approach in that it uses process maps to identify risks. However, the way that they look at the process maps and the methodologies used for the identification of risks is quite different.

Operational Risk Exposure

Risk exposure is defined as a measure of the possibility of future loss which may arise from a specific process or event. Exposure is related to the activities themselves whereas risk is the probability of an adverse event occurring while conducting those activities.

During the natural course of business, companies tend to engage in a lot of activities that increase their exposure to operational risks. Some of these activities have been mentioned below:

• Companies may route their products to the market via some key distribution channels. Hence, companies have large exposure to such channels. This could create operational risk in the future. For instance, the distributor might themself go out of business. Alternatively, the distributor may start distributing for another company which gives them a higher margin. Other times, geopolitical events and government rules may prevent the company from effectively using the services to be provided by the distributor.

• The company may rely on a handful of clients to generate the majority of its revenue. This creates exposure towards those clients. There is a possibility that those clients may go bankrupt or may find an alternate supplier. It is also possible that those clients may try to leverage their bargaining power and offer very low rates to the company thereby adversely impacting the profit margin.

• In many cases, companies are also dependent upon the services of some suppliers and key third parties. In such cases also, the company faces a similar set of challenges. The supplier may not be able to provide timely supply to our company. Also, the supplier may increase prices thereby disrupting the profit margin of the company

• Companies may also have exposure to some critical IT systems. The business may be largely driven by the flow of information which is enabled by these IT systems. If the suppliers to these systems stop providing support, the company may find it expensive and time-consuming to transition to a new product.

• Also, there is always the operational risk related to regulations. American companies trading with China have recently found out that their efficient and optimized business model can also be completely disrupted and uprooted for no fault of theirs. There is always a risk that a new regulatory framework may be created which would adversely affect the business interests of the company

If you tried to map operational risk exposure on a risk matrix, it would be mapped in a high impact low probability zone. This means that the probability of any of these events mentioned above happening is very low. However, if it does happen then the impact will be significant.

Operational Vulnerability

Operational vulnerabilities on the other hand are low impact, high-frequency events. These events are much more likely to occur and even keep happening in the day-to-day life of any company. However, their financial impact is not that high. Operational vulnerabilities are often defined as the weakest link in any business process.

Defects or shortcomings in the day-to-day processes of the company are referred to as operational vulnerabilities. For instance, it is quite possible that a company may manufacture defective products or sometimes may ship the wrong product to the wrong customer. If these events occur, the company can quickly replace the product and provide the right order to the customer. They can even provide some freebies to ensure customer satisfaction. Hence, the cost will be low. However, these events happen quite often in some companies.

There is always a chance that the information system of a company crashes due to high data load. It is not unheard of for companies to stop functioning for a couple of hours or even a couple of days due to defects in their information systems. The financial impact of such outages is relatively low. However, they tend to happen more frequently

Incompetent personnel is also an operational risk to the business. There are some companies that routinely hire inexperienced people and then train them. In such cases, it is quite possible that the service level of the company may drop because of the inexperienced people providing the service. This is another important operational vulnerability that may cost the company in the long run. It is quite possible that each company may have some silos wherein a small group of people will continue to operate unabated without following the proper risk management protocols.

The goal of operational risk management is to thoroughly assess the exposures and vulnerabilities. Once they have been identified, the goal is to minimize the exposure. It is important to realize that exposures cannot be completely eliminated. However, at the same time, it is important to eliminate the vulnerabilities. Multinational companies spend a lot of their time and money ensuring that their processes are six sigma compliant and are therefore devoid of operational vulnerabilities.