Currently, most organizations are exposed to financial losses from many different causes, regardless of the economic sector to which they belong.
To mitigate these losses, an adequate operational risk management system is crucial; among other advantages, it enables contingency plans that respond promptly to problems arising from processes, technology, infrastructure, external events, or human failures.
After identifying operational risks, which can be done simply through software such as Pirani, they must be measured and controlled through corporate policies and strategies. It is crucial to consider elements such as documents, company structure, event registration, control bodies, continuity plan, information disclosure, and training for company members to achieve this goal.
In the following E-book, we explain everything you need to know about the culture of the operational risk management system, from its definition, principles, types, procedures, advantages, and recommendations to achieve the proper establishment of a thriving risk culture.
Operational risk culture refers to how a company addresses and manages operational risks in its daily tasks, i.e., those arising from the company's own activity. Examples include process failures, human error, IT system failures, and unforeseen external events.
Operational risk covers the danger of loss arising from inadequate internal processes, system failures, human error, or unforeseen external events. In other words, operational risk refers to the probability that a company will suffer financial losses or damage to its reputation due to failures in its operating processes.
Moreover, operational risks can arise from any business activity, including technology, personnel, business processes, and compliance with rules and regulations. Therefore, effective operational risk management is crucial to protect the company from financial losses and other negative impacts on its reputation and its ability to achieve its business objectives.
There are several types of operational risks, among which the following can be mentioned:
Companies must identify and adequately manage the operational risks relevant to their business activity to minimize their impact on the company and ensure effective operational risk management.
Operational risks can have several effects on a company, such as:
Companies must acknowledge the possible consequences of operational risks and implement measures to recognize, evaluate, and effectively control these risks. This ensures that their impact on the organization is minimized.
Identifying operational risks is a fundamental step in risk management. To identify risks properly, the following steps can be followed:
Involving employees is fundamental in identifying operational risks since they have detailed knowledge of the company's processes and systems and can provide valuable information to the company. Once operational risks are identified, they should be prioritized, and risk management plans developed to minimize their impact on the organization.
To get all the company's collaborators involved in risk management, with the knowledge needed to identify and report in time the events that may affect operations, finances, reputation, and continuity, practical actions such as the following must be implemented:
In addition to the good practices mentioned above, it is recommended to implement a technological tool that allows all employees to get involved in risk management more simply and efficiently. In this way, the tool contributes both to the fulfillment of objectives and to the continuity of the business in the long term.
The design and consolidation of a risk management culture within an organization is a systematic process involving the execution of several key steps to achieve shared understanding. The essential steps to achieve this are presented one by one below:
This first step requires the organization's members to analyze their operational processes and activities in detail to identify those events that can potentially damage the company, causing financial losses and reputational damage. To do so, they must identify, within their critical processes and systems, the associated risks: human errors, failures in execution, external events, unexpected situations, vulnerabilities, regulatory non-compliance, etc.
For this, it is necessary to review past incidents (what happened and how it was acted upon), for example, a headquarters located in an area susceptible to hurricanes or floods, or employees misusing their emails. Anything that reveals similar patterns or trends helps, as does consulting experts and interviewing employees in each area to see how the existing internal controls work.
Once the possible operational risks have been identified (fraud, ransomware, strikes, etc.), it is necessary to evaluate the probability of each one occurring and its consequences for the organization. An excellent way to capture the information collected is to develop risk matrices, which order and prioritize the risks with the greatest certainty of materializing and from which the company could not recover. This allows the organization to focus on the most damaging and probable risks.
In this step, the members already know the risks and which ones demand more attention, so they must establish the mechanisms for addressing them: how to do the right thing and what measures must be implemented. At this point, the plan should state what is to be done, with specific activities, for example, training personnel in their actions, in how to use email, in how to verify transactions, and in the rules applicable in their area; implementing software tools to automate activities; reducing the manual workload; monitoring activities; etc.
In addition, set clear objectives and goals for leaders and employees, which may include optimizing the ability to detect vulnerabilities or failures, misconduct, strengthening internal controls, implementing additional policies or procedures, and creating awareness among staff.
The critical point is defining each member's values, roles, and responsibilities for the common purpose, setting compliance deadlines, and monitoring and evaluating their effectiveness.
Now it is time to materialize the planning of the previous step by creating a manifesto or document that establishes, in terms understandable to all members, what, how, when, and where they have to act, what the correct behavior is, what is expected of them in carrying out their activities, the factors to which they should pay particular attention, and their possible responses to risk.
The objective of this document is to define the employees' expected behavior without any doubt, what is acceptable and what is not, so that they understand why they must choose to do the right thing and how it benefits them, because it is indispensable for the success of all.
In this step, it is necessary to educate the members of the organization so that they fully understand their responsibilities and their critical role in operational risk management, the risks they face, why it is necessary to fully comply with the established protocols, how to reduce the probability of errors, how to follow internal controls, etc.
The company must instill in its personnel the conviction to act correctly, through direct communication channels that allow them to report a problem immediately, and by recognizing and rewarding those with a proactive attitude toward risk.
For example, if the problem is a possible flood, the response is a contingency plan; if it is the hijacking or infiltration of information, it is knowing how to avoid opening suspicious emails or links, applying security and confidentiality measures, etc.
It is necessary to regularly monitor the plan's effectiveness, from reviewing the policies and control measures that prevent the risk from materializing to analyzing and identifying new risks, remembering that threats are dynamic and vary and evolve as the organization grows and progresses.
We have insisted on the risk management culture as the understanding by the members of the organization of what risk implies, to achieve in each one the desire to think and behave in the "right way" for a common purpose, which is none other than the continuity of the company in the market.
IT solutions such as Pirani facilitate the implementation and consolidation of the risk culture, from identifying operational risks and prioritizing efforts and resources to regularly following up and monitoring activities. To achieve this, it offers a communication platform and access to all members so they can understand, notify and follow up on the incidents that develop during their activities.
Creating a solid infrastructure for the prevention and control of operational risks provides several benefits for the organization, among which are:
It allows the organization to identify and assess potential risks before they cause severe damage, for example, employees misusing their email or equipment and accessing irregular sites, the absence of double-checking processes for access to critical data, poor inventory management, etc.
To achieve this, the organization must establish internal processes and controls that allow it to quickly analyze the large volume of data it handles and to monitor activities in progress: the behavior of employees and leaders, the use of resources, the distribution and transportation of raw materials, real-time inventory management, etc.
Detecting and addressing errors, failures, or external events early, before they escalate and interrupt or suspend operations, prevents the company from failing to meet its commitments to partners, customers, and suppliers and from losing their confidence.
Implementing an effective risk management system provides team leaders with essential information, insight, and trends to see the way forward and create an informed strategy: for example, knowing that a raw material shortage is looming and more must be bought before it happens, or that there is a risk of a strike and it is time to reconcile with workers.
The main consequence of operational risk is severe financial losses; however, acting proactively rather than reactively helps prevent the problem from escalating and having to invest more resources and time to correct it. Continuing with the previous example, how much will raw materials cost once a shortage occurs?
An excellent operational risk management framework helps members and employees to have a complete understanding of the set of internal policies, labor standards, and international standards that must be followed in their area of work, especially since it is essential to adhere to the limits of the framework.
It helps to detect what is not working in the systems or work processes and to take measures to optimize them; it offers valuable information about how the organization works, what threatens quality, and how to prevent those threats, thus improving customer satisfaction.
Effective consolidation of the risk management culture within a business organization demands a holistic approach from its members, involving different areas and levels and evaluating all layers: safety, supply chain, production, inventory, data, etc.
Some key suggestions:
It starts with top management, who must lead the way, manage the awareness process, and communicate assertively the effects, not only for the organization but also for them personally, if the risk occurs. The key is to ensure that risk is no longer an abstract or distant idea but a latent threat unless due care is taken.
As explained in the section on design, clear steps must be established for the identification, evaluation, approach, and monitoring of each of the risks by area, including adopting tools that employees and the management team know how to use.
Each member and employee must know their role to prevent risk from materializing in their area, from customer onboarding managers, accounting staff, those involved in the supply chain, etc.
Reports derived from risk control measures such as assessments, internal and external audits, and continuous monitoring need to be part of the daily planning of activities to see what needs to be improved and where time and money need to be invested.
One of the serious problems of organizations is that they think the work is done once management presents employees with a document containing the guidelines to follow. In fact, the work is just beginning because, as we have insisted, culture is consolidated when employees understand why it is essential to avoid threats and adopt preventive measures in their daily activities. It is not a matter of forcing them to do so but of creating a passion for doing things right.
A thriving risk culture is achieved not by forcing members and employees to abide by protocols and standards in the execution of operations but by effectively instilling an ongoing desire to do the right thing in them. However, as discussed, this is a challenging path, and companies often focus on it after they have suffered severe financial losses once the operational risk has materialized.
Culture is consolidated when people within the organization know clearly what is right and wrong, and there is no gray area in their behavior. To promote it, corporate values must be strengthened, along with the need to take care of each other in the face of possible risk in order to minimize harm. For this, the leaders' guidance must be clear and the path to follow well defined, which helps create a robust work environment in the face of risk.
Leaders know that they have succeeded in implementing the risk management culture when staff call or report all types of incidents, when risk indicators are continuously reviewed, and when activities are completed before the due date. Above all, risk is part of the decisions made when people know that it is possible at any time.