Business risk is classified into two major categories: financial risk and operational risk. Today we focus on operational risk. The committee on banking supervision defines operational risk as “the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.” This includes legal risk.
Operational risk is further divided into the following categories:
Process risk. This is the risk that the processes employed will be either inefficient or ineffective, causing a failure to achieve the desired outcome. Alternatively, the objective may be attained but at a cost far greater than the income earned from the business activity.
People risk. This is risk arising from staff constraints like incompetence, dishonesty or inadequacy. Here, business objectives may fail because the staff hired lack requisite skills, steal from their employer or are too few to cope with the customer numbers streaming in.
Systems risk. This risk has to do with the ICT infrastructure in place, in terms of availability, capacity and the integrity of the data therein. A system being unavailable means that customers and users are not able to access it when needed. Capacity means that the systems in place should cope with demand, including at peak times, while data integrity means that you can rely on the information the system gives without fearing it is incorrect.
Event risk. This is risk arising from occasional events like riots, earthquakes etc.
Business risk. This is risk arising from changes in the business environment, for example the entry of a new competitor or the existing competition becoming more aggressive.
Legal risk. This is risk arising from contracts that cannot be enforced legally. In this case, the business may have entered into a contract with a customer and be unable to demand performance from the customer, perhaps because of ambiguity, insufficient documentation or contracts that violate the law of the land, including engaging in illegal business activities.
In general, many businesses have no formal policy on risk management. The few that do view the risk management function in isolation from general business processes. This means that everyone does their job without concern as to what risks the business is being exposed to. It is up to the risk manager to figure out any mitigation needed.
Modern practice, however, seeks to incorporate risk management at all levels of decision making in a business.
If I may use the case of Barclaycard, there was a very strong push to recruit new card holders about 3 years ago. An aggressive media campaign was launched and hundreds of sales staff were unleashed in the market. Naturally, many people signed up, including customers who would not ordinarily have been granted a card. Hardly a year later, the sales drive went quiet and many cards have since been cancelled or recalled.
Being an international institution of high repute, the attendant risks could not have been missed.
However, the attitude that came through from the sales people was that their job ended at closing the sale. It was up to someone else to recover money from customers. This is the problem of segmenting risk management. One person’s push to achieve their targets becomes a problem elsewhere in the chain, harming the whole organization.
It is therefore important to create awareness in the entire organization and charge everyone with managing the risks associated with their roles. This builds a culture of managing risks at all levels, increasing the likelihood of business success.