Operational risk: what it is and why it matters
We’ve partnered with Marcus Alcock, editor of www.emergingrisks.co.uk, which provides essential news and analysis on the world of corporate emerging risks, to look at the key areas of operational risk.
You may have heard the term operational risk bandied around as an important area for companies to monitor. According to UK regulator the Prudential Regulation Authority (PRA), operational risk includes the risk of loss resulting from inadequate or failed internal processes, people and systems. But what does this mean in practice?
There is a huge variety of specific operational risks. By their nature, they are often less visible than other risks and are often difficult to pin down precisely. Operational risks range from the very small, for example, the risk of loss due to minor human mistakes, to the very large, such as the risk of serious fraud. Operational risk can occur at every level in an organisation, but here we outline some of the most important.
Key areas of operational risks
Failure of IT systems
IT failures – whether from a disabling cyber-attack, or the more mundane causes of human error or failure of aging hardware – are a significant threat. Ensuring resiliency against disruptive cyber-attack is a broad task, operational risk experts admit, encompassing information security controls, third-party oversight, data protection and fraud authentication processes.
Many small and medium-sized businesses in the UK are ignoring or underestimating the potential risks of reputational damage, according to the Chartered Insurance Institute (CII). From an operational risk perspective, reputational damage can be directly caused by the actions of the company directors, or by the actions of employees and key suppliers that have not been given due oversight.
Loss of key people
Employees with skills that are uniquely valuable to a company’s success are worth their weight in gold, but what happens when they leave, taking that knowledge and experience with them? Relying on key individuals carries risks that, if not properly managed, may damage profits, productivity, and confidence among remaining employees.
Diversity and inclusion
From the Black Lives Matter movement (BLM) to Environment, Society and Governance (ESG) initiatives, the resounding societal cry is for greater diversity and inclusion in the workforce, as well as reducing barriers to opportunity. There is a growing view that a lack of diversity and inclusion (D&I) in the workforce – and a lack of D&I policies – is a major operational business risk, both from a liability viewpoint and from a wider reputational risk viewpoint (see above).
A data breach is a breakdown in security resulting in the accidental or unlawful disclosure of, access to or use of sensitive or personal information belonging to your business. Worryingly, this is far more widespread than you might think: recent data from the EU Agency for Network and Information Security Report showed that 61% of data breaches affected organisations with 1,000 employees or fewer. Although this includes incidents of cybercrime, many data breaches are the result of human error – another key operational risk.