People and Technology Risks: The Next Frontier of Operational Risk Management
- January 22, 2016
- Posted by: admin
- Category: Compliance, Corporate governance, Governance Risk and Compliance, Leadership, risk assessments, Risk management
This article appeared in IRM’s Magazine, first issue of 2016.
Since risk management was recognized as a business discipline in the 1970s, its application has broadly evolved through three stages.
Firstly, it was used to minimize the downside by establishing credit controls, liquidity and investment policies, audit procedures and insurance coverage, among others. The principal focus was on protection against downside risks.
However, as it later turned out, a simple focus on the downside was not enough, since it was too restrictive: business units that take risks are frequently at loggerheads with a risk function that seeks to minimize them.
Secondly, in the 1990s, risk management focused on managing volatility around business and financial results. The primary aim was to demonstrate how risk management can be a positive force in supporting profitability and business growth.
More importantly, during this period, recognition of operational risk management increased sharply. Disasters such as Kidder Peabody and the Exxon Valdez oil spill brought crisis and management to the fore.
Thirdly, and more significantly, risk management came to be used as a lever for performance optimization. This stage was characterized by a more integrated approach to managing all risks. Enterprise Risk Management optimizes business performance by supporting and influencing pricing, resource allocation and other business decisions.
Although companies have come up with various strategies to manage credit and market risks, operational risk management remains the biggest challenge in terms of knowledge and application.
Emerging Challenges in Risk Management Practices
As mentioned earlier, good risk management is an integral part of business decision making, not external to it. However, changes in the business environment affect the practice of effective risk management. Some of the major changes affecting risk management practice in all industries today include, but are not limited to:
- Technology and people risk; these are new operational risks associated with developments in technology and people-related actions, key among them dishonesty, largely occasioned by moral decay in society. The Kenyan parliament recently passed a bill to introduce ethics and integrity lessons in schools in a bid to instill national values in young Kenyans.
- Restructuring; the effects of mergers and acquisitions, strategic alliances, outsourcing and reengineering.
- Changes in market structures; impacts of deregulation, privatization and new competition.
- Globalization; this is the growing interdependence of economies and markets through networks.
Basel II and other industry sources have defined operational risk as the risk of direct or indirect loss resulting from inadequate or failed internal processes, people and systems or from external events.
A special focus on technology and people risk, which represents a significant portion of operational risk, reveals the need for increased attention when devising treatment mechanisms. Operational risk will continue to pose challenges because it cuts across both credit and market risks.
Hence, if it is not treated as a discrete area of risk, it tends to be implemented differently in various areas of the same company.
The widely publicized collapse of Barings Bank, a 233-year-old bank, in 1995 because of one rogue trader, Nick Leeson, and the 1996 demise of Kidder Peabody as a result of alleged fraud are just two examples of what happens when controls over operational risks are lacking.
Locally, and more recently, Kenya has witnessed major scandals in both the financial and non-financial sectors. Imperial Bank of Kenya, which is currently under receivership, is a good example of how people risk can bring a hitherto financially thriving bank to its knees. A forensic audit by FTI Consulting revealed shocking details of how eight members of one family that largely deals in the fish business conspired with the bank’s top management to siphon sh 34 billion from the bank, in one of the biggest bank thefts to strike the banking industry.
Still in the banking sector, National Bank of Kenya reported a surprise sh 1.2 billion loss for the year ending December 2015, compared with a profit of sh 1.3 billion in the same period last year.
The bank management attributed the loss to heavy provisions and a loan impairment change that increased by sh 3.2 billion over the period in question.
However, preliminary investigations and insider sources have pointed a finger at malpractices by the top management of the bank. The non-financial sector has not been spared either. For example, the National Youth Service and the Youth Enterprise Fund, both state corporations under the Ministry of Planning and Devolution, lost close to sh 1 billion, in what has become a norm in the public sector, where senior public officers collude to plunder public resources.
James Lam, a renowned risk management practitioner, once said, “Risk management is about processes and people”. It is possible for a company to survive, and it may even do so, if it has good people and bad processes, but it cannot if the reverse is true.
Clearly, at the end of the day, a company’s risk profile is driven by the decisions and actions of its employees. Therefore, every employee in an organization must be considered a risk. On the other hand, technological development has eased the cost of doing business.
For example, improvements in communication technology have helped to bring down the barriers between markets that were historically distinct and significantly contributed to globalization process.
Although technology has become increasingly necessary, operational risk events due to system failures have become a major concern to various industry players. More worrying is the rise of e-commerce as the preferred mode of doing business.
While this is a step forward in business development, information security breaches remain a huge risk.
The future of operational risk management looks bright, given its recognition as a key ingredient in addressing a significant portion of the risks affecting organizations.
More encouraging is the development of analytical models such as extreme value theory, dynamic simulations and/or other models borrowing from total quality management techniques to quantify operational risk.
The lack of consistent operational risk loss data remains a challenge when it comes to effective measurement. However, moving forward, the greatest challenge of operational risk will remain that of management and not measurement.