3.2 Operational risk management
Operational risks are very wide ranging, since they can arise from any weakness in an organisation's processes, systems or staff.
Managing these risks is therefore a process that envelops all parts of an organisation. The list of practices that can be adopted to contain operational risk is therefore huge and, to a large degree, will be specific to the nature of the organisation. Certain generic rules, though, do apply. Let us look at these.
All organisations are vulnerable when staff levels are inadequate in either number or quality. The success of organisations or, indeed, the recovery of failing organisations can usually be ascribed not only to the quality of senior management, but also to the effectiveness of the procedures put in place for recruiting, training and retaining good staff.
In assessing how well organisations avoid the risk of having inadequate staff resources in place, the following should therefore be tested:
- What is the staff turnover rate (rate of leavers per staff complement per annum) and how does it compare with the organisation’s peer group?
- What is the rate of absenteeism and how does it compare with the peer group?
- What procedures does the organisation have for the induction of new staff and for training staff?
- What percentage of staff positions is vacant and how does this compare with the peer group?
- Is there a succession plan in place for all key and senior staff? What procedures exist to replace key staff on their departure?
Organisations with high staff turnover, high absenteeism, weak training and development processes, high levels of staff vacancies and vulnerability to the departure of key staff are under-prepared to take on competitors with better records in these areas. Even if organisations are not operating in a competitive environment (for example, in government organisations), weaknesses in these areas will undermine the delivery of the services for which they are responsible.
Failure of systems will interrupt business activity and, as with the example of Sainsbury’s, can result in large costs being incurred. In assessing the exposure to operational risk arising from inadequate systems, what should you therefore be looking for if you are doing a risk audit?
You should include the following key tests:
- How often are systems out of operation (or ‘down’)?
- What proportion of an organisation’s activities is supported by existing systems? Is there a high proportion of manual ‘work arounds’ – for example, analysis and record keeping using ‘homemade’ spreadsheets?
- What back-ups exist for existing systems?
- Are there contingency sites available from which back-up systems can be employed if the location of the main site is impaired, say by fire or flood or another disaster? Are these contingency sites in the right location? (See Box 11.)
- Are all new systems thoroughly tested and run on a parallel basis with existing systems during their launch period?
Again, any weaknesses here spell potential financial trouble for an organisation. Malfunctioning systems mean that organisations may be unable to conduct business. It is hard to identify a greater financial risk than that.
Box 11 The wrong place for your contingency site
The atrocity of the terrorist attack on the World Trade Centre on 11 September 2001 highlighted an operational risk run by many businesses in Lower Manhattan.
To accommodate systems failures and the risk that access to the main site of their business may be prevented, many organisations had established contingency sites in alternative Manhattan locations. These could then be put into operation, employing back-up systems, to ensure the continued operation of business activities.
In many cases these sites were shared by businesses on the basis that it was statistically unlikely that more than one business would need access to the contingency site at any one time – and sharing the sites reduces the cost of retaining and maintaining them in readiness for possible use.
The extent of the devastation resulting from 11 September meant that not only was there multiple demand for contingency sites, but also many of these sites were located in areas of Lower Manhattan that were, temporarily at least, closed off to the public after the attack.
Consequently, many businesses learned a lesson in operational risk: yes, you do want a contingency site and, yes, it should be close to the main business location so that staff can relocate to it quickly, but you should not have it so close that access is prevented by the same event that is barring access to your main site.
Finally, operational-risk management should include the maintenance of an effective set of internal controls, documented in an organisation's procedures manual. Staff should ideally be required to read this manual, or at least the parts relevant to the business area in which they work, at least once a year, so that they know the control environment that applies to their responsibilities.
Compiling and reading a procedures manual may not be the most exciting thing anyone does, but it is an aid to reducing the incidence of operational failures and the financial risks they bring.
Control or procedures manuals should at least include details on the following:
- The delegation of powers to undertake transactions. These should detail the limits on the scope of an individual within an organisation to take business decisions.
- The reporting lines of employees to their superiors.
- The segregation of responsibilities between different parts of the business (for example, between the dealing room of a business and its settlements and accounting functions).
- The reporting of business activities – in terms of the timing and regularity of reports and their recipients. This should include ‘exception reporting’ – that is, the reporting of activities that occur only if a pre-defined limit has been exceeded or an event has taken place.
Applying these controls is the responsibility of managers. Testing the controls (regularly) is the responsibility of the organisation’s auditors.
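The following is an added illustration, not part of the original text, of how two of the controls just listed, delegated transaction limits and segregation of responsibilities between dealing and settlements, can be turned into an exception report: only transactions that trip a control are listed, which is what 'exception reporting' means above. All employee names, limits and transaction records are constructed for the example.

```python
"""Added example (not from the original text): a minimal exception report
over constructed transaction records.

Two of the controls from the procedures manual are encoded here:
  * delegation of powers: each dealing-room employee has a maximum amount
    they may commit in a single transaction;
  * segregation of responsibilities: the employee who books a deal must
    not also be the one who settles it, and settlement must be done by
    the settlements function, not the dealing room.
Names, limits and transactions are all constructed for the illustration.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Transaction:
    ref: str
    booked_by: str               # dealing-room employee who entered the deal
    settled_by: Optional[str]    # settlements employee who confirmed it; None if unsettled
    amount: float


# Delegated powers: maximum single-transaction amount per employee (constructed).
DEAL_LIMITS = {
    "alice": 1_000_000.0,
    "bob": 250_000.0,
    "carol": 5_000_000.0,
}

# Which function each employee belongs to (constructed).
FUNCTION = {
    "alice": "dealing",
    "bob": "dealing",
    "carol": "dealing",
    "dave": "settlements",
    "erin": "settlements",
}


def check_transaction(tx: Transaction) -> List[str]:
    """Return the exception codes raised by one transaction (empty list if none)."""
    exceptions: List[str] = []

    # Delegation of powers: no limit on record means no authority to deal at all.
    limit = DEAL_LIMITS.get(tx.booked_by)
    if limit is None:
        exceptions.append("NO_DELEGATED_AUTHORITY")
    elif tx.amount > limit:
        exceptions.append("LIMIT_EXCEEDED")

    # Only dealing-room staff may book deals.
    if FUNCTION.get(tx.booked_by) != "dealing":
        exceptions.append("BOOKED_OUTSIDE_DEALING")

    # Segregation: booker and settler must differ, and the settler must be
    # in the settlements function.
    if tx.settled_by is not None:
        if tx.settled_by == tx.booked_by:
            exceptions.append("SEGREGATION_BREACH")
        elif FUNCTION.get(tx.settled_by) != "settlements":
            exceptions.append("SETTLED_OUTSIDE_SETTLEMENTS")

    return exceptions


def exception_report(transactions) -> list:
    """Exception reporting: only transactions that tripped a control appear."""
    report = []
    for tx in transactions:
        codes = check_transaction(tx)
        if codes:
            report.append((tx.ref, tx.booked_by, tx.amount, codes))
    return report


# Constructed sample records.
SAMPLE = [
    Transaction("T1", "alice", "dave", 400_000.0),   # within limit, properly segregated
    Transaction("T2", "bob", "erin", 300_000.0),     # exceeds bob's delegated limit
    Transaction("T3", "carol", "carol", 100_000.0),  # booked and settled by the same person
    Transaction("T4", "dave", "erin", 50_000.0),     # settlements staff booking a deal
    Transaction("T5", "alice", None, 900_000.0),     # not yet settled, within limit
]

if __name__ == "__main__":
    for ref, who, amount, codes in exception_report(SAMPLE):
        print(f"{ref} {who} {amount:,.0f} -> {', '.join(codes)}")
```

Running the block lists only T2, T3 and T4; the two clean transactions never appear, which is the point of an exception report as opposed to a full activity report. In practice the limit and function tables would be the manual's delegation and reporting-line sections held as data, and the report's recipients and frequency would themselves be specified in the manual.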
Activity 5 Stop and reflect
One control that appears in many organisations’ procedures manuals is that employees are required to have at least one period of time off from work each year lasting a minimum of two weeks (or ten working days).
Why do you think this control is applied?
The evidence is that if fraudulent activity is being committed by an individual there is a higher likelihood of it being discovered during the second week of their holiday than during the first week. Why is this? In the first week, the people covering for a (fraudulent) colleague on leave tend to spend their time getting used to their additional and temporary responsibilities. By the second week they are familiar with the new routine and can more readily notice anything their colleague was doing that, shall we say, looks abnormal! The control therefore only works if the absent employee's duties are actually performed by a colleague during the break, rather than left to accumulate or handled remotely by the absentee. Particularly for positions that involve direct involvement with transactions and cash flows, the trend is therefore to require a two-week break (ten working days) each year.