
Operational risk: The changing face of IT risk management


Johannesburg, 16 Sep 2003

Risk management is a topic that needs little introduction. During the past five years a lot of research has gone into various systems and methodologies that enable companies to implement more successful risk management strategies.

However, recent reports such as Basel II have highlighted one - not that well known - subject: operational risk.

It seems that operational risk has in the past not enjoyed as much priority as other elements of risk management such as credit and market risks.

Operational risk has turned out to be more costly than many companies have realised - recent estimates put it at 25% or more of risk capital. And this figure is rising as the Internet, e-commerce and outsourcing become even more prevalent.

Top executives are, therefore, wondering whether decisions based on risk-adjusted return on capital (RAROC) might be flawed if operational risk is not taken into account.

According to a recent report on operational risk by the Basel Committee, failure to understand and manage operational risk may greatly increase the likelihood that some risks will go unrecognised and uncontrolled.

The human element

Generally, people are seen as the greatest asset of any company. But, until recently, the risks associated with employees have been elements such as fraud and misuse of company IT networks.

The truth is that people can cause damage through incompetence, bad decision-making and rule breaking. There is, therefore, an increasing interest in the psychology of risk and decision taking.

Although e-commerce and information systems are in some cases key contributors to operational risks, they can also prove very valuable - physically preventing certain actions and reporting on infringements.

These intelligent process control tools can help to turn reliance on people into reliance on properly designed systems.

However, it still remains a challenge to enforce control through technology. Researchers believe the reason why individuals break rules - more crucially, why their colleagues let them get away with it - is sometimes rooted in the corporate culture of a company.

Reporting systems that are independent of business line, risk sensitive, automatic, consistent and secure are all parts of successful operational risk control. But unfortunately losses - in many cases - spiral out of control because a compromised executive was high enough in the hierarchy to disguise them.

Wrong-headed decisions are rooted in poor corporate governance and not due to system downtime.

IT and operational risk

From individual business lines, to the core support functions of a company, IT systems are the principal means for storing and managing data.

In many cases, IT tools and applications are also used to analyse information and run key business processes.

It would, however, be a mistake to think that all these systems are interconnected. Companies generally rely on a series of partially interconnected systems - all with their own key functions.

The point is that most operational risks today lie between the system and a company's business plans. To counter this, IT administrators must, with the clear direction of business managers, provide flexibility in capacity and the proper security levels.

As business plans or volumes change, managers must identify, monitor and manage the critical risks in their organisation, including e-commerce and multi-channel initiatives.

The bigger picture

Many operational risks are already managed by specific risk functions within a company - line managers, operations managers, technology risk, security, and so on.

Although these functions all play important roles, they cannot provide a company with a wide-angle view of its operational risks.

Enterprises have taken different approaches to this wide-angle view, with some appointing senior operational risk managers, while others are extending internal audit to include operational risk.

Whatever the framework, taking a wider view means bringing together information about risk in a consistent fashion so that corporate management and specific owners of risk can take action.

Operational risk tools can contribute to realising a wide-angle view. They can make measurement more consistent and make it easier for companies to benchmark their risk standards.

It would be a pleasant irony if technology, which has been the cause of many famous operational losses, were able to tame one of the most unpredictable pieces of the risk jigsaw - operational risk.


Editorial contacts

Wilhelm Hamman
Computer Associates Africa
(011) 236-9111
Wilhelm.hamman@ca.com