During the past six years a lot of research has gone into various systems and methodologies that enable companies to implement more successful risk management strategies.
However, it has become apparent that companies aren't necessarily taking a proactive approach to risk management and are, to a certain extent, ignoring key issues such as operational risk management, focusing more on other elements such as credit and market risks.
Significantly, Basel II places a lot of emphasis on operational risk management, stipulating its importance and the role an effective (operational risk) framework plays in service delivery organisations.
According to the Basel Committee, failure to understand and manage operational risk may greatly increase the likelihood that some risks will go unrecognised and uncontrolled.
Evolving the static approach
So, it's quite clear that in order for risk management, which includes operational risk, to evolve, it needs to move from a static approach to more dynamic practices.
Organisations and indeed governmental departments must guard against approaching risk planning and management as a single mechanism. This static approach creates a false sense of security, which could negatively impact an organisation. We know the vulnerabilities associated with operations, be it security or infrastructure related, are dynamic and therefore require active management.
Controls must be put in place and regularly tested for their applicability and ability, which will in turn continuously improve the ability of an organisation or governmental department to manage risks.
Technology is a great enabler
Technology also plays an important role in dynamic or active risk management. It can be used to protect organisations against specific vulnerabilities, but mostly to manage the huge amount of data generated during this protection process.
Again, if we look at operational risk management, it's clear that there are many areas of vulnerability.
These can relate to security, internal fraud or the availability of critical government infrastructure. Data from all these systems, including events, near misses and incidents, needs to be analysed on a continuous basis to form a relevant and clear picture of overall operational risk.
If this is not done, organisations and governmental departments may have a static and non-relevant view of their risk exposure and management capability.
We're only human
Looking at the human element, generally people are seen as the greatest asset of any company. But, until recently, the risks associated with employees have been elements such as fraud and misuse of company IT networks.
The truth is that people can cause damage through incompetence, bad decision-making and rule breaking. There is, therefore, an increasing interest in the psychology of risk and decision-taking.
Although information systems are in some cases key contributors to operational risks, they can also prove very valuable - physically preventing certain actions and reporting on infringements.
These intelligent process control tools can help to turn reliance on people into reliance on properly designed systems.
However, it still remains a challenge to enforce control through technology. Researchers believe the reason why individuals break rules - more crucially, why their colleagues let them get away with it - is sometimes rooted in the corporate culture of a company.
Reporting systems that are independent of business line, risk sensitive, automatic, consistent and secure are all parts of successful operational risk control. But unfortunately losses - in many cases - spiral out of control because a compromised executive was high enough in the hierarchy to disguise them.
Wrong-headed decisions are rooted in poor corporate governance and not due to system downtime.