Operational risk organization

Entrepreneurial activities are full of risks. They meet here and there. One of the most likely operational risk. What is it? How is operational risk management? What influences its value?

General information

Let's start with the terminology. Operational risk – risk of loss due to mistakes/inappropriate actions on the part of employees, failures in the systems or external events. These include reputational, strategic and legal losses. That is operational risk associated with implementation of executable business functions of the enterprise. It is used to denote risk of additional costs due to the incompatibility of the nature and extent of credit structure, the violations of the current legislation, procedures of interaction with banking institutions. For example, it is possible to include the violation of a Bank employee, unintentional or deliberate wrongdoing on his part, a failure of the functional/automated systems due to external impact.

Depending on the origin identify internal and external risks. They, in turn, are divided into classes. Internal risks include all associated personnel, processes and systems. Let's look at some examples. The actions of staff could cause damage? A threat. Business processes are the disadvantages? A threat. Fails work information systems? A threat. External risks – disaster recovery, security (physical, data), the rupture of relations with customers and counterparties, as well as by regulatory bodies. Let us for these cases, consider the examples. Fires and terrorist acts can happen? A threat. Poor or false information, goods, services, technology can disrupt the interaction with clients and contractors? A threat. Forgery, theft, attacks, break-ins, etc. will undermine the position of the organization? A threat. Changes in legislation and regulatory framework will necessitate extra activities? The threat.

An Essence and types

If you want something to avoid, it is necessary to know in person. The world evolves, becomes more difficult. This increases the danger from operational risks. As a support for further information taken Basel II. According to him, to operating risks include anything that can lead to material damage due to incorrect (or if the necessary) personnel actions, external influences, incorrect processes and the like. They are not painted, also there is tips for organizations to effectively deal with them. The main purpose of Basel II – a calculation of the amount of coverage for them. In addition, it provides a powerful control system, whose task – to contribute to the reduction of the probability of occurrence of operational risks. In this document it is envisaged that management and the Board of Directors shall assume the function for them. And that they have a reporting about operational risk and current damage. From this point of view there are two types: those that directly or indirectly depend on the person, and force majeure. The latter include earthquakes, hurricanes, mudslides, landslides and so on. The first is much more diverse. So, there are four main groups:

Recommended

Staff evaluation: system and methods

Personnel Assessment allows you to identify how competent the employees involved in the enterprise, and it is the performance of their work – the most significant factor affecting the efficiency of the company. To clarify the impact of performa...

How to start your own business: important aspects.

Many people, tired of working for someone else, are increasingly thinking about how to start your own business. Someone wants to open a salon, someone store, and someone enough and vegetable stalls. Before you throw in the pool with his head, it is i...

Business activities. its essence and basic functions

The Entrepreneurial activity of the citizen – is undertaken at your own risk and independent activity, which aims to systematically profit through the sale of works, goods, services, use of the property. The citizen engaged in such activities, ...

1. Intentional acts. These include fraud and other intentional acts that result in damage.
2. Unintentional actions. It is the choice of technology that is not fully developed, unintentional erroneous actions of employees, inadequate control execution of their duties.
3. Technical risks that are directly or indirectly associated with human activities. It is a failure in the network, external communications, breakage of machine tools, and the like.
4. Software risks that are directly or indirectly associated with human activities. It's a failure in the telecommunications and/or computer equipment.

The Specifics of practical implementation

As you can attest to knowing people, operational risk management in reality has many differences from the theoretical recommendations. In particular, a rather rare situation when the leadership takes care of the problem issues that caused problems in the information system. Practiced the transfer of such work to specialists with lower qualifications. This approach often leads to even greater losses. It is important though, because operational risk is among the three most important and essential. Also, in practice, often there are subtypes:

1. The Risk of leakage or destruction of information that is necessary for the formation of organizational processes. Means the intentional or accidental deletion of files in an automated information system. These actions can lead to serious failure and the inability of commercial structures to fulfill its obligations to clients obligations.
2. The Risk of using biased or falsified (fake) data. As an example, not a real payment. Although there are morecomplex variants. For example, the use of already transmitted payment, when substituted for one of the participants.
3. The Risk of problems with the supply objective and relevant information to customers. Typically, this involves computer systems.
4. The Risk transfer unprofitable for the organization of information. As example rumors, slander, compromising management, leakage of valuable documents (with subsequent release to the media) and the like.

Causes and how to deal with them

It has turned out that the operational risk of the organization not simply appear. Every problem has its own root. The main causes include the following:

1. Lack of qualification and lack of serious approach to education and training. The human factor can strongly influence the organization and is often the source of problems. So, many companies can not afford to properly use the available features of information systems. This is exacerbated by the limited knowledge of ordinary users.
2. Are Not given adequate attention to information security and ignored the real threats that emanate from this sector. Disregard on the part of governing bodies, insufficient funding, lack of activities increase the level of reliability of systems and things only aggravate the situation.
3. Low quality, but also the insufficient development of the procedures to pre-emption of risks. Also, few people care about the existence of adequate policies and job descriptions in the field of security. In crisis situations, confusion and lack of knowledge employees can contribute to the problem.
4. The Inefficient system of protection of information assets. The attacker only needs to find one weak spot, and this should already be enough to cause serious damage. Best of all, if provided for layered protection.
5. A Large number of weaknesses in automated systems and various software products if it is not tested FOR. For the attacker this is a real gift.

Correction

What to do? Many types of operational risks and threaten to be realized, something to keep in mind the old adage that the fish rots from the head. Therefore, you need to start with leadership. You can implement the following items:

1. Top management (Board of Directors) occupies a key role in the formation of the system of management, control, and protection.
2. You Need to create, implement and adequately enforce smooth functioning of the system wherever they are needed and have meaning to be developed.
3. Should work on the risk management system. After it is created, you need to analyze for vulnerabilities. You should also think about the control over the Executive organs.
4. Top management (Board of Directors) sets limits for risk appetite.
5. The Executive body should develop a clear, efficient, and reliable Toolkit with transparent, consistent and meaningful areas of responsibility. On it and will be responsible for implementing the basic principles, processes and systems involved in risk adjustment.
6. The Executive authority must identify and assess current problems and to articulate their nature and factors. In addition, he ensures the implementation of developed innovations. Also on the Executive authority to impose monitoring and controls reporting of individual units.
7. You Need to ensure the availability of reliable and complete system control, and transmission/risk reduction.
8. Should develop a plan that will ensure recovery and ongoing activities of the organization in the presence of obvious problems.

Is that all?

Of Course not. It is solely generalizing words, which address fundamental aspects. While working with the specific situation they will need to adjust to existing conditions. Let's consider a small example. The Bank has a well-written management procedures in case of realization of the threat of credit risk. To potential borrowers exhibited the criteria and provided the collateral for the loans. To assess the proposed collateral involved external specialist. And here the security was rated more price than it is really worth on the market. That is to say, the situation is developing in favor of the borrower. While inside the Bank, the adequacy assessment has not been rechecked. After some time, a situation where the borrower is unable to repay a loan. The Bank expects that he will be able to repay the debt by selling the collateral. But in practice it turns out that the market price will be able to cover only half credit. The cause of this problem – violation of procedures. After all, according to existing requirements, financial institutions must verify the price of collateral. So increased operational risk, followed by credit. And you can still remember and how private banks issue non-performing loans, in violation of all conceivable procedures. Such institutions quickly put into place to eliminate. Onthe size of operational risk impact in this case, the connivance of the employees. Alas, to completely avoid such situations is extremely problematic. You can only minimize it, typing training, an effective system of control and strict discipline.

Real life examples

In life can happen, and the writers not come up. There have been situations where the operational risk level was off the charts, but this situation a long time could not identify. Let's look at some of the most impressive examples. Was himself a man like Jerome Kerviel. About was a trader at an investment Bank Société Générale. In 2007 he opened the position at the close of the European stock exchanges to flycasters. It seems to be a common story. But the amount of items amounted to about 50 billion Euro! This one and a half times higher than the capitalization of the Bank! As Jerome could do this? The fact that it worked before in the office and knew the work of the monitoring mechanism. It was only discovered at the end of January 2008. It was decided to close them quickly. But the enormous size of the positions provoked the sell-off in stock markets. Because of this, the Bank lost $ 7.2 billion (or 4.9 billion euros). Or another example. Was a man like John Rusnak. He worked in the American branch of the largest Bank in Ireland, the name of which – Allied Irish Bank. He was hired in 1993. In 1996 John began to carry out risky operations against the Japanese yen. But they were unsuccessful, went loss. But John managed to conceal from the partners the growing losses. For example, in 1997, he lost to 29.1 million dollars. In 2001, the amount was 300 million! To hide these losses, he forged statements. For their operation, this trader even managed to receive a bonus in the amount of 433 thousand dollars. It all came out in 2001. At the time of opening, the total volume of losses was $ 691 million. Smaller losses and risks from operating activities are much more likely than such a large. In the age of automation with the right approach they can be significantly minimized.

External risks and their solutions

They occur during the organization's relationship with the surrounding world. It can be robbery, theft, trespassing by third parties to the information system, the failure of infrastructure and natural disasters. Although, perhaps it should be attributed to the legislative environment. What methods of evaluation of operational risk must be used to get an idea about the situation? There are a number of recommendations on the General scheme of work. In addition, the calculation of the operational risk can be produced specifically created mathematical models. So what you need to do to create an effective management system that can deal with the problems?

Action Plan

You first need to take care of an adequate architecture. That is, if the problems in the system, then, alas, even the best expert will not be able to provide a satisfactory result. It should also be reasonable. For example, there are a number of small incidents that cost 10 thousand rubles per year. You can create a system that will 100% prevent them. But the cost – 100 thousand rubles. In this case, you should think about the feasibility. Of course, if we are talking about theft or something similar that will gradually grow in scale, you need to act now. After all, if pull, then the operational risks of an enterprise can grow so much that will destroy the company. But to support the system in General adequate condition will help three methods:

1. Control self-assessment.
2. Key risk indicators.
3. Management of operational incidents.

Solve problems

The size of operational risk is influenced by many factors. The fewer the better. Optimally, if the problems are solved before will arise. Therefore, the assessment of operational risk plays a significant role. How to spend it? You first need to focus on control self-assessment. To paraphrase, this method can be called a candid conversation about the issues. Is implemented in the form of employee surveys. Then there are key risk indicators. These figures let you know of impending problems before they manifest themselves in full force. Of course, if they are adequately matched and collected their data. And closes the Trinity incident management. The objective of this procedure – to investigate, identify problems and deal with them. If this is not done, the company offers financial risk. Operational risk over time, as a rule, is only growing. You need to be aware.