Operational risk has figured prominently in the business news this summer:  a lightning storm destroyed cloud data stored by Google, and a cyber-hack of dating website Ashley Madison breached confidentiality of 33 million accounts. Are companies addressing operational risk the best way possible?

What is called operational risk may in fact have its roots in business risk, according to Mike Finlay, Chief Executive of RiskBusiness International. He was the first of two speakers at a webinar on operational risk held on August 27, 2015, sponsored by the Global Association of Risk Professionals.

For example, the 2011 Fukushima Daiichi disaster in Japan had an overt operational cause, namely, the one-two punch of an earthquake-tsunami, which caused structural damage to a nuclear plant. But the actual risk type was business risk, posited Finlay, because long before the event “engineers were aware that sea defence walls were not high enough to counter known probable sea levels.” It was a business decision during construction, to skimp on the defence wall construction, due to cost implications.

Integrating OpRisk1_tsunami

The standard Committee of Sponsoring Organizations of the Treadway Commission (COSO) definition of enterprise risk management (ERM) is “holistic,” said Finlay. Yet all too often, the risk management framework is based around a siloed approach. ERM is intended to look at a company’s strategy and “tends to focus on the long-term goals of the organization.”

COSO lists eight risk categories: Strategic, Business, Credit, Market, Operational, Liquidity, Insurance, Environmental Risk.  Finlay proposed that these eight be reduced to pure market risk, credit risk, and liquidity risk—and all the rest are variations of operational risk, which may be seen as an outgrowth of business risk.

Proper management of risk occurs over time. “We must look at the linkage between different types of exposure,” Finlay said.

The Basel II definition took “a very causal approach” to defining operational risk. There are “issues” with operational risk, such as lack of boundaries with other risk types; no direct correlation with business cycle; and a direct link to the “human factor.” Finlay noted there is a proliferation of different forms of operational risk, such as non-compliance, reputation, business continuity, and so on.

Finlay pointed to the Edelman Trust Barometer. The 27 countries surveyed by Edelman exhibit growing distrust of the business sector, in part because the pace of innovation is so fast. It’s especially important to manage operational risk, in order to win customer trust. The summary of Edelman’s findings states: “Companies need to demonstrate that innovations are safe, based on independent research. There must be a commitment to evolve the product based on consumer experience and feedback. The new product or service must be shown to be good for society, with transparency on the results of the innovation.”

“There is a perception that the three lines of defence is a risk model,” said Finlay, whereas it is really a governance model. Transparency into the governance of a company, or who within the company will be held accountable, will improve trust, and will make operational risk responsibilities clearer.

Finlay concluded, “a sound three lines of defense model is risk-agnostic and supports ERM.” He called for the establishment of an “accountable governance forum.” ª


Click here to view the webinar presentation, Integrating Operational Risk Management into your Enterprise Risk Framework. Finlay’s presentation is from slide 4 to 10, inclusive.

Click here to read about the second presentation in the webinar.


The image is by Shigeru23 (Own work (ref:[1] [2])) [CC BY-SA 3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], via Wikimedia Commons.