Common Types of Operational Risk. Internal fraud.External fraud.Legal and liability losses.Noncompliance with regulations.System failures.Inappropriate business practice.
Tuesday, July 14th, 2009Types of Operational Risk
Here are the common types of operational risk:
? Internal fraud. Employees stealing from their company or from company clients are typical of internal company fraud. This could range from the taking of the office stapler to the misuse or inappropriate redirection of company or client funds. Other ways include employee bribery, the intentional misappropriation of company assets, intentionally pricing inventory incorrectly, or intentional mismarking of security positions. Many companies have fraud detection programs to help mitigate, reduce, or prevent this type of employee behavior.
? External fraud. This other type of fraud is just as dangerous as internal fraud. Fraudulent clients can wreak much damage on a company. Other external sources that are not clients could do the same. This could range from simple robbery to forgery and to the most devious computer hacking and identity theft, leaving companies and their innocent clients as unfortunate victims. Companies need to implement protections against this type of fraud, especially in today’s technologically savvy world.
? Legal and liability losses. Most, if not all, U.S. corporations are subject to lawsuits every year. In some parts of Europe and Asia the tendency to litigate has become more popular. In any case, such litigation becomes expensive to companies, even if the company has done nothing wrong. Companies should not only look outside— liability exists internally as well. Employee relations are expensive, yet mandatory. Wrongful termination, inconsistent employee compensation or promotion processes, and inappropriate employee behavior are a few of the risks that cost companies large amounts of money in either lost productivity, lawsuits, costly settlements, or all three. As a result, many companies have enhanced the employee relations function in their human resources departments. Nevertheless, the recurring cost of retaining legal counsel for both external and internal legal and liability risk is now a basic expense on many companies’ expense statements. To avoid or minimize the cost of litigation, many companies have resorted to settling with plaintiffs as soon as possible—another expense, although with less adverse impact on the company books. Complete avoidance of such cost is impossible. The challenge is to determine the most effective way to mitigate this risk and minimize such losses.
? Noncompliance with regulations. Large companies, especially national and international firms, must worry about complying with country standards, and with the regulations of each region within a country in which the company has offices or clients. This has become extremely complicated and expensive. For example, a company in the United States must adhere to every federal law and regulation and then to every law and regulation of each state in which the company is conducting business. The term conducting business is not a national or federal term. Instead, individual states define the term. A state may define conducting business as simply having an office in that state. Another may mean having employees in or from that state. Yet another may want to regulate a company that may not have an office or even employees, but has clients residing in that state who purchase products or services generated from that company. Finally, some states may define conducting business as any of those three definitions. The cost of determining the rules are staggering. Yet, every company in the United States, no matter how large or small, needs to set aside enough funds to pay for understanding the applicable laws and regulations and ensure that such laws and regulations are complied with. The reason for this is simply that the cost of noncompliance with these rules can be even more staggering.
? Processing errors. Losses can occur due to poor or failed transaction processing or poor management of the process. These losses could be due to individual mistakes or due to a poor process itself. Examples of such processing errors are: data entry errors, accounting errors, delivery failures, incomplete legal documentation, unapproved access given to client accounts, incomplete or inaccurate client records, client errors, poor communications with clients, vendor or trade supplier errors, incomplete or inaccurate vendor or supplier records, and miscommunication or disputes with vendors or suppliers. Note that processing errors are not mistakes that happen on the assembly line or in the back office. These types of errors can occur at any point within a front-to-back process, from the point of customer contact and sales through the point of production and delivery, to the point of recording and then billing of the transaction to the final point of reporting the transaction results. Thus, a salesperson carrying out the correct or incorrect customer sale is just as important as the back-office clerk entering the correct or incorrect order details. Neither is immune from needing a control framework to ensure that processing errors are minimized.
? Physical security breaches. This has at least three parts. First, workplace safety is important for both employees and clients. A mishap in the workplace could cost a company millions in losses. Additionally, companies are currently forced to pay for workers’ compensation and employee health and safety insurance. These premiums could increase if workplace safety is not appropriate. Aside from a company’s managing how it operates its workplace, the company needs to be sure doors and windows are properly secure to prevent theft or to prevent unwanted intruders from entering its premises and potentially harming the physical assets or its employees and clients. Even physical loss due to terrorism is something companies must think of today. Finally, a company could sustain damage to its furniture, equipment, physical plant, and people from fire, flood, earthquake, hurricane, or other natural disaster. Simple precautions could help mitigate this damage. Yet, insurance against physical disaster is commonplace, if not required, and the placement of the physical location of a business operation should not be considered a minor or trivial event. This decision could cost a firm significant losses later when it is too late to realize that early planning and due diligence would have been wise.
? Information security breaches. The computer hacker represents one type of information security breach. The simple loss of a laptop with client or company data stored on an unencrypted hard drive is another and perhaps more damaging information security breach. Even low-tech breaches can be devastating—perhaps the loss of a briefcase containing client or company papers, or confidential information falling off of a truck in New York City. The concern over information security goes beyond corporate life and into everyday lives of individuals, where identity theft in this day goes beyond the postal service and business by telephone into use of credit cards on the Internet, web cams, wireless connectivity, e-mail, and personal messages on web sites, such as Facebook or MySpace. It has now become commonplace for a company located in Detroit, Michigan, to worry about how to protect its internal corporate intranet from computer hackers residing in Eastern Europe. This is a significant operational risk that has far-reaching concern for the corporation, its employees, and its clients. The theft of a customer’s identity due to a company’s poor information security measures or lack of protection could have more dire consequences on that company’s reputation than a processing error or even poor service.
? System failures. Losses could result from failures in computer hardware, computer software, and in telecommunications equipment and software. In today’s world, where business relies greatly on technology, the failure of systems produces significant losses to an organization. This could include failures in systems that support sales to clients, that support the processing of client or employee transactions, or that support corporate functions, such as accounting, human resources, control, and relations with investors or regulators. Even a simple failure in the telephone system could spell a load of trouble for the company operating in the twenty-first century.
? Disaster recovery and business continuity. While systems failures could be caused by a single failure of a component or a portion of the organization and create significant risk and loss, the wholesale failure in an organization’s set of systems, such as one caused by a power outage, could produce material losses to that company. Not only would a system failure cause such a disaster; a hurricane, flood, or other natural disaster could cause a disruption to an entire business or company. The operational risk associated with such disruptions is important. Risk management must be concerned with the company’s ability to recover quickly and completely from these disasters and ensure continuity of the business front-office and back-office operations.
? Inappropriate business practice. Listed last and such a basic and simple thing, yet something that could cause disaster for a company, is the way its front-line employees conduct business and relate to clients. Of course, this would include obvious tactics such as defects in products, manipulating the market, false advertising, and improper sales or trading. What about other front-line or front-office employees? How well does customer support handle telephone calls? Are technicians competent and friendly? The failure to develop, execute, and conduct basic and sound business practice is an operational risk and could result in a poor reputation for a company.
Search Here:
