In recent years, many companies have improved their understanding of risks with risk assessments and risk matrices. However, the weakness of a risk matrix is that it is based on a static picture of a specific problem, which can make it difficult to understand where companies really have their underlying challenges. The answer may lie in understanding the nature of operational risk.
The Institute of Operational Risk (IOR) in the UK emphasizes the importance of a good understanding of a concept commonly referred to as the cause, event and impact chain when talking about operational risks. Essentially, this model holds that there are many causal factors with specific impacts based on the type of event. On their own, these causal factors do no damage. However, you cannot have an event without a causal factor. Most events also have an impact; those that do not are referred to as near misses.
As a result of this causality, some firms map common causes, events, and impacts. IOR has created such a scheme where they use the Basel II categories as examples of events:
1) Internal Fraud
2) External Fraud
3) Employment Practices and Workplace Safety
4) Clients, Products, and Business Practices
5) Damage to Physical Assets
6) Business Disruption and System Failures
7) Execution, Delivery and Process Management.
Next, IOR uses four causal drivers from the operational risk definition, which are:
1) Process
2) People
3) Systems
4) External factors.
Finally, IOR operates with five types of impacts:
1) Financial impacts
2) Efficiency impacts
3) Service impacts
4) Lost Business Opportunities
5) Reputational impacts.
This gives us the following scheme:
| Cause | Event | Impact |
| --- | --- | --- |
| People & Process | Internal Fraud | Financial & Reputation |
| External processes & Process | External Fraud | Financial & Business Opportunities, Reputation |
| People & Process, External Factors | Employment Practices and Workplace Safety | Reputation & Service, Financial, Efficiency |
| People & Processes | Clients, Products and Business Practices | Reputation & Financial, Business Opportunities, Efficiency |
| External Factors & Process, Systems | Damage to Physical Assets | Financial & Service, Business Opportunities, Efficiency |
| Systems & Process, External Factors | Business Disruption | Service & Efficiency, Reputation, Business Opportunities, Financial |
| Process & People, Systems | Execution, Delivery and Process Management | Service & Financial, Efficiency, Reputation |
As always, this set-up might not be fully objective, and different industries and companies might think that it is not representative of their businesses.
However, if we look at this scheme carefully, it shows that all risk events relate to “processes” and all events will have a “financial” impact. A bit surprisingly, it also tells us that almost all events have a “reputational” impact.
So, what conclusion can we draw as to how we manage operational risk?
Firstly, it shows that identifying the causalities between different risks requires a separate and specific analysis for each type of risk. Secondly, the analysis highlights the importance of well-functioning processes.
Therefore, if an organisation is serious in its desire to manage and improve its exposure to operational risk, it should focus on identifying the internal controls related to processes. Ultimately, well-functioning processes should help the organisation improve the return on assets on a permanent basis.