
Wednesday, December 9, 2009

Reputational Risk Management

Ask the Chief Executive Officer, Founder or Chairman of an organization about his key concerns, and one thing which will never be missing from the list is ‘Reputational Risk’. It is certainly a very challenging task to protect a firm’s reputation given the increasing competition in the market on one end and the dynamic social and economic conditions of the global market on the other.

Imagine a Rolls Royce standing in the street without a garage! I know it’s difficult to imagine that, but considering the value of an asset such as ‘reputation’ or ‘goodwill’ and the kind of risks it is exposed to, the situation is very similar to that scenario. The tremendous development of global media and other communication channels and increased levels of regulatory control are some of the issues which expose an organization to Reputational Risk.

The factor which leaves risk managers baffled about ‘Reputational Risk’ is that it is not possible to easily categorize and compute it. It is widely agreed that the root causes of the risks impacting the reputation of an organization are primarily derived from market, operational or capital risks. While the root causes are still widely debated, it is more likely that the reputation takes a big hit primarily because of inefficient adherence to regulatory and legal requirements, which keep growing in number and complexity over time. Given the numerous cases of immoral actions taken in organizations (in many cases by a very small group of influential individuals), such actions can be considered a major root cause of reputational risk. While legal, regulatory and unethical practices are certainly the forerunners, the quality of delivery of the product or service follows closely: failure to deliver to basic industry standards leads to a very high proportion of customer dissatisfaction, multiplying the negative impact on the reputation. Being an ‘Employer of choice’ is also one of the critical aspects for an organization to survive with a clean reputation.

Effective and timely communication is the most important remedy which will prevent or repair the impact of reputational risk. There are several instances when incidents leading to reputational risk have been managed with minimal impact through clear and appropriate communication. This not only helps manage external factors but also the critical and fluid asset in the form of employees. While the leadership team plays a very important role in the task of effective communication, it is equally important for an organization to make an appropriate investment in a formal and independent risk management body which can monitor all the above factors and recommend necessary preventive or mitigating steps to manage the reputational risk.

Wednesday, October 28, 2009

Key Risk Indicators (KRI’s)

Even though KRI is one of the most familiar terms used amongst the senior management and risk managers, it has not been given its due share of importance amongst other such risk measurement tools. This article focuses on highlighting the typical challenges experienced in organizing a good KRI system.

Some of the key challenges in having an efficient risk indicator are incompatible languages used by different sources, usage of different terminologies, timeliness of reporting the risk profiles to the management, appropriate authority to take necessary mitigating steps and finally clearly defining the risk thresholds.

Incompatible languages
Incompatibility in the language refers to two different dimensions, where one relates to the risk controller in understanding the various evolutions in the market practices and integrating them in the internal risk control framework. This is commonly attributed to the skills and tools or information sources one has access to. The other one pertains to the process of assigning a unified scale for measurement of the inputs received from the various risk indicators since most indicators are specific to individual businesses or processes and generally uncommon in nature.

Use of different terminologies
Often there are disconnects between the operations management teams and the operational risk teams over the terms ‘Risk Metrics’ and ‘Process Metrics’. The Operations team views its process metrics, and in some cases its Service Level Agreements (SLAs), as the key metrics and holds that they serve as risk indicators as well. A good risk controlling group would consider as risk metrics those factors which would result in a high-impact financial or non-financial loss, and it is not uncommon for some of the process metrics or SLAs to form subsets of the risk metrics. Another interesting fact is that one person’s KRI is another’s performance indicator (KPI) and a third person’s service level indicator. Thus, these terminologies differ based on the perspectives of the users and the activity in which they are engaged.

Timeliness of reporting
This might sound very generic, but when you add the essence of risk management, timeliness has the potential to alter the overall outcome of an event. To give a reference from history, imagine the changed scenario if the fax informing US authorities of an attack on Pearl Harbor had been reported even a few hours earlier instead of a day late! In the real-time corporate environment, where every bit of your action is recorded and used in performance appraisals, there will always be some amount of resistance towards declaring the errors or issues in the system. It is hence crucial to design the system in such a manner that all such errors or issues are flagged in the best possible timelines. Many times, the operations and risk management groups need to predict the possibilities based on the interdependence of factors.

Right authority
The issue of authority in risk management is one of the major undercurrents which has not surfaced much and is not discussed openly in public forums. It is very important for a risk controller or manager to have access to the necessary authority to push the right lever at the right time. Lack of such authority slowly leads to deterioration of control effectiveness and thus to major losses through undetected or delayed actions on critical risk exposures.

Defining risk thresholds
Risk thresholds can represent or misrepresent the actual risk exposure. This is why it is important to understand that an organization should define these thresholds based not on the industry benchmark but on its real-time risk appetite. Both the Operations Managers and the Risk Managers need to review them in a neutral and independent manner. It must be in the common interest of the authorities to define these risk thresholds in such a manner that they also flash the Red or Amber code. Many times, it helps to revisit those metrics which sit continuously in the Green zone, as they might do so because of relaxed risk threshold definitions.

I believe these typical and real-time challenges might sound familiar to many of you managing the Operations or Risk portfolios, but with a few careful actions and precautions, this tool will work wonders in helping you hit the ‘bull’s eye’ while managing risk in operations.

Monday, September 14, 2009

Challenges in Operational Risk

Some of the key challenges which risk managers come across as far as operational risk is concerned are:

Early identification of risk exposures
With ever-increasing complexity, irrespective of the sector an industry caters to, it is always a challenge to detect the potential operational risks in the system. Not all organizations have robust systems or processes which will raise an alarm as soon as an operational factor goes wrong, and it is very evident that not all professionals would willingly share the mistakes they made in this highly pink-slip driven world; therein lies the challenge for the Operational Risk Manager. Many a time there is no second chance to fix the risk and keep it from recurring!

Proper categorization of risks
Wondering what further categorization there can be within the Operational risk category? Yes, it is true that there are specific categories within the Operational risk domain, which are based on risk events, namely ‘internal event risk’, ‘external event risk’ and ‘business event risk’.

The names themselves suggest the meaning of each of these risk characteristics, but what is normally overlooked is that a risk resulting from an external event might eventually turn into a business event risk, and similarly an internal event risk might cause a widespread external risk which impacts a particular business segment or, in very high impact cases, multiple segments. Thus, an Operational risk manager needs to be smart and quick in understanding the movements, or intentions so to say, of any such event risks and take appropriate control measures to prevent them. The word ‘mitigation’ sounds very much embossed on the Operational risk framework, but the best risk manager is one who controls the risk exposures in a manner which will not lead to the scenario where one has to take mitigating steps.

Methods used for data collection and analysis
This particular challenge is experienced by operational risk managers in both large-scale and small-scale organizations, in different fashions. The logic is similar to the one between the rich and the poor. Just as the rich have too much money and often struggle to find the best use of it, large-scale companies have too much data and at times so many different sources, methods or tools for collating it that they spend a lot of time developing systems to integrate all the complex and diverse processes, which are divided not just functionally but also geographically. Small-scale industries, like the poor, have to struggle to get relevant data or information to process and to perform the necessary assessment. Thus, an operational risk manager, irrespective of the strength of his / her organization, constantly faces the challenge of getting relevant information with which to understand the risk exposures in their true colours.

Being a ‘Devil’s Advocate’
It is unfortunate but true that all or many risk managers are looked upon as the devil’s advocate, and in some scenarios as actual devils, for not approving a lucrative project or for making busy employees fill in a series of checklists and certify their work! It is often a key challenge for an operational risk manager to put forward his point in a forum of senior executives who are equally keen on the development of their organization, only from a different angle. Many times operational risk managers act based on the treatment they will receive for being the devil’s advocate.

Spreading Operational Risk awareness
It is often said that the operational risk manager has to do so and so things to assess and identify the potential risks. While this is true, the most important factor which proves to be very helpful is the operations team involved in the delivery of their respective products or services to their internal or external clients. As many in operations management feel that their performance is directly proportional to their performance appraisal, it is one of the most common and I believe one of the unavoidable challenges an operational risk manager has to face.

So has all the above inspired you to be an ‘Operational Risk Manager’? If not, I hope the article would have at least helped you in providing the perspective of the Operational Risk Managers in a different light… Happy working!

Nature of 'Operational Risk'



Operational Risk as a process follows a cyclic fashion which revolves around risk identification, risk assessment, determining mitigating actions and setting controls to avoid or minimise the effect of the risk exposures arising out of the business operations. If we have to categorize risks into two broad categories, ‘financial’ and ‘non-financial’, the loss can result from human errors, external or internal events, or the manner in which the systems or processes operate in a business. Operational risk covers all the above aspects of risk exposure. Does this mean that ‘Operational Risk Control’ is all that is required to save an organization or business from doom? The answer is ‘No’; it is certainly not the only process contributing towards risk management, as Market Risk and Credit Risk too have their due share. But the key differentiator between the other risk management processes and Operational risk is the nature of its application in the business environment. To simplify further, there are pre-defined models to manage Credit / Market risks, whereas there is no specific model or application to bank on as far as Operational risk is concerned. It is hence considered more dynamic in nature compared to other risk segments.



As shown in the pictographic representation of the Operational Risk Framework, the core of the Operational risk governance model, namely assessing the risk exposures or incidents, placing controls, monitoring the performance of those controls and initiating necessary actions as required, is carried out by scheduling an appropriate set of processes, technology and of course human resources. All of the above come together to ensure the ‘Confidentiality’, ‘Integrity’ and ‘Availability’ of the assets of any organization.

Wednesday, September 2, 2009

Risk in Service Sector

Quality and timeliness with optimum efficiency levels are the key factors affecting delivery in the service sector. While this still holds true, frequent market turmoil affecting the various lines of service, many of which are linked to each other, has turned the spotlight on the risk-related considerations of companies that strive to guard the interests of their existing customers, shareholders and employees on one end and to enhance their brand and goodwill to develop new clients on the other.

In the same fashion in which Operations Management and Quality Management systems address areas of improvement in service delivery performance and customer delight, the processes and systems used to control and manage the various forms of risk, such as operational risk, credit risk, liquidity risk, market risk and IT risk, have also gained momentum. Standards in areas like information security and business continuity are changing the structure of operations models in the service sector.

Of all the service sectors, one industry which has been in the limelight for quite some time now, and in fact the industry which responds most to this volatility in the market, is the financial services industry. Based on past experience and future assumptions, it is expected that the financial markets will continue to experience some amount of volatility in the next few years. Even though various regulations like Basel II, Solvency II for insurers, UCITS 3 for Asset Managers and Sarbanes-Oxley (SOX) for everything else are being prescribed, events wiping out major financial services giants like Lehman Brothers are promoting new sets of stringent regulations.


While it is crucial from the risk management perspective to understand the appetite of the company to digest these new regulations and churn out positive outcomes for energising the overall financial system, it is more important to understand the gaps in the existing systems and regulations which resulted in such a large-scale financial crisis. Thus, the search for realistic solutions, which lie precisely in the basics of risk management, needs to be looked at afresh.

Sunday, August 30, 2009

Starting with Risk Management

The companies we work for are huge and the processes we are involved in are getting complex and demanding, not to mention the cut-throat competition. One certainly wonders whether it is necessary to check or click those checkboxes on the n number of checklists to ensure he / she has done the routine job. With all the uncertainty prevailing around, is it necessary to add to one’s paperwork with those checklists popping up on the table or screen?

The answer to all the questions above is ‘Yes’; it is absolutely necessary. It would be appropriate to say that a risk consists of anything that can affect the performance of a product or service, all of which ultimately leads to financial or non-financial losses. If you dig deeper, all such effects roll up to the only constant factor in the world, viz., uncertainty. This uncertainty is directly proportional to the risk exposures associated with the successful completion or achievement of any given task. What matters most is how prepared we are to face this uncertainty. Many might wonder how one can possibly imagine the infinite ways in which a risk might arise. It is certainly not possible to track each such exposure, but being prepared to the best of our ability with the help of IT systems and of course logical thinking will certainly help us in withstanding the constant attack of risk on the process.

Even though several risk management standards have been developed, their definitions and goals differ widely based on the context and sector with which they are associated. Members associated with project management, security, engineering, industrial processes, financial portfolios, actuarial assessments, or public health and safety use risk management principles widely to prevent or minimise the impact of the losses resulting from risks. The various strategies to manage risk span from avoiding the risk, transferring the risk to another party and reducing the negative effect of the risk to, in some cases, accepting some or all of the consequences of a particular risk.

It is not a mathematical formula or a code of conduct which needs to have a specific defined form. It is up to us to use all the available resources to manage risk in the most efficient manner. So let’s get started…

Welcome to Risk-o-logy!!!

'Risk-o-logy' aims to facilitate, share and exchange information with the purpose of generating ideas and promoting good practice for those involved in the business of managing risk. Given the endless events of huge financial crises hitting all sectors of the world economy, it is essential to move beyond the crude assessments of risk which have resulted not only in a large-scale loss of opportunities, business and reputation, but also in the loss of many innocent lives!