People get into business for all sorts of reasons: whether it’s a simple need to earn more money or a desire to make things better, to solve a problem that needs solving or to share a burning passion with the world. Trouble is, you can’t open the door to all that exciting stuff without inviting a host of unsavoury other elements to the party too.
Whether you’re a team of window cleaners bouncing your way down the side of The Shard in the City of London, a mountain-biking nut leading tours through forest trails, or simply a lone wolf sat crunching through company accounts from the relative safety of an office, you’re going to encounter operational risk.
Operational risk is the risk of loss that results from problems with internal processes, people and systems, or from external events, in the course of conducting your business. In other words, it’s the risk that comes with doing the very things your organisation was built to do.
Examples of operational risk range from the Hollywood-style – hurricanes, computer hacking and fraud – to the far more prosaic: like the failure to adhere to internal health and safety policies. Every workplace, from the oil rig way out in the North Sea to the sweet shop at the heart of the neighbourhood, breeds operational risks of some kind. It’s just the frequency and the degree of severity that changes.
One component of operational risk that’s common to all organisations is human error. Research by DuPont found that 82% of workplace incidents come down to poor decision-making. It’s unavoidable: it’s people who make a business tick. And people make mistakes.
But whether the problem arises from human error or an unexpected act of God, how well you handle that risk will come down to how well your company has been primed to deal with it in the first place.
Operational risk management (ORM) is the art of working out just what the potential for such incidents is, as well as establishing the degree of damage they’d cause if they did crop up.
But it’s also about controlling that risk – managing it in a way that’s proportionate and appropriate, so your business has the freedom to operate and to grow while sensibly minimising the fallout from any nasty surprises.
The ORM strategy you adopt will be shaped by your business. To develop it you need a solid understanding of the specific risks you face, as well as the people you employ and the culture you operate.
If all this seems somewhat nebulous, the Risk Management Association has designed an ORM framework designed to suit businesses of all sizes and complexity. It breaks ORM into the following components: governance, policies and procedures; risk identification and assessment; control of your environment; monitoring and reporting; quantifying, measurement and modelling; risk decision-making; and incentivising behaviours (how to ensure certain members of your team are happy to wear a beard net, for example).
The key thing to remember here is that these elements are not divorced from all the exciting motivations we mentioned at the start. Get ORM right and it’ll lower your operating costs, reduce operating losses, increase customer satisfaction and give you a better deal on your insurance. And it’ll have a knock-on effect on your team too: the discipline that comes with following these policies will make people more efficient, a handy tool to have in their back pocket (after running the requisite risk assessment on said tool, of course).
The window cleaner, the sweet shop owner, the accountant: anyone who runs a business signed up for operational risk simply by choosing to do what they do. And how they understand and manage that risk is absolutely up to them too.