Identifying Operational Risks Associated With Business Processes
Business processes are one of the most critical aspects of implementing any organisation's business strategy. As a result, many of an organisation's critical operational risk exposures reside within its business processes. Managing these risks effectively helps maintain a high level of efficiency and effectiveness in the business processes. In this post I will cover some of the introductory concepts of identifying operational risks within business processes.
Understand Process Outputs & Objectives
The first step is to understand the process outputs and objectives. Without understanding these, you may end up wasting time assessing trivial or irrelevant risks. Every process produces one or more key outputs, e.g. the key outputs of the process for "selling a new personal loan product to retail customers" are
1. Decision on whether to issue the loan
2. Decision on what interest rate to charge for the loan
3. Issue the loan to the customer if the decision is made to issue the loan
To measure the performance of a process, it is common to define some measurable objectives. Examples of objectives based on the above outputs include:
1. Make the decision on new customer loans within 5 hours
2. Issue new loans within 3 business days of receiving the customer application
The objectives of a business process will typically be based around the following themes:
1. Timelines for delivering the process outputs (as mentioned in the examples above)
2. Volume of output (e.g. processing minimum of 4,000 new personal loan applications every day)
3. Quality of process outputs (e.g. customer queries are resolved correctly by customer service staff during the first customer call)
In addition to the explicit objectives mentioned above, there are also some implicit objectives for every process. These include:
1. Ensure that the process execution or outputs do not breach any compliance obligations e.g. ensuring that the organisation is not discriminating against certain customers when issuing new personal loans.
2. Ensure that the process execution or outputs are not utilised by external malicious actors e.g. ensuring that criminals are not able to steal money from customer bank accounts.
3. Ensure that the people involved in process execution do not breach any ethical or conduct policies of the organisation e.g. ensuring that the employees involved in the process execution are not mis-selling products to customers to earn their commission.
I am referring to these as implicit objectives because they are typically not included explicitly in the documentation of every process. It is implied that the individuals designing and executing the business processes will also consider them. Ideally, these should also be converted into explicit objectives to ensure maximum transparency and to manage the risks effectively.
Identifying Operational Risks
Once you understand the outputs and objectives, identifying the key risks should be straightforward. For each objective you can use the following checklist to identify the relevant risks:
People Involved In Process Execution
If execution of a process relies on people, it will be exposed to the following types of risks:
1. Human errors: Examples include entering wrong customer details during a sales process, or skipping the processing of certain transactions.
2. Human capacity: Examples include a large number of staff on sick leave at the same time, or a mass strike by employees.
3. Misconduct: Examples include employees accepting bribes to offer personal loans, or employees mis-selling insurance to customers.
Systems Involved In Process Execution
If execution of a process relies on IT systems, it will be exposed to the following types of risks:
1. System errors: Examples include a wrong interest rate assigned to a loan due to a software error, or wrong information provided to customers due to errors in a system-driven automated process.
2. System disruption due to internal factors: Examples include an outage of the IT system used for processing new personal loan applications due to memory exhaustion, or an outage of the core banking system after an upgrade.
3. System disruption due to external factors: Examples include an outage of the IT system used for processing new personal loan applications due to a cyber attack, or an outage of the core banking system due to a DDoS attack.
4. Theft of information by internal actors: Examples include employees stealing customer information before moving to a competitor, or employees stealing product information and selling it for personal gain.
5. Theft of information by external actors: Examples include cyber criminals stealing customers' credit card information from the IT system hosting this data, or cyber criminals stealing product information.
Malicious External Actors
1. External fraud targeting funds of the organisation or its customers: Examples include fraudsters using a fake identity to obtain a new personal loan, or fraudsters submitting false medical documents to commit medical insurance fraud.
2. Malicious use of the organisation's products/services: Examples include a terrorist group using bank accounts to collect funds for launching future attacks, or corrupt politicians using bank accounts to collect bribes.
Process Design
1. Process design misaligned with compliance requirements: Examples include the collection of KYC documents not being aligned with the latest compliance requirements, or the product documentation offered to customers not being aligned with the latest compliance requirements.
2. Process design misaligned with business priorities: Examples include continuing to sell certain products after a business decision has been made to stop selling them, or continuing to sell products to certain customer segments after a business decision has been made to stop selling to those segments.